How to Unlock M3 Sakura firmware

Discussion in 'M3 Adapter' started by glitchbit, Jan 6, 2009.

  1. glitchbit
    OP

    glitchbit GBAtemp Regular

    Member
    114
    0
    Dec 27, 2006
    United States
    *UPDATE*
    With the Japanese firmware release it looks plausible again, but there are still changes that were made that may make it difficult.

    *UPDATE*
    Sorry, I just found out this is a dead end: they have now encrypted or scrambled it beyond hex editing; none of it makes any sense anymore. Every reference to Create ISO and Sakura is gone in 1.33 and 1.34. There is very little hope that we will see an unofficial English version of those, imho.



    -old-
    OK, after looking at the g6dsload.eng and .jp files in a hex editor, I know which bytes need to be changed. I also know that the ISO header stays the same between versions 1.11 and 1.12. I assume that ISO headers must contain the information that locks the firmware to specific cards, but I am uncertain whether it contains any MFT information; I think it would be larger if it did contain an MFT, so I think that is unlikely.

    Please take a look at address 0000 5BB0, or "Create ISO", and you will find that the following bytes start to change; it also shifts the data some.
     
  2. Densetsu

    Densetsu Pubic Ninja

    Former Staff
    3,435
    2,869
    Feb 2, 2008
    United States
    Wouldn't YOU like to know?
    I was wondering if someone was going to take a look at the firmware. Thanks for trying!
     
  3. AMPonzi

    AMPonzi GBAtemp Fan

    Member
    316
    1
    Dec 20, 2002
    United States
    The Lost City of Atlantis
    Good attempt. Makes you wonder why they try so hard to protect it when they can just release it in the US and be done with it. Oh well, the story continues on this craziness.
     
  4. Styles420

    Styles420 GBAtemp Regular

    Member
    248
    0
    Dec 27, 2008
    United States
    Denver, Colorado
    Which version's file did you find this in? I can't find it in the hacked version of 1.12, maybe I'm misunderstanding something?

    (I know it's a dead end, but I'm hoping with a little luck I might stumble on something that might have been missed, or might help figure out just how they encoded the newer versions)
     
  5. glitchbit
    OP

    glitchbit GBAtemp Regular

    Member
    114
    0
    Dec 27, 2006
    United States
    *removed*

    Info inaccurate

    and it would make me look stupid..

    I see it now. I just need to study it.
     
  6. glitchbit
    OP

    glitchbit GBAtemp Regular

    Member
    114
    0
    Dec 27, 2006
    United States
    I made a mistake: when the Asian/Chinese version came out, I compared the gs6load.gb file to the g6dsload.jp and g6dsload.eng files, which share similarities but are a good deal different from the .gb formatted releases.

    There is absolutely no technical reason that I can find that would make converting 1.34 to English any more difficult than 1.11 or 1.12. We just need to find out how those were done...


    *UPDATE*

    After having talked to iq_132, I have found out he basically says the changes need to be made in the first few hundred bytes of the file, as he had done earlier. Well, I don't know if he forgot, but that is not entirely true... I have replaced the header on the older 1.11 and 1.12 files with his .eng file (position 0000-01F0) and it fails the firmware/hardware check. I have found that extending my copy and paste to position 5B30 does not change anything (in other words, I have verified that no values change between those positions). After 5B30 is where the Create ISO section begins, where I know values change and data gets shifted a few bytes. But firmware 1.34 does not have a Create ISO section, so I am back to square 1...

    Basically, I believe the Create ISO section sets the %s variable which is used throughout the g6dsload.eng file, and that variable is your Language ID. So I am looking for something that would look like s = English, where English would be in hex and not the hex value for English, sadly...

    Also, the difference between the English and Japanese firmwares' first few hundred bytes is that the bytes are shifted by 5+ hex values (positions 0000-01F0). (thx for the tip iq_132, but I still need more info -.- )

    I am throwing in the towel. I just ran it through a hex editor that compares the code, and I can tell that this thing goes well beyond hex editing. You need a tool that can either decompile, decrypt, extract, or one of the above to get anywhere. Oh yeah, Robert was there...
     
  7. SeaofTea

    SeaofTea Member

    Newcomer
    22
    0
    Jun 16, 2007
    United States
    I've just stumbled upon this after reading your thread and have figured out the difference between the English and Japanese firmwares: it's not that they're bit-shifted, but, like you originally posted, they're changed by bitwise XOR by 15. I can successfully decrypt between the English, Japanese and Chinese firmwares now, at least 1.12. In 1.34, though, something's different between the g6dsload.gb and g6dsload.jp from 0x70 to 0x7c.
     
  8. glitchbit
    OP

    glitchbit GBAtemp Regular

    Member
    114
    0
    Dec 27, 2006
    United States
    I am not so certain whether the bit shift I said is correct or not; I only calculated it with some random positions near the beginning (positions 0-01F0), but I am not so sure if that shift rule of 5 between the jp and eng versions is correct, because I found some values that changed by more than 5.

    I have not been able to successfully convert the 1.11 jp version to eng, and after having compared them in another hex editor, all I see is that there are more changes between them than I expected, and some guy named Robert who apparently was the one who converted it, or had helped in converting it...
     
  9. Styles420

    Styles420 GBAtemp Regular

    Member
    248
    0
    Dec 27, 2008
    United States
    Denver, Colorado
    Just tried the XOR on the jp version of the 1.34 g6dsloader; it becomes nearly identical to the Asian version. I'm guessing the modified sections are language-specific... now I'm looking for any small sections of differences that could be a language ID... this is interesting...

    (that's hex 15; my first attempt was with decimal and was way off)
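The technique SeaofTea and Styles420 describe, a constant byte-wise XOR (key 0x15) between the language builds with a few small regions that do not follow it, can be checked mechanically rather than by eyeballing a hex editor. The script below is an added example, not code from anyone in this thread: it infers the most common XOR value between two files, reports how much of the file that key explains, and lists the offset ranges where the two files differ by something other than that key. The sample data is constructed (a 512-byte stand-in for g6dsload.jp, and an "eng" copy made by XORing with 0x15 and overwriting 0x70-0x7C with a made-up tag, mimicking the region SeaofTea noticed); the file names are used only as labels.

```python
#!/usr/bin/env python3
"""Infer the constant XOR key between two firmware images and locate the
byte ranges that do not follow it.

Added example for this thread, not code from any of the posters. All data
here is constructed; pass two real file paths on the command line to run
it against actual dumps.
"""
from collections import Counter
from typing import List, Optional, Tuple

KEY_GUESS = 0x15  # the key the thread arrived at (hex 15, not decimal 15)


def infer_xor_key(a: bytes, b: bytes) -> Tuple[int, float]:
    """Most common a[i] ^ b[i] over the shared prefix, and the fraction of
    bytes it explains. A fraction near 1.0 means a single-byte XOR."""
    n = min(len(a), len(b))
    if n == 0:
        raise ValueError("nothing to compare")
    counts = Counter(x ^ y for x, y in zip(a, b))
    key, hits = counts.most_common(1)[0]
    return key, hits / n


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(x ^ key for x in data)


def mismatch_ranges(a: bytes, b: bytes, key: int) -> List[Tuple[int, int]]:
    """Half-open [start, end) offsets where a[i] ^ key != b[i].
    A length difference is reported as one final range past the shared prefix."""
    n = min(len(a), len(b))
    ranges: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i in range(n):
        if (a[i] ^ key) != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def format_ranges(ranges: List[Tuple[int, int]]) -> str:
    return ", ".join(f"0x{s:04X}-0x{e:04X}" for s, e in ranges) or "(none)"


def analyse(a: bytes, b: bytes) -> dict:
    """Key, coverage and unexplained ranges in one call."""
    key, coverage = infer_xor_key(a, b)
    return {"key": key, "coverage": coverage,
            "ranges": mismatch_ranges(a, b, key)}


# --- constructed sample data (not real M3 firmware) ----------------------
SAMPLE_JP = bytes(range(256)) * 2                  # 0x200 bytes of filler
_eng = bytearray(xor_bytes(SAMPLE_JP, KEY_GUESS))  # "eng" = jp XOR 0x15 ...
_eng[0x70:0x7C] = b"ENGLISH-ID!!"                  # ... plus a 12-byte made-up tag
SAMPLE_ENG = bytes(_eng)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            a, b = f1.read(), f2.read()
    else:
        a, b = SAMPLE_JP, SAMPLE_ENG
    r = analyse(a, b)
    print(f"key 0x{r['key']:02X} explains {r['coverage']:.1%} of compared bytes")
    print("ranges not explained by that key:", format_ranges(r["ranges"]))
```

On the constructed sample the key comes out as 0x15 covering 500 of 512 bytes, and the only unexplained range is 0x0070-0x007C. On real dumps, a coverage well below 1.0 is the signal glitchbit eventually hit: the files are not related by a single-byte XOR at all, so a hex editor is the wrong tool.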