How can I find the DS Trojan Horses?

Theraptor33

New Member
OP
Newbie
Joined
Mar 10, 2023
Messages
2
Trophies
0
Age
38
XP
29
Country
Antarctica
Screenshot_20230310-125817_Samsung Internet.jpg


CrashMe, better known as DSBrick, is a trojan horse created in 2005 by Darkfader and distributed for the Nintendo DS under the name "r0mloader" or "taihen", depending on the version.
There were 2 versions of CrashMe.
The malware pretended to be either a ROM patcher or a viewer of hentai images (Japanese pornographic drawings).

Once the trojan was executed, it deleted the firmware, preventing the poor DS from booting.
It would then display either a brick wall or the said porn drawings.

troj_dsbrick_a.gif
troj_dsbrick_b_img1.gif


The discredited developer quickly apologized; however, many variants were later created for the DS and 3DS by other people who were inspired by the original malware.
This malware was also posted on pirated ROM sites under the names "Dragon Quest IX" or "Mario Party DS".

I would like to analyze these trojans and test them on an emulator, but they cannot be found due to the removal of the old download links.
The developer who regrets these actions no longer wishes to distribute them.

Do you have any idea where I could find them?
 
  • Wow
Reactions: Blauhasenpopo

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,348
Country
United Kingdom
By and large we frown upon the distribution of such things and thus you need to have a very good reason, and very good track record (neither of which are generally available to 1 post accounts, though you could be some security researcher) to have someone around here even consider it.

"many variants for the DS"
Oh? As trivial as it would have been (what is the only thing you can do that won't be wiped by resetting the device? Oh look, it is a simple command technically included with most of the games post Mario Kart and far from unknown before then) I am not aware of any beyond a few padded-out things on some ROM sites, and some similar social engineering efforts when some charming fellows managed to squeak a copy.
 
  • Like
Reactions: Tomato123

Tomato123

Well-Known Member
Member
Joined
Feb 8, 2020
Messages
734
Trophies
1
Location
England
XP
2,521
Country
United Kingdom
I actually do have both of these. However, I won't share them due to the reason above. I doubt anyone could cause any real damage by releasing these nowadays, but still not a great look to be sharing around literal malware. If you are determined to get them, I will at least give you a hint that you can google one of the file names and you might come across something on Twitter.
 

Theraptor33

New Member
OP
Newbie
Joined
Mar 10, 2023
Messages
2
Trophies
0
Age
38
XP
29
Country
Antarctica
I actually do have both of these. However, I won't share them due to the reason above. I doubt anyone could cause any real damage by releasing these nowadays, but still not a great look to be sharing around literal malware. If you are determined to get them, I will at least give you a hint that you can google one of the file names and you might come across something on Twitter.
Thank you very much Tomato123.
After some research, I finally found them. I did not think that my request could pose a problem because, as you said, it is software that cannot do much damage today, and it is also quite complicated to install on a real Nintendo DS for the average person.

I don't intend to distribute them, I really intend to test them on an emulator and decompile them to understand how they work.

And to answer FAST6191: I had an account before but I lost the login details, so I recreated an account for the occasion of my request.
Thanks anyway, have a nice day ^_^
 

DinohScene

Gay twink catboy
Global Moderator
Joined
Oct 11, 2011
Messages
22,550
Trophies
4
Location
Восторг
XP
22,794
Country
Antarctica
Don't you need to like jam tweezers in the back of your ds to flash the firmware?

It won't save you if you don't have FlashMe installed prior to executing the trojans on real hardware.

Part of the "bios" is write protected until you bridge the said connection on the back, FlashMe installations require the points to be bridged for a successful installation.
If one has FlashMe installed and would launch said trojans, a Slot2 card could then be utilised to unbrick the DS by flashing a FW back to the handheld.
 
  • Like
Reactions: Jokey_Carrot

Tomato123

Well-Known Member
Member
Joined
Feb 8, 2020
Messages
734
Trophies
1
Location
England
XP
2,521
Country
United Kingdom
Don't you need to like jam tweezers in the back of your ds to flash the firmware?
If you want to be able to re-write the whole thing, yes. But for a brick, you only need to be able to destroy enough to cause an error somewhere else to occur. If I had to guess, the brick happens because information like the date and whatever else is actually writable inside the firmware. But I'm far from an expert on the internals of the NDS. This is what the author of it said it does:

The trojan _tries_ (but not definitely succeeds) to:
* Erase DS firmware. Practically the first 64 KBytes are write-protected and thus is recoverable when the FlashMe firmware was installed.
* Erase first few sectors of CompactFlash card inside GBA movieplayer. You can try to sort out your data sectors if you really want something back.
* Erase GBA movieplayer firmware. Fairly easy to fix using flashmp utility.
* Erase Supercard firmware. A fix is currently being worked on.
* Erase XG/Neo flash card. Seems it was forgotten to be mentioned in r0mloader.txt.
 
  • Like
Reactions: Jokey_Carrot

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,348
Country
United Kingdom
Don't you need to like jam tweezers in the back of your ds to flash the firmware?
Technically the tweezers was a Wii related hack, though the same principle (closing a write enable connection in hardware that software can't touch) was in play. DS Lites you need to short all the time and thus I believe are immune to this (give or take further social engineering someone into doing it); the original DS had a section you could write to without needing to do so manually, and that included enough area that you could brick a device* if it was messed with (and the minimal boot options of FlashMe or equivalent were not present).

*you could replace the firmware with another like we have seen recently and ppflash if you wanted to play further with hardware http://web.archive.org/web/20221127042957/https://www.darkfader.net/ds/
 
  • Like
Reactions: Jokey_Carrot

rvtr

Nintendo DS hoarder
Member
Joined
Oct 18, 2019
Messages
325
Trophies
2
Age
18
Location
$C000-CFFF
Website
randommeaninglesscharacters.com
XP
5,174
Country
Canada
If you want to be able to re-write the whole thing yes. But for a brick, you only need to be able to destroy enough to cause an error somewhere else to occur. If I had to guess, it's because information like the date and whatever else is actually writable inside of the firmware as to why the brick happens. But I'm far from an expert on the internals of the NDS. This is what the author of it said it does:
I've run r0mloader and taihen on real hardware (not bridging SL1) and didn't have a brick. It just wiped the settings region and made me go through the system setup again. Does anyone know if this varies between firmware versions?

It will 100% brick if you bridge SL1 though. At least unbricking is pretty easy (buy $0.33 WiFi board and hotswap it to restore the original).

Edit: I only mentioned the method for DS lites. For phats you can extract the flash chip from the WiFi board and write new firmware to it with a SOP8 programmer (or do a transplant with a DS cartridge save chip flashed with the firmware lmao).
 
Last edited by rvtr.

Tomato123

Well-Known Member
Member
Joined
Feb 8, 2020
Messages
734
Trophies
1
Location
England
XP
2,521
Country
United Kingdom
I've run r0mloader and taihen on real hardware (not bridging SL1) and didn't have a brick. It just wiped the settings region and made me go through the system setup again. Does anyone know if this varies between firmware versions?

It will 100% brick if you bridge SL1 though. At least unbricking is pretty easy (buy $0.33 WiFi board and hotswap it to restore the original).
Was it a lite you ran it on? I think those have more protection on the firmware so it's harder to brick by the methods this uses.
 

rvtr

Nintendo DS hoarder
Member
Joined
Oct 18, 2019
Messages
325
Trophies
2
Age
18
Location
$C000-CFFF
Website
randommeaninglesscharacters.com
XP
5,174
Country
Canada
Was it a lite you ran it on? I think those have more protection on the firmware so it's harder to brick by the methods this uses.
Yeah, I was using lites. That would explain it. Thanks!

Also does anyone have the hashes to the dragon quest and mario party versions of the trojan?
 
  • Like
Reactions: Tomato123

Tomato123

Well-Known Member
Member
Joined
Feb 8, 2020
Messages
734
Trophies
1
Location
England
XP
2,521
Country
United Kingdom
Yeah, I was using lites. That would explain it. Thanks!

Also does anyone have the hashes to the dragon quest and mario party versions of the trojan?
As far as I can tell, the dragon quest one seems to be identical to "taihen". The Mario Party one is a larger size but I suspect it's just "r0mloader" padded with extra junk data to make it look more legit. Can't find a rom or hash for either of those so can't verify that.
 
  • Like
Reactions: rvtr

rvtr

Nintendo DS hoarder
Member
Joined
Oct 18, 2019
Messages
325
Trophies
2
Age
18
Location
$C000-CFFF
Website
randommeaninglesscharacters.com
XP
5,174
Country
Canada
As far as I can tell, the dragon quest one seems to be identical to "taihen". The Mario Party one is a larger size but I suspect it's just "r0mloader" padded with extra junk data to make it look more legit. Can't find a rom or hash for either of those so can't verify that.
I know very little about the mario party one but dragon quest seems to be slightly different from taihen.
(left: taihen, right: dragon quest)
1678466466333.png
1678466472154.png
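One way to check the kind of claim made in the two posts above (that the Dragon Quest file is the same as taihen, and that the Mario Party one is r0mloader padded with junk) without eyeballing screenshots, as an added Python example that is not from this thread or from any of the posters: it hashes each ARM binary named in the NDS header separately, so appended filler cannot hide a code match, and tests whether one file is simply the other plus filler. The header offsets are the publicly documented ones (GBATEK); the sample ROMs are constructed inline and contain no real malware.

```python
import hashlib
import struct

# NDS cartridge header (0x200 bytes): ARM9/ARM7 offset and size fields (GBATEK).
HEADER = 0x200
ARM9_OFF, ARM9_SIZE, ARM7_OFF, ARM7_SIZE = 0x20, 0x2C, 0x30, 0x3C

def _binary(rom, off_field, size_field):
    """Slice out one ARM binary using the header's offset and size fields."""
    start, size = (struct.unpack_from("<I", rom, f)[0] for f in (off_field, size_field))
    return rom[start:start + size]

def nds_summary(rom):
    """Whole-file hash plus one hash per ARM binary (unaffected by appended junk)."""
    return {
        "title": rom[:12].rstrip(b"\0").decode("ascii", "replace"),
        "size": len(rom),
        "sha256": hashlib.sha256(rom).hexdigest(),
        "arm9": hashlib.sha256(_binary(rom, ARM9_OFF, ARM9_SIZE)).hexdigest(),
        "arm7": hashlib.sha256(_binary(rom, ARM7_OFF, ARM7_SIZE)).hexdigest(),
    }

def padded_variant(a, b):
    """True if the larger file is the smaller one plus only 0x00/0xFF filler."""
    small, big = sorted((a, b), key=len)
    tail = big[len(small):]
    return big.startswith(small) and bool(tail) and set(tail) <= {0x00, 0xFF}

def compare(a, b):
    sa, sb = nds_summary(a), nds_summary(b)
    return {
        "identical": sa["sha256"] == sb["sha256"],
        "same_code": sa["arm9"] == sb["arm9"] and sa["arm7"] == sb["arm7"],
        "padded": padded_variant(a, b),
    }

def make_fake_rom(title, arm9, arm7):
    """Constructed stand-in for a real dump: header, then ARM9, then ARM7."""
    hdr = bytearray(HEADER)
    hdr[:12] = title.ljust(12, b"\0")
    for field, value in ((ARM9_OFF, HEADER), (ARM9_SIZE, len(arm9)),
                         (ARM7_OFF, HEADER + len(arm9)), (ARM7_SIZE, len(arm7))):
        struct.pack_into("<I", hdr, field, value)
    return bytes(hdr) + arm9 + arm7

# Constructed samples (not real malware bytes): same code under two titles, one padded.
CODE9, CODE7 = bytes(range(256)) * 2, bytes(range(255, -1, -1))
SAMPLE_A = make_fake_rom(b"TAIHEN", CODE9, CODE7)
SAMPLE_B = make_fake_rom(b"DRAGON QUEST", CODE9, CODE7)
SAMPLE_C = SAMPLE_A + b"\xff" * 4096
```

Run `compare()` on two real dumps to see whether they differ only in the header (same_code), only in trailing filler (padded), or in the code itself.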
 

Tomato123

Well-Known Member
Member
Joined
Feb 8, 2020
Messages
734
Trophies
1
Location
England
XP
2,521
Country
United Kingdom

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    BigOnYa @ BigOnYa: https://torrentfreak.com/one-nintendo-dmca-notice-just-wiped-out-8535-yuzu-emulator-forks-240502/