PassMe 2
In the article about «FlashMe», I wrote about the vicious circle where you needed to buy a PassMe or a special WiFiMe board to install this custom firmware, only to eventually stop using these two devices.
Everything would have been fine, but the main problem came from where no one expected it. Nintendo, releasing later versions of the Nintendo DS, changed the firmware. PassMe and WiFiMe simply stopped working and became obsolete instantly.
Of course, this didn't happen without reason. PassMe was a cool device used by all homebrew developers. But while the device wasn't very popular, Nintendo didn't pay much attention to it. However, when pirates got involved and started releasing ready-made kits for piracy, Nintendo got worried.
One of the first ready-made piracy kits: the SuperPass cartridge together with the SuperCard.
Both PassMe and WiFiMe used the same vulnerability: the address of the game's executable in the cartridge header was replaced with an address inside the GBA flash cartridge's address space. The ARM7 processor then loaded the executable into the console's RAM, and the ARM9 immediately started the game (since game autoload was forcibly enabled). For more details, read the article: «PassMe».
Let's take a closer look at the changes.
Firmware Changes
Nintendo couldn't make deep changes to the console, as it would either make old games incompatible with new consoles or new games incompatible with old consoles. This means that the console's firmware could only be changed within a limited range, and the processors' BIOS couldn't be touched at all. This, in turn, means that other vulnerabilities remained that could be exploited, but more on that later.
To fix the PassMe issue, it was enough to check where the code was being executed from. After the changes, the game's entry point had to lie strictly in the console's RAM, in the address range 2000000h to 227FFFFh. In other words, the new firmware checked that the ARM7 processor's "entrypoint" was not set to 080000C0h (the value set by the first version of PassMe).
The problem is that this solution broke PassMe and WiFiMe but didn't eliminate other security gaps.
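The two ways of checking an entry point described above differ in a way that matters for the rest of this story: rejecting the one value PassMe used (a denylist) leaves every other address outside RAM untouched, while requiring the value to fall inside 2000000h..227FFFFh (an allowlist) does not. The C program below is an added example, not code from the article or from any of the devices it describes; it parses a constructed cartridge header and applies both checks. The header field offsets (ARM9 entry at 24h, ARM7 entry at 34h) are assumed from public header documentation and are not stated on this page; all sample addresses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Main RAM range the updated firmware accepted for an entry point (from the article). */
#define MAIN_RAM_LO 0x02000000u
#define MAIN_RAM_HI 0x0227FFFFu
/* The single value the first PassMe set as the ARM7 entry point (from the article). */
#define PASSME1_ARM7_ENTRY 0x080000C0u

/* Header field offsets, assumed from public header documentation (not on this page). */
#define HDR_ARM9_ENTRY 0x24
#define HDR_ARM7_ENTRY 0x34
#define HDR_SIZE 0x40

/* Read a little-endian 32-bit value from the header bytes. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Denylist check: rejects only the one address PassMe 1 was known to use. */
bool entry_ok_denylist(uint32_t entry) {
    return entry != PASSME1_ARM7_ENTRY;
}

/* Allowlist check: the entry point must lie inside main RAM. */
bool entry_ok_allowlist(uint32_t entry) {
    return entry >= MAIN_RAM_LO && entry <= MAIN_RAM_HI;
}

/* Apply one check to both entry points stored in a header; true only if both pass. */
bool header_entries_ok(const uint8_t *hdr, bool (*check)(uint32_t)) {
    return check(rd32(hdr + HDR_ARM9_ENTRY)) && check(rd32(hdr + HDR_ARM7_ENTRY));
}

/* Build a constructed header with the given entry points; every other byte is zero. */
void make_header(uint8_t *hdr, uint32_t arm9_entry, uint32_t arm7_entry) {
    memset(hdr, 0, HDR_SIZE);
    wr32(hdr + HDR_ARM9_ENTRY, arm9_entry);
    wr32(hdr + HDR_ARM7_ENTRY, arm7_entry);
}

int main(void) {
    /* Three constructed headers: a normal game, PassMe 1, and a header that points
       into GBA cartridge space at an address other than the one PassMe 1 used. */
    struct { const char *name; uint32_t arm9; uint32_t arm7; } cases[] = {
        { "normal game",            0x02000800u, 0x02200000u },
        { "PassMe 1 header",        0x02000800u, PASSME1_ARM7_ENTRY },
        { "other GBA-space address", 0x02000800u, 0x08000100u },
    };
    uint8_t hdr[HDR_SIZE];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        make_header(hdr, cases[i].arm9, cases[i].arm7);
        printf("%-24s denylist=%s allowlist=%s\n", cases[i].name,
               header_entries_ok(hdr, entry_ok_denylist) ? "pass" : "reject",
               header_entries_ok(hdr, entry_ok_allowlist) ? "pass" : "reject");
    }
    return 0;
}
```

The third case is the one to look at: the denylist passes it because the address is not 080000C0h, while the allowlist rejects it because it is not in RAM. That is the general lesson of this firmware change, and of input validation more broadly: checking for the one known-bad value catches the device that exists today, whereas checking for the known-good range covers the variants that have not been built yet.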
All this led to the creation of the PassMe 2 device.
History of PassMe 2
This story begins with posts from users who bought new Nintendo DS consoles and noticed that they no longer worked with PassMe. Complaints started appearing on various forums, but this didn't help find a solution to the situation.
For homebrew developers, the main problem was that they needed to buy a console with the new firmware. And, as you understand, there was no indication on the consoles whether they were new or old. Sellers still had plenty of old consoles in stock.
The first to get a new console was Loopy (the main developer of FlashMe). He managed to get his hands on an iQue DS version. And it was definitely new, as its sales started only on July 23, 2005.
Loopy quickly figured out what had changed in the new firmware. He found a way to bypass the new restrictions using the SRAM of the GBA flash cartridge, with an entry point that stayed within the RAM address range. He even modified his own PassMe and uploaded all the necessary files so that other users could follow the same path.
What did he come up with?
He found an interesting solution related to the SWI interrupt.
So, you turn on the console, and various procedures start, checking the cartridge for authenticity. At some point, while reading the code from the cartridge, the ARM7 processor reaches the first non-zero SWI function.
And here PassMe 2 came into play: it replaced the code that was supposed to run from the SWI function with a non-standard call to the ARM7 processor's BIOS, which switched over to the SRAM and started executing from it. This is where the main substitution took place. The SRAM contained code that told the ARM7 processor to load the game's executable into RAM. From there everything followed the standard scenario: when the ARM7 finished loading, it told the ARM9 processor that everything was fine and it could continue, and the ARM9 started autoloading the game.
But two problems remained:
First, a cartridge with SRAM memory was needed, and they were expensive.
Second, the SWI interrupt was in different places in all original cartridges, and in some places, it simply didn't exist.
The need for a flash cartridge with SRAM memory was a user problem that could be solved with money, something homebrew developers couldn't do anything about. But how to find out where the SWI interrupt was located in each specific game was a big question. Especially considering how many different games users already had.
Natrium42 wrote a program callfinder.ds.gba (despite the .gba extension – it's a DS game) that could be run on an old Nintendo DS using PassMe.
This program tested the game and returned the addresses of the SWI functions. However, not every game used these functions, so sometimes it returned the value 00000000. If all four reported locations had the value 00000000, the game wasn't suitable.
Then DarkFader manually adjusted the code that needed to be flashed onto PassMe for each specific game. On his website, you could see a table with ready-made files.
If there are no files in the right-hand columns (PassMe CPLD and PassMe SRAM), the game is not suitable.
All that was left was to reflash PassMe for a specific game and write the save to the SRAM memory. After that, everything should have worked.
PassMe and PassMe 2 are 99% similar. The main difference is in the firmware. Moreover, if PassMe 1 works with any game, PassMe 2 only works with the game (cartridge) it was originally programmed for.
Epilogue
Nintendo couldn't defeat the homebrew developer community. It didn't even take three months after the release of the Nintendo DS with the new firmware for PassMe 2 to appear. This device became even less convenient than the classic PassMe, but it still performed its functions.
But it can't be said that all this was useless: PassMe and PassMe2 became important milestones in the development of Nintendo DS flash cartridges. The appearance of the NoPass device, which we will discuss in the next article, was just around the corner.