From d4e309bb19b74c4b21ca19952c9b1cdd067c667a Mon Sep 17 00:00:00 2001 From: slipstream/RoL Date: Sun, 19 Feb 2017 01:19:35 +0000 Subject: Initial commit of the fork Forking gba-link-cable-dumper to gba-gen3multiboot --- LICENSE | 1 + Makefile.gc | 2 +- Makefile.wii | 2 +- README.md | 16 +- build.bat | 3 +- gba/Makefile | 13 +- gba/gba_pkjb.ld | 296 +++++++++++++++++++++++++++ gba/gba_pkjb.specs | 8 + gba/source/main.c | 262 +++--------------------- gba/start/pkjb_crt0.s | 98 +++++++++ source/main.c | 551 ++++++++++++++------------------------------------ 11 files changed, 616 insertions(+), 636 deletions(-) create mode 100644 gba/gba_pkjb.ld create mode 100644 gba/gba_pkjb.specs create mode 100644 gba/start/pkjb_crt0.s diff --git a/LICENSE b/LICENSE index bd6e929..3bef6d6 100644 --- a/LICENSE +++ b/LICENSE @@ -1,5 +1,6 @@ The MIT License (MIT) +Copyright (c) 2017 slipstream/RoL Copyright (c) 2016 FIX94 Permission is hereby granted, free of charge, to any person obtaining a copy diff --git a/Makefile.gc b/Makefile.gc index 431c094..3fddc9b 100644 --- a/Makefile.gc +++ b/Makefile.gc @@ -15,7 +15,7 @@ include $(DEVKITPPC)/gamecube_rules # SOURCES is a list of directories containing source code # INCLUDES is a list of directories containing extra header files #--------------------------------------------------------------------------------- -TARGET := linkcabledump_gc +TARGET := gen3multiboot_gc BUILD := build SOURCES := source DATA := data diff --git a/Makefile.wii b/Makefile.wii index 4de7f71..15afd9d 100644 --- a/Makefile.wii +++ b/Makefile.wii @@ -15,7 +15,7 @@ include $(DEVKITPPC)/wii_rules # SOURCES is a list of directories containing source code # INCLUDES is a list of directories containing extra header files #--------------------------------------------------------------------------------- -TARGET := linkcabledump_wii +TARGET := gen3multiboot_wii BUILD := build SOURCES := source DATA := data diff --git a/README.md b/README.md index 91d29d0..4483a83 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,12 @@ -# GBA Link Cable Dumper -A GC and Wii Homebrew App to get GBA BIOS, ROMs and saves via the GC GBA Link Cable. -Save Support based on SendSave by Chishm. -GBA BIOS Dumper by Dark Fader. +# GBA Gen3 Multiboot +A GC and Wii homebrew app that sends a binary to the GBA using the different multiboot protocol used by the third generation of Pokémon games (Ruby, Sapphire, Emerald, FireRed, LeafGreen). # Usage -Just have a GC Controller in Port 1 and a GBA without a game inserted or aborted game launch by holding select+start in Port 2. -The bin, gba and sav files dumped will be placed in a folder called "dumps" on your main device (SD Gecko on gamecube and SD/USB on Wii). Please note that dumping GBA ROMs can take a long time (32mb takes about 48 minutes) because of the cable protocol limitations, a estimation will be displayed on screen before you dump it as a reference. +Have a GC Controller in Port 1 and a GBA with Gen3 game in Port 2. +Put your payload code to do some interesting stuff with the Pokémon game you have in `gba` dir. Example code that changes first character of player name to 'z' on Pokémon Ruby English (v1.0-1.2) provided. +Recompile, send to Wii or GC, turn on your GBA, hope that your code runs after the initial copyright screen of the game. +(Code execution rate is for some reason not 100% reliable, PR to fix would be greatly appreciated. Sometimes KeyC derivation fails, sometimes GBA ignores the sent multiboot image, could be due to failure of a few different sends) + +# Acknowledgements +Thanks to FIX94 for your multiboot game dumper, which the multiboot code is loosely based on (differences in crypto & protocol...) +Without it, this would have taken longer to do than the 2 days or so that it took. \ No newline at end of file diff --git a/build.bat b/build.bat index aece78f..8a35180 100644 --- a/build.bat +++ b/build.bat @@ -1,8 +1,9 @@ +@echo off cd gba make clean make cd .. -mv -f gba/gba_mb.gba data/gba_mb.gba +mv -f gba/gba_pkjb.gba data/gba_mb.gba make -f Makefile.gc clean make -f Makefile.gc make -f Makefile.wii clean diff --git a/gba/Makefile b/gba/Makefile index 99dfbb6..f9cb296 100644 --- a/gba/Makefile +++ b/gba/Makefile @@ -7,6 +7,10 @@ ifeq ($(strip $(DEVKITARM)),) $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM) endif +%_pkjb.elf: + @echo linking pkjb + @$(LD) -specs=../gba_pkjb.specs $(LDFLAGS) $(OFILES) $(LIBPATHS) $(LIBS) -o $@ + include $(DEVKITARM)/gba_rules #--------------------------------------------------------------------------------- @@ -16,7 +20,7 @@ include $(DEVKITARM)/gba_rules # DATA is a list of directories containing data files # INCLUDES is a list of directories containing header files #--------------------------------------------------------------------------------- -TARGET := $(shell basename $(CURDIR))_mb +TARGET := $(shell basename $(CURDIR))_pkjb BUILD := build SOURCES := source DATA := @@ -38,8 +42,8 @@ CFLAGS += $(INCLUDE) CXXFLAGS := $(CFLAGS) -fno-rtti -fno-exceptions -ASFLAGS := $(ARCH) -LDFLAGS = -g $(ARCH) -Wl,-Map,$(notdir $@).map +ASFLAGS := -g $(ARCH) +LDFLAGS = $(ARCH) -Wl,-Map,$(notdir $@).map #--------------------------------------------------------------------------------- # any extra libraries we wish to link with the project @@ -109,6 +113,7 @@ export LIBPATHS := $(foreach dir,$(LIBDIRS),-L$(dir)/lib) #--------------------------------------------------------------------------------- $(BUILD): @[ -d $@ ] || mkdir -p $@ + $(CC) -MMD -MP -MF start/pkjb_crt0.d -x assembler-with-cpp $(ASFLAGS) -c start/pkjb_crt0.s -o start/pkjb_crt0.o $(ERROR_FILTER) @make --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile all : $(BUILD) @@ -150,7 +155,7 @@ $(OUTPUT).elf : $(OFILES) #--------------------------------------------------------------------------------- @echo $(notdir $<) @$(bin2o) - + #--------------------------------------------------------------------------------- # This rule creates assembly source files using grit # grit takes an image file and a .grit describing how the file is to be processed diff --git a/gba/gba_pkjb.ld b/gba/gba_pkjb.ld new file mode 100644 index 0000000..102cb42 --- /dev/null +++ b/gba/gba_pkjb.ld @@ -0,0 +1,296 @@ +/* Linker Script Original v1.3 by Jeff Frohwein */ +/* v1.0 - Original release */ +/* v1.1 - Added proper .data section support */ +/* v1.2 - Added support for c++ & iwram overlays */ +/* - Major contributions by Jason Wilkins. */ +/* v1.3 - .ewram section now can be used when */ +/* compiling for MULTIBOOT mode. This fixes */ +/* malloc() in DevKitAdvance which depends */ +/* on __eheap_start instead of end to define*/ +/* the starting location of heap space. */ +/* External global variable __gba_iwram_heap*/ +/* support added to allow labels end, _end, */ +/* & __end__ to point to end of iwram or */ +/* the end of ewram. */ +/* Additions by WinterMute */ +/* v1.4 - .sbss section added for unitialised */ +/* data in ewram */ +/* v1.5 - padding section added to stop EZF */ +/* stripping important data */ +/* v1.6 - added memory sections */ + +/* This file is released into the public domain */ +/* for commercial or non-commercial use with no */ +/* restrictions placed upon it. */ + +/* NOTE!!!: This linker script defines the RAM & */ +/* ROM start addresses. In order for it to work */ +/* properly, remove -Ttext and -Tbss linker */ +/* options from your makefile if they are */ +/* present. */ + +/* You can use the following to view section */ +/* addresses in your .elf file: */ +/* objdump -h file.elf */ +/* Please note that empty sections may incorrectly*/ +/* list the lma address as the vma address for */ +/* some versions of objdump. */ + +OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm", "elf32-littlearm") +OUTPUT_ARCH(arm) +ENTRY(_start) + +MEMORY { + + rom : ORIGIN = 0x08000000, LENGTH = 32M + iwram : ORIGIN = 0x03000000, LENGTH = 32K + ewram : ORIGIN = 0x02000000, LENGTH = 256K +} + + + +__text_start = ORIGIN(ewram); +__eheap_end = ORIGIN(ewram) + LENGTH(ewram); +__iwram_start = ORIGIN(iwram); +__iwram_top = ORIGIN(iwram) + LENGTH(iwram);; + +__sp_irq = __iwram_top - 0x060; +__sp_usr = __sp_irq - 0x0a0; +__irq_flags = 0x03007ff8; + +SECTIONS +{ + . = __text_start; + .init : + { + KEEP (*(.init)) + . = ALIGN(4); + } >ewram =0xff + + .plt : + { + *(.plt) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram + + .text ALIGN (4): + { + *(EXCLUDE_FILE (*.iwram*) .text) + *(.text .stub .text.* .gnu.linkonce.t.*) + KEEP (*(.text.*personality*)) + /* .gnu.warning sections are handled specially by elf32.em. */ + *(.gnu.warning) + *(.glue_7t) *(.glue_7) *(.vfp11_veneer) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram = 0xff + + __text_end = .; + .fini : + { + KEEP (*(.fini)) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram =0 + + .rodata : + { + *(.rodata) + *all.rodata*(*) + *(.roda) + *(.rodata.*) + *(.gnu.linkonce.r*) + SORT(CONSTRUCTORS) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram = 0xff + + .ARM.extab : { *(.ARM.extab* .gnu.linkonce.armextab.*) } >ewram + __exidx_start = .; + .ARM.exidx : { *(.ARM.exidx* .gnu.linkonce.armexidx.*) } >ewram + __exidx_end = .; + /* Ensure the __preinit_array_start label is properly aligned. We + could instead move the label definition inside the section, but + the linker would then create the section even if it turns out to + be empty, which isn't pretty. */ + . = ALIGN(32 / 8); + PROVIDE (__preinit_array_start = .); + .preinit_array : { KEEP (*(.preinit_array)) } >ewram = 0xff + PROVIDE (__preinit_array_end = .); + PROVIDE (__init_array_start = .); + .init_array : { KEEP (*(.init_array)) } >ewram = 0xff + PROVIDE (__init_array_end = .); + PROVIDE (__fini_array_start = .); + .fini_array : { KEEP (*(.fini_array)) } >ewram = 0xff + PROVIDE (__fini_array_end = .); + .ctors : + { + /* gcc uses crtbegin.o to find the start of the constructors, so + we make sure it is first. Because this is a wildcard, it + doesn't matter if the user does not actually link against + crtbegin.o; the linker won't look for a file to match a + wildcard. The wildcard also means that it doesn't matter which + directory crtbegin.o is in. */ + KEEP (*crtbegin.o(.ctors)) + KEEP (*(EXCLUDE_FILE (*crtend.o) .ctors)) + KEEP (*(SORT(.ctors.