Acekard 2, not 2i (www.Acekard.com) #125
Comments
Glad to see someone messing with the code and experimenting! I think it's fairly obvious that this isn't a priority to us, but if it makes a nice project for you, I'm glad to give you pointers. Do you have a In general, you'll want to find the blowfish key (which is a bit oddly sized) and where the data for the game it pretends to be is on flash. (This is the reason why we ask for a GM9 dump of the cart -- so we can compare, and so that we can figure out any obfuscation on flash if the ROM isn't plaintext)
This should be the stock dump of the card: And this should be the full dump: I'm snooping around with a hex editor, I'll keep ya updated.
I've already done this with an AK 2.1. The flash commands are the same as HW 81. If the AK 2 is the same, the blowfish key should be located somewhere near the start of the flash (I can't remember exactly where).
The thing is: I don't know what I'm looking for. I see in the original code that I know I'm looking like a script kiddie right now, but I have little to no knowledge about the DS/3DS system.
The AK2 and AK2.1's flash layout is quite different compared to the AK2i's. You're looking for the blowfish P state and S boxes, as well as the location to write FIRM to i.e. where 0x7E00 in the ROM is located in the flash.
I've already found this, actually, I just need to figure out some minor issues..
So the flash is the full dump that flashcart_core is able to read. And I suppose the format is proprietary to the flashcard right?
Yes.
It is 0x1048 bytes long. In the Acekard 2.1, it starts with Anyway, I don't think the Acekard 2/2.1 series is able to serve FIRM to boot9. It seems these cards have a hardcoded response for the KEY1 secure area read commands?
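Added example, not part of the thread and not flashcart_core code: the 0x1048-byte length quoted above equals a Blowfish P-array of 18 words plus four 256-word S-boxes, and one generic way to look for such a table in a flash dump is a sliding-window byte-entropy scan. The dump below is constructed, and the function names, the 4-byte alignment and the little-endian word order are assumptions.

```python
import math
import random
import struct

P_WORDS = 18              # Blowfish P-array: 18 32-bit words
SBOX_WORDS = 4 * 256      # four S-boxes of 256 32-bit words each
TABLE_SIZE = 4 * (P_WORDS + SBOX_WORDS)   # 0x1048, the length quoted in the thread


def scan_for_table(dump, size=TABLE_SIZE, align=4):
    """Return (offset, entropy) of the aligned size-byte window with the highest byte entropy."""
    if len(dump) < size:
        raise ValueError("dump is shorter than one key table")
    f = [0.0] + [c * math.log2(c) for c in range(1, size + 1)]   # f[c] = c*log2(c)
    counts = [0] * 256
    for b in dump[:size]:
        counts[b] += 1
    s = sum(f[c] for c in counts)        # entropy = log2(size) - s/size, so minimise s
    best_off, best_s = 0, s
    for off in range(1, len(dump) - size + 1):
        out_b, in_b = dump[off - 1], dump[off + size - 1]
        if out_b != in_b:                # slide the window one byte, update s incrementally
            s += f[counts[out_b] - 1] - f[counts[out_b]]
            counts[out_b] -= 1
            s += f[counts[in_b] + 1] - f[counts[in_b]]
            counts[in_b] += 1
        if off % align == 0 and s < best_s - 1e-9:
            best_off, best_s = off, s
    return best_off, math.log2(size) - best_s / size


def split_table(blob):
    """Split a candidate into (P-array, [S0..S3]); little-endian words are an assumption."""
    words = struct.unpack("<%dI" % (P_WORDS + SBOX_WORDS), blob)
    sboxes = [words[P_WORDS + 256 * i:P_WORDS + 256 * (i + 1)] for i in range(4)]
    return words[:P_WORDS], sboxes


def make_constructed_dump(table_off=0x3000, total=0x8000, seed=1):
    """Constructed sample: erased flash (0xFF), low-entropy filler, one random table."""
    rng = random.Random(seed)
    dump = bytearray(b"\xff" * total)
    dump[0:0x800] = bytes(i % 64 for i in range(0x800))
    dump[table_off:table_off + TABLE_SIZE] = bytes(rng.getrandbits(8) for _ in range(TABLE_SIZE))
    return bytes(dump)


if __name__ == "__main__":
    off, ent = scan_for_table(make_constructed_dump())
    print("best candidate near 0x%X, entropy %.3f bits/byte" % (off, ent))
```

Compressed or encrypted data scores just as high, and the reported offset is only accurate to within a few words, so the result is a place to start looking in a hex editor rather than a confirmed key location.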
So, this is quite interesting. Given the fact that I don't know anything about the underlying work of ntrboot (or not enough to quite grasp it) and how a flashcard gets reflashed (I get the gist, but again I don't know enough) I tried editing flashcart_core to support the classic Acekard 2 (not the 2i variant).
It gets read as HW Revision 0x40404040 and for some reason GodMode9 can't dump its contents (when no modifications are done). After that I decided that I didn't mind risking bricking it and I went playing with some code. First things first I tried to force it as HW Revision 0x44444444 and nothing happened: it could not read nor write to the flashcard. I then tried to force HW Revision 0x81818181 and lo and behold it flashed! I'm now in the process of attempting an ntrboot, but I'm quite sure it won't work because more work is surely needed. I'll edit as soon as I get some results.
**Update:** Seems to not work, but still. I'll attach a dump of the current flashed cart and some pics of this card.
https://drive.google.com/open?id=1YBsCDzVxE3djYuE7QZpokIS9iE1l1rlP
The memory chip inside is the SST 39VF1681: http://www.microchip.com/wwwproducts/en/SST39VF1681
And the ASIC is the Actel ProASIC 3 A3P250