Hacking Editing Activity Log on emuNAND

[drfsupercenter]

Hey guys,

One of the things I was hoping to accomplish while my "vanilla" system with all its games was in my emuNAND was to edit the activity log to fix a couple glaring issues.

One of them being that I have PlayCoinSetter by 3DSGuy in my software library as well as the daily activities portion. Sure, I can hide it from the list, but it's still blatantly obvious that's there and Nintendo would know right away I was using a Gateway if I ever needed to send it in.

A couple other problems were just related to the clock, as I was trying to get loads of play coins before we had PlayCoinSetter, I had the clock set back to January 2011 and opened some games like Pokémon Y. Oops, now it shows first played as before the 3DS even existed.

Anyway, thanks to 3DSFAT16tool, I was able to extract my emuNAND, decrypt it and open the FAT16 folder. I tried editing the file named 00000000 in data/ID/sysdata/00010022.

The title ID of PlayCoinSetter, according to Gateway ROM Patcher, is 000400000FF40D00. Since the 3DS stores it in little endian with the first 4 bytes first, that would be 0x00000400000DF40F

I searched for and replaced a bunch of those with 0xFFFFFFFFFFFFFFFF. There were like 500 total. Saved the image, re-encrypted and injected it back into the emuNAND file.

Now, it didn't brick my system or anything, but when I open Activity Log it just hangs. It gives me the little loading symbol forever, I've had it open a few minutes now and nothing. (3DBrew says if it detects invalid data it'll just wipe it and start over)

So obviously I did something wrong. Also, I'm not sure how to get individual .dat files out of the raw files... 3DBrew mentions PlayHistory.dat as part of the PTM Savegame. Obviously I'm in the right file, but I don't know how to extract that portion and I assume part of the raw file is a checksum which is why it became invalidated.

Any ideas? I'm sure there's a way, we can do so much else with 3DSes now, and I really want to get all traces of hacking out of there (ironically by hacking) before transferring it back to my legit system.

Edit: OK, so it finally opened. And what? Play Coin Setter is still there!

Maybe the part I edited was *only* the calendar-based view, where the other stuff is stored elsewhere? I know 00020212 is the folder for the Activity Log's savegame - but what I tried was opening a title I hadn't played since yesterday again, which changed "last played" from 5/4/2015 to 5/5/2015 - and both files in 00020212 were identical when I compared. So clearly that data isn't stored in that file... maybe it has the software library itself, but the first/last played must be stored somewhere else... possibly even a third location?

 

[drfsupercenter]

To add to my observations - after researching some more, I realized that games don't show up in the activity log until after you actually open activity log for them to do so (hence why 20212 didn't change)

And the file I edited, 10022, is just some sort of raw log file which stores the date of each execution (did a test with a legit game card I have never played before, oddly it created 6 entries for the *one* time I booted it, and it was only running for 20 seconds.)

A friend suggested that I search-and-replace the game I want to purge from the log with something else, I used 0xFFFFFFFFFFFFFFFF as a test, but I could just as easily use something like system settings. And they said also delete the Activity Log save, let it recreate itself from that raw logfile. So I tried it, and surely enough that worked. The title I had launched that one time is no longer in my software library, and doesn't even show up at all on the calendar view (which means using 0xFFs actually makes it completely hidden, not like some of the hackware/custom stuff like BigBlueMenu which shows as a ????? title)

A couple concerns with this though. One, apparently there is an icon cache stored in the NAND extdata. I have absolutely no idea how that works or how to edit it, but theoretically the game's icon will still be there even if I fudge the raw logfile.
Two, and this one is a bit more noticeable - there seems to be a huge gap of activity anywhere from January 2011 (you know, when I had reset my clock to 1/1/2011 to try to farm play coins) and September 2013. Like, it's almost as if the logs get truncated after a certain amount of time, and yet for some odd reason it keeps the early January 2011 stuff.

Actually.... looking at it, it shows a ???????? title with 24 hours a day all the way from early 2011 until late 2013. That might have been why the stuff vanished. Uh, what the heck though? I'll have to see what happens if I use an unedited raw logfile and just delete the save, either I edited it incorrectly or something else got massively broken.

Anyway, that's just some more rambling on the subject. If anyone else has something to add, please do reply, I'm shooting in the dark here.

Edit: OK, so it appears I did mess something up, but at the same time I'm confused. If I just open the FAT16 folder, delete the activity log save, and re-encrypt it, the result is that once it rebuilds the save it still sees no activity between early 2011 and late 2013. Though I did spot a couple minutes here and there of System Settings (you know, just to change the date), no other titles. No ???????? taking up all the time, but no actual games there either.