*))) + KEEP (*(.ctors)) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram = 0 + + .dtors : + { + KEEP (*crtbegin.o(.dtors)) + KEEP (*(EXCLUDE_FILE (*crtend.o) .dtors)) + KEEP (*(SORT(.dtors.*))) + KEEP (*(.dtors)) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram = 0 + + .jcr : { KEEP (*(.jcr)) } >ewram + .eh_frame : + { + KEEP (*(.eh_frame)) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram = 0 + + .gcc_except_table : + { + *(.gcc_except_table) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + } >ewram = 0 + + __iwram_lma = .; + + .iwram __iwram_start : AT (__iwram_lma) + { + __iwram_start__ = ABSOLUTE(.) ; + *(.iwram) + *iwram.*(.text) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + __iwram_end__ = ABSOLUTE(.) ; + } >iwram = 0xff + + __data_lma = __iwram_lma + SIZEOF(.iwram) ; + + .bss ALIGN(4) (NOLOAD): + { + __bss_start__ = ABSOLUTE(.); + *(.dynbss) + *(.gnu.linkonce.b*) + *(.bss*) + *(COMMON) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + __bss_end__ = ABSOLUTE(.) ; + } + + .data ALIGN(4) : AT (__data_lma) + { + __data_start__ = ABSOLUTE(.); + *(.data) + *(.data.*) + *(.gnu.linkonce.d*) + CONSTRUCTORS + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + __data_end__ = ABSOLUTE(.); + } >iwram = 0xff + + __iwram_overlay_lma = __data_lma + SIZEOF(.data); + + PROVIDE (edata = .); + __iwram_overlay_start = . ; + + OVERLAY ALIGN(4) : NOCROSSREFS AT (__iwram_overlay_lma) + { + .iwram0 { *(.iwram0) . = ALIGN(4);} + .iwram1 { *(.iwram1) . = ALIGN(4);} + .iwram2 { *(.iwram2) . = ALIGN(4);} + .iwram3 { *(.iwram3) . = ALIGN(4);} + .iwram4 { *(.iwram4) . = ALIGN(4);} + .iwram5 { *(.iwram5) . = ALIGN(4);} + .iwram6 { *(.iwram6) . = ALIGN(4);} + .iwram7 { *(.iwram7) . = ALIGN(4);} + .iwram8 { *(.iwram8) . = ALIGN(4);} + .iwram9 { *(.iwram9) . = ALIGN(4);} + } >iwram = 0xff + + __ewram_lma = LOADADDR(.iwram0) + SIZEOF(.iwram0)+SIZEOF(.iwram1)+SIZEOF(.iwram2)+SIZEOF(.iwram3)+SIZEOF(.iwram4)+SIZEOF(.iwram5)+SIZEOF(.iwram6)+SIZEOF(.iwram7)+SIZEOF(.iwram8)+SIZEOF(.iwram9); + + __iwram_overlay_end = __ewram_lma ; + + /* v1.3 */ + __ewram_start = __ewram_lma ; + + .ewram __ewram_start : AT (__ewram_lma) + { + *(.ewram) + . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ + __ewram_end = ABSOLUTE(.); + } >ewram = 0xff + + __ewram_overlay_lma = __ewram_lma + SIZEOF(.ewram); + + .sbss ALIGN(4)(NOLOAD): + { + __sbss_start__ = ABSOLUTE(.); + *(.sbss) + . = ALIGN(4); + __sbss_end__ = ABSOLUTE(.); + __end__ = ABSOLUTE(.); + __eheap_start = ABSOLUTE(.); + } + + OVERLAY ALIGN(4): NOCROSSREFS AT (__ewram_overlay_lma) + { + .ewram0 { *(.ewram0) . = ALIGN(4);} + .ewram1 { *(.ewram1) . = ALIGN(4);} + .ewram2 { *(.ewram2) . = ALIGN(4);} + .ewram3 { *(.ewram3) . = ALIGN(4);} + .ewram4 { *(.ewram4) . = ALIGN(4);} + .ewram5 { *(.ewram5) . = ALIGN(4);} + .ewram6 { *(.ewram6) . = ALIGN(4);} + .ewram7 { *(.ewram7) . = ALIGN(4);} + .ewram8 { *(.ewram8) . = ALIGN(4);} + .ewram9 { *(.ewram9) . = ALIGN(4);} + } >ewram = 0xff + __ewram_overlay_end = ABSOLUTE(.); + + __eheap_start = __ewram_overlay_end ; + + _end = __ewram_overlay_end; + __end__ = __ewram_overlay_end; + __rom_end__ = __ewram_overlay_end; + + /* Stabs debugging sections. */ + .stab 0 : { *(.stab) } + .stabstr 0 : { *(.stabstr) } + .stab.excl 0 : { *(.stab.excl) } + .stab.exclstr 0 : { *(.stab.exclstr) } + .stab.index 0 : { *(.stab.index) } + .stab.indexstr 0 : { *(.stab.indexstr) } + .comment 0 : { *(.comment) } + /* DWARF debug sections. + Symbols in the DWARF debugging sections are relative to the beginning + of the section so we begin them at 0. */ + /* DWARF 1 */ + .debug 0 : { *(.debug) } + .line 0 : { *(.line) } + /* GNU DWARF 1 extensions */ + .debug_srcinfo 0 : { *(.debug_srcinfo) } + .debug_sfnames 0 : { *(.debug_sfnames) } + /* DWARF 1.1 and DWARF 2 */ + .debug_aranges 0 : { *(.debug_aranges) } + .debug_pubnames 0 : { *(.debug_pubnames) } + /* DWARF 2 */ + .debug_info 0 : { *(.debug_info) } + .debug_abbrev 0 : { *(.debug_abbrev) } + .debug_line 0 : { *(.debug_line) } + .debug_frame 0 : { *(.debug_frame) } + .debug_str 0 : { *(.debug_str) } + .debug_loc 0 : { *(.debug_loc) } + .debug_macinfo 0 : { *(.debug_macinfo) } + /* SGI/MIPS DWARF 2 extensions */ + .debug_weaknames 0 : { *(.debug_weaknames) } + .debug_funcnames 0 : { *(.debug_funcnames) } + .debug_typenames 0 : { *(.debug_typenames) } + .debug_varnames 0 : { *(.debug_varnames) } + .stack 0x80000 : { _stack = .; *(.stack) } + /* These must appear regardless of . */ +} diff --git a/gba/gba_pkjb.specs b/gba/gba_pkjb.specs new file mode 100644 index 0000000..7c9027b --- /dev/null +++ b/gba/gba_pkjb.specs @@ -0,0 +1,8 @@ +%rename link old_link + +*link: +-T ../gba_pkjb.ld%s %(old_link) --gc-sections + +*startfile: +../start/pkjb_crt0%O%s crti%O%s crtbegin%O%s + diff --git a/gba/source/main.c b/gba/source/main.c index ee94c35..ce6969b 100644 --- a/gba/source/main.c +++ b/gba/source/main.c @@ -1,241 +1,45 @@ /* - * Copyright (C) 2016 FIX94 + * Example Gen3-multiboot