Crashmo QR data research thread

Discussion in '3DS - Flashcards & Custom Firmwares' started by elisherer, Nov 3, 2012.

Nov 3, 2012
  1. elisherer
    OP

    Member elisherer I ♥ 3DS

    Joined:
    Dec 16, 2009
    Messages:
    778
    Location:
    3dbrew.org
    Country:
    Israel

    Hello there,

    As we did when Pushmo was out, now we have the mission of figuring out how Crashmo works to enable the PC level editor (and by that enable importing images and stuff to the game).

    Official level editor: INTELLIGENT level editor (this will work as an all around editor for these games)

    I'll present here what we know and hope to keep it updated:

    Endianness: Little Endian (Intel, lowest byte first)

    QR Data

    0x00000AAD - Magic (like pushmo had 0x068D)
    0x00000001 - uint32 (always 1, probably version) (was zero on pushmo)
    0x???????? - uint32 size of the compressed data
    [Data] - 720 bytes compressed with LZ10 (starts with 0x10)

    Data

    Code:
    {
        char[4] Magic        // MTUA
        byte[4] CustomCrc32
        uint32 Unknown1        // always = 7
        byte[16] Zeros0
        byte[22] Author        // UTF-16 string
        byte[34] LevelName    // UTF-16 string
        byte Zero1        // ??
        uint32 Difficulty
        byte[7] Unknown3    // = 042C0920010000
        byte[10] PaletteData
        byte[6] Zeros2
        uint32 Flags
        CrashmoPosition FlagPosition
        CrashmoPosition[21] Utilities
        byte[0x200] LevelData
        byte Protection        // 4-locked, 3-open
        byte[3] Footer        // = FAFF0F
    } //4+4+4+16+22+34+1+4+7+10+6+4+4+21*4+0x200+1+3 = 720 bytes
    Code:
    CrashmoPosition {
        uint16 Pos  // x = bits 12..16 , y = bits 7..11 *negated*
        byte Type    // 1 = flag, 2 = manhole, 3 = shiftswitches, 4 = doors, 5 = cloud
        byte Flags
        // for manholes & doors it's the color 0=red, 1=yellow...
        // for shiftswitches it's the color (1st nibble) from the palette, 2nd nibble = direction (push, pull, left, right).
        // for flag & clouds it's nothing
    }
    You can find the files I worked on here

    Open questions:

    [Answered: 5] 1. (Clouds) How many clouds can be put on a map?
    2. (Clouds) In the Crashmo Studio, what happens when you put a cloud on an empty space?
    3. (Switches) In the Crashmo Studio, how are switches used? Do they have a color? Do you rotate them?
    [Answered: 4 one for each direction] 4. (Switches) How many can be put on the map?
    [Answered: 3 & 3] 5. (Doors+Manholes) How many colors are there?
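
    A bounds-checked reader for the QR container described in this post, as an added example (not code from the thread or from the level editor). It assumes the usual LZ10 token layout (flag bits MSB first, 2-byte back-references) and that the size field counts the whole LZ10 stream starting at offset 0xC; the function names and the sample bytes are made up for the example.

```python
import struct

QR_MAGIC, QR_VERSION, LEVEL_SIZE = 0x0AAD, 1, 720   # values quoted in the post

def lz10_decompress(src, max_out=LEVEL_SIZE):
    """Decode an LZ10 stream; reject oversize, truncated or out-of-range input."""
    if len(src) < 4 or src[0] != 0x10:
        raise ValueError("not an LZ10 stream")
    size = int.from_bytes(src[1:4], "little")
    if size > max_out:
        raise ValueError("declared size exceeds limit")
    out, pos = bytearray(), 4
    try:
        while len(out) < size:
            flags, pos = src[pos], pos + 1
            for bit in range(7, -1, -1):          # flag bits, MSB first
                if len(out) >= size:
                    break
                if flags >> bit & 1:              # back-reference (2 bytes)
                    b1, b2, pos = src[pos], src[pos + 1], pos + 2
                    length, disp = (b1 >> 4) + 3, ((b1 & 0xF) << 8 | b2) + 1
                    if disp > len(out):
                        raise ValueError("back-reference before start of output")
                    for _ in range(min(length, size - len(out))):
                        out.append(out[-disp])
                else:                             # literal byte
                    out.append(src[pos])
                    pos += 1
    except IndexError:
        raise ValueError("truncated stream") from None
    return bytes(out)

def parse_qr(blob):
    """Validate the 12-byte header, decompress, and sanity-check the record."""
    if len(blob) < 12:
        raise ValueError("short header")
    magic, version, csize = struct.unpack_from("<III", blob, 0)
    if (magic, version) != (QR_MAGIC, QR_VERSION) or csize > len(blob) - 12:
        raise ValueError("bad header")
    level = lz10_decompress(blob[12:12 + csize])
    if len(level) != LEVEL_SIZE or level[:4] != b"MTUA" or level[-3:] != b"\xFA\xFF\x0F":
        raise ValueError("not a Crashmo level record")
    return level

# Constructed sample: "MTUA", 713 zero bytes, footer FA FF 0F, hand-packed as LZ10.
REF18 = b"\xF0\x00"                               # copy 18 bytes from distance 1
SAMPLE_LZ = (b"\x10\xD0\x02\x00" + b"\x07MTUA\x00" + REF18 * 3
             + (b"\xFF" + REF18 * 8) * 4
             + b"\xF8" + REF18 * 4 + b"\x70\x00" + b"\xFA\xFF\x0F")
SAMPLE_QR = struct.pack("<III", QR_MAGIC, QR_VERSION, len(SAMPLE_LZ)) + SAMPLE_LZ
```

    The declared-size cap and the back-reference check are what keep a malformed QR payload from expanding past 720 bytes or reading before the start of the output buffer.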
     


  2. celcodioc

    Member celcodioc Major A$$hole

    Joined:
    Nov 13, 2011
    Messages:
    278
    Country:
    Sweden
    Didn't you say it wasn't lz10? :P
    Anyway, I don't have anything data-related to add here, but interestingly setting the difficulty byte to certain values in Pushmo would display strings such as "Excellent" and even messages that are too long to fit in the difficulty text box (which, IIRC, is 60x240 px) suggesting that it actually is a string identifier (or some kind of overflow but I highly doubt it is).
     
  3. elisherer
    OP

    Yeah, I thought it wasn't LZ10 because it didn't start with 0x10 like the pyramids QR codes did. But then I noticed the 0x10 was at offset 0xC, so after trying to decompress it from there it worked... (with some help from #3dsdev, I might add)
     
  4. elisherer
    OP

    Apparently, cloud blocks (floating blocks) are like a pin, meaning that one cloud affects the entire one-colored block it stands on.
    I would have to make a flood fill for the visible effect.

    p.s. the crc32 position is verified
     
  5. elisherer
    OP

    Can someone help figure out how they encode the x,y position of the utilities:

    [​IMG]

    This is a picture of link with the utilities positions written in the middle.

    Blue - Flag
    Red - Red Ladder
    Yellow - Yellow Ladder
    Grey - Clouds

    On the right is the decoded information from the QR code.
    The right column is readable: 0x1, 0x2, 0x5 mean the type of utility, and the 0x1 on the manhole is the color (probably yellow, not sure).

    To encode the position you'll need 10 bits, 5 for x, 5 for y, so a byte isn't enough (8 bits), so they need 2 more bits, hence the extra byte which uses only
    the 2 LSBs (values=0,1,2,3), but I can't figure out how they did it...

    thanks for the helpers...
     
  6. celcodioc

    The method or the code they used to do it?
     
  7. elisherer
    OP

    Never mind... figured it out...

    uint16 = 0000 00zz zzzx xxxx (binary representation)

    x is just clear x
    z is y negated...

    sneaky nintendo :wacko:

    EDIT:
    Code:
    in the example above:
     
    Flag = 0x0353 = 0b0000 0011 0101 0011
     
    0b0000 0011 0101 0011
    0b0000 00zz zzzx xxxx
     
    x = 0b10011 = 19
    z = 0b11010 = 26
    y = neg(z) = 0b00101 = 5
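
    A decoder for the 21-entry Utilities array using the bit layout worked out in this post and the CrashmoPosition fields from the first post, as an added example (not code from the thread). Treating type 0 as an unused slot is an assumption, the function names are made up, and the manhole and cloud in the sample are constructed; only the flag value 0x0353 comes from the post.

```python
import struct

TYPES = {1: "flag", 2: "manhole", 3: "shiftswitch", 4: "door", 5: "cloud"}

def decode_pos(pos):
    """uint16 laid out as 0000 00zz zzzx xxxx; z is y with its 5 bits inverted."""
    if pos >> 10:
        raise ValueError("upper six bits must be zero")
    return pos & 0x1F, ~(pos >> 5) & 0x1F

def encode_pos(x, y):
    """Inverse of decode_pos, rejecting coordinates that do not fit in 5 bits."""
    if not (0 <= x < 32 and 0 <= y < 32):
        raise ValueError("coordinate out of range")
    return (~y & 0x1F) << 5 | x

def parse_utilities(raw):
    """Decode 21 CrashmoPosition entries (uint16 Pos, byte Type, byte Flags)."""
    if len(raw) != 21 * 4:
        raise ValueError("expected 84 bytes")
    found = []
    for pos, kind, flags in struct.iter_unpack("<HBB", raw):
        if kind == 0:                  # assumption: type 0 marks an unused slot
            continue
        if kind not in TYPES:
            raise ValueError(f"unknown utility type {kind}")
        x, y = decode_pos(pos)
        found.append({"type": TYPES[kind], "x": x, "y": y, "flags": flags})
    return found

# Constructed sample: the flag from the post (0x0353), then a made-up
# yellow manhole at (3, 30) and a cloud at (7, 12); the other 18 slots are empty.
SAMPLE = (struct.pack("<HBB", 0x0353, 1, 0)
          + struct.pack("<HBB", encode_pos(3, 30), 2, 1)
          + struct.pack("<HBB", encode_pos(7, 12), 5, 0)
          + bytes(18 * 4))
```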
     
  8. elisherer
    OP

    Helpers / Beta testers needed for help creating a level editor...

    Requirements: have (or getting) the game!
     
  9. elisherer
    OP

    The level editor is almost done. It can read Crashmo levels already and edit them, but not save them, because I need the CRC32 method.

    Anybody care to help?
     
  10. celcodioc

    Sure, but I don't have access to gadgets in the studio, I'm on puzzle #25.
     
  11. Immortal_no1

    Member Immortal_no1 GBAtemp Regular

    Joined:
    Jul 17, 2003
    Messages:
    266
    Country:
    United Kingdom
    I'll give it a go. Have you determined whether or not the CRC just covers the Data partition of the QR code? Seems like it's almost complete, and there I was just starting out.
     
  12. elisherer
    OP

    Judging from Pushmo, it covers all the data after the CRC32... but I could be wrong...
    It isn't the same CRC as Pushmo's, from the tryouts I made...
    I could easily make a hacked QR code by XORing 2 bin files and compressing them back... maybe we could start from that...
    because if for DATA1 there is CRC1 and for DATA2 there is CRC2, then for DATA1(xor)DATA2 there is CRC1(xor)CRC2.
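
    The XOR relation from this post, checked in code as an added example (not from the thread). The game's CRC parameters are not given on the page, so zlib's CRC-32 polynomial, initial value and final XOR stand in for them, and DATA1/DATA2 are constructed 712-byte buffers. The relation holds exactly when the initial value and final XOR are both zero; otherwise one constant term appears, the CRC of an all-zero message of the same length.

```python
import zlib

def crc32(data, init=0xFFFFFFFF, xorout=0xFFFFFFFF, poly=0xEDB88320):
    """Bitwise reflected CRC-32; the default parameters reproduce zlib.crc32."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (poly if crc & 1 else 0)
    return crc ^ xorout

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("the relation only applies to equal-length inputs")
    return bytes(p ^ q for p, q in zip(a, b))

def xor_relation(d1, d2, **params):
    """Return (crc(d1^d2), crc(d1)^crc(d2), crc(all-zero message of same length))."""
    mixed = crc32(xor_bytes(d1, d2), **params)
    combined = crc32(d1, **params) ^ crc32(d2, **params)
    return mixed, combined, crc32(bytes(len(d1)), **params)

# Constructed stand-ins for two level bodies (720 bytes minus magic and CRC field).
DATA1 = bytes((i * 7 + 3) & 0xFF for i in range(712))
DATA2 = bytes((i * 13 + 5) & 0xFF for i in range(712))

def check():
    lin = xor_relation(DATA1, DATA2, init=0, xorout=0)   # purely linear CRC
    std = xor_relation(DATA1, DATA2)                     # zlib-style init/xorout
    return {
        "matches_zlib": crc32(DATA1) == zlib.crc32(DATA1),
        "linear_holds": lin[0] == lin[1],
        "standard_holds": std[0] == std[1],
        "standard_with_constant": std[0] == std[1] ^ std[2],
    }
```

    Either way the checksum can be recomputed by anyone who knows its parameters, so it detects accidental corruption of a level rather than authenticating who made it.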
     
  13. elisherer
    OP

    Tried to make a hack.

    Try at your own risk. It should crash the game...

    cm_mario_xored_withheader_clean.png
     
  14. ground

    Member ground GBAtemp Advanced Fan

    Joined:
    Mar 22, 2007
    Messages:
    906
    Country:
    Netherlands
    I think a hack isn't going to work, according to the attempts with Pushmo.
     
  15. elisherer
    OP

    Yeah, I think so too, this is just for fun :)
     
  16. celcodioc

    "Something is wrong with this QR code, I can't read it" when reading the QR. But yeah, it shouldn't work anyway. It would be funny if Crashmo could be exploited even though Pushmo wasn't exploitable.
     
  17. morphius

    Member morphius The King of the Cosmos

    Joined:
    Nov 21, 2008
    Messages:
    298
    Country:
    United States
    Hey eli... got your msg on Swapnote. I can't get this game yet... not available till Nov 22 in the USA. PM me, maybe I can help w/o it.
     
  18. Immortal_no1

    Working on reproducing the CRC now. It appears to be a CRC32, but what the polynomials are I don't know; I'm leaving my PC to figure that out. After this run I'll let it do an Adler32 CRC and see if that's of any use. If none of those work then I'll change the endian of the data and the CRC and read from the end first to the beginning. Try to cover all the bases, or at least as many as I can.
     
  19. elisherer
    OP

  20. elisherer
    OP

    Got some breakthrough... I got the polynomial of the crc... now to figure out the xor values...
     
