Difference between revisions of "CrashMe"

From Rare Gaming Dump
 
(2 intermediate revisions by one other user not shown)
Line 23: Line 23:
 
Enjoy!</nowiki>
 
Enjoy!</nowiki>
 
The program was disguised as a hentai viewer which would show 5 images of uncensored hentai. But before these images, the following things will happen without the user knowing:
 
The program was disguised as a hentai viewer which would show 5 images of uncensored hentai. But before these images, the following things will happen without the user knowing:
*The first 64kb of the DS's firmware is overwritten by junk data, preventing the unit from starting up. Unless you have FlashMe installed, you could recover
+
*The first 64kb of the DS's firmware is overwritten by junk data, preventing the unit from starting up. Unless, and only if you have FlashMe installed, you could recover.
 
*The first sectors of a inserted GBA Movie Player gets erased, but can be recovered.
 
*The first sectors of a inserted GBA Movie Player gets erased, but can be recovered.
 
*The firmware for both the SuperCard and the XG/Neo get erased. This cannot be recovered.
 
*The firmware for both the SuperCard and the XG/Neo get erased. This cannot be recovered.
Line 97: Line 97:
 
Contents: taihen.nds, taihen.txt
 
Contents: taihen.nds, taihen.txt
 
NDS MD5 Hash: 8e7a3728759df265ca3a78553cf27bb8
 
NDS MD5 Hash: 8e7a3728759df265ca3a78553cf27bb8
NDS SHA1 Hash: Unknown?
+
NDS SHA1 Hash: 016e6a6f4eae4fa60960c7617849430cb3e52814
 
NDS CRC32 Hash: 08aa2d30
 
NDS CRC32 Hash: 08aa2d30
 
NDS Filesize: 548 673 bytes</nowiki>
 
NDS Filesize: 548 673 bytes</nowiki>
  
'''Dragon Quest IX (DS Owata):'''
+
'''DS Owata (Dragon Quest IX):'''
 
  <nowiki>
 
  <nowiki>
 
Filename: Dragon_Quest_IX_JPN_DSi_Enhanced_NDS-iND.rar</nowiki>
 
Filename: Dragon_Quest_IX_JPN_DSi_Enhanced_NDS-iND.rar</nowiki>
Line 183: Line 183:
 
*[https://www.youtube.com/watch?v=pNO_Vfl_aQk A video of Trojan.DSBrick.A]
 
*[https://www.youtube.com/watch?v=pNO_Vfl_aQk A video of Trojan.DSBrick.A]
 
*[https://www.youtube.com/watch?v=7CWI5Rs5Qwk A video of Trojan.DSBrick.B '''(NSFW warning)''']
 
*[https://www.youtube.com/watch?v=7CWI5Rs5Qwk A video of Trojan.DSBrick.B '''(NSFW warning)''']
*[http://www.ds-scene.net/?s=viewtopic&nid=7978 A warning from DS-Scene.net]
+
*[http://www.ds-scene.net/?s=viewtopic&nid=7978 A warning from DS-Scene.net regarding the fake Dragon Quest IX rom]
 
*[https://www.youtube.com/watch?v=wSIIOAZ-0s0 CrashMe on Nintendo 3DS (Another unknown variant known as "Firmware Programmer")]
 
*[https://www.youtube.com/watch?v=wSIIOAZ-0s0 CrashMe on Nintendo 3DS (Another unknown variant known as "Firmware Programmer")]
 
*[https://www.gamespot.com/articles/ds-coder-apologizes-for-trojan/1100-6135944/ Gamespot covering DarkFader's appology]
 
*[https://www.gamespot.com/articles/ds-coder-apologizes-for-trojan/1100-6135944/ Gamespot covering DarkFader's appology]
 
*[https://gbatemp.net/threads/new-crashme-ds-bricker-discovered.305443/ GBAtemp staff "Another World" covers the Mario Party DS bricker]
 
*[https://gbatemp.net/threads/new-crashme-ds-bricker-discovered.305443/ GBAtemp staff "Another World" covers the Mario Party DS bricker]
 +
*[http://www.sharebee.com/816a15bc Original link to Owata DS (dead link)] [https://web.archive.org/web/20090707025809/www.sharebee.com/816a15bc (webpage archive with more dead links can be found here)]
 
*[http://akusho.xs4all.nl/temp/r0mloader.zip Original link to r0mloader.zip (dead link)]
 
*[http://akusho.xs4all.nl/temp/r0mloader.zip Original link to r0mloader.zip (dead link)]
 
*[http://akusho.xs4all.nl/temp/taihen.zip Original link to taihen.zip (dead link)]
 
*[http://akusho.xs4all.nl/temp/taihen.zip Original link to taihen.zip (dead link)]

Latest revision as of 23:30, 11 March 2020

CrashMe is a series of trojan horses developed for the Nintendo DS. The main purpose of these roms was to ruin your day, as it will flood the Nintendo DS firmware with junk data, rendering your DS unusable.

