「ハードウェア - パススルー」の編集履歴(バックアップ)一覧はこちら
「ハードウェア - パススルー」(2007/12/09 (日) 22:22:51) の最新版変更点
追加された行は緑色になります。
削除された行は赤色になります。
The primary (read: only) means of running homebrew code on the Nintendo DS is currently via a passthrough mechanism in the DS card port and a traditional GBA flash cart in the GBA cartridge port. A passthrough technique is required, since the DS BIOS enables encryption after reading the header, and the encryption is not fully understood.
The passthrough operates in protocol mode most of the time, transparently directing commands to the card and data back to the DS (see DS protocol?. However, for the first transfer after a card reset (always the header fetch during boot), it feeds a modified header back to the DS instead of the data that would have come from the card.
This modified header is the same as the original header, with the exception of the ARM7 execute address and the header CRC16. The ARM7 execute address points to 0x080000C0 (GBA cartrdige ROM), and the header CRC16 is recomputed to account for the modifications. You can't do this trick to run ARM9 directly, because the BIOS gives the ARM7 priority on the cartridge space during bootup. That's why ARM9 is put into a small waiting loop. ARM9 execution can then be continued by the following C instruction:
*(volatile uint32 *)0x027FFE24 = 0x02004000;
Once you select the game in the firmware menu (or it auto-loads, depending on your settings), the code on the GBA cartridge will be executed. Unlike running code directly off of a GBA cartridge, it is executed in DS mode, not GBA mode! At this point, you're free to do what you want, but typically the ARM7 bootloader code on the cartridge copies a pair of ARM binaries to RAM, one for the ARM7 and the other for the ARM9.
All of the hardware constructed so far consists of a FPGA between the DS and a DS cartridge, and either a GBA flash cart or GBA cartridge emulator also running on the FPGA.
sgstair and Ampz built protocol sniffers. DarkFader found out he could change the execution entrypoint in the header and built the first passthrough using an FPGA and documented it. Natrium and Dovoto are making passthroughs out of CPLDs, which should be significantly smaller than the existing FPGA boards, but the only current idea for eliminating the passthrough entirely involves replacing a BGA chip inside the DS... or by cracking the encryption which DarkFader is trying to do.
So far, these people have built a passthrough device:
* DarkFader
* Joat
* Dovoto
* Natrium
* Furan
* sgstair
----
The primary (read: only) means of running homebrew code on the Nintendo DS is currently via a passthrough mechanism in the DS card port and a traditional GBA flash cart in the GBA cartridge port. A passthrough technique is required, since the DS BIOS enables encryption after reading the header, and the encryption is not fully understood.
The passthrough operates in protocol mode most of the time, transparently directing commands to the card and data back to the DS (see DS protocol?. However, for the first transfer after a card reset (always the header fetch during boot), it feeds a modified header back to the DS instead of the data that would have come from the card.
This modified header is the same as the original header, with the exception of the ARM7 execute address and the header CRC16. The ARM7 execute address points to 0x080000C0 (GBA cartrdige ROM), and the header CRC16 is recomputed to account for the modifications. You can't do this trick to run ARM9 directly, because the BIOS gives the ARM7 priority on the cartridge space during bootup. That's why ARM9 is put into a small waiting loop. ARM9 execution can then be continued by the following C instruction:
*(volatile uint32 *)0x027FFE24 = 0x02004000;
Once you select the game in the firmware menu (or it auto-loads, depending on your settings), the code on the GBA cartridge will be executed. Unlike running code directly off of a GBA cartridge, it is executed in DS mode, not GBA mode! At this point, you're free to do what you want, but typically the ARM7 bootloader code on the cartridge copies a pair of ARM binaries to RAM, one for the ARM7 and the other for the ARM9.
All of the hardware constructed so far consists of a FPGA between the DS and a DS cartridge, and either a GBA flash cart or GBA cartridge emulator also running on the FPGA.
sgstair and Ampz built protocol sniffers. DarkFader found out he could change the execution entrypoint in the header and built the first passthrough using an FPGA and documented it. Natrium and Dovoto are making passthroughs out of CPLDs, which should be significantly smaller than the existing FPGA boards, but the only current idea for eliminating the passthrough entirely involves replacing a BGA chip inside the DS... or by cracking the encryption which DarkFader is trying to do.
So far, these people have built a passthrough device:
* DarkFader
* Joat
* Dovoto
* Natrium
* Furan
* sgstair
----
[[@wikiへ>http://kam.jp"><META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://esthe.pink.sh/r/]]
