Kodewerx


All times are UTC - 8 hours [ DST ]




PostPosted: Mon Jun 08, 2009 7:12 pm 
Kommunist

Joined: Mon Jun 08, 2009 7:07 pm
Posts: 9
Title: Tyler
Trying to access data from the MicroSD inside the R4 directly, without using libfat.

It appears that the card is accepting commands, and responding, but no data is being read... help?
Code:
@ ------------------------------------------------------------------------------
@  card.s - Talks to the R4.
@
@  See function for parameters and list of destroyed registers.
@ ------------------------------------------------------------------------------



@ ------------------------------------------------------------------------------
@  Global declarations
@ ------------------------------------------------------------------------------
.global _card_write_command
.global _card_read_data



@ ------------------------------------------------------------------------------
@  Sends a command to the DS card.
@
@  r0 - Command
@  r1 - Address
@  r2 - Flags
@
@  Destroys r4-r5
@ ------------------------------------------------------------------------------
_card_write_command:
   mov   r4, #0x04000001                 @ Prepare to write to card
   add   r4, r4, #0x1A0
   mov   r5, #(0x0080 | 0x0040)
   strb   r5, [r4, #0x00]

   strb   r0, [r4, #0x07]                 @ Write the command and address
   mov   r5, r1, lsr #24         @ while accounting for the
   strb   r5, [r4, #0x09]                 @ endian-ness of the card reader
   mov   r5, r1, lsr #16
   strb   r5, [r4, #0x0B]
   mov   r5, r1, lsr #8
   strb   r5, [r4, #0x0D]
   mov   r5, r1, lsr #0
   strb   r5, [r4, #0x0F]

   str   r2, [r4, #0x03]                 @ Write card control flags

_card_write_command_wait:
   ldr   r5, [r4, #0x03]         @ Check card control register
   ands   r5, r5, #(1 << 23)              @ to see if we can proceed
   beq   _card_write_command_wait

   mov   pc, lr



@ ------------------------------------------------------------------------------
@  Reads from the DS (R4) card by sending commands to it.
@
@  r1 - Address
@  r6 - Destination
@  r7 - Length
@
@  Destroys r4-r6
@ ------------------------------------------------------------------------------
_card_read_data:
   mov   r8, lr

   mov   r0, #0xB9                       @ Write commands and flags
   ldr   r2, =0xa7586000
   bl   _card_write_command

   mov   r0, #0xBA                       @ Write commands and flags
   ldr   r2, =0xa1586000                 @ Undocumented values... not
   bl   _card_write_command             @ sure what they do...

   mov   r4, #0x04000001                 @ Prepare to write to card
   add   r4, r4, #0x1A0
   str   r2, [r4, #0x03]                 @ Write card control flags

_card_read_data_loop:
   mov   r4, #0x4000001                  @ Check card control register
   add   r4, r4, #0x1A0                  @ to see if the card is ready
   ldr   r5, [r4, #0x03]                 @ for us to read data
   ands   r5, r5, #(1 << 23)
   beq   _card_read_data_wait

   mov   r4, #0x04100000                 @ Card is ready, copy data
   ldr   r5, [r4, #0x10]                 @ to the destination location
   str   r5, [r6, #4]!

   subs   r7, r7, #4
   beq   _card_read_data_done

_card_read_data_wait:
   mov   r4, #0x4000001                  @ Check card control register
   add   r4, r4, #0x1A0                  @ to see if the card is still
   ldr   r5, [r4, #0x03]                 @ busy... if not, we're done
   ands   r5, r5, #(1 << 31)
   bne   _card_read_data_loop

_card_read_data_done:
   mov   pc, r8



PostPosted: Mon Jun 08, 2009 9:41 pm 
Krew (Admin)

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3765
Title: All in a day's work.
That's some fairly nice source. I haven't looked over it, and I'm unfamiliar with R4 hardware. I have plenty of experience with NDS development and pirate devices for it, and I dislike them all because of it. If they worked like proper NDS cards, I wouldn't have any problem with it.

</rant>

_________________
I have to return some video tapes.

Feed me a stray cat.


PostPosted: Mon Jun 08, 2009 10:00 pm 
Kommunist

Joined: Mon Jun 08, 2009 7:07 pm
Posts: 9
Title: Tyler
Parasyte wrote:
That's some fairly nice source. I haven't looked over it, and I'm unfamiliar with R4 hardware. I have plenty of experience with NDS development and pirate devices for it, and I dislike them all because of it. If they worked like proper NDS cards, I wouldn't have any problem with it.

</rant>


Thanks.

Yeah, I hear ya... not a fan of all the various cards and various methods of reading/writing/whatnot out there... if they all had a similar method of reading and writing, I probably wouldn't be struggling as much as I am now.


PostPosted: Tue Jun 09, 2009 8:42 am 
Kommunist

Joined: Mon Jun 08, 2009 7:07 pm
Posts: 9
Title: Tyler
I think I actually pulled a miracle, and got it to work. I'll post the not-so-messy code later if that's the case.

I ripped the first 64 bytes of the MicroSD card (or at least, I think that's what I ripped :D), which I'm assuming is the FAT32 header, no?

Anyways, here's what I got for the 64 bytes...
Code:
0000:0000 - 00000008
0000:0004 - 00010000
0000:0008 - 00000000
0000:000C - 00000000
0000:0010 - 00000000
0000:0014 - 00A8FE60
0000:0018 - 31D241A0
0000:001C - 9CFF1F0D
0000:0020 - 39E16F00
0000:0024 - 2D364CD1
0000:0028 - 9FC96C8C
0000:002C - 0240634D
0000:0030 - 1011A440
0000:0034 - 34DFF0AC
0000:0038 - FD941020
0000:003C - 3B0032DF

ASCII representation: ¨þ`1ÒA �ÿ
9áo-6LÑ�Él�@cM¤@4ßð¬ý� ;2ß


Never mind. It doesn't work. Regardless of what start address I supply, I always get the same 64b of data.


PostPosted: Tue Jun 09, 2009 6:35 pm 
Krew (Admin)

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3765
Title: All in a day's work.
The first 512-byte block from the SD card will be the MBR (Master Boot Record) which is very well documented. The "MBR signature" at the end of the block is the tell-tale sign that you have what you want (but not entirely foolproof!)

_________________
I have to return some video tapes.

Feed me a stray cat.
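
The signature test from the post above, written out as an added example (not code from the thread): it also inspects the partition table, because a FAT boot sector placed directly in sector 0 ends with the same 0x55 0xAA bytes. Function names and both sample sectors are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sector_kind { SECTOR_UNKNOWN, SECTOR_MBR, SECTOR_FAT_VBR };
static uint32_t le32(const uint8_t *p) {   /* unaligned little-endian read */
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify sector 0. Heuristic: 0x55 0xAA also ends a FAT boot sector. */
enum sector_kind classify_sector0(const uint8_t *s) {
    if (s[510] != 0x55 || s[511] != 0xAA) return SECTOR_UNKNOWN;
    /* FAT boot sector: x86 jump at offset 0, sane bytes-per-sector at 11. */
    unsigned bps = s[11] | ((unsigned)s[12] << 8);
    int jump = (s[0] == 0xEB && s[2] == 0x90) || s[0] == 0xE9;
    if (jump && (bps == 512 || bps == 1024 || bps == 2048 || bps == 4096))
        return SECTOR_FAT_VBR;
    /* MBR: four 16-byte partition entries starting at offset 446. */
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = s + 446 + 16 * i;
        if (e[0] != 0x00 && e[0] != 0x80) return SECTOR_UNKNOWN; /* status */
        if (e[4] == 0x00) continue;              /* type 0x00: unused entry */
        if (!le32(e + 8) || !le32(e + 12)) return SECTOR_UNKNOWN; /* LBA, len */
        used++;
    }
    return used ? SECTOR_MBR : SECTOR_UNKNOWN;
}

/* Constructed sample: MBR with one FAT32 (type 0x0B) partition at LBA 8192. */
void make_sample_mbr(uint8_t *s) {
    memset(s, 0, 512);
    s[446] = 0x80; s[450] = 0x0B;   /* bootable, type FAT32 */
    s[455] = 0x20; s[460] = 0x20;   /* start LBA 0x2000, length 0x200000 */
    s[510] = 0x55; s[511] = 0xAA;
}

/* Constructed sample: FAT boot sector in sector 0 (card with no MBR). */
void make_sample_vbr(uint8_t *s) {
    memset(s, 0, 512);
    s[0] = 0xEB; s[1] = 0x58; s[2] = 0x90; s[12] = 0x02;  /* jump, bps 512 */
    s[510] = 0x55; s[511] = 0xAA;
}

int main(void) {
    uint8_t s[512];
    make_sample_mbr(s); printf("MBR sample: %d\n", classify_sector0(s));
    make_sample_vbr(s); printf("VBR sample: %d\n", classify_sector0(s));
    return 0;
}
```

A sector that carries the signature but fails both checks comes back as `SECTOR_UNKNOWN`, which is the case to suspect when every read returns the same bytes.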


PostPosted: Tue Jun 09, 2009 8:59 pm 
Kommunist

Joined: Mon Jun 08, 2009 7:07 pm
Posts: 9
Title: Tyler
Ah, I suppose you would be right. Either way, I've put so many hours into this simple thing and it won't work...

I need documentation.

What frustrates me is that I'm so close... I'm able to write commands to the card okay, at least, I think I am because the check for the R4 does not pass on the emulator, but it does on real hardware. Also, when I try to read in a long stream of data, all I get is zeroed out data... however, when I pull out the cart, about a quarter of a second later I get all sorts of quirky, random output.

I just don't understand why I'm getting zeroes instead of actual data :(


PostPosted: Thu Jun 18, 2009 3:29 am 
Kommunist

Joined: Thu Aug 07, 2008 8:43 pm
Posts: 1
Quote:
strb r5, [r4, #0x09] @ endian-ness of the card reader
mov r5, r1, lsr #16
strb r5, [r4, #0x0B]
mov r5, r1, lsr #8
strb r5, [r4, #0x0D]
mov r5, r1, lsr #0
strb r5, [r4, #0x0F]

Shouldn't those be #0x08, #0x09, #0x0A and #0x0B?


PostPosted: Thu Jun 18, 2009 12:24 pm 
Kommunist

Joined: Mon Jun 08, 2009 7:07 pm
Posts: 9
Title: Tyler
Matty123 wrote:
Quote:
strb r5, [r4, #0x09] @ endian-ness of the card reader
mov r5, r1, lsr #16
strb r5, [r4, #0x0B]
mov r5, r1, lsr #8
strb r5, [r4, #0x0D]
mov r5, r1, lsr #0
strb r5, [r4, #0x0F]

Shouldn't those be #0x08, #0x09, #0x0A and #0x0B?


There were a whole lot of problems with the source, and that was one of them. A user on the boards "kenobi" figured it out... I haven't gotten it to exactly work on my end yet but I'll be sure to post a solution when I get it :D


PostPosted: Fri Jun 19, 2009 2:30 pm 
Kommunist

Joined: Mon Jun 08, 2009 7:07 pm
Posts: 9
Title: Tyler
Tyler24 wrote:
Trying to access data from the MicroSD inside the R4 directly, without using libfat.

It appears that the card is accepting commands, and responding, but no data is being read... help?
Code:
@ ------------------------------------------------------------------------------
@  card.s - Talks to the R4.
@
@  See function for parameters and list of destroyed registers.
@ ------------------------------------------------------------------------------



@ ------------------------------------------------------------------------------
@  Global declarations
@ ------------------------------------------------------------------------------
.global _card_write_command
.global _card_read_data



@ ------------------------------------------------------------------------------
@  Sends a command to the DS card.
@
@  r0 - Command
@  r1 - Address
@  r2 - Flags
@
@  Destroys r4-r5
@ ------------------------------------------------------------------------------
_card_write_command:
   mov   r4, #0x04000001                 @ Prepare to write to card
   add   r4, r4, #0x1A0
   mov   r5, #(0x0080 | 0x0040)
   strb   r5, [r4, #0x00]

   strb   r0, [r4, #0x07]                 @ Write the command and address
   mov   r5, r1, lsr #24         @ while accounting for the
   strb   r5, [r4, #0x09]                 @ endian-ness of the card reader
   mov   r5, r1, lsr #16
   strb   r5, [r4, #0x0B]
   mov   r5, r1, lsr #8
   strb   r5, [r4, #0x0D]
   mov   r5, r1, lsr #0
   strb   r5, [r4, #0x0F]

   str   r2, [r4, #0x03]                 @ Write card control flags

_card_write_command_wait:
   ldr   r5, [r4, #0x03]         @ Check card control register
   ands   r5, r5, #(1 << 23)              @ to see if we can proceed
   beq   _card_write_command_wait

   mov   pc, lr



@ ------------------------------------------------------------------------------
@  Reads from the DS (R4) card by sending commands to it.
@
@  r1 - Address
@  r6 - Destination
@  r7 - Length
@
@  Destroys r4-r6
@ ------------------------------------------------------------------------------
_card_read_data:
   mov   r8, lr

   mov   r0, #0xB9                       @ Write commands and flags
   ldr   r2, =0xa7586000
   bl   _card_write_command

   mov   r0, #0xBA                       @ Write commands and flags
   ldr   r2, =0xa1586000                 @ Undocumented values... not
   bl   _card_write_command             @ sure what they do...

   mov   r4, #0x04000001                 @ Prepare to write to card
   add   r4, r4, #0x1A0
   str   r2, [r4, #0x03]                 @ Write card control flags

_card_read_data_loop:
   mov   r4, #0x4000001                  @ Check card control register
   add   r4, r4, #0x1A0                  @ to see if the card is ready
   ldr   r5, [r4, #0x03]                 @ for us to read data
   ands   r5, r5, #(1 << 23)
   beq   _card_read_data_wait

   mov   r4, #0x04100000                 @ Card is ready, copy data
   ldr   r5, [r4, #0x10]                 @ to the destination location
   str   r5, [r6, #4]!

   subs   r7, r7, #4
   beq   _card_read_data_done

_card_read_data_wait:
   mov   r4, #0x4000001                  @ Check card control register
   add   r4, r4, #0x1A0                  @ to see if the card is still
   ldr   r5, [r4, #0x03]                 @ busy... if not, we're done
   ands   r5, r5, #(1 << 31)
   bne   _card_read_data_loop

_card_read_data_done:
   mov   pc, r8



Kenobi found the bugs, and after a lot of debugging and hex editing figured it out!

In my _card_write_command implementation, I write the bits in the wrong order. I write the command, the address, and then some zero bytes, when in reality it should be some zero bytes, the address, and then the command. I also screwed up when writing to CARD_CR1H (0x040001A1)... one needs to load from 0x040001A0, load a half word and perform a logical OR with the data at the location with 0x0C00.

Apparently, for some weird reason, Kenobi reports that he needs to add a 0x1FE00 offset when addressing data... that is, if he wants data at card address 0x0, he needs to tell the program to read from 0x1FE00. On the other hand, I don't need an offset. When I want to read from 0x18000000, I simply tell the program to read from that address. I don't think the DS's card encryption is playing a role here... but it is a possibility... I tested at a much higher address than Kenobi did because most of the data in the beginning of my card is zeroed out for some reason.

