Hacking Ripping Save Data and Demos.

xsp

557,672,362 bytes. That's the size of the Rayman Legends Demo. I've been yanking different things out of the Wii U today. Even though it's encrypted, you can easily pull just the demo out in a few steps. My question is: has anyone else been doing this? After pulling it out in a big chunk, it looks like you can separate it by files as well. Again, it is still encrypted, but at least we can get an idea of what's inside. Another thing I am curious about is if it is compressed or not. I attempted to compress the demo and ended up with a file larger than the chunk I pulled out. That can be a good sign of compression, but not always the case.

Looks like the first file in the demo is 10,833 bytes. My guess is that this chunk of data is a directory (or group of directories). Just trying to get some fresh ideas flowing. If nobody objects, I'll explain what I did to dump the Demo.
 

Rydian

> Another thing I am curious about is if it is compressed or not. I attempted to compress the demo and ended up with a file larger than the chunk I pulled out. That can be a good sign of compression, but not always the case.

File-by-file encryption would do that as well, as the resulting data stream is designed to not have repeating patterns (which kills lossless compression).
 

xsp

The process is dead simple.

1. Blank a Flash Drive with zeros.
2. Allow the Wii U to format it.
3. Do a dump of the drive.
4. Pop it back in the Wii and transfer the demo or save in question.
5. Do a second dump of the drive.
6. Do a hex comparison of the two dumps.

Now you're going to notice that there are several differences and depending on which program you used to dump the drive, there may be added header and footer information, so be sure to pay attention to like hex values. For instance, the Rayman Legends Demo was at offset 0x6EE50 in the dump I performed due to extra information at the beginning of the dump. Determining the demo location was easy. The Wii U is your friend here. It tells you the size of the demos in megabytes. It just so happens that its entry point is also that last location replacement in our comparison.

The reason we blanked the drive to zeros was to easily see where files end in the hexadecimal output of our dumps. The demo was located at 0x6EE50 through 0x214455F8, which is 557,672,362 bytes, which is 531 megabytes: the size that the Wii U told us the demo was. Now we can meticulously go through the hex dump and see where files exist using our zero values as file separators.

I believe that we can deduce what the other differences are as well without decryption. For instance, a blank formatted Wii U drive has an entry value of #10. Once the demo is present, the entry point value became 15 (#0F). My guess is that with enough minds, we can figure out with certain confidence, the general structure of the file system without ever decrypting the data.

EDIT: Also, blanking the drive to zeros allows us to terminate the dump where the data ends. It's the equivalent of a NULL terminating character at the end of a character array.
 

xsp

I'd like to point out my coding laziness here and say it would be really simple to write a program that looked at the zero terminated areas and wrote the files separately to disk. Given the encryption key, you would be set. Being completely new to the whole idea of homebrew, I just wanted to try and get some ideas flowing. Any input would be great. This just seems like it would be a really fun system to develop for and I certainly don't see Nintendo handing me a license and devkit, so I hope several like-minded individuals will help open it up. I see the potential piracy issues and genuinely wish it were preventable. I just want to be able to make software for a piece of hardware I purchased.
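
The zero-run splitter described in the post above, combined with the two-dump comparison and the compression check discussed earlier in the thread, as an added example that is not code from any poster. The 16-byte minimum zero run, the SHA-256 stand-in for encrypted content and the 8 KiB sample layout are assumptions constructed for the demonstration.

```python
import hashlib
import re
import zlib

def data_extents(image: bytes, min_zero_run: int = 16):
    """(start, end) of every region bounded by runs of >= min_zero_run zero bytes."""
    extents, pos = [], 0
    for gap in re.finditer(rb"\x00{%d,}" % min_zero_run, image):
        if gap.start() > pos:
            extents.append((pos, gap.start()))
        pos = gap.end()
    if pos < len(image):
        extents.append((pos, len(image)))
    return extents

def new_extents(before: bytes, after: bytes, min_zero_run: int = 16):
    """Extents of the second dump whose bytes differ from the first dump."""
    return [(s, e) for s, e in data_extents(after, min_zero_run)
            if after[s:e] != before[s:e]]

def compress_ratio(chunk: bytes) -> float:
    """Compressed size / original size; about 1.0 or more means no redundancy left."""
    return len(zlib.compress(chunk, 9)) / len(chunk)

def fake_ciphertext(length: int, seed: bytes) -> bytes:
    """Constructed stand-in for encrypted content (SHA-256 over a counter)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    out = out[:length]
    out[0] |= 1   # real ciphertext can begin or end with 0x00, which shifts a
    out[-1] |= 1  # zero-run boundary by a byte; forced non-zero for exact offsets
    return bytes(out)

def build_sample():
    """Constructed 8 KiB 'dumps': formatted only, then with two items written."""
    before = bytearray(8192)
    before[0:64] = bytes(range(1, 65))        # hypothetical volume metadata
    after = bytearray(before)
    after[8] = 0x7F                           # one metadata field changes
    after[0x200:0x200 + 300] = fake_ciphertext(300, b"a")
    after[0x400:0x400 + 4096] = fake_ciphertext(4096, b"b")
    return bytes(before), bytes(after)

if __name__ == "__main__":
    before, after = build_sample()
    for s, e in new_extents(before, after):
        print(f"0x{s:05X}-0x{e:05X} ratio {compress_ratio(after[s:e]):.3f}")
```

A ratio near or above 1.0 matches what the thread observed, and it cannot by itself tell encryption from compression. On a real dump of several hundred megabytes, memory-map the file rather than reading it whole.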
 
