Organized code more

Now the link-specific stuff is abstracted into its own file, and the
code for negotiating the "different" multiboot protocol is in its own
file. Also, removed support for compiling for GC because eventually we
will be using Wii-only features. Also put the main extractor code into a
thread so that we can monitor for the user pressing the start button to
exit.

5 files changed, 550 insertions, 471 deletions

@@ -5,18 +5,159 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 #include "link.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
 
-u32 waitForButtons(u32 mask)
+//from my tests 50us seems to be the lowest
+//safe si transfer delay in between calls
+#define SI_TRANS_DELAY 50
+
+static u8* resbuf;
+static u8* cmdbuf;
+
+void initLink()
+{
+  cmdbuf = memalign(32,32);
+  resbuf = memalign(32,32);
+}
+
+static volatile u32 transval = 0;
+void transcb(s32 chan, u32 ret)
+{
+  transval = 1;
+}
+
+static volatile u32 resval = 0;
+void acb(s32 res, u32 val)
+{
+  resval = val;
+}
+
+void doreset()
+{
+  cmdbuf[0] = 0xFF; //reset
+  transval = 0;
+  SI_Transfer(1, cmdbuf, 1, resbuf, 3, transcb, SI_TRANS_DELAY);
+
+  while (transval == 0);
+}
+
+void getstatus()
 {
-  for (;;)
+  cmdbuf[0] = 0; //status
+  transval = 0;
+  SI_Transfer(1, cmdbuf, 1, resbuf, 3, transcb, SI_TRANS_DELAY);
+
+  while (transval == 0);
+}
+
+u32 recv()
+{
+  memset(resbuf,0,32);
+  cmdbuf[0]=0x14; //read
+  transval = 0;
+  SI_Transfer(1, cmdbuf, 1, resbuf, 5, transcb, SI_TRANS_DELAY);
+
+  while (transval == 0);
+  printf("%08lx\n", *(vu32*)resbuf);
+  return *(vu32*)resbuf;
+}
+
+void send(u32 msg)
+{
+  cmdbuf[0] = 0x15;
+  cmdbuf[1] = (msg >> 0) & 0xFF;
+  cmdbuf[2] = (msg >> 8) & 0xFF;
+  cmdbuf[3] = (msg >> 16) & 0xFF;
+  cmdbuf[4] = (msg >> 24) & 0xFF;
+
+  transval = 0;
+  resbuf[0] = 0;
+  SI_Transfer(1, cmdbuf, 5, resbuf, 1, transcb, SI_TRANS_DELAY);
+
+  while (transval == 0);
+}
+
+u32 getMsg()
+{
+  u32 val = 0;
+  while (val == 0)
   {
-    PAD_ScanPads();
-    VIDEO_WaitVSync();
+    val = __builtin_bswap32(recv());
+    sleep(1);
+  }
 
-    u32 btns = PAD_ButtonsDown(0);
-    if (btns & mask)
+  send(0);
+  while (recv()!=0) {sleep(1);}
+  send(0);
+
+  return val;
+}
+
+void getMsgArr(u32* arr, int len)
+{
+  for (int i=0; i<len; i++)
+  {
+    *(vu32*)(arr+i) = __builtin_bswap32(recv());
+    usleep(500000);
+  }
+}
+
+void sendMsg(u32 msg)
+{
+  while (recv()==0) {sleep(1);}
+  send(msg);
+  while (recv()!=0) {sleep(1);}
+  send(0);
+}
+
+void waitForGBA()
+{
+  resval = 0;
+
+  do
+  {
+    SI_GetTypeAsync(1, acb);
+
+    for (;;)
     {
-      return btns;
+      if (resval)
+      {
+        if (resval == 0x80 || resval & 8)
+        {
+          resval = 0;
+          SI_GetTypeAsync(1, acb);
+        } else if (resval)
+        {
+          break;
+        }
+      }
     }
-  }
+  } while (!(resval & SI_GBA));
+}
+
+void waitForBIOS()
+{
+  resbuf[2]=0;
+
+  do
+  {
+    doreset();
+  } while (!(resbuf[1] > 4));
+}
+
+void waitForGame()
+{
+  do
+  {
+    doreset();
+  } while ((resbuf[0] != 0) || !(resbuf[2] & 0x10));
+}
+
+void waitForAck()
+{
+  while (recv() != 0) {sleep(1);};
+  send(0);
 }
@@ -9,6 +9,18 @@
 
