Homebrew CTR-GCS 0.3 : Finally, transfer F-zero savegames!

[NikoozFreymouz]

My guess is that stats.bin is a 64 byte file, containing the directory entry (which is the header of the gci file) and the other file is the savegame data itself, but if that's right I don't think the conversion is wrong.

First things first: do the games work fine with NMM? I mean, do they create a new save and load it correctly afterwards? If it does you can try leaving the stats.bin created by dios mios and overwrite only the other file (the actual savegame data)

Also, have you tried other games? Do they work?

Anyway, as I said dios-mios is going to have gci importing-exporting capabilities (I don't know when though)

I MADE IT, I tried with the last version of GCMM and the 0.3b of ctr-gcs, i converted the files first with gci2nmm, then with DMLizard, the savegames worked fine. I think the previous version didn't work to be used with nmm. I don't know what corrections you added for this new one and gcmm, but it worked fine !

Thanks for all, if i have issues with other games I'll take you up to date !

 

[suloku]

I MADE IT, I tried with the last version of GCMM and the 0.3b of ctr-gcs, i converted the files first with gci2nmm, then with DMLizard, the savegames worked fine. I think the previous version didn't work to be used with nmm. I don't know what corrections you added for this new one and gcmm, but it worked fine !

Thanks for all, if i have issues with other games I'll take you up to date !

Then it's because I'm now using getstatusex and setstatusex, which makes an exact copy/restore of the directory entry (which is the gci header and if my guess is correct, the stats.bin file)
Glad it works

 

[NikoozFreymouz]

Then it's because I'm now using getstatusex and setstatusex, which makes an exact copy/restore of the directory entry (which is the gci header and if my guess is correct, the stats.bin file)
Glad it works

Ok I tried again with MGS Twin Snakes, and it did not work. It appears that the game also refuse to save with NMM on Dios Mios, so i could not create a save with it. I have 4 games saved on my memory card, when i extract them with ctr or gcmm i have 4 files. When i convert them with gci2nmm that makes me 4 files and 1 header. Or when i launch MGS, and i load my game, there is only 1 game recognized in spite of the 4.

I send you copies of my files, maybe you can see what's happening : MGSTSSaves.zip - 26 KB

 

[suloku]

It appears that the game also refuse to save with NMM on Dios Mios, so i could not create a save with it.

Then the problem is related to Dios Mios and I can't do nothing about it, report it in Dios Mios thread and maybe Creadiar will fix twin snakes in another Dios Mios version.

 

[NikoozFreymouz]

Then the problem is related to Dios Mios and I can't do nothing about it, report it in Dios Mios thread and maybe Creadiar will fix twin snakes in another Dios Mios version.

OK I'll copy/paste our conversation. Thanks for your help !

 

[suloku]

Some interesting news, just to keep them posted and see if someone discovers something:

F-zero (and probably the other protected savegames) DOESN'T use the flash ID of the memory card to identify it, it uses the card serial number.

Now, what is the serial number? I'ts an 8 byte long hexadecimal string (or number or whathever). I suspect the Flash ID (probably unscrambled) is used with the SRAM Bias to generate the serial number. I'll explain.

A card's header has this componentes:

Scrambled flash ID (12 bytes) + Time of format (8 bytes, it is used to descramble the flash ID and obtain the REAL flash ID of the card (which for unofficial cards it's always 12 zeroes)) + SRAM bias (4 bytes).

Well, these are the components that influence the serial number (as far as I know). Interesting fact: 2 different memory cards can theoretically have the same serial number, even though they have different flash IDs.

This means that If we find how the serial number is generated, then it will be possible to assign that serial number to a raw image (or .hdr file), making the f-zero savegame usable.

The use of .hdr files would be useful in order to not unnecessarily write all the card, just block 1.

I'm gonna continue research on this, but from wednesday onwards I'll only be able to test in dolphin...

