Hacking How to Unlock M3 Sakura firmware

glitchbit

*UPDATE*
With the Japanese firmware release it looks plausible again, but there are still changes that were made that may make it difficult.

*UPDATE*
Sorry, I just found out this is a dead end: they have now encrypted or scrambled it beyond hex editing; none of it makes any sense anymore. Every reference to Create ISO and Sakura is gone in 1.33 and 1.34. There is very little hope that we will see an unofficial English version of those, IMHO.



-old-
OK, after looking at the g6dsload.eng and .jp files in a hex editor, I know what bytes need to be changed. I also know that the ISO header stays the same between version 1.11 and 1.12. I assume that ISO headers must contain the information that locks the firmware to specific cards, but I am uncertain if it contains any MFT information; I think it would be larger if it did contain an MFT, so I think that is unlikely.

Please take a look at address 0000 5BB0, or "Create ISO", and you will find that the following bytes start to change; it also shifts the data some.
 

Styles420

glitchbit said:
*UPDATE*
Sorry, I just found out this is a dead end: they have now encrypted or scrambled it beyond hex editing; none of it makes any sense anymore. Every reference to Create ISO and Sakura is gone in 1.33 and 1.34. There is very little hope that we will see an unofficial English version of those, IMHO.


-old-
OK, after looking at the g6dsload.eng and .jp files in a hex editor, I know what bytes need to be changed. I also know that the ISO header stays the same between version 1.11 and 1.12. I assume that ISO headers must contain the information that locks the firmware to specific cards, but I am uncertain if it contains any MFT information; I think it would be larger if it did contain an MFT, so I think that is unlikely.

Please take a look at address 0000 5BB0, or "Create ISO", and you will find that the following bytes start to change; it also shifts the data some.

Which version's file did you find this in? I can't find it in the hacked version of 1.12; maybe I'm misunderstanding something?

(I know it's a dead end, but I'm hoping with a little luck I might stumble on something that might have been missed, or might help figure out just how they encoded the newer versions)
 

glitchbit

I made a mistake: when the Asian/Chinese version came out I compared the g6dsload.gb file to the g6dsload.jp and g6dsload.eng files, which share similarities but are a good deal different from the .gb formatted releases.

There is absolutely no technical reason that I can find that would make converting 1.34 to English any more difficult than 1.11 or 1.12. We just need to find out how those were done...


*UPDATE*

After having talked to iq_132, I have found out he basically says the changes need to be made in the first few hundred bytes of the file, as he had done earlier. Well, I don't know if he forgot, but that is not entirely true... I have replaced the header on the older 1.11 and 1.12 files with his .eng file (position 0000-01F0) and it fails the firmware/hardware check. I have found that extending my copy and paste to position 5B30 does not change anything (in other words, I have verified that no values change between those positions). After 5B30 is where the Create ISO section begins, where I know values change and data gets shifted a few bytes. But firmware 1.34 does not have a Create ISO section, so I am back to square one...

Basically, I believe the Create ISO section sets the %s variable which is used throughout the g6dsload.eng file, and that variable is your Language ID. So I am looking for something that would look like s = English, where English would be in hex and not the hex value for English, sadly...

Also, the difference between the English and Japanese firmwares' first few hundred bytes is that the bytes are shifted by 5+ hex values (positions 0000-01F0). (Thx for the tip iq_132, but I still need more info -.- )

I am throwing in the towel. I just ran it through a hex editor that compares the code, and I can tell that this thing goes well beyond hex editing. You need a tool that can either decompile, decrypt, extract, or one of the above to get anywhere. Oh yeah, Robert was there...
 

SeaofTea

glitchbit said:
Also, the difference between the English and Japanese firmwares' first few hundred bytes is that the bytes are shifted by 5+ hex values (positions 0000-01F0). (Thx for the tip iq_132, but I still need more info -.- )

I am throwing in the towel. I just ran it through a hex editor that compares the code, and I can tell that this thing goes well beyond hex editing. You need a tool that can either decompile, decrypt, extract, or one of the above to get anywhere. Oh yeah, Robert was there...

I've just stumbled upon this after reading your thread and have figured out the difference between the English and Japanese firmwares, and it's not that they're bit-shifted but, like you originally posted, that they're changed by bitwise XOR by 15. I can successfully decrypt between the English, Japanese and Chinese firmwares now, at least 1.12. In the 1.34, though, something's different between the g6dsload.gb and g6dsload.jp from 0x70 to 0x7c.
 

glitchbit

I am not so certain whether the bit shift I said is correct or not. I only calculated it with some random positions near the beginning (positions 0-01F0), but I am not so sure if that shift rule of 5 between the JP and ENG versions is correct, because I found some values that changed by more than 5.

I have not been able to successfully convert the 1.11 JP version to ENG, and after having compared them in another hex editor all I see is that there are more changes between them than what I expected, and some guy named Robert who apparently was the one who converted it or had helped in converting it...
 

Styles420

SeaofTea said:
glitchbit said:
Also, the difference between the English and Japanese firmwares' first few hundred bytes is that the bytes are shifted by 5+ hex values (positions 0000-01F0). (Thx for the tip iq_132, but I still need more info -.- )

I am throwing in the towel. I just ran it through a hex editor that compares the code, and I can tell that this thing goes well beyond hex editing. You need a tool that can either decompile, decrypt, extract, or one of the above to get anywhere. Oh yeah, Robert was there...

I've just stumbled upon this after reading your thread and have figured out the difference between the English and Japanese firmwares, and it's not that they're bit-shifted but, like you originally posted, that they're changed by bitwise XOR by 15. I can successfully decrypt between the English, Japanese and Chinese firmwares now, at least 1.12. In the 1.34, though, something's different between the g6dsload.gb and g6dsload.jp from 0x70 to 0x7c.

Just tried the XOR on the JP version of 1.34 g6dsloader; it becomes nearly identical to the Asian version. I'm guessing the modified sections are language specific... now I'm looking for any small sections of differences that could be a language ID... this is interesting...

(That's hex 15; my first attempt was with decimal and was way off.)
 
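SeaofTea's observation that the language builds relate by a bytewise XOR with 0x15, and Styles420's follow-up of diffing the images after undoing it, as an added example that is not code from anyone in the thread: it guesses the XOR constant by majority vote over the byte pairs, undoes it, and reports the offset ranges that still differ (the candidate language-specific sections). The two images are constructed stand-ins, with bytes 0x70..0x7B altered to mirror the 0x70-0x7c difference reported for 1.34; the g6dsload.jp / g6dsload.gb names are labels only.

```python
"""Check the thread's 'XOR by 0x15' claim between two firmware images and
list the byte ranges that still differ afterwards (the candidate
language-specific sections). Added example; all data here is constructed."""
from collections import Counter
from typing import List, Optional, Tuple

XOR_KEY = 0x15  # hex 15, as the thread notes (decimal 15 gave a wrong result)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse: one function decodes and re-encodes."""
    return bytes(b ^ key for b in data)


def guess_xor_key(a: bytes, b: bytes) -> Optional[int]:
    """Most common a[i]^b[i]; a constant-XOR relation dominates even when a
    few language-specific bytes genuinely differ. None if no key covers >50%."""
    if not a or not b:
        return None
    key, count = Counter(x ^ y for x, y in zip(a, b)).most_common(1)[0]
    return key if count * 2 > min(len(a), len(b)) else None


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """[(start, end_exclusive), ...] of differing offsets, merged into runs."""
    n, i, ranges = min(len(a), len(b)), 0, []
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b):  # a length mismatch is a difference too
        ranges.append((n, max(len(a), len(b))))
    return ranges


def analyse(a: bytes, b: bytes) -> Tuple[Optional[int], List[Tuple[int, int]]]:
    """Guess the key, undo it on b, report what still differs from a."""
    key = guess_xor_key(a, b)
    return key, diff_ranges(a, b if key is None else xor_bytes(b, key))

# Constructed stand-ins for g6dsload.jp / g6dsload.gb: same 0x200-byte body,
# the second XOR'd with 0x15 and bytes 0x70..0x7B replaced (12 bytes).
JP_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(0x200))
_gb = bytearray(xor_bytes(JP_IMAGE))
_gb[0x70:0x7C] = b"CONSTRUCTED!"
GB_IMAGE = bytes(_gb)
```

Running `analyse(JP_IMAGE, GB_IMAGE)` on the constructed pair returns the key 0x15 and the single differing range 0x70-0x7C, which is the shape of result Styles420 describes for the real 1.34 files.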