payload by slipstream/RoL 2017. + * Supports only English Ruby, v1.0-1.2. * * This software may be modified and distributed under the terms * of the MIT license. See the LICENSE file for details. */ #include -#include -#include -#include "libSave.h" -#define REG_WAITCNT *(vu16 *)(REG_BASE + 0x204) -#define JOY_WRITE 2 -#define JOY_READ 4 -#define JOY_RW 6 - -u8 save_data[0x20000] __attribute__ ((section (".sbss"))); - -s32 getGameSize(void) -{ - if(*(vu32*)(0x08000004) != 0x51AEFF24) - return -1; - s32 i; - for(i = (1<<20); i < (1<<25); i<<=1) - { - vu16 *rompos = (vu16*)(0x08000000+i); - int j; - bool romend = true; - for(j = 0; j < 0x1000; j++) - { - if(rompos[j] != j) - { - romend = false; - break; - } - } - if(romend) break; - } - return i; -} - -//--------------------------------------------------------------------------------- -// Program entry point -//--------------------------------------------------------------------------------- int main(void) { -//--------------------------------------------------------------------------------- - - // the vblank interrupt must be enabled for VBlankIntrWait() to work - // since the default dispatcher handles the bios flags no vblank handler - // is required - irqInit(); - irqEnable(IRQ_VBLANK); - - consoleDemoInit(); - REG_JOYTR = 0; - // ansi escape sequence to set print co-ordinates - // /x1b[line;columnH - u32 i; - iprintf("\x1b[9;2HGBA Link Cable Dumper v1.6\n"); - iprintf("\x1b[10;4HPlease look at the TV\n"); - // disable this, needs power - SNDSTAT = 0; - SNDBIAS = 0; - // Set up waitstates for EEPROM access etc. - REG_WAITCNT = 0x0317; - //clear out previous messages - REG_HS_CTRL |= JOY_RW; - while (1) { - if(REG_HS_CTRL&JOY_READ) - { - REG_HS_CTRL |= JOY_RW; - s32 gamesize = getGameSize(); - u32 savesize = SaveSize(save_data,gamesize); - REG_JOYTR = gamesize; - //wait for a cmd receive for safety - while((REG_HS_CTRL&JOY_WRITE) == 0) ; - REG_HS_CTRL |= JOY_RW; - REG_JOYTR = savesize; - //wait for a cmd receive for safety - while((REG_HS_CTRL&JOY_WRITE) == 0) ; - REG_HS_CTRL |= JOY_RW; - if(gamesize == -1) - { - REG_JOYTR = 0; - continue; //nothing to read - } - //game in, send header - for(i = 0; i < 0xC0; i+=4) - { - REG_JOYTR = *(vu32*)(0x08000000+i); - while((REG_HS_CTRL&JOY_READ) == 0) ; - REG_HS_CTRL |= JOY_RW; - } - REG_JOYTR = 0; - //wait for other side to choose - while((REG_HS_CTRL&JOY_WRITE) == 0) ; - REG_HS_CTRL |= JOY_RW; - u32 choseval = REG_JOYRE; - if(choseval == 0) - { - REG_JOYTR = 0; - continue; //nothing to read - } - else if(choseval == 1) - { - //disable interrupts - u32 prevIrqMask = REG_IME; - REG_IME = 0; - //dump the game - for(i = 0; i < gamesize; i+=4) - { - REG_JOYTR = *(vu32*)(0x08000000+i); - while((REG_HS_CTRL&JOY_READ) == 0) ; - REG_HS_CTRL |= JOY_RW; - } - //restore interrupts - REG_IME = prevIrqMask; - } - else if(choseval == 2) - { - //disable interrupts - u32 prevIrqMask = REG_IME; - REG_IME = 0; - //backup save - switch (savesize){ - case 0x200: - GetSave_EEPROM_512B(save_data); - break; - case 0x2000: - GetSave_EEPROM_8KB(save_data); - break; - case 0x8000: - GetSave_SRAM_32KB(save_data); - break; - case 0x10000: - GetSave_FLASH_64KB(save_data); - break; - case 0x20000: - GetSave_FLASH_128KB(save_data); - break; - default: - break; - } - //restore interrupts - REG_IME = prevIrqMask; - //say gc side we read it - REG_JOYTR = savesize; - //wait for a cmd receive for safety - while((REG_HS_CTRL&JOY_WRITE) == 0) ; - REG_HS_CTRL |= JOY_RW; - //send the save - for(i = 0; i < savesize; i+=4) - { - REG_JOYTR = *(vu32*)(save_data+i); - while((REG_HS_CTRL&JOY_READ) == 0) ; - REG_HS_CTRL |= JOY_RW; - } - } - else if(choseval == 3 || choseval == 4) - { - REG_JOYTR = savesize; - if(choseval == 3) - { - //receive the save - for(i = 0; i < savesize; i+=4) - { - while((REG_HS_CTRL&JOY_WRITE) == 0) ; - REG_HS_CTRL |= JOY_RW; - *(vu32*)(save_data+i) = REG_JOYRE; - } - } - else - { - //clear the save - for(i = 0; i < savesize; i+=4) - *(vu32*)(save_data+i) = 0; - } - //disable interrupts - u32 prevIrqMask = REG_IME; - REG_IME = 0; - //write it - switch (savesize){ - case 0x200: - PutSave_EEPROM_512B(save_data); - break; - case 0x2000: - PutSave_EEPROM_8KB(save_data); - break; - case 0x8000: - PutSave_SRAM_32KB(save_data); - break; - case 0x10000: - PutSave_FLASH_64KB(save_data); - break; - case 0x20000: - PutSave_FLASH_128KB(save_data); - break; - default: - break; - } - //restore interrupts - REG_IME = prevIrqMask; - //say gc side we're done - REG_JOYTR = 0; - //wait for a cmd receive for safety - while((REG_HS_CTRL&JOY_WRITE) == 0) ; - REG_HS_CTRL |= JOY_RW; - } - REG_JOYTR = 0; - } - else if(REG_HS_CTRL&JOY_WRITE) - { - REG_HS_CTRL |= JOY_RW; - u32 choseval = REG_JOYRE; - if(choseval == 5) - { - //disable interrupts - u32 prevIrqMask = REG_IME; - REG_IME = 0; - //dump BIOS - for (i = 0; i < 0x4000; i+=4) - { - // the lower bits are inaccurate, so just get it four times :) - u32 a = MidiKey2Freq((WaveData *)(i-4), 180-12, 0) * 2; - u32 b = MidiKey2Freq((WaveData *)(i-3), 180-12, 0) * 2; - u32 c = MidiKey2Freq((WaveData *)(i-2), 180-12, 0) * 2; - u32 d = MidiKey2Freq((WaveData *)(i-1), 180-12, 0) * 2; - REG_JOYTR = ((a>>24<<24) | (d>>24<<16) | (c>>24<<8) | (b>>24)); - while((REG_HS_CTRL&JOY_READ) == 0) ; - REG_HS_CTRL |= JOY_RW; - } - //restore interrupts - REG_IME = prevIrqMask; - } - REG_JOYTR = 0; - } - Halt(); + // check the ROM code, make sure this game is supported. + char* ROM = 0x8000000; + + if ((*(u32*)(&ROM[0xAC])) != 'EVXA') return 0; // Pokémon Ruby english, nothing else supported! + + void(*loadsave)(char a1); + // get the address of the save loading function. + switch (ROM[0xBC]) { // version number + case 0: + loadsave = 0x8125EC9; + break; + case 1: + case 2: + loadsave = 0x8125EE9; + break; + default: + return 0; //bail out } + loadsave(0); + // now the save is loaded, we can do what we want with the loaded blocks. + // here as a small PoC, changing first letter of player name to 'z'. + u8* gSaveBlock2 = 0x2024EA4; + gSaveBlock2[0] = 0xee; // 'z' + // Now we've done what we want, time to return to the game. + // Can't just return, the game will reload the save. + // So let's just call the main-loop directly ;) + void(*mainloop)() = 0x80002A5; + // turn the sound back on before we head back to the game + *(vu16 *)(REG_BASE + 0x84) = 0x8f; + mainloop(); + // Anything past here will not be executed. + return 0; } diff --git a/gba/start/pkjb_crt0.s b/gba/start/pkjb_crt0.s new file mode 100644 index 0000000..1bf5bd7 --- /dev/null +++ b/gba/start/pkjb_crt0.s @@ -0,0 +1,98 @@ + .section ".init" + .global _start + .align + .arm +@--------------------------------------------------------------------------------- +_start: +@--------------------------------------------------------------------------------- + b rom_header_end + + .fill 156,1,0 @ Nintendo Logo Character Data (8000004h) + .fill 16,1,0 @ Game Title + .byte 0x30,0x31 @ Maker Code (80000B0h) + .byte 0x96 @ Fixed Value (80000B2h) + .byte 0x00 @ Main Unit Code (80000B3h) + .byte 0x00 @ Device Type (80000B4h) + .fill 7,1,0 @ unused + .byte 0x00 @ Software Version No (80000BCh) + .byte 0xf0 @ Complement Check (80000BDh) + .byte 0x00,0x00 @ Checksum (80000BEh) + +@--------------------------------------------------------------------------------- +rom_header_end: +@--------------------------------------------------------------------------------- + b start_vector @ This branch must be here for proper + @ positioning of the following header. + + .GLOBAL __boot_method, __slave_number +@--------------------------------------------------------------------------------- +__boot_method: +@--------------------------------------------------------------------------------- + .byte 0 @ boot method (0=ROM boot, 3=Multiplay boot) +@--------------------------------------------------------------------------------- +__slave_number: +@--------------------------------------------------------------------------------- + .byte 0 @ slave # (1=slave#1, 2=slave#2, 3=slave#3) + + .byte 0 @ reserved + .byte 0 @ reserved + .word 0 @ reserved + .word 0 @ reserved + .word 0 @ reserved + .word 0 @ reserved + .word 0 @ reserved + .word 0 @ reserved + + .fill 4096,1,0 @ 4kb of filler so no useful code gets overwritten when flash bytes get copied over the top. + .global start_vector + .align +@--------------------------------------------------------------------------------- +start_vector: +@--------------------------------------------------------------------------------- + +@--------------------------------------------------------------------------------- +@ Enter Thumb mode +@--------------------------------------------------------------------------------- + add r0, pc, #1 + bx r0 + + .thumb +@ Turn off sound + ldr r1, =0x4000084 + eor r0, r0, r0 + strh r0, [r1] + +@--------------------------------------------------------------------------------- +@ set heap end +@--------------------------------------------------------------------------------- + ldr r1, =fake_heap_end + ldr r0, =__eheap_end + str r0, [r1] +@--------------------------------------------------------------------------------- +@ global constructors +@--------------------------------------------------------------------------------- + ldr r3, =__libc_init_array + push {lr} + bl _blx_r3_stub +@--------------------------------------------------------------------------------- +@ Jump to user code +@--------------------------------------------------------------------------------- + mov r0, #0 @ int argc + mov r1, #0 @ char *argv[] + ldr r3, =main + bl _blx_r3_stub +@; If we're here, turn the sound back on before we return + ldr r1, =0x4000084 + mov r0, #0x8F + strh r0, [r1] + pop {pc} + +@--------------------------------------------------------------------------------- +_blx_r3_stub: +@--------------------------------------------------------------------------------- + bx r3 + + .align + .pool + .end + diff --git a/source/main.c b/source/main.c index 7fd5683..ad34eff 100644 --- a/source/main.c +++ b/source/main.c @@ -1,4 +1,5 @@ /* + * Copyright (c) 2017 slipstream/RoL * Copyright (C) 2016 FIX94 * * This software may be modified