BTW, here's an old post I had saved from tehskeen forums by jeremy654:

The dol that marc_max posted will tell you your memcard serial number. It is a hex string. One of my cards was ba c8 b7 da d5 d6 91 d5 (I added spaces to make it easier to read).

Looking in my f-zero save, I found the serial number. It was split up. ba c8 was at 20A6-20A7. b7 da was at 20A0-20A1. d5 d6 was at 75C0-75C1. 91 d5 was at 2240-2241.

I confirmed this by looking at f-zero saves from three different memory cards. The unique serial number for each card waw found in the same locations. I tried changing them for different memory cards, but it didn't work. That must be the checksum. I have no idea how checksums work, so if anyone else wants to take a crack at it, go for it. But at least we now know how to find the serial number. Good luck.

Also, If the f-zero save is backed up, I think it has to be restored to the same spot on the memory card, although I'm not entirely sure. I think I read something about this once. The block offset for all gc saves is supposed to be located at 0036-0037. This is the block on the memory card where the save begins. I tried changing this along with the serial number and I think I got the save file in the right spot, but it didn't work.

And if my explanation confused you, sorry, I don't know much about hex either.

As for other copy protected saves, Medal of Honor: Frontline and Fire Emblem are the only other games I have that appear to be copy protected. I can backup the fire emblem save to the sd card and transfer it to another memory card without problems. I'm not sure about the MoH save though.

Edit: serial number byte 4 is the sram language of cards header..
EDIT2: nope, byte 4 isn't the sram language, sram language influences byte 4, what happened is that in one of my cards what appears in serial number is the sram language.

// Serial in libogc
u8 serial[12]; //0x0000 12 ?
u64 formatTime; //0x000c 8 time of format (OSTime value)
u32 SramBias; //0x0014 4 sram bias at time of format
u32 SramLang; //0x0018 4 sram language
u8 Unk2[4]; //0x001c 4 ? almost always 0


The 4 unkwnown bytes have a rol in the 4 last bytes of the serial number

EDIT3: ok, after some testing I've found an "easy" way of setting a cards serial number

Sram bias affects the last 4 bytes of the serial number
Sram lang affects the first 4 bytes of the serial number

The 4 unkwnown bytes affect the same bytes as sram bias, but if set to 0 they are neutral.

The scrambled flash id first 8 bytes work as a base, then the remaining 4 bytes of flash id, format time, sram bias, sram lang and unknown modify it, either at the first 4 bytes or at the last 4 bytes.

Right now I'm gonna try manually getting a card to have the same serial as an f-zero savegame I have, if it works I'll look into generating the serial, in order to be able to change it at will.


EDIT4: OK, works with dolphin. Tomorrow I'll test with real hardware. If it woks it's just a matter of writing a function to get the serial, forcing a cards serial is easy, as explained above.

 

[tueidj]

Try treating the first 32 bytes of the memcard header as 4 u64s, xor them all together and see if it matches the required 8 byte serial.

 

[suloku]

OK, I've just confirmed this method works: I transfered an F-zero savegame to my official memory card and it worked perfectly fine.

Try treating the first 32 bytes of the memcard header as 4 u64s, xor them all together and see if it matches the required 8 byte serial.

Thank you, I'll try that, I think that the possibilities of it being generated that way are high.

EDIT: you where right, that's how the serial is generated.

 

[tueidj]

I had a poke around Medal of Honor: Frontline too and there's no checking of the card's serial number in that game, it just sets the nocopy/nomove flags on the savefile.

 

[suloku]

I had a poke around Medal of Honor: Frontline too and there's no checking of the card's serial number in that game, it just sets the nocopy/nomove flags on the savefile.

Thanks, the other ones I know that use real protection (and not only the permision flags) are the phantasy star only savegames. I have PSO Episode I&2, I'll check it later, but my guess is that it also uses the serial number for the protection.

I've already coded a simple app that gets the serial from a raw card and puts it in another card by modifying the SRAM Bias and SRAM Lang of the card. It seems to work properly.

