Line 19: |
Line 19: |
| | 2 | | | 2 |
| | CLK | | | CLK |
− | | Clock. Frequencies 6.7MHz and 4.2MHz, 16.6MHz for SPI communication. | + | | Clock. Frequencies 6.7MHz and 4.2MHz for DS/DSi gamecards, up to 16.6MHz for 3DS gamecards (for both SPI and ROM transfers). |
| |- | | |- |
| | 3 | | | 3 |
Line 83: |
Line 83: |
| | | |
| ===SPI flash=== | | ===SPI flash=== |
− | So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at: http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E,%203V,%201Mb,%20v0.01.pdf. However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip. | + | Savegame SPI flash transfers use CPOL=1 and CPHA=1. So far, only one savegame FLASH chip has been identified. The chip identifies as a 0xC22211. The JEDEC manufacturer ID is Macronix, and despite the chip label saying 25L1001, the JEDEC ID matches the MX25L1021E. Datasheet at:<br> |
| + | http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/3F21BAC2E121E17848257639003A3146/$File/MX25L1021E%2C%203V%2C%201Mb%2C%20v1.1.pdf?OpenElement <br> |
| + | http://www.beilenet.com/download/MX25L1021E,%203V,%201Mb,%20v0.01.pdf (old version mirror) <br> |
| + | However, the MX25L1021E doesn't support the 4 bit wide transmission that the 3DS uses to talk to the SPI flash. It is thus likely that this is a custom flash chip. |
| + | |
| + | ===Format=== |
| + | Cartridges can come in several sizes and include system updates in a region reserved for this. In ROMs less than 1GB the update region can be found with: |
| + | CART_SIZE_MAX-( 0x280000*(CART_SIZE_MAX/CART_SIZE_128MB) )-0x2000000. The region is then 0x2000000 bytes. |
| | | |
| ===Protocol=== | | ===Protocol=== |
− | The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the DS and DSi gamecard communication protocol. | + | The communication protocol between the 3DS system and the 3DS gamecard has changed almost completely in comparison with the [http://problemkaputt.de/gbatek.htm#dscartridgeprotocol DS and DSi gamecard communication protocol]. |
| | | |
| After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR. | | After the sixth transfer, commands change size from 8 bytes to 16 bytes. Possibly a new encryption is used, such as AES CTR. |
| + | When 16-byte commands are used, the data bus maintains the value 0x00 until the card signals it is ready by clocking a single byte 0x01, followed by the actual data. After each 0x200-byte block of actual data, a 4-byte standard CRC32 of the block data (before encryption) follows. |
| | | |
| Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard: | | Here's a set of sample gamecard commands that a 3DS sends to a 3DS gamecard: |
Line 99: |
Line 107: |
| ! Description | | ! Description |
| |- | | |- |
− | |2000 | + | |<tt>2000</tt> |
− | |9F00000000000000 | + | |<tt>9F00000000000000</tt> |
− | | | + | |? |
− | | Reset | + | |Reset |
| |- | | |- |
− | |0000 | + | |<tt>0000</tt> |
− | |71C93FE9BB0A3B18 | + | |<tt>71C93FE9BB0A3B18</tt> |
− | | | + | |? |
− | | Unknown | + | |Unknown |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |9000000000000000 | + | |<tt>9000000000000000</tt> |
− | | | + | |? |
− | | Get gamecard ID, response=9000FEC2 | + | |Get gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |9000000000000000 | + | |<tt>9000000000000000</tt> |
− | | | + | |? |
| | Get gamecard ID, response=9000FEC2 | | | Get gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |A000000000000000 | + | |<tt>A000000000000000</tt> |
