NDS/Passthrough
From Dev-Scene
[edit] Passthrough Device
A Passthrough Device allows the running of homebrew code on the Nintendo DS. The current series of passthrough devices allow booting of custom code by exploiting the DS card port, tricking the DS to boot from the traditional GBA cartridge port.
The passthrough technique is required due to encryption used while loading code on the DS. The encryption is not fully understood and so far cannot be completely bypassed.
[edit] Tricking the DS - A short history lesson
The DS can play DS games from the DS slot and GBA games from the GBA slot. Normally, it is not possible to play DS software from the GBA slot. Normally, I say :-) There are no flashable DS Cartridges yet but several Flash Carts for the GBA that can also be used in the DS. And this is where it starts.
[edit] The PassMe - The device that started it all
Natrium42 and DarkFader thought it would be cool if you could somehow trick the DS into running DS code from the GBA slot, thus enabling DS homebrew to be stored on GBA flash carts. They reverse engineered the communication protocol between the DS and the DS Cartridges and found out that the DS Cartridge tells the DS the address where the beginning of the code is stored on the card. Then the DS jumps to this position and executes that code. The idea of PassMe, a device that sits between the DS and the cartridge, is to basically pass through all communications between the DS and the cartridge until the execution pointer is sent to the DS. This pointer is replaced by the address of the GBA slot, so that the DS starts the code from there instead of from the DS cartridge.
[edit] WifiMe - The Wireless PassMe
The DS has the possibility to download game demos using the integrated WiFi capabilities. It uses a custom network protocol (NiFi) made by Nintendo that is incompatible to TCP/IP. Firefly has reverse engineered this protocol and figured out how to emulate a DS download station using a special kind of WLAN Adapter, a customized driver for it, and an application he called WMB (Wireless Multiboot). Using this, it is possible to send software to the DS, but still with one major problem: The software has to be digitally signed by Nintendo. Faking such a signature is close to impossible because a 1024 bit RSA signature is just not that easy to guess. But Firefly had another idea how to work around this problem which was similar to the idea of the PassMe: Like the hardware game cartridges, the game binaries that are sent via WiFi contain a pointer to the beginning of the code, two pointers to be precise. One of them is signed and thus cannot be changed as this would invalidate the binary, but the other pointer is not signed. So, Firefly modified a game dump that was signed by Nintendo (the Mario 64 DS multiplayer binary) and set the unsigned pointer to the address of the GBA slot. This modified binary, known as WifiMe, now accomplishes the same as PassMe. You download it to your DS using Firefly's WMB and it runs code that is stored on a GBA cartridge.
WifiMe does not work with a DS with new firmware.
[edit] FlashMe - Voiding the warranty
PassMe and WifiMe are pretty cool, but require either custom-made hardware or a special WLAN adapter and also a GBA flash cart. Loopy created a modified version of the DS firmware that just does not check for the Nintendo signature of a game from an inserted DS Cartridge or that is downloaded via WiFi. This makes it possible to run code from an inserted GBA Flash-Cartridge without having to use PassMe or WifiMe. Also, custom code can be sent to the DS via Firefly's WMB. But to install FlashMe, you must already have the possibility to run homebrew code, so either PassMe or WifiMe is required. Also, FlashMe of course voids your warranty and although the process is rather easy, it is a little risky.The FlashMe is something that should not be done unless you are CERTAIN that you know what you are doing. Otherwise you can seriously mess up your DS.
[edit] The new DS Firmware - Nintendo strikes back
Because the tools developed by the homebrew community were starting to get used by software pirates to illegally play dumped DS games, Nintendo was forced to improve the protection of the DS. So, starting with the Chinese iQue DS, the DS units were shipped with a new firmware that no longer uses the unsigned pointer of a downloaded binary, but the signed pointer that cannot be changed. For games played from cart, it also rejects pointers that go to the GBA slot, or the header of the game. Loopy found out how to work around this protection and still run homebrew code with the new firmware, but the method requires PassMe to be programmed to a specific DS game and it also requires a GBA flash cart that has SRAM (i.e. memory for game saves). This is not the case with some compact flash adapters for the GBA slot like the GBAMP. So, people with the new firmware have to buy (or build) a PassMe2 programmed for a DS game they have.
[edit] NoPass - A PassMe without the PassMe
When the homebrew scene found out how the DS's cartridge encryption worked, it was (in theory, at least) possible to make their own DS cartridges that behave exactly like DS games and could thus be used even on unmodified DSes. Using this method, it was also possible to build an alternative for PassME, called NoPass, which is just a DS cartridge that tells the DS to run code from the GBA slot. They do the same as PassME, but NoPass devices do not stick out of the DS and are compatible with old and new firmware DSes (i.e. also with the DS Lite).