    NeoFlash Private Source Released
 
  #1  
Old 06-09-2005, 06:23 PM
Zeus
Administrator
 
Registered: May 2003
Location: Athens
Posts: 1,736
NeoFlash Private Source Released

Quote:
Here we have a leaked version of the NeoFlash tool source code for you. Hope you like it. Expect more from us in the future..
Discuss this release here and you can read more in the nfo file.

Attached Files
File Type: nfo rxr-nfps.nfo (1.2 KB, 439 views)
MaxConsole - Numero Uno Console website resource

  #2  
Old 06-09-2005, 08:10 PM
whackawookie
Moderator
 
Registered: Jan 2005
Posts: 4,694
is the actual attachment supposed to be here or just the nfo? still excellent news.
immature fanboys have forever ruined the sanctity of a friendly message board


  #3  
Old 06-09-2005, 08:38 PM
DarkCube
Registered User
 
Registered: Mar 2005
Posts: 104
best news I've heard all day

  #4  
Old 06-09-2005, 09:00 PM
phantomdjp
Registered User
 
Registered: May 2005
Posts: 52
Private Source? Not so private, they give it to every "good dev" who has got a free Neoflash.
And it's useless since it doesn't have anything really interesting to dump or start NDS roms...
The only "fun" thing is that the true name of Neoflash is "XG3 Flash" ... not a surprise...

  #5  
Old 06-09-2005, 09:07 PM
DarkCube
Registered User
 
Registered: Mar 2005
Posts: 104
the source is the source code for the program, aka it contains the source code for the loader, which can be ripped, recompiled, have all the damn encryption removed and made to run on ANY flash cart.

  #6  
Old 06-09-2005, 09:38 PM
cory149
Registered User
 
Registered: Mar 2005
Location: Canada
Posts: 3,345
DarkCube, there is no NEO ndsloader, just a dll to tell the app what to do with extensions like nds and neo. As far as I can tell there is no encryption present in the neokit, but the last time I looked it was at .91...

The gst roms do not appear to be encrypted, they just have ALL the FAT addresses in the filesystem and binaries patched/altered to load from the gba slot instead of the ds slot, which are also hardwired into the XG"3" cart, aside from the savegame which is still mapped to the nds slot. Likely the neokit will not see a multibooter capable of loading 2 separate commercial roms off the gba cart because of the static locations patched in.

If anything, the default bootloader in the roms has been changed slightly to detect a special revision of the PASSME called NEOKEY.

I still have no clue how to reverse the damage done to the roms to prove without a doubt to myself that this is what has been done...

At any rate, nice nfo file, where is the download?

  #7  
Old 06-09-2005, 09:46 PM
whackawookie
Moderator
 
Registered: Jan 2005
Posts: 4,694
u know what's sad, once somebody finally removes the patch for neokey detection they'll either stop releasing dumps or hard code it more. this is not a scene contribution but a money hungry attempt to own the scene. funny how nothing else has been mentioned about the usb loader tool.
immature fanboys have forever ruined the sanctity of a friendly message board


  #8  
Old 06-10-2005, 02:30 AM
cory149
Registered User
 
Registered: Mar 2005
Location: Canada
Posts: 3,345
Ah well, I knew the leaked source would be nearly as tough to get as the official source...

  #9  
Old 06-10-2005, 02:38 AM
fRUiTDEV
Registered User
 
Registered: Jun 2005
Posts: 15
Quote:
Originally posted by cory149
DarkCube, there is no NEO ndsloader, just a dll to tell the app what to do with extensions like nds and neo. As far as I can tell there is no encryption present in the neokit, but the last time I looked it was at .91...

The gst roms do not appear to be encrypted, they just have ALL the FAT addresses in the filesystem and binaries patched/altered to load from the gba slot instead of the ds slot, which are also hardwired into the XG"3" cart, aside from the savegame which is still mapped to the nds slot.
Likely the neokit will not see a multibooter capable of loading 2 separate commercial roms off the gba cart because of the static locations patched in.

If anything, the default bootloader in the roms has been changed slightly to detect a special revision of the PASSME called NEOKEY.

I still have no clue how to reverse the damage done to the roms to prove without a doubt to myself that this is what has been done...

At any rate, nice nfo file, where is the download?
I was wondering for a little while how the GST roms were patched exactly.. this gives me a better insight I guess..

So if I understand correctly original NDS roms make use of the NDS filesystem and do all file accessing through that, while the GST patched roms have just hardcoded addresses to *somewhere* on the GBA cart. That would require quite some calculation I guess? Or do they just rip out all the start addresses from the FAT and add a certain value or something?

Quote:
which are also hardwired into the XG"3" cart
I don't get this fully.. what do you mean by hardwired?

And why are the GST roms way bigger than the DFv2's? I can understand that some patching would get you some overhead, but not that much

Did you ever look at the NDS header in the GST roms? they have very strange ARM7/ARM9 load addy's and such.. (totally impossible ones it seems to me)
And the "boot signature" is different too I believe. the normal PassMe works by searching for the "DSbooter" string in the header, but this one had a different one if I recall correctly (was a while ago when I last looked at this.. )

Quote:
u know what's sad, once somebody finally removes the patch for neokey detection they'll either stop releasing dumps or hard code it more. this is not a scene contribution but a money hungry attempt to own the scene. funny how nothing else has been mentioned about the usb loader tool.
Like said above by cory, there probably isn't even a real check for the NEOKEY..

Anyhow, let's investigate this further so we can get our own patcher out (and make it work on all flashcarts of course)

PS. yay, my first maxconsole post ;-P
Always high on fruit!

  #10  
Old 06-10-2005, 03:08 AM
cory149
Registered User
 
Registered: Mar 2005
Location: Canada
Posts: 3,345
I think they have recursively patched all the addresses in the FAT as well as the code excepting the save eeprom locations. They would likely have been patched to GBA locations, the only thing I can think of that would explain the odd arm9/7 locations is if part of that was code that is interpreted by the XG cart, but I could be waaaay off on that and like darkfader seems to believe they could very well be encrypted by GST, but I have my doubts about that.

It seems likely they have the aid of a DS dev machine with full debugging support.

As to the size difference, the DF dumps were decrypted and had left out sections of the ROM that were encrypted differently than the random number method. When unpacked from the zips both metroids (df and gst) come out to 16,777,216bytes.

Whether there is still all/enough of the data still in there to actually play the dump without the real cart present is beyond me, but I have read that it does play on the neoflash just without savegame support.

any idea where to start? I was thinking a stepping disasm may reveal something but I don't have the hardware/software to even think of doing such a thing...

Last edited by cory149; 06-10-2005 at 03:19 AM.

  #11  
Old 06-10-2005, 04:14 AM
fRUiTDEV
Registered User
 
Registered: Jun 2005
Posts: 15
Quote:
They would likely have been patched to GBA locations, the only thing I can think of that would explain the odd arm9/7 locations is if part of that was code that is interpreted by the XG cart
Hmm yes... I guess the XG cart features some kind of bank/addressing switching which gets you the really odd addresses instead of the normal 0x80000000+ (iirc) addy's..

Quote:
It seems likely they have the aid of a DS dev machine with full debugging support.
I'm quite sure they (or he *wink*) doesn't

Quote:
As to the size difference, the DF dumps were decrypted and had left out sections of the ROM that were encrypted differently than the random number method. When unpacked from the zips both metroids (df and gst) come out to 16,777,216bytes.
the sections you are talking about is the so-called "secure area" ?

Quote:
Whether there is still all/enough of the data still in there to actually play the dump without the real cart present is beyond me, but I have read that it does play on the neoflash just without savegame support.
The GST dumps play on an ordinary XG2 + regular Passme too.. so I think it would be something hardware specific on the XG2/XG3 hardware side, or in the flasher software.. But also confirmed is, that if you flash the GST roms using the XG2 flasher (not neoflash software) it also works on a regular Passme + XG2.

Quote:
any idea where to start? I was thinking a stepping disasm may reveal something but I don't have the hardware/software to even think of doing such a thing...
Well, you could disasm the ROMs using a ARM disassembler. rip off the NDS/GBA header and chop it into IDA :-) Oh wait, I believe there is a .NDS extension for IDA out.. (check DF's DS page)
Always high on fruit!

  #12  
Old 06-10-2005, 11:48 AM
cubenoob
Registered User
 
Registered: Mar 2005
Posts: 469
Quote:
Originally posted by fRUiTDEV

The GST dumps play on an ordinary XG2 + regular Passme too.. so I think it would be something hardware specific on the XG2/XG3 hardware side, or in the flasher software.. But also confirmed is, that if you flash the GST roms using the XG2 flasher (not neoflash software) it also works on a regular Passme + XG2.
So this means you can take a normal xg2 and use the flasher and a passme and you could play the roms? Don't get me wrong but several people around these forums stated that this method won't work. And some have tested it before and confirmed that this won't work.

But if this method works there's no need for a neoflash at all and everyone could use a xg2 and the flasher with a passme? But I wonder why no one really uses this.

Another question is if you use the hacked firmware and flash it to the ds (i think it was called flashme) is this a replacement to the hardware passme?
/msg cubenoob xdcc send #1

  #13  
Old 06-10-2005, 01:23 PM
fRUiTDEV
Registered User
 
Registered: Jun 2005
Posts: 15
Quote:
Originally posted by cubenoob
So this means you can take a normal xg2 and use the flasher and a passme and you could play the roms? Don't get me wrong but several people around these forums stated that this method won't work. And some have tested it before and confirmed that this won't work.
Yep, this has been tested by Acey- from 64scener.com.

Quote:
But if this method works there's no need for a neoflash at all and everyone could use a xg2 and the flasher with a passme? But I wonder why no one really uses this.
Indeed, there is no real need for Neoflash

Quote:
Another question is if you use the hacked firmware and flash it to the ds (i think it was called flashme) is this a replacement to the hardware passme?
Yep, wifime is a replacement for the passme. It works in the same way (looks for a signature on the GBA flash, then run).
Always high on fruit!

  #14  
Old 06-10-2005, 01:52 PM
cubenoob
Registered User
 
Registered: Mar 2005
Posts: 469
Oh that's great! Now I'm really only one click away from ordering an xg2 flash card. But I still have some more questions:

1. Should I buy an xg2 flash card?
2. What else do I need? I want to use the wifime and this is like you have a passme. So I'll need a wireless pci card? I have no laptop and I heard only a few chipsets will work on this but I'm not sure if it was the other thing which was streaming the games from pc to ds.
3. What software to use to flash the new firmware and to flash the roms to the flashcard?

TIA
/msg cubenoob xdcc send #1

  #15  
Old 06-10-2005, 02:19 PM
cory149
Registered User
 
Registered: Mar 2005
Location: Canada
Posts: 3,345
I have my doubts though, dshacker.com, that this is a real release, nevermind with any direct value to finding the method that the gst roms were patched...

Fruitdev: That said, after the first 2 dumps (metroid and mario64) the gst roms supposedly no longer work with flashme and possibly passme, but I haven't verified this in person. The XG/passme combo is supposedly extremely picky about the cpld version that is used in the passme (by a guess, if any would work you'd be looking for the cpld code that enabled/uses the led just like the neokey has, removed from later revisions around the same time neoflash was announced)

the nds loader for ida 4.7 does not recognize the gst roms as valid nds files and I personally don't have the patience to dehack those releases anyways.

If you recall looking at them (gst releases) with ndstool then you would also remember not only are the addresses really weird but all the crcs failed. The loader is based on darkfaders work with ndstool, so without mods it's kinda unlikely it will load roms with odd addresses to the binaries...

not sure how else one would learn to debug/patch a rom that large without being able to disasm it or live patch it in memory as it's running. I really don't have the skill or desire to reverse the gst dumps, but am still interested in the unique solution that XG and GST came up with.

It's nearly as fascinating as that large/prototype passme that DF used way back when the DS was near impossible to get.
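
Posts #9 and #15 mention NDS headers with implausible ARM9/ARM7 load addresses and CRCs that fail under ndstool. The following is an added example, not part of the thread and not ndstool's code, of that kind of header sanity check; the offsets follow the commonly documented NDS header layout, while the RAM windows and the sample header are assumptions constructed for illustration.

```python
import struct

MAIN_RAM = (0x02000000, 0x02400000)   # assumed valid load window (main RAM)
ARM7_WRAM = (0x037F8000, 0x03810000)  # assumed extra window for ARM7 code

def crc16(data):
    """CRC-16 with reflected polynomial 0xA001 and initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def check_header(hdr):
    """Return a list of findings for the first 0x160 bytes of an .nds image."""
    if len(hdr) < 0x160:
        raise ValueError("need at least 0x160 header bytes")
    findings = []
    logo_crc, header_crc = struct.unpack_from("<2H", hdr, 0x15C)
    if crc16(hdr[0xC0:0x15C]) != logo_crc:
        findings.append("logo CRC mismatch")
    if crc16(hdr[:0x15E]) != header_crc:
        findings.append("header CRC mismatch")
    # Each CPU block holds: ROM offset, entry address, load address, size.
    for cpu, offset, windows in (("ARM9", 0x20, (MAIN_RAM,)),
                                 ("ARM7", 0x30, (MAIN_RAM, ARM7_WRAM))):
        _, entry, load, _ = struct.unpack_from("<4I", hdr, offset)
        for label, addr in (("entry", entry), ("load", load)):
            if not any(lo <= addr < hi for lo, hi in windows):
                findings.append(f"{cpu} {label} address {addr:#010x} outside RAM")
    return findings

def build_sample(patched_arm9_load=None):
    """Constructed header, not taken from any real ROM image."""
    hdr = bytearray(0x160)
    hdr[0:12] = b"SAMPLE".ljust(12, b"\0")
    struct.pack_into("<4I", hdr, 0x20, 0x4000, 0x02000800, 0x02000000, 0x1000)
    struct.pack_into("<4I", hdr, 0x30, 0x8000, 0x02380000, 0x02380000, 0x800)
    hdr[0xC0:0x15C] = bytes(range(0x9C))  # stand-in bytes for the logo area
    struct.pack_into("<H", hdr, 0x15C, crc16(hdr[0xC0:0x15C]))
    struct.pack_into("<H", hdr, 0x15E, crc16(hdr[:0x15E]))
    if patched_arm9_load is not None:  # alter the field, leave the CRC stale
        struct.pack_into("<I", hdr, 0x28, patched_arm9_load)
    return bytes(hdr)

if __name__ == "__main__":
    print(check_header(build_sample()))            # clean header
    print(check_header(build_sample(0x08000000)))  # load address in GBA-slot space
```
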
