Hacking Neimod making progress, nothing released

[DanielJavierGuzz]

It's probably just a save file hack. Either change the value in RAM on his highly modified 3DS, then save, or else use that 3DS to extract the save in decrypted form, edit it, then replace it and have the game re-encrypt it. Either that or he figured out save file decryption/encryption.

Oh, and by the way... did I mention this is with an unmodified 3DS? ;-)

So it is not the first option. Maybe he already knows how to [de]encrypt the save file.

 

[McHaggis]

My bet? He played the game on his modded 3DS, injected certain values, saved the game, placed the game in an unmodified 3DS and presto! Oh, Neimod - you troll you!

Alternatively he did something godlike and actually found an exploit that gave him RAM access, but I'd put that in the realm of fairies for now.

Either that or he worked out the missing links for editing save files, I certainly wouldn't put it past him and his previous RAM hack could have helped a lot. If he's figured out some or all of the checksums, then editing some in game currency should be a piece of cake.

he is to the DSi/3ds scene as mathieulh is to the ps3 scene, lots of smoke and mirrors but no proof.

Except mathieulh sends people code and solutions that have no chance of even working wheras neimod is simply secretive. I find him genuine, just reluctant to share his findings with a wide crowd.

Yes, mathieulh was all smoke and mirrors. His actual contributions to the scene were mostly worthless, despite claiming to have had a big part in the original jailbreaking dongles. Neimod, on the other hand, is looking like the driving force behind 3DS hacking. He's not really being that secretive, he's added a lot to 3DBrew (though he has kept some stuff to himself). I just don't think the things he posts to flickr and github are meant for anyone but the friends in his hacking circle. It's kind of sad, really: if he never achieves the goal of blowing the 3DS wide open, he'll be labelled a troll by the people who don't really understand exactly how difficult things are and how irrelevant these things are compared to the big picture.

Even if this did turn out to be a modified save file, I think he deserves a lot of credit just for figuring that out.

It's probably just a save file hack. Either change the value in RAM on his highly modified 3DS, then save, or else use that 3DS to extract the save in decrypted form, edit it, then replace it and have the game re-encrypt it. Either that or he figured out save file decryption/encryption.

Lego Star Wars III is an old game, so decryption is already possible using the XOR key length vulnerability. Reversing the checksums would be needed to modify game saves, something that would be an even more impressive feat.

 

[Cyan]

I think Sifjar is right, and he (certainly, let's keep it a supposition until he confirms it himself) found a way to edit saves.

Few users on gbatemp tried to decipher the CRC but they missed few areas. Maybe he found the missing algorithms.
Or he found another way to exploit save files without re-encrypting them (unlikely, but who knows. it worked like that for the Wii).

 

[TheDreamLord]

Are save files exploitable in such a way like the Twilight hack worked? Funnily enough if it is, another Zelda game could be the cause of a hack. There's a buffer overflow in OoT.

 

[SifJar]

It's probably just a save file hack. Either change the value in RAM on his highly modified 3DS, then save, or else use that 3DS to extract the save in decrypted form, edit it, then replace it and have the game re-encrypt it. Either that or he figured out save file decryption/encryption.

Oh, and by the way... did I mention this is with an unmodified 3DS? ;-)

So it is not the first option. Maybe i already know how to [de]encrypt the save file.

Sure, the picture is on an unmodified 3DS. Doesn't mean that a modified one wasn't used in the process of getting that save there. Considering it's neimod, I'd say it's quite possible he has figured out decryption/encryption of the game save. As mentioned above, it was an early game, so decryption is already known, reverse engineering the checksum probably wouldn't be too hard when you can decrypt code, as neimod can.

 

[3DSGuy]

Just check, he can edit cool stuff now

http://www.flickr.co.../in/photostream

Yeah they can generate a proper gamecard savegame MAC now. So editing saves for HAX is possible. All he did in the photo was change the stud count in the save, to show that he can edit saves and have the 3DS accept them.

