ntrteam / flashcart_core

A hopefully reusable component for dealing with flashcart specific behavior.
GNU General Public License v3.0

Acekard 2, not 2i (www.Acekard.com) #125

Open LucaCorigliano opened 6 years ago

LucaCorigliano commented 6 years ago

So, this is quite interesting. Given the fact that I don't know anything about the underlying work of ntrboot (or not enough to quite grasp it) and how a flashcard gets reflashed (I get the gist, but again I don't know enough), I tried editing flashcart_core to support the classic AceKard 2 (not the 2i variant).

It gets read as HW Revision 0x40404040 and for some reason GodMode9 can't dump its contents (when no modifications are done). After that I decided that I didn't mind risking bricking it and I went playing with some code.

First things first I tried to force it as HW Revision 0x44444444 and nothing happened: it could not read nor write to the flashcard.

I then tried to force HW Revision 0x81818181 and lo and behold it flashed! I'm now in the process of attempting an ntrboot, but I'm quite sure it won't work because more work is surely needed. I'll edit as soon as I get some results. Update: it seems not to work, but still.

I'll attach a dump of the current flashed cart and some pics of this card.

[image: acekard2c]

https://drive.google.com/open?id=1YBsCDzVxE3djYuE7QZpokIS9iE1l1rlP

The memory chip inside is the SST 39VF1681: http://www.microchip.com/wwwproducts/en/SST39VF1681 And the ASIC is the Actel ProASIC 3 A3P250.

kitlith commented 6 years ago

Glad to see someone messing with the code and experimenting! I think it's fairly obvious that this isn't a priority to us, but if it makes a nice project for you, I'm glad to give you pointers.

Do you have a backup.bin from before attempting to write to the card? It may be useful for you to look through it to find the locations of stuff in flash, and if they're different from an ak2i.

In general, you'll want to find the blowfish key (which is a bit oddly sized) and where the data for the game it pretends to be is on flash. (This is the reason why we ask for a GM9 dump of the cart -- so we can compare, and so that we can figure out any obfuscation on flash if the ROM isn't plaintext)

LucaCorigliano commented 6 years ago

This should be the stock dump of the card: https://drive.google.com/open?id=18khJpmVf3I1MYEkFZcJlaOuFI3nYJYOI

And this should be the full dump: https://drive.google.com/open?id=1vBo_OdEcnAQJVWC6ql_lvXRAP8pdtPWd

I'm snooping around with a hex editor, I'll keep ya updated.

angelsl commented 6 years ago

I've already done this with an AK 2.1. The flash commands are the same as HW 81.

If the AK 2 is the same, the blowfish key should be located somewhere near the start of the flash (I can't remember exactly where).

LucaCorigliano commented 6 years ago

The thing is: I don't know what I'm looking for. I see in the original code that injectNtrBoot uses several addresses and offsets, but I don't know what they are relative to. The nds file is far too small, and I can't make heads or tails of the full dump done by flashcart_core.

I know I'm looking like a script kiddie right now, but I have little to no knowledge about the DS/3DS system.

angelsl commented 6 years ago

injectNtrBoot offsets are from the start of the flash image.

The AK2 and AK2.1's flash layout is quite different compared to the AK2i's. You're looking for the blowfish P state and S boxes, as well as the location to write FIRM to i.e. where 0x7E00 in the ROM is located in the flash.

angelsl commented 6 years ago

I've already found this, actually, I just need to figure out some minor issues.

LucaCorigliano commented 6 years ago

So the flash is the full dump that flashcart_core is able to read. And I suppose the format is proprietary to the flashcard, right? The blowfish key I'm looking for, on the other hand, is there any particular way to recognize it? Could you or anyone provide a 2i or 2.1 for comparison?

angelsl commented 6 years ago

> So the flash is the full dump that flashcart_core is able to read. And I suppose the format is proprietary to the flashcard right?

Yes.

> The blowfish key I'm looking for on the other end, is there any particular way to recognize it? Could you or anyone provide a 2i or 2.1 for comparison?

It is 0x1048 bytes long.

In the Acekard 2.1, it starts with AF B3 66 CD 25 80 48 66 CE 34 E1 9C 9B C9 4C 49 and ends with 16 38 A8 88 7B 0E D4 C5 1C 39 04 3E 9E E2 77 71. I think it should be the same for the Acekard 2, if the ROM it presents also uses the gamecode ACEK.

Anyway, I don't think the Acekard 2/2.1 series is able to serve FIRM to boot9. It seems these cards have a hardcoded response for the KEY1 secure area read commands?
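The two things angelsl gives above, the 0x1048-byte length and the first and last 16 bytes of the Acekard 2.1 blob, are enough to scan a flash dump for the key-schedule blob mechanically rather than by eye. The length is exactly a Blowfish key schedule: an 18-word P-array (72 bytes, 0x48) plus four 256-word S-boxes (4096 bytes, 0x1000). The script below is an added example, not code from flashcart_core or from anyone in this thread; it builds a constructed sample image (erased 0xFF flash with the blob planted at an assumed offset and filler in place of the real key words, plus a decoy prefix so the end-signature check is exercised), finds every span that carries both signatures at the right distance, and splits the hit into P-array and S-boxes. Word endianness is an assumption, since the thread does not say how the words are stored; the default is little-endian and the caller can pass `">"` instead.

```python
"""Locate a Blowfish key-schedule blob in a flashcart flash dump.

Added example, not flashcart_core's code.  It relies only on what the
thread states: the blob is 0x1048 bytes long and, on the Acekard 2.1,
begins with AF B3 66 CD 25 80 48 66 CE 34 E1 9C 9B C9 4C 49 and ends with
16 38 A8 88 7B 0E D4 C5 1C 39 04 3E 9E E2 77 71.  The sample image, its
blob offset and the filler between the two signatures are constructed.
"""
import struct

P_ARRAY_WORDS = 18              # Blowfish P-array: 18 x 32-bit words
SBOX_COUNT = 4                  # four S-boxes ...
SBOX_WORDS = 256                # ... of 256 x 32-bit words each
KEY_BLOB_LEN = 0x1048           # 18*4 + 4*256*4 = 0x48 + 0x1000
assert P_ARRAY_WORDS * 4 + SBOX_COUNT * SBOX_WORDS * 4 == KEY_BLOB_LEN

# Signatures quoted in the thread for the Acekard 2.1 blob.
AK21_START = bytes.fromhex("AFB366CD25804866CE34E19C9BC94C49")
AK21_END = bytes.fromhex("1638A8887B0ED4C51C39043E9EE27771")


def find_key_blobs(image: bytes, start: bytes = AK21_START, end: bytes = AK21_END):
    """Return the offset of every 0x1048-byte span that begins with `start`
    and ends with `end`.  Requiring both signatures at the right distance
    rejects a chance match of the 16-byte prefix alone or a truncated copy."""
    hits = []
    pos = image.find(start)
    while pos != -1:
        blob_end = pos + KEY_BLOB_LEN
        if blob_end <= len(image) and image[blob_end - len(end):blob_end] == end:
            hits.append(pos)
        pos = image.find(start, pos + 1)
    return hits


def split_key_blob(blob: bytes, endian: str = "<"):
    """Split a 0x1048-byte blob into the P-array (18 words) and four S-boxes
    (256 words each).  `endian` is an assumption about the word byte order."""
    if len(blob) != KEY_BLOB_LEN:
        raise ValueError(f"expected {KEY_BLOB_LEN:#x} bytes, got {len(blob):#x}")
    words = struct.unpack(f"{endian}{KEY_BLOB_LEN // 4}I", blob)
    p_array = list(words[:P_ARRAY_WORDS])
    sboxes = [
        list(words[P_ARRAY_WORDS + i * SBOX_WORDS:P_ARRAY_WORDS + (i + 1) * SBOX_WORDS])
        for i in range(SBOX_COUNT)
    ]
    return p_array, sboxes


def build_sample_image(blob_offset: int = 0x2000, image_len: int = 0x10000) -> bytes:
    """Construct a fake flash image: erased (0xFF) flash with one blob at
    `blob_offset`.  The blob interior is constructed filler, NOT a real key.
    A decoy copy of the start signature without the matching end bytes is
    planted further on so the end-signature check has something to reject."""
    filler_len = KEY_BLOB_LEN - len(AK21_START) - len(AK21_END)
    filler = bytes((i * 7 + 3) & 0xFF for i in range(filler_len))
    blob = AK21_START + filler + AK21_END
    image = bytearray(b"\xFF" * image_len)
    image[blob_offset:blob_offset + KEY_BLOB_LEN] = blob
    decoy = 0x8000                      # constructed decoy position
    image[decoy:decoy + len(AK21_START)] = AK21_START
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    offsets = find_key_blobs(img)
    print("blob offsets:", [hex(o) for o in offsets])
    p, s = split_key_blob(img[offsets[0]:offsets[0] + KEY_BLOB_LEN])
    print("P[0] =", hex(p[0]), "| S-boxes:", len(s), "x", len(s[0]))
```

Against a real dump you would read the file into `image` and call `find_key_blobs` on it; a single hit with a sane (flash-aligned) offset is the expected result, several hits or a prefix that never gets its matching end bytes suggests the dump is obfuscated or the signatures differ on the card at hand, which is exactly the comparison the GM9 dump request above is for.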