Difference between revisions of "/talk まちゃぴろ"

From 3dbrew
Jump to navigation Jump to search
Line 1: Line 1:
[[Media:.ogg]]
+
[[File:Gamecard.jpg|thumb|right|A 3DS gamecard]]  
 +
[[File:GamecardPhy.jpg|thumb|right|Close-up of PCB]]
 +
 
 +
===Physical interface===
 +
The 3DS gamecards have the same physical interface as regular DS and DSi gamecards. There is only a minor cosmetic difference in the plastic case, which has a small extruding notch on the top-right side. As such, it prevents insertion of the gamecard into old Nintendo DS or DSi systems.
 +
 
 +
When modifying the case so that the 3DS gamecard fits in a DS or DSi system, those systems will refuse to detect the gamecard and show no banner icon.
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Pin
 +
!  Name
 +
!  Description
 +
|-
 +
|  1
 +
|  GND
 +
|  Ground
 +
|-
 +
|  2
 +
|  CLK
 +
|  Clock. Frequencies 6.7MHz and 4.2MHz)
 +
|-
 +
|  3
 +
|  NC
 +
|  Not connected. Possibly used to program cards.
 +
|-
 +
|  4
 +
|  RCS
 +
|  ROM select, active low. Pulled low to start a ROM transfer.
 +
|-
 +
|  5
 +
|  RST
 +
|  Reset, active low.
 +
|-
 +
|  6
 +
|  ECS
 +
|  Savegame chip select, active low. Pulled low to start a savegame SPI transfer.
 +
|-
 +
|  7
 +
|  IRQ
 +
|  Removal detection.
 +
|-
 +
|  8
 +
|  VCC
 +
|  Powersupply 3.3V.
 +
|-
 +
|  9
 +
|  DAT0
 +
|  Bidirectional data bus.
 +
|-
 +
|  10
 +
|  DAT1
 +
|  Bidirectional data bus.
 +
|-
 +
|  11
 +
|  DAT2
 +
|  Bidirectional data bus.
 +
|-
 +
|  12
 +
|  DAT3
 +
|  Bidirectional data bus.
 +
|-
 +
|  13
 +
|  DAT4
 +
|  Bidirectional data bus / pin ? to savegame chip{{check}}
 +
|-
 +
|  14
 +
|  DAT5
 +
|  Bidirectional data bus / pin ? to savegame chip{{check}}
 +
|-
 +
|  15
 +
|  DAT6
 +
|  Bidirectional data bus / SPI data from savegame chip.
 +
|-
 +
|  16
 +
|  DAT7
 +
|  Bidirectional data bus / SPI data to savegame chip.
 +
|-
 +
|  17
 +
|  GND
 +
|  Ground
 +
|}
 +
 
 +
===SPI flash===
 +
So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001 it is actually an MX25L1021E. Datasheet at: http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E,%203V,%201Mb,%20v0.01.pdf.
 +
 
 +
===Protocol===
 +
The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the DS and DSi gamecard communication protocol.
 +
 
 +
After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR.
 +
 
 +
Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Size
 +
!  Command
 +
!  Description
 +
|-
 +
|2000
 +
|9F00000000000000
 +
| Reset
 +
|-
 +
|0000
 +
|71C93FE9BB0A3B18
 +
| Unknown
 +
|-
 +
|0004
 +
|9000000000000000
 +
| Get gamecard ID, response=9000FEC2
 +
|-
 +
|0004
 +
|9000000000000000
 +
| Get gamecard ID, response=9000FEC2
 +
|-
 +
|0004
 +
|A000000000000000
 +
| Unknown, response=00000000
 +
|-
 +
|0000
 +
|3E00000000000000
 +
| Enter 16-byte command mode.
 +
|-
 +
|07EC
 +
|82000000000000000000000000000000
 +
| Get header
 +
|-
 +
|05E3
 +
|F32C92D85C9D44DED3E0E41DBE7C90D9
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|696B9D8582FB55D31B68CAFE70C74A95
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|BAA4812CA0AC9C5D19399530E3ACCCAB
 +
| Encrypted, unknown
 +
|-
 +
|032E
 +
|178E427C22D87ADB86387249A97D321A
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|E06019B1BD5C9130ED6A4D9F4A9E7193
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|4E0D224862523BBFE2E6255F80E15F37
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|4CDF93D319FB62D0DB632A45E3E8D84C
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|9AA5D80551002F955546D296A57F0FEF
 +
| Encrypted, unknown
 +
|-
 +
|0332
 +
|C12BA81AEF30DDDBD93FAD5D544C6334
 +
| Encrypted, unknown
 +
|-
 +
|0532
 +
|62EC5FB7F420AE1DC6253AE18AFA5BB3
 +
| Encrypted, read address 0
 +
|-
 +
|0332
 +
|E3FA23AA016BE0C93430D1F42FF41324
 +
| Encrypted, read address 0x4000
 +
|}
 +
 
