Card hardware
Here's a set of sample card commands that an old DS sends to a DSi enhanced card upon bootup:
Size | Command | Description |
---|---|---|
2000 | 9F00000000000000 | RESET |
0200 | 0000000000000000 | HEADER |
0004 | 9000000000000000 | CARDID 40001FC2 |
0000 | 3C02DD38BEC62AC2 | ENTER KEY1 |
0910 | 475C7973528EC62A | ENTER KEY2 |
0914 | 175C702DD38EC62B | CARDID 40001FC2 |
0914 | 175C702DD38EC62C | CARDID 40001FC2 |
19B8 | 2000502DD38EC62D | SEC 5 |
19B8 | 2000402DD38EC62E | SEC 4 |
19B8 | 2000702DD38EC62F | SEC 7 |
19B8 | 2000602DD38EC630 | SEC 6 |
0910 | A75C702DD38EC631 | ENTER MAIN |
0004 | B800000000000000 | CARDID 40001FC2 |
0200 | B7001C7200000000 | ROM READ |
0200 | B7001C7400000000 | ROM READ |
Note that the KEY1 and KEY2 commands shown here are already decrypted.
Now here's a set of sample commands that a DSi sends to a DSi enhanced card:
Size | Command | Description |
---|---|---|
2000 | 9F00000000000000 | RESET |
0004 | 9000000000000000 | CARDID 40001FC2 |
1000 | 0000000000000000 | HEADER |
0000 | 3CA3BD240F4B7400 | ENTER KEY1 |
09F8 | 400008867A9F4B74 | ENTER KEY2 |
0914 | 10000A3BD24F4B75 | CARDID 40001FC2 |
19B8 | 20004A3BD24F4B76 | SEC 4 |
19B8 | 20005A3BD24F4B77 | SEC 5 |
19B8 | 20006A3BD24F4B78 | SEC 6 |
19B8 | 20007A3BD24F4B79 | SEC 7 |
So far, this matches up with a normal DS bootup - with minor differences such as CARDID (90) coming before HEADER (00), the header being queried for 0x1000 bytes, and the size of responses changed for some commands from 0x910 to 0x9F8. After these commands, the sequence changes. A raw all zeroes command is sent, followed by a raw command that always starts with 0x3D. The following commands are all shown in raw format, as I've been unable to decrypt them yet. However, some obvious similarities exist by simply looking at the response size of the commands.
Size | Command | Description |
---|---|---|
0200 | 0000000000000000 | HEADER again? |
0000 | 3DBA1F0A0E91C100 | ENTER KEY1 again? |
09F8 | 67DCFB8E9CC369DF | ENTER KEY2 again? |
0914 | A1FF8184D5312ACD | CARDID again? |
19B8 | E1B09DEAABE3D960 | SEC again? |
19B8 | 082289FB6F52EC75 | SEC again? |
19B8 | 854F68025AAC4B6D | SEC again? |
19B8 | 994FAFFDD8993548 | SEC again? |
09F8 | 049D1DB7297CCE7F | ENTER MAIN ? |
0004 | 247D01C82FD0D964 | CARDID? |
0200 | 1300E4799B395232 | ROM READ? |
0200 | 14C25EC1E7F63C27 | ROM READ? |
0200 | BA11CDA5BDB17489 | ROM READ? |
The command after 0x3D cannot be decrypted using the previous KEY1; it is likely that the Blowfish P and/or S arrays are switched with a new set. The 0x9F8 response for this command is identical to the previous ENTER KEY2 command (which is a fixed stream), so it is also very likely that this command is issuing a new LFSR seed.
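The decrypted KEY1-stage commands in the first two tables can be checked mechanically, and the same check shows that the commands after 0x3D do not fit. This Python is an added example, not code from the original page: the field layout (type nibble, 16-bit argument, iii, jjj, and a 20-bit kkkkk counter seeded by the 3C command) is an assumption taken from public DS cartridge protocol documentation, applying it to 3D is a further assumption, and all function names are hypothetical.

```python
# Commands copied from this page's tables, each list starting at its 3C/3D command.
OLD_DS = ["3C02DD38BEC62AC2", "475C7973528EC62A", "175C702DD38EC62B",
          "175C702DD38EC62C", "2000502DD38EC62D", "2000402DD38EC62E",
          "2000702DD38EC62F", "2000602DD38EC630", "A75C702DD38EC631"]
DSI = ["3CA3BD240F4B7400", "400008867A9F4B74", "10000A3BD24F4B75",
       "20004A3BD24F4B76", "20005A3BD24F4B77", "20006A3BD24F4B78",
       "20007A3BD24F4B79"]
RAW_3D = ["3DBA1F0A0E91C100", "67DCFB8E9CC369DF", "A1FF8184D5312ACD",
          "E1B09DEAABE3D960"]  # raw commands after 0x3D, not decrypted

# Type nibble -> description, as labelled in the page's tables.
NAMES = {"4": "ENTER KEY2", "1": "CARDID", "2": "SEC", "A": "ENTER MAIN"}

def parse_enter(cmd):
    """Split a 3C/3D command as op, iii, jjj, x, kkkkk, xx (assumed layout)."""
    return {"op": cmd[0:2], "iii": cmd[2:5], "jjj": cmd[5:8],
            "k": int(cmd[9:14], 16)}

def parse_key1(cmd):
    """Split a decrypted command as type, 16-bit arg, iii, jjj, kkkkk (assumed)."""
    return {"type": cmd[0], "arg": int(cmd[1:5], 16), "iii": cmd[5:8],
            "jjj": cmd[8:11], "k": int(cmd[11:16], 16)}

def check_trace(trace):
    """Return (labels, problems) for a trace whose first entry is 3C/3D."""
    seed = parse_enter(trace[0])
    labels, problems = [], []
    for n, cmd in enumerate(trace[1:]):
        f = parse_key1(cmd)
        name = NAMES.get(f["type"], "UNKNOWN")
        labels.append(f"{name} {f['arg']}" if f["type"] == "2" else name)
        # kkkkk should start at the seeded value and grow by one per command.
        if f["k"] != (seed["k"] + n) & 0xFFFFF:
            problems.append(f"{cmd}: counter {f['k']:05X} out of sequence")
        # Every command except ENTER KEY2 repeats iii/jjj from ENTER KEY1.
        if f["type"] != "4" and (f["iii"], f["jjj"]) != (seed["iii"], seed["jjj"]):
            problems.append(f"{cmd}: iii/jjj differ from the 3C/3D command")
    return labels, problems

if __name__ == "__main__":
    for title, trace in (("old DS", OLD_DS), ("DSi", DSI), ("after 3D", RAW_3D)):
        labels, problems = check_trace(trace)
        print(f"{title}: {labels} -> {len(problems)} problem(s)")
```

Both decrypted traces pass with no problems, while the commands after 0x3D fail both checks, which agrees with the page's statement that they are still encrypted.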
More to come...