[FEATURE REQUEST] Writing to dev cartridges

[XLuma]

Got a great idea on how to improve GodMode9? Dev cartridges can be rewritten at will. Usually one would need an official dev unit from Nintendo to write to the carts, but they can be read from a retail unit (not exactly true in the case of retail units because games on them are signed with dev keys), but they can still be dumped using godmode9.

Describe the feature you'd like Support for writing to developer carts. Dev units are wayyy too expensive, and it could give a purpose to these carts once the rom on them has been dumped for preservation.

Describe alternatives you've considered Buying a writer: expensive, actually rare in these times

[Wolfvak]

Do you have documentation or information on how these carts could be written? Also, I think it might be better left to a separate program but it's not completely off the table to implement...

[XLuma]

Do you have documentation or information on how these carts could be written? Also, I think it might be better left to a separate program but it's not completely off the table to implement...

Honestly, not really myself (I do not own a writer, but I bought a dev cart and waiting for it to ship from japan) But, if necessary, I can provide with PCB pics. Basically, it is pretty much your regular ds cart (More details down about 3ds carts) Except that they are longer due to having swappable memory chips, and they use a parrarel nor flash bga chip instead of a tsop package. They also have an additionna chip labelled NINTENDO NTR-FCC-01, not sure what it does but I don’t really believe it is used in the writing process at all. Probably used by the dev writer to detect if it is a dev cart or not

I assume 3ds dev carts to be similar, except nintendo had 3 models up for sale: One that has swappable memory, one that is the same size as a retail 3ds cart (no swappable memory, rewritable) and a third one that is actually undocumented on websites like 3dbrew, that is actually the same size and layout as an original DS Cart (black case, no notch on the top right). While I have pcb pics of the larger model of the DS Dev cart, I do not have pics (yet) of the ones that are the same size as retail. Also, there are no extra pins; the layout is the same as the retail carts, allowing for retail systems to read and execute the data

PCB pics linked

EDIT: There is an nsmbhd thread that has a lot of useful information about the devkits and dev flashcarts interface: https://nsmbhd.net/thread/4438-nintendo-ds-dev-hardware-is-nitro-emulator-and-co/

[XLuma]

I wonder if the NTR SDK also has documentation on the writer ? That would be very unlikely but who knows…

[XLuma]

Sorry for the comment spam: Back pcb pics

[GerbilSoft]

The commands aren't detailed in the SDK, but it might be possible to reverse-engineer commands from the IS-NITRO-DEBUGGER software. Do note that the commands sent by ISND are not the same as cartridge commands; they're commands handled by the V850 CPU in the IS-NITRO unit.

I'll note that there's definitely some command used by IS-NITRO-DEBUGGER that can identify an official flashcart and its full capacity, even if it's programmed to show a lower capacity in the chip ID.

[fox8091]

@GerbilSoft It actually should be possible to do from the 3DS itself using https://www.3dbrew.org/wiki/PXIDEV:WriteCTRCARD_Cmd41. (Well, a bare-metal reimplementation of this.) Unsure about the capacity detection though.

[XLuma]

@GerbilSoft It actually should be possible to do from the 3DS itself using https://www.3dbrew.org/wiki/PXIDEV:WriteCTRCARD_Cmd41. (Well, a bare-metal reimplementation of this.) Unsure about the capacity detection though.

Maybe the user could let the program know what the cart size is ?

[XLuma]

I just received my 3ds dev cart. I can do testing if needed

[XLuma]

@GerbilSoft It actually should be possible to do from the 3DS itself using https://www.3dbrew.org/wiki/PXIDEV:WriteCTRCARD_Cmd41. (Well, a bare-metal reimplementation of this.) Unsure about the capacity detection though.

The leaked documents from about a year ago had documents about commands used to write to the dev carts. Could that info be used ?

[XLuma]

Bringing this issue back up: I have made significant progress since then. TWL dev cartridges as well as CTR dev cartridges can be read, erased and thus quite possibly written to via a retail system. I have done most of my work with Decrypt9, simply to take advantage of the nicer UI for now. My current roadblock as of right now is writing, because the 3ds has to send data to the cartridge. So far, all of my attempts have not been successfull due to the fact that I have no idea if my modifications to protocol_ntr.c are working at all, and other issues with buffers. I strongly believe it can be done though. If anybody would be willing to help on the matter, I would really appreciate it.

EDIT I think NTR_SendCommand may also have some problems. While it does sends and receives data from the cartridge correctly, it cannot copy the data over to a provided buffer correctly (or at least, this is consistent behavior that I have seen so far) I had good results using card_ntr functions instead, but I literally have no idea what the functions themselves do and as such I can't really modify them or use them correctly...

[d0k3]

@XLuma - sounds great. If you ever get something usable, I'll take that pull request. I think the user interface should be easy to implement this in GM9 via just copying the data to the cart folder.

[XLuma]

Progress report: ROM Writing has been achieved from Decrypt9 using a hacked Old3DS to a CTR dev cartridge. Theres a few things I need to fix like page/block size detection and writing safety checks and measures, but a PR should be coming soon enough.

Regarding TWL and NTR: While TWL uses the exact same set of commands as CTR, while testing erase commands I managed to render three dev cartridges unusable (Returning wrong cart ID or nand info). More testing will be needed for those. For NTR, I have no idea how the writing is performed. The logs I captured, unlike TWL and CTR communications, do not show any plaintext data of the rom being written. Commands are not encrypted.

If some people with IS-NITROS/NTR dev cartridges want to help me figure out what is going on, let me know. More than willing to also upload the captured logs.

[Dionicio3]

Hey sorry to bother @XLuma , but what's the progress on this? I have a CTR dev cart that I need to write CTR SysUpdater to (to region change my o3DS Panda), but this is the only thing that comes up that doesn't involve buying a dev writer

[XLuma]

Still far away from anything usable. I managed to fix a few cartridges, so now we have working code for erasing/writing. Theres still a couple thing to figure out about the cartridge configuration settings that I have trouble writing back, and then I need to create actually usable code with proper detection of dev/retail roms, cartridge size and stuff like that.