− | | | + | |? |
| | Unknown, response=00000000 | | | Unknown, response=00000000 |
| |- | | |- |
− | |0000 | + | |<tt>0000</tt> |
− | |3E00000000000000 | + | |<tt>3E00000000000000</tt> |
− | | | + | |? |
| | Enter 16-byte command mode. | | | Enter 16-byte command mode. |
| |- | | |- |
− | |0200 | + | |<tt>0200</tt> |
− | |82000000000000000000000000000000 | + | |<tt>82000000000000000000000000000000</tt> |
− | | | + | |? |
| | Get header | | | Get header |
| |- | | |- |
− | |0000 | + | |<tt>0000</tt> |
− | |F32C92D85C9D44DED3E0E41DBE7C90D9 | + | |<tt>F32C92D85C9D44DED3E0E41DBE7C90D9</tt> |
− | | | + | |<tt>8300000000000000708DF1A731717D0B</tt> |
− | | Encrypted, unknown | + | | Seed |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |696B9D8582FB55D31B68CAFE70C74A95 | + | |<tt>696B9D8582FB55D31B68CAFE70C74A95</tt> |
− | | | + | |<tt>A200000000000000708DF1A731717D0B</tt> |
− | | Encrypted, unknown | + | | Get secured gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |BAA4812CA0AC9C5D19399530E3ACCCAB | + | |<tt>BAA4812CA0AC9C5D19399530E3ACCCAB</tt> |
− | |A300000000000000708DF1A731717D0B | + | |<tt>A300000000000000708DF1A731717D0B</tt> |
| | Unknown | | | Unknown |
| |- | | |- |
− | |0000 | + | |<tt>0000</tt> |
− | |178E427C22D87ADB86387249A97D321A | + | |<tt>178E427C22D87ADB86387249A97D321A</tt> |
− | |C500000000000000708DF1A731717D0B | + | |<tt>C500000000000000708DF1A731717D0B</tt> |
| | Unknown | | | Unknown |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |E06019B1BD5C9130ED6A4D9F4A9E7193 | + | |<tt>E06019B1BD5C9130ED6A4D9F4A9E7193</tt> |
− | |A200000000000000708DF1A731717D0B | + | |<tt>A200000000000000708DF1A731717D0B</tt> |
− | | Get secured gamecard ID | + | | Get secured gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |4E0D224862523BBFE2E6255F80E15F37 | + | |<tt>4E0D224862523BBFE2E6255F80E15F37</tt> |
− | |A200000000000000708DF1A731717D0B | + | |<tt>A200000000000000708DF1A731717D0B</tt> |
− | | Get secured gamecard ID | + | | Get secured gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |4CDF93D319FB62D0DB632A45E3E8D84C | + | |<tt>4CDF93D319FB62D0DB632A45E3E8D84C</tt> |
− | |A200000000000000708DF1A731717D0B | + | |<tt>A200000000000000708DF1A731717D0B</tt> |
− | | Get secured gamecard ID | + | | Get secured gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |9AA5D80551002F955546D296A57F0FEF | + | |<tt>9AA5D80551002F955546D296A57F0FEF</tt> |
− | |A200000000000000708DF1A731717D0B | + | |<tt>A200000000000000708DF1A731717D0B</tt> |
− | | Get secured gamecard ID | + | | Get secured gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0004 | + | |<tt>0004</tt> |
− | |C12BA81AEF30DDDBD93FAD5D544C6334 | + | |<tt>C12BA81AEF30DDDBD93FAD5D544C6334</tt> |
− | |A200000000000000708DF1A731717D0B | + | |<tt>A200000000000000708DF1A731717D0B</tt> |
− | | Get secured gamecard ID | + | | Get secured gamecard ID, response=9000FEC2 |
| |- | | |- |
− | |0200 | + | |<tt>0200</tt> |
− | |62EC5FB7F420AE1DC6253AE18AFA5BB3 | + | |<tt>62EC5FB7F420AE1DC6253AE18AFA5BB3</tt> |
− | |BF000000000000000000000000000000 | + | |<tt>BF000000000000000000000000000000</tt> |
| | Read address 0 | | | Read address 0 |
| |- | | |- |
− | |0200 | + | |<tt>0200</tt> |
− | |E3FA23AA016BE0C93430D1F42FF41324 | + | |<tt>E3FA23AA016BE0C93430D1F42FF41324</tt> |
− | |BF000000000040000000000000000000 | + | |<tt>BF000000000040000000000000000000</tt> |
| | Read address 0x4000 | | | Read address 0x4000 |
| |} | | |} |