Hacking [Question] Restoring save backup from before CFW

Kwyjor · Nov 17, 2018

Hmm. I apologize if I'm not giving useful advice. This is somewhat unexplored territory, made all the more complicated by all the outdated advice out there. Like I said, if you're weary of messing with this, steelminer is likely to cause far fewer headaches.

I did a little Googling and found this tidbit, which makes a lot of sense.
https://gbatemp.net/threads/help-in...her-3ds-for-new-2ds-xl-for-11-4.476340/page-3

I found that because I was thinking you may also be able to install oot3dhax directly with JKSM or Checkpoint: export the save on the cartridge and then import system.dat (from the export), save01.bin (a renamed copy of save0x.bin.usa from the offline installer) and payload.bin (the renamed otherapp.bin from Smea). But I'm not sure if that will work.

StageProps · Nov 17, 2018

I'm such an idiot. This whole time, I assumed steelminer required a paid game. I didn't realize Steel Diver received a freemium sequel. I'm downloading it on my friend's 3DS now. I blame ADHD for my singleminded pursuit of the most labyrinthine exploit method when a much easier one was mentioned several times in this topic and I didn't even look it up.

Part of me wants to pursue that oot3dhax-JKSM lead, since I feel so close to actually making it work and it would be kind of cool and satisfying to successfully navigate this uncharted territory, but maybe that's an adventure for another day. I'll update with how steelminer goes.

StageProps · Nov 17, 2018

OKAY. Man I wish I had just read up on steelminer. Sorry for wasting so much of y'all's time trying to get oot3dhax working. I now have my movable.sed. I can mount the SD card backup using fuse-3ds. However, I have no idea to get 3ds-save-tool working. I assume that, since I can mount the SD backup, the saves are now decrypted? But when I try to run python disa-extract.py on my .sav file I get "Error: Not a DISA format." Any ideas? Am I doing something wrong?

Kwyjor · Nov 17, 2018

Congratulations on making it this far. (Incidentally, what did you do to get Seedstarter working? The instructions mention something about selecting a target application, but I've not been quite clear on exactly what application should be targeted.)

Once you've mounted your SD card backup with fuse-3DS, you still need to copy the .sav file to somewhere else on your hard drive in order to actually decrypt it. Did you do that?

StageProps · Nov 17, 2018

Kwyjor said:
Congratulations on making it this far. (Incidentally, what did you do to get Seedstarter working? The instructions mention something about selecting a target application, but I've not been quite clear on exactly what application should be targeted.)

I had to add an xml file to the same directory as the seedstarter .3dsx that enabled app targeting, basically.

Kwyjor said:
Once you've mounted your SD card backup with fuse-3DS, you still need to copy the .sav file to somewhere else on your hard drive in order to actually decrypt it. Did you do that?

I've copied the folder structure containing the .sav files to my hard drive, yes. To be clear, the .sav files I copied are from the "backup" folder that my 3DS made when I backed the games up in the memory manager utility thing on the 3DS, PRIOR to hacking.

TurdPooCharger · Nov 17, 2018

StageProps said:
I had to add an xml file to the same directory as the seedstarter .3dsx that enabled app targeting, basically.

I've copied the folder structure containing the .sav files to my hard drive, yes. To be clear, the .sav files I copied are from the "backup" folder that my 3DS made when I backed the games up in the memory manager utility thing on the 3DS, PRIOR to hacking.

If you mounted your Nintendo 3DS folder with that movable.sed, look at some of the *.sav files in a hex editor. Use HxD if you never used one before.

Do they look like this?

StageProps · Nov 17, 2018

Ugh. No, they look like this:

It looks like they're still encrypted, which I don't understand. Fuse-3ds successfully mounts the SD card backup. When I open my movable.sed in a hex editor, it's mostly zeroed out, except at 0x110~0x11F. I don't think that reflects the structure of a normal movable.sed. I have no idea what the issue is. Edit: the same .sav file looks different if I open it in a hex editor straight from my SD card backup, unmounted, but it's still garbage like this. I don't see any DISA header or anything like that.

TurdPooCharger · Nov 17, 2018

StageProps said:
Ugh. No, they look like this:

It looks like they're still encrypted, which I don't understand. Fuse-3ds successfully mounts the SD card backup. When I open my movable.sed in a hex editor, it's mostly zeroed out, except at 0x110~0x11F. I don't think that reflects the structure of a normal movable.sed. I have no idea what the issue is.

That's because you received a stripped down version of the movable.sed for security reasons. That 0x110 to 0x11F portion is the keyY. This is the 0x10 bytes that controls encrypting your Nintendo 3DS folder. I was still working on the images in trying to show how that <ID0> is derived from that keyY.

Edit - Don't bother trying to copy that LocalFriendCodeSeed_B as it's fake.

Kwyjor · Nov 17, 2018

Your movable.sed should start with the word "SEED" if it was created correctly. (I might have expected fuse-3DS to give you an error message if it was lacking that.)

StageProps said:
I had to add an xml file to the same directory as the seedstarter .3dsx that enabled app targeting, basically.