 

[suloku]

Ok, here's GCSerial, It has been tested by me and Mark, both working with official memory cards.

http://code.google.com/p/gcmm/downloads/detail?name=GCSerial.rar&can=2&q=

---------------------------
GCSerial 0.1 by suloku 2012
---------------------------



This program will change the serial number of a .raw or .hdr file using another
.raw or .hdr file as source.

Usage:

gcserial.exe original_card.raw destination_card.raw
gcserial.exe original_header.hdr destination_header.hdr

To get your F-zero savegame to work you should make this steps:

-Extract the original card with f-zero savegame raw image (using GCMM 1.2d or CTR-GCS 0.3b) or .hdr (using CTR-GCS 0.3b)
-Do the same with the destination image

-Use gcserial and a new card image or header will be generated.

-Again, use GCMM 1.2d or CTR-GCS 0.3b to write the raw image/header to the destination memory card.

-Then you can install your f-zero gci file by any method available to your card and it should work (this step can be done prior to extracting the destination memory card raw image/serial).

Why use header (.hdr) files instead of raw images? Because flashing the whole card is slower and unneeded, we all want to preserve our memory cards lifespan.



ABOUT F-ZERO SAVEGAME
______________________

Thanks to jeremy654 we know where the serial number is stored in the F-zero savegame, so there's actually no need to have the original raw image/header of the F-zero savegame. (This has been confirmed for the PAL savegame)

For example, if the serial number of the card is "ba c8 b7 da d5 d6 91 d5"

ba c8 is at 20A6-20A7.
b7 da is at 20A0-20A1.
d5 d6 is at 75C0-75C1.
91 d5 is at 2240-2241.

note: the offsets are for a .gci savegame

So, you can now the serial number of the card by looking at the gci savegame.
The you can create with an hex editor a 32 byte file, all zeroes, then write the serial at the begining of the file.

The resulting hex view for this example should look like this:

0000h: BA C8 B7 DA D5 D6 91 D5 00 00 00 00 00 00 00 00
0010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This file will be correctly loaded by GCSerial and properly changed in the destination raw image.

Note that the probability of the serial number being stored in the same way in other serial protected savegames (Phantasy Star Online games as far as I know) is high, research should be done in those savegames to locate the adresses where the serial number is stored.


------------------------
Special thanks to tueidj!
Dedicated to Mark R.!

 

[themanuel]

Ok, here's GCSerial, It has been tested by me and Mark, both working with official memory cards.

http://code.google.c...al.rar&can=2&q=

Nice development.
Can you incorporate this functionality into GCMM?
I'm thinking that when you extract a protected save file, you could create another file with the same name but different extension that has the necessary serial number information to be restored on the destination card.
Also, doesn't this method guarantee that you will only be able to transfer one protected save file to a particular memory card, because if you change the serial number again to accommodate a second protected savefile, then the original won't work?
If that is the case, then the cheat codes would still be the preferred method.

 

[suloku]

Nice development.
Can you incorporate this functionality into GCMM?
I'm thinking that when you extract a protected save file, you could create another file with the same name but different extension that has the necessary serial number information to be restored on the destination card.

The only protected savegames that I know of are F-zero and phantasy star online (all of the games). I've already added showing the "true" serial number to GCMM (I'll upload it later), but I don't think it's worth the trouble and work to add support for these specific games,
I think the pc application is enough and works with all these protected savegames. Adding individual savegame support would require examinating a savegame of each region and probably the offsets change in each game (and they could change even between regions). Also, as you said, Action Replay codes are a better method than changing the serial number of the card.
The "extract/recover header along with the gci file for specific games" approach would be easier to implement, but still, since gcmm now has raw image capabilities (and ctr-gcs has header backup/restore) I don't see an actual need for it.

I've already spent too much time in this matter, I just finished this as a personal project (I don't even have a savegame I'd like to transfer, but I like the positibility of being able to do it.)

