Skip to content

Commit

Permalink
Files upload
Browse files Browse the repository at this point in the history
  • Loading branch information
zoogie authored and zoogie committed Jun 23, 2019
1 parent 94de247 commit 5871c63
Show file tree
Hide file tree
Showing 13 changed files with 2,553 additions and 2 deletions.
55 changes: 55 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
#---------------------------------------------------------------------------------
.SUFFIXES:
#---------------------------------------------------------------------------------
ifeq ($(strip $(DEVKITARM)),)
$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
endif

export TARGET := $(shell basename $(CURDIR))
export TOPDIR := $(CURDIR)

# specify a directory which contains the nitro filesystem
# this is relative to the Makefile
NITRO_FILES :=

# These set the information text in the nds file
GAME_TITLE := dumpTool
GAME_SUBTITLE1 := zoogie
GAME_SUBTITLE2 := Dump DSi NAND w/ nocash footer

include $(DEVKITARM)/ds_rules

.PHONY: checkarm7 checkarm9 clean

#---------------------------------------------------------------------------------
# main targets
#---------------------------------------------------------------------------------
all: checkarm7 checkarm9 $(TARGET).nds

#---------------------------------------------------------------------------------
checkarm7:
$(MAKE) -C arm7

#---------------------------------------------------------------------------------
checkarm9:
$(MAKE) -C arm9

#---------------------------------------------------------------------------------
$(TARGET).nds : $(NITRO_FILES) arm7/$(TARGET).elf arm9/$(TARGET).elf
ndstool -c $(TARGET).nds -7 arm7/$(TARGET).elf -9 arm9/$(TARGET).elf \
-b $(GAME_ICON) "$(GAME_TITLE);$(GAME_SUBTITLE1);$(GAME_SUBTITLE2)" \
$(_ADDFILES)

#---------------------------------------------------------------------------------
arm7/$(TARGET).elf:
$(MAKE) -C arm7

#---------------------------------------------------------------------------------
arm9/$(TARGET).elf:
$(MAKE) -C arm9

#---------------------------------------------------------------------------------
clean:
$(MAKE) -C arm9 clean
$(MAKE) -C arm7 clean
rm -f $(TARGET).nds $(TARGET).arm7 $(TARGET).arm9
2 changes: 0 additions & 2 deletions README.md

This file was deleted.

27 changes: 27 additions & 0 deletions README.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
Directions:
Just boot the dumpTool.nds app and press A.
It will dump a nand.bin with nocash footer to your dsi at
DT010203040A0B0C0D/nand.bin
The folder will be next to wherever you put dumpTool.nds. And obviously, your foldername will have different characters. It's console-unique.

General Info:
This tool should create a nand.bin identical to fwTool.nds 2.0. The same holds true for its nand.bin.sha1 file as well.
If this isn't the case in your neck of the woods, please make an issue :)
(note that identical nands can only occur if both app's output are compared in the same hbmenu session; booting to dsi home menu in between will undoubtably change NAND contents)

Features:
- Completely open source.
- Lots of checks, including verifying the nocash footer will decrypt the outputed NAND. Low battery and insufficient SD space are also checked.
- Project has a permissive license, and more importantly, its dev is permissive. I don't care what's done with this post-release as long as credit is given.
- Simple operation. Just press A and watch it go.
- You can cancel the dump in progress. The incomplete nand will be cleaned up.
- A little bit faster than fwTool. Should complete in about 7 minutes.

Thanks:
Martin Korth (nocash) - Documenting the consoleID dumping method on GBAtek.
Tinivi - Borrowed his 3ds mode (arm9) aes function from https://github.com/TiniVi/AHPCFW/
WulfyStylez - Loosely followed his method for nocash footer verification in twlTool:
https://gbatemp.net/threads/release-twltool-dsi-downgrading-save-injection-etc-multitool.393488/ (attachment has source code)
neimod - Taddy dsi aes functions (dsi.c/h) https://github.com/neimod/dsi/tree/master/taddy (this inlcludes some polarssl files (aes.c/h) and that is GPL v2, info in aes.h)


126 changes: 126 additions & 0 deletions arm7/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
#---------------------------------------------------------------------------------
.SUFFIXES:
#---------------------------------------------------------------------------------
ifeq ($(strip $(DEVKITARM)),)
$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
endif

include $(DEVKITARM)/ds_rules

#---------------------------------------------------------------------------------
# BUILD is the directory where object files & intermediate files will be placed
# SOURCES is a list of directories containing source code
# INCLUDES is a list of directories containing extra header files
# DATA is a list of directories containing binary files
# all directories are relative to this makefile
#---------------------------------------------------------------------------------
BUILD := build
SOURCES := source
INCLUDES := include build
DATA :=