 #include <gccore.h>
 
-u32 waitForButtons(u32 mask);
+void initLink();
+
+u32 recv();
+void send(u32 msg);
+
+u32 getMsg();
+void getMsgArr(u32* arr, int len);
+void sendMsg(u32 msg);
+
+void waitForGBA();
+void waitForBIOS();
+void waitForGame();
+void waitForAck();
 
 #endif
@@ -10,17 +10,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
-#include <malloc.h>
 #include "link.h"
 #include "encoding.h"
-
-//from my tests 50us seems to be the lowest
-//safe si transfer delay in between calls
-#define SI_TRANS_DELAY 50
-
-extern u8 gba_mb_gba[];
-extern u32 gba_mb_gba_size;
+#include "multiboot.h"
 
 void printmain()
 {
@@ -31,91 +23,27 @@ void printmain()
   printf("Based on GBA Link Cable Dumper v1.6 by FIX94\n");
 }
 
-u8 *resbuf,*cmdbuf;
-
-volatile u32 transval = 0;
-void transcb(s32 chan, u32 ret)
-{
-  transval = 1;
-}
-
-volatile u32 resval = 0;
-void acb(s32 res, u32 val)
-{
-  resval = val;
-}
-
-unsigned int docrc(u32 crc,u32 val)
-{
-  u32 result;
-
-  result = val ^ crc;
-  for (int i = 0; i < 0x20; i++)
-  {
-    if (result & 1)
-    {
-      result >>= 1;
-      result ^= 0xA1C1;
-    } else {
-      result >>= 1;
-    }
-  }
-
-  return result;
-}
-
-void doreset()
-{
-  cmdbuf[0] = 0xFF; //reset
-  transval = 0;
-  SI_Transfer(1, cmdbuf, 1, resbuf, 3, transcb, SI_TRANS_DELAY);
-
-  while (transval == 0);
-}
-
-void getstatus()
-{
-  cmdbuf[0] = 0; //status
-  transval = 0;
-  SI_Transfer(1, cmdbuf, 1, resbuf, 3, transcb, SI_TRANS_DELAY);
-
-  while (transval == 0);
-}
-
 void endproc()
 {
-  doreset();
   printf("Start pressed, exit\n");
   VIDEO_WaitVSync();
   VIDEO_WaitVSync();
   exit(0);
 }
 
-u32 recv()
-{
-  memset(resbuf,0,32);
-  cmdbuf[0]=0x14; //read
-  transval = 0;
-  SI_Transfer(1, cmdbuf, 1, resbuf, 5, transcb, SI_TRANS_DELAY);
-
-  while (transval == 0);
-  printf("%08lx\n", *(vu32*)resbuf);
-  return *(vu32*)resbuf;
-}
-
-void send(u32 msg)
+u32 waitForButtons(u32 mask)
 {
-  cmdbuf[0] = 0x15;
-  cmdbuf[1] = (msg >> 0) & 0xFF;
-  cmdbuf[2] = (msg >> 8) & 0xFF;
-  cmdbuf[3] = (msg >> 16) & 0xFF;
-  cmdbuf[4] = (msg >> 24) & 0xFF;
-
-  transval = 0;
-  resbuf[0] = 0;
-  SI_Transfer(1, cmdbuf, 5, resbuf, 1, transcb, SI_TRANS_DELAY);
+  for (;;)
+  {
+    PAD_ScanPads();
+    VIDEO_WaitVSync();
 
-  while (transval == 0);
+    u32 btns = PAD_ButtonsDown(0);
+    if (btns & mask)
+    {
+      return btns;
+    }
+  }
 }
 
 void warnError(char *msg)
@@ -135,132 +63,148 @@ void fatalError(char *msg)
   exit(0);
 }
 
-u32 genKeyA()
+void* extractor(void* userdata)
 {
-  u32 retries = 0;
-
   for (;;)
   {
-    u32 key = 0;
+    printmain();
 
