Difference between revisions of "Card hardware"

From DSiBrew
 
(5 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
= DSi cards =
 +
 +
There are essentially 3 different types of DS/DSi cards:
 +
* Nitro (DS)
 +
* Hybrid (DS & DSi)
 +
* Limited (DSi only)
 +
 +
For Nitro cards, DSi enters backward compatibility mode to ensure an environment similar to an old DS (no cameras, slower clock speed, et cetera).
 +
For Hybrid cards, the software can make use of DSi features when running on a DSi, while reverting back to DS only features when running on a DS.
 +
For Limited cards, the software will only run on a DSi, and cannot be run on a DS.
 +
 +
= Card slot =
 +
The DSi card slot is exactly the same as the old DS card slot (also known as SLOT-1).
 +
 +
However, the DSi has more control over this slot in software than its DS counterpart.
 +
More specifically, the following hardware lines can be controlled (indirectly) in software:
 +
* Power supply (VCC) can be enabled or disabled
 +
* Reset (RST) can be cycled
 +
 +
Being able to reset a card using the hardware RST line is essential for the DSi card protocol.
 +
 +
= Card commands =
 
Here's a set of sample card commands that an old DS sends to a DSi enhanced card upon bootup:
 
Here's a set of sample card commands that an old DS sends to a DSi enhanced card upon bootup:
  
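Review bot: The new "DSi cards" section names the card types Nitro, Hybrid and Limited, but the unchanged sentence right after the added block still says "DSi enhanced card". State which of the three types that is, or use one term throughout, so the sample traces can be tied to a card type.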
Line 21: Line 43:
 
|0000
 
|0000
 
|3C02DD38BEC62AC2
 
|3C02DD38BEC62AC2
| ENTER KEY1
+
| ENTER BLOWFISH MODE
 
|-
 
|-
 
|0910
 
|0910
 
|475C7973528EC62A
 
|475C7973528EC62A
| ENTER KEY2
+
| RESEED LFSR
 
|-
 
|-
 
|0914
 
|0914
Line 53: Line 75:
 
|0910
 
|0910
 
|A75C702DD38EC631
 
|A75C702DD38EC631
| ENTER MAIN
+
| ENTER LFSR MODE
 
|-
 
|-
 
|0004  
 
|0004  
Line 68: Line 90:
 
|}
 
|}
  
Note that the KEY1 and KEY2 commands shown here are already decrypted.
+
Note that the blowfish and lfsr commands shown here are already decrypted.
  
  
Line 95: Line 117:
 
|0000
 
|0000
 
|3CA3BD240F4B7400
 
|3CA3BD240F4B7400
| ENTER KEY1
+
| ENTER BLOWFISH MODE
 
|-
 
|-
 
|09F8
 
|09F8
 
|400008867A9F4B74
 
|400008867A9F4B74
| ENTER KEY2
+
| RESEED LFSR
 
|-
 
|-
 
|0914
 
|0914
Line 123: Line 145:
  
 
So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8.
 
So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8.
After these commands, the sequence changes. A raw all zeroes command is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.
+
After these commands, the card is reset and a new sequence starts. A raw read header command (00) is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as it is impossible to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
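Review bot: The rewritten paragraph says "the card is reset and a new sequence starts" without saying how the reset is issued, and the table that follows starts at "HEADER again" with no RESET row. State whether this is the hardware RST line described under "Card slot" or a 9F command. In the same sentence group, "as it is impossible to decrypt them yet" reads as contradictory; "as they cannot be decrypted yet" says the same thing.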
Line 133: Line 155:
 
|0200  
 
|0200  
 
|0000000000000000
 
|0000000000000000
| HEADER again?
+
| HEADER again
 
|-
 
|-
 
|0000  
 
|0000  
 
|3DBA1F0A0E91C100
 
|3DBA1F0A0E91C100
| ENTER KEY1 again?
+
| ENTER BLOWFISH DSi MODE
 
|-
 
|-
 
|09F8  
 
|09F8  
 
|67DCFB8E9CC369DF
 
|67DCFB8E9CC369DF
| ENTER KEY2 again?
+
| RESEED LFSR
 
|-
 
|-
 
|0914  
 
|0914  
 
|A1FF8184D5312ACD
 
|A1FF8184D5312ACD
| CARDID again?
+
| CARDID again
 
|-
 
|-
 
|19B8  
 
|19B8  
 
|E1B09DEAABE3D960
 
|E1B09DEAABE3D960
| SEC again?
+
| SEC DSi 4
 
|-
 
|-
 
|19B8  
 
|19B8  
 
|082289FB6F52EC75
 
|082289FB6F52EC75
| SEC again?
+
| SEC DSi 5
 
|-
 
|-
 
|19B8  
 
|19B8  
 
|854F68025AAC4B6D
 
|854F68025AAC4B6D
| SEC again?
+
| SEC DSi 6
 
|-
 
|-
 
|19B8  
 
|19B8  
 
|994FAFFDD8993548
 
|994FAFFDD8993548
| SEC again?
+
| SEC DSi 7
 
|-
 
|-
 
|09F8  
 
|09F8  
 
|049D1DB7297CCE7F
 
|049D1DB7297CCE7F
| ENTER MAIN ?
+
| ENTER LFSR MODE
 
|-
 
|-
 
|0004
 
|0004
 
|247D01C82FD0D964
 
|247D01C82FD0D964
| CARDID?
+
| CARDID again
 
|-
 
|-
 
|0200
 
|0200
 
|1300E4799B395232
 
|1300E4799B395232
| ROM READ?
+
| ROM READ  
 
|-
 
|-
 
|0200  
 
|0200  
 
|14C25EC1E7F63C27
 
|14C25EC1E7F63C27
| ROM READ?
+
| ROM READ
 
|-
 
|-
 
|0200  
 
|0200  
 
|BA11CDA5BDB17489
 
|BA11CDA5BDB17489
| ROM READ?
+
| ROM READ  
 
|}
 
|}
  
The command after 0x3D can not be decrypted using the previous KEY1, it is likely that the Blowfish P and/or S arrays are switched with a new set. The 0x9F8 response for this command is identical to the previous ENTER KEY2 command (which is a fixed stream), so it is also very likely that this command is issueing a new LFSR seed.
+
The command after 0x3D can not be decrypted using the old DS blowfish keys, it is likely that new blowfish keys are used when entering DSi blowfish mode. From the response lengths and similarity to the normal DS card protocol, a good guesstimate can be made about what each command in the DSi card protocol does.
 +
 
 +
= See Also =
  
More to come...
+
* [[DSi Cartridge Header]]
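Review bot: The replacement closing paragraph drops the old observation that the 0x9F8 response to the command after 0x3D is identical to the earlier ENTER KEY2 response, which is the only evidence the page gave for reading 67DCFB8E9CC369DF as an LFSR reseed; keep that sentence under the new naming. The table in this hunk also removes every "?" and numbers the reads "SEC DSi 4" to "SEC DSi 7" while the text still calls the labels a guesstimate, so say what the numbering is based on or keep the question marks.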

Latest revision as of 17:21, 16 July 2013

DSi cards

There are essentially 3 different types of DS/DSi cards:

  • Nitro (DS)
  • Hybrid (DS & DSi)
  • Limited (DSi only)

For Nitro cards, the DSi enters backward compatibility mode to provide an environment similar to an old DS (no cameras, slower clock speed, et cetera). For Hybrid cards, the software can make use of DSi features when running on a DSi, while falling back to DS-only features when running on a DS. For Limited cards, the software will only run on a DSi, and cannot be run on a DS.

Card slot

The DSi card slot is exactly the same as the old DS card slot (also known as SLOT-1).

However, the DSi has more control over this slot in software than its DS counterpart. More specifically, the following hardware lines can be controlled (indirectly) in software:

  • Power supply (VCC) can be enabled or disabled
  • Reset (RST) can be cycled

Being able to reset a card using the hardware RST line is essential for the DSi card protocol.

Card commands

Here's a set of sample card commands that an old DS sends to a DSi enhanced card upon bootup:

Size Command Description
2000 9F00000000000000 RESET
0200 0000000000000000 HEADER
0004 9000000000000000 CARDID 40001FC2
0000 3C02DD38BEC62AC2 ENTER BLOWFISH MODE
0910 475C7973528EC62A RESEED LFSR
0914 175C702DD38EC62B CARDID 40001FC2
0914 175C702DD38EC62C CARDID 40001FC2
19B8 2000502DD38EC62D SEC 5
19B8 2000402DD38EC62E SEC 4
19B8 2000702DD38EC62F SEC 7
19B8 2000602DD38EC630 SEC 6
0910 A75C702DD38EC631 ENTER LFSR MODE
0004 B800000000000000 CARDID 40001FC2
0200 B7001C7200000000 ROM READ
0200 B7001C7400000000 ROM READ

Note that the Blowfish and LFSR commands shown here are already decrypted.



Now here's a set of sample commands that a DSi sends to a DSi enhanced card:

Size Command Description
2000 9F00000000000000 RESET
0004 9000000000000000 CARDID 40001FC2
1000 0000000000000000 HEADER
0000 3CA3BD240F4B7400 ENTER BLOWFISH MODE
09F8 400008867A9F4B74 RESEED LFSR
0914 10000A3BD24F4B75 CARDID 40001FC2
19B8 20004A3BD24F4B76 SEC 4
19B8 20005A3BD24F4B77 SEC 5
19B8 20006A3BD24F4B78 SEC 6
19B8 20007A3BD24F4B79 SEC 7

So far, this matches a normal DS bootup, with minor differences: CARDID (90) comes before HEADER (00), the header is queried for 0x1000 bytes, and the response size for some commands changes from 0x910 to 0x9F8.

After these commands, the card is reset and a new sequence starts. A raw read header command (00) is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as they cannot be decrypted yet. However, some obvious similarities show up simply from the response sizes of the commands.

Size Command Description
0200 0000000000000000 HEADER again
0000 3DBA1F0A0E91C100 ENTER BLOWFISH DSi MODE
09F8 67DCFB8E9CC369DF RESEED LFSR
0914 A1FF8184D5312ACD CARDID again
19B8 E1B09DEAABE3D960 SEC DSi 4
19B8 082289FB6F52EC75 SEC DSi 5
19B8 854F68025AAC4B6D SEC DSi 6
19B8 994FAFFDD8993548 SEC DSi 7
09F8 049D1DB7297CCE7F ENTER LFSR MODE
0004 247D01C82FD0D964 CARDID again
0200 1300E4799B395232 ROM READ
0200 14C25EC1E7F63C27 ROM READ
0200 BA11CDA5BDB17489 ROM READ

The command after 0x3D cannot be decrypted using the old DS Blowfish keys; it is likely that new Blowfish keys are used when entering DSi Blowfish mode. From the response lengths and the similarity to the normal DS card protocol, a good guess can be made about what each command in the DSi card protocol does.
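The inference described above, as an added example that is not part of the DSiBrew page: a small state machine that labels each command from its response size and its position in the sequence, checked against the decrypted old-DS trace and then applied to the raw DSi trace. The traces are copied from the tables on this page; the phase rules and the names `label_trace`, `DS_TRACE` and `DSI_RAW_TRACE` are assumptions made for illustration.

```python
# Added example, not DSiBrew code; traces copied from this page, phase rules assumed.
DS_TRACE = [  # (response size, command) sent by an old DS, shown decrypted
    ("2000", "9F00000000000000"), ("0200", "0000000000000000"),
    ("0004", "9000000000000000"), ("0000", "3C02DD38BEC62AC2"),
    ("0910", "475C7973528EC62A"), ("0914", "175C702DD38EC62B"),
    ("0914", "175C702DD38EC62C"), ("19B8", "2000502DD38EC62D"),
    ("19B8", "2000402DD38EC62E"), ("19B8", "2000702DD38EC62F"),
    ("19B8", "2000602DD38EC630"), ("0910", "A75C702DD38EC631"),
    ("0004", "B800000000000000"), ("0200", "B7001C7200000000"),
    ("0200", "B7001C7400000000"),
]
DSI_RAW_TRACE = [  # sent by a DSi after the card reset, still encrypted
    ("0200", "0000000000000000"), ("0000", "3DBA1F0A0E91C100"),
    ("09F8", "67DCFB8E9CC369DF"), ("0914", "A1FF8184D5312ACD"),
    ("19B8", "E1B09DEAABE3D960"), ("19B8", "082289FB6F52EC75"),
    ("19B8", "854F68025AAC4B6D"), ("19B8", "994FAFFDD8993548"),
    ("09F8", "049D1DB7297CCE7F"), ("0004", "247D01C82FD0D964"),
    ("0200", "1300E4799B395232"), ("0200", "14C25EC1E7F63C27"),
    ("0200", "BA11CDA5BDB17489"),
]
MODE_SWITCH = {"3C": "ENTER BLOWFISH MODE", "3D": "ENTER BLOWFISH DSi MODE"}
RAW = {0x2000: "RESET", 0x200: "HEADER", 0x1000: "HEADER", 0x4: "CARDID"}
BLOWFISH = {0x914: "CARDID", 0x19B8: "SEC"}
LFSR = {0x4: "CARDID", 0x200: "ROM READ"}
SEED_SIZES = {0x910, 0x9F8}  # old DS / DSi size for reseed and mode-exit replies

def label_trace(trace):
    """Label each command from response size, order and the visible switch opcode."""
    phase, reseeded, labels = "raw", False, []
    for size_hex, cmd in trace:
        size = int(size_hex, 16)
        if phase == "raw" and size == 0:
            labels.append(MODE_SWITCH.get(cmd[:2], "UNKNOWN"))
            phase, reseeded = "blowfish", False
        elif phase == "raw":
            labels.append(RAW.get(size, "UNKNOWN"))
        elif phase == "blowfish" and size in SEED_SIZES:
            # First long reply after the switch reseeds; the second leaves Blowfish.
            labels.append("ENTER LFSR MODE" if reseeded else "RESEED LFSR")
            phase, reseeded = ("lfsr" if reseeded else "blowfish"), True
        elif phase == "blowfish":
            labels.append(BLOWFISH.get(size, "UNKNOWN"))
        else:
            labels.append(LFSR.get(size, "UNKNOWN"))
    return labels

if __name__ == "__main__":
    for (size, cmd), label in zip(DSI_RAW_TRACE, label_trace(DSI_RAW_TRACE)):
        print(size, cmd, label)
```

The labels produced for the raw trace carry no secure-area numbers, because response size alone cannot distinguish the four 0x19B8 reads from each other.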

See Also

  • DSi Cartridge Header