Decrypting Mii QR Codes?

Discussion in '3DS - Homebrew Development and Emulators' started by drfsupercenter, Oct 31, 2014.

  1. drfsupercenter
    OP

    Hey guys,

    I apologize if there's already a topic about this, but I haven't seen one in my time browsing here so I thought I'd make one.

    I was talking about how Mii data is stored with a friend, and I ended up looking it up on 3DBrew. They seem to have the entire mapping of the QR data figured out:
    http://3dbrew.org/wiki/Mii_Maker

    The main thing I'm interested in editing is the "copiable" value. Most of the QR codes I scan from random strangers are locked so I can't edit them at all - and while I appreciate that someone else made it, sometimes I think there's something that could be done better and I want to change it. Or, in the case of Tomodachi Life, I want to be able to rename the darn thing, which isn't an option if it's set to not copiable.

    So let's take a look at one I got from MiiCharacters.com.
    http://www.miicharacters.com/miis/qr_large/1972_peterg.jpg

    That's just a random Peter Griffin one I found. So I parse the data:
    http://zxing.org/w/decode?u=http://www.miicharacters.com/miis/qr_large/1972_peterg.jpg

    I end up getting this as the raw bytes.
    Code:
    40 07 09 12 cf d2 5a 4c   0e 10 1c 44 cf 94 e1 67
    e5 60 4e f5 12 b5 11 3e   3c 58 5f 48 b1 32 97 43
    32 ab 4b 4e f3 15 6b 41   cd 08 e8 29 cd f0 c0 92
    50 9d e2 3a 28 85 40 26   80 6c 20 ab 46 5d 6c 94
    3b ee d1 bf 0b c5 1a ab   9a 5e 1b a3 73 02 01 ba
    f9 a3 7a 42 8d 59 30 ea   d6 a2 12 d3 30 7b 4a ef
    6b ee b3 cb 7b 92 f8 01   3a 47 82 9a 19 90 36 7b
    e8 f8 00 ec 11 ec 11 ec   11 ec
    
    Obviously this isn't very useful as-is, because most of that data is encrypted. However, 3DBrew says it can be decrypted using known text strings...?

    I notice the value at 0x9 is "10", not sure if the 1 represents "is copiable" or not, but I would assume that's just a coincidence since everything else is encrypted too.

    Essentially, if I could plug the raw data in somewhere and be able to decrypt and then re-encrypt it, that would be fantastic. I just want to play around with the Mii format a bit.
     
    cearp likes this.
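Added example (not from the thread, and not the OP's tooling): unpacking the zxing "raw bytes" dump above into the 0x70-byte Mii payload that 3DBrew describes. zxing prints the raw QR codeword stream, which starts with a 4-bit mode indicator and a 16-bit byte-mode length (Mii codes are 57x57, QR version 10, so the length field is 16 bits), so the Mii payload sits one nibble off from the dump: the cleartext nonce is not "40 07 09 12 ...", and the "10" at offset 0x9 is a byte of the shifted codeword stream rather than a field of the Mii. Field sizes are taken from 3DBrew; the trailing EC 11 bytes are standard QR pad codewords.

```python
# The OP's zxing dump, copied from the post above (122 bytes: the data codewords of a 10-H QR code).
RAW_ZXING_DUMP = """
40 07 09 12 cf d2 5a 4c   0e 10 1c 44 cf 94 e1 67
e5 60 4e f5 12 b5 11 3e   3c 58 5f 48 b1 32 97 43
32 ab 4b 4e f3 15 6b 41   cd 08 e8 29 cd f0 c0 92
50 9d e2 3a 28 85 40 26   80 6c 20 ab 46 5d 6c 94
3b ee d1 bf 0b c5 1a ab   9a 5e 1b a3 73 02 01 ba
f9 a3 7a 42 8d 59 30 ea   d6 a2 12 d3 30 7b 4a ef
6b ee b3 cb 7b 92 f8 01   3a 47 82 9a 19 90 36 7b
e8 f8 00 ec 11 ec 11 ec   11 ec
"""
QR_MODE_BYTE = 0x4
QR_PAD = bytes([0xEC, 0x11])                  # standard QR pad codewords
NONCE_LEN, ENC_LEN, TAG_LEN = 8, 0x58, 0x10   # Mii QR layout per 3DBrew (total 0x70)

def parse_hex_dump(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))

def unpack_mii_qr(raw: bytes) -> dict:
    """Strip the QR byte-mode header from a zxing codeword dump and split the Mii payload."""
    nbits, stream = len(raw) * 8, int.from_bytes(raw, "big")
    def field(pos, n):  # n bits starting at bit offset pos, MSB first
        return (stream >> (nbits - pos - n)) & ((1 << n) - 1)
    if field(0, 4) != QR_MODE_BYTE:
        raise ValueError("not a byte-mode QR stream")
    length = field(4, 16)   # 16-bit length field (QR version 10+); 0x70 for a Mii
    if length != NONCE_LEN + ENC_LEN + TAG_LEN:
        raise ValueError(f"unexpected Mii payload length {length:#x}")
    payload = field(20, length * 8).to_bytes(length, "big")
    end = 20 + length * 8
    if field(end, 4) != 0:  # a 4-bit terminator follows the data
        raise ValueError("missing QR terminator")
    trailer = raw[(end + 4 + 7) // 8:]  # zero-fill to a byte boundary, then pad codewords
    if trailer != (QR_PAD * (len(trailer) // 2 + 1))[:len(trailer)]:
        raise ValueError("trailer is not the EC 11 pad pattern")
    return {"nonce": payload[:NONCE_LEN],                      # cleartext MiiID + MAC address
            "encrypted": payload[NONCE_LEN:NONCE_LEN + ENC_LEN],
            "tag": payload[-TAG_LEN:]}                         # AES-CCM MAC

if __name__ == "__main__":
    for name, value in unpack_mii_qr(parse_hex_dump(RAW_ZXING_DUMP)).items():
        print(f"{name:>9}: {value.hex()}")
```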
  2. Duo8

    Apparently only the first 8 bytes are unencrypted "(cleartext MiiID+MAC address)". From there on (including 0x9) the data is encrypted.
    By "known text" I'm assuming something already known in the Mii format, or something that can be rebuilt to the format: "QR codes made from the same 3DS for the same Mii use the same AES-CCM nonce (you can recreate the xorpad by xoring with known values from this table).".

    Oh look there's also AES-CCM MAC.
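The "known text" trick Duo8 quotes from 3DBrew, and why the AES-CCM MAC he points out still stops anyone from re-encrypting an edited Mii without the key, as an added example (not from the thread or from 3DBrew). It assumes stdlib stand-ins for the cipher: a SHA-256 counter keystream in place of AES-CTR and an HMAC in place of CBC-MAC, which keep the one property that matters here, that the pad depends only on the key and the reused nonce; the key, nonce and Mii bodies are constructed.

```python
import hashlib, hmac, os

NONCE_LEN, BODY_LEN, TAG_LEN = 8, 0x58, 0x10   # Mii QR layout per 3DBrew

def keystream(key, nonce, nbytes):
    # Stand-in for AES-CTR inside CCM: block i = H(key || nonce || i), so the pad depends
    # only on (key, nonce). Block 0 (S0) is what CCM uses to mask the tag.
    blocks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest()
                      for i in range((nbytes + TAG_LEN) // 32 + 1))
    return blocks[:TAG_LEN], blocks[TAG_LEN:TAG_LEN + nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, nonce, body):
    s0, pad = keystream(key, nonce, len(body))
    tag = hmac.new(key, nonce + body, "sha256").digest()[:TAG_LEN]   # stand-in for CBC-MAC
    return nonce + xor(body, pad) + xor(tag, s0)

def unseal(key, blob):
    nonce, ct, masked = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    s0, pad = keystream(key, nonce, len(ct))
    body = xor(ct, pad)
    tag = hmac.new(key, nonce + body, "sha256").digest()[:TAG_LEN]
    return body if hmac.compare_digest(xor(tag, s0), masked) else None

def recover_xorpad(known_blob, known_body):
    # 3DBrew's "known text" trick: ciphertext XOR known plaintext = the CTR pad for that nonce.
    return xor(known_blob[NONCE_LEN:-TAG_LEN], known_body)

def demo():
    key, nonce = os.urandom(16), os.urandom(NONCE_LEN)   # constructed; one nonce reused for both QRs
    known = b"\x01" * BODY_LEN                            # a Mii whose decrypted bytes you already know
    target = b"\x00" * 9 + b"copiable=0" + b"\x00" * (BODY_LEN - 19)   # constructed stand-in for a locked Mii
    qr_known, qr_target = seal(key, nonce, known), seal(key, nonce, target)
    xorpad = recover_xorpad(qr_known, known)
    decrypted = xor(qr_target[NONCE_LEN:-TAG_LEN], xorpad)      # no key needed: confidentiality is lost
    edited = decrypted.replace(b"copiable=0", b"copiable=1")
    forged = nonce + xor(edited, xorpad) + qr_target[-TAG_LEN:]  # re-encrypted with the pad, old tag kept
    return (decrypted == target,                  # True: nonce reuse exposes the other Mii's contents
            unseal(key, forged) is None,          # True: the MAC rejects an edit made without the key
            unseal(key, seal(key, nonce, edited)) == edited)   # True: only the key holder can re-seal
```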
     
  3. drfsupercenter
    OP

    Yeah, I read all that.

    So if I exported a few QRs from my own 3DS, could you somehow use the common data to decrypt the rest? I'm willing to try it if someone can help :P
     
  4. gudenau

    I think that this is doable, I will look into this more when I have the time.

    Edit:
    All the data might be there, it would just take a good amount of time to create the xorpad, or create a launcher.dat to make the xorpad.
     
  5. Bond697
    This message by Bond697 has been removed from public view by BORTZ, Oct 31, 2014, Reason: empty.
  6. windwakr

    It would probably be easier to build a ROP chain that calls APT:Unwrap using:
    https://github.com/naehrwert/p3ds


    Or build a homebrew to do it.
     
  7. gudenau

    That is what I was getting at.
     
  8. NicEXE

    I would have made, let's say, 20 different Miis all exactly the same (including "(cleartext MiiID+MAC address)" if possible) except for one value (position of the nose, for example). Then I would have tried to bruteforce the key until all the different Mii data are at least 90% the same. If that happens I have probably found the key (and I probably know how to move a Mii's nose).

    I don't think it's worth the time to try and bruteforce the Mii QR decryption key.
     
  9. gudenau

    Well to make an editor for PC would be worth it imo, might be able to move the sliders more than on the 3DS.
     
  10. drfsupercenter
    OP

    Yeah, definitely.

    There was a program I used to use called "My Mii Manager", I think it was a Datel product, it was for the Wii, and that's basically what it let you do. So much easier to create Miis that way because you don't have to use idiotic motion controls :P

    Problem with the 3DS is, I'll scan a QR code and think "wow that looks cool" but then I can't change the nickname because it's created by someone else who set sharing to off... like literally if I could change *just* that, I'd be happy
     
  11. windwakr

    I pwned U! likes this.
  12. SSG Vegeta


    If you do please make custom anime miis I'd really like to have a mii based on Goku
     
  13. Huntereb

  14. I pwned U!

    I wonder if we can get golden pants now...
     
    Queno138 and Huntereb like this.
  15. Huntereb


    That's what I wanna see! Anyone think it's possible to make your Primary Mii a "Special" Mii? Would be cool to streetpass people, and on their screens they see "I'm Huntereb from Nintendo!". B-)
     
    DrakeLyon and I pwned U! like this.
  16. I pwned U!

    I wonder if it will also be possible to change where we come from (such as "I am I pwned U! from GBATemp.")
     
  17. drfsupercenter
    OP

    If you've got a Wii, you can already do this.
    http://us.codejunkies.com/Products/Wii-My-Mii-Manager__EF000244.aspx
    You'll just need a Bluetooth dongle in your computer so you can transfer the Mii off of your Wii remote. I actually own the software if anyone would like me to upload it somewhere. I don't think Datel is still producing it anymore so it shouldn't hurt their sales any.

    In theory you could, but weren't there golden pants ones on the Wii too? I never saw any, but 3DBrew mentions it, and I don't think those are encrypted so you could probably use the same sort of thing to spoof them.

    Awesome! May I ask how you did it? That way I could re-encrypt it by reversing the process (theoretically)
    And since it's just text, you shouldn't even need a Launcher.dat or anything like others were mentioning... it would take the 3DS literally less than a second to spit out a xorpad anyway.
     
  18. Nurio

    N-Not Vegeta? Honestly that would've been my first guess...
     
  19. SSG Vegeta

    Super Saiyan God Vegeta to be exact & what do you mean bro :)
     
  20. Duo8

    You can't do that with just QR. You'd have to edit your own Mii.
    Also aren't those Miis spotpass only?
     
  21. that girl

    Does anyone have the encryption/decryption key? Was it even confirmed?