Difference between revisions of "Gamecards"

From 3dbrew
Jump to navigation Jump to search
(Card-detect info)
(Details on CRC-32)
Line 118: Line 118:
  
 
After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR.
 
After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR.
When 16-byte commands are used, the data bus maintains the value 0x00 until the card signals it is ready by clocking a single byte 0x01, followed by the actual data. After each 0x200-byte block of actual data, a 4-byte standard CRC32 of the block data (before encryption) follows.
+
When 16-byte commands are used, the data bus maintains the value 0x00 until the card signals it is ready by clocking a single byte 0x01, followed by the actual data. After each 0x200-byte block of actual data, a 4-byte standard CRC32 of the block data (before encryption, polynomial 0x82608edb and the final output is xored with 0xffffffff) follows.
  
 
Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:
 
Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:

Revision as of 07:13, 26 May 2024

A 3DS gamecard
Close-up of PCB

Physical interface

The 3DS gamecards have the same physical interface as regular DS and DSi gamecards. There is only a minor cosmetic difference in the plastic case, which has a small extruding notch on the top-right side. As such, it prevents insertion of the gamecard into old Nintendo DS or DSi systems.

When modifying the case so that the 3DS gamecard fits in a DS or DSi system, those systems will refuse to detect the gamecard and show no banner icon.

Pin Name Description
1 GND Ground
2 CLK Clock. Frequencies 6.7MHz and 4.2MHz for DS/DSi gamecards, up to 16.6MHz for 3DS gamecards (for both SPI and ROM transfers).
3 NC Not connected. Possibly used to program cards.
4 RCS ROM select, active low. Pulled low to start a ROM transfer.
5 RST Reset, active low.
6 ECS Savegame chip select, active low. Pulled low to start a savegame SPI transfer.
7 IRQ Removal detection.
8 VCC Powersupply 3.3V.
ROM bus (selected by RCS) Savegame bus (selected by ECS)
9 DAT0 Bidirectional data bus. NC
10 DAT1
11 DAT2
12 DAT3
13 DAT4 NC/SIO3
14 DAT5 WP#/SIO2
15 DAT6 SO/SIO1
16 DAT7 SI/SIO0
17 GND Ground
3DS DS and DSi
VCC Only enabled when the power supply bits of CFG9_CARDSTATUS are set to 10 Always available when card is detected
Card-detect Physical insertion switch, readable through CFG9_CARDSTATUS bit 0 IRQ pin
Time to first clock pulse ~280ms ~166ms

SPI flash

Savegame SPI flash transfers use CPOL=1 and CPHA=1. So far, only one savegame FLASH chip has been identified. The chip identifies as 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at:
Macronix (Rev. 1.3, nov. 11, 2013)
Old version mirror (Rev. 0.01, apr. 07, 2010)
However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip.

Format

Cartridges can come in several sizes and include system updates in a region reserved for this. In ROMs less than 1GB the update region can be found with: CART_SIZE_MAX-( 0x280000*(CART_SIZE_MAX/CART_SIZE_128MB) )-0x2000000. The region is then 0x2000000 bytes.

Protocol

The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the DS and DSi gamecard communication protocol.

After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR. When 16-byte commands are used, the data bus maintains the value 0x00 until the card signals it is ready by clocking a single byte 0x01, followed by the actual data. After each 0x200-byte block of actual data, a 4-byte standard CRC32 of the block data (before encryption, polynomial 0x82608edb and the final output is xored with 0xffffffff) follows.

Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:

Size Command Decrypted command Description
2000 9F00000000000000 ? Reset
0000 71C93FE9BB0A3B18 ? Unknown
0004 9000000000000000 ? Get gamecard ID, response=9000FEC2
0004 9000000000000000 ? Get gamecard ID, response=9000FEC2
0004 A000000000000000 ? Unknown, response=00000000
0000 3E00000000000000 ? Enter 16-byte command mode.
0200 82000000000000000000000000000000 ? Get header
0000 F32C92D85C9D44DED3E0E41DBE7C90D9 8300000000000000708DF1A731717D0B Seed
0004 696B9D8582FB55D31B68CAFE70C74A95 A200000000000000708DF1A731717D0B Get secured gamecard ID, response=9000FEC2
0004 BAA4812CA0AC9C5D19399530E3ACCCAB A300000000000000708DF1A731717D0B Unknown
0000 178E427C22D87ADB86387249A97D321A C500000000000000708DF1A731717D0B Unknown
0004 E06019B1BD5C9130ED6A4D9F4A9E7193 A200000000000000708DF1A731717D0B Get secured gamecard ID, response=9000FEC2
0004 4E0D224862523BBFE2E6255F80E15F37 A200000000000000708DF1A731717D0B Get secured gamecard ID, response=9000FEC2
0004 4CDF93D319FB62D0DB632A45E3E8D84C A200000000000000708DF1A731717D0B Get secured gamecard ID, response=9000FEC2
0004 9AA5D80551002F955546D296A57F0FEF A200000000000000708DF1A731717D0B Get secured gamecard ID, response=9000FEC2
0004 C12BA81AEF30DDDBD93FAD5D544C6334 A200000000000000708DF1A731717D0B Get secured gamecard ID, response=9000FEC2
0200 62EC5FB7F420AE1DC6253AE18AFA5BB3 BF000000000000000000000000000000 Read address 0
0200 E3FA23AA016BE0C93430D1F42FF41324 BF000000000040000000000000000000 Read address 0x4000

The header command has some initial dummy bytes, and eventually responds with a 0x200 byte header. Here's an example for Lego Starwars 3:

0000000: 00 8c 03 00 00 00 04 00 00 00 00 00 00 00 00 00  ................
0000010: b3 cf fb c6 6a b1 cb 20 32 af ce 35 d4 1c 74 c9  ....j.. 2..5..t.
0000020: 8e 6b 27 2f 08 01 28 3b d4 30 de 44 37 f5 b0 46  .k'/..(;.0.D7..F
0000030: 91 59 d7 38 33 48 df 83 fd 71 84 2c 00 00 00 00  .Y.83H...q.,....
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000100: 4e 43 43 48 7a 7f 0e 00 00 8c 03 00 00 00 04 00  NCCHz...........
0000110: 36 34 02 00 00 00 00 00 00 8c 03 00 00 00 04 00  64..............
0000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000150: 43 54 52 2d 50 2d 41 4c 47 50 00 00 00 00 00 00  CTR-P-ALGP......
0000160: 0c 27 e3 c1 de 7b 2a e2 d3 11 4f 32 a4 ee bf 46  .'...{*...O2...F
0000170: 9a fd 0c f3 52 c1 1d 49 84 c2 a9 f1 d2 14 4c 63  ....R..I......Lc
0000180: 00 04 00 00 00 00 00 00 00 00 00 00 01 03 00 00  ................
0000190: 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
00001a0: 06 00 00 00 1c 0a 00 00 01 00 00 00 00 00 00 00  ................
00001b0: 22 0a 00 00 58 75 0e 00 01 00 00 00 00 00 00 00  "...Xu..........
00001c0: 13 0c 04 26 15 f6 47 c4 c6 32 25 ea 9e 67 f8 a2  ...&..G..2%..g..
00001d0: 7b 15 24 6b 88 fb c7 a9 27 25 7b 84 97 7b 78 7b  {.$k....'%{..{x{
00001e0: a6 5b ee 10 60 bb 6a 68 21 bb ce c6 00 03 5b 7e  .[..`.jh!.....[~
00001f0: 64 fb 6e ac a7 f0 96 0c fb 1f 5a 37 08 77 28 f7  d.n.......Z7.w(.