Upload File

nindendo ds - introduction and hacking...replaying a complete game download, only exchanging the...

31
Nindendo DS Introduction and Hacking [email protected], mm, [email protected] Chaos Computer Club Cologne e.V. http://koeln.ccc.de 29.12.2006 [email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 1 / 31

Upload: others

Post on 11-Nov-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Nindendo DSIntroduction and Hacking

[email protected], mm, [email protected]

Chaos Computer Club Cologne e.V.http://koeln.ccc.de

29.12.2006

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 1 / 31

Page 2: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 2 / 31

Page 3: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Introduction

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 3 / 31

Page 4: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Introduction

Introduction

"‘Nintendo sold 26.82 million units of the Nintendo DS"’(N-Sider.com, 01.12.2006)

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 4 / 31

Page 5: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Introduction

Hardware

2 TFT LCD screens, each 256x192 pixels resolution, lower onetouch-sensitiveMain CPU: ARM946E-S (66 MHz)Co-processor: ARM7TDMI (33 MHz) (GBA)4MB main memoryWi-Fi 802.11b, simple proprietary "‘NiFi"’ protocol for local games,standard TCP/IP for internet playA/B/X/Y/L/R Buttons, Start, Select, digital control padintegrated microphone and stereo speakersUp to 10 hours of battery life (proprietary Li-Ion battery pack)GBA slot, NDS slot (Slot-1)

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 5 / 31

Page 6: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Introduction

GBA

Main CPU: ARM7Co-processor: Z80 (Gameboy)Usual stuff . . .No copyprotection

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 6 / 31

Page 7: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Introduction

Gameboy Timeline

1989, 1998

2001, 2003, 2005

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 7 / 31

Page 8: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Introduction

Nintendo Firmware

includes basic GUI for user settings and PictoChatCommunication between DS and cartridges in Slot-1 is encrypted,only game header is read unencrypted.Downloaded games need to be RSA signedflashable by NDS code only

JumperThe first area of the firmware is read-only. A jumper needs to beshortened to gain write access.

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 8 / 31

Page 9: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 9 / 31

Page 10: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

GBA Flash Cards

There are several ways to enable the first homebrewn codeexecution.Many people still have their GBA flash cards.

: use the GBA slot to run NDS code from an SD card.

EZ IV Lite G6 Flash M3 SD Slim

Problem: How to run DS code from the GBA slot?

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 10 / 31

Page 11: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

Subverting Download Play: WiFiMe

Uses a conceptual error in the download play code.When sending the code for download play the hosting DS sends aRSA frame, which includes:

Signature block for the following NDS header, ARM7 and ARM9code.ARM9 execute addressARM7 execute addressand some other uninteresting stuff. . .

The RSA frame itself is not signed!

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 11 / 31

Page 12: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

WiFiMe

Replaying a complete game download, only exchanging the ARM7 andARM9 execute address.

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 12 / 31

Page 13: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

Subverting Game Copy Protection: PassMe

Patches original ROM header to start from GBA slotIt’s possible to run homebrew codeHardware solution, tricks DS into authenticating a commercialgame

Passme

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 13 / 31

Page 14: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

Nintendo Fixes Bugs

Newer versions of the DS are ‘fixed’ to defeat WiFiMe and PassMe.Download play does not trust the execution address in the RSAanymore. Firmware does not let cartridges specify a start address inthe GBA address space.The homebrew community reacts: PassMe2. . .

PassMe2

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 14 / 31

Page 15: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

PassMe2

Update of PassMe, works with newer firmware versionsUses evil tricks to achieve the same goal as PassMeSince it can not let the firmware jump directly to the GBA addressspace, it lets the firmware jump somewhere into the game binarywhich let the ARM7 jump into GBA SRAM address spaceSince the instructions are at different places in different games, itneeds to be programmed for the game it will be used withMore evil tricks get us out of GBA SRAM and execute our codefrom the GBA card.

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 15 / 31

Page 16: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Running Your Own Code

Copy Protection Cracked: Slot-1 Flash Cards / NoPass

NoPass is a equivalent to a PassMe, but it needs no game and fitscompletly into the NDS slot.Newer flash cards use the NDS slot to run NDS code, possiblebecause encryption was reverse engineered.

Ninja DS / DS-Xtreme / Magic Key / M3 Simply

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 16 / 31

Page 17: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Homebrew

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 17 / 31

Page 18: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Homebrew

FlashMe

FlashMe was developed by "‘Loopy, FireFly und DarkFader"’. It allowsto run NDS code from the GBA slot.

