Difference between revisions of "Card hardware"
Line 122: | Line 122: | ||
|} | |} | ||
− | So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), | + | So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8. |
After these commands, the sequence changes. A raw all zeroes command is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands. | After these commands, the sequence changes. A raw all zeroes command is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands. | ||
Revision as of 00:31, 31 July 2009
Here's a set of sample card commands that an old DS sends to a DSi enhanced card upon bootup:
Size | Command | Description |
---|---|---|
2000 | 9F00000000000000 | RESET |
0200 | 0000000000000000 | HEADER |
0004 | 9000000000000000 | CARDID 40001FC2 |
0000 | 3C02DD38BEC62AC2 | ENTER KEY1 |
0910 | 475C7973528EC62A | ENTER KEY2 |
0914 | 175C702DD38EC62B | CARDID 40001FC2 |
0914 | 175C702DD38EC62C | CARDID 40001FC2 |
19B8 | 2000502DD38EC62D | SEC 5 |
19B8 | 2000402DD38EC62E | SEC 4 |
19B8 | 2000702DD38EC62F | SEC 7 |
19B8 | 2000602DD38EC630 | SEC 6 |
0910 | A75C702DD38EC631 | ENTER MAIN |
0004 | B800000000000000 | CARDID 40001FC2 |
0200 | B7001C7200000000 | ROM READ |
0200 | B7001C7400000000 | ROM READ |
Note that the KEY1 and KEY2 commands shown here are already decrypted.
Now here's a set of sample commands that a DSi sends to a DSi enhanced card:
Size | Command | Description |
---|---|---|
2000 | 9F00000000000000 | RESET |
0004 | 9000000000000000 | CARDID 40001FC2 |
1000 | 0000000000000000 | HEADER |
0000 | 3CA3BD240F4B7400 | ENTER KEY1 |
09F8 | 400008867A9F4B74 | ENTER KEY2 |
0914 | 10000A3BD24F4B75 | CARDID 40001FC2 |
19B8 | 20004A3BD24F4B76 | SEC 4 |
19B8 | 20005A3BD24F4B77 | SEC 5 |
19B8 | 20006A3BD24F4B78 | SEC 6 |
19B8 | 20007A3BD24F4B79 | SEC 7 |
So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8. After these commands, the sequence changes. A raw all zeroes command is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.
Size | Command | Description |
---|---|---|
0200 | 0000000000000000 | HEADER again? |
0000 | 3DBA1F0A0E91C100 | ENTER KEY1 again? |
09F8 | 67DCFB8E9CC369DF | ENTER KEY2 again? |
0914 | A1FF8184D5312ACD | CARDID again? |
19B8 | E1B09DEAABE3D960 | SEC again? |
19B8 | 082289FB6F52EC75 | SEC again? |
19B8 | 854F68025AAC4B6D | SEC again? |
19B8 | 994FAFFDD8993548 | SEC again? |
09F8 | 049D1DB7297CCE7F | ENTER MAIN ? |
0004 | 247D01C82FD0D964 | CARDID? |
0200 | 1300E4799B395232 | ROM READ? |
0200 | 14C25EC1E7F63C27 | ROM READ? |
0200 | BA11CDA5BDB17489 | ROM READ? |
More to come...