-    if (retries > 32)
-    {
-      key = 0xDD654321;
-    } else {
-      key = (rand() & 0x00ffffff) | 0xDD000000;
-    }
+    printf("Press A when GBA is plugged in and turned off.\n");
+    waitForButtons(PAD_BUTTON_A);
+
+    printf("Turn on your GBA.\n");
+    printf("Waiting for a GBA in port 2...\n");
+    waitForGBA();
 
-    u32 unk = (key % 2 != 0);
-    u32 v12 = key;
-    for (u32 v13 = 1; v13 < 32; v13++)
+    printf("GBA Found! Sending multiboot image...\n");
+    if (!sendMultibootImage())
     {
-      v12 >>= 1;
-      unk += (v12 % 2 != 0);
+      warnError("Failed sending multiboot image.\n");
+
+      continue;
     }
 
-    if ((unk >= 10 && unk <= 24))
+    printf("Waiting for GBA...\n");
+    waitForAck();
+
+    VIDEO_WaitVSync();
+
+    // Get game
+    // -1 - unsupported game
+    //  1 - Ruby
+    //  2 - Sapphire
+    //  3 - FireRed
+    //  4 - LeafGreen
+    //  5 - Emerald
+    u32 gameId = getMsg();
+    if (gameId == -1)
     {
-      if (retries > 4)
-      {
-        printf("KeyA retries = %ld", retries);
-      }
+      warnError("ERROR: Unsupported GBA game inserted!\n");
 
-      printf("KeyA = 0x%08lx\n", key);
+      continue;
+    }
 
-      return key;
+    printf("\nPokemon ");
+    switch (gameId)
+    {
+      case 1: printf("Ruby"); break;
+      case 2: printf("Sapphire"); break;
+      case 3: printf("FireRed"); break;
+      case 4: printf("LeafGreen"); break;
+      case 5: printf("Emerald"); break;
     }
 
-    retries++;
-  }
-}
+    printf("\n");
+    VIDEO_WaitVSync();
 
-u32 checkKeyB(u32 KeyBRaw)
-{
-  if ((KeyBRaw & 0xFF) != 0xEE)
-  {
-    printf("Invalid KeyB - lowest 8 bits should be 0xEE, actually 0x%02x\n",
-        ((u8)(KeyBRaw)));
+    u32 isValid = getMsg();
+    if (isValid == -1)
+    {
+      warnError("ERROR: Unsupported game version inserted!\n");
 
-    return 0;
-  }
+      continue;
+    }
 
-  u32 KeyB = KeyBRaw & 0xffffff00;
-  u32 val = KeyB;
-  u32 unk = (val < 0);
-  for (u32 i = 1; i < 24; i++)
-  {
-    val <<= 1;
-    unk += (val < 0);
-  }
+    // Get trainer name
+    u8 trainerName[8];
 
-  if (unk > 14)
-  {
-    printf("Invalid KeyB - high 24 bits bad: 0x%08lx\n", KeyB);
+    u32 tnd = getMsg();
+    trainerName[0] = (tnd & 0xFF000000) >> 24;
+    trainerName[1] = (tnd & 0x00FF0000) >> 16;
+    trainerName[2] = (tnd & 0x0000FF00) >> 8;
+    trainerName[3] = (tnd & 0x000000FF);
 
-    return 0;
-  }
+    tnd = getMsg();
+    trainerName[4] = (tnd & 0xFF000000) >> 24;
+    trainerName[5] = (tnd & 0x00FF0000) >> 16;
+    trainerName[6] = (tnd & 0x0000FF00) >> 8;
+    trainerName[7] = (tnd & 0x000000FF);
 
-  printf("Valid KeyB: 0x%08lx\n", KeyB);
+    // Get trainer ID
+    u32 trainerId = getMsg();
 
-  return KeyB;
-}
+    printf("Trainer: ");
 
-u32 deriveKeyC(u32 keyCderive, u32 kcrc)
-{
-  u32 keyc = 0;
-  u32 keyCi = 0;
+    for (int i = 0; i < 8; i++)
+    {
+      if (trainerName[i] == 0xFF)
+      {
+        break;
+      } else {
+        printf("%c", debugGen3Decode(trainerName[i]));
+      }
+    }
 