So I'm really not sure what's going on. Does that log actually get truncated to save space and hence rebuilding the save loses all of that activity. And if so, why does it show early 2011 but not anything else... unless it goes in order of when it was written to, and date changes taking place after I bought the system in March 2011 are actually later on in the log.

So preferably I'd like a way to edit both the raw log and the save data so that I can get titles out of there while keeping all my history over the past 4 years...

 

[drfsupercenter]

Bump.

Decided to take a look at the actual Activity Log save data, since it's obvious I'll have to edit that as well.
Here's what I found, but I need some help parsing the data. Pardon the crudeness, this was me thinking out loud to a friend on IRC who wasn't able to help me, hence why I'm posting it here instead.

• Looking at Activity Log save data in hex, the first System Settings entry is at the same point before/after launching PCS
• The line is: 00 10 02 00 10 00 04 00 10 C7 DE 1C 3C 00 00 00
• like a date/timestamp or something?
• 00 10 02 00 being the US system settings ID
• hmm, definitely seems like some sort of timestamp. File 2 is after opening PCS and play log, file 1 was before:
• http://i.imgur.com/rkvvbQE.png
• http://i.imgur.com/cBiskhe.png
• I can see the 00 00 04 00 after the low ID, but I wonder what 90 8D F2 1C is, possibly the date? Only difference between the previous row in file 2 (system settings) and the PCS row is the B4/3C byte
• hmm, next occurrance is here: http://i.imgur.com/hAiw3PV.png vs http://i.imgur.com/C8Sgejh.png <- I wonder if the 02 vs. 01 is the number of times played? Since I did open Activity Log a second time to add PCS to its list
• and that might have been what caused the save to crash, since I didn't try to fudge those numbers
• hm OK yeah, I see some redundancy. Basically, I open one title and it shows up four times. First screenshot looks like a timestamp, second screenshot looks like number of times played and possibly the other stats about it; third looks like first, fourth looks like second. Could be repeated data? I didn't check
• but if someone could try to figure out what the data after the title IDs is, that could help

As for fudging the numbers - I did a very simple test where I replaced all instances of 0x000DF40F (Play Coin Setter's low ID) with 0x00080300 (Mario Kart 7 USA)
When I tried to open up Activity Log after making the edit, it froze after less than a second, before it even fully faded in from black. Tried several times, got the same result, so it's definitely a result of corrupting something.

 

[drfsupercenter]

Tried working on this again.

I finally found a hex editor that could search for hex data inside a ton of files, so I extracted the FAT16 folder and searched for 0x000DF40F. Here's what it found:

To test something else, rather than trying to *wipe* the activity, I tried changing it to a game that I hadn't played before. I tried The LEGO Movie Game, mainly because it came out in April 2014 and my PlayCoinSetter shows being played in May 2014 first, it just makes sense.

Something got screwy, though - I try to open it and get "An error has occurred, forcing the software to close. The system will now restart. (Unsaved data may be lost.)"
All I did was open both 20212\00000000 and 10022\00000000 and replace all 0x000DF40F with 0x005A1000.

Really running out of ideas here.

 

[cearp]

@drfsupercenter - maybe you needed to fix a checksum, or maybe the game you changed it to (lego), your 3ds did not have any pictures of it to display.
i doubt the 3ds contains all of the little images, and i think your 3ds would save them from the cart when you play it.

 

[drfsupercenter]

@drfsupercenter - maybe you needed to fix a checksum, or maybe the game you changed it to (lego), your 3ds did not have any pictures of it to display.
i doubt the 3ds contains all of the little images, and i think your 3ds would save them from the cart when you play it.

You are correct that there's an icon cache, that (I believe) is the first file from my screenshot, the one in extdata.

It might be a checksum thing. I've edited data and then passed it through SaveDataFiler and it works, but directly editing files on the NAND there's nothing to rebuild that checksum. What would you suggest?

 

[cearp]

You are correct that there's an icon cache, that (I believe) is the first file from my screenshot, the one in extdata.

It might be a checksum thing. I've edited data and then passed it through SaveDataFiler and it works, but directly editing files on the NAND there's nothing to rebuild that checksum. What would you suggest?

i couldn't help with the checksum, sorry

 

[drfsupercenter]

OK, another observation.

The raw log file (called PTM Savegame on 3DBrew), in 00010022 in sysdata, seems to overwrite itself once it reaches a certain number of records.
Using the LEGO movie game, I did a test - it's a game I bought on eShop during a sale so I had the icon already in my icon cache, just never actually played it. Put a copy of the retail ROM on my Sky3DS (not sure if the system differentiates between launched-from-cart and launched-from-SD but I figured I'd try to be consistent) and ran it once, went back to home menu. Didn't open the activity log itself, so there would still be no record of it.

