Dark Fader Apologises (!)

Started by fexo, October 13, 2005, 07:31:27 AM

fexo

http://www.64scener.com/

DARKFADER APOLOGIZES FOR MAKING THE TROJAN
October 13 2005 - 11:59 am - Posted by Acey - GAMEBOY ADVANCE

The following was posted on darkfader.net

I want to say sorry to everyone out there. I should have realized the impact. Not just few DS'es that were hurt, but all the damn media and whatnot.
I cannot really justify my actions. It was also very selfish to draw some attention, which I tend to do in odd ways.
It caused some harm to some non-targeted and targeted people owning a DS with non-Nintendo-approved hardware.
And that is a terrible thing to do. Even more so with the reputation I had in the DS homebrew scene that now completely abandoned me.
I do not have clear reasons and I can't blame the little headache I had at the time. I just had to realize the idea I had after seeing the PSP variant of a bricker.
The files do not come with any form of name/signature of me, a thing I would do if it could be trusted.
I won't release any more of this crap for DS and I don't think parts of this trojan or the idea itself will emerge in future homebrew releases.
The point is probably clear. Do not run any form of untrusted code that just suddenly appears without any name.
If you only use official Nintendo games, there is absolutely nothing to worry about.
Untrusted code includes ROM loaders and that sort of stuff. It's probably not a very good reason since it has been proven before.
I can tell that the negative feedback is far greater than the positive ones. I received one donation of $6.66 and I'm not proud of it.
One news site completely ignores the r0mloader version and reasoning behind it. grrrrr.
Another common mistake: A TROJAN IS NOT A VIRUS! That means that it does not propagate on its own. And thus non-intrusive.

The trojan was released in two forms:

TROJ_DSBRICK.A, Trojan.DSBrick.A, 151361 bytes, md5sum a959cfa514f4c7162a81421ee99d3356, r0mloader.nds
Version A was intended for the so-called ROM-pirates. Hence the name of the filename and description. It was anonymously posted to just a few IRC channels and one forum. Elsewhere, it was known that it was a trojan.
After doing its thing, it shows a picture of a brick wall. Appropriate to the situation.

TROJ_DSBRICK.B, Trojan.DSBrick.B, 548673 bytes, md5sum 8e7a3728759df265ca3a78553cf27bb8, taihen.nds
Version B was not really released into public and should rarely be seen. It was only directly released in a closed IRC channel with prior notice of what it did and a comment that might have triggered some (less evil than me) persons to pass it along.
After doing its thing, it cycles through five attractive drawings.

I cannot control the propagation of the files or the names it might be disguised as.

Ok, on to the more technical details:
The trojan _tries_ (but does not definitely succeed) to:
* Erase DS firmware. Practically the first 64 KBytes are write-protected and thus is recoverable when the FlashMe firmware was installed.
* Erase first few sectors of CompactFlash card inside GBA movieplayer. You can try to sort out your data sectors if you really want something back.
* Erase GBA movieplayer firmware. Fairly easy to fix using flashmp utility.
* Erase Supercard firmware. A fix is currently being worked on.
* Erase XG/Neo flash card. Seems it was forgotten to be mentioned in r0mloader.txt.
If you have a legal use for these functions like testing recovery tools, you're welcome.

Here are some fixing utilities and links:
ppflash.zip - Contains info, sourcecode and binary to flash the fail-safe loader also contained in FlashMe using a parallel port connection. Some soldering skills are required to perform this operation. Don't worry about voiding your warranty because you already have according to the DS manuals.
FlashMe - The page to get FlashMe. You can't survive without it.
flashmp.zip - Firmware flasher for GBA Movie Player. Supports writing to Supercard, but the included firmware IS NOT WORKING probably because of a bad firmware dump! If you have an original firmware version and Flash Advance Linker, let me know.
Probably more to come.
You can easily detect the two DSbrick variants by using the following command:
grep -F -U -f DSbrick.signature FileToBeTested.nds
A good way to prevent malicious firmware access is to keep a record of known ARM7 binaries. This could be incorporated into ndstool.
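
One way to keep the "record of known ARM7 binaries" suggested at the end of the post above, as an added example that is not part of the original post and not ndstool code. It assumes the standard NDS header layout (ARM7 ROM offset at 0x30, size at 0x3C); the function names, the SHA-256 allow-list and the sample images are constructed for illustration, and the two MD5 values are the ones listed in the post.

```python
import hashlib
import struct

# Whole-file MD5 values for the two variants, as listed in the post above.
DSBRICK_MD5 = {
    "a959cfa514f4c7162a81421ee99d3356": "Trojan.DSBrick.A (r0mloader.nds)",
    "8e7a3728759df265ca3a78553cf27bb8": "Trojan.DSBrick.B (taihen.nds)",
}
HEADER_MIN = 0x40  # the ARM7 fields end at offset 0x40 in the NDS header


def extract_arm7(rom: bytes) -> bytes:
    """Return the ARM7 binary using the header's offset (0x30) and size (0x3C)."""
    if len(rom) < HEADER_MIN:
        raise ValueError("file too short for an NDS header")
    offset, _entry, _ram, size = struct.unpack_from("<4I", rom, 0x30)
    if size == 0 or offset < HEADER_MIN or offset + size > len(rom):
        raise ValueError("ARM7 offset/size point outside the file")
    return rom[offset:offset + size]


def check_rom(rom: bytes, known_arm7: set) -> str:
    """Classify an image: known-bad file, allow-listed ARM7, unknown, or malformed."""
    md5 = hashlib.md5(rom).hexdigest()
    if md5 in DSBRICK_MD5:
        return "known-bad: " + DSBRICK_MD5[md5]
    try:
        arm7 = extract_arm7(rom)
    except ValueError as exc:
        return "malformed: " + str(exc)
    digest = hashlib.sha256(arm7).hexdigest()
    return "arm7-known" if digest in known_arm7 else "arm7-unknown: " + digest


def build_sample(arm7: bytes) -> bytes:
    """Constructed test image: a 0x200-byte header area followed by the ARM7 blob."""
    header = bytearray(0x200)
    struct.pack_into("<4I", header, 0x30, 0x200, 0x02380000, 0x02380000, len(arm7))
    return bytes(header) + arm7


if __name__ == "__main__":
    trusted = build_sample(b"\x00" * 64)  # constructed; stands in for a vetted build
    allow = {hashlib.sha256(extract_arm7(trusted)).hexdigest()}
    print(check_rom(trusted, allow))
    print(check_rom(build_sample(b"\xff" * 64), allow))
    print(check_rom(b"short", allow))
```

An "arm7-unknown" result is not a detection by itself; it only means the ARM7 code, which is the side that can reach the firmware, has not been reviewed and recorded yet.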

Snc

it won't change what he has done.

DeVS

Quote from: "Snc"it won't change what he has done.

Ya but people are going to have to get over it. Funny how 10 GREAT things he has done for the scene are easily forgotten after 1 bad thing. 99% of the people who are bitching now, probably never took the time or as much effort to thank him for the good things he has done. I don't agree with the bricker being released, but as they say, let he who hasn't sinned cast the first stone, lol. Takes a big man to admit his mistakes.
Laugh Hard, It's A Long Ways To The Bank

NT

Quote from: "DeVS"
Takes a big man to admit his mistakes.

Reaperman93010

he slipped up once, but his work getting information about the link port out there was extremely helpful--that's just one I've stumbled over in the days since his mistake.

Looks like the only major damage was to supercard firmware, everything else can be recovered.  I suppose this means the 'bricks' he ended up making were a lot smaller and less expensive.  Now that the major antivirus programs have a def for it, it's pretty easy to make sure we're all clean.

I don't have a problem with his mistake, and he gets to be known as the first person to make a virus for a handheld game system.

DeVS

Quote from: "Reaperman93010"Now that the major antivirus programs have a def for it, it's pretty easy to make sure we're all clean.

I don't have a problem with his mistake, and he gets to be known as the first person to make a virus for a handheld game system.

I think you're confused. The PSP had the first virus/bricker and it's the PSP virus that has an antivirus def not the DS one.

socket

Quote from: "darkfader.net"
TROJ_DSBRICK.A, Trojan.DSBrick.A, 151361 bytes, md5sum a959cfa514f4c7162a81421ee99d3356, r0mloader.nds
Version A was intended for the so-called ROM-pirates. Hence the name of the filename and description. It was anonymously posted to just a few IRC channels and one forum. Elsewhere, it was known that it was a trojan.
After doing its thing, it shows a picture of a brick wall. Appropriate to the situation.

TROJ_DSBRICK.B, Trojan.DSBrick.B, 548673 bytes, md5sum 8e7a3728759df265ca3a78553cf27bb8, taihen.nds
Version B was not really released into public and should rarely be seen. It was only directly released in a closed IRC channel with prior notice of what it did and a comment that might have triggered some (less evil than me) persons to pass it along.
After doing its thing, it cycles through five attractive drawings.
Check the links..

DeVS

Ahh ok thanks. PSP was still first handheld system with virus. I take it only Norton is using the def? I use AVG and I guess they aren't getting the def?

754boy

Quote from: "DeVS"
Quote from: "Snc"it won't change what he has done.

Ya but people are going to have to get over it.

Let's see if you would be saying that if your DS was one of the ones that got fucked up. I really appreciate all that DF has done for the community but this, KNOWINGLY damaging the personal property of his own fans was a step too far. I can forgive him cuz my DS wasn't bricked but there are a lot of others who are out of $120+ bucks who can't.

DeVS

They all know/knew the risk in tampering with the DS. The ones bitching about being out $125 are the same ones that say FU to game companies by downloading roms, they don't care if someone is out money unless it's themselves. Don't give us the crap about homebrew this or that, 99% of the market for mod chips in any console is for 1 purpose, free games, homebrew is a nice side effect. If you bricked your DS then just take it as payback for all the games, movies and mp3's you download illegally, lol, and wait for a fix to come out.

ivanbbq

"You can easily detect the two DSbrick variants by using the following command:
grep -F -U -f DSbrick.signature FileToBeTested.nds"

anybody ever tried this method to test whether a rom is infected?
does it work? and what files are actually needed to do the test?

look

get a linux box/hosting account and a copy of the sig and your infected rom in the same directory and run that command

it will spew out the sig as output

socket


ivanbbq

Quote from: "socket"grep is in winxp as well.

um.. i don't know, i am using win xp, but i can't run grep in command prompt.

anyway, i downloaded the grep-2.5.1a.exe from darkfader's website.
does it really work?

socket

hmm, i didn't install it... it is on my home and work computers... interesting.