ROM Hack [Development] Smash 3DS Save Map

[shinyquagsire23]

The last few days I've been working on figuring out and basically mapping out the entire Smash 3DS save file. My end goal is to be able to individually and collectively edit all unlocked characters, trophys, custom moves, and any other tedious stuff which is difficult to unlock under normal circumstances.

Why?
The main reason for me personally is that some things are a bit annoying to unlock. Trophies are OK since they aren't necessary to the game itself and can be bought anyways, but Custom Moves are, however, a lot more difficult to gain, and duplicates are very, very common in any mode used to gain them. This can also be beneficial for the competitive scene in getting these unlocks quickly as well as for documentation reasons (Wikis, strategy guides, trivia, etc).

Current Progress
Currently the following items have been found and documented in the below save map:

• Unlocking all Characters, including individual bitmasks
• Unlocking all Trophies (588 total)
• Setting the amount of gold
• Changing account info, including all taunt phrases, your set phrase, icon, and name

Files

• account_data.bin - Stores account information used and shared online, probably personal settings as well
• system_data.bin - Stores all unlocked, progress, statistics, etc

Map
account_data.bin

0x8 - u16, version number of save. Version formatted as (major << 12 + minor << 5 + revision). 1.1.2 would be 0x1022.
0x12-0x16 - anti-savegame restore bytes, compared on the system side
0x20 - Unknown, number of bootups maybe? Increments.
0x100 - Character Icon, 0x78 is max amount. !!Having this over 0x78 will cause online matches to crash before the results screen!!
0x102 - Set Phrase "Let's do this!"
0x16E - Name utf-16 <Your Name>
0x1B4 - Up Taunt utf-16 "Hello!"
0x1DE - Down Taunt utf-16 "Oh, no!
0x208 - Left Taunt utf-16 "Thanks!"
0x232 - Right Taunt utf-16 "Yay!"

system_data.bin

0x8 - u16, version number of save. Version formatted as (major << 12 + minor << 5 + revision). 1.1.2 would be 0x1022.
0x12-0x16 - anti-savegame restore bytes, compared on the system side
0x20 - u64, full unlock is DB B6 6D DB 06 00 00 00. See below for individual character bits
0x30 - Something with Character Unlocks (or stages, idk)
0x37 - Incremented after buying a trophy for 1000 and doing one battle. Statistics?
0x61C - Power on Counts
0x82C - Incremented from 0 ti 0x3E8 after buying a trophy
0x858 - Incremented from 3 to 4 after buying a trophy
0xD98 - Gold Amount, u32
0xB60C - Start of trophy array, each entry is an 8 byte (u64) timestamp. Setting every entry to a valid timestamp will unlock every trophy
0xBC1C - Changed from 00 00 01 00 00 00 00 00 to DF 17 6B DD 01 94 02 00. Timestamp is 0x00029401DD6B17DF, or
<????><month 4 bits><year 24 bits>
0xC6EC - Changed from 00 00 01 00 00 00 00 to DF 17 5B 05 01 D3 02 after trophy purchase.
0xC86C - End of trophy array (588)
0xE004 - 38 bytes Changed from 00 00 01 00 ... to 77 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 3B 02 00 00 45 01 00 00 7D 02 00 00 C1 00 00 00 20 02 00 00 00 00 00 00 05 00 00 04 04 00 00 08

[B]RandomUser: [/B]Equip Powers (not badges), need to scan other areas of the saves for specific power selection. FFh actually removes equipped power. I think these are the location of power slots, but not sure. Needs testing help finding them to confirm.
0x21F02 - Slot 1
0x21F04 - Slot 2
0x21F06 - Slot 3
0x21F08 - Slot 4
0x21F0A - Slot 5
0x21F0C - Slot 6

