[Development] Smash 3DS Save Map

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by shinyquagsire23, Jan 21, 2015.

  1. shinyquagsire23
    OP

    shinyquagsire23 SALT/Sm4sh Leak Guy

    The last few days I've been working on figuring out and basically mapping out the entire Smash 3DS save file. My end goal is to be able to individually and collectively edit all unlocked characters, trophies, custom moves, and any other tedious stuff which is difficult to unlock under normal circumstances.

    Why?
    The main reason for me personally is that some things are a bit annoying to unlock. Trophies are OK since they aren't necessary to the game itself and can be bought anyways, but Custom Moves are, however, a lot more difficult to gain, and duplicates are very, very common in any mode used to gain them. This can also be beneficial for the competitive scene in getting these unlocks quickly as well as for documentation reasons (Wikis, strategy guides, trivia, etc).

    Current Progress
    Currently the following items have been found and documented in the below save map:
    • Unlocking all Characters, including individual bitmasks
    • Unlocking all Trophies (588 total)
    • Setting the amount of gold
    • Changing account info, including all taunt phrases, your set phrase, icon, and name
    Files
    • account_data.bin - Stores account information used and shared online, probably personal settings as well
    • system_data.bin - Stores all unlocks, progress, statistics, etc.
    Map
    account_data.bin
    Code:
    0x8 - u16, version number of save. Version formatted as (major << 12 + minor << 5 + revision). 1.1.2 would be 0x1022.
    0x12-0x16 - anti-savegame restore bytes, compared on the system side
    0x20 - Unknown, number of bootups maybe? Increments.
    0x100 - Character Icon, 0x78 is max amount. !!Having this over 0x78 will cause online matches to crash before the results screen!!
    0x102 - Set Phrase "Let's do this!"
    0x16E - Name utf-16 <Your Name>
    0x1B4 - Up Taunt utf-16 "Hello!"
    0x1DE - Down Taunt utf-16 "Oh, no!"
    0x208 - Left Taunt utf-16 "Thanks!"
    0x232 - Right Taunt utf-16 "Yay!"
    
    system_data.bin
    Code:
    0x8 - u16, version number of save. Version formatted as (major << 12 + minor << 5 + revision). 1.1.2 would be 0x1022.
    0x12-0x16 - anti-savegame restore bytes, compared on the system side
    0x20 - u64, full unlock is DB B6 6D DB 06 00 00 00. See below for individual character bits
    0x30 - Something with Character Unlocks (or stages, idk)
    0x37 - Incremented after buying a trophy for 1000 and doing one battle. Statistics?
    0x61C - Power on Counts
    0x82C - Incremented from 0 to 0x3E8 after buying a trophy
    0x858 - Incremented from 3 to 4 after buying a trophy
    0xD98 - Gold Amount, u32
    0xB60C - Start of trophy array, each entry is an 8 byte (u64) timestamp. Setting every entry to a valid timestamp will unlock every trophy
    0xBC1C - Changed from 00 00 01 00 00 00 00 00 to DF 17 6B DD 01 94 02 00. Timestamp is 0x00029401DD6B17DF, or
    <????><month 4 bits><year 24 bits>
    0xC6EC - Changed from 00 00 01 00 00 00 00 to DF 17 5B 05 01 D3 02 after trophy purchase.
    0xC86C - End of trophy array (588)
    0xE004 - 38 bytes Changed from 00 00 01 00 ... to 77 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 3B 02 00 00 45 01 00 00 7D 02 00 00 C1 00 00 00 20 02 00 00 00 00 00 00 05 00 00 04 04 00 00 08
    
    RandomUser: Equip Powers (not badges), need to scan other areas of the saves for specific power selection. FFh actually removes equipped power. I think these are the location of power slots, but not sure. Needs testing help finding them to confirm.
    0x21F02 - Slot 1
    0x21F04 - Slot 2
    0x21F06 - Slot 3
    0x21F08 - Slot 4
    0x21F0A - Slot 5
    0x21F0C - Slot 6
    
    Character Bitmask
    Code:
    Completely Unlocked All Characters
    DB B6 6D DB 06, or 0x00000006DB6DB6DB
    Completely Cleared, no unlocks
    49 92 24 49 02, or 0x0000000249249249
    Bitmask Values:
    -------------
    Default            - 0x0000000249249249
    Ness               - 0x0000000000000002
    Falco              - 0x0000000000000010
    Wario              - 0x0000000000000080
    Lucina             - 0x0000000000000400
    Dark Pit           - 0x0000000000002000
    Dr. Mario          - 0x0000000000010000
    R.O.B.             - 0x0000000000080000
    Ganondorf          - 0x0000000000400000
    Mr. Game And Watch - 0x0000000002000000
    Bowser Jr.         - 0x0000000010000000
    Duck Hunt Dog      - 0x0000000080000000
    Jigglypuff         - 0x0000000400000000
    
     
    Last edited by shinyquagsire23, Nov 2, 2015
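As an added example (not the OP's tool or any code from the thread), the following Python script turns the system_data.bin map above into read/patch helpers: it decodes the version word at 0x8, lists and toggles the per-character unlock bits in the u64 at 0x20 (default 0x249249249, full unlock 0x6DB6DB6DB), reads and writes the u32 gold at 0xD98, and counts or fills the 588-entry trophy timestamp array at 0xB60C-0xC86C. Offsets and bit values are taken from the map; the assumptions are that the locked-trophy placeholder 00 00 01 00 00 00 00 00 the OP saw at 0xBC1C is what every locked entry holds, and that the minor field of the version word is 7 bits wide (the map only states the shift amounts). The sample save image is constructed in the script, not a real dump.

```python
"""Read and patch Smash 3DS system_data.bin fields using the offsets from the save map above.

Added example, not the OP's tool. Offsets and character bit values come from the map;
the locked-trophy placeholder and the 7-bit minor version field are assumptions.
"""
import struct

OFF_VERSION = 0x8          # u16: (major << 12) + (minor << 5) + revision
OFF_ANTI_RESTORE = 0x12    # 4 bytes, compared against a value kept on the system side
OFF_CHAR_MASK = 0x20       # u64 character-unlock bitmask
OFF_GOLD = 0xD98           # u32 (RandomUser's correction: 4 bytes, not u16)
OFF_TROPHY_START = 0xB60C  # array of u64 timestamps, one per trophy
OFF_TROPHY_END = 0xC86C
TROPHY_ENTRY_SIZE = 8
TROPHY_COUNT = (OFF_TROPHY_END - OFF_TROPHY_START) // TROPHY_ENTRY_SIZE  # 588

CHAR_MASK_DEFAULT = 0x0000000249249249   # no unlocks
CHAR_MASK_ALL = 0x00000006DB6DB6DB       # everyone unlocked
CHARACTER_BITS = {
    "Ness": 0x2, "Falco": 0x10, "Wario": 0x80, "Lucina": 0x400, "Dark Pit": 0x2000,
    "Dr. Mario": 0x10000, "R.O.B.": 0x80000, "Ganondorf": 0x400000,
    "Mr. Game And Watch": 0x2000000, "Bowser Jr.": 0x10000000,
    "Duck Hunt Dog": 0x80000000, "Jigglypuff": 0x400000000,
}
# Assumption: the bytes 00 00 01 00 00 00 00 00 seen before a purchase mark a locked trophy.
TROPHY_LOCKED = 0x0000000000010000
# Timestamp the OP observed at 0xBC1C after buying a trophy; reused as a known-valid value.
TROPHY_SAMPLE_TIMESTAMP = 0x00029401DD6B17DF


def decode_version(data):
    """Return (major, minor, revision); 0x1022 decodes to (1, 1, 2)."""
    v = struct.unpack_from("<H", data, OFF_VERSION)[0]
    return v >> 12, (v >> 5) & 0x7F, v & 0x1F  # 7-bit minor field is an assumption


def encode_version(major, minor, revision):
    return (major << 12) | (minor << 5) | revision


def get_character_mask(data):
    return struct.unpack_from("<Q", data, OFF_CHAR_MASK)[0]


def unlocked_characters(data):
    mask = get_character_mask(data)
    return [name for name, bit in CHARACTER_BITS.items() if mask & bit]


def set_character(data, name, unlocked=True):
    """Set or clear one character's unlock bit in place; returns the new mask."""
    bit = CHARACTER_BITS[name]
    mask = get_character_mask(data)
    mask = (mask | bit) if unlocked else (mask & ~bit)
    struct.pack_into("<Q", data, OFF_CHAR_MASK, mask)
    return mask


def get_gold(data):
    return struct.unpack_from("<I", data, OFF_GOLD)[0]


def set_gold(data, amount):
    struct.pack_into("<I", data, OFF_GOLD, amount)  # u32, so values above 65535 are fine


def trophy_entries(data):
    return list(struct.unpack_from("<%dQ" % TROPHY_COUNT, data, OFF_TROPHY_START))


def trophies_unlocked(data):
    return sum(1 for entry in trophy_entries(data) if entry != TROPHY_LOCKED)


def unlock_all_trophies(data, timestamp=TROPHY_SAMPLE_TIMESTAMP):
    """Write one valid timestamp into every entry of the trophy array."""
    struct.pack_into("<%dQ" % TROPHY_COUNT, data, OFF_TROPHY_START,
                     *([timestamp] * TROPHY_COUNT))


def make_sample_save():
    """Constructed image (not a real dump): version 1.1.2, nothing unlocked, 1234 gold."""
    data = bytearray(0xE100)
    struct.pack_into("<H", data, OFF_VERSION, encode_version(1, 1, 2))
    struct.pack_into("<Q", data, OFF_CHAR_MASK, CHAR_MASK_DEFAULT)
    struct.pack_into("<I", data, OFF_GOLD, 1234)
    struct.pack_into("<%dQ" % TROPHY_COUNT, data, OFF_TROPHY_START,
                     *([TROPHY_LOCKED] * TROPHY_COUNT))
    return data


if __name__ == "__main__":
    save = make_sample_save()
    print("version:", decode_version(save), "unlocked:", unlocked_characters(save))
    for name in CHARACTER_BITS:
        set_character(save, name)
    set_gold(save, 70000)
    unlock_all_trophies(save)
    print("mask: 0x%X" % get_character_mask(save), "gold:", get_gold(save),
          "trophies:", trophies_unlocked(save))
```

To use it on a real dump, read system_data.bin into a bytearray, call the setters, and write it back; the anti-restore bytes at 0x12 are left untouched here, so a save patched on the same console keeps working.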


  2. flarn2006

    flarn2006 GBAtemp Fan

    What reason would they have to try and prevent you from backing up and restoring saves? It's not like Pokemon where you could trade a Pokemon and then restore a backup.
     
  3. shinyquagsire23
    OP

    shinyquagsire23 SALT/Sm4sh Leak Guy

    No idea. Real easy to bypass though, if your save corrupts just back up the "corrupted" save, go through with the save deletion, and then back up the new save. Then just take the old save and copy the 4 bytes from 0x12 in both the new files to the old files.
     
  4. Zidapi

    Zidapi GBAtemp Psycho!

    Phenomenal work! This is sure to be useful for many people.
     
  5. bobmcjr

    bobmcjr GBAtemp Advanced Fan

    So is this in the retail version, digital version, or both?
    Code:
    0x12 - anti-savegame restore u32, compared on the system side
    
    So that number is written to the NAND like with Pokemon and Animal Crossing and compared to check if you've "cheated"?
     
  6. shinyquagsire23
    OP

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Basically. Luckily though since we know the offset where it keeps the anti-savegame restore number we can easily fix "cheated" saves. Optimally in the future it would be best to just patch it out (hopefully), or maybe Gateway will be able to patch it system-side to always generate the same number so old saves would still work. Not entirely sure how the number is generated, but it's definitely system side and in the NAND. I actually had this false-trigger in emuNAND once because while switching between my linked sysNAND and emuNAND the number changed, so emuNAND showed a corrupted file while sysNAND said it was all just fine.
     
  7. SpongeFreak52

    SpongeFreak52 GBAtemp Fan

    Wow, this is very nice work! I was just today thinking about if I wanted to try and unlock everything again after dumping my retail cart. This will definitely help! :)
     
  8. henn64

    henn64 I don't know what I'm doing with my life.

    Good luck! I know how it feels.
    My previous save with 104/105 challenges and 670 trophies was lost when downgrading with GW 3.0 because I had a 6.x save. Luckily I made a 9.2 nand.bin and cartridge/cartridge save backups, but copying 943MB files back and forth just for that is inconvenient.
    I want the profile exploit, blue card and Sm4sh :cry:
     
  9. shinyquagsire23
    OP

    shinyquagsire23 SALT/Sm4sh Leak Guy

    If you still have the save intact (ie you didn't wipe it) you should be able to use SaveDataFiler to dump it (with 9.2 sysNAND) and then downgrade, go through with the save deletion, dump the clean save, copy the 4 bytes at 0x12 to your old saves, overwrite the clean save on your SD card with your patched old saves, and then write it back. Unless you have Sm4sh on a cart, in which case there's not much which can be done to dump :/

    If you have the eShop version though, fixing/transferring saves is super easy.
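The fix described in posts 3 and 9 (dump the "corrupted" save, let the game delete and recreate it, dump the clean save, copy the 4 bytes at 0x12 from the clean file into the old file) as an added Python example; it is not a tool from the thread. It applies the same transplant to both account_data.bin and system_data.bin, and adds two safeguards that are my own assumptions rather than anything the posts state: it refuses to patch if the two files differ in size or in the version word at 0x8, and it reports any other header bytes that differ so you can see whether a field such as the counter at 0x20 also moved. The sample pair of saves is constructed in the script.

```python
"""Transplant the anti-restore bytes (0x12-0x16) from a fresh save into an older save.

Added example, not the thread's own tool. Version and size checks are an assumption
(a save recreated by the same game version should carry the same version word).
"""
import os
import struct

OFF_VERSION = 0x8          # u16 version word, same layout in both files
OFF_ANTI_RESTORE = 0x12    # 4 bytes compared against a system-side value
ANTI_RESTORE_LEN = 4
SAVE_FILES = ("account_data.bin", "system_data.bin")


def anti_restore_bytes(data):
    return bytes(data[OFF_ANTI_RESTORE:OFF_ANTI_RESTORE + ANTI_RESTORE_LEN])


def transplant(old, fresh):
    """Return a copy of `old` carrying the anti-restore bytes of `fresh`."""
    if len(old) != len(fresh):
        raise ValueError("save sizes differ: %d vs %d" % (len(old), len(fresh)))
    old_ver = struct.unpack_from("<H", old, OFF_VERSION)[0]
    new_ver = struct.unpack_from("<H", fresh, OFF_VERSION)[0]
    if old_ver != new_ver:
        raise ValueError("version word differs: 0x%04X vs 0x%04X" % (old_ver, new_ver))
    patched = bytearray(old)
    patched[OFF_ANTI_RESTORE:OFF_ANTI_RESTORE + ANTI_RESTORE_LEN] = anti_restore_bytes(fresh)
    return patched


def other_header_differences(old, fresh, limit=0x40):
    """Offsets below `limit` where the two saves differ, excluding the anti-restore field.
    Useful for spotting header fields that changed besides 0x12 (the OP notes 0x20 increments)."""
    field = range(OFF_ANTI_RESTORE, OFF_ANTI_RESTORE + ANTI_RESTORE_LEN)
    return [i for i in range(min(limit, len(old), len(fresh)))
            if i not in field and old[i] != fresh[i]]


def fix_save_dir(old_dir, fresh_dir, out_dir):
    """Patch both save files from `old_dir` with the bytes from `fresh_dir` into `out_dir`."""
    os.makedirs(out_dir, exist_ok=True)
    for name in SAVE_FILES:
        with open(os.path.join(old_dir, name), "rb") as f:
            old = f.read()
        with open(os.path.join(fresh_dir, name), "rb") as f:
            fresh = f.read()
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(transplant(old, fresh))


def make_constructed_pair():
    """Constructed old/fresh saves (not real dumps) sharing version 1.1.2."""
    old = bytearray(b"\x55" * 0x40)
    fresh = bytearray(b"\x55" * 0x40)
    struct.pack_into("<H", old, OFF_VERSION, 0x1022)
    struct.pack_into("<H", fresh, OFF_VERSION, 0x1022)
    old[OFF_ANTI_RESTORE:OFF_ANTI_RESTORE + ANTI_RESTORE_LEN] = b"\xAA\xBB\xCC\xDD"
    fresh[OFF_ANTI_RESTORE:OFF_ANTI_RESTORE + ANTI_RESTORE_LEN] = b"\x01\x02\x03\x04"
    return old, fresh


if __name__ == "__main__":
    old, fresh = make_constructed_pair()
    patched = transplant(old, fresh)
    print("old:", anti_restore_bytes(old).hex(), "fresh:", anti_restore_bytes(fresh).hex(),
          "patched:", anti_restore_bytes(patched).hex())
    print("other header differences:", other_header_differences(old, fresh))
```

Run `fix_save_dir("old", "fresh", "out")` against the two dumped directories, then write the files in `out` back over the clean save with the same dumper that produced them.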
     
  10. henn64

    henn64 I don't know what I'm doing with my life.

    I still have the cartridge and .sav dump.
    Oh well!
    EDIT: Here's an idea- take the .sav dumped by GW and use my personal dump as a .3dz with 9.2 sysnand Nope.
    I'll try to figure things out from there.
     
  11. shinyquagsire23
    OP

    shinyquagsire23 SALT/Sm4sh Leak Guy

    OK, so did some messing around. Apparently having an icon over 0x78 will cause it to be blank. This causes no issues with local play, however, it will cause your 3DS (maybe the other persons?) to crash just before the results screen online. No fun.
     
  12. Lord M

    Lord M GBAtemp Advanced Fan

    shinyquagsire?? the same of pokecommunity? XD
     
  13. RandomUser

    RandomUser What has gotten into you Rosie?

    I would like to contribute my own finding, however they are incomplete. We need more people looking into this:).
    Code:
    Coins are actually located at 0xD98
    0x61C - Power on Counts
    Equip Powers (not badges), need to scan other areas of the saves for specific power selection. FFh actually removes equipped power. I think these are the location of power slots, but not sure. Needs testing help finding them to confirm.
    0x21F02 - Slot 1
    0x21F04 - Slot 2
    0x21F06 - Slot 3
    0x21F08 - Slot 4
    0x21F0A - Slot 5
    0x21F0C - Slot 6
    Try using numbers like 03 or 08. It does weird stuff and equips mismatched powers.
     
  14. shinyquagsire23
    OP

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Added and noted, probably will look at this one a bit carefully to see what there is. Also kinda want to find the "Unlocked Hats" array, wherever that one is. I should have known the coin one actually, I guess I was just tired when I was doing that one and thought 65535 was the max on a u32 not a u16.
     
  15. RandomUser

    RandomUser What has gotten into you Rosie?

    I think the coins is 4 bytes. However, a little confusing: if you go to address 0xD9A and add a 01, your coin count should surpass the 65535 limit. You can go ahead and continue searching whatever you are searching for, I don't mind. It seems that just me and you are the only ones looking into the saves. I wonder what happened to the people in the badge thread? One person found many badges and locations and another wrote a program for easy badge editing and what not.
     
  16. marcoz9999

    marcoz9999 GBAtemp Regular

    Hi, my save got corrupted. Can you post a tutorial on how to edit and bypass the security with the 4 bytes at 0x12 like you say? Please, thanks.
     
  17. RandomUser

    RandomUser What has gotten into you Rosie?

    Perhaps this picture will help you
    @ shinyquagsire23
    I forgot to mention that the power slot address is for Peach in her first slot of custom character. I believe I may have found the trophy locations with quantity, but I need a 100% save in CIA format to be able to properly figure out the start address to the end address for all trophies.
    So if anyone has a complete save and is able to convert them to cia format, that would be great.
     
  18. marcoz9999

    marcoz9999 GBAtemp Regular

    I think i have a 100 of all trophies lemme see if i find it and thanks RandomUser
     
  19. zarx1554

    zarx1554 Newbie

    Sorry to ask, but what hex editor do you use to view the save file?
     
  20. RandomUser

    RandomUser What has gotten into you Rosie?

    You're welcome and am glad to be of help. If you do find it, I would appreciate the share.

    You can use any hex editor really. I use HexWorkshop, as that is my favorite hex editor. I have been using it for a long time and it has an advanced compare feature.


    EDIT: I think I may have found the Beginning and the ending location of the trophies.