Origin

The origin of these trojans started back in 2005 with the PlayStation Portable, known as a trojan simply known as Trojan.PSPBrick. The trojan was hidden away as a "version downgrader", as it would delete critical files that would restart the PSP, and replace those files with the following messages:

Your 2.0 is hacked please reboot
Thank you PSP Team the french team
FuCk yoshihiro and SonyxTeam Looser
PSP TEAM 2.0 Exploit Hack the 2.0 firmware
Thank's to toc2rta for the 2.0 exploit
A bricked PSP. You can still boot it up, but that's about it.

Trying to open any application after that would simply freeze the unit, and with there being no real recovery method possible (except by replacing the entire motherboard), you were out of luck. This trojan is what inspired DarkFader, to create a version for the Nintendo DS, with similarities shown.

Trojan.DSBrick.B (taihen.zip)

On October 8th 2005, just a few days from the discovery of Trojan.PSPBrick, DarkFader privately released a trojan for the Nintendo DS on IRC, which later made its way onto people's DS'es. The link pretended it was link from XS4All (a Dutch internet provider), and the trojan came in an archive known as taihen.zip. The only contents were taihen.nds and taihen.txt, which was a simple .txt with this text:

This is a small hentai slideshow for the Nintendo DS.
Enjoy!

The program was disguised as a hentai viewer which would show 5 images of uncensored hentai. But before these images, the following things will happen without the user knowing:

  • The first 64kb of the DS's firmware is overwritten by junk data, preventing the unit from starting up. Unless, and only if you have FlashMe installed, you could recover.
  • The first sectors of a inserted GBA Movie Player gets erased, but can be recovered.
  • The firmware for both the SuperCard and the XG/Neo get erased. This cannot be recovered.

Plus, a secondth modified version was uploaded named "DS Owata" in 2009 with some altered text, with the rom pretending to be Dragon Quest IX. After the erasing job is done without your knowledge, some text and hentai will be displayed on the screen:

Yuck, hentai.
A slightly modified version of Taihen.

Taihen:

DS taihen v1.0

This is a small hentai
slideshow. Just sit back
and relax :)
Wait several seconds to
see the next picture.

Owata:

DS owata :)

This is a DS owata :)
slideshow. Just sit back
and relax :)
Wait several seconds to
see the next picture.

The swapped screens and the different text was probably to get around DSLazy's CrashMe check. When the user would turn the DS off and back on again, they will be greeted with a black screen.

Trojan.DSBrick.A (r0mloader.zip)

A day later, a more wildspread and more approperiate version was uploaded on multible IRC channels and a forum as well, named r0mloader.zip. The trojan pretended it was a tool that would "automatically patch your .nds roms uppon launch", but its functionality was the same as Taihen.

I've never been scared by a brick wall before.

Included was a .txt file that reads:

r0m loader for Nintendo DS
It automatically patches the game during load.
You can switch DS card / GBA cart save and save settings per game.
Put the loader on a CF or SD card together with the NDS files.
Start the loader and select the NDS to play!
Enjoy.

Currently supports:
* Supercard
* GBA Movie player

Future support:
* G6
* M3

After the erasing job is done, an image of a brick wall is shown on the top screen, with no activity. Because this version of CrashMe was more wildspread, the news was covered on multible websites and forums, being mostly virus-alert sites, with a warning for people telling them to keep an eye out and to always get roms from trusted sources.

Another trojan popped up around 2011, found by a GBAtemp user known as osm70, with the rom pretending to be Mario Party DS. Besides the rom file size being larger (probably filled with junk data) and having a different header, the rom behaves identical to r0mloader. It shows the same brick wall and it does the same overwriting job.

Rom details

r0mloader.zip:

Filename: r0mloader.zip
Contents: r0mloader.nds, r0mloader.txt
NDS MD5 Hash: a959cfa514f4c7162a81421ee99d3356
NDS SHA1 Hash: 862e8e46a922d46244506a963519f18207d5b20f
NDS CRC32 Hash: 1efb58ba
NDS Filesize: 151 361 bytes

taihen.zip:

Filename: taihen.zip
Contents: taihen.nds, taihen.txt
NDS MD5 Hash: 8e7a3728759df265ca3a78553cf27bb8
NDS SHA1 Hash: 016e6a6f4eae4fa60960c7617849430cb3e52814
NDS CRC32 Hash: 08aa2d30
NDS Filesize: 548 673 bytes

DS Owata (Dragon Quest IX):

Filename: Dragon_Quest_IX_JPN_DSi_Enhanced_NDS-iND.rar

r0mloader (Mario Party DS):

NDS Filesize: 61 350 912 bytes

DarkFader's apology (2005)

After everything went down, DarkFader has appologised for his actions and behaviour as he clears everything up, including some recovery tools for bricked consoles and flashcarts.

