Hacking Hacking with 3DS Save DeEncrypter

  • Thread starter: Immortal_no1
Status
Not open for further replies.
I didn't think about that. I'll try it tomorrow 'cause now it's getting really really late
 
Okay, I have another idea that only works if this function is used for the check byte: f(crc(data)), where f is an unknown "simple" function.

So if we use f(crc(data with last bit set)) xor f(crc(same data with last bit not set)), we should get f(polynomial), or is this wrong? I am not sure.
 
news at http://www.3dbrew.org/wiki/Savegames:

QUOTE said:
The checksums in the blockmap/journal entries work as follows:

each byte is the checksum of an encrypted 0x200 bytes large block
to calculate the checksum, a CRC16 of the block (with starting value 0xFFFF) is calculated, and the two bytes of the CRC16 are XORed together to produce the 8bit checksum
 
ichichfly said:
Maybe it is a CRC16 with an XOR or something of both bytes.

I think this is the end for this.

since there are 1000s of ways the check byte can be calculated


lazymarek said:
news at http://www.3dbrew.org/wiki/Savegames:

QUOTE said:
The checksums in the blockmap/journal entries work as follows:

each byte is the checksum of an encrypted 0x200 bytes large block
to calculate the checksum, a CRC16 of the block (with starting value 0xFFFF) is calculated, and the two bytes of the CRC16 are XORed together to produce the 8bit checksum

omg my guess was right (not good English but right). I thought there are 1000s of possible ways and it is not worth testing omg omg omg

ADD: I will add this soon to the 3dssaveresorter.exe and also a way to get the raw encrypted file out of a modified virtual file.
 
QUOTE said:
omg my guess was right (not good English but right). I thought there are 1000s of possible ways and it is not worth testing omg omg omg
haha, nice


Well, can we create a not corrupted savegame now?
 
ron975 said:
So we know how to calculate the checksums now?


I think 3 are still missing

2 at the start of the hash block and the one in the DIFI

but the 3DS may not check them.
 
Why would Nintendo put in checksums/hashes and not verify them? Such a mistake is rather something Sony would do


And don't forget, even if we find all the checksums/hashes, we still can't have useful exploits! We need knowledge of the hardware first!
 
QUOTE said:
I think 3 are still missing

2 at the start of the hash block and the one in the DIFI

but the 3DS may not check them.

stupid Nintendo!

PS: I've written you a PM, ichichfly!
 
Mega-Mario said:
Why would Nintendo put in checksums/hashes and not verify them? Such a mistake is rather something Sony would do


And don't forget, even if we find all the checksums/hashes, we still can't have useful exploits! We need knowledge of the hardware first!


Some developers add checksums to their files but don't verify them, or only check them if something is wrong, like another checksum.

ADD: I am currently only interested in modding my saves, not hacking (maybe later).
 
I think i'm overlooking something, i've been through this the last few days and didn't come up with anything, i didn't try this starting 0xFFFF part which must make the difference.... but i can't create the CRC value....

So here's some Data:

a 0x200 byte block that should generate the value 0x48. Ichi you or someone else please explain the process to generate the CRC.

F5 39 EE 28 1E 6B 4A F6 7C BF 9A 52 ED 19 27 0C 17 BF 89 15 76 6B 35 E0 55 9C 40 6D 50 80 97 B1 AA 14 98 8A EA 7B 3F 35 2E 46 5F 83 5C 8F 94 25 B5 6D 34 43 A4 D3 59 F6 25 06 F4 FF C0 62 EA C9 DB 0B 96 3B 47 0C 6E DA 9E D9 EF 35 D9 94 9D BC F7 D8 DE 26 B4 53 B4 70 F1 D0 7C 19 CF 4D E7 90 D5 AC 45 CF 5B DE 1D 67 6A 99 CD 0E 29 83 54 94 98 90 E1 40 E2 C1 19 05 02 17 DE 1E E6 A3 B4 9C 7C C9 C6 3F C0 F4 E2 2B 82 D3 86 07 74 8A D4 A7 CA AE 72 BE 9D 26 3B E5 AD FC A6 91 DE 77 8A 07 95 F2 28 4C 62 F2 0E 68 12 C3 2E F3 28 BE 87 96 97 F5 63 73 F3 2A E5 86 3C 91 05 09 44 30 0C 76 09 D5 FD 8B DA AD 80 20 F0 94 CD 6A F7 B9 52 55 53 8C 0C 7C D5 98 85 5C 10 46 FF E1 0E 10 C4 06 47 31 31 A2 F4 F4 D4 CF 82 01 5E DF 96 1C 44 03 AE 52 C9 58 DD 7D 26 36 93 DF E6 66 F8 D8 65 11 CC AC 22 D3 77 6A 8E 19 AF 3A E1 A2 09 05 C2 34 23 BF 5C DF 03 C8 4D BF 57 0C 1F 1F 1A 0A 0C A0 6E 6B 90 B5 DC 42 EE 60 BF AE 4B FF EF A8 37 DF 8B E4 DE 73 A5 64 4F D6 64 6D BD 45 D4 88 AB 3F F0 2E B2 98 65 F5 23 BE AC FC C3 B6 AF 45 11 D4 A7 FD 1B AD 1C 74 50 C2 C5 45 BE 64 DF 5D 51 CD 73 DE D8 56 DA F7 A1 9C 33 D6 5F 69 40 9D 67 67 51 7A 9C 4B E8 BB 63 94 F6 2A 8E 6B 7D 96 EC FA 70 32 B5 1C 88 50 D2 63 27 3D 66 C5 B1 F1 F8 5B BD 25 1F AB 58 1E 64 ED B1 07 BB DB 78 AE 4C 86 08 B6 DA 44 B9 44 5E CA B3 25 32 97 1A 72 ED AB 57 E5 84 FC 9C CB F6 C5 4F 6A 9F A3 87 A8 E2 17 AF 9C BA B9 DA 5F 87 5C F3 7E 4D 23 0F B1 28 AB 67 5B F7 37 8A B1 7B 93 DA 4F 8E 51 5B 3C 4A 2E FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

I'll add this to the app asap, as soon as i gain the understanding of what is being said.

What is the Polynomial value used?
 
Immortal_no1 said:
I think i'm overlooking something, i've been through this the last few days and didn't come up with anything, i didn't try this starting 0xFFFF part which must make the difference.... but i can't create the CRC value....

So here's some Data:

a 0x200 byte block that should generate the value 0x48. Ichi you or someone else please explain the process to generate the CRC.


I'll add this to the app asap, as soon as i gain the understanding of what is being said.

What is the Polynomial value used?

I think it is the SWI 0E CRC function, but I am on my mobile phone here, so I can't test it at the moment.
 
You have full permission to shoot me down as necessary but I have a question.

Is it possible that the system is based on unix like coding?

I'm basing this on the previous posts with the plaintext parts.
In unix/linux hidden files are indicated by ".foldername" and ".filename"
 
silentblue1987 said:
You have full permission to shoot me down as necessary but I have a question.

Is it possible that the system is based on unix like coding?

I'm basing this on the previous posts with the plaintext parts.
In unix/linux hidden files are indicated by ".foldername" and ".filename"

No, you're not completely crazy. However, which plaintext parts are you referring to?
There hasn't been any mention of foldernames/filenames, as far as I can remember.

You got the right thread?
 
Yeah i had 0x8005 set,

the problem was that i didn't have the Input and the Output reflected. I'm getting the correct data now.
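
The checksum from the 3dbrew quote, using the parameters the posts above arrive at (polynomial 0x8005, start value 0xFFFF, input and output reflected), as an added example that is not part of the original thread; it also checks the earlier idea about flipping the last bit. The function names and the sample bytes are constructed for illustration, and the absence of a final XOR on the CRC is an assumption.

```python
# Assumption: the "CRC16" is the common reflected CRC-16 with polynomial 0x8005
# (this parameter set is widely known as CRC-16/MODBUS), with no final XOR.
POLY_REFLECTED = 0xA001  # 0x8005 bit-reversed, because input and output are reflected
BLOCK_SIZE = 0x200


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise reflected CRC-16: poly 0x8005, start value 0xFFFF."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def fold8(crc: int) -> int:
    """XOR the two bytes of the CRC16 together to get the 8-bit checksum."""
    return (crc >> 8) ^ (crc & 0xFF)


def block_checksum(block: bytes) -> int:
    if len(block) != BLOCK_SIZE:
        raise ValueError(f"expected a 0x200-byte block, got {len(block):#x} bytes")
    return fold8(crc16(block))


def checksum_table(image: bytes) -> bytes:
    """One checksum byte per 0x200-byte block of an encrypted image."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image length is not a multiple of 0x200")
    return bytes(block_checksum(image[i:i + BLOCK_SIZE])
                 for i in range(0, len(image), BLOCK_SIZE))


def last_bit_difference(block: bytes) -> int:
    """XOR of the checksums of a block and of the same block with its last processed bit flipped."""
    flipped = block[:-1] + bytes([block[-1] ^ 0x80])  # bit 7 is shifted in last when reflected
    return block_checksum(block) ^ block_checksum(flipped)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real save.
    sample = bytes((i * 7 + 3) & 0xFF for i in range(2 * BLOCK_SIZE))
    print(checksum_table(sample).hex())
    print(hex(last_bit_difference(sample[:BLOCK_SIZE])))  # 0xa1 == fold8(0xA001) for any block
```

Because both the CRC and the byte fold are linear over XOR, the difference is the folded polynomial whatever the block contains; a checksum like this detects accidental corruption only and can be recomputed by anyone who edits a block.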
 
Well i modded my resident evil save, i think it may have been too extensive, and it says it was corrupt. i'll try the Super MonkeyBall in the morning, a simple change and see what i get. if it works, good, we don't need to change the other CRCs, but looks like we will have to move onto the next CRC value.

But good job everyone for getting this far.

Thanks Luigi2us for figuring out the header CRC, and good job to ichichfly for guessing correctly the process
 
Does it work, immortal? I will try it with zelda 3d.
ichichfly, I have sent you a PM!

Can you post a tutorial, like Immortal did, about modding a savegame correctly?
 