and distributed under the terms @@ -13,8 +14,6 @@ #include #include #include -#include -#include //from my tests 50us seems to be the lowest //safe si transfer delay in between calls @@ -27,9 +26,8 @@ void printmain() { printf("\x1b[2J"); printf("\x1b[37m"); - printf("GBA Link Cable Dumper v1.6 by FIX94\n"); - printf("Save Support based on SendSave by Chishm\n"); - printf("GBA BIOS Dumper by Dark Fader\n \n"); + printf("Pokemon Gen 3 GBA Multiboot PoC by slipstream/RoL\n"); + printf("Based on GBA Link Cable Dumper by FIX94\n\n"); } u8 *resbuf,*cmdbuf; @@ -46,21 +44,17 @@ void acb(s32 res, u32 val) resval = val; } -unsigned int docrc(u32 crc, u32 val) -{ - int i; - for(i = 0; i < 0x20; i++) - { - if((crc^val)&1) - { - crc>>=1; - crc^=0xa1c1; - } - else - crc>>=1; - val>>=1; +unsigned int docrc(u32 crc,u32 val) { + u32 result; + + result = val ^ crc; + for (int i = 0; i < 0x20; i++) { + if (result & 1) { + result >>= 1; + result ^= 0xA1C1; + } else result >>= 1; } - return crc; + return result; } void endproc() @@ -70,64 +64,7 @@ void endproc() VIDEO_WaitVSync(); exit(0); } -void fixFName(char *str) -{ - u8 i = 0; - for(i = 0; i < strlen(str); ++i) - { - if(str[i] < 0x20 || str[i] > 0x7F) - str[i] = '_'; - else switch(str[i]) - { - case '\\': - case '/': - case ':': - case '*': - case '?': - case '\"': - case '<': - case '>': - case '|': - str[i] = '_'; - break; - default: - break; - } - } -} -unsigned int calckey(unsigned int size) -{ - unsigned int ret = 0; - size=(size-0x200) >> 3; - int res1 = (size&0x3F80) << 1; - res1 |= (size&0x4000) << 2; - res1 |= (size&0x7F); - res1 |= 0x380000; - int res2 = res1; - res1 = res2 >> 0x10; - int res3 = res2 >> 8; - res3 += res1; - res3 += res2; - res3 <<= 24; - res3 |= res2; - res3 |= 0x80808080; - if((res3&0x200) == 0) - { - ret |= (((res3)&0xFF)^0x4B)<<24; - ret |= (((res3>>8)&0xFF)^0x61)<<16; - ret |= (((res3>>16)&0xFF)^0x77)<<8; - ret |= (((res3>>24)&0xFF)^0x61); - } - else - { - ret |= (((res3)&0xFF)^0x73)<<24; - ret |= (((res3>>8)&0xFF)^0x65)<<16; - ret |= (((res3>>16)&0xFF)^0x64)<<8; - ret |= (((res3>>24)&0xFF)^0x6F); - } - return ret; -} void doreset() { cmdbuf[0] = 0xFF; //reset @@ -135,6 +72,7 @@ void doreset() SI_Transfer(1,cmdbuf,1,resbuf,3,transcb,SI_TRANS_DELAY); while(transval == 0) ; } + void getstatus() { cmdbuf[0] = 0; //status @@ -142,6 +80,7 @@ void getstatus() SI_Transfer(1,cmdbuf,1,resbuf,3,transcb,SI_TRANS_DELAY); while(transval == 0) ; } + u32 recv() { memset(resbuf,0,32); @@ -151,6 +90,7 @@ u32 recv() while(transval == 0) ; return *(vu32*)resbuf; } + void send(u32 msg) { cmdbuf[0]=0x15;cmdbuf[1]=(msg>>0)&0xFF;cmdbuf[2]=(msg>>8)&0xFF; @@ -160,26 +100,7 @@ void send(u32 msg) SI_Transfer(1,cmdbuf,5,resbuf,1,transcb,SI_TRANS_DELAY); while(transval == 0) ; } -bool dirExists(const char *path) -{ - DIR *dir; - dir = opendir(path); - if(dir) - { - closedir(dir); - return true; - } - return false; -} -void createFile(const char *path, size_t size) -{ - int fd = open(path, O_WRONLY|O_CREAT); - if(fd >= 0) - { - ftruncate(fd, size); - close(fd); - } -} + void warnError(char *msg) { puts(msg); @@ -195,6 +116,68 @@ void fatalError(char *msg) sleep(5); exit(0); } + +u32 genKeyA() { + u32 retries = 0; + while (true) { + u32 key = 0; + if (retries > 32) { + key = 0xDD654321; + } else { + key = (rand() & 0x00ffffff) | 0xDD000000; + } + u32 unk = (key % 2 != 0); + u32 v12 = key; + for (u32 v13 = 1; v13 < 32; v13++) { + v12 >>= 1; + unk += (v12 % 2 != 0); + } + if ((unk >= 10 && unk <= 24)) { + if (retries > 4) printf("KeyA retries = %d",retries); + printf("KeyA = 0x%08x\n",key); + return key; + } + retries++; + } +} + +u32 checkKeyB(u32 KeyBRaw) { + if ((KeyBRaw & 0xFF) != 0xEE) { + printf("Invalid KeyB - lowest 8 bits should be 0xEE, actually 0x%02x\n",((u8)(KeyBRaw))); + return 0; + } + u32 KeyB = KeyBRaw & 0xffffff00; + u32 val = KeyB; + u32 unk = (val < 0); + for (u32 i = 1; i < 24; i++) { + val <<= 1; + unk += (val < 0); + } + if (unk > 14) { + printf("Invalid KeyB - high 24 bits bad: 0x%08x\n",KeyB); + return 0; + } + printf("Valid KeyB: 0x%08x\n",KeyB); + return KeyB; +} + +u32 deriveKeyC(u32 keyCderive, u32 kcrc) { + u32 keyc = 0; + u32 keyCi = 0; + do { + u32 v5 = 0x1000000 * keyCi - 1; + u32 keyCattempt = docrc(kcrc,v5); + //printf("i = %d; keyCderive = %08x; keyCattempt = %08x\n",keyCi,keyCderive,keyCattempt); + if (keyCderive == keyCattempt) { + keyc = v5; + printf("Found keyC: %08x\n",keyc); + return keyc; + } + keyCi++; + } while (keyCi < 256); + return keyc; +} + int main(int argc, char *argv[]) { void *xfb = NULL; @@ -216,19 +199,6 @@ int main(int argc, char *argv[]) PAD_Init(); cmdbuf = memalign(32,32); resbuf = memalign(32,32); - u8 *testdump = memalign(32,0x400000); - if(!testdump) return 0; - if(!fatInitDefault()) - { - printmain(); - fatalError("ERROR: No usable device found to write dumped files to!"); - } - mkdir("/dumps", S_IREAD | S_IWRITE); - if(!dirExists("/dumps")) - { - printmain(); - fatalError("ERROR: Could not create dumps folder, make sure you have a supported device connected!"); - } int i; while(1) { @@ -251,305 +221,98 @@ int main(int argc, char *argv[]) } PAD_ScanPads(); VIDEO_WaitVSync(); - if(PAD_ButtonsHeld(0)) + if(PAD_ButtonsDown(0) & PAD_BUTTON_START) endproc(); } - if(resval & SI_GBA) + if (resval & SI_GBA) { printf("GBA Found! Waiting on BIOS\n"); resbuf[2]=0; - while(!