3DS Save File Hacking Discussion Thread

Kentoss

So for those of us who splurged on an NDS Adaptor Plus and are able to rip save files from 3DS cartridges, let's get a proper thread going in regards to our findings found within the save files themselves. I personally would like to learn more about them. This thread is for anyone who's genuinely interested in the same thing, and others are encouraged to contribute their findings and/or save files as well.

As far as I'm aware, both Lego Star Wars III and Ridge Racer are encrypted (as discussed in another topic on this forum). Whether or not they follow the same encryption is yet to be seen. What I'd like to know is if ALL 3DS game saves are encrypted or if it's just the few we've looked at so far.

List of Save File Downloads
Lego Star Wars III:
http://www.fileize.com/files/798bcd5b/83c/LSW3.zip - Kentoss (4 in a Zip file)

My contribution comes from my NDS Adaptor Plus Review thread which ended up turning into a discussion about my Lego Star Wars III save file:

Kentoss said:
I did a bunch more searching but I still can't find anything that says it's not encrypted. Could just be the game though.

If anyone wants to take a look at my Lego Star Wars III save file, you can download it from here:

http://www.fileize.com/files/aad8011d/90e/...ar_Wars_III.zip

It is an EEPROM, according to NDS Adaptor Plus, and I have 15680 coins on it. I know Lego games don't use the last digit so I also looked around for just 1568 in hex but still couldn't find anything, or any combination thereof.
-------
I'm going to save my game up and then run some save file comparisons to see where the changes are being made. I'm going to try to limit the changes to my coins only. I'll post the results.

Edit:

Far too much changes, even if all I'm doing is buying a 500 point hint. I'm going to keep hunting, but due to the fact that there's a lot going on I'm not holding out hope for a quick discovery.

Edit 2:

I managed to get 2 save files that are relatively close to one another. There's still a lot going on every time I save the game, despite the small change I make, but at least I'm a bit closer. I figure if I can find the offset that the coin value is stored at I can play with it and see what happens, then record the results. See if there's some kind of pattern to it.

Sub Edit: I don't know why I didn't do this sooner, but if anyone wants to take a look with me, here are the 4 save files I've ripped so far:

http://www.fileize.com/files/798bcd5b/83c/LSW3.zip

3 and 4 are the most alike. The first one on there was saved coming out of story mode, the rest were saved after buying a 500 coin hint.

LSW3(1): 89550 coins
LSW3(2): 89050 coins
LSW3(3): 88550 coins
LSW3(4): 88050 coins

Comparisons seem to indicate huge blocks of data being shifted, inserted, removed and replaced upon each save.
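The comparison approach described in this post, as an added example that is not from the thread or any real tool: diff two dumps to list the byte runs that changed, then search one dump for the known coin total in several integer encodings. The two 64-byte "saves" are constructed (an assumed layout, not the real LSW3 format) so the script runs offline.

```python
import struct

def diff_ranges(a: bytes, b: bytes):
    """Return [(offset, length)] runs where the two dumps differ."""
    n = min(len(a), len(b))
    runs, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    if len(a) != len(b):                     # a size change is a difference too
        runs.append((n, abs(len(a) - len(b))))
    return runs

def encodings(value: int):
    """Candidate byte patterns: 16/32-bit, both endians, for the value
    and for value // 10 (the thread notes Lego games ignore the last digit)."""
    cands = {}
    for v, tag in ((value, ""), (value // 10, "/10")):
        for fmt, name in (("<H", "u16le"), (">H", "u16be"), ("<I", "u32le"), (">I", "u32be")):
            try:
                cands[name + tag] = struct.pack(fmt, v)
            except struct.error:             # value does not fit this width
                pass
    return cands

def find_value(data: bytes, value: int):
    """Return {encoding: [offsets]} for every candidate pattern present."""
    hits = {}
    for name, pat in encodings(value).items():
        offs = [i for i in range(len(data) - len(pat) + 1) if data[i:i + len(pat)] == pat]
        if offs:
            hits[name] = offs
    return hits

# Constructed 64-byte "saves" (assumption, not the real LSW3 layout): a u32le
# coin counter at 0x10 and a one-byte sum at 0x3f that changes along with it.
def make_save(coins: int) -> bytes:
    body = bytearray(63)
    body[0x10:0x14] = struct.pack("<I", coins)
    return bytes(body) + bytes([sum(body) & 0xFF])
SAVE_A, SAVE_B = make_save(89550), make_save(89050)   # two of the coin totals above
if __name__ == "__main__":
    print("differing runs:", diff_ranges(SAVE_A, SAVE_B))     # [(16, 2), (63, 1)]
    print("coin value found at:", find_value(SAVE_B, 89050))  # {'u32le': [16]}
```

On a real dump with shifting blocks, a second run (the checksum or a moved block) will show up alongside the coin field, which is the "lot going on" the post describes.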
 

9th_Sage

Well-Known Member
Member
Joined
Apr 30, 2008
Messages
1,481
Trophies
0
Website
twitter.com
XP
104
Country
United States
You might want to contact Crediar and/or Erant. It seems they are looking into this kind of thing currently (or at least Erant is for sure).

From Crediar's twitter:
QUOTE said:
Good news everyone! Erant found a slight flaw in the savefile encryption of Ridge Racer! Line 405 is my nick
http://bit.ly/g4SNUR
Not sure what it'd be good for yet, but interesting just the same.
 

DigitalDeviant

Well-Known Member
Member
Joined
Feb 14, 2010
Messages
2,082
Trophies
1
Location
Solar Federation
Website
Visit site
XP
704
Country
United States
9th_Sage said:
You might want to contact Crediar and/or Erant. It seems they are looking into this kind of thing currently (or at least Erant is for sure).

From Crediar's twitter:
QUOTE said:
Good news everyone! Erant found a slight flaw in the savefile encryption of Ridge Racer! Line 405 is my nick
http://bit.ly/g4SNUR
Not sure what it'd be good for yet, but interesting just the same.

A buffer overflow hack, like the Twilight Hack? I don't know; can anyone shed some light on the potential of a save hack?
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,321
Country
United Kingdom
Possibly a bit of speculation in the following reply but I stand by it.

Some existing work for the DSi, probably a fair good springboard for this.
http://dsibrew.org/wiki/DSiWare_VulnList

Save file encryption can be twofold. One, you have the signing and possible encryption that the 3DS hardware presumably does to all saves (the Wii does it and, unless I am mistaken, the DSi does it for DSi code at least (see some of the early hacks), and I see no reason for Nintendo to have regressed in such regards). This is hardware specific and traditionally happens with a per-console key (not much of a problem if you can share saves with your friends or otherwise transfer them if you can resign just one game; you can often "ban" or blacklist saves made with certain keys, with Microsoft and the earlier days of the 360 providing a good example; nowadays people tend to strip identifying code from it). Nothing stopping Nintendo from having multiple levels either (the PS3 and to some extent the Wii provide good examples here) and/or having parts hashed.

On the other hand there is the developer encryption, checksums/hashing or possibly signing; this is the one that save hackers traditionally bypass or mess around with. Any would-be console hacker will probably have to do this as well. This can be anything. Nintendo might have provided a basic method in the 3DS SDK to do it, and often they are very weak from a cryptographic standpoint (simple bytesums even), but we have seen developers use their own (custom or off the shelf) for years now. When doing the "simple change to narrow down locations" method you usually see the minor changes in location, time and your chosen thing to change (coins in the example above) along with the save's new hash value.
Such protections need not be whole-file either; it can be something like having a mirrored and inverted value. Cheat makers have to deal with this all the time where saves might not. This means save hackers, savestate hackers and cheat makers often feed from each other (the savestate hack usually derives from a cheat, as the game will take the data from the memory as provided from a savestate and make it into a nice, entirely valid save for you; and vice versa, a save might be nice and simple with simple checks, which allows you to inject whatever values you like into the memory, and the game happily sorts any counter-cheat methods for you and in doing so tends to light them up like a Christmas tree).

Some parts of the game can and do fall outside these "protections" though. In theory it only has to be the signature itself (you can not take the signature of the signature if you have not calculated it yet; if you can predict it, your method is far, far too weak to be useful), but in practice other things can fall outside it. Sometimes it is beneficial (mainly as you do not have to decrypt it to read it) to, say, have a value for the names (character or user name), location, play time, gold count and whatever else you see on the "select your save to load" screen stored unchecked along with the hash/signature value, and this can be the exception for both sides of save protection. Exploitable errors here are ideal as it means you do not have to deal with much, if anything, on the save protection front. Best example here is some of the early Wii region-free hacks: parts of the header which included a measure of region protection (not all of it but some) went unsigned. Or perhaps the shader/King Kong hack on the 360: here the code intended for the shader memory fell outside signing, which helped with the exploit.

I could go into detail about memory corruption but this guy does it better:
http://www.ustream.tv/recorded/5167328
Ignoring the lessons of the video above for a moment, the general idea is that buffer overflows require that the read commands use something like "stop when you get a 00" or some other stop command (a similar effect was used for the false signatures/Trucha bug for the Wii, and a kind of similar thing was used at some lower levels of the 360 hacks, King Kong and the like). The hacker then comes along and removes the 00 and the game just keeps reading code (hopefully into the memory, and even better hopefully overwriting the actual game code; your new instruction loads eventually and bam, you have yourself your own code running on the system). There are various tweaks: sometimes you might want to take out the stack, sometimes you might want to just change a pointer, sometimes you might want to wipe out a flag or set one, and there are loads of other nice things you might want to do, but the idea is the same.
This is OK if you do not have hostile code, but if you are up against hackers you have to consider it hostile and code defensively. This some developers have trouble doing (such things are not necessarily taught in coding school, and you are not usually hired by game developers for your defensive coding prowess rather than your abilities to, say, animate sprites or generate 3D physics models), and as save data is more or less left up to developers who are on a deadline and maybe not skilled in countering hackers, it usually provides an easy in. (There are various counters Nintendo could have done: for one, the 360 encrypts the entire memory with a new key generated at every boot, so you can not just write good code to the memory; various consoles have a so-called hypervisor that, if you code it for such a thing, should allow code to run but not trouble the higher system functions. The Wii, the 360 and the PS3 all have a measure of this, but they have varying levels of effectiveness.)

Other things that might be useful are characters the game has no idea about (if your game, say, uses ASCII, then actual ASCII characters technically run from 20 to 7f, but before and after that are other possibilities). This is not quite as useful as it once was but still worth knowing about.
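The two kinds of developer-side check named above (a simple bytesum and a mirrored, inverted value) beside a keyed check, as an added example that is not from the thread or any real SDK. The layout, offsets and key are constructed for the demo; the point it shows is that anything computable from the file alone gives no integrity, while the HMAC needs a secret the file never carries.

```python
import hmac, hashlib, struct

# Toy layout (an assumption for the demo, not any real game's format).
COIN_OFF, MIRROR_OFF, SUM_OFF, MAC_OFF, SAVE_LEN = 0x10, 0x14, 0x1F, 0x20, 0x40
MASK = 0xFFFFFFFF

def build_save(coins: int, key: bytes) -> bytes:
    """Write coins plus an inverted mirror, a byte-sum, and a keyed HMAC."""
    body = bytearray(SAVE_LEN)
    body[COIN_OFF:COIN_OFF + 4] = struct.pack("<I", coins)
    body[MIRROR_OFF:MIRROR_OFF + 4] = struct.pack("<I", coins ^ MASK)   # mirrored, inverted copy
    body[SUM_OFF] = sum(body[:SUM_OFF]) & 0xFF                           # simple byte-sum
    body[MAC_OFF:MAC_OFF + 32] = hmac.new(key, bytes(body[:MAC_OFF]), hashlib.sha256).digest()
    return bytes(body)

def weak_checks_pass(save: bytes) -> bool:
    """Both developer-style checks are functions of the file alone: no secret needed."""
    coins, = struct.unpack_from("<I", save, COIN_OFF)
    mirror, = struct.unpack_from("<I", save, MIRROR_OFF)
    return mirror == coins ^ MASK and save[SUM_OFF] == sum(save[:SUM_OFF]) & 0xFF

def mac_passes(save: bytes, key: bytes) -> bool:
    """The keyed check needs the key, which the file never carries."""
    expected = hmac.new(key, save[:MAC_OFF], hashlib.sha256).digest()
    return hmac.compare_digest(expected, save[MAC_OFF:MAC_OFF + 32])

def set_coins(save: bytes, coins: int) -> bytes:
    """Change only the coin field, the way a first diff-and-edit attempt would."""
    edited = bytearray(save)
    edited[COIN_OFF:COIN_OFF + 4] = struct.pack("<I", coins)
    return bytes(edited)

def refresh_unkeyed(save: bytes) -> bytes:
    """Recompute mirror and sum from the file's own contents; the MAC cannot be redone this way."""
    body = bytearray(save)
    coins, = struct.unpack_from("<I", body, COIN_OFF)
    body[MIRROR_OFF:MIRROR_OFF + 4] = struct.pack("<I", coins ^ MASK)
    body[SUM_OFF] = sum(body[:SUM_OFF]) & 0xFF
    return bytes(body)

KEY = b"constructed-demo-key"           # stands in for a per-console or SDK secret
if __name__ == "__main__":
    good = build_save(89550, KEY)
    edited = refresh_unkeyed(set_coins(good, 88050))
    print(weak_checks_pass(edited), mac_passes(edited, KEY))   # True False
```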
 

spiritofcat

Well-Known Member
Member
Joined
Dec 20, 2007
Messages
577
Trophies
0
XP
202
Country
Kentoss said:
3 and 4 are the most alike. The first one on there was saved coming out of story mode, the rest were saved after buying a 500 coin hint.

LSW3(1): 89550 coins
LSW3(2): 89050 coins
LSW3(3): 88550 coins
LSW3(4): 88050 coins

Comparisons seem to indicate huge blocks of data being shifted, inserted, removed and replaced upon each save.
I haven't played this game, but I know that in a lot of other LEGO Star Wars games there are objects in the hub area that you can smash to earn coins.
If you wanted to make two saves as similar as possible to each other then it might be better to just smash one object and collect one coin so that only your coin count changes and the state of the shop is left exactly the same.
 

Kentoss

Well-Known Member
OP
Member
Joined
May 29, 2008
Messages
137
Trophies
0
Age
33
Location
Ontario, Canada
XP
247
Country
Canada
@spiritofcat: Yeah there are items I can smash, but the problem is I can't save the game without buying something. Unless I'm missing the option somewhere lol

@FAST6191: Thanks a lot for all the info, some tidbits in there that I was not entirely sure of.
I'm gonna keep searching and doing comparisons to see if I can find anything conclusive, but I would love to have something else to compare my findings to (such as another game's save file entirely), so I'll probably end up picking up another 3DS game to play around with. That way I can at least figure out if the encryption is done per-developer or is a system-wide function.

At this point I'm not 100% interested in decryption and dissection for the sake of a possible hack, even though that would be nice; I'm more interested in simply how it works at this point. Figuring this out could lead to clues as to how the rest of the system works in exchange.

At any rate I just got home from work, so I'll be poking around a bit more to see if I can come up with anything.
 
