So it is not the first option. Maybe he already knows how to [de]encrypt the save file.
Hacking Neimod making progress, nothing released
- Thread starter KvinMoreaux
- Start date
- Views 27,325
- Replies 82
- Likes 4
Either that or he worked out the missing links for editing save files, I certainly wouldn't put it past him and his previous RAM hack could have helped a lot. If he's figured out some or all of the checksums, then editing some in game currency should be a piece of cake.My bet? He played the game on his modded 3DS, injected certain values, saved the game, placed the game in an unmodified 3DS and presto! Oh, Neimod - you troll you!
Alternatively he did something godlike and actually found an exploit that gave him RAM access, but I'd put that in the realm of fairies for now.
Yes, mathieulh was all smoke and mirrors. His actual contributions to the scene were mostly worthless, despite claiming to have had a big part in the original jailbreaking dongles. Neimod, on the other hand, is looking like the driving force behind 3DS hacking. He's not really being that secretive, he's added a lot to 3DBrew (though he has kept some stuff to himself). I just don't think the things he posts to flickr and github are meant for anyone but the friends in his hacking circle. It's kind of sad, really: if he never achieves the goal of blowing the 3DS wide open, he'll be labelled a troll by the people who don't really understand exactly how difficult things are and how irrelevant these things are compared to the big picture.
Even if this did turn out to be a modified save file, I think he deserves a lot of credit just for figuring that out.
Lego Star Wars III is an old game, so decryption is already possible using the XOR key length vulnerability. Reversing the checksums would be needed to modify game saves, something that would be an even more impressive feat.
- Joined
- Oct 27, 2002
- Messages
- 23,749
- Trophies
- 4
- Age
- 45
- Location
- Engine room, learning
- XP
- 15,650
- Country
I think Sifjar is right, and he (certainly, let's keep it a supposition until he confirms it himself) found a way to edit saves.
Few users on gbatemp tried to decipher the CRC but they missed few areas. Maybe he found the missing algorithms.
Or he found another way to exploit save files without re-encrypting them (unlikely, but who knows. it worked like that for the Wii).
Few users on gbatemp tried to decipher the CRC but they missed few areas. Maybe he found the missing algorithms.
Or he found another way to exploit save files without re-encrypting them (unlikely, but who knows. it worked like that for the Wii).
- Joined
- Jun 8, 2011
- Messages
- 939
- Trophies
- 0
- Age
- 24
- Location
- Ireland
- Website
- darkraino1.zymichost.com
- XP
- 476
- Country
Are save files exploitable in such a way like the Twilight hack worked? Funnily enough if it is, another Zelda game could be the cause of a hack. There's a buffer overflow in OoT.
Sure, the picture is on an unmodified 3DS. Doesn't mean that a modified one wasn't used in the process of getting that save there. Considering it's neimod, I'd say it's quite possible he has figured out decryption/encryption of the game save. As mentioned above, it was an early game, so decryption is already known, reverse engineering the checksum probably wouldn't be too hard when you can decrypt code, as neimod can.
Yeah they can generate a proper gamecard savegame MAC now. So editing saves for HAX is possible. All he did in the photo was change the stud count in the save, to show that he can edit saves and have the 3DS accept them.
- Joined
- Nov 15, 2011
- Messages
- 5,210
- Trophies
- 0
- Age
- 40
- Location
- Deep in GBAtemp addiction
- Website
- gbadev.googlecode.com
- XP
- 1,709
- Country
Interesting, so, basically, we can fake a save base on an existing save made before 2.2.0-4 ... I'd assume 2.2.0-4 was still able to accept the older encryption format in order to not just wipe out everyone's saved progress when they update so the trick on a newer system would be figuring out what the value to use to encrypt the file the old way so it would accept it, right?
If this is true then why aren't there hacked save files for all the original 3DS games? I would think someone would do it for fun....
Its easy hacking saves before the firmware 2.X.ect update. After that though, no one knows that to do.
- it a unmodified 3ds soo there no save extractor
- if he did the 3ds wud not accepted the modded save (unless he used a exploit to make it think it was unmodified)
Do you even know what you're talking about?
The common R4i SaveDongle can backup and restore 3DS saves. Also, the 3DS does not check save integrity (except for the DSi-exploit games, from what I've heard).
- Joined
- Oct 27, 2002
- Messages
- 23,749
- Trophies
- 4
- Age
- 45
- Location
- Engine room, learning
- XP
- 15,650
- Country
It doesn't check integrity?
Few users tried to change save data and re-inject it to the card.
The game didn't accept it and said it was corrupted.
There are (multiple?) checks.
Few users tried to change save data and re-inject it to the card.
The game didn't accept it and said it was corrupted.
There are (multiple?) checks.
can someone explain this to me?
Decrypted save files are already possible for everyonw with the XOR length vulnarity (which also can be used with LEGO star wars). Shouldn't is be quite easy then to edit the save files like neimod did?
p.s. I actually bought a save dongle tot test it with, i am expecting it this day
Decrypted save files are already possible for everyonw with the XOR length vulnarity (which also can be used with LEGO star wars). Shouldn't is be quite easy then to edit the save files like neimod did?
p.s. I actually bought a save dongle tot test it with, i am expecting it this day
- Joined
- Oct 27, 2002
- Messages
- 23,749
- Trophies
- 4
- Age
- 45
- Location
- Engine room, learning
- XP
- 15,650
- Country
When you decrypt the raw save using the XOR key, you get data in readable form.
That data contains different areas (the game information, progress, etc.) and a checksum from all these datas.
If you edit the game content, you need to also edit the checksum value, which is used to verify the savegame integrity, if it didn't get edited, or corrupted by a wrong save progress. then re-encrypt it using the same XOR key, and put it back on the cartridge.
The checksum algorithm wasn't known.
Writing back a save file without the correct checksum resulted in an error/savegame corrupted message.
Question:
The save file contains a full backup of the previous known woking save data, right? Doesn't it use the backup if the first one is corrupted?
That data contains different areas (the game information, progress, etc.) and a checksum from all these datas.
If you edit the game content, you need to also edit the checksum value, which is used to verify the savegame integrity, if it didn't get edited, or corrupted by a wrong save progress. then re-encrypt it using the same XOR key, and put it back on the cartridge.
The checksum algorithm wasn't known.
Writing back a save file without the correct checksum resulted in an error/savegame corrupted message.
Question:
The save file contains a full backup of the previous known woking save data, right? Doesn't it use the backup if the first one is corrupted?