There's that blurb in the Seedstarter readme about using "app takeover to get the required frd:u service", and I've wondered if it's picky about the app you select. But I suppose it isn't.

So let's be clear here: you started seedstarter.3dsx on your friend's 3DS, and you pressed B, and you got a file named [xxx]_part1.sed, where [xxx] is the friend code of your old 3DS, right? Was that file zeroed out?

TurdPooCharger · Nov 17, 2018

Kwyjor said:
Your movable.sed should start with the word "SEED" if it was created correctly. (I might have expected fuse-3DS to give you an error message if it was lacking that.)

There's that blurb in the Seedstarter readme about using "app takeover to get the required frd:u service", and I've wondered if it's picky about the app you select. But I suppose it isn't.

So let's be clear here: you started seedstarter.3dsx on your friend's 3DS, and you pressed B, and you got a file named [xxx]_part1.sed, where [xxx] is the friend code of your old 3DS, right? Was that file zeroed out?

I tested fuse-3ds a day ago, and the program is perfectly fine with a mostly blank movable.sed.

Decryption will work as long as:

(1) the keyY is correct and is located 0x110 to 0x11F
(2) the <ID0> matches that keyY (through a SHA-256 mathematical formula)
(3) the *.sav are located in the correct directories

Edit: <ID1> does not matter as long as it's correct character length.

StageProps · Nov 17, 2018

Kwyjor said:
So let's be clear here: you started seedstarter.3dsx on your friend's 3DS, and you pressed B, and you got a file named [xxx]_part1.sed, where [xxx] is the friend code of your old 3DS, right? Was that file zeroed out?

Yes, I generated a movable_part1.sed, where "movable" in the filename was initially my old friend code. When I open this file in a hex editor, it is almost entirely blank except for the first four bytes.

TurdPooCharger said:
I tested fuse-3ds a day ago, and the program is perfectly fine with a mostly blank movable.sed.

Decryption will work as long as:

(1) the keyY is correct and is located 0x110 to 0x11F
(2) the <ID0> matches that keyY (through a SHA-256 mathematical formula)
(3) the *.sav are located in the correct directories

Now this is interesting--my backups are nested in a "backup" folder my 3DS made. The structure is as follows:

Nintendo 3DS
- ID0
  - ID1 (?)
    - backup
      - 000
        
        TitleID
        
        00000001.sav
      - 001
        
        TitleID
        
        00000001.sav
      - 002
        
        TitleID
        
        00000001.sav

Would this folder structure interfere with the decryption in some way?

TurdPooCharger · Nov 17, 2018

StageProps said:
Yes, I generated a movable_part1.sed, where "movable" in the filename was initially my old friend code. When I open this file in a hex editor, it is almost entirely blank except for the first four bytes.

Now this is interesting--my backups are nested in a "backup" folder my 3DS made. The structure is as follows:

Nintendo 3DS

ID0

ID1 (?)

backup

000

TitleID

00000001.sav

001

TitleID

00000001.sav

002

TitleID

00000001.sav

Would this folder structure interfere with the decryption in some way?

YES THIS WILL MESS UP DECRYPTION!!!

How they should look like is this:

Nintendo 3DS/

<ID0>/

<ID1>/

title/

00040000/

<Title ID #1>/

content/
data/

00000001.sav

<Title ID #2>

content/
data/

00000001.sav
.
.
.

<Title ID #N>

content/
data/

00000001.sav

0004000e/

***

How to calculate <ID0> with the keyY

Using the (fake) movable.sed for example, here is how the <ID0> is derived from the keyY.

1. Calculate the SHA-256 hash of keyY.

keyY = 20 72 EE FA 02 00 00 00 CA E7 1A D2 F8 92 70 E1
SHA-256 hash = 3DA6C887153C51B388B23370357B606587476DEBC75ED52B57777FC747618717

2. Take the first half of that hash and discard the rest.

3DA6C887153C51B388B23370357B6065

3. Let's clean that up a bit by making those letters into lower cases. Use this website: https://convertcase.net/

3da6c887153c51b388b23370357b6065

4. Separate into four (4) equal sections and add spaces.

[3da6c887][153c51b3][88b23370][357b6065]
[3d a6 c8 87][15 3c 51 b3][88 b2 33 70][35 7b 60 65]

5. Flip the order within each of the sections.

[3d a6 c8 87][15 3c 51 b3][88 b2 33 70][35 7b 60 65]
[87 c8 a6 3d][b3 51 3c 15][70 33 b2 88][65 60 7b 35]

6. Remove the brackets [..] and spaces. This is the <ID0> derived from this keyY.

87c8a63db3513c157033b28865607b35

StageProps · Nov 17, 2018

My god. Thank you for being so patient. Okay. I looked in the title folder and located my ~~Animal Crossing~~ DQVII folder and the .sav within. I used 3ds-save-tool and it successfully extracted the .sav! I now have four files: cardinfo.bin, save000.bin, save001.bin, and system.bin. What do I need to do in JKSM to restore my save?

Thanks you so much! I'm so close!!!