 +
The header command has some initial dummy bytes, and eventually responds with a 0x200 byte header. Here's an example for Lego Starwars 3:
 +
0000000: 00 8c 03 00 00 00 04 00 00 00 00 00 00 00 00 00  ................
 +
0000010: b3 cf fb c6 6a b1 cb 20 32 af ce 35 d4 1c 74 c9  ....j.. 2..5..t.
 +
0000020: 8e 6b 27 2f 08 01 28 3b d4 30 de 44 37 f5 b0 46  .k'/..(;.0.D7..F
 +
0000030: 91 59 d7 38 33 48 df 83 fd 71 84 2c 00 00 00 00  .Y.83H...q.,....
 +
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000100: 4e 43 43 48 7a 7f 0e 00 00 8c 03 00 00 00 04 00  NCCHz...........
 +
0000110: 36 34 02 00 00 00 00 00 00 8c 03 00 00 00 04 00  64..............
 +
0000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 +
0000150: 43 54 52 2d 50 2d 41 4c 47 50 00 00 00 00 00 00  CTR-P-ALGP......
 +
0000160: 0c 27 e3 c1 de 7b 2a e2 d3 11 4f 32 a4 ee bf 46  .'...{*...O2...F
 +
0000170: 9a fd 0c f3 52 c1 1d 49 84 c2 a9 f1 d2 14 4c 63  ....R..I......Lc
 +
0000180: 00 04 00 00 00 00 00 00 00 00 00 00 01 03 00 00  ................
 +
0000190: 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
 +
00001a0: 06 00 00 00 1c 0a 00 00 01 00 00 00 00 00 00 00  ................
 +
00001b0: 22 0a 00 00 58 75 0e 00 01 00 00 00 00 00 00 00  "...Xu..........
 +
00001c0: 13 0c 04 26 15 f6 47 c4 c6 32 25 ea 9e 67 f8 a2  ...&..G..2%..g..
 +
00001d0: 7b 15 24 6b 88 fb c7 a9 27 25 7b 84 97 7b 78 7b  {.$k....'%{..{x{
 +
00001e0: a6 5b ee 10 60 bb 6a 68 21 bb ce c6 00 03 5b 7e  .[..`.jh!.....[~
 +
00001f0: 64 fb 6e ac a7 f0 96 0c fb 1f 5a 37 08 77 28 f7  d.n.......Z7.w(.

Revision as of 10:35, 10 April 2011

A 3DS gamecard
Close-up of PCB

Physical interface

The 3DS gamecards have the same physical interface as regular DS and DSi gamecards. There is only a minor cosmetic difference in the plastic case, which has a small extruding notch on the top-right side. As such, it prevents insertion of the gamecard into old Nintendo DS or DSi systems.

When modifying the case so that the 3DS gamecard fits in a DS or DSi system, those systems will refuse to detect the gamecard and show no banner icon.

Pin Name Description
1 GND Ground
2 CLK Clock. Frequencies 6.7MHz and 4.2MHz)
3 NC Not connected. Possibly used to program cards.
4 RCS ROM select, active low. Pulled low to start a ROM transfer.
5 RST Reset, active low.
6 ECS Savegame chip select, active low. Pulled low to start a savegame SPI transfer.
7 IRQ Removal detection.
8 VCC Powersupply 3.3V.
9 DAT0 Bidirectional data bus.
10 DAT1 Bidirectional data bus.
11 DAT2 Bidirectional data bus.
12 DAT3 Bidirectional data bus.
13 DAT4 Bidirectional data bus / pin ? to savegame chip[check]
14 DAT5 Bidirectional data bus / pin ? to savegame chip[check]
15 DAT6 Bidirectional data bus / SPI data from savegame chip.
16 DAT7 Bidirectional data bus / SPI data to savegame chip.
17 GND Ground

SPI flash

So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001 it is actually an MX25L1021E. Datasheet at: http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E,%203V,%201Mb,%20v0.01.pdf.