-  do
-  {
-    u32 v5 = 0x1000000 * keyCi - 1;
-    u32 keyCattempt = docrc(kcrc,v5);
+    printf(" (%ld)\n", trainerId);
+
+    // Wait for confirmation.
+    printf("Press A to import the data from this game.\n");
+    printf("Press B to cancel.\n");
+    VIDEO_WaitVSync();
 
-    if (keyCderive == keyCattempt)
+    if (waitForButtons(PAD_BUTTON_A | PAD_BUTTON_B) & PAD_BUTTON_B)
     {
-      keyc = v5;
+      printf("Cancelling...\n");
+      VIDEO_WaitVSync();
 
-      printf("Found keyC: %08lx\n",keyc);
+      sendMsg(0);
 
-      return keyc;
+      continue;
     }
 
-    keyCi++;
-  } while (keyCi < 256);
+    printf("Importing...\n");
+    VIDEO_WaitVSync();
 
-  return keyc;
-}
+    sendMsg(1);
 
-u32 getMsg()
-{
-  u32 val = 0;
-  while (val == 0)
-  {
-    val = __builtin_bswap32(recv());
-    sleep(1);
-  }
+    // Get Pokédex data
+    u32 pokedexSeen[13];
+    u32 pokedexCaught[13];
 
-  send(0);
-  while (recv()!=0) {sleep(1);}
-  send(0);
+    getMsgArr(pokedexSeen, 13);
+    getMsgArr(pokedexCaught, 13);
+    int numCaught = 0;
+    int numSeen = 0;
+    for (int i=0; i<(13*32); i++)
+    {
+      if (pokedexCaught[i >> 5] >> (i & 31) & 1)
+      {
+        //printf("Caught #%d\n", i);
+        numCaught++;
+        numSeen++;
+      } else if (pokedexSeen[i >> 5] >> (i & 31) & 1)
+      {
+        //printf("Saw #%d\n", i);
+        numSeen++;
+      }
+    }
 
-  return val;
-}
+    printf("Caught: %d\nSeen: %d\n", numCaught, numSeen);
 
-void getMsgArr(u32* arr, int len)
-{
-  for (int i=0; i<len; i++)
-  {
-    *(vu32*)(arr+i) = __builtin_bswap32(recv());
-    usleep(500000);
+    waitForButtons(PAD_BUTTON_START);
   }
-}
 
-void sendMsg(u32 msg)
-{
-  while (recv()==0) {sleep(1);}
-  send(msg);
-  while (recv()!=0) {sleep(1);}
-  send(0);
+  return NULL;
 }
 
 int main(int argc, char *argv[])
@@ -282,299 +226,27 @@ int main(int argc, char *argv[])
   CON_InitEx(rmode, x, y, w, h);
   VIDEO_ClearFrameBuffer(rmode, xfb, COLOR_BLACK);
   PAD_Init();
-  cmdbuf = memalign(32,32);
-  resbuf = memalign(32,32);
 
-  for (;;)
-  {
-    printmain();
+  initLink();
 
-    printf("Press A to begin, press Start to quit.\n");
-    if (waitForButtons(PAD_BUTTON_A | PAD_BUTTON_START) & PAD_BUTTON_START)
-    {
-      endproc();
-    }
+  lwp_t extractorHandle = (lwp_t)NULL;
 
-    printf("Waiting for a GBA in port 2...\n");
-    resval = 0;
+  LWP_CreateThread(
+    &extractorHandle,   // thread handle
+    extractor,          // code
+    NULL,               // userdata
+    NULL,               // stack base
+    16*1024,            // stack size
+    LWP_PRIO_HIGHEST);  // thread priority
 
-    SI_GetTypeAsync(1,acb);
-    while(1)
-    {
-      if (resval)
-      {
-        if (resval == 0x80 || resval & 8)
-        {
-          resval = 0;
-          SI_GetTypeAsync(1,acb);
-        } else if (resval)
-        {
-          break;
-        }
-      }
-
-      PAD_ScanPads();
-      VIDEO_WaitVSync();
-      if (PAD_ButtonsHeld(0) & PAD_BUTTON_START)
-      {
-        getstatus();
-        endproc();
-      }
-    }
+  for (;;)
+  {
+    VIDEO_WaitVSync();
+    PAD_ScanPads();
 