Homebrew software"‘Pirated"’ gameWiFi games workrestore function (Un-Bricker) fits into write protected firmwarespaceno more RSA signature check on download playno health warning screen anymore (optional)

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 18 / 31

Page 19: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Homebrew

Homebrew

DSOrganizeMoonshellWiFi-lib. . .

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 19 / 31

Page 20: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

DSLinux

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 20 / 31

Page 21: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

DSLinux

Linux On Every Device!

DSLinux is a Linux port for the Nintendo DS mainly developed byMalcolm ‘pepsiman’ Parsons, Stefan ‘stsp’ Sperling and Wolfgang‘Amadeus’ Muess.

The DS has no MMU, so DSLinux is based on uClinuxPreferred port now uses the RAM present on the SuperCard/M3,so DSLinux has 36MB of RAM available.Thus currently support for Slot-1 flash cards is not plannedSupports all DS hardware (except sound input)Currently no GUI

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 21 / 31

Page 22: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

DSLinux

Linux Applications

busyboxdropbear SSHlinks with SSL supportbitchX IRC clientmadplaybsdgames

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 22 / 31

Page 23: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Emulators

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 23 / 31

Page 24: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Emulators

EmulatorsEmulating The NDS

Dualis - DS emulator for windows, emulates only demos and noNDS dumpsiDeaS - DS emulator for windows, emulates demos and NDSdumpsDeSmuME - OpenSource DS emulator, runs demos and NDSdumps, also available for linuxNO$GBA - small and fast GBA/NDS emulator for DOS/Windows

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 24 / 31

Page 25: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Emulators

EmulatorsNDS Emulating Other Devices

SnezziDS - SNES emulatorsnesDS - SNES emulatorPocketSPC - SNES sound chip emulatornesDS - NES emulatorScummVM DS - ScummVM PortCalcEmu - emulates the TI 85 calculator

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 25 / 31

Page 26: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Games

Outline

1 Introduction

2 Running Your Own Code

3 Homebrew

4 DSLinux

5 Emulators

6 Games

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 26 / 31

Page 27: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Games

WFCNintendo WiFi Connection

Multiplayer uses an ad-hoc W-LAN or Nintendo’s WFC via the internet.

some games use gamespy master serversP2P games like Mario KartAuthentication with the WFC uses SSLv3 (+ server certificatecheck)NDS ID + Game ID ?Authentication with WFC enables the NDS IP to use T-Onlinehotspots in Germany without a fee!Hey, look! The URL in the ROM is in plaintext...

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 27 / 31

Page 28: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Games

Games

"‘Not to mention that there are actual games out for it."’(slashdot.org)

Actually, DS games are pretty fun!

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 28 / 31

Page 29: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Games

Gamez

December 2006:Europe 228 titles

USA 312 titlesJapan 443 titles

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 29 / 31

Page 30: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Future

Future

reliable Slot-1 flash cards.Linux GUI and applicationsmore WiFi homebrewDS-PSP WiFi multiplayer?. . .

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 30 / 31

Page 31: Nindendo DS - Introduction and Hacking...Replaying a complete game download, only exchanging the ARM7 and ARM9 execute address. marcel@koeln.ccc.de, mm, tobias@koeln.ccc.de (CCC) Nindendo

Future

Literature and Links

http://wiki.pocketheaven.com/

http://masscat.afraid.org/ninds/wifi_investigation.php

http://akkit.org/dswifi/

http://darkfader.net/ds/

http://devkitpro.org/

http://www.bottledlight.com/ds/ (NDS Tech Wiki)

[email protected], mm, [email protected] (CCC) Nindendo DS 29.12.2006 31 / 31

http://wiki.pocketheaven.com/
http://masscat.afraid.org/ninds/wifi_investigation.php
http://masscat.afraid.org/ninds/wifi_investigation.php
http://akkit.org/dswifi/
http://darkfader.net/ds/
http://devkitpro.org/
http://www.bottledlight.com/ds/

Introducing Network Analysis - TechTargetmedia.techtarget.com/searchEnterpriseLinux/... · Capturing and replaying Voice over IP telephone conversations Mapping a network Passive

