3DS Save File Hacking Discussion Thread

Discussion in '3DS - Flashcards & Custom Firmwares' started by Kentoss, Apr 1, 2011.

Apr 1, 2011
  1. Kentoss
    OP

    Member Kentoss GBAtemp Regular

    Joined:
    May 29, 2008
    Messages:
    137
    Location:
    Ontario, Canada
    Country:
    Canada
    So for those of us who splurged on an NDS Adaptor Plus and are able to rip save files from 3DS cartridges, let's get a proper thread going in regard to our findings within the save files themselves. I personally would like to learn more about them. This thread is for anyone who's genuinely interested in the same thing, and others are encouraged to contribute their findings and/or save files as well.

    As far as I'm aware, both Lego Star Wars III and Ridge Racer are encrypted (as discussed in another topic on this forum). Whether or not they follow the same encryption is yet to be seen. What I'd like to know is if ALL 3DS game saves are encrypted or if it's just the few we've looked at so far.

    List of Save File Downloads
    Lego Star Wars III:
    http://www.fileize.com/files/798bcd5b/83c/LSW3.zip - Kentoss (4 in a Zip file)

    My contribution comes from my NDS Adaptor Plus Review thread which ended up turning into a discussion about my Lego Star Wars III save file:

     
  2. 9th_Sage

    Member 9th_Sage GBAtemp Maniac

    Joined:
    Apr 30, 2008
    Messages:
    1,481
    Country:
    United States
    You might want to contact Crediar and/or Erant. It seems they are looking into this kind of thing currently (or at least Erant is for sure).

    From Crediar's twitter:
    Not sure what it'd be good for yet, but interesting just the same.
     
  3. DigitalDeviant

    Member DigitalDeviant GBAtemp Addict

    Joined:
    Feb 14, 2010
    Messages:
    2,002
    Location:
    Solar Federation
    Country:
    United States
    Buffer overflow hack, like the Twilight hack? I don't know, can anyone shed some light on the potential of a save hack?
     
  4. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,713
    Country:
    United Kingdom
    Possibly a bit of speculation in the following reply but I stand by it.

    Some existing work for the DSi, probably a fairly good springboard for this.
    http://dsibrew.org/wiki/DSiWare_VulnList

    Save file encryption can be twofold- on the one hand you have the signing and possible encryption that the 3DS hardware presumably does to all saves (the Wii does it and unless I am mistaken the DSi does it for DSi code at least (see some of the early hacks) and I see no reason for Nintendo to have regressed in such regards). This is hardware specific and traditionally happens with a per-console key (not much of a problem if you can share saves with your friends or otherwise transfer them if you can resign just one game- you can often "ban" or blacklist saves made with certain keys, with Microsoft and the earlier days of the 360 providing a good example- nowadays people tend to strip identifying code from it). Nothing stopping Nintendo from having multiple levels either (the PS3 and to some extent the Wii provide good examples here) and/or having parts hashed.

    On the other hand there is the developer encryption, checksums/hashing or possibly signing- this is the one that save hackers traditionally bypass or mess around with. Any would-be console hacker will probably have to do this as well. This can be anything: Nintendo might have provided a basic method in the 3DS SDK to do it and often they are very weak from a cryptographic standpoint (simple bytesums even) but we have seen developers use their own (custom or off the shelf) for years now. When doing the simple "change one thing to narrow down locations" method you usually see the minor changes in location, time and your chosen thing to change (coins in the example above) along with the save's new hash value.
    Such protections need not be whole-file either- it can be something like having a mirrored and inverted value. Cheat makers have to deal with this all the time where saves might not- this means save hackers, savestate hackers and cheat makers often feed from each other (the savestate hack usually derives from a cheat, and as the game will take the data from the memory as provided from a savestate and make it into a nice entirely valid save for you, and vice versa a save might be nice and simple with simple checks which allows you to inject whatever values you like into the memory (and the game happily sorts any counter-cheat methods for you and in doing so tends to light them up like a Christmas tree)).

    Some parts of the game can and do fall outside these "protections" though- in theory it only has to be the signature itself (you can not take the signature of the signature if you have not calculated it yet- if you can predict it your method is far far too weak to be useful) but in practice other things can fall outside it- sometimes it is beneficial (mainly as you do not have to decrypt it to read it) to say have a value for the names (character or user name), location, play time, gold count and whatever else you see on the "select your save to load" screen stored unchecked along with the hash/signature value, and this can be the exception for both sides of save protection. Exploitable errors here are ideal as it means you do not have to deal with much if anything on the save protection front. Best example here is some of the early Wii region-free hacks- parts of the header which included a measure of region protection (not all of it but some) went unsigned- or perhaps the shader/King Kong hack on the 360- here the code intended for the shader memory fell outside signing which helped with the exploit.

    I could go into detail about memory corruption but this guy does it better:
    http://www.ustream.tv/recorded/5167328
    Ignoring the lessons of the video above for a moment, the general idea is that buffer overflows require that the read commands use something like "stop when you get a 00" or some other stop command (a similar effect was used for the false signatures/Trucha bug for the Wii and a kind of similar thing was used at some lower levels of the 360 hacks- King Kong and the like). The hacker then comes along and removes the 00 and the game just keeps reading code (hopefully into the memory and even better hopefully overwriting the actual game code- your new instruction loads eventually and bam, you have yourself your own code running on the system (there are various tweaks and sometimes you might want to take out the stack, sometimes you might want to just change a pointer, sometimes you might want to wipe out a flag or set one and there are loads of other nice things you might want to do but the idea is the same)).
    This is OK if you do not have hostile code but if you are up against hackers you have to consider it hostile and code defensively- this is something some developers have trouble doing (such things are not necessarily taught in coding school and you are not usually hired by game developers for your defensive coding prowess but rather for your abilities to, say, animate sprites or generate 3D physics models) and as save data is more or less left up to developers who are on a deadline and maybe not skilled in countering hackers it usually provides an easy in (there are various counters Nintendo could have done- for one the 360 encrypts the entire memory with a new key generated at every boot so you can not just write good code to the memory, and various consoles have a so-called hypervisor that, if you code it for such a thing, should allow code to run but not trouble the higher system functions- the Wii, the 360 and the PS3 all have a measure of this but they have varying levels of effectiveness).

    Other things that might be useful are characters the game has no idea about (if your game say uses ASCII then the actual ASCII characters technically run from 20 to 7f but before and after that are other possibilities)- this is not quite as useful as it once was but still worth knowing about.
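    An added example, not code from any post in this thread or from any real game or console: a toy save layout built to show the two points made above, that a plain bytesum is cryptographically worthless as tamper evidence and that anything stored outside the checked region (the name/time/gold shown on the load screen) is effectively unprotected. The layout, offsets, key and field names are all constructed assumptions. The "strong" variant is what a developer would want instead: a keyed MAC over everything the game will trust, with the key held by the console rather than the save.

```python
import hmac
import hashlib
import struct

# Constructed toy save layout (an assumption for illustration only, not any real 3DS or game format):
#   header : 16-byte ASCII name (NUL padded) | u32 play_seconds | u32 gold       -> 24 bytes
#   body   : 256 bytes of opaque game state
#   trailer: u32 bytesum (the 'weak' scheme) | 32-byte HMAC-SHA256 (the 'strong' scheme)
NAME_LEN = 16
HEADER_LEN = 24
BODY_LEN = 256
SUM_LEN = 4
MAC_LEN = 32
# Demo key (constructed). A real console keeps its key in hardware, never inside the save.
KEY = b"constructed-demo-key-not-a-real-key"


def bytesum(data: bytes) -> int:
    """Plain sum of all bytes truncated to 32 bits: the weak checksum the post mentions."""
    return sum(data) & 0xFFFFFFFF


def build_save(name: str, play_seconds: int, gold: int, body: bytes) -> bytes:
    if len(body) != BODY_LEN:
        raise ValueError("body must be exactly BODY_LEN bytes")
    header = name.encode("ascii")[:NAME_LEN].ljust(NAME_LEN, b"\0")
    header += struct.pack("<II", play_seconds, gold)
    # Weak scheme: bytesum over the body only. The header (name, time, gold) is
    # stored unchecked, exactly the kind of gap described in the post.
    weak = struct.pack("<I", bytesum(body))
    # Strong scheme: keyed MAC over everything up to the MAC itself, header included.
    strong = hmac.new(KEY, header + body + weak, hashlib.sha256).digest()
    return header + body + weak + strong


def verify_weak(save: bytes) -> bool:
    body = save[HEADER_LEN:HEADER_LEN + BODY_LEN]
    stored = struct.unpack_from("<I", save, HEADER_LEN + BODY_LEN)[0]
    return bytesum(body) == stored


def verify_strong(save: bytes) -> bool:
    covered = save[:HEADER_LEN + BODY_LEN + SUM_LEN]
    stored = save[HEADER_LEN + BODY_LEN + SUM_LEN:]
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()
    # Constant-time compare; a plain == would leak how many leading bytes matched.
    return len(stored) == MAC_LEN and hmac.compare_digest(expected, stored)


def with_gold(save: bytes, gold: int) -> bytes:
    """Rewrite only the unchecked header gold field (simulated tampering)."""
    return save[:NAME_LEN + 4] + struct.pack("<I", gold) + save[HEADER_LEN:]


def with_compensated_body_edit(save: bytes) -> bytes:
    """Raise body[0] by one and lower body[1] by one; the bytesum is unchanged
    (assumes neither byte wraps, which holds for the demo body below)."""
    b = bytearray(save)
    b[HEADER_LEN] = (b[HEADER_LEN] + 1) & 0xFF
    b[HEADER_LEN + 1] = (b[HEADER_LEN + 1] - 1) & 0xFF
    return bytes(b)


def demo():
    """Return (bytesum_passes, keyed_mac_passes) for the original and two edited copies."""
    original = build_save("PLAYER1", 3600, 100, bytes(range(BODY_LEN)))
    gold_edit = with_gold(original, 999999)
    body_edit = with_compensated_body_edit(original)
    return {
        "original": (verify_weak(original), verify_strong(original)),
        "header_edit": (verify_weak(gold_edit), verify_strong(gold_edit)),
        "body_edit": (verify_weak(body_edit), verify_strong(body_edit)),
    }


if __name__ == "__main__":
    for label, (weak_ok, strong_ok) in demo().items():
        print(f"{label:12s} bytesum-over-body passes: {weak_ok!s:5}  keyed-MAC-over-all passes: {strong_ok}")
```

    Running it shows the bytesum accepting both edited saves (the header was never covered, and two body bytes moved in opposite directions sum to the same value) while the keyed MAC rejects both; that is the difference between a checksum that only catches accidental corruption and an integrity check that also catches deliberate edits.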
     
  5. spiritofcat

    Member spiritofcat GBAtemp Advanced Fan

    Joined:
    Dec 20, 2007
    Messages:
    577
    Country:
    Australia
    I haven't played this game, but I know that in a lot of other LEGO Star Wars games there are objects in the hub area that you can smash to earn coins.
    If you wanted to make two saves as similar as possible to each other then it might be better to just smash one object and collect one coin so that only your coin count changes and the state of the shop is left exactly the same.
     
  6. Kentoss
    OP

    Member Kentoss GBAtemp Regular

    Joined:
    May 29, 2008
    Messages:
    137
    Location:
    Ontario, Canada
    Country:
    Canada
    @spiritofcat: Yeah there are items I can smash, but the problem is I can't save the game without buying something. Unless I'm missing the option somewhere lol

    @FAST6191: Thanks a lot for all the info, some tidbits in there that I was not entirely sure of. I'm gonna keep searching and doing comparisons to see if I can find anything conclusive, but I would love to have something else to compare my findings to (such as another game's save file entirely), so I'll probably end up picking up another 3DS game to play around with. That way I can at least figure out if the encryption is done per-developer or is a system-wide function.

    At this point I'm not 100% interested in decryption and dissection for the sake of a possible hack, even though that would be nice; I'm more interested in simply how it works at this point. Figuring this out could lead to clues as to how the rest of the system works in exchange.

    At any rate I just got home from work, so I'll be poking around a bit more to see if I can come up with anything.
     