Cartridge format
The binary cartridge format (also known as SRL or ROM) is the way to pack
the information and files for a DS and DSi program. This is the format that
physical cartridge carts have, but also the format used by digital content like
DSiWare and utility programs from the DSi firmware.
Note
These documents refer to DS/DSi programs. This also includes games.
Cartridge memory map
The raw binary format of the cartridge is based on four different regions. It maps the different commands we need to send to the cartridge chip to retrieve the data:
| Offset | Length | Description |
|---|---|---|
| 0x00 | 0x1000 | Header |
| 0x1000 | 0x3000 | Unknown, not readable |
| 0x4000 | 0x8000 | Secure area, first 2 KB with KEY1 encryption |
| 0x8000 | ... | Data area |
| 0xZZ00000 | 0x3000 | Unknown, not readable |
| 0xZZ03000 | 0x4000 | ARM9i secure area, usually with modcrypt encryption |
| 0xZZ07000 | ... | DSi data area |
Note
For details in KEY1 and modcrypt encryptions see section security.
DS / DSi program sections
Practically speaking, official DS / DSi program maps these memory map areas to the following sections:
- Header
- Unknown, not readable, usually
0x00 - ARM9 processor program (actual program code):
- Program code: starts at
0x4000so first 2 KB are KEY1 encrypted. - Program extended parameters (DS only)
- Overlay table info
- Overlay files
- Program code: starts at
- ARM7 processor program (system code):
- Program code
- Overlay table info
- Overlay files (usually empty)
- File name table
- File access table
- Banner
- Files data
- Additionally, for DSi programs:
Padding
Every section, including each file data is padded to blocks of 512 bytes with
the byte 0xFF.
On DS programs, the last file is not padded.
A DS program region (nitro) ends after the digest HMACs. The additional DSi
program region (twilight) starts with the unknown region. Between these two
regions there is a special padding to fill the last block of 1 MB with the byte
0xFF.
Unknown regions
The header contains 0x3000 unknown bytes. These bytes cannot be read as the
cartridge protocol does not support getting data from this address. On digital
programs like firmware utilities (like the launcher), this area seems to have
random bytes.
This is similar to what happen at the DSi program region. It starts with
0x3000 unknown bytes. These bytes cannot be dumped because the cartridge
protocol silently redirect any read command from these region to 0x8000. These
means that if we try to dump these 0x3000 bytes, we will get from the physical
cart three times 0x1000 bytes of data from 0x8000 (arm9 after secure area).