TI Sitara ™ ARM ® Cortex ™ -A8 & ARM9 ™ Quick Overview Aug 2011

(Re)Mark(s) of the Ninja: Replaying the Remnants · “groundbreaking” retro-aesthetics of Castlevania: ... ludophiliac gamer ... rewarded collection of mythical ancient scrolls

bdiGDB for BDI2000 ARM7 / ARM9 version - ultsol.com · • New configuration parameter (STARTUP) added, see user‘s manual for more information. ... bdiGDB for BDI2000 ARM7 / ARM9

Cirrus Logic Announces New ARM9-Based Embedded Processor

FOXBOX MINI › ... › FoxBox_MINI_info_brochure.pdf · 2016-11-30 · Informational brochure . DUAL SIM HARDWARE SMS GATEWAY FOXBOX MINI PROCESSOR ARM9 @ 400Mhz on Atmel AT91SAM9G25

FEATURES High Speed ARM9 System- on-Chip Processor with MaverickCrunch

DMM107 Capturing and Replaying Workload in SAP HANA · 2016. 9. 14. · SAP HANA SPS12 Basic functionality Capturing, preprocessing, and replaying of workload Filtering of captured

Capturing the Future by Replaying the Past (Functional Pearl)gallium.inria.fr/~scherer/research/replay/replay-icfp18.pdf · 2018-07-18 · 76 Capturing the Future by Replaying the

Scherer Balázs - mit.bme.hu · PDF fileOS_Q.c uCOS_II.h µµµµC-OS ... oARM7, ARM9, CortexM3 oAtmel AVR, AVR32 oPIC18, PIC24, dsPIC, PIC32 oMicroblase

Seminar of Advanced Exploitation Techniques, WS 2006…eh2008.koeln.ccc.de/fahrplan/attachments/1068_SEAT1394-svn-r432... · Introduction Accessing memory Virtual address spaces Gathering

Replaying and Isolating Failing Multi-Object Interactions

The Ambient Wood Journals-Replaying the Experience

Access Control PAC iEVO Fingerprint Reader Series Resources/PAC...Fingerprint Reader Indoor/ Outdoor Biometric Fingerprint Reader CPU ARM9 ARM9 Memory RAM 16mb FLASH 32mb RAM 16mb

Adaptive Nonlinear Video Editing: Retargeting, …yuhuang/papers/VideoEditingOverview09.pdf- 3 - Adaptive Nonlinear Video Editing: Retargeting, Replaying, Repainting and Reusing (R

ARM9 Architecture.pdf

DNS - koeln.ccc.de fileDNS FelixvonLeitner CCCBerlin [email protected] Dezember2000 Zusammenfassung DNS ist nach dem Routing der Schl¨ussel zum Internet. Dank ICANN hat fast jeder davon

Ethernet/CAN Interface EtherCAN CI­ ARM9/ · PDF fileA­9 Ethernet/CAN‑Interface EtherCAN CI

U23 2016 - Reverse Engineering - C4 Wiki · U23 2016 - Reverse Engineering Andy [email protected] November 15, 2016

ARM7 and ARM9 Emulation and Analysis Solutions for ...application-notes.digchip.com/018/18-26068.pdf · ARM7 and ARM9 Emulation and Analysis Solutions for Microprocessors Product

Replaying Life's Tape evolution

EeePC Hardware Hacking - Chaos Computer Clubeh2008.koeln.ccc.de/fahrplan/attachments/1093_hackeee.pdfEeePC Hardware Hacking Risktaker March 24, 2008. Inhaltsverzeichnis Hardware Default

REPLAYING THE STORY - Giving to Michigan State Universitygivingto.msu.edu/media/stories-archive/pdf/Developments_Winter2017.pdfUniversity Advancement University Development Spartan

Nano PC User's Manual - arm9.net

At91-Arm9 Board Design Faq 2006-08-30

µC/OS-II, The Real-Time Kernels and the ARM7 / ARM9 Jean J. Labrosse

Replaying Reports - Denver SAS Users Group

Low-cost i.MX28 ARM9 Development Board and CPU Module

Www.Micrium.com µC/OS-II, The Real-Time Kernels and the ARM7 / ARM9 Jean J. Labrosse

78Q8430 ARM9 (920T) Embest Evaluation Board User Manual

Atmel SAM9G & SAM9X ARM9 Development Boards and CPU Modules

Carving and Replaying Differential Unit Test Cases from

Contingency and determinism in evolution: Replaying life s

ARM9 20T lab manual

The Ambient Wood Journals- Replaying the Experience Mark Weal ([email protected]) IAM Group, University of Southampton Mark J. Weal, Danius T. Michaelides,