TurdPooCharger · Nov 17, 2018

StageProps said:
My god. Thank you for being so patient. Okay. I looked in the title folder and located my Animal Crossing folder and the .sav within. I used 3ds-save-tool and it successfully extracted the .sav! I now have four files: cardinfo.bin, save000.bin, save001.bin, and system.bin. What do I need to do in JKSM to restore my save?

Thanks you so much! I'm so close!!!

Dude, I had serious doubts what you did worked after studying how one goes about retrieving the keyY. Although early to celebrate *knock on wood*, congrats!

***

Make blank backups in either Checkpoint or JKSM for the n3DS for those games. Look in their respective directories:

3ds/Checkpoint/saves
JKSV/Saves

There should be individual games and saves subfolders. You create a folder and drop in the decrypted save components into them.

Run the save manager again and restore.

Edit - Actually, something is really wrong. ACNL backed up save should be *.dat files.

StageProps · Nov 17, 2018

Wmw3gDoAaTkB_iZE4R1dB7_KhaFwiJQTCX5k-PGerTklhbY_azTf9xDMImWzNjjFparEL-ndpL5VghliB6cC_I2Cka2whDCasfKP4KU-YrHFwrDILD_WMyptlZniSQJpj3RCsfDVNLQimtBKLwK6ZbLSbcz8ew3HJ0OQxtmDEnU78GOMaELuWu5pOr5jOnd1xGaKqo_QZ9iH7_uVIelHhHu7eCZSIGeH1impKrU2twI2rMnrBbvjMKXCIJWfkGQS4wse6QTBNDqvJ3N_TdE39TTMY9LoBGWOzG8cXCRdG_F_1eCJLNfp24rq09iGhq76UDmgB64tEtieLX3AGys9YB2Zsnu4AaJofz3RRKqdNWXCGjYWRPHVQCyLxtfd6C1ApPABor8yOn7zeDq6MjItF4Rycq36MXUQJ9r2o1qbkM6xGCCJ_Q3dAFOuT95ZPc9064P-y3OQW6WrdsJQ3LJmBvPK5ivHZC2Fywxs3e6ubdah81iULL97tpgD4amW-ZmylbPp8xytxYp53HXbe96Hrv62albGu-F_BXjhQ3dlMJi9GVEG3uF7aAl2KDTkiDLocVRdqQpy54gRm3WWB2UrckpPUUGtjhcyIzqVkxV7jm_DHEQ8nBfMpPFk_z_tHOutnbm0QmgkZNywIuZvee-ubkZ0=w1541-h1156-no

I can't believe we actually managed this. I thought this data was just gone. Thank you both so much!

TurdPooCharger · Nov 17, 2018

StageProps said:
I can't believe we actually managed this. I thought this data was just gone. Thank you both so much!

This is all you and @Kwyjor, who really stuck through (but mostly you who did the heavy lifting).

Thank you for starting this thread, as I've now gotten the chance to study the movable.sed further and learned a thing or two about data recovery.

***

While not related to brute force seed mining per se, I did find out it's possible to retrieve the exact keyY after one does System Memory Format due to a single byte counter value change. This knowledge will make it possible in recovering data for those in this case scenario.

Kwyjor · Nov 18, 2018

StageProps said:
I can't believe we actually managed this. I thought this data was just gone. Thank you both so much!

This has been quite educational. Thanks for sticking around.

StageProps · Nov 19, 2018

Thanks again to both of you. For posterity, here's the method that actually worked:

Use the steelminer exploit on friend's 3DS, which had my old friend code (my N3DS's friend code before I used system transfer to hack it)
Once I had access to homebrew menu on my friend's 3DS, add seedstarter.3dsx and seedstarter.xml (containing the line <targets selectable="true"></targets>) to the 3ds folder on the root of their SD card
Launch seedstarter on friend's 3DS and press B to dump movable_part1.sed for people in the 3DS's friends list
Upload the movable_part1.sed corresponding to my N3DS to this website. Input N3DS's ID0, derived from the SD card backup of my N3DS
Using the movable.sed the site generates, mount N3DS's SD card backup in fuse-3ds.
NOTE: If the backups you want to restore are in a "backup" folder, enable writing before mounting in order to copy those .sav files into their proper locations
If SD card backup has a "backup" folder containing backup .sav files that your 3DS made, copy them into the proper folders (<ID0>\<ID1>\title\00040000\<Second part of title ID#>\data\).
NOTE: In the case of games where you need to uninstall them to get the 3DS to make a backup of the save (e.g., Animal Crossing: New Leaf), recreate the folder structure shown above using that game's title ID#, and copy the .sav into the data directory
Download 3ds-save-tool. Use the commands that extract decrypted save data to unpack the .sav files
On the N3DS, install JKSM and make blank backups for the games whose backups you want to restore. This should create a JKSV folder on the root of the SD card, containing folders for each game it has backed up
Create new folders in each game's backup folder and drop the extracted saves into them. Open JKSM and restore

Hacking [Question] Restoring save backup from before CFW

Well-Known Member

Active Member

Active Member

Well-Known Member

Active Member

Meh.

Active Member

Meh.

Well-Known Member

Meh.

Active Member

Meh.

Active Member

Meh.

Active Member

Meh.

Well-Known Member

Active Member

Similar threads

Popular threads in this forum