EZ-Flash USA Forum

OK, alot of people bug me for these PASS patchers all the time, basically if the GBA header gamecode on a cart is "PASS" flashme will autoboot it. I have just had my first bit of success at disassembly and reassembly (and hopefully more will follow), but essentially I have a tool and some code to share and will get on with it.

Limitations: It will only work on the lite deluxe at this point.
PatchPass_EZ4.zip
*.ez4.nds = ds.gba version for flashcart/PSRAM use. Ran it from EZ4 DS menu with no problems.
*.nds = ran it from my EZV with no problems.

There is a chip (M6MGT321S8TP) that stores the loader, it is a dual purpose chip with 4MByte NOR and 8MBit SRAM. I'm hoping it is the same in all the EZ4 carts, but I only have the EZ4 deluxe to test with.

What this code is/does - it dumps the first bit of the "OS" NOR (1/4 of the part that usually does not get updated by the updater), changes the GBA gamecode to nulls, and fixes the CRC so GBA mode booting will still work. Every time you run it, it will reverse the operation (so if the CRC for the PASS header is there, it will swap it to the nopass header, and vice versa). Note that in NOR write prototype, the length is more likely a delay.

Practical use: can stop/enable EZ4 to boot automatically with flashme

Have fun and please let me know immediately if you have a problem with it. Also, if you happen to have a moonshell bricked EZ, there is now a very real possibility of being able to recover it.

edit:/ updated the title of the thread. Had EZ5 on the brain that day apparently.

the compact has the 4MB NOR as well, as I well found out some weeks back, so it theoretically should work with all of them.

Cory, I think you're my hero.

If I disable the automatic booting, will I still be able to boot the NDS loader from the DS Menu without having to switch the mode using your program?

and we have full protection over viruses, not that they are a big threat. flashme saves ds, format garbled sd card, and use program to maybe revive EZ4. sounds like we're more protected than m3/supercard.

I've not tried the patch pass myself or anything, but I assume you can just choose which slot to boot up like what happens if you put in a normal cart in ^_^ (without autobooting being on in the actual DS settings itself)

With flashme, hold ABXY while turning the DS on to force it to boot the GBA slot in DS mode. It shouldn't change the DS' operation if you use passme or similar.

I think this program is the answer to my problem....

I was looking for an "unflashme" back to dsl, but what I really want is just to auto boot my ez5 while having my ez4lite deluxe in slot 2. By changing PASS to null and setting dsl to auto with ez5 in slot 1 it will default boot to slot 1 and if I hold A B X Y, I can force flashmev7 to boot slot 2 ds mode, or hold L to boot ez5 in update/passme mode to boot slot 2 ds mode, and I assume I can hold select to allow flashmev7 to boot to ds menu and choose slot 2 gba mode. Or I can use corys tool to boot to gba mode from ds mode.

If all that is correct I'm in as soon as my microsd gets here. Pny from newegg hopefully japan ver on its way tues and ritek 115x from meritline to hedge my bets.

Thanks cory for all the work you do for the scene and my gaming experience.

there is a noflashme in the gba/nds section that came out if ppl still want that

@cory, on my compact i ran the .ez4.bin version, and it says: GBA crc does not match: c1
am i doing something wrong? when i power off and on it goes right back to menu instead of main screen

Let's assume I have a EZ4-Deluxe which does not boot (white screens after NDS health screen when using an EZ-Pass 3). Let's also assume it is only detected as a 'DS option pack' according to the NDS main menu. Finally, let's assume I've tried cleaning the contacts, wedging paper, etc.

Are these the sort of symptoms this tool might be able to repair? If so, what are the steps involved?

You rock, I've been wanting something like this for ages.

Thanks.

I guess this will be really handy for all those people using DS-link with their EZ4s as well

I did some digging in my old archives, and the EZ4 miniSD has an identical bootstrap/updater core as my EZ4 deluxe does, so this app should work great with it as well.

yonwei: That was my only reasonable fear, that the compact has a different bootstrap/hardware chip. The app itself isn't very intelligent, if the GBA header is different from what it expects (which basically could only happen on hardware that I don't have) then it will give that error, tell the CRC of the header and exit. Use this app:
EZ4dump-bootstrap.zip
to produce a dump of your compact's bootstrap, send it to me (cory1492 (at) gmail.com) and I will do some checks to make sure it will work with the compact and add the compact's CRC to the app if the NOR updater code looks compatible. (edit:/ it also occurs to me that if the header is different in the compact, then at least moonshell could detect that simply enough )

scrawl: this app in itself will not be able to fix it, but the NOR writing code will be able to (if it is not a hardware failure). If you run the above app on your EZ5 and send me the resulting dump too, I will know more for certain. Either way, I will finish testing the EZ4restore app shortly and if you like you can give it a go. BTW: I recall a fellow getting a EZ with a debug bootstrap on it, EZrestore probably could have cured it, too.
The basic steps of the restore process would be:
-put the file on a card that can run it
-run it
-swap in EZ4 if needed, press A
-start ez4 with an updater on the sd/microsd card
I'll toss you a link by PM (edit:/PM sent) when I finish it and test it. It won't be let loose until I know more about the compact.

JonoBG: it works very well when using EZ5 too. I like my flashme, and this makes it much simpler to use EZ4 for GBA and EZ5 for nds.

First of all, a big big Thanks, I really deserve that.
I didn't know you were bugged a lot for a patcher like this one, and as I already said, sorry for bothering, it wasn't my intention, but I didn't find any message with a request similar to the one I posted, and so I asked.

As soon as my Lite Deluxe is delivered, count on me for testing the patcher.



I've just tried it on my EZ4 MiniSD, and it behaves in a strange way. The output it gives is this one:



and then it locks up. How much time it is supposed to take for the erasing part?

I dumped the header before and after the patching, and it is the same, same CRC and no modifications at all. I can send it to you if you want, but since the patcher doesn't throw an error, I think it contains the data it expected.
I disassembled the cart and I confirm that it does has the same chip of your EZ4 Lite-deluxe.
I have the EZ4 NDS Loader v1.73 (patched with a different skin), running it on a Jap DS Lite Dark Blue (if it could help).

If you want me to run it againt with some added debug code (to check exactly where it is freezing), just ask. My email address is mynick (at) inwind.it .

erase header should take about 1/2 a second (going by NOR stats and experimentation). If it is halting at the erase, it is because the NOR is never saying "ok, I'm ready, now what?". It's quite possible the initial blocks are locked (and perhaps me using my card with EZ3's client unlocked it?), I will look into it and see if I can find a way to get additional status messages from the NOR and weasel the NOR unlock out of the disassembly as well.

A conundrum. Has anyone successfully run this app (besides myself) yet?

Here is an update: I've just received my EZ4 Lite Deluxe, the patch was applied without a single problem (I haven't tryed to unpatch it, yet).

I've also compared the loader dumps (miniSD and EZ4LiteDlx), and they're exactly the same. Perhaps the two versions differ a little...

I traced down a routine that does flash chip ID, and does an unlock routine depending on that ID (0x60 to NOR chip). So far my assembly of the function is returning bad data (I haven't figured out exactly what data is sent to the function yet). There is definitely an unlock in there, but why it is not needed on the deluxe (even with the same chip as the others) probably comes down to inital programming at the factory.

Thanks for testing it on your Deluxe PsychoWood, I'm glad to know that I'm not potentially crazy/the only one it works for