Difference between revisions of "Card hardware"

From DSiBrew
Jump to: navigation, search
Line 123: Line 123:
  
 
So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8.
 
So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8.
After these commands, the sequence changes. A raw all zeroes command is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.
+
After these commands, the card is reset and a new sequence starts. A raw read header command (00) is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"

Revision as of 23:38, 1 August 2009

Here's a set of sample card commands that an old DS sends to a DSi enhanced card upon bootup:

Size Command Description
2000 9F00000000000000 RESET
0200 0000000000000000 HEADER
0004 9000000000000000 CARDID 40001FC2
0000 3C02DD38BEC62AC2 ENTER KEY1
0910 475C7973528EC62A ENTER KEY2
0914 175C702DD38EC62B CARDID 40001FC2
0914 175C702DD38EC62C CARDID 40001FC2
19B8 2000502DD38EC62D SEC 5
19B8 2000402DD38EC62E SEC 4
19B8 2000702DD38EC62F SEC 7
19B8 2000602DD38EC630 SEC 6
0910 A75C702DD38EC631 ENTER MAIN
0004 B800000000000000 CARDID 40001FC2
0200 B7001C7200000000 ROM READ
0200 B7001C7400000000 ROM READ

Note that the KEY1 and KEY2 commands shown here are already decrypted.



Now here's a set of sample commands that a DSi sends to a DSi enhanced card:

Size Command Description
2000 9F00000000000000 RESET
0004 9000000000000000 CARDID 40001FC2
1000 0000000000000000 HEADER
0000 3CA3BD240F4B7400 ENTER KEY1
09F8 400008867A9F4B74 ENTER KEY2
0914 10000A3BD24F4B75 CARDID 40001FC2
19B8 20004A3BD24F4B76 SEC 4
19B8 20005A3BD24F4B77 SEC 5
19B8 20006A3BD24F4B78 SEC 6
19B8 20007A3BD24F4B79 SEC 7

So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8. After these commands, the card is reset and a new sequence starts. A raw read header command (00) is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.

Size Command Description
0200 0000000000000000 HEADER again?
0000 3DBA1F0A0E91C100 ENTER KEY1 again?
09F8 67DCFB8E9CC369DF ENTER KEY2 again?
0914 A1FF8184D5312ACD CARDID again?
19B8 E1B09DEAABE3D960 SEC again?
19B8 082289FB6F52EC75 SEC again?
19B8 854F68025AAC4B6D SEC again?
19B8 994FAFFDD8993548 SEC again?
09F8 049D1DB7297CCE7F ENTER MAIN ?
0004 247D01C82FD0D964 CARDID?
0200 1300E4799B395232 ROM READ?
0200 14C25EC1E7F63C27 ROM READ?
0200 BA11CDA5BDB17489 ROM READ?

The command after 0x3D can not be decrypted using the previous KEY1, it is likely that the Blowfish P and/or S arrays are switched with a new set. The 0x9F8 response for this command is identical to the previous ENTER KEY2 command (which is a fixed stream), so it is also very likely that this command is issueing a new LFSR seed.

More to come...