-    if (resval & SI_GBA)
+    if (PAD_ButtonsDown(0) & PAD_BUTTON_START)
     {
-      printf("GBA Found! Waiting on BIOS\n");
-
-      resbuf[2]=0;
-
-      // wait for the BIOS to hand over to the game
-      do
-      {
-        doreset();
-      } while (!(resbuf[1] > 4));
-
-      printf("BIOS handed over to game, waiting on game\n");
-
-      do
-      {
-        doreset();
-      } while ((resbuf[0] != 0) || !(resbuf[2] & 0x10));
-
-      // receive the game-code from GBA side.
-      u32 gamecode = recv();
-
-      printf("Ready, sending multiboot ROM\n");
-
-      unsigned int sendsize = ((gba_mb_gba_size+7)&~7);
-
-      // generate KeyA
-      unsigned int ourkey = genKeyA();
-
-      //printf("Our Key: %08x\n", ourkey);
-      printf("Sending game code that we got: 0x%08lx\n",
-          __builtin_bswap32(gamecode));
-
-      // send the game code back, then KeyA.
-      send(__builtin_bswap32(gamecode));
-      send(ourkey);
-
-      // get KeyB from GBA, check it to make sure its valid, then xor with KeyA
-      // to derive the initial CRC value and the sessionkey.
-      u32 sessionkeyraw = 0;
-      do
-      {
-        sessionkeyraw = recv();
-      } while (sessionkeyraw == gamecode);
-
-      sessionkeyraw = checkKeyB(__builtin_bswap32(sessionkeyraw));
-      if (sessionkeyraw == 0)
-      {
-        warnError("Cannot continue.\n");
-
-        continue;
-      }
-
-      u32 sessionkey = sessionkeyraw ^ ourkey;
-      u32 kcrc = sessionkey;
-      printf("start kCRC=%08lx\n",kcrc);
-
-      sessionkey = (sessionkey*0x6177614b)+1;
-
-      // send hacked up send-size in uint32s
-      u32 hackedupsize = (sendsize >> 3) - 1;
-
-      printf("Sending hacked up size 0x%08lx\n",hackedupsize);
-      send(hackedupsize);
-
-      //unsigned int fcrc = 0x00bb;
-      // send over multiboot binary header, in the clear until the end of the
-      // nintendo logo. GBA checks this, if nintendo logo does not match the
-      // one in currently inserted cart's ROM, it will not accept any more data.
-      for (int i = 0; i < 0xA0; i+=4)
-      {
-        vu32 rom_dword = *(vu32*)(gba_mb_gba+i);
-        send(__builtin_bswap32(rom_dword));
-      }
-
-      printf("\n");
-      printf("Header done! Sending ROM...\n");
-
-      // Add each uint32 of the multiboot image to the checksum, encrypt the
-      // uint32 with the session key, increment the session key, send the
-      // encrypted uint32.
-      for (int i = 0xA0; i < sendsize; i+=4)
-      {
-        u32 dec = (
-            (((gba_mb_gba[i+3]) << 24) & 0xff000000) |
-            (((gba_mb_gba[i+2]) << 16) & 0x00ff0000) |
-            (((gba_mb_gba[i+1]) << 8)  & 0x0000ff00) |
-            (((gba_mb_gba[i])   << 0)  & 0x000000ff)
-            );
-
-        u32 enc = (dec - kcrc) ^ sessionkey;
-        kcrc = docrc(kcrc,dec);
-        sessionkey = (sessionkey * 0x6177614B) + 1;
-        //enc^=((~(i+(0x20<<20)))+1);
-        //enc^=0x6f646573;//0x20796220;
-
-        send(enc);
-      }
-
-      //fcrc |= (sendsize<<16);
-      printf("ROM done! CRC: %08lx\n", kcrc);
-      //get crc back (unused)
-
-      // Get KeyC derivation material from GBA (eventually)
-      u32 keyCderive = 0;
-      do
-      {
-        keyCderive = recv();
-      } while (keyCderive <= 0xfeffffff);
-
-      keyCderive = __builtin_bswap32(keyCderive);
-      keyCderive >>= 8;
-
-      printf("KeyC derivation material: %08lx\n",keyCderive);
-
-      // (try to) find the KeyC, using the checksum of the multiboot image, and
