Mii research lab

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by Goombi, Mar 31, 2016.

  1. Goombi
    OP

    Goombi Meme crypto = my crypto

    Okay, here we go, I found a fix for the QR code export thing. That still has an online dependency (on PHP on my server though; anyone who wants to rehost it can PM me for the PHP files).

    Since some Mii research was freshly published, this thread will keep track of it.
    We still don't know what many bytes of a decrypted Mii do.
    The goal of this thread is understanding which bits define what on a Mii.

    - Resources -
    3dbrew
    Those pages are full of useful information:
    Mii
    Mii Maker

    Mii formats
    In decrypted state they are 0x60 bytes long, or 0x5c bytes long in CFL_DB.dat.
    The 4 bytes of difference are 2 null bytes and a 2-byte CRC16.
    Let's call those 0x60-byte-long files ".mii" files.

    In encrypted state they are 0x70 bytes long: simply the 0x60 decrypted bytes passed through APT:Wrap (AES-CCM adds 16 bytes of integrity checks).
    As those are encrypted, let's call them ".bin" files.

    Finally, the only stuff you could get without homebrew, QR codes. It's simply a .bin encoded in QR code format.

    Tools
    QR <-> .bin
    Webapp: editMii.
    You can open .bin or images and export them to .bin or image.
    You can also open .mii and re-export it in .mii right away, that will fix the CRC before downloading.
    .bin <-> .mii
    Homebrew: cipherMii Calls APT:Wrap on input.mii and APT:Unwrap on input.bin (input and output should be placed in the .3dsx folder)
    Extract CFL_DB.dat
    Homebrew: extdata_dump will do. config.txt is already set to dump CFL_DB.dat
    Real-time editing
    CFW: NTR (with NTR debugger or RAM explorer). Sorry for non CFW users, but the RAM viewing is one of the best tools we have.

    Research
    - I'm now sure that putting a wrong CRC16 at the end of a .mii doesn't do anything when scanned back in Mii Maker.
    - Also, editing the special Mii (gold pants) then ciphering the Mii produces an invalid Mii (CRC fixed or not). This probably means there is more to how the Mii data is moved when put inside a QR code.
    - The "CFOG" section of CFL_DB.dat is loaded in RAM at 0x14895a20. It is only written when saving. You can watch a Mii with RAM explorer, do a change + save, reopen and see if you can spot what changed.
    - If you edit the special bit in RAM with NTR then load the Mii for editing, it crashes the editor and reboots the console.

    What's to be done
    - Understand better the Mii <-> QR code conversion done by Mii Maker. That will probably need some REing.
    - Map each Mii variable to the bits in a .mii. The Mii page on 3dbrew contains all my findings about the order of those values in RAM and their possible value ranges.
    - Port the 3DS APT:Wrap and APT:Unwrap to PC. More testing than anything (and we have to get the 0x31 key. With Miitomo, which has to have it, we have 2 ways to get our hands on the key). That would greatly speed things up.

    Feel free to post any offset you found or tool you made that could help, I'll keep the OP up to date :) (but since I don't know anything about true REing, I'll need some help; if someone could tell me about an ARM disassembler that a noob in RE can use AND that does not cost two legs, that would be really nice).
     
    Last edited by Goombi, Apr 2, 2016


  2. that girl

    that girl Entrepreneur

    Uhm, at the time I posted this, editMii's link in the OP goes to the wrong URL…

    Clear your cache for homebrew.is-best.net webpages and try scanning this, if you can.
    Should load a one-time Special Mii that cannot be scanned again.
    [QR code images]

    If I can, it will be made re-usable later on.
    ----------------------------------
    To be more clear, it's one-use per 3DS.
     
    Last edited by that girl, Apr 1, 2016 - Reason: Clarifying.
  3. Ryccardo

    Ryccardo WiiUaboo

    Yep, that's my leading theory on CFHE.

    Or maybe it has to do with blocking Mii Plaza users through Maker (press left+x+y)...
     
    Last edited by Ryccardo, Apr 1, 2016
  4. that girl

    that girl Entrepreneur

    Can someone test this QR Code in Mii Maker?
    [QR code image]
    I'm pretty sure I did it right.
     
  5. Ryccardo

    Ryccardo WiiUaboo

    Not a Mii...

    Markiplier works, though: do you recognize this sequence in his code -- 01000000 14e433f7 e00c7f1f 2d010000?
     
    Last edited by Ryccardo, Apr 1, 2016
  6. that girl

    that girl Entrepreneur

    Hmm, should I?
    Is it important?
     
  7. Ryccardo

    Ryccardo WiiUaboo

    Maybe. It appeared in the save for Mii Maker itself (not CFL), so that could be the list of already scanned gold Miis (the suspicious middle section in CFL was untouched, btw)
     
  8. that girl

    that girl Entrepreneur

    Well, Markiplier was the only one I got to work.
    It's also the only one that went straight from .mii to QR.
    I have not been able to get a .mii file before, nor after, that attempt.
     
  9. Monty Kensicle

    Monty Kensicle Yay!

    How were you able to generate a .mii file? I know it's rather easy on Wii but I cannot find anything for 3DS.
     
  10. that girl

    that girl Entrepreneur

    I'm surprised you found anything on the Wii, then, seeing as the OP explains it.
     
  11. Monty Kensicle

    Monty Kensicle Yay!

    The six lines of code that make up each Mii in the dump don't seem to yield anything valid.
     
  12. Naked_Snake

    Naked_Snake Constant Miscreant

    You could try with this special mii
     


  13. Goombi
    OP

    Goombi Meme crypto = my crypto

    A QR code contains an encrypted Mii, you can't do anything with it.
    You have to decrypt it first with the homebrew I linked in the OP.
    Also be careful how you scan the QR code: many readers I found expect regular text in it and read it in an unwanted encoding, outputting sh*t.
    I suggest you use the editMii webapp (also in the OP).
     
  14. Naked_Snake

    Naked_Snake Constant Miscreant

    I'm a little confused: have we worked out how to make our own gold pants Mii into a QR code or not? I know @Huntereb has done it, but he never revealed his method as far as I know.
     
  15. Goombi
    OP

    Goombi Meme crypto = my crypto

    There is a problem when you encrypt a .mii with the gold pants bit set: the 3DS does not read the resulting QR code.
     
  16. Naked_Snake

    Naked_Snake Constant Miscreant

    I wonder if you could hack Miitomo to give your Mii gold pants.
     
  17. Goombi
    OP

    Goombi Meme crypto = my crypto

    No way unfortunately. Miitomo is a dumb graphical interface for a big webservice. Every single touch on your screen requires Internet access to process your request. Even Mii decryption is handled server side.
     
  18. that girl

    that girl Entrepreneur

    Besides, the Mii actually starts with default pants and shirt, regardless of what colour they are on the source mii.
    The scannable Markiplier code was a .mii your webapp allowed straight to QR code, but I haven't been able to do it since.
     
  19. Ryccardo

    Ryccardo WiiUaboo

    ...I don't know why I posted my (disputed) findings on position on grid and system ID in this topic instead of the PC editor's...

    Anyway, favorites: at 0x19 from the start of a Mii, the bit worth 0x40 marks a favorite (crown)!


    UPDATE on Personal Mii: I have successfully changed it through manual editing. I literally copied and pasted a(nother favorite) Mii (I created) to the first position of the file, while meanwhile swapping the original personal Mii to the original position of its to-be-successor, saved, recalculated CRC, saved, installed and... bam, it was changed!
     
    Last edited by Ryccardo, Apr 26, 2016 - Reason: We might have as well won!
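As an added example (not code from the thread, nor from editMii or cipherMii), here is a small Python parser for the 0x60-byte .mii layout the OP describes (0x5c-byte CFL_DB.dat record + 2 null bytes + CRC16) together with the crown bit at offset 0x19 / mask 0x40 from the post above. It assumes the CRC16 is CRC-16/XMODEM (poly 0x1021, init 0) stored big-endian, which this thread itself does not state.

```python
# Added example, not code from the thread, editMii or cipherMii. Layout from the OP:
# a decrypted .mii is 0x60 bytes; a CFL_DB.dat record is 0x5c bytes and lacks the
# final 2 null bytes + 2-byte CRC16. Crown bit (Ryccardo): offset 0x19, mask 0x40.
# ASSUMPTION (not stated on this page): the CRC is CRC-16/XMODEM (poly 0x1021,
# init 0, no reflection) over the first 0x5e bytes, stored big-endian at 0x5e.

MII_LEN = 0x60
CFL_REC_LEN = 0x5C
CRC_OFFSET = MII_LEN - 2
FAV_OFFSET = 0x19
FAV_MASK = 0x40

def crc16_xmodem(data: bytes) -> int:
    """Bitwise CRC-16/XMODEM; check value for b'123456789' is 0x31C3."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def fix_crc(mii: bytes) -> bytes:
    """Recompute the trailing CRC16 (what editMii does on a .mii re-export)."""
    if len(mii) != MII_LEN:
        raise ValueError(f"expected {MII_LEN:#x} bytes, got {len(mii):#x}")
    body = mii[:CRC_OFFSET]
    return body + crc16_xmodem(body).to_bytes(2, "big")

def crc_ok(mii: bytes) -> bool:
    return len(mii) == MII_LEN and fix_crc(mii) == mii

def cfl_record_to_mii(rec: bytes) -> bytes:
    """0x5c CFL_DB.dat record -> .mii: append 2 null bytes, then the CRC16."""
    if len(rec) != CFL_REC_LEN:
        raise ValueError(f"expected {CFL_REC_LEN:#x} bytes, got {len(rec):#x}")
    return fix_crc(rec + bytes(4))  # 2 null pad + 2 CRC placeholder bytes

def is_favorite(mii: bytes) -> bool:
    return bool(mii[FAV_OFFSET] & FAV_MASK)

def set_favorite(mii: bytes, fav: bool) -> bytes:
    """Set or clear the crown bit, then re-sign so the CRC stays valid."""
    buf = bytearray(mii)
    buf[FAV_OFFSET] = (buf[FAV_OFFSET] | FAV_MASK) if fav else (buf[FAV_OFFSET] & ~FAV_MASK & 0xFF)
    return fix_crc(bytes(buf))

# Constructed sample record (not a real Mii): a 0x5c-byte counting pattern.
SAMPLE_CFL_RECORD = bytes(range(CFL_REC_LEN))
```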
  20. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    How to dump a .bin or a .mii?