(resbuf[2]&0x10)) + u32 oldresult = 0; + u32 newresult = 0; + // wait for the BIOS to hand over to the game + do { + doreset(); + } while (!(resbuf[1] > 4)); + printf("BIOS handed over to game, waiting on game\n"); + do { doreset(); - getstatus(); - } - printf("Ready, sending dumper\n"); + } while((resbuf[0] != 0) || !(resbuf[2]&0x10)); + // receive the game-code from GBA side. + u32 gamecode = recv(); + printf("Ready, sending multiboot ROM\n"); unsigned int sendsize = ((gba_mb_gba_size+7)&~7); - unsigned int ourkey = calckey(sendsize); + // generate KeyA + unsigned int ourkey = genKeyA(); //printf("Our Key: %08x\n", ourkey); - //get current sessionkey - u32 sessionkeyraw = recv(); - u32 sessionkey = __builtin_bswap32(sessionkeyraw^0x7365646F); - //send over our own key - send(__builtin_bswap32(ourkey)); - unsigned int fcrc = 0x15a0; - //send over gba header - for(i = 0; i < 0xC0; i+=4) - send(__builtin_bswap32(*(vu32*)(gba_mb_gba+i))); - //printf("Header done! Sending ROM...\n"); - for(i = 0xC0; i < sendsize; i+=4) + printf("Sending game code that we got: 0x%08x\n",__builtin_bswap32(gamecode)); + // send the game code back, then KeyA. + send(__builtin_bswap32(gamecode)); + send(ourkey); + // get KeyB from GBA, check it to make sure its valid, then xor with KeyA to derive the initial CRC value and the sessionkey. + u32 sessionkeyraw = 0; + do { + sessionkeyraw = recv(); + } while (sessionkeyraw == gamecode); + sessionkeyraw = checkKeyB(__builtin_bswap32(sessionkeyraw)); + u32 sessionkey = sessionkeyraw ^ ourkey; + u32 kcrc = sessionkey; + printf("start kCRC=%08x\n",kcrc); + sessionkey = (sessionkey*0x6177614b)+1; + // send hacked up send-size in uint32s + u32 hackedupsize = (sendsize >> 3) - 1; + printf("Sending hacked up size 0x%08x\n",hackedupsize); + send(hackedupsize); + //unsigned int fcrc = 0x00bb; + // send over multiboot binary header, in the clear until the end of the nintendo logo. + // GBA checks this, if nintendo logo does not match the one in currently inserted cart's ROM, it will not accept any more data. + for(i = 0; i < 0xA0; i+=4) { + vu32 rom_dword = *(vu32*)(gba_mb_gba+i); + send(__builtin_bswap32(rom_dword)); + } + printf("\n"); + printf("Header done! Sending ROM...\n"); + // Add each uint32 of the multiboot image to the checksum, encrypt the uint32 with the session key, increment the session key, send the encrypted uint32. + for(i = 0xA0; i < sendsize; i+=4) { - u32 enc = ((gba_mb_gba[i+3]<<24)|(gba_mb_gba[i+2]<<16)|(gba_mb_gba[i+1]<<8)|(gba_mb_gba[i])); - fcrc=docrc(fcrc,enc); + u32 dec = ( + ((gba_mb_gba[i+3]) << 24) & 0xff000000 | + ((gba_mb_gba[i+2]) << 16) & 0x00ff0000 | + ((gba_mb_gba[i+1]) << 8) & 0x0000ff00 | + ((gba_mb_gba[i]) << 0) & 0x000000ff + ); + u32 enc = (dec - kcrc) ^ sessionkey; + kcrc=docrc(kcrc,dec); sessionkey = (sessionkey*0x6177614B)+1; - enc^=sessionkey; - enc^=((~(i+(0x20<<20)))+1); - enc^=0x20796220; + //enc^=((~(i+(0x20<<20)))+1); + //enc^=0x6f646573;//0x20796220; send(enc); } - fcrc |= (sendsize<<16); - //printf("ROM done! CRC: %08x\n", fcrc); - //send over CRC - sessionkey = (sessionkey*0x6177614B)+1; - fcrc^=sessionkey; - fcrc^=((~(i+(0x20<<20)))+1); - fcrc^=0x20796220; - send(fcrc); + //fcrc |= (sendsize<<16); + printf("ROM done! CRC: %08x\n", kcrc); //get crc back (unused) - recv(); - printf("Done!\n"); - sleep(2); - //hm - while(1) - { - printmain(); - printf("Press A once you have a GBA Game inserted.\n"); - printf("Press Y to backup the GBA BIOS.\n \n"); - PAD_ScanPads(); - VIDEO_WaitVSync(); - u32 btns = PAD_ButtonsDown(0); - if(btns&PAD_BUTTON_START) - endproc(); - else if(btns&PAD_BUTTON_A) - { - if(recv() == 0) //ready - { - printf("Waiting for GBA\n"); - VIDEO_WaitVSync(); - int gbasize = 0; - while(gbasize == 0) - gbasize = __builtin_bswap32(recv()); - send(0); //got gbasize - u32 savesize = __builtin_bswap32(recv()); - send(0); //got savesize - if(gbasize == -1) - { - warnError("ERROR: No (Valid) GBA Card inserted!\n"); - continue; - } - //get rom header - for(i = 0; i < 0xC0; i+=4) - *(vu32*)(testdump+i) = recv(); - //print out all the info from the game - printf("Game Name: %.12s\n",(char*)(testdump+0xA0)); - printf("Game ID: %.4s\n",(char*)(testdump+0xAC)); - printf("Company ID: %.2s\n",(char*)(testdump+0xB0)); - printf("ROM Size: %02.02f MB\n",((float)(gbasize/1024))/1024.f); - if(savesize > 0) - printf("Save Size: %02.02f KB\n \n",((float)(savesize))/1024.f); - else - printf("No Save File\n \n"); - //generate file paths - char gamename[64]; - sprintf(gamename,"/dumps/%.12s [%.4s%.2s].gba", - (char*)(testdump+0xA0),(char*)(testdump+0xAC),(char*)(testdump+0xB0)); - fixFName(gamename+7); //fix name behind "/dumps/" - char savename[64]; - sprintf(savename,"/dumps/%.12s [%.4s%.2s].sav", - (char*)(testdump+0xA0),(char*)(testdump+0xAC),(char*)(testdump+0xB0)); - fixFName(savename+7); //fix name behind "/dumps/" - //let the user choose the option - printf("Press A to dump this game, it will take about %i minutes.