-      // the derivation material that GBA sent to us
-      u32 keyc = deriveKeyC(keyCderive,kcrc);
-      if (keyc == 0)
-      {
-        printf("Could not find keyC - kcrc=0x%08lx\n",kcrc);
-        warnError("Cannot continue.\n");
-
-        continue;
-      }
-
-      // derive the boot key from the found KeyC, and send to GBA. if this is
-      // not correct, GBA will not jump to the multiboot image it was sent.
-      u32 bootkey = docrc(0xBB,keyc) | 0xbb000000;
-      printf("BootKey = 0x%08lx\n",bootkey);
-
-      send(bootkey);
-      sleep(2);
-
-      printf("Waiting for GBA...\n");
-      while (recv() != 0) {sleep(1);};
-      send(0);
-
-      VIDEO_WaitVSync();
-
-      // Get game
-      // -1 - unsupported game
-      //  1 - Ruby
-      //  2 - Sapphire
-      //  3 - FireRed
-      //  4 - LeafGreen
-      //  5 - Emerald
-      u32 gameId = getMsg();
-      if (gameId == -1)
-      {
-        warnError("ERROR: Unsupported GBA game inserted!\n");
-
-        continue;
-      }
-
-      printf("\nPokemon ");
-      switch (gameId)
-      {
-        case 1: printf("Ruby"); break;
-        case 2: printf("Sapphire"); break;
-        case 3: printf("FireRed"); break;
-        case 4: printf("LeafGreen"); break;
-        case 5: printf("Emerald"); break;
-      }
-
-      printf("\n");
-      VIDEO_WaitVSync();
-
-      u32 isValid = getMsg();
-      if (isValid == -1)
-      {
-        warnError("ERROR: Unsupported game version inserted!\n");
-
-        continue;
-      }
-
-      // Get trainer name
-      u8 trainerName[8];
-
-      u32 tnd = getMsg();
-      trainerName[0] = (tnd & 0xFF000000) >> 24;
-      trainerName[1] = (tnd & 0x00FF0000) >> 16;
-      trainerName[2] = (tnd & 0x0000FF00) >> 8;
-      trainerName[3] = (tnd & 0x000000FF);
-
-      tnd = getMsg();
-      trainerName[4] = (tnd & 0xFF000000) >> 24;
-      trainerName[5] = (tnd & 0x00FF0000) >> 16;
-      trainerName[6] = (tnd & 0x0000FF00) >> 8;
-      trainerName[7] = (tnd & 0x000000FF);
-
-      // Get trainer ID
-      u32 trainerId = getMsg();
-
-      printf("Trainer: ");
-
-      for (int i = 0; i < 8; i++)
-      {
-        if (trainerName[i] == 0xFF)
-        {
-          break;
-        } else {
-          printf("%c", debugGen3Decode(trainerName[i]));
-        }
-      }
-
-      printf(" (%ld)\n", trainerId);
-
-      // Wait for confirmation.
-      printf("Press A to import the data from this game.\n");
-      printf("Press B to cancel.\n");
-      VIDEO_WaitVSync();
-
-      if (waitForButtons(PAD_BUTTON_A | PAD_BUTTON_B) & PAD_BUTTON_B)
-      {
-        printf("Cancelling...\n");
-        VIDEO_WaitVSync();
-
-        sendMsg(0);
-
-        continue;
-      }
-
-      printf("Importing...\n");
-      VIDEO_WaitVSync();
-
-      sendMsg(1);
-
-      // Get Pokédex data
-      u32 pokedexSeen[13];
-      u32 pokedexCaught[13];
-
-      getMsgArr(pokedexSeen, 13);
-      getMsgArr(pokedexCaught, 13);
-      int numCaught = 0;
-      int numSeen = 0;
-      for (int i=0; i<(13*32); i++)
-      {
-        if (pokedexCaught[i >> 5] >> (i & 31) & 1)
-        {
-          //printf("Caught #%d\n", i);
-          numCaught++;
-          numSeen++;
-        } else if (pokedexSeen[i >> 5] >> (i & 31) & 1)
-        {
-          //printf("Saw #%d\n", i);
-          numSeen++;
-        }
-      }
-
-      printf("Caught: %d\nSeen: %d\n", numCaught, numSeen);
-
-      waitForButtons(PAD_BUTTON_START);
+      endproc();
     }
   }
 