Character Bitmask

Completely Unlocked All Characters
DB B6 6D DB 06 , or 0x00000006DB6DB6DB
Completely Cleared, no unlocks
49 92 24 49 02, or 0x0000000249249249
Bitmask Values:
-------------
Default            - 0x0000000249249249
Ness              - 0x0000000000000002
Falco              - 0x0000000000000010
Wario              - 0x0000000000000080
Lucina            - 0x0000000000000400
Dark Pit          - 0x0000000000002000
Dr. Mario          - 0x0000000000010000
R.O.B              - 0x0000000000080000
Ganondorf          - 0x0000000000400000
Mr. Game And Watch - 0x0000000002000000
Bowser Jr.        - 0x0000000010000000
Duck Hunt Dog      - 0x0000000080000000
Jigglypuff        - 0x0000000400000000

 

[flarn2006]

0x12 - anti-savegame restore u32, compared on the system side

What reason would they have to try and prevent you from backing up and restoring saves? It's not like Pokemon where you could trade a Pokemon and then restore a backup.

 

[shinyquagsire23]

What reason would they have to try and prevent you from backing up and restoring saves? It's not like Pokemon where you could trade a Pokemon and then restore a backup.

No idea. Real easy to bypass though, if your save corrupts just back up the "corrupted" save, go through with the save deletion, and then back up the new save. Then just take the old save and copy the 4 bytes from 0x12 in both the new files to the old files.

 

[Zidapi]

Phenomenal work! This is sure to be useful for many people.

 

[bobmcjr]

So is this in the retail version, digital version, or both?

0x12 - anti-savegame restore u32, compared on the system side

So that number is written to the NAND like with Pokemon and Animal Crossing and compared to check if you've "cheated"?

 

[shinyquagsire23]

So is this in the retail version, digital version, or both?

0x12 - anti-savegame restore u32, compared on the system side

So that number is written to the NAND like with Pokemon and Animal Crossing and compared to check if you've "cheated"?

Basically. Luckily though since we know the offset where it keeps the anti-savegame restore number we can easily fix "cheated" saves. Optimally in the future it would be best to just patch it out (hopefully), or maybe Gateway will be able to patch it system-side to always generate the same number so old saves would still work. Not entirely sure how the number is generated, but it's definitely system side and in the NAND. I actually had this false-trigger in emuNAND once because while switching between my linked sysNAND and emuNAND the number changed, so emuNAND showed a corrupted file while sysNAND said it was all just fine.

 

[SpongeFreak52]

Wow, this is very nice work! I was just today thinking about if I wanted to try and unlock everything again after dumping my retail cart. This will definitely help!

 

[henn64]

The last few days I've been working on figuring out and basically mapping out the entire Smash 3DS save file. My end goal is to be able to individually and collectively edit all unlocked characters, trophys, custom moves, and any other tedious stuff which is difficult to unlock under normal circumstances.

Good luck! I know how it feels.
My previous save with 104/105 challenges and 670 trophies were lost when downgrading with GW 3.0 because I had a 6.x save. Luckily I make a 9.2 nand.bin and cartridge/cartridge save backups, but copying 943MB files back and forth just for that is inconvenient.
I want the profile exploit, blue card and Sm4sh

 

[shinyquagsire23]

Good luck! I know how it feels.
My previous save with 104/105 challenges and 670 trophies were lost when downgrading with GW 3.0 because I had a 6.x save. Luckily I make a 9.2 nand.bin and cartridge/cartridge save backups, but copying 943MB files back and forth just for that is inconvenient.
I want the profile exploit, blue card and Sm4sh

If you still have the save intact (ie you didn't wipe it) you should be able to use SaveDataFiler to dump it (with 9.2 sysNAND) and then downgrade, go through with the save deletion, dump the clean save, copy the 4 bytes at 0x12 to your old saves, overwrite the clean save on your SD card with your patched old saves, and then write it back. Unless you have Sm4sh on a cart, in which case there's not much which can be done to dump :/

If you have the eShop version though, fixing/transferring saves is super easy.

 

[henn64]

If you still have the save intact (ie you didn't wipe it) you should be able to use SaveDataFiler to dump it (with 9.2 sysNAND) and then downgrade, go through with the save deletion, dump the clean save, copy the 4 bytes at 0x12 to your old saves, overwrite the clean save on your SD card with your patched old saves, and then write it back. Unless you have Sm4sh on a cart, in which case there's not much which can be done to dump :/

If you have the eShop version though, fixing/transferring saves is super easy.