Protocol

The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the DS and DSi gamecard communication protocol.

After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR.

Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:

Size Command Description
2000 9F00000000000000 Reset
0000 71C93FE9BB0A3B18 Unknown
0004 9000000000000000 Get gamecard ID, response=9000FEC2
0004 9000000000000000 Get gamecard ID, response=9000FEC2
0004 A000000000000000 Unknown, response=00000000
0000 3E00000000000000 Enter 16-byte command mode.
07EC 82000000000000000000000000000000 Get header
05E3 F32C92D85C9D44DED3E0E41DBE7C90D9 Encrypted, unknown
0332 696B9D8582FB55D31B68CAFE70C74A95 Encrypted, unknown
0332 BAA4812CA0AC9C5D19399530E3ACCCAB Encrypted, unknown
032E 178E427C22D87ADB86387249A97D321A Encrypted, unknown
0332 E06019B1BD5C9130ED6A4D9F4A9E7193 Encrypted, unknown
0332 4E0D224862523BBFE2E6255F80E15F37 Encrypted, unknown
0332 4CDF93D319FB62D0DB632A45E3E8D84C Encrypted, unknown
0332 9AA5D80551002F955546D296A57F0FEF Encrypted, unknown
0332 C12BA81AEF30DDDBD93FAD5D544C6334 Encrypted, unknown
0532 62EC5FB7F420AE1DC6253AE18AFA5BB3 Encrypted, read address 0
0332 E3FA23AA016BE0C93430D1F42FF41324 Encrypted, read address 0x4000

The header command has some initial dummy bytes, and eventually responds with a 0x200 byte header. Here's an example for Lego Starwars 3:

0000000: 00 8c 03 00 00 00 04 00 00 00 00 00 00 00 00 00  ................
0000010: b3 cf fb c6 6a b1 cb 20 32 af ce 35 d4 1c 74 c9  ....j.. 2..5..t.
0000020: 8e 6b 27 2f 08 01 28 3b d4 30 de 44 37 f5 b0 46  .k'/..(;.0.D7..F
0000030: 91 59 d7 38 33 48 df 83 fd 71 84 2c 00 00 00 00  .Y.83H...q.,....
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000100: 4e 43 43 48 7a 7f 0e 00 00 8c 03 00 00 00 04 00  NCCHz...........
0000110: 36 34 02 00 00 00 00 00 00 8c 03 00 00 00 04 00  64..............
0000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000150: 43 54 52 2d 50 2d 41 4c 47 50 00 00 00 00 00 00  CTR-P-ALGP......
0000160: 0c 27 e3 c1 de 7b 2a e2 d3 11 4f 32 a4 ee bf 46  .'...{*...O2...F
0000170: 9a fd 0c f3 52 c1 1d 49 84 c2 a9 f1 d2 14 4c 63  ....R..I......Lc
0000180: 00 04 00 00 00 00 00 00 00 00 00 00 01 03 00 00  ................
0000190: 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
00001a0: 06 00 00 00 1c 0a 00 00 01 00 00 00 00 00 00 00  ................
00001b0: 22 0a 00 00 58 75 0e 00 01 00 00 00 00 00 00 00  "...Xu..........
00001c0: 13 0c 04 26 15 f6 47 c4 c6 32 25 ea 9e 67 f8 a2  ...&..G..2%..g..
00001d0: 7b 15 24 6b 88 fb c7 a9 27 25 7b 84 97 7b 78 7b  {.$k....'%{..{x{
00001e0: a6 5b ee 10 60 bb 6a 68 21 bb ce c6 00 03 5b 7e  .[..`.jh!.....[~
00001f0: 64 fb 6e ac a7 f0 96 0c fb 1f 5a 37 08 77 28 f7  d.n.......Z7.w(.