@@ -0,0 +1,246 @@
+#include "multiboot.h"
+#include <gccore.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "link.h"
+
+extern u8 gba_mb_gba[];
+extern u32 gba_mb_gba_size;
+
+unsigned int docrc(u32 crc,u32 val)
+{
+  u32 result;
+
+  result = val ^ crc;
+  for (int i = 0; i < 0x20; i++)
+  {
+    if (result & 1)
+    {
+      result >>= 1;
+      result ^= 0xA1C1;
+    } else {
+      result >>= 1;
+    }
+  }
+
+  return result;
+}
+
+u32 genKeyA()
+{
+  u32 retries = 0;
+
+  for (;;)
+  {
+    u32 key = 0;
+
+    if (retries > 32)
+    {
+      key = 0xDD654321;
+    } else {
+      key = (rand() & 0x00ffffff) | 0xDD000000;
+    }
+
+    u32 unk = (key % 2 != 0);
+    u32 v12 = key;
+    for (u32 v13 = 1; v13 < 32; v13++)
+    {
+      v12 >>= 1;
+      unk += (v12 % 2 != 0);
+    }
+
+    if ((unk >= 10 && unk <= 24))
+    {
+      if (retries > 4)
+      {
+        printf("KeyA retries = %ld", retries);
+      }
+
+      printf("KeyA = 0x%08lx\n", key);
+
+      return key;
+    }
+
+    retries++;
+  }
+}
+
+u32 checkKeyB(u32 KeyBRaw)
+{
+  if ((KeyBRaw & 0xFF) != 0xEE)
+  {
+    printf("Invalid KeyB - lowest 8 bits should be 0xEE, actually 0x%02x\n",
+        ((u8)(KeyBRaw)));
+
+    return 0;
+  }
+
+  u32 KeyB = KeyBRaw & 0xffffff00;
+  u32 val = KeyB;
+  u32 unk = (val < 0);
+  for (u32 i = 1; i < 24; i++)
+  {
+    val <<= 1;
+    unk += (val < 0);
+  }
+
+  if (unk > 14)
+  {
+    printf("Invalid KeyB - high 24 bits bad: 0x%08lx\n", KeyB);
+
+    return 0;
+  }
+
+  printf("Valid KeyB: 0x%08lx\n", KeyB);
+
+  return KeyB;
+}
+
+u32 deriveKeyC(u32 keyCderive, u32 kcrc)
+{
+  u32 keyc = 0;
+  u32 keyCi = 0;
+
+  do
+  {
+    u32 v5 = 0x1000000 * keyCi - 1;
+    u32 keyCattempt = docrc(kcrc,v5);
+
+    if (keyCderive == keyCattempt)
+    {
+      keyc = v5;
+
+      printf("Found keyC: %08lx\n",keyc);
+
+      return keyc;
+    }
+
+    keyCi++;
+  } while (keyCi < 256);
+
+  return keyc;
+}
+
+bool sendMultibootImage()
+{
+  printf("Waiting on BIOS\n");
+  waitForBIOS();
+
+  printf("BIOS handed over to game, waiting on game\n");
+  waitForGame();
+
+  // receive the game-code from GBA side.
+  u32 gamecode = recv();
+
+  printf("Ready, sending multiboot ROM\n");
+
+  unsigned int sendsize = ((gba_mb_gba_size+7)&~7);
+
+  // generate KeyA
+  unsigned int ourkey = genKeyA();
+
+  //printf("Our Key: %08x\n", ourkey);
+  printf("Sending game code that we got: 0x%08lx\n",
+      __builtin_bswap32(gamecode));
+
+  // send the game code back, then KeyA.
+  send(__builtin_bswap32(gamecode));
+  send(ourkey);
+
+  // get KeyB from GBA, check it to make sure its valid, then xor with KeyA
+  // to derive the initial CRC value and the sessionkey.
+  u32 sessionkeyraw = 0;
+  do
+  {
+    sessionkeyraw = recv();