I still have the cartridge and .sav dump.
Oh well!
EDIT: Here's an idea- take the .sav dumped by GW and use my personal dump as a .3dz with 9.2 sysnand Nope.
I'll try to figure things out from there.

 

[shinyquagsire23]

OK, so did some messing around. Apparently having an icon over 0x78 will cause it to be blank. This causes no issues with local play, however, it will cause your 3DS (maybe the other persons?) to crash just before the results screen online. No fun.

 

[Lord M]

shinyquagsire?? the same of pokecommunity? XD

 

[RandomUser]

I would like to contribute my own finding, however they are incomplete. We need more people looking into this.

Coins are actually located at 0xD98
0x61C - Power on Counts
Equip Powers (not badges), need to scan other areas of the saves for specific power selection. FFh actually removes equipped power. I think these are the location of power slots, but not sure. Needs testing help finding them to confirm.
0x21F02 - Slot 1
0x21F04 - Slot 2
0x21F06 - Slot 3
0x21F08 - Slot 4
0x21F0A - Slot 5
0x21F0C - Slot 6
Try using numbers like 03 or 08. It does weird stuff and equip mismatch powers.

 

[shinyquagsire23]

I would like to contribute my own finding, however they are incomplete. We need more people looking into this.

Coins are actually located at 0xD98
0x61C - Power on Counts
Equip Powers (not badges), need to scan other areas of the saves for specific power selection. FFh actually removes equipped power. I think these are the location of power slots, but not sure. Needs testing help finding them to confirm.
0x21F02 - Slot 1
0x21F04 - Slot 2
0x21F06 - Slot 3
0x21F08 - Slot 4
0x21F0A - Slot 5
0x21F0C - Slot 6
Try using numbers like 03 or 08. It does weird stuff and equip mismatch powers.

Added and noted, probably will look at this one a bit carefully to see what there is. Also kinda want to find the "Unlocked Hats" array, wherever that one is. I should have known the coin one actually, I guess I was just tired when I was doing that one and thought 65535 was the max on a u32 not a u16.

 

[RandomUser]

Added and noted, probably will look at this one a bit carefully to see what there is. Also kinda want to find the "Unlocked Hats" array, wherever that one is. I should have known the coin one actually, I guess I was just tired when I was doing that one and thought 65535 was the max on a u32 not a u16.

I think the coins is 4 bytes. However a lil confusing, if you go to address 0xD9A and add a 01 your coin count should surpass the 65535 limit. You can go ahead and continue searching whatever you are searching for, I don't mind. It seems that just me and you are the only ones looking into the saves. I wander what happened to the people in badge thread? One person found many badges and locations and another wrote a program for easy badge editing and what not.

 

[marcoz9999]

Hi my save got corrupted can yo post a tutorial on how to edit and bypass the security with the 4 bytes on 0x12 like you say please thanks

 

[RandomUser]

Hi my save got corrupted can yo post a tutorial on how to edit and bypass the security with the 4 bytes on 0x12 like you say please thanks

Perhaps this picture will help you

Spoiler

@ shinyquagsire23
I forgot to mention that the power slot address is for Peach in her first slot of custom character. I believe I may have found the trophy locations with quantity, but I need a 100% save in CIA format to be able to properly figure out the start address to the end address for all trophies.
So if anyone has a complete save and is able to convert them to cia format, that would be great.

 

[marcoz9999]

I think i have a 100 of all trophies lemme see if i find it and thanks RandomUser

 

[zarx1554]

Sorry to ask, but what hex editor do you use to view the save file?

 

[RandomUser]

I think i have a 100 of all trophies lemme see if i find it and thanks RandomUser

You're welcome and am glad to be of help. If you do find it, I would appreciate the share.

Sorry to ask, but what hex editor do you use to view the save file?

You can use any hex editor really. I use HexWorkshop, as that is my favorite hex editor. I have been using it for a long time and has advance compare feature.


EDIT: I think I may have found the Beginning and the ending location of the trophies.