 

[Ericthegreat]

Just check, he can edit cool stuff now

http://www.flickr.co.../in/photostream

Yeah they can generate a proper gamecard savegame MAC now. So editing saves for HAX is possible. All he did in the photo was change the stud count in the save, to show that he can edit saves and have the 3DS accept them.

Where did you hear this lol?

 

[CollosalPokemon]

Just check, he can edit cool stuff now

http://www.flickr.co.../in/photostream

Yeah they can generate a proper gamecard savegame MAC now. So editing saves for HAX is possible. All he did in the photo was change the stud count in the save, to show that he can edit saves and have the 3DS accept them.

Where did you hear this lol?

http://3dbrew.org/wiki/Savegames

 

[Maxternal]

http://3dbrew.org/wiki/Savegames

Interesting, so, basically, we can fake a save base on an existing save made before 2.2.0-4 ... I'd assume 2.2.0-4 was still able to accept the older encryption format in order to not just wipe out everyone's saved progress when they update so the trick on a newer system would be figuring out what the value to use to encrypt the file the old way so it would accept it, right?

 

[Ericthegreat]

If this is true then why aren't there hacked save files for all the original 3DS games? I would think someone would do it for fun....

 

[rondoh70]

If this is true then why aren't there hacked save files for all the original 3DS games? I would think someone would do it for fun....

There are no save game hacks because neimod has not released how he changed the save file

 

[someonewhodied]

Its easy hacking saves before the firmware 2.X.ect update. After that though, no one knows that to do.

 

[synce]

This makes me miss the days of Tips & Tricks... This fucking anti-cheat generation has people resorting to hacking just to share saves

 

[Ericthegreat]

This makes me miss the days of Tips & Tricks... This fucking anti-cheat generation has people resorting to hacking just to share saves

If you mean the magazine, then yea it was awesome

 

[samljer]

He hex edited a save file and reuploaded it to the rom.
Everyone already has the tool to do this yea?
From what I can tell nothing special is going on here

 

[nukeboy95]

He hex edited a save file and re uploaded it to the rom.
Everyone already has the tool to do this yea?
From what I can tell nothing special is going on here

1. it a unmodified 3ds soo there no save extractor
2. if he did the 3ds wud not accepted the modded save (unless he used a exploit to make it think it was unmodified)

he prob used his ram board and change some things on the card then put in back in

 

[Fishaman P]

He hex edited a save file and re uploaded it to the rom.
Everyone already has the tool to do this yea?
From what I can tell nothing special is going on here

1. it a unmodified 3ds soo there no save extractor
2. if he did the 3ds wud not accepted the modded save (unless he used a exploit to make it think it was unmodified)

he prob used his ram board and change some things on the card then put in back in

Do you even know what you're talking about?
The common R4i SaveDongle can backup and restore 3DS saves. Also, the 3DS does not check save integrity (except for the DSi-exploit games, from what I've heard).

 

[Cyan]

It doesn't check integrity?

Few users tried to change save data and re-inject it to the card.
The game didn't accept it and said it was corrupted.

There are (multiple?) checks.

 

[ground]

can someone explain this to me?

Decrypted save files are already possible for everyonw with the XOR length vulnarity (which also can be used with LEGO star wars). Shouldn't is be quite easy then to edit the save files like neimod did?

p.s. I actually bought a save dongle tot test it with, i am expecting it this day

 

[Cyan]

When you decrypt the raw save using the XOR key, you get data in readable form.

That data contains different areas (the game information, progress, etc.) and a checksum from all these datas.
If you edit the game content, you need to also edit the checksum value, which is used to verify the savegame integrity, if it didn't get edited, or corrupted by a wrong save progress. then re-encrypt it using the same XOR key, and put it back on the cartridge.

The checksum algorithm wasn't known.
Writing back a save file without the correct checksum resulted in an error/savegame corrupted message.



Question:

The save file contains a full backup of the previous known woking save data, right? Doesn't it use the backup if the first one is corrupted?