The PassMe device watches the communication between the DS and the Game Card.

The Game is required to convince the DS that it is talking to a Game Card.

Most of the communication is encrypted with a key that changes every time the DS is booted. The PassMe cannot understand or modify this communication.

The part of the communication that the PassMe is able to understand and modify includes the header of the game.

The header contains the addresses in memory where the two game binaries are to be loaded (one for each CPU) and the addresses within those binaries where each CPU should start execution from. The header also contains a checksum of its contents, which is checked by the DS.

The DS stores the header it reads from the Card in RAM when it is turned on.

The PassMe modifies several parts of the header as it is being read by the DS:

 o The ARM7 start address is changed to 0x080000C0 - an address near the start of the ROM in the GBA slot.
 o An infinite loop replaces an unused part of the header.
 o The ARM9 start address is changed to point to the location of this infinite loop in RAM.
 o A flag is set which makes the DS automatically try to run from the DS slot.
 o The checksum is recalculated.

Only one CPU can access the GBA slot at a time. At boot this CPU is the ARM7, so the ARM7 is the one that is given the GBA slot address. DSLinux jumps through some hoops to get the ARM9 executing from the GBA slot.

When the DS reads this modified header, it tries to start the Game immediately. The Game is copied into RAM, and both CPUs go to the modified start addresses.

The ARM7 runs whatever code is on the GBA flash cart. The ARM9 runs the infinite loop in RAM.

The code on the GBA flash cart is responsible for loading the binaries from the flash cart into RAM, making the ARM9 execute its new binary, and then jumping to the new ARM7 binary.

How Nintendo Stopped PassMe From Working

Nintendo modified the firmware in the DS so that it checks the start addresses in the header:

 o The ARM7 start address is required to be in main RAM or in the ARM7 RAM.
 o The ARM7 start address cannot point at the copy of the header in RAM.
 o The ARM9 start address is required to be in main RAM.
 o The ARM9 start address cannot point at the copy of the header in RAM.
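The header edits listed above and the updated firmware's start-address rules, as an added Python example that is not part of this page, of PassMe or of DSLinux: it applies the five edits to a constructed header, recalculates the checksum, and then runs the firmware's checks over the result. The header offsets, the CRC variant, the RAM ranges, the spare header region used for the loop and the autostart bit are assumptions taken from the public DS header layout.

```python
import struct
# Offsets and address ranges are assumptions taken from the public DS header layout.
OFF_AUTOSTART = 0x1F    # flags byte; bit 2 = run the card without stopping at the menu
OFF_ARM9_ENTRY = 0x24   # ARM9 start address
OFF_ARM7_ENTRY = 0x34   # ARM7 start address
OFF_UNUSED = 0x88       # zero-filled reserved bytes: room for a 4-byte loop
OFF_HEADER_CRC = 0x15E  # CRC-16 over bytes 0x000..0x15D
MAIN_RAM = (0x02000000, 0x03000000)    # 4 MB main RAM plus its mirrors
ARM7_WRAM = (0x03800000, 0x03810000)   # 64 KB ARM7-only work RAM
HEADER_COPY = (0x027FFE00, 0x027FFE00 + 0x160)  # where the DS keeps the header in RAM

def crc16(data):
    """CRC-16 (poly 0xA001, init 0xFFFF), the checksum the DS verifies on the header."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def in_range(addr, rng):
    return rng[0] <= addr < rng[1]

def make_sample_header():  # constructed header of an ordinary game: both CPUs start in main RAM
    h = bytearray(0x160)
    struct.pack_into("<I", h, OFF_ARM9_ENTRY, 0x02000800)
    struct.pack_into("<I", h, OFF_ARM7_ENTRY, 0x02380000)
    struct.pack_into("<H", h, OFF_HEADER_CRC, crc16(h[:OFF_HEADER_CRC]))
    return bytes(h)

def passme_patch(header):  # the five header edits listed above
    h = bytearray(header)
    struct.pack_into("<I", h, OFF_ARM7_ENTRY, 0x080000C0)                   # ARM7 -> GBA slot ROM
    struct.pack_into("<I", h, OFF_UNUSED, 0xEAFFFFFE)                       # ARM "b ." infinite loop
    struct.pack_into("<I", h, OFF_ARM9_ENTRY, HEADER_COPY[0] + OFF_UNUSED)  # ARM9 -> that loop
    h[OFF_AUTOSTART] |= 0x04                                                # autostart flag
    struct.pack_into("<H", h, OFF_HEADER_CRC, crc16(h[:OFF_HEADER_CRC]))    # checksum fix-up
    return bytes(h)

def firmware_checks(header):  # rules of the updated firmware; returns failures (empty = accepted)
    arm9 = struct.unpack_from("<I", header, OFF_ARM9_ENTRY)[0]
    arm7 = struct.unpack_from("<I", header, OFF_ARM7_ENTRY)[0]
    rules = [
        (crc16(header[:OFF_HEADER_CRC]) == struct.unpack_from("<H", header, OFF_HEADER_CRC)[0], "header checksum mismatch"),
        (in_range(arm7, MAIN_RAM) or in_range(arm7, ARM7_WRAM), "ARM7 start outside main/ARM7 RAM"),
        (not in_range(arm7, HEADER_COPY), "ARM7 start inside header copy"),
        (in_range(arm9, MAIN_RAM), "ARM9 start outside main RAM"),
        (not in_range(arm9, HEADER_COPY), "ARM9 start inside header copy"),
    ]
    return [msg for ok, msg in rules if not ok]
```

Running `firmware_checks(passme_patch(make_sample_header()))` shows the patched header still passes the checksum but is rejected on both start addresses, which is exactly the gap the new firmware closed.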

To get around this, PassMe2 was created. See HowPassMe2Works.

See Also

HowPassMeWorks (last edited 2008-01-22 14:02:38 by localhost)