+  } while (sessionkeyraw == gamecode);
+
+  sessionkeyraw = checkKeyB(__builtin_bswap32(sessionkeyraw));
+  if (sessionkeyraw == 0)
+  {
+    return false;
+  }
+
+  u32 sessionkey = sessionkeyraw ^ ourkey;
+  u32 kcrc = sessionkey;
+  printf("start kCRC=%08lx\n",kcrc);
+
+  sessionkey = (sessionkey*0x6177614b)+1;
+
+  // send hacked up send-size in uint32s
+  u32 hackedupsize = (sendsize >> 3) - 1;
+
+  printf("Sending hacked up size 0x%08lx\n",hackedupsize);
+  send(hackedupsize);
+
+  //unsigned int fcrc = 0x00bb;
+  // send over multiboot binary header, in the clear until the end of the
+  // nintendo logo. GBA checks this, if nintendo logo does not match the
+  // one in currently inserted cart's ROM, it will not accept any more data.
+  for (int i = 0; i < 0xA0; i+=4)
+  {
+    vu32 rom_dword = *(vu32*)(gba_mb_gba+i);
+    send(__builtin_bswap32(rom_dword));
+  }
+
+  printf("\n");
+  printf("Header done! Sending ROM...\n");
+
+  // Add each uint32 of the multiboot image to the checksum, encrypt the
+  // uint32 with the session key, increment the session key, send the
+  // encrypted uint32.
+  for (int i = 0xA0; i < sendsize; i+=4)
+  {
+    u32 dec = (
+        (((gba_mb_gba[i+3]) << 24) & 0xff000000) |
+        (((gba_mb_gba[i+2]) << 16) & 0x00ff0000) |
+        (((gba_mb_gba[i+1]) << 8)  & 0x0000ff00) |
+        (((gba_mb_gba[i])   << 0)  & 0x000000ff)
+        );
+
+    u32 enc = (dec - kcrc) ^ sessionkey;
+    kcrc = docrc(kcrc,dec);
+    sessionkey = (sessionkey * 0x6177614B) + 1;
+    //enc^=((~(i+(0x20<<20)))+1);
+    //enc^=0x6f646573;//0x20796220;
+
+    send(enc);
+  }
+
+  //fcrc |= (sendsize<<16);
+  printf("ROM done! CRC: %08lx\n", kcrc);
+  //get crc back (unused)
+
+  // Get KeyC derivation material from GBA (eventually)
+  u32 keyCderive = 0;
+  do
+  {
+    keyCderive = recv();
+  } while (keyCderive <= 0xfeffffff);
+
+  keyCderive = __builtin_bswap32(keyCderive);
+  keyCderive >>= 8;
+
+  printf("KeyC derivation material: %08lx\n",keyCderive);
+
+  // (try to) find the KeyC, using the checksum of the multiboot image, and
+  // the derivation material that GBA sent to us
+  u32 keyc = deriveKeyC(keyCderive,kcrc);
+  if (keyc == 0)
+  {
+    printf("Could not find keyC - kcrc=0x%08lx\n",kcrc);
+
+    return false;
+  }
+
+  // derive the boot key from the found KeyC, and send to GBA. if this is
+  // not correct, GBA will not jump to the multiboot image it was sent.
+  u32 bootkey = docrc(0xBB,keyc) | 0xbb000000;
+  printf("BootKey = 0x%08lx\n",bootkey);
+
+  send(bootkey);
+  sleep(2);
+
+  return true;
+}
@@ -0,0 +1,8 @@
+#ifndef MULTIBOOT_H_5C3CB904
+#define MULTIBOOT_H_5C3CB904
+
+#include <stdbool.h>
+
+bool sendMultibootImage();
+
+#endif /* end of include guard: MULTIBOOT_H_5C3CB904 */