DSTWO FPGA Interface
I don’t know the details, but here is some information necessary to implement ntrcardhax.
#Ports FIFO: 0xB4000000
Control: 0xB4000002
Control2: 0xB4000004
##Control 5: FIFO clear
7: Mode for compatibility?
10: Mode
#Initialization ```C #define GPIO_ADDR_RECOVER() \ do { \ REG_GPIO_PXFUNS(2) = 0x065Cffff; \ REG_GPIO_PXSELC(2) = 0x065Cffff; \ REG_GPIO_PXPES(2) = 0x065Cffff; \ REG_GPIO_PXFUNC(2) = 0x00820000; \ REG_GPIO_PXSELC(2) = 0x00820000; \ REG_GPIO_PXPES(2) = 0x00820000; \ REG_GPIO_PXDIRS(2) = 0x00820000; \ REG_GPIO_PXDATC(2) = GPIO_ADDR_15; \ } while(0)
#define INITFPGAPORTTIME() \ do{ \ REG_EMC_SMCR2 = ((0«24)|/strv/(3«20)|/taw r */(2«16)|/tbp w /(2«12) |/tah/(3«8) |/tas / (1«6)|/bw 16 / (0«3)|/bcm / (0«1)|/bl/(0«0) /smt / );\ REG_EMC_SACR2 =( (0x14«8)|/BASE/(0xfc«0));/MASK */\ } while (0) #endif
#define SET_ADDR_GROUP(n) \ do { \ ndelay(); \ REG_GPIO_PXDATS(2) = n; \ REG_GPIO_PXDATC(2) = n ^ (SA4 | SA3);\ } while(0)
#define SET_ADDR_DEFT() \ ndelay(); \ SET_ADDR_GROUP(0)
void init() { GPIO_ADDR_RECOVER(); INITFPGAPORTTIME(); SET_ADDR_GROUP(1«23); FIFO=0x6bf3; Control=0xf0c2; Control2=0x9252; SET_ADDR_DEFT(); Control=0;
udelay(1); } ```
#NTR Command It corresponds to CARD_COMMAND in libnds. The command length is 64 bit, so read the FIFO port 4 times.
##IRQ Enable IRQ for GPIO Port 107. See Jz4740 document for the details.
#Response It corresponds to REG_CARD_DATA_RD in libnds.
Write to the mode port: Mode = 1, Mode for compatibility = 1, FIFO clear = 1.
Write the response to the FIFO port using DMA. See Jz4740 document for the details of DMA.
#How to exploit As you can see, you can send arbitrary data. Usually 3DS requests 0x200 bytes, so, we should send valid information if it requests 0x200 bytes. However, if it requests 0x4000 bytes, which is the sign of ARM11 attack, reply the payload, and boom.
#Further Improvement for ntrcardhax In the presentation of 32C3, ARM11 overwrites the lengh of the response. What if we can modify the length in DSTWO FPGA? It depends on whether the controller of NTRCARD in 3DS accepts the corrupted response.
