Hacking with 3DS Save DeEncrypter

Status
Not open for further replies.

Arisotura

I didn't think about that. I'll try it tomorrow 'cause now it's getting really, really late. :P
 

ichichfly

Okay, I have another idea that only works if this function is used for the checkbyte: f(crc(data)), where f is an unknown "simple" function.

So if we use f(crc(data with last bit set)) xor f(crc(same data with last bit not set)), we should get f(polynomial). Or is this wrong? I am not sure.
 

lazymarek

News at http://www.3dbrew.org/wiki/Savegames:

3dbrew said:
The checksums in the blockmap/journal entries work as follows:

each byte is the checksum of an encrypted 0x200-byte block
to calculate the checksum, a CRC16 of the block (with starting value 0xFFFF) is calculated, and the two bytes of the CRC16 are XORed together to produce the 8-bit checksum
 

ichichfly

ichichfly said:
Maybe it is a CRC16 with an XOR or something of both bytes.

I think this is the end for this.

Since there are thousands of ways the checkbyte can be calculated.


lazymarek said:
News at http://www.3dbrew.org/wiki/Savegames:

3dbrew said:
The checksums in the blockmap/journal entries work as follows:

each byte is the checksum of an encrypted 0x200-byte block
to calculate the checksum, a CRC16 of the block (with starting value 0xFFFF) is calculated, and the two bytes of the CRC16 are XORed together to produce the 8-bit checksum

OMG, my guess was right (not good English, but right). I thought there were thousands of possible ways and that it was not worth testing. OMG OMG OMG

ADD: I will add this soon to 3dssaveresorter.exe, and also a way to get the raw encrypted file out of a modified virtual file.
 

lazymarek

ichichfly said:
OMG, my guess was right (not good English, but right). I thought there were thousands of possible ways and that it was not worth testing. OMG OMG OMG

Haha, nice. ;)


Well, can we create a non-corrupted savegame now?
 

ichichfly

ron975 said:
So we know how to calculate the checksums now?


I think 3 are still missing:

2 at the start of the hash block and the one in the DIFI.

But the 3DS may not check them.
 

Arisotura

Why would Nintendo put in checksums/hashes and not verify them? Such a mistake is rather something Sony would do. :P


And don't forget, even if we find all the checksums/hashes, we still can't have useful exploits! We need knowledge of the hardware first!
 

lazymarek

ichichfly said:
I think 3 are still missing:

2 at the start of the hash block and the one in the DIFI.

But the 3DS may not check them.

Stupid Nintendo!

PS: I've written you a PM, ichichfly!
 

ichichfly

Mega-Mario said:
Why would Nintendo put in checksums/hashes and not verify them? Such a mistake is rather something Sony would do. :P


And don't forget, even if we find all the checksums/hashes, we still can't have useful exploits! We need knowledge of the hardware first!


Some developers add checksums to their files but don't verify them, or only check them if something is wrong, like another checksum.

ADD: I am currently only interested in modding my saves, not hacking (maybe later).
 

Immortal_no1

I think I'm overlooking something. I've been through this the last few days and didn't come up with anything. I didn't try this starting-0xFFFF part, which must make the difference... but I can't create the CRC value...

So here's some data:

A 0x200-byte block that should generate the value 0x48. Ichi, you or someone else, please explain the process to generate the CRC.

F5 39 EE 28 1E 6B 4A F6 7C BF 9A 52 ED 19 27 0C 17 BF 89 15 76 6B 35 E0 55 9C 40 6D 50 80 97 B1 AA 14 98 8A EA 7B 3F 35 2E 46 5F 83 5C 8F 94 25 B5 6D 34 43 A4 D3 59 F6 25 06 F4 FF C0 62 EA C9 DB 0B 96 3B 47 0C 6E DA 9E D9 EF 35 D9 94 9D BC F7 D8 DE 26 B4 53 B4 70 F1 D0 7C 19 CF 4D E7 90 D5 AC 45 CF 5B DE 1D 67 6A 99 CD 0E 29 83 54 94 98 90 E1 40 E2 C1 19 05 02 17 DE 1E E6 A3 B4 9C 7C C9 C6 3F C0 F4 E2 2B 82 D3 86 07 74 8A D4 A7 CA AE 72 BE 9D 26 3B E5 AD FC A6 91 DE 77 8A 07 95 F2 28 4C 62 F2 0E 68 12 C3 2E F3 28 BE 87 96 97 F5 63 73 F3 2A E5 86 3C 91 05 09 44 30 0C 76 09 D5 FD 8B DA AD 80 20 F0 94 CD 6A F7 B9 52 55 53 8C 0C 7C D5 98 85 5C 10 46 FF E1 0E 10 C4 06 47 31 31 A2 F4 F4 D4 CF 82 01 5E DF 96 1C 44 03 AE 52 C9 58 DD 7D 26 36 93 DF E6 66 F8 D8 65 11 CC AC 22 D3 77 6A 8E 19 AF 3A E1 A2 09 05 C2 34 23 BF 5C DF 03 C8 4D BF 57 0C 1F 1F 1A 0A 0C A0 6E 6B 90 B5 DC 42 EE 60 BF AE 4B FF EF A8 37 DF 8B E4 DE 73 A5 64 4F D6 64 6D BD 45 D4 88 AB 3F F0 2E B2 98 65 F5 23 BE AC FC C3 B6 AF 45 11 D4 A7 FD 1B AD 1C 74 50 C2 C5 45 BE 64 DF 5D 51 CD 73 DE D8 56 DA F7 A1 9C 33 D6 5F 69 40 9D 67 67 51 7A 9C 4B E8 BB 63 94 F6 2A 8E 6B 7D 96 EC FA 70 32 B5 1C 88 50 D2 63 27 3D 66 C5 B1 F1 F8 5B BD 25 1F AB 58 1E 64 ED B1 07 BB DB 78 AE 4C 86 08 B6 DA 44 B9 44 5E CA B3 25 32 97 1A 72 ED AB 57 E5 84 FC 9C CB F6 C5 4F 6A 9F A3 87 A8 E2 17 AF 9C BA B9 DA 5F 87 5C F3 7E 4D 23 0F B1 28 AB 67 5B F7 37 8A B1 7B 93 DA 4F 8E 51 5B 3C 4A 2E FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

I'll add this to the app ASAP, as soon as I gain an understanding of what is being said.

What is the polynomial value used?
 

ichichfly

Immortal_no1 said:
I think I'm overlooking something. I've been through this the last few days and didn't come up with anything. I didn't try this starting-0xFFFF part, which must make the difference... but I can't create the CRC value...

So here's some data:

A 0x200-byte block that should generate the value 0x48. Ichi, you or someone else, please explain the process to generate the CRC.

[0x200-byte hex dump quoted above]

I'll add this to the app ASAP, as soon as I gain an understanding of what is being said.

What is the polynomial value used?

I think it is the swi 0E CRC function, but I am on my phone so I can't test it at the moment.
 

silentblue1987

You have full permission to shoot me down as necessary, but I have a question.

Is it possible that the system is based on Unix-like coding?

I'm basing this on the previous posts with the plaintext parts.
In Unix/Linux, hidden files are indicated by ".foldername" and ".filename".
 

Immortal_no1

silentblue1987 said:
You have full permission to shoot me down as necessary, but I have a question.

Is it possible that the system is based on Unix-like coding?

I'm basing this on the previous posts with the plaintext parts.
In Unix/Linux, hidden files are indicated by ".foldername" and ".filename".

No, you're not completely crazy. However, which plaintext parts are you referring to?
There hasn't been any mention of folder names/filenames, as far as I can remember.

You've got the right thread?
 

Immortal_no1

Yeah, I had 0x8005 set.

The problem was that I didn't have the input and the output reflected. I'm getting the correct data now.
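The block checksum as the thread has now pieced it together (3dbrew: CRC16 with starting value 0xFFFF, the two CRC bytes XORed into one; Immortal_no1: polynomial 0x8005 with input and output reflected), together with the differential test ichichfly proposed earlier (XOR of the checksums of two blocks that differ only in their last bit). This is an added example, not code from the thread, from 3dbrew, or from 3dssaveresorter.exe. One parameter is assumed because no post states it: no final XOR on the CRC (xorout 0), which makes this the variant catalogued as CRC-16/MODBUS. The sample block is constructed, not data from a real save; feeding the 0x200-byte dump from Immortal_no1's post to `block_checksum` should give the 0x48 he reports if these parameters are right.

```python
# Added example (not code from the thread, 3dbrew, or 3dssaveresorter.exe).
# CRC parameters from the posts: poly 0x8005, init 0xFFFF, input and output
# reflected, then the two CRC bytes XORed into one checksum byte.
# ASSUMED (not stated on the page): no final XOR (xorout 0) = CRC-16/MODBUS.

BLOCK_SIZE = 0x200


def reflect(value: int, width: int) -> int:
    """Bit-reverse the low `width` bits of `value`."""
    out = 0
    for i in range(width):
        if value >> i & 1:
            out |= 1 << (width - 1 - i)
    return out


def crc16(data: bytes, poly: int = 0x8005, init: int = 0xFFFF,
          reflected: bool = True, xorout: int = 0) -> int:
    """Bit-serial CRC-16.

    reflected=True (input and output reflected) is implemented the usual way:
    shift right with the reflected polynomial (0x8005 -> 0xA001). `init` must
    then be given in reflected form; 0xFFFF and 0 are their own reflection.
    reflected=False is the MSB-first form Immortal_no1 had before turning
    reflection on; it yields a different value, so the stored byte never matches.
    """
    crc = init & 0xFFFF
    if reflected:
        rpoly = reflect(poly, 16)
        for byte in data:
            crc ^= byte
            for _ in range(8):
                crc = (crc >> 1) ^ rpoly if crc & 1 else crc >> 1
    else:
        for byte in data:
            crc ^= byte << 8
            for _ in range(8):
                if crc & 0x8000:
                    crc = ((crc << 1) ^ poly) & 0xFFFF
                else:
                    crc = (crc << 1) & 0xFFFF
    return crc ^ xorout


def fold8(crc: int) -> int:
    """XOR the high and low byte of a CRC-16 into the 8-bit checksum (3dbrew)."""
    return ((crc >> 8) ^ crc) & 0xFF


def block_checksum(block: bytes) -> int:
    """Checksum byte of one encrypted 0x200-byte block (blockmap/journal entry)."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("blockmap checksum covers exactly 0x200 bytes")
    return fold8(crc16(block))


def verify_block(block: bytes, stored: int) -> bool:
    """True if `stored` is the checksum byte expected for `block`."""
    return block_checksum(block) == stored


def checksum_difference(a: bytes, b: bytes) -> int:
    """ichichfly's differential: checksum(a) XOR checksum(b).

    A CRC is affine in its input, so for two inputs of equal length the 0xFFFF
    starting value cancels: crc16(a) ^ crc16(b) == crc16(a ^ b, init=0). The
    byte fold is an XOR, hence linear, so the identity carries over to the
    8-bit checksum. For inputs differing only in the last bit, crc16(a ^ b,
    init=0) is the reflected polynomial pushed through one byte of shifts,
    0xC0C1, so the checksum difference is 0xC0 ^ 0xC1 = 0x01.
    """
    return block_checksum(a) ^ block_checksum(b)


if __name__ == "__main__":
    # Constructed sample block (not data from the thread).
    block = bytes((i * 7 + 3) & 0xFF for i in range(BLOCK_SIZE))
    flipped = block[:-1] + bytes([block[-1] ^ 0x01])
    print("crc16('123456789') = 0x%04X" % crc16(b"123456789"))
    print("block checksum     = 0x%02X" % block_checksum(block))
    print("last-bit flip diff = 0x%02X" % checksum_difference(block, flipped))
```

The standard check string "123456789" is a quick way to confirm the parameter set before trusting the checksum on real blocks: the reflected variant gives 0x4B37 (CRC-16/MODBUS) and the unreflected one 0xAEE7 (CRC-16/CMS), which is the mismatch Immortal_no1 ran into. Note that the checksum covers the encrypted block, so a save editor must re-encrypt the modified block first and only then recompute and store the byte.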
 

Immortal_no1

Well, I modded my Resident Evil save. I think it may have been too extensive, and it says it was corrupt. I'll try Super Monkey Ball in the morning, a simple change, and see what I get. If it works, good, we don't need to change the other CRCs, but it looks like we will have to move on to the next CRC value.

But good job everyone for getting this far.

Thanks Luigi2us for figuring out the header CRC, and good job to ichichfly for guessing the process correctly. :P
 

lazymarek

Does it work, Immortal? I will try it with Zelda 3D.
ichichfly, I have sent you a PM!

Can you post a tutorial, like Immortal did, about modding a savegame correctly?
 