A Bricker (sometimes known as CrashME) is a program that turns some nice piece of electronic into a useless hunk of plastic. Usually by overwriting the firmware rendering it inoperable.
On October 7 2005 DarkFader released the first bricker for the DS. The first version disguised as a hentai slideshow did not get widely spread, but the second version disguised as a loader for commercial roms did.
The bricker only overwrites the upper parts of the firmware. The lower layers are not accessible unless you short out the SL1 on the DS board. This means that if you have installed Flashme you have recovery code in the lower layers that lets you recover from the bricking. However if your DS has vanilla firmware... it's bricked.
There were two versions of the bricker released, first taihen.zip and then r0mloader.zip.
Recently a 3rd, yet unconfirmed new variant, was discovered disguised as a Mario Party DS ROM. The file is 58,5 MB (61 350 912 bytes), contained a legit header, and was not flagged by DSLazy as being the DS Bricker.
- r0mloader.nds, 151 361 bytes, CRC32 1EFB58BA
- r0mloader.txt with the following contents
r0m loader for Nintendo DS It automatically patches the game during load. You can switch DS card/GBA cart save and save settings per game. Put the loader on a CF or SD card together with the NDS files. Start the loader and select the NDS to play! Enjoy. Currently supports: * Supercard * GBA Movie player Future support: * G6 * M3
- taihen.nds, 548 673 bytes, CRC32 08AA2D30
- taihen.txt with the following contents
This is a small hentai slideshow for the Nintendo DS. Enjoy!An interesting note: "Taihen" in Japanese means "dreadful" or "terrible", it is also an anagram of "Hentai."
Unbricking the DS
It is easiest to recover a bricked DS if FlashMe was previously installed, so consider installing FlashMe as protection against permanent bricking. If your DS has FlashMe installed, and you own a flash cart, you only need to reinstall FlashMe by following these steps:
- Download FlashMe
- Put FlashMe on your flash cart by itself, without any loader. If your flash cart software mangles the header, you must prepend a loader to the nds file. To do this:
- Put flashme.nds and ndsloader.bin in "c:\flash"
- Click Start->Run and type "cmd" if you are using Windows 2000 or XP, or type "command" if you are using Windows 95, 98 or ME
- In the box that opens type "cd c:\flash"
- Type "copy /b ndsloader.bin + flashme.nds flashme.nds.gba"
- Flash flashme.nds.gba to your flash cart, by itself, without any other loaders
- Put the flash cart in your DS
- Hold down A+B+Start+Select and while still holding the buttons down turn on your DS
- Run FlashMe as instructed on screen
If FlashMe was not previously installed there is still a way to recover. It involves a hardware hack and requires soldering skills. To repair the DS in this way, download the parallel port flasher from DarkFader's site. Follow the instructions included in the zip.
Unbricking the GBA Movie Player / Supercard
To do this, you will require either another GBAMP/SC, a flash cart, a DS with FlashMe installed and a WMB compatible WiFi card, or a GBA and a multiboot cable.
- Download the latest GBAMP flasher by Chishm or locate DF's flashmp.zip for SC
- Start one of the files in the zip which ever way you can. Use flashme.gba if you are using a flashcart, a multiboot cable or another GBAMP. Use flashme.nds if you are using WMB on a DS.
- While the flasher is still loaded, and the GBA/DS is turned on, pull out the flash cart or good GBAMP and insert the bricked GBAMP
- Hold L+R and press Start to run the repair utility
- Download the latest GBAMP update
- Put the update on the root directory of your CF card and put the CF card in your GBAMP. If Windows asks, allow it to format your CF card
- Run the GBAMP update and press Start when prompted
- Remove the update file and put flashmp.gba on the CF card
- Start the GBAMP with the CF card inserted
- Go to Game, and run flashmp.gba
- This time, hold L+R and press Select to install the NDS hack
Congratulations, you have just recovered your GBAMP.
Response From Darkfader's Web Site
I want to say sorry to everyone out there. I should have realized the impact. Not just few DS'es that were hurt, but all the damn media and whatnot. I cannot really justify my actions. It was also very selfish to draw some attention, which I tend to do in odd ways. It caused some harm to some non-targetted and targetted people owning a DS with non-Nintendo-approved hardware. And that is a terrible thing to do. Even more so with the reputation I had in the DS homebrew scene that now completely abandoned me. I do not have clear reasons and I can't blaim the little headache I had at the time. I just had to realize the idea I had after seeing the PSP variant of a bricker. The files do not come with any form of name/signature of me, a thing I would do if it could be trusted. I won't release any more of this crap for DS and I don't think parts of this trojan or the idea itself will emerge in future homebrew releases. The point is probably clear. Do not run any form of untrusted code that just suddenly appears without any name. If you only use official Nintendo games, there is absolutely nothing to worry about. Untrusted code includes ROM loaders and that sort of stuff. It's probably not a very good reason since it has been proven before. I can tell that the negative feedback is far greater than the positive ones. I received one donation of $6.66 and I'm not proud of it. One news site completely ignores the r0mloader version and reasoning behind it. grrrrr. Another common mistake: A TROJAN IS NOT A VIRUS! That means that it does not propagate on its own. And thus non-intrusive.
The trojan was released in two forms: Trojan.DSBrick.A, 151361 bytes, md5sum a959cfa514f4c7162a81421ee99d3356, r0mloader.nds Version A was intended for the so called ROM-pirates. Hence the name of the filename and description.
Trojan.DSBrick.B, 548673 bytes, md5sum 8e7a3728759df265ca3a78553cf27bb8, taihen.nds Version B was not really released into public and should rarely be seen. It was only directly released in a closed IRC channel with prior notice of what it did and a comment that might have triggered some (less evil than me) persons to pass it along.
I cannot control the propagation of the files or the names it might be disguised as.
Ok, on to the more technical details: The trojan _tries_ (but not definately succeeds) to:
- Erase DS firmware. Practically the first 64 KBytes are write-protected and thus is recoverable when the FlashMe firmware was installed.
- Erase first few sectors of CompactFlash card inside GBA movieplayer. You can try to sort out your data sectors if you really want something back.
- Erase GBA movieplayer firmware. Fairly easy to fix using flashmp utility.
- Erase Supercard firmware. A fix is currently being worked on.
- Erase/lock XG/Neo flash card. Seems it was forgotten to be mentioned in r0mloader.txt.
If you have a legal use for these functions like testing recovery tools, you're welcome.
Here are some fixing utilities and links: ppflash.zip - Contains info, sourcecode and binary to flash the fail-safe loader also contained in FlashMe using a parallel port connection. Some soldering skills are required to perform this operation. Don't worry about voiding your warranty because you already have according to the DS manuals. FlashMe - The page to get FlashMe. You can't survive without it. flashmp.zip - Firmware flasher for GBA Movie Player. Supports writing to Supercard, but the included firmware IS NOT WORKING probably because of a bad firmware dump! If you have an original firmware version and Flash Advance Linker, let me know. Probably more to come. You can detect DSbrick by using DSbrick.signature and the utility grep: grep -F -U -f DSbrick.signature FileToBeTested.nds A good way to prevent malicious firmware access is to keep a record of known ARM7 binaries. This could be incorporated into ndstool.