119
edits
Changes
Jump to navigation
Jump to search
Line 280:
Line 280: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Development Card Info Header Extension: filled in a bunch of missing pieces
| CardDeviceReserved2
| CardDeviceReserved2
|}
|}
== Development Card Info Header Extension ==
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x1200
| 0x200
| CardDeviceReserved1
|-
| 0x1400
| 0x10
| TitleKey
|-
| 0x1410
| 0xF0
| CardDeviceReserved2
|-
| 0x1500
| 0x1B00
| CardDeviceReserved3
|-
| 0x3000
| 0x1000
| Test pattern
|}
"TitleKey" is the decrypted version of the title key at 0x1000-0x103B ("Encrypted card seed"). This field appears to be what development--and maybe retail?--cards read to know what card encryption seed to use in the CTR protocol.
Note that a particular flashcard vendor puts what many refer to as "private headers" here in place of actual development card information. This header is constituted by a cartridge-unique Id obtained from [[Process_Services_PXI|pxi:ps9::GetRomId]] and the title-unique cart ID (identical for all carts of the same title; can be retrieved using the NTR gamecard protocol command 0x90 or through the CTR protocol commands 0x90 or 0xA2).
Note that a particular flashcard vendor puts what many refer to as "private headers" here in place of actual development card information. This header is constituted by a cartridge-unique Id obtained from [[Process_Services_PXI|pxi:ps9::GetRomId]] and the title-unique cart ID (identical for all carts of the same title; can be retrieved using the NTR gamecard protocol command 0x90 or through the CTR protocol commands 0x90 or 0xA2).
The CardDeviceReserved areas have random-looking data whose purpose is unknown, other than perhaps to hide the TitleKey.
The test pattern is the same one encountered in development DS/DSi cartridges. Its layout is as follows:
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x3000
| 8
| The bytes FF,00,FF,00,AA,55,AA,55.
|-
| 0x3008
| 0x1F8
| An ascending byte sequence equal to the offset mod 256 (08,09,0A, ..., FE,FF,00,01, ..., FF).
|-
| 0x3200
| 0x200
| A descending byte sequence equal to 255 minus the offset mod 256 (FF,FE,FD, ..., 00,FF,DE, ..., 00).
|-
| 0x3400
| 0x200
| Filled with 00 bytes.
|-
| 0x3600
| 0x200
| Filled with FF bytes.
|-
| 0x3800
| 0x200
| Filled with 0F bytes.
|-
| 0x3A00
| 0x200
| Filled with F0 bytes.
|-
| 0x3C00
| 0x200
| Filled with 55 bytes.
|-
| 0x3E00
| 0x1FF
| Filled with AA bytes.
|-
| 0x3FFF
| 1
| The final byte is a 00.
|}
Retail cards always return FF when attempting to read 0x1200-0x3FFF. They probably actually have the same data as development cards, but there's no way to read it.
== Tools ==
== Tools ==