User:Kuhprii/History on the DS hacking scene: Difference between revisions
Sources:
* https://gbatemp.net/threads/wondering-about-the-timeline-of-ds-hacking.663789/
* https://darkfader.blogspot.com/2005/
* https://pineight.com/ds/pass/#passme
* https://www.gameboy-advance.net/nintendo_ds/passme.htm
Latest revision as of 15:48, 4 August 2025
Discontinued as of now; I don't know if I will work on it for a bit. Anyone, feel free to
The Release of the Nintendo DS
The Nintendo DS was released on November 21, 2004.
2005
The first pass-through (January)
The developer DarkFader got his hands on a Nintendo DS and wanted to hack it. Others in the community had started capturing the traffic between the console and the cartridge (I assume the Metroid Demo). DarkFader saw header data as well as encrypted data, and worked out that the RSA noted on the back did not apply to the actual cartridge data.
He then programmed an FPGA to build a pass-through that let him capture and alter the data traffic from the cartridge. The hardware was an etched PCB that plugged into the DS slot and a cut-down GBC connector that held the DS cartridge. By altering the header he found that he could run his own code from the Game Boy Advance slot.
Once he could run his own code, he wrote a program that modified a string of text in the Metroid Demo and then let the game continue executing. That was the first pass-through.
The first PassMe device (February)
A developer by the name of Natrium42 made a pass-through based on DarkFader's FPGA design. It is similar to a Game Genie: it sits between the console and the cartridge and alters the NDS cartridge header on the fly, changing the run address so that it points into the GBA slot. The main difference from DarkFader's FPGA board was that PassMe was more refined.
WiFiMe (April)
WiFiMe brought a new way to run homebrew: through DS Download Play. The method required a specific wireless network card (Ralink RT2560) and a PC program called WMB (Wireless Multiboot), which uploads the homebrew to the console over DS Download Play. It works because the first version of DS Download Play took its run address from a header that was not covered by the digital signature over the rest of the code. WiFiMe itself is a DS Download Play program extracted from SM64DS with its run address changed to point at the GBA slot. This let WMB act as the host DS and send the still validly signed program to the console, which then jumped into the GBA slot.
Note: Needs to be rewritten?
FlashMe (Spring, Unknown Month)
FlashMe is a modified version of the Nintendo DS firmware that checks the Game Boy Advance slot for DS code and boots it if present. It also removes the signature check from DS Download Play, allowing users to send programs without a Nintendo signature via WMB.
Nintendo's fixes
Nintendo fixed these vulnerabilities in firmware version 4. They added range checks to the DS card startup code, which blocked PassMe devices, and moved DS Download Play's run address into the signed section, which blocked WiFiMe. The BIOS, however, still had a vulnerability that allowed execution to be redirected into GBA SRAM space. It was also discovered that the Nintendo Wi-Fi code overwrote an area of the firmware; the original FlashMe developers did not know this, and Mario Kart DS, with its Wi-Fi code, was bricking people's consoles.
PPFlash (Add later, Unknown month and season)
filler
PassMe2 (October)
PassMe2 uses the same hardware as the original, but with a new program on the CPLD. That program changes the header's run address to point at a BIOS call, which in turn jumps to shellcode placed in the GBA SRAM. (Maybe add more)
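As an added illustration of what the pass-through devices above actually changed in the cartridge header, and of what the firmware version 4 range check rejects, here is a small C program. It is example code written for this page, not DarkFader's, Natrium42's or Nintendo's code. It constructs a minimal NDS cartridge header with the documented ARM9/ARM7 entry-address fields and the header CRC-16, applies a PassMe-style rewrite of the ARM9 run address into GBA slot ROM space while keeping the checksum valid, and then runs the header through two models of a startup check. The allow-list check approximates the firmware v4 range check (the exact bounds Nintendo used are an assumption, not something the page states); the deny-list check is a hypothetical strawman for contrast, and the BIOS-region entry address is a made-up stand-in for PassMe2's trick of pointing the run address at a BIOS routine, included to show why an allow-list on the run address is the stronger fix. The memory-map constants come from the public DS documentation.

```c
/* Added example: NDS header run-address patching vs. firmware-side range checks.
 * Not code from the page or from any of the projects it describes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDS_HEADER_SIZE 0x200
#define OFF_ARM9_ENTRY  0x24   /* ARM9 entry (run) address field */
#define OFF_ARM7_ENTRY  0x34   /* ARM7 entry (run) address field */
#define OFF_HEADER_CRC  0x15E  /* CRC-16 over header bytes 0x000..0x15D */

/* DS memory map (public documentation; ARM9 view unless noted) */
#define MAIN_RAM_START  0x02000000u
#define MAIN_RAM_END    0x02400000u   /* 4 MiB main RAM */
#define ARM7_WRAM_START 0x037F8000u   /* shared WRAM + ARM7 WRAM (ARM7 view) */
#define ARM7_WRAM_END   0x03810000u
#define GBA_ROM_START   0x08000000u   /* GBA slot ROM space: where PassMe redirects execution */
#define GBA_SRAM_START  0x0A000000u   /* GBA slot SRAM: where PassMe2 keeps its shellcode */
#define GBA_SRAM_END    0x0A010000u
#define ARM9_BIOS_START 0xFFFF0000u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* CRC-16, reflected polynomial 0xA001, initial value 0xFFFF (the CRC-16/MODBUS
 * variant), which is the checksum the DS uses for its cartridge header. */
uint16_t nds_crc16(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* The firmware verifies the header CRC, so any header patch must refresh it. */
void nds_fix_header_crc(uint8_t *hdr) {
    uint16_t c = nds_crc16(hdr, OFF_HEADER_CRC);
    hdr[OFF_HEADER_CRC] = (uint8_t)c;
    hdr[OFF_HEADER_CRC + 1] = (uint8_t)(c >> 8);
}

int nds_header_crc_ok(const uint8_t *hdr) {
    uint16_t stored = (uint16_t)(hdr[OFF_HEADER_CRC] | (hdr[OFF_HEADER_CRC + 1] << 8));
    return nds_crc16(hdr, OFF_HEADER_CRC) == stored;
}

/* Constructed sample header (made-up title/code): only the fields this example
 * reads are filled in, with entry points where a retail cart would have them. */
void make_sample_header(uint8_t *hdr) {
    memset(hdr, 0, NDS_HEADER_SIZE);
    memcpy(hdr, "SAMPLECART  ", 12);          /* game title */
    memcpy(hdr + 0x0C, "ASMP", 4);            /* game code */
    wr32(hdr + 0x20, 0x00004000);             /* ARM9 ROM offset */
    wr32(hdr + OFF_ARM9_ENTRY, 0x02000800);   /* ARM9 entry: main RAM */
    wr32(hdr + 0x28, MAIN_RAM_START);         /* ARM9 load address */
    wr32(hdr + 0x2C, 0x00100000);             /* ARM9 size */
    wr32(hdr + 0x30, 0x00200000);             /* ARM7 ROM offset */
    wr32(hdr + OFF_ARM7_ENTRY, 0x03800000);   /* ARM7 entry: ARM7 WRAM */
    wr32(hdr + 0x38, 0x03800000);             /* ARM7 load address */
    wr32(hdr + 0x3C, 0x00008000);             /* ARM7 size */
    nds_fix_header_crc(hdr);
}

/* What a pass-through does to the header on the fly: rewrite the ARM9 run
 * address and keep the checksum valid. PassMe points it at the GBA slot. */
void set_arm9_entry(uint8_t *hdr, uint32_t entry) {
    wr32(hdr + OFF_ARM9_ENTRY, entry);
    nds_fix_header_crc(hdr);
}

static int in_range(uint32_t a, uint32_t lo, uint32_t hi) { return a >= lo && a < hi; }

int entry_in_main_ram(uint32_t a) { return in_range(a, MAIN_RAM_START, MAIN_RAM_END); }

/* Deny-list model (hypothetical, for contrast): refuse only run addresses in
 * GBA slot space. Anything else, including BIOS addresses, gets through. */
int entry_ok_denylist(const uint8_t *hdr) {
    uint32_t e9 = rd32(hdr + OFF_ARM9_ENTRY), e7 = rd32(hdr + OFF_ARM7_ENTRY);
    return !in_range(e9, GBA_ROM_START, GBA_SRAM_END) && !in_range(e7, GBA_ROM_START, GBA_SRAM_END);
}

/* Allow-list model of the firmware v4 range check: ARM9 entry must be in main
 * RAM, ARM7 entry in main RAM or ARM7 WRAM. Exact bounds are an assumption. */
int entry_ok_allowlist(const uint8_t *hdr) {
    uint32_t e9 = rd32(hdr + OFF_ARM9_ENTRY), e7 = rd32(hdr + OFF_ARM7_ENTRY);
    return entry_in_main_ram(e9) && (entry_in_main_ram(e7) || in_range(e7, ARM7_WRAM_START, ARM7_WRAM_END));
}

/* Bitmask result: bit 0 = retail-like header passes both checks; bit 1 = PassMe-style
 * header fails both; bit 2 = BIOS-region entry (hypothetical PassMe2-like address)
 * fails the allow-list but slips past the deny-list. All three set = 7. */
unsigned run_scenarios(void) {
    uint8_t hdr[NDS_HEADER_SIZE];
    unsigned bits = 0;
    make_sample_header(hdr);
    if (nds_header_crc_ok(hdr) && entry_ok_allowlist(hdr) && entry_ok_denylist(hdr)) bits |= 1u;
    set_arm9_entry(hdr, GBA_ROM_START);            /* PassMe: run from GBA slot ROM */
    if (nds_header_crc_ok(hdr) && !entry_ok_allowlist(hdr) && !entry_ok_denylist(hdr)) bits |= 2u;
    set_arm9_entry(hdr, ARM9_BIOS_START + 0x100);  /* made-up BIOS routine address */
    if (nds_header_crc_ok(hdr) && !entry_ok_allowlist(hdr) && entry_ok_denylist(hdr)) bits |= 4u;
    return bits;
}

static void report(const char *label, const uint8_t *hdr) {
    printf("%-20s entry=0x%08X crc_ok=%d allowlist=%d denylist=%d\n", label,
           rd32(hdr + OFF_ARM9_ENTRY), nds_header_crc_ok(hdr), entry_ok_allowlist(hdr), entry_ok_denylist(hdr));
}

int main(void) {
    uint8_t hdr[NDS_HEADER_SIZE];
    make_sample_header(hdr);                       report("retail-like", hdr);
    set_arm9_entry(hdr, GBA_ROM_START);            report("PassMe-style", hdr);
    set_arm9_entry(hdr, ARM9_BIOS_START + 0x100);  report("BIOS-region entry", hdr);
    printf("scenario bitmask: %u (7 = all as expected)\n", run_scenarios());
    return 0;
}
```

Build with `cc -o ndshdr ndshdr.c && ./ndshdr`. The point of the third row is the design lesson behind Nintendo's fix and PassMe2's answer to it: a check that only forbids the known-bad region (the GBA slot) is bypassed by any other address that eventually reaches attacker-controlled memory, whereas a check that only permits the region legitimate code loads into (main RAM) has nothing to bypass in the header itself, which is why the later attack had to move to a BIOS-level weakness rather than a header trick.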