\n",gbasize/1024/1024*3/2); - printf("Press B if you want to cancel dumping this game.\n"); - if(savesize > 0) - { - printf("Press Y to backup this save file.\n"); - printf("Press X to restore this save file.\n"); - printf("Press Z to clear the save file on the GBA Cartridge.\n\n"); - } - else - printf("\n"); - int command = 0; - while(1) - { - PAD_ScanPads(); - VIDEO_WaitVSync(); - u32 btns = PAD_ButtonsDown(0); - if(btns&PAD_BUTTON_START) - endproc(); - else if(btns&PAD_BUTTON_A) - { - command = 1; - break; - } - else if(btns&PAD_BUTTON_B) - break; - else if(savesize > 0) - { - if(btns&PAD_BUTTON_Y) - { - command = 2; - break; - } - else if(btns&PAD_BUTTON_X) - { - command = 3; - break; - } - else if(btns&PAD_TRIGGER_Z) - { - command = 4; - break; - } - } - } - if(command == 1) - { - FILE *f = fopen(gamename,"rb"); - if(f) - { - fclose(f); - command = 0; - warnError("ERROR: Game already dumped!\n"); - } - } - else if(command == 2) - { - FILE *f = fopen(savename,"rb"); - if(f) - { - fclose(f); - command = 0; - warnError("ERROR: Save already backed up!\n"); - } - } - else if(command == 3) - { - size_t readsize = 0; - FILE *f = fopen(savename,"rb"); - if(f) - { - fseek(f,0,SEEK_END); - readsize = ftell(f); - if(readsize != savesize) - { - command = 0; - warnError("ERROR: Save has the wrong size, aborting restore!\n"); - } - else - { - rewind(f); - fread(testdump,readsize,1,f); - } - fclose(f); - } - else - { - command = 0; - warnError("ERROR: No Save to restore!\n"); - } - } - send(command); - //let gba prepare - sleep(1); - if(command == 0) - continue; - else if(command == 1) - { - //create base file with size - printf("Preparing file...\n"); - createFile(gamename,gbasize); - FILE *f = fopen(gamename,"wb"); - if(!f) - fatalError("ERROR: Could not create file! Exit..."); - printf("Dumping...\n"); - u32 bytes_read = 0; - while(gbasize > 0) - { - int toread = (gbasize > 0x400000 ? 0x400000 : gbasize); - int j; - for(j = 0; j < toread; j+=4) - { - *(vu32*)(testdump+j) = recv(); - bytes_read+=4; - if((bytes_read&0xFFFF) == 0) - printf("\r%02.02f MB done",(float)(bytes_read/1024)/1024.f); - } - fwrite(testdump,toread,1,f); - gbasize -= toread; - } - printf("\nClosing file\n"); - fclose(f); - printf("Game dumped!\n"); - sleep(5); - } - else if(command == 2) - { - //create base file with size - printf("Preparing file...\n"); - createFile(savename,savesize); - FILE *f = fopen(savename,"wb"); - if(!f) - fatalError("ERROR: Could not create file! Exit..."); - printf("Waiting for GBA\n"); - VIDEO_WaitVSync(); - u32 readval = 0; - while(readval != savesize) - readval = __builtin_bswap32(recv()); - send(0); //got savesize - printf("Receiving...\n"); - for(i = 0; i < savesize; i+=4) - *(vu32*)(testdump+i) = recv(); - printf("Writing save...\n"); - fwrite(testdump,savesize,1,f); - fclose(f); - printf("Save backed up!\n"); - sleep(5); - } - else if(command == 3 || command == 4) - { - u32 readval = 0; - while(readval != savesize) - readval = __builtin_bswap32(recv()); - if(command == 3) - { - printf("Sending save\n"); - VIDEO_WaitVSync(); - for(i = 0; i < savesize; i+=4) - send(__builtin_bswap32(*(vu32*)(testdump+i))); - } - printf("Waiting for GBA\n"); - while(recv() != 0) - VIDEO_WaitVSync(); - printf(command == 3 ? "Save restored!\n" : "Save cleared!\n"); - send(0); - sleep(5); - } - } - } - else if(btns&PAD_BUTTON_Y) - { - const char *biosname = "/dumps/gba_bios.bin"; - FILE *f = fopen(biosname,"rb"); - if(f) - { - fclose(f); - warnError("ERROR: BIOS already backed up!\n"); - } - else - { - //create base file with size - printf("Preparing file...\n"); - createFile(biosname,0x4000); - f = fopen(biosname,"wb"); - if(!f) - fatalError("ERROR: Could not create file! Exit..."); - //send over bios dump command - send(5); - //the gba might still be in a loop itself - sleep(1); - //lets go! - printf("Dumping...\n"); - for(i = 0; i < 0x4000; i+=4) - *(vu32*)(testdump+i) = recv(); - fwrite(testdump,0x4000,1,f); - printf("Closing file\n"); - fclose(f); - printf("BIOS dumped!\n"); - sleep(5); - } - } - } + // Get KeyC derivation material from GBA (eventually) + u32 keyCderive = 0; + do { + keyCderive = recv(); + } while (keyCderive <= 0xfeffffff); + keyCderive = __builtin_bswap32(keyCderive); + keyCderive >>= 8; + printf("KeyC derivation material: %08x\n",keyCderive); + + // (try to) find the KeyC, using the checksum of the multiboot image, and the derivation material that GBA sent to us + + u32 keyc = deriveKeyC(keyCderive,kcrc); + if (keyc == 0) printf("Could not find keyC - kcrc=0x%08x\n",kcrc); + + // derive the boot key from the found KeyC, and send to GBA. if this is not correct, GBA will not jump to the multiboot image it was sent. + u32 bootkey = docrc(0xBB,keyc) | 0xbb000000; + printf("BootKey = 0x%08x\n",bootkey); + send(bootkey); + + printf("Done! Press any key to start sending again.\n"); + do { PAD_ScanPads(); } while (!PAD_ButtonsDown(0)); } } return 0; -- cgit 1.4.1