#---------------------------------------------------------------------------------
# options for code generation
#---------------------------------------------------------------------------------
ARCH := -mthumb-interwork

CFLAGS := -g -Wall -O0\
-mcpu=arm7tdmi -mtune=arm7tdmi -fomit-frame-pointer\
-ffast-math \
$(ARCH)

CFLAGS += $(INCLUDE) -DARM7
CXXFLAGS := $(CFLAGS) -fno-rtti -fno-exceptions -fno-rtti


ASFLAGS := -g $(ARCH)
LDFLAGS = -specs=ds_arm7.specs -g $(ARCH) -Wl,-Map,$(notdir $*).map

LIBS := -ldswifi7 -lmm7 -lnds7

#---------------------------------------------------------------------------------
# list of directories containing libraries, this must be the top level containing
# include and lib
#---------------------------------------------------------------------------------
LIBDIRS := $(LIBNDS)


#---------------------------------------------------------------------------------
# no real need to edit anything past this point unless you need to add additional
# rules for different file extensions
#---------------------------------------------------------------------------------
ifneq ($(BUILD),$(notdir $(CURDIR)))
#---------------------------------------------------------------------------------

export ARM7ELF := $(CURDIR)/$(TARGET).elf
export DEPSDIR := $(CURDIR)/$(BUILD)

export VPATH := $(foreach dir,$(SOURCES),$(CURDIR)/$(dir))

CFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
CPPFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
SFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
BINFILES := $(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))

export OFILES := $(addsuffix .o,$(BINFILES)) \
$(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)

export INCLUDE := $(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
-I$(CURDIR)/$(BUILD)

export LIBPATHS := $(foreach dir,$(LIBDIRS),-L$(dir)/lib)

#---------------------------------------------------------------------------------
# use CXX for linking C++ projects, CC for standard C
#---------------------------------------------------------------------------------
ifeq ($(strip $(CPPFILES)),)
#---------------------------------------------------------------------------------
export LD := $(CC)
#---------------------------------------------------------------------------------
else
#---------------------------------------------------------------------------------
export LD := $(CXX)
#---------------------------------------------------------------------------------
endif
#---------------------------------------------------------------------------------

.PHONY: $(BUILD) clean

#---------------------------------------------------------------------------------
$(BUILD):
@[ -d $@ ] || mkdir -p $@
@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile

#---------------------------------------------------------------------------------
clean:
@echo clean ...
@rm -fr $(BUILD) *.elf


#---------------------------------------------------------------------------------
else

DEPENDS := $(OFILES:.o=.d)

#---------------------------------------------------------------------------------
# main targets
#---------------------------------------------------------------------------------
$(ARM7ELF) : $(OFILES)
@echo linking $(notdir $@)
@$(LD) $(LDFLAGS) $(OFILES) $(LIBPATHS) $(LIBS) -o $@


#---------------------------------------------------------------------------------
# you need a rule like this for each extension you use as binary data
#---------------------------------------------------------------------------------
%.bin.o : %.bin
#---------------------------------------------------------------------------------
@echo $(notdir $<)
@$(bin2o)

-include $(DEPENDS)

#---------------------------------------------------------------------------------------
endif
#---------------------------------------------------------------------------------------
157 changes: 157 additions & 0 deletions arm7/source/arm7.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
/*---------------------------------------------------------------------------------
derived from the default ARM7 core
Copyright (C) 2005 - 2010
Michael Noland (joat)
Jason Rogers (dovoto)
Dave Murphy (WinterMute)
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any
damages arising from the use of this software.
Permission is granted to anyone to use this software for any
purpose, including commercial applications, and to alter it and
redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you
must not claim that you wrote the original software. If you use
this software in a product, an acknowledgment in the product
documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and
must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source
distribution.
---------------------------------------------------------------------------------*/
#include <nds.h>
#include <stdio.h>
#include <string.h>
#include <dswifi7.h>
#include <maxmod7.h>
#include <nds/bios.h>
#include <nds/arm7/aes.h>

//---------------------------------------------------------------------------------
void VblankHandler(void) {
//---------------------------------------------------------------------------------
Wifi_Update();
}