Now, if I boot up activity log, it will say "new title added!" and show the LEGO Movie Game. So I searched for 0x00000400005A1000, and it was in there six times. Weird since I only launched it once, but whatever. I made note of the first one and what offset it started at. Opened the dump from before I launched the game, went to that offset, and it's 0x0000040000230600, which is Sonic Generations if reversed to deal with the endianness.

So what does that mean? Well, I've certainly launched Sonic Generations several hundred times since I got it in 2011, but I can tell that the logfile is basically writing over itself at this point. Which would explain why if I delete the save data for Activity Log and reopen it, it doesn't put back all of the games, just most - ones I haven't played in years disappear.

So... the problem of the logfiles *might* resolve itself if I just keep playing normal games. Those entries will eventually overwrite the PlayCoinSetter one, removing any traces in there that I ever played it.

The problem is just getting it out of Activity Log, however. That's what seems to be more difficult. Obviously deleting it doesn't do anything, it's still there, probably just marked as hidden. I want it actually gone, and due to what I said about the overwriting logfiles, I can't afford to just wipe the Activity Log save itself.

Edit: And I'm confused again. I replaced all instances of PlayCoinSetter with LEGO Movie Game in the logfile. Since I hadn't opened Activity Log yet, naturally the only way it would be able to find that I played the game was through the logfile. When I booted it up and opened it, though, it still only showed me as having played it once, not many times, despite my edited log...

Edit 2: Just as I thought. I took the "after booting game" NAND dump and replaced the file in 00010022 with the one from "before booting game." The result: I load of Activity Log, click software library, no notification about "new titles added to library!" and it's obviously not in my library.
I left everything else unchanged from the "after booting game" image - including the StreetPass/SpotPass and extdata stuff.

So as far as I am able to tell, Activity Log reads ONLY from that logfile to determine what you played between the last time you ran it and now. So why did my earlier attempt backfire? On a random note, with my past experiment, while it did add the LEGO Movie Game, showing that I played it only once, it made Sonic: Triple Trouble (for Game Gear) completely disappear from my software library. Which is the strangest thing ever as I didn't even touch that game's ID.

Edit 3: more rambling

OK, so out of boredom I thought I'd try the reverse. Took "before booting game", replaced the 00010022\000000 file with the one from "after booting game."
Was expecting it to show up in activity log, but nope! I opened it up and the software library and it still showed 209 titles played.

So I popped in the Sky3DS and booted it up. Opened Activity Log again... there we go, "new title added."
But the number stayed at 209. Huh? So I looked - Sonic disappeared again, LEGO was there and it says times played: 2. That would be correct, given that I injected the raw log of me opening it once, without touching the Activity Log save.

So what does this tell me? Well, for one, I'm hitting some sort of limit. I knew there was one, but I thought it was 300, not 209. Second, there's something *else* that tells Activity Log a new title was played, not just the raw log. But once it gets that notification, it goes to the raw log and checks, and that's the number that shows up for "times played"

Edit 4:
OK, hm. Restored my initial NAND backup from this morning - shows 208 titles played. Start the LEGO Movie Game, it becomes 209. I get "A new software title has been added to the library!" with the game's icon.

BUT, Sonic still disappears! The icon vanishes from page 8 of my log. LEGO appears at the very end on page 22.

So now I need to figure out why Sonic is disappearing - this is without me messing with any files, I just popped the cart in legit and started it up...

Edit 5:
OK, now I'm just rambling. Opened Sonic The Hedgehog: Triple Trouble again, it's back in my play log in the same place it was before, no new titles added. Odd, too - it shows Times Played is 2, first played 4/3/2012, last played 7/15/2015 (today)

So I'm theorizing that it removes games you haven't played in years to "make room" even though it's not actually removing them?? Time to restore the initial NAND backup, boot up Sonic and THEN LEGO and see what happens.

Edit 6:
Hopefully my last rambling of the day.
So I found that if I opened Sonic first, then LEGO, it would show all 209 games and noine were missing. Very strange indeed.

So I took a new "before" NAND dump - after opening Sonic, but before opening LEGO. Then played LEGO, didn't open activity log, made an "after". Took activity log from after, injected it into before. The result: 208 icons but it says titles played: 209. No notification. If I open LEGO a second time, I then get "A new title has been added to the software library!", the count remains at 209, and it's now at the end of my logbook with times played: 2.

So I can theorize that the "titles played" is reading from the raw log looking for IDs, but that since the icon wasn't in the title cache (I guess you have to actually launch the game for its icon to be cached, not just having the cartridge in) it didn't know what to display and didn't show up.


If anyone can enlighten me on any part of this, please do, I don't like writing walls of text.