Homebrew Decrypting Mii QR Codes?

drfsupercenter

Flash Cart Aficionado
OP
Member
Joined
Mar 26, 2008
Messages
1,909
Trophies
1
XP
1,163
Country
United States
Hey guys,

I apologize if there's already a topic about this, but I haven't seen one in my time browsing here so I thought I'd make one.

I was talking about how Mii data is stored with a friend, and I ended up looking it up on 3DBrew. They seem to have the entire mapping of the QR data figured out:
http://3dbrew.org/wiki/Mii_Maker

The main thing I'm interested in editing is the "copiable" value. Most of the QR codes I scan from random strangers are locked so I can't edit them at all - and while I appreciate that someone else made it, sometimes I think there's something that could be done better and I want to change it. Or, in the case of Tomodachi Life, I want to be able to rename the darn thing, which isn't an option if it's set to not copiable.

So let's take a look at one I got from MiiCharacters.com.
http://www.miicharacters.com/miis/qr_large/1972_peterg.jpg

That's just a random Peter Griffin one I found. So I parse the data:
http://zxing.org/w/decode?u=http://www.miicharacters.com/miis/qr_large/1972_peterg.jpg

I end up getting this as the raw bytes.
Code:
40 07 09 12 cf d2 5a 4c   0e 10 1c 44 cf 94 e1 67
e5 60 4e f5 12 b5 11 3e   3c 58 5f 48 b1 32 97 43
32 ab 4b 4e f3 15 6b 41   cd 08 e8 29 cd f0 c0 92
50 9d e2 3a 28 85 40 26   80 6c 20 ab 46 5d 6c 94
3b ee d1 bf 0b c5 1a ab   9a 5e 1b a3 73 02 01 ba
f9 a3 7a 42 8d 59 30 ea   d6 a2 12 d3 30 7b 4a ef
6b ee b3 cb 7b 92 f8 01   3a 47 82 9a 19 90 36 7b
e8 f8 00 ec 11 ec 11 ec   11 ec

Obviously this isn't very useful as-is, because most of that data is encrypted. However, 3DBrew says it can be decrypted using known text strings...?

I notice the value at 0x9 is "10", not sure if the 1 represents "is copiable" or not, but I would assume that's just a coincidence since everything else is encrypted too.

Essentially, if I could plug the raw data in somewhere and be able to decrypt and then re-encrypt it, that would be fantastic. I just want to play around with the Mii format a bit.
 

Duo8

Well-Known Member
Member
Joined
Jul 16, 2013
Messages
3,613
Trophies
2
XP
3,022
Country
Vietnam
Apparently only the first 8 bytes are unencrypted "(cleartext MiiID+MAC address)". From there on (including 0x9) data is encrypted.
Known text, I'm assuming, is something already known in the Mii format or something that can be rebuilt to the format: "QR codes made from the same 3DS for the same Mii are use the same AES-CCM nonce (you can recreate the xorpad by xoring with known values from this table).".

Oh look there's also AES-CCM MAC.
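
The nonce-reuse point quoted from 3DBrew above, as an added example that is not part of this thread and is not 3DBrew's code: when two records are encrypted under the same key and nonce, XORing one ciphertext with its known plaintext yields the xorpad for the other, while the keyed MAC still rejects an edited record. Assumptions: SHA-256 in counter mode stands in for the AES-CTR keystream, HMAC stands in for the CCM MAC, and the key, nonce and record layouts are constructed.

```python
import hashlib, hmac

def keystream(key, nonce, n):
    # Stand-in for the AES-CTR keystream inside CCM (assumption: SHA-256 in
    # counter mode, used only because the standard library has no AES).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    # zip() stops at the shorter input, so a partial known plaintext
    # yields a partial xorpad.
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, nonce, plaintext):
    # Encrypt and tag; HMAC stands in for the CCM MAC (assumption).
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + plaintext, hashlib.sha256).digest()[:16]
    return ct, tag

def verify(key, nonce, ct, tag):
    # Console-side check: decrypt, recompute the keyed tag, compare.
    pt = xor(ct, keystream(key, nonce, len(ct)))
    good = hmac.new(key, nonce + pt, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(tag, good)

def demo():
    key = b"constructed device key"   # constructed; held by the console only
    nonce = b"constructed nonce"      # constructed; reused for both records
    mii_a = b"NAME=Alice;NOSE=03;COPY=1;" + bytes(6)  # constructed, known record
    mii_b = b"NAME=Peter;NOSE=11;COPY=0;" + bytes(6)  # constructed, unknown record
    ct_a, _ = seal(key, nonce, mii_a)
    ct_b, tag_b = seal(key, nonce, mii_b)

    # Observer side: no key, only ct_a, ct_b and the known plaintext mii_a.
    xorpad = xor(ct_a, mii_a)
    recovered_b = xor(ct_b, xorpad)
    partial_b = xor(ct_b, xor(ct_a, mii_a[:10]))  # only 10 known bytes

    # Editing the recovered record and re-applying the xorpad changes the
    # ciphertext but not the tag, so the keyed check rejects it.
    edited = recovered_b.replace(b"COPY=0", b"COPY=1")
    tampered_ok = verify(key, nonce, xor(edited, xorpad), tag_b)
    return recovered_b == mii_b, partial_b, tampered_ok, verify(key, nonce, ct_b, tag_b)

if __name__ == "__main__":
    print(demo())
```
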
 

drfsupercenter

Yeah, I read all that.

So if I exported a few QR's from my own 3DS, you could somehow use the common data to decrypt the rest? I'm willing to try it if someone can help :P
 

gudenau

Largely ignored
Member
Joined
Jul 7, 2010
Messages
3,882
Trophies
2
Location
/dev/random
Website
www.gudenau.net
XP
5,357
Country
United States
I think that this is doable, I will look into this more when I have the time.

Edit:
All the data might be there, it would just take a good amount of time to create the xorpad, or create a launcher.dat to make the xorpad.
 

windwakr

Well-Known Member
Member
Joined
Sep 13, 2009
Messages
502
Trophies
1
Website
windwakr.github.io
XP
1,789
Country
United States
> I think that this is doable, I will look into this more when I have the time.
>
> Edit:
> All the data might be there, it would just take a good amount of time to create the xorpad, or create a launcher.dat to make the xorpad.

It would probably be easier to build a rop chain that calls APT:Unwrap using:
https://github.com/naehrwert/p3ds


Or build a homebrew to do it.
 

NicEXE

Well-Known Member
Member
Joined
Dec 6, 2009
Messages
411
Trophies
1
XP
706
Country
Cyprus
I would have made, let's say, 20 different miis all exactly the same (including "(cleartext MiiID+MAC address)" if possible) except from one value (position of the nose for example). Then I would have tried to bruteforce the key until all different mii data are by at least 90% the same. If that happens I probably have found the key (and I probably know how to move a mii's nose)

I don't think it's worth the time to try and bruteforce the mii qr decryption key
 

gudenau

> I would have made, let's say, 20 different miis all exactly the same (including "(cleartext MiiID+MAC address)" if possible) except from one value (position of the nose for example). Then I would have tried to bruteforce the key until all different mii data are by at least 90% the same. If that happens I probably have found the key (and I probably know how to move a mii's nose)
>
> I don't think it's worth the time to try and bruteforce the mii qr decryption key

Well to make an editor for PC would be worth it imo, might be able to move the sliders more than on the 3DS.
 

drfsupercenter

> Well to make an editor for PC would be worth it imo, might be able to move the sliders more than on the 3DS.

Yeah, definitely.

There was a program I used to use called "My Mii Manager", I think it was a Datel product, it was for the Wii, and that's basically what it let you do. So much easier to create Miis that way because you don't have to use idiotic motion controls :P

Problem with the 3DS is, I'll scan a QR code and think "wow that looks cool" but then I can't change the nickname because it's created by someone else who set sharing to off... like literally if I could change *just* that, I'd be happy
 

SSG Vegeta

Well-Known Member
Member
Joined
Jul 25, 2013
Messages
682
Trophies
1
XP
1,413
Country
United States
If you do please make custom anime miis I'd really like to have a mii based on Goku
 

I pwned U!

I am pleased to beat you!
Member
Joined
Jun 14, 2013
Messages
927
Trophies
3
Age
28
Website
gbatemp.net
XP
680
Country
United States
That's what I wanna see! Anyone think it's possible to make your Primary Mii a "Special" Mii? Would be cool to streetpass people, and on their screens they see "I'm Huntereb from Nintendo!". B-)
I wonder if it will also be possible to change where we come from (such as "I am I pwned U! from GBATemp.")
 

drfsupercenter

> If you do please make custom anime miis I'd really like to have a mii based on Goku

If you've got a Wii, you can already do this.
http://us.codejunkies.com/Products/Wii-My-Mii-Manager__EF000244.aspx
You'll just need a Bluetooth dongle in your computer so you can transfer the Mii off of your Wii remote. I actually own the software if anyone would like me to upload it somewhere. I don't think Datel is still producing it anymore so it shouldn't hurt their sales any.

> I wonder if we can get golden pants now...
In theory you could, but weren't there golden pants ones on the Wii too? I never saw any, but 3DBrew mentions it, and I don't think those are encrypted so you could probably use the same sort of thing to spoof them.

> I decrypted the Mii in the QR code from the first post:
> https://www.sendspace.com/file/iuw4jo

Awesome! May I ask how you did it? That way I could re-encrypt it by reversing the process (theoretically)
And since it's just text, you shouldn't even need a Launcher.dat or anything like others were mentioning... it would take the 3DS literally less than a second to spit out a xorpad anyway.
 

Duo8

> That's what I wanna see! Anyone think it's possible to make your Primary Mii a "Special" Mii? Would be cool to streetpass people, and on their screens they see "I'm Huntereb from Nintendo!". B-)

You can't do that with just QR. You'd have to edit your own Mii.
Also aren't those Miis spotpass only?
 