I want to say sorry to everyone out there. I should have realized the impact. Not just few DS'es that were hurt, but all the damn media and whatnot.
I cannot really justify my actions. It was also very selfish to draw some attention, which I tend to do in odd ways.
It caused some harm to some non-targetted and targetted people owning a DS with non-Nintendo-approved hardware.
And that is a terrible thing to do. Even more so with the reputation I had in the DS homebrew scene that now completely abandoned me.
I do not have clear reasons and I can't blaim the little headache I had at the time. I just had to realize the idea I had after seeing the PSP variant of a bricker.
The files do not come with any form of name/signature of me, a thing I would do if it could be trusted.
I won't release any more of this crap for DS and I don't think parts of this trojan or the idea itself will emerge in future homebrew releases.
The point is probably clear. Do not run any form of untrusted code that just suddenly appears without any name.
If you only use official Nintendo games, there is absolutely nothing to worry about.
Untrusted code includes ROM loaders and that sort of stuff. It's probably not a very good reason since it has been proven before.
I can tell that the negative feedback is far greater than the positive ones. I received one donation of $6.66 and I'm not proud of it.
One news site completely ignores the r0mloader version and reasoning behind it. grrrrr.
Another common mistake: A TROJAN IS NOT A VIRUS! That means that it does not propagate on its own. And thus non-intrusive.

The trojan was released in two forms:
Trojan.DSBrick.A, 151361 bytes, md5sum a959cfa514f4c7162a81421ee99d3356, r0mloader.nds
Version A was intended for the so called ROM-pirates. Hence the name of the filename and description. It was anonymously posted to just a few IRC channels and one forum. Elsewhere, it was known that is was a trojan.
After doing its thing, it shows a picture of a brick wall. Apropriate to the situation.

Trojan.DSBrick.B, 548673 bytes, md5sum 8e7a3728759df265ca3a78553cf27bb8, taihen.nds
Version B was not really released into public and should rarely be seen. It was only directly released in a closed IRC channel with prior notice of what it did and a comment that might have triggered some (less evil than me) persons to pass it along.
After doing its thing, it cycles through five attractive drawings.

I cannot control the propagation of the files or the names it might be disguised as.

Ok, on to the more technical details:
The trojan _tries_ (but not definately succeeds) to:
* Erase DS firmware. Practically the first 64 KBytes are write-protected and thus is recoverable when the FlashMe firmware was installed.
* Erase first few sectors of CompactFlash card inside GBA movieplayer. You can try to sort out your data sectors if you really want something back.
* Erase GBA movieplayer firmware. Fairly easy to fix using flashmp utility.
* Erase Supercard firmware. A fix is currently being worked on.
* Erase/lock XG/Neo flash card. Seems it was forgotten to be mentioned in r0mloader.txt.
If you have a legal use for these functions like testing recovery tools, you're welcome.

Here are some fixing utilities and links:
ppflash.zip - Contains info, sourcecode and binary to flash the fail-safe loader also contained in FlashMe using a parallel port connection. Some soldering skills are required to perform this operation. Don't worry about voiding your warranty because you already have according to the DS manuals.
FlashMe - The page to get FlashMe. You can't survive without it.
flashmp.zip - Firmware flasher for GBA Movie Player. Supports writing to Supercard, but the included firmware IS NOT WORKING probably because of a bad firmware dump! If you have an original firmware version and Flash Advance Linker, let me know.
Probably more to come.
You can detect DSbrick by using DSbrick.signature and the utility grep:
grep -F -U -f DSbrick.signature FileToBeTested.nds
A good way to prevent malicious firmware access is to keep a record of known ARM7 binaries. This could be incorporated into ndstool.

IRC Log (r0mloader)

This appears to be a log from some Swedish IRC server. DarkFader was not actually on this IRC server.

Original:

23:46 @<xxx> 23:45 +<djPepse> <DarkFader> shall I make different version that's a supposedly loader? ;)
23:46 @<xxx> 23:46 +<djPepse> <DarkFader> http://akusho.xs4all.nl/temp/r0mloader.zip >:)
23:46 @<xxx> idiot
23:46 @<xxx> kille som har gjort en "rom loader" till nintendo ds
23:46 @<xxx> som inte alls laddar rommar
23:46 @<xxx> utan istället kvaddar firmwaren
23:46 @<xxx> så ens nintendo ds går sönder ;/

Translation:

23:46 @<xxx> 23:45 +<djPepse> <DarkFader> shall I make different version that's a supposedly loader? ;)
23:46 @<xxx> 23:46 +<djPepse> <DarkFader> http://akusho.xs4all.nl/temp/r0mloader.zip >:)
23:46 @<xxx> idiot
23:46 @<xxx> he's the guy who made a "rom loader" for the nintendo ds
23:46 @<xxx> that does not change roms at all
23:46 @<xxx> but instead bricks the firmware
23:46 @<xxx> so it even breaks your nintendo ds ;/

References