DsCartridgeInfo

From EurAsiaWiki

Main Page | Recent changes | View source | Page history | Log in / create account |

Special pages Double redirects Broken redirects Disambiguation pages Log in / create account Preferences My watchlist Recent changes Upload file File list Gallery of new files User list Statistics Random page Orphaned pages Uncategorized pages Uncategorized categories Uncategorized files Uncategorized templates Unused categories Unused files Wanted pages Wanted categories Most linked to pages Most linked to categories Most linked-to templates Pages with the most categories Most linked to files Pages with the most revisions Pages with the fewest revisions Short pages Long pages New pages Oldest pages Dead-end pages Protected pages Protected titles All pages Prefix index List of blocked IP addresses and usernames User contributions What links here Book sources Categories Export pages Version System messages Logs MIME search List redirects Unused templates Random redirect Pages without language links File path Popular pages Search

Printable version | Disclaimers | Privacy policy
Category: DS

---

Nintendo DS cartridge information
Updated: 17 dec 2004



pin x  name        name         description
--- -  ---------   ----------   ----------------
1   >  GND
2      CLK         CLKB-MC      Clock. High when idle. Data must be stable on rising edge.
3   N  NC
4   i  ROM CS      CSB-MC       Selects ROM when low. 8 byte command is expected after pulling low. After that, direction is reversed and optional data is transferred.
5   n  RESET       RESB-MC
6   t  EEPROM CS   CSB-MC2      Selects EEPROM when low. 1 byte command is expected after pulling low. After that, optional data is transferred.
7   e  IRQ         IREQ-MC		Grounded in cartridge. Used to detect removal.
8   n  +3V3
9   d  I/O0
10  o  I/O1
11     I/O2
12  C  I/O3
13  0  I/O4
14  1  I/O5
15  -  I/O6                     Also is a serial signal coming from the EEPROM.
16  0  I/O7                     Also is a serial signal goes to the EEPROM.
17  1  GND



U1
custom mask ROM
partnr: Macronix MX23L12808-15D		(128 Mb = 16 MB)
package: 44SOP
NTR-AMFE-0

    .--------------------.
GND || 1               44 || RES
VCC || 2               43 || GND
GND || 3               42 || IRQ
GND || 4               41 || GND
CLK || 5               40 || GND
GND || 6               39 || GND
GND || 7               38 || GND
GND || 8               37 || GND
GND || 9               36 || GND
GND || 10              35 || GND
GND || 11              34 || GND
GND || 12              33 || GND
GND || 13              32 || GND
GND || 14              31 || GND
GND || 15              30 || GND
GND || 16              29 || GND
CS  || 17              28 || GND
IO0 || 18              27 || IO7
IO1 || 19              26 || IO6
IO2 || 20              25 || IO5
IO3 || 21              24 || IO4
GND || 22              23 || VCC
    '--------------------'




U2
EEPROM
partnr: ST 5044P 9440
SPI interface





        outer dimensions        contact pitch
DS:     32mm x 34mm             1.5mm
GBA:    57mm x 34.5mm           1.5mm			(you can use a GB connector and cut both sides and then add a thin tape to make better contact)




Commands in unencrypted mode (after reset):
00 00 00 00 00 00 00 00			Read unencrypted header data.
90 00 00 00 00 00 00 00			Read ID. Returns repeated "C2 0F 00 00".
9F xx xx xx xx -- -- --			Seems to leave I/O in high-impedance. It's the first command at startup and lasts for 8192 clocks.
3C xx xx xx -x xx xx --			Initialize encryption. Might be seeded from RTC or other random source. Encryption also depends on the header.
								After this command, 7 unknown encrypted commands are sent with a lot of traffic. The lengths appear a little bit random.
								This is probably done to make hacking more difficult. I call this type-1 transfers.

Commands in encrypted mode (both command and data are encrypted with the LFSR ==):==
9F xx xx xx xx -- -- --			Read data from byte offset. MSB first. Maximum read size is 4 KB (512 bytes recommended). I call this type-2 transfers.
90 00 00 00 00 00 00 00			Read ID. Returns repeated "C2 0F 00 00".
xx xx xx xx xx xx xx xx			Invalid command. Returns all zero's.


x) non-constant data
-) don't care



Encryption is based on some LFSR (Linear Feedback Shift Register) stream.
The commands and data are then xorred with it. This stream (for the data part) can be retrieved easily by sending an ID command.

Assumptions/Facts:
	- type-1 transfers with less than 2320 bytes data are simply ignored.
	- type-1 transfer lengths are summed when they have the same command, thus the command itself does not update the LFSR.
	- a type-2 command updates the LFSR. (need to confirm this)
	- each databyte in a type-1 or type-2 transfer updates the LFSR.
	- type-2 transfers cannot read the first 0x8000 bytes of the ROM
	- type-1 transfers are used for the first 0x8000 bytes of the ROM

Things to do:
	- check how the type-2 commands are xorred with the LFSR stream.
	- find out how the type-1 things work.
	- find out how the 3C command works and how it gets seeded by the DS.

---

View source | Discuss this page | Page history | What links here | Related changes


This page has been accessed 204 times. This page was last modified 07:47, 17 February 2010.
Main Page | About EurAsiaWiki |