d0k3 / GodMode9

GodMode9 Explorer - A full access file browser for the Nintendo 3DS console :godmode:
GNU General Public License v3.0

Cannot dump DSi dev carts #457

Open mariomadproductions opened 5 years ago

mariomadproductions commented 5 years ago

Someone I know is trying to dump a DSi dev flash cart. But there is a "Cart Init Failed!" error message when he tries to dump it using GodMode9 1.7.1. Is there any more detailed debug info I can provide? One of his carts does dump, but three of them don't. He suspects they may use some special developer encryption as these carts won't even show up in the menu of a retail DSi.

legoj15 commented 5 years ago

I'm going to go out on a limb and say if it is true that dev DSi carts are encrypted for dev DSi hardware, then they need dev DSi keys, something that a retail 3DS (or even dev 3DS) probably doesn't have. I could easily be 100% wrong, but I'd imagine that there'd be no reason to have DSi dev keys on a 3DS.

mariomadproductions commented 5 years ago

Possibly. This could be something that could be put in the support files folder. But I wonder why this would cause a cart init failure. Maybe failure to decrypt the ROM causes this error, even if technically the cart init worked?

legoj15 commented 5 years ago

Oh you may be right about the support folder thing. I think the explanation that the cart did init but failed to decrypt seems logical, but only @d0k3 would really know.

GerbilSoft commented 5 years ago

https://problemkaputt.de/gbatek.htm#dsencryptionbygamecodeidcodekey1

https://problemkaputt.de/gbatek.htm#dsicartridgeheader

DS and DSi cartridges are initialized using commands 0x3C (NTR) and 0x3D (TWL), respectively. GBATEK lists three sets of Blowfish keys for KEY1 initialization:

The DSi Debug key is used when SCFG_OP is non-zero, i.e. running on debug hardware.

There's also a debug-specific modcrypt key for the DSi secure area. This is indicated in the ROM header by setting bit 3 of 0x1C. When set, the modcrypt key is set to the first 16 bytes of the cartridge header. I'm not sure if GM9's DSi dumping functionality decrypts the modcrypt area or leaves it intact. Note that decrypting the DSi secure area is not required for cartridge initialization, just the Blowfish key.

EDIT: From secure_ntr.c, it appears that GodMode9 is obtaining the Blowfish keys from ITCM: https://github.com/d0k3/GodMode9/blob/e4352d4cb08839d0c334cbaf61aceb66102fdbfe/arm9/source/gamecart/secure_ntr.c#L121-L145

Since the DSi Debug key is stored in the launcher on devkit DSi units, it might not actually be present in ITCM; it might be in the System Menu instead. (Or, it might only be in ITCM on debug 3DS units.)

Of course, it is entirely possible that the debug key is present somewhere on retail. Remember that Boot9 contains the KeyX components for both retail and debug 3DS titles. (Boot9 is the same on all systems, retail and debug, including some known pre-production target boards.)

d0k3 commented 5 years ago

Thanks @GerbilSoft! Right now I'm unsure, too, if the modcrypt area is decrypted for DSi carts. Keep in mind, I did little coding for the cart driver routines myself. I'm all for increasing compatibility, but I'd need help, and we have to be very careful not to lose the compatibility we already have (DSi-enhanced and DSi-exclusive carts were pretty hard to support).

@mariomadproductions - does the cart actually work on a 3DS?

redunka-zver commented 5 years ago

That DSi Debug key (69 63 52 05…) can be found inside TWL_FIRM. Retail 3DS systems use debug TWL Launcher, although the same key exists in the Launcher of retail DSi's too. Either way, on 3DS the key doesn't seem to be in the Launcher itself, but in a different part of the TWL_FIRM instead.

mariomadproductions commented 5 years ago

Quoting @d0k3: @mariomadproductions - does the cart actually work on a 3DS?

Retail: no

Dev: yes

GerbilSoft commented 5 years ago

I tested some retail DSi-enhanced/exclusive titles in a Panda 3DS system last night. All of them showed up on the Home Menu, likely because it uses command 0x3C (NTR) to load the icon. They all crashed when attempting to start the game, since it used command 0x3D (TWL) to load the DSi secure area, and that requires the retail key.

@mariomadproductions Assuming you have Luma3DS installed: Can you set developer UNITINFO in Luma's configuration and then try booting the dev TWL cart?

mariomadproductions commented 5 years ago

It's not me that owns the carts. I think I'll ask the owner (voodooween) to come here.

d0k3 commented 5 years ago

@mariomadproductions - no new info for 26 days. Did you ask voodooween to come here?

mariomadproductions commented 5 years ago

Yes, but I'll remind him.

voodooween commented 5 years ago

Hey! Yes, sorry, I totally forgot about this... I'm here ^^.

d0k3 commented 5 years ago

Hey @voodooween, thanks for coming here!

Quoting @GerbilSoft: @voodooween Assuming you have Luma3DS installed: Can you set developer UNITINFO in Luma's configuration and then try booting the dev TWL cart?

voodooween commented 5 years ago

I did try to set developer UNITINFO, but it didn't work.

legoj15 commented 5 years ago

@voodooween like, setting the dev UNITINFO didn't work? Or after setting the developer UNITINFO the carts didn't work?

voodooween commented 5 years ago

The card still shows an error message even with UNITINFO:

An error has occured. Press and hold the POWER button to turn the system off. Please refer to the Operations Manual for details.

TrashBandatcoot commented 5 years ago

Me and Voodooween also have a hard time dumping a specific TWL development cart. GodMode9 simply won't find the cart, while decrypt9wip finds it, but makes a bad dump. The only current information that exists about this cart is a stubbed article I wrote: https://wiki.mariocube.xyz/index.php/SystemUpdater_v1.4a

HexadecimalMantis0e commented 4 years ago

I have a few DSi dev carts myself. Running into the same issue.

d0k3 commented 3 years ago

Is there any chance this is fixed by #645? @HexadecimalMantis0e @TrashBandatcoot @voodooween @legoj15 - can you compile and test? Don't have any dev carts myself.

d0k3 commented 3 years ago

Here's the already compiled test build: https://f.secretalgorithm.com/SPO0o/godmode9-v1.9.2pre1-21-titleman-devcartdump.zip

HexadecimalMantis0e commented 3 years ago

The build doesn't seem to mount my cart. However, I managed to dump the ROMs a few months ago.

d0k3 commented 3 years ago

@HexadecimalMantis0e - here's another one, courtesy of @GerbilSoft. https://f.secretalgorithm.com/Ks0Kc/godmode9.firm

Can you try that?

HexadecimalMantis0e commented 3 years ago

This one doesn't seem to mount my carts either.