//---------------------------------------------------------------------------------
void VcountHandler() {
//---------------------------------------------------------------------------------
inputGetAndSend();
}

volatile bool exitflag = false;

//---------------------------------------------------------------------------------
void powerButtonCB() {
//---------------------------------------------------------------------------------
exitflag = true;
}

/*
REG_AESCNT 0x04004400 4
REG_AESBLKCNT 0x04004404 4
REG_AESWRFIFO 0x04004408 4
REG_AESRDFIFO 0x0400440C 4
REG_AESCTR 0x04004420 16
REG_AESMAC 0x04004430 16
REG_AESKEY0 0x04004440 48
REG_AESKEY1 0x04004470 48
REG_AESKEY2 0x040044A0 48
REG_AESKEY3 0x040044D0 48
*/

#define AES_CTR_DECRYPT (2 << 27)

void set_ctr(u32* ctr){
for (int i = 0; i < 4; i++) REG_AES_IV[i] = ctr[3-i];
}

void wait(int ticks){

while(ticks--)swiWaitForVBlank();
}

// 10 11 22 23 24 25
void aes(void* in, void* out, void* iv, u32 method){ //this is sort of a bodged together dsi aes function adapted from this 3ds function
REG_AES_CNT = ( AES_CNT_MODE(method) | //https://github.com/TiniVi/AHPCFW/blob/master/source/aes.c#L42
AES_WRFIFO_FLUSH | //as long as the output changes when keyslot values change, it's good enough.
AES_RDFIFO_FLUSH |
AES_CNT_KEY_APPLY |
AES_CNT_KEYSLOT(3) |
AES_CNT_DMA_WRITE_SIZE(2) |
AES_CNT_DMA_READ_SIZE(1)
);

if (iv != NULL) set_ctr((u32*)iv);
REG_AES_BLKCNT = (1 << 16);
REG_AES_CNT |= 0x80000000;

for (int j = 0; j < 0x10; j+=4) REG_AES_WRFIFO = *((u32*)(in+j));
while(((REG_AES_CNT >> 0x5) & 0x1F) < 0x4); //wait for every word to get processed
for (int j = 0; j < 0x10; j+=4) *((u32*)(out+j)) = REG_AES_RDFIFO;
//REG_AES_CNT &= ~0x80000000;
//if (method & (AES_CTR_DECRYPT | AES_CTR_ENCRYPT)) add_ctr((u8*)iv);
}

//---------------------------------------------------------------------------------
int main() {
//---------------------------------------------------------------------------------

//readUserSettings();
irqInit();
fifoInit();
//mmInstall(FIFO_MAXMOD);
//initClockIRQ(); // Start the RTC tracking IRQ
//SetYtrigger(80);
//installWifiFIFO();
//installSoundFIFO();
installSystemFIFO();
irqSet(IRQ_VCOUNT, VcountHandler);
irqSet(IRQ_VBLANK, VblankHandler);
irqEnable( IRQ_VBLANK | IRQ_VCOUNT | IRQ_NETWORK);
//setPowerButtonCB(powerButtonCB);

u8 base[16]={0};
u8 in[16]={0};
u8 iv[16]={0};
u8 *scratch=(u8*)0x02300200;
u8 *out=(u8*)0x02300000;
u8 *key3=(u8*)0x40044D0;

aes(in, base, iv, 2);

//write consecutive 0-255 values to any byte in key3 until we get the same aes output as "base" above - this reveals the hidden byte. this way we can uncover all 16 bytes of the key3 normalkey pretty easily.
//greets to Martin Korth for this trick https://problemkaputt.de/gbatek.htm#dsiaesioports (Reading Write-Only Values)
for(int i=0;i<16;i++){
for(int j=0;j<256;j++){
*(key3+i)=j & 0xFF;
aes(in, scratch, iv, 2);
if(!memcmp(scratch, base, 16)){
out[i]=j;
//hit++;
break;
}
}
}

fifoSendValue32(FIFO_USER_01, 42);//just signal to the arm9 that everything's ready. the value doesn't matter

// Keep the ARM7 mostly eric idle
while (!exitflag) {
if ( 0 == (REG_KEYINPUT & (KEY_SELECT | KEY_START | KEY_X | KEY_Y))) {
exitflag = true;
}
swiWaitForVBlank();
}

return 0;
}
Loading

0 comments on commit 5871c63

Please sign in to comment.