136
edits
Changes
Jump to navigation
Jump to search
mLine 19:
Line 19: − + Line 83:
Line 83: − + + + + + + + + − + + Line 99:
Line 107: − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − +
→SPI flash: Clock polarity and phase.
| 2
| 2
| CLK
| CLK
| Clock. Frequencies 6.7MHz and 4.2MHz, 16.6MHz for SPI communication.
| Clock. Frequencies 6.7MHz and 4.2MHz for DS/DSi gamecards, up to 16.6MHz for 3DS gamecards (for both SPI and ROM transfers).
|-
|-
| 3
| 3
===SPI flash===
===SPI flash===
So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at: http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E,%203V,%201Mb,%20v0.01.pdf. However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip.
Savegame SPI flash transfers use CPOL=1 and CPHA=1. So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at:<br>
http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E%2C%203V%2C%201Mb%2C%20v1.1.pdf?OpenElement <br>
http://www.beilenet.com/download/MX25L1021E,%203V,%201Mb,%20v0.01.pdf (old version mirror) <br>
However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip.
===Format===
Cartridges can come in several sizes and include system updates in a region reserved for this. In ROMs less than 1GB the update region can be found with:
CART_SIZE_MAX-( 0x280000*(CART_SIZE_MAX/CART_SIZE_128MB) )-0x2000000. The region is then 0x2000000 bytes.
===Protocol===
===Protocol===
The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the DS and DSi gamecard communication protocol.
The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the [http://problemkaputt.de/gbatek.htm#dscartridgeprotocol DS and DSi gamecard communication protocol].
After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR.
After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR.
When 16-byte commands are used, the data bus maintains the value 0x00 until the card signals it is ready by clocking a single byte 0x01, followed by the actual data. After each 0x200-byte block of actual data, a 4-byte standard CRC32 of the block data (before encryption) follows.
Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:
Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard:
! Description
! Description
|-
|-
|2000
|<tt>2000</tt>
|9F00000000000000
|<tt>9F00000000000000</tt>
|
|?
| Reset
|Reset
|-
|-
|0000
|<tt>0000</tt>
|71C93FE9BB0A3B18
|<tt>71C93FE9BB0A3B18</tt>
|
|?
| Unknown
|Unknown
|-
|-
|0004
|<tt>0004</tt>
|9000000000000000
|<tt>9000000000000000</tt>
|
|?
| Get gamecard ID, response=9000FEC2
|Get gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|9000000000000000
|<tt>9000000000000000</tt>
|
|?
| Get gamecard ID, response=9000FEC2
| Get gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|A000000000000000
|<tt>A000000000000000</tt>
|
|?
| Unknown, response=00000000
| Unknown, response=00000000
|-
|-
|0000
|<tt>0000</tt>
|3E00000000000000
|<tt>3E00000000000000</tt>
|
|?
| Enter 16-byte command mode.
| Enter 16-byte command mode.
|-
|-
|0200
|<tt>0200</tt>
|82000000000000000000000000000000
|<tt>82000000000000000000000000000000</tt>
|
|?
| Get header
| Get header
|-
|-
|0000
|<tt>0000</tt>
|F32C92D85C9D44DED3E0E41DBE7C90D9
|<tt>F32C92D85C9D44DED3E0E41DBE7C90D9</tt>
|
|<tt>8300000000000000708DF1A731717D0B</tt>
| Encrypted, unknown
| Seed
|-
|-
|0004
|<tt>0004</tt>
|696B9D8582FB55D31B68CAFE70C74A95
|<tt>696B9D8582FB55D31B68CAFE70C74A95</tt>
|
|<tt>A200000000000000708DF1A731717D0B</tt>
| Encrypted, unknown
| Get secured gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|BAA4812CA0AC9C5D19399530E3ACCCAB
|<tt>BAA4812CA0AC9C5D19399530E3ACCCAB</tt>
|A300000000000000708DF1A731717D0B
|<tt>A300000000000000708DF1A731717D0B</tt>
| Unknown
| Unknown
|-
|-
|0000
|<tt>0000</tt>
|178E427C22D87ADB86387249A97D321A
|<tt>178E427C22D87ADB86387249A97D321A</tt>
|C500000000000000708DF1A731717D0B
|<tt>C500000000000000708DF1A731717D0B</tt>
| Unknown
| Unknown
|-
|-
|0004
|<tt>0004</tt>
|E06019B1BD5C9130ED6A4D9F4A9E7193
|<tt>E06019B1BD5C9130ED6A4D9F4A9E7193</tt>
|A200000000000000708DF1A731717D0B
|<tt>A200000000000000708DF1A731717D0B</tt>
| Get secured gamecard ID
| Get secured gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|4E0D224862523BBFE2E6255F80E15F37
|<tt>4E0D224862523BBFE2E6255F80E15F37</tt>
|A200000000000000708DF1A731717D0B
|<tt>A200000000000000708DF1A731717D0B</tt>
| Get secured gamecard ID
| Get secured gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|4CDF93D319FB62D0DB632A45E3E8D84C
|<tt>4CDF93D319FB62D0DB632A45E3E8D84C</tt>
|A200000000000000708DF1A731717D0B
|<tt>A200000000000000708DF1A731717D0B</tt>
| Get secured gamecard ID
| Get secured gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|9AA5D80551002F955546D296A57F0FEF
|<tt>9AA5D80551002F955546D296A57F0FEF</tt>
|A200000000000000708DF1A731717D0B
|<tt>A200000000000000708DF1A731717D0B</tt>
| Get secured gamecard ID
| Get secured gamecard ID, response=9000FEC2
|-
|-
|0004
|<tt>0004</tt>
|C12BA81AEF30DDDBD93FAD5D544C6334
|<tt>C12BA81AEF30DDDBD93FAD5D544C6334</tt>
|A200000000000000708DF1A731717D0B
|<tt>A200000000000000708DF1A731717D0B</tt>
| Get secured gamecard ID
| Get secured gamecard ID, response=9000FEC2
|-
|-
|0200
|<tt>0200</tt>
|62EC5FB7F420AE1DC6253AE18AFA5BB3
|<tt>62EC5FB7F420AE1DC6253AE18AFA5BB3</tt>
|BF000000000000000000000000000000
|<tt>BF000000000000000000000000000000</tt>
| Read address 0
| Read address 0
|-
|-
|0200
|<tt>0200</tt>
|E3FA23AA016BE0C93430D1F42FF41324
|<tt>E3FA23AA016BE0C93430D1F42FF41324</tt>
|BF000000000040000000000000000000
|<tt>BF000000000040000000000000000000</tt>
| Read address 0x4000
| Read address 0x4000
|}
|}