Also, doesn't this method guarantee that you will only be able to transfer one protected save file to a particular memory card, because if you change the serial number again to accommodate a second protected savefile, then the original won't work?
If that is the case, then the cheat codes would still be the preferred method.

You are right, Action Replay codes are a better solution, this is just an alternate method and has that flaw: only one serial per card, so only savegames with that serial work.

Maybe PSO savegames aren't encrypted or checksumed like f-zero and the serial can be changed prior to restoring (I doub it though), but still, AR codes are simpler.

BTW, the PAL code for F-zero has still to be confirmed to work, anyone succesfully tried it?

 

[themanuel]

The only protected savegames that I know of are F-zero and phantasy star online (all of the games). I've already added showing the "true" serial number to GCMM (I'll upload it later), but I don't think it's worth the trouble and work to add support for these specific games,
I think the pc application is enough and works with all these protected savegames. Adding individual savegame support would require examinating a savegame of each region and probably the offsets change in each game (and they could change even between regions). Also, as you said, Action Replay codes are a better method than changing the serial number of the card.

That sounds very reasonable and you are right, no need for so much work to accommodate the one or two games that can more easily be handled with cheat codes. By the way, as it stands now, you've made GCMM the best GCN save game manager out there and I'm loving it.
Thanks for all your recent work!

 

[suloku]

I've looked with bm123456's help at Phantasy Star Online EPI&II savegame and the serial is at the same position for PAL and USA savegame

It is at position 0x2198 to 0x219F (these offsets are for a GCI file) of the system savegame. Just changing the serial number doesn't work, I think the checksum is right after the serial number in the savegame.

Character and Guildcard savegames don't seem to be protected, but the system file might have something on it that relates it to the character and guildcard files.

Also, that offset is for a fresh new created savegame, and I think that the position of the serial and checksum may change as the game progresses, because the fresh save actual data is only a little more than 1 block in size, but the save is 3 blocks long.

If someone wants to mess with the checksum or something, here's some info (it may be useful for f-zero too)

http://www.hkems.com/qa%20tactics.htm

 

[suloku]

EDIT2: working now, at least with dolphin

http://www.mediafire.com/download.php?x6lnkxr3hmescit

EDIT: this doens't seem to work, I'll look into it later

I've written a little application by request, GCpadder. It will make a raw image bigger (a 59 blocks image can be converted to 251, 1019 or 2043 blocks). You should be able to use the new image with devolution, have your savegames and extra space without the need of copying savegames to a bigger card image.

Also, if combined with GCheader, you can use it to write a raw image of a card to another card of bigger size. (Use gcpadder in the raw you want to restore, then gcheader to insert the destination's card header to the raw).

---------------------------
GCPadder 0.2 by suloku 2012
---------------------------

Usage:

GCPadder.exe image.raw size[251|1019|2043]
If no size is specified the image will be padded to the next card size

You can drag and drop a raw image to gcpadder.exe and a card of the next size will be generated (if you drag a 59 blocks card you'll get one of 251; if it has 251 you get 1019 and if it has 1019 you get 2043)

example:

"gcpadder.exe mycardimageof59blocks.raw 2043" will create a 2043 blocks card
"gcpadder.exe mmycardimageof251blocks.raw" will create a 1019 blocks cards

Changelog

0.2:
- 0.1 didn't work at all because fat tables weren't updated to the new size

0.1:
- initial release

 

[Subotnik]

Suloku, this post might be of interest for you:

http://board.gscentral.org/retro-hacking/53093.htm#post188949

 

[themanuel]

Suloku, this post might be of interest for you:

http://board.gscentr....htm#post188949

If I understood correctly, this will allow you to change the serial stored in the save file to match the destination card's serial number.
This sounds really cool.

 

[suloku]

Suloku, this post might be of interest for you:

http://board.gscentr....htm#post188949

That is just AWESOME, so simple, so easy... this should be added to dolphin's memory card manager too!

I'm gonna add it to gcmm and look for some testers, lots of thanks!

 

[tueidj]

Who came up with these functions? The person posting them (Ralf) ?