Difference between revisions of "Gamecards"
m (The 0x200 byte header is not the product code. CTR-P-ALGP is the product code in this case.) |
(update PDF datasheet URL) |
||
Line 83: | Line 83: | ||
===SPI flash=== | ===SPI flash=== | ||
− | So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at: http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/ | + | So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at:<br> |
+ | http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E%2C%203V%2C%201Mb%2C%20v1.1.pdf?OpenElement <br> | ||
+ | http://www.beilenet.com/download/MX25L1021E,%203V,%201Mb,%20v0.01.pdf (old version mirror) <br> | ||
+ | However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip. | ||
===Format=== | ===Format=== |
Revision as of 16:47, 17 May 2013
Physical interface
The 3DS gamecards have the same physical interface as regular DS and DSi gamecards. There is only a minor cosmetic difference in the plastic case, which has a small extruding notch on the top-right side. As such, it prevents insertion of the gamecard into old Nintendo DS or DSi systems.
When modifying the case so that the 3DS gamecard fits in a DS or DSi system, those systems will refuse to detect the gamecard and show no banner icon.
Pin | Name | Description |
---|---|---|
1 | GND | Ground |
2 | CLK | Clock. Frequencies 6.7MHz and 4.2MHz for DS/DSi gamecards, up to 16.6MHz for 3DS gamecards (for both SPI and ROM transfers). |
3 | NC | Not connected. Possibly used to program cards. |
4 | RCS | ROM select, active low. Pulled low to start a ROM transfer. |
5 | RST | Reset, active low. |
6 | ECS | Savegame chip select, active low. Pulled low to start a savegame SPI transfer. |
7 | IRQ | Removal detection. |
8 | VCC | Powersupply 3.3V. |
9 | DAT0 | Bidirectional data bus. |
10 | DAT1 | Bidirectional data bus. |
11 | DAT2 | Bidirectional data bus. |
12 | DAT3 | Bidirectional data bus. |
13 | DAT4 | Bidirectional data bus / pin NC/SIO3 on savegame chip. |
14 | DAT5 | Bidirectional data bus / pin WP#/SIO2 on savegame chip. |
15 | DAT6 | Bidirectional data bus / pin SO/SIO1 on savegame chip. |
16 | DAT7 | Bidirectional data bus / pin SI/SIO0 on savegame chip. |
17 | GND | Ground |
SPI flash
So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at:
http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E%2C%203V%2C%201Mb%2C%20v1.1.pdf?OpenElement
http://www.beilenet.com/download/MX25L1021E,%203V,%201Mb,%20v0.01.pdf (old version mirror)
However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip.
Format
Cartridges can come in several sizes and include system updates in a region reserved for this. In ROMs less than 1GB the update region can be found with: CART_SIZE_MAX-( 0x280000*(CART_SIZE_MAX/CART_SIZE_128MB) )-0x2000000. The region is then 0x2000000 bytes.
Protocol
The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the DS and DSi gamecard communication protocol.
After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR. When 16-byte commands are used, the data bus maintains the value 0x00 until the card signals it is ready by clocking a single byte 0x01, followed by the actual data. After each 0x200-byte block of actual data, a 4-byte standard CRC32 of the block data (before encryption) follows.
Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:
Size | Command | Decrypted command | Description |
---|---|---|---|
2000 | 9F00000000000000 | Reset | |
0000 | 71C93FE9BB0A3B18 | Unknown | |
0004 | 9000000000000000 | Get gamecard ID, response=9000FEC2 | |
0004 | 9000000000000000 | Get gamecard ID, response=9000FEC2 | |
0004 | A000000000000000 | Unknown, response=00000000 | |
0000 | 3E00000000000000 | Enter 16-byte command mode. | |
0200 | 82000000000000000000000000000000 | Get header | |
0000 | F32C92D85C9D44DED3E0E41DBE7C90D9 | 8300000000000000708DF1A731717D0B | Seed |
0004 | 696B9D8582FB55D31B68CAFE70C74A95 | A200000000000000708DF1A731717D0B | Get secured gamecard ID, response=9000FEC2 |
0004 | BAA4812CA0AC9C5D19399530E3ACCCAB | A300000000000000708DF1A731717D0B | Unknown |
0000 | 178E427C22D87ADB86387249A97D321A | C500000000000000708DF1A731717D0B | Unknown |
0004 | E06019B1BD5C9130ED6A4D9F4A9E7193 | A200000000000000708DF1A731717D0B | Get secured gamecard ID, response=9000FEC2 |
0004 | 4E0D224862523BBFE2E6255F80E15F37 | A200000000000000708DF1A731717D0B | Get secured gamecard ID, response=9000FEC2 |
0004 | 4CDF93D319FB62D0DB632A45E3E8D84C | A200000000000000708DF1A731717D0B | Get secured gamecard ID, response=9000FEC2 |
0004 | 9AA5D80551002F955546D296A57F0FEF | A200000000000000708DF1A731717D0B | Get secured gamecard ID, response=9000FEC2 |
0004 | C12BA81AEF30DDDBD93FAD5D544C6334 | A200000000000000708DF1A731717D0B | Get secured gamecard ID, response=9000FEC2 |
0200 | 62EC5FB7F420AE1DC6253AE18AFA5BB3 | BF000000000000000000000000000000 | Read address 0 |
0200 | E3FA23AA016BE0C93430D1F42FF41324 | BF000000000040000000000000000000 | Read address 0x4000 |
The header command has some initial dummy bytes, and eventually responds with a 0x200 byte header. Here's an example for Lego Starwars 3:
0000000: 00 8c 03 00 00 00 04 00 00 00 00 00 00 00 00 00 ................ 0000010: b3 cf fb c6 6a b1 cb 20 32 af ce 35 d4 1c 74 c9 ....j.. 2..5..t. 0000020: 8e 6b 27 2f 08 01 28 3b d4 30 de 44 37 f5 b0 46 .k'/..(;.0.D7..F 0000030: 91 59 d7 38 33 48 df 83 fd 71 84 2c 00 00 00 00 .Y.83H...q.,.... 0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000100: 4e 43 43 48 7a 7f 0e 00 00 8c 03 00 00 00 04 00 NCCHz........... 0000110: 36 34 02 00 00 00 00 00 00 8c 03 00 00 00 04 00 64.............. 0000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000150: 43 54 52 2d 50 2d 41 4c 47 50 00 00 00 00 00 00 CTR-P-ALGP...... 0000160: 0c 27 e3 c1 de 7b 2a e2 d3 11 4f 32 a4 ee bf 46 .'...{*...O2...F 0000170: 9a fd 0c f3 52 c1 1d 49 84 c2 a9 f1 d2 14 4c 63 ....R..I......Lc 0000180: 00 04 00 00 00 00 00 00 00 00 00 00 01 03 00 00 ................ 0000190: 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 00001a0: 06 00 00 00 1c 0a 00 00 01 00 00 00 00 00 00 00 ................ 00001b0: 22 0a 00 00 58 75 0e 00 01 00 00 00 00 00 00 00 "...Xu.......... 00001c0: 13 0c 04 26 15 f6 47 c4 c6 32 25 ea 9e 67 f8 a2 ...&..G..2%..g.. 00001d0: 7b 15 24 6b 88 fb c7 a9 27 25 7b 84 97 7b 78 7b {.$k....'%{..{x{ 00001e0: a6 5b ee 10 60 bb 6a 68 21 bb ce c6 00 03 5b 7e .[..`.jh!.....[~ 00001f0: 64 fb 6e ac a7 f0 96 0c fb 1f 5a 37 08 77 28 f7 d.n.......Z7.w(.