OK I've figured out the encryption sakura 1.34

Discussion in 'M3 Adapter' started by SeaofTea, Jan 18, 2009.

  1. SeaofTea (OP)
    I need someone that has run M3 Sakura 1.34 JAP successfully on their card to send me g6dsload.1 out of their /system dir. It seems the new encryption somehow inserts a block of code after you choose an option in the M3 Sakura start menu that corrupts the g6dsload.1 if it doesn't insert the correct block, and I need someone to send me their g6dsload.1 so I can see what the successful block is. Either way I think I'm going to quit for a while as I've been at it for about 10 hours now.
     


  2. Densetsu
  3. liipod
    Hi

    I've opened the g6dsload.1 with hexedit and found that there is a lot of text in French, English, and other languages... Any idea?

    EDIT: I think it's for "touchpod"...


    I've compared many versions of g6dsload.*; here are my "CRC" notes. I'm using XVI32.

    M3ENG: latest EU/US firmware "touchpod"
    M3JAP: latest JAP "touchpod"
    112JAP: 112+1 official
    112ENG: unofficial English translation
    134JAP: latest Sakura JAP

    g6dsload.1
    ----------

    M3ENG
    g6dsload.1 (4194304 Bytes)
    CRC32 (PKZIP) of file: 5F5B4D13
    CRC16 (Standard) of file: 5A6D

    M3JAP & 134JAP
    g6dsload.1 (4194304 Bytes)
    CRC32 (PKZIP) of file: 6FD0F895
    CRC16 (Standard) of file: C83E

    112JAP & 112ENG
    g6dsload.1 (4194304 Bytes)
    CRC32 (PKZIP) of file: 80FD3C8B
    CRC16 (Standard) of file: DC2D

    --------------------------------------------------------
    g6dsload.2
    ----------

    M3ENG & M3JAP & 134JAP
    g6dsload.2 (233 Bytes)
    CRC32 (PKZIP) of file: 2FF009B6
    CRC16 (Standard) of file: EA8C

    112ENG &112 JAP
    NOT USED

    --------------------------------------------------------
    g6dsload.eng
    ------------

    M3ENG
    g6dsload.eng (44032 Bytes)
    CRC32 (PKZIP) of file: EC556DFB
    CRC16 (Standard) of file: 982F

    M3JAP & 134JAP
    NOT USED

    112ENG
    g6dsload.eng (36864 Bytes)
    CRC32 (PKZIP) of file: 7DEA06E6
    CRC16 (Standard) of file: C0AB

    112JAP
    g6dsload.eng (536576 Bytes)
    CRC32 (PKZIP) of file: 9FFAE6FE
    CRC16 (Standard) of file: 665
    --------------------------------------------------------
    g6dsload.jp
    -----------

    M3ENG
    NOT USED

    M3JAP
    g6dsload.jp (37376 Bytes)
    CRC32 (PKZIP) of file: 4B6568FB
    CRC16 (Standard) of file: 8069

    134JAP
    g6dsload.jp (810496 Bytes)
    CRC32 (PKZIP) of file: 615D3FD2
    CRC16 (Standard) of file: 9BED

    112ENG
    g6dsload.jp (36864 Bytes)
    CRC32 (PKZIP) of file: 131E260A
    CRC16 (Standard) of file: BEA4

    112JAP
    g6dsload.jp (36864 Bytes)
    CRC32 (PKZIP) of file: 131E260A
    CRC16 (Standard) of file: BEA4

    Like SeaofTea, I think there's something in g6dsload.1.

    Hope it will help.

    EDIT2: From these checks we can conclude that the security in the 112+1 was in the g6dsload.eng, but there's no more g6dsload.eng in the 134JAP.


    Sorry For My English.
     
  4. Styles420
    I just did that comparison about 20 min. ago, didn't know what the significance of it was at the time... but at address 0x000000fe, the original is 'ff' and after successful execution it was changed to 'fe'

    (Thanks again, Densetsu, for the files)

    I think it's time to take a break again from staring at hex bytes, and set up the IRC you messaged me about. Keep an eye out for my PM once I have a username etc., then we can try to set up a time if we can gather everyone who is working on this.
     
  5. liipod
    I think the
    "ff" means that you still haven't chosen a default loader
    "fe" means that the default loader is Sakura.

    Please, Densetsu3000, try to change the default loader to "touchpod" and check if the g6dsload.1 changes again.

    If it changes, that means it's not the region lock, just the default firmware to load.
     
  6. Styles420
    Sounds reasonable... besides, at startup the card looks for a g6dsload.eng (or .gb or .jp based on region) - not sure if there's another, universal file that directs it that way yet, I think it's hard-coded into the chip. Still working on it, not much new to report.
     
  7. Densetsu
    I've uploaded the files you've requested here. It looks like it does change. I noticed that the CRCs are different.
     
  8. SeaofTea (OP)
    liipod is correct, the change in g6dsload.1 at 0fe from ff to fe is the setting for the default loader.

    0x000000fe: ff ff = Choice screen
    0x000000fe: fe ff = Sakura
    0x000000fe: fe fe = Touchpod

    I'm going to tell you what I know so far so maybe somebody else can play around with it also. In order to change the headers (0x00000000 - 0x000001ff) and therefore switch between the different M3 cards, one must do a bitwise XOR operation on all of the bytes in that block. Here's a breakdown of how to switch the g6dsload.jp executable file to the different cards.

    jap to US/EUR M3 15
    jap to chinese 24
    jap to US/EUR itouch 35

    Step by step example
    1. Open the g6dsload.jp in a hex editor of your choice, I prefer Hex Editor Neo.
    2. Select the hex block you want to change.
    3. For this example just select from 0x00 to 0x07

    0x00000000: 29 07 07 ed 23 f8 a9 56 ANSI )í#ø©V

    4. Perform a bitwise XOR operation of 15 hex on the block
    5. You should now be left with

    0x00000000: 3c 12 12 f8 36 ed bc 43 ANSI
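The header transform and the loader-flag byte pair from the post above, as an added example written for this thread; it is not SeaofTea's tool and not M3's code. It assumes, as the post states, that the header is the first 0x200 bytes and that the loader flag is the byte pair at 0xfe; the key names (`jap->us_eur_m3` etc.) and the sample file are constructed here. `recover_key` is the check a reviewer would want: if two headers differ by one constant, a single XOR of the two files gives the key back, which is why a constant XOR over a block is obfuscation rather than encryption, and why liipod's CRC comparison could spot it.

```python
# Added example (not the thread's or M3's code): header XOR transform and
# default-loader flag decoder for the g6dsload.* layout described above.
# Assumptions: header = first 0x200 bytes, loader flag = byte pair at 0xfe,
# keys = the single bytes quoted in the thread. The sample file is constructed.
from typing import Dict, Optional, Tuple

HEADER_SIZE = 0x200            # thread: header is 0x00000000 - 0x000001ff
LOADER_FLAG_OFFSET = 0xFE      # thread: byte pair at 0x000000fe

# Single-byte XOR keys quoted in the thread (names are ours). XOR with a
# constant is an involution, so the same key converts back again.
CARD_KEYS: Dict[str, int] = {
    "jap->us_eur_m3": 0x15,
    "jap->chinese": 0x24,
    "jap->us_eur_itouch": 0x35,
    "eng->gb_asian": 0x31,
}

# Default-loader byte pair at 0xfe, as listed in the thread.
LOADER_FLAGS: Dict[Tuple[int, int], str] = {
    (0xFF, 0xFF): "choice screen",
    (0xFE, 0xFF): "Sakura",
    (0xFE, 0xFE): "Touchpod",
}


def xor_header(data: bytes, key: int) -> bytes:
    """XOR every byte of the 0x200-byte header with one key byte; the body is left alone."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    head = bytes(b ^ key for b in data[:HEADER_SIZE])
    return head + data[HEADER_SIZE:]


def loader_setting(data: bytes) -> str:
    """Decode the byte pair at 0xfe into the loader name from the thread's table."""
    pair = (data[LOADER_FLAG_OFFSET], data[LOADER_FLAG_OFFSET + 1])
    return LOADER_FLAGS.get(pair, "unknown %02x %02x" % pair)


def set_loader(data: bytes, name: str) -> bytes:
    """Return a copy with the 0xfe pair set for the named loader."""
    for pair, label in LOADER_FLAGS.items():
        if label == name:
            out = bytearray(data)
            out[LOADER_FLAG_OFFSET:LOADER_FLAG_OFFSET + 2] = bytes(pair)
            return bytes(out)
    raise KeyError(name)


def recover_key(original: bytes, transformed: bytes) -> Optional[int]:
    """If the two headers differ by one constant XOR byte, return it, else None.
    That this works at all is the point: a constant XOR hides nothing from a diff."""
    keys = {a ^ b for a, b in zip(original[:HEADER_SIZE], transformed[:HEADER_SIZE])}
    return keys.pop() if len(keys) == 1 else None


def constructed_sample() -> bytes:
    """Constructed stand-in for g6dsload.jp: the first eight header bytes from the
    thread's worked example, loader flag 'choice screen', zeros elsewhere, dummy body."""
    head = bytearray(HEADER_SIZE)
    head[:8] = bytes.fromhex("290707ed23f8a956")
    head[LOADER_FLAG_OFFSET:LOADER_FLAG_OFFSET + 2] = b"\xff\xff"
    return bytes(head) + b"\x11" * 16


if __name__ == "__main__":
    jap = constructed_sample()
    us = xor_header(jap, CARD_KEYS["jap->us_eur_m3"])
    print("first 8 header bytes:", us[:8].hex(" "))     # 3c 12 12 f8 36 ed bc 43
    print("recovered key: 0x%02x" % recover_key(jap, us))
    print("loader:", loader_setting(set_loader(jap, "Sakura")))
```

Running it reproduces the thread's test vector (29 07 07 ed 23 f8 a9 56 becomes 3c 12 12 f8 36 ed bc 43 under key 0x15) and shows the key falling straight out of `recover_key`.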
     
  9. Beige
    Wait, you did it? Wow. Seems like all is going well. I'll have to get set up later, this is looking good.
    PS: M3, if you are reading this and frowning at us, deal. If you are smiling, yay.
     
  10. Styles420
    Awesome! Finally, something that actually feels like progress! I'll check your findings, and see if anything else pops out at me. Seems like every time I take a nap, you guys figure more out without me, lol. Maybe I'll just hibernate for a week (j/k)

    Anything I find will be edited into this post, so for those following along, check back here in, say, a year or three (again, kidding... don't know how long it will be though)

    [UPDATES SO FAR]

    Confirmed SeaofTea's observation about g6dsload.1 (fe ff = Sakura setting, fe fe = Touchpod)

    Also confirmed the XOR trick on the headers - also appears to work on regular touchpod files (not fully tested yet)
    To add to the list of conversions, Eng to GB(Asian) = XOR 0x31
    These conversions work both ways, of course, i.e. XORing jp files by 15 twice in a row will restore them to original (Any decent programmer should already know that, but for those of you who are experimenting, thought that might help)

    File comparisons (work in progress):
    homebrew.eng is identical between the Asian Sakura and Asian touchpod, yet different from the english touchpod - further analysis is needed

    While comparing menu.jp between 1.34 and 1.12 (unhacked) Sakura, I've noticed a number of places where the order of 8 bytes has been reversed - swapping the first 4 bytes with the second 4
    i.e. 11 22 33 44 55 66 77 88 becomes 55 66 77 88 11 22 33 44

    @SeaofTea - I checked out those Robert codes and noticed more to the pattern. In the original files, each line starts with:

    08 40 2d e9 xx xx a0 e3

    The modified files have a similar pattern:

    a4 xx a0 e3

    (I used 'xx' in place of bits that aren't pertinent, although they are all the same in the modified files, they vary in the originals)

    Instead of 8 parts, there now appear to be 11 in startnds.jp that match this pattern

    So it looks like the xx xx part might be important, some sort of address maybe, while the 08 40 2d e9 might be the region code... though why our region code would be one byte compared to their 4 bytes, I can't begin to guess. I'm still studying the differences. Going to try something soon, updates to follow

    Also, the ROBERT part seems to be unimportant, maybe it's detected as text somewhere in the code - And I'm guessing that iamnobody's real name might be Robert
    The four bytes preceding 'ROBERT' seem to go with this, as they aren't all the same in the original, though they are in the modified version. Perhaps they are formatting codes?
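The two kinds of byte-level comparison Styles420 describes above (a fixed pattern with "xx" wildcard bytes, and 8-byte spans whose 4-byte halves are swapped between builds) as an added example; it is not a tool from the thread and the two sample buffers are constructed, with the patterns treated as opaque bytes rather than interpreted. `differing_ranges` goes a step beyond the post: it reports every changed region between two equal-length files, which is the first pass before pattern hunting.

```python
# Added example (not the thread's tool, not M3 code): byte-level diff helpers
# for the menu.*/startnds.* observations above. Inputs are constructed.
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]


def parse_pattern(text: str) -> Pattern:
    """'08 40 2d e9 xx xx a0 e3' -> fixed bytes, with None for each 'xx' wildcard."""
    return [None if tok.lower() in ("xx", "??") else int(tok, 16) for tok in text.split()]


def find_pattern(data: bytes, pattern: Pattern) -> List[Tuple[int, bytes]]:
    """Every offset where the fixed bytes match, paired with the bytes under the wildcards."""
    n = len(pattern)
    hits = []
    for i in range(len(data) - n + 1):
        window = data[i:i + n]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append((i, bytes(b for p, b in zip(pattern, window) if p is None)))
    return hits


def swapped_halves(a: bytes, b: bytes, align: int = 4) -> List[int]:
    """Offsets (stepping by `align`) where b's 8 bytes are a's two 4-byte halves swapped."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    hits = []
    for i in range(0, len(a) - 7, align):
        lo, hi = a[i:i + 4], a[i + 4:i + 8]
        if lo != hi and b[i:i + 8] == hi + lo:
            hits.append(i)
    return hits


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) ranges where two equal-length files differ."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    ranges = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


# Constructed stand-ins: an "original" with two instances of the 8-byte
# pattern from the post and the 11 22 .. 88 span, and a "modified" build
# where the pattern is shortened to 'a4 xx a0 e3' and the span's halves swap.
ORIGINAL = (
    bytes(8)
    + bytes.fromhex("08402de91234a0e3")
    + bytes.fromhex("1122334455667788")
    + bytes.fromhex("08402de9abcda0e3")
    + b"\xee" * 8
)
MODIFIED = (
    bytes(8)
    + bytes.fromhex("a412a0e3a434a0e3")
    + bytes.fromhex("5566778811223344")
    + bytes.fromhex("a4aba0e3a4cda0e3")
    + b"\xee" * 8
)

if __name__ == "__main__":
    for off, wild in find_pattern(ORIGINAL, parse_pattern("08 40 2d e9 xx xx a0 e3")):
        print("original pattern at 0x%04x, xx xx = %s" % (off, wild.hex(" ")))
    for off, wild in find_pattern(MODIFIED, parse_pattern("a4 xx a0 e3")):
        print("modified pattern at 0x%04x, xx = %s" % (off, wild.hex()))
    print("swapped halves at:", [hex(o) for o in swapped_halves(ORIGINAL, MODIFIED)])
    print("changed ranges:", differing_ranges(ORIGINAL, MODIFIED))
```

On real files, run `differing_ranges` first and then `find_pattern` only inside the changed ranges; that keeps wildcard matches on unchanged code from cluttering the output.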
     
  11. mc_B3oWoLF
    Mates, you're doing much better than me =)))
    That's why I didn't post any news lately)))
    I had to wait for any clues from you as my ideas all went wrong and proved to be false))
    Also I've had little time to sit an' think about this problem((

    Thank you for the clues you gave here))) They're very informative & useful)))
    By the way, about that 'ROBERT' code:
    You know, these files must be of a definite size (it's a fact), so, as the 'hack' needed much less text,
    the files would become shorter, and the system would give an error
    (it's a guess, that can be checked by deleting all the 'Robert's from one file and turning on the system))).

    Unfortunately, I've got no time to use all your clues right now, but I'll use them a bit later & if I get some results, I'll post them in this topic ;-)
    Thanks again!)
     
  12. illithid
    Just for reference to you all, M3 Team have updated their download page with 2nd version of their Japanese firmware.
    Anyway, great job guys...
     
  13. Styles420
    Awesome, thanks for the heads up.

    Here's my update - I noticed that the Asian version of Sakura already has most of the .eng files (probably still region locked, but may have at least a half-acceptable english translation)

    Successfully XORed the header of g6dsloader.gb, saved it as a .eng, and it booted! But, as SeaofTea noticed with the jp version, upon selecting Sakura as my default loader, I was presented with black screens... but I think we're close now, going to keep looking for the region lock in other parts of the loader, and in other files... more updates to come

    CORRECTION It looks like I was a little hasty, the Asian Sakura has homebrew.eng but not the others... still, it might provide something useful...

    I need to take a break, been at it all night now and the hex digits are starting to show up in places they shouldn't... like my TV...

    So far, no luck - created the missing .eng files from the .gb files, XORing headers as necessary... still looking for the region lock though, can't determine what's going on from black screens... just had another idea though...

    New Idea! So far it looks like the Korean files are fairly similar to the English files in the touchpod software, and since Korean exists in both the English and Asian releases... maybe those are the files we should try to modify in Sakura, Asian release... then we'll need to figure out a translation for Korean - but if it gets the system booting on English cards, it might be worth the trouble.
     
  14. dfgged
    This is so cool. I was wondering if you could also hack this for iTouch; if so, you guys are the best, if not, thanks if you tried.
     
  15. liipod
    Thanks Densetsu3000 for the multiple tests (I have a little trouble with my internet connection), and you guys for sharing.

    I haven't worked tonight, but I think the job is finished with g6dsload.jp/.gb; it's time to look in the other parts.
     
  16. Styles420
    I think I agree with you - I'm starting with menu.* since it sounds like the next file to be loaded... startnds and startgba appeared to be nearly identical between the Asian and Japanese versions, so I think those files are less likely to have what we're looking for (doesn't mean I won't look, but they're lower on the priority list for now)
     
  17. Densetsu
    I'm downloading Sakura 1.34 2nd edition right now, but handheldsources.com is taking forever (an abysmal 7.23KB/sec) and linfoxdomain.com doesn't have the file up for some reason. The file is there, but when I download and open it, it's the wrong file. He must've made a mistake in naming the file or something. I couldn't find the Japanese version on gbalpha.cn (or maybe it's there, but I just can't read Chinese to navigate the page to the version I want). If anyone knows of another mirror for the Japanese version, I'll check it for homebrew compatibility and other changes.

    You guys are full of AWESOME. I only wish I knew how to do what you guys are doing. Seeing as how the only unique contribution I have is my "ability" to boot the firmware, if anyone wants me to run some tests, just let me know.
     
  18. mhkwong

    Here... this is the link to Sakura 1.34 2nd edition

    http://www.gbalpha.cn/China/GBalpha_Downlo...amp;SoftID=2916


    EDIT:
    The link above doesn't work. gbalpha doesn't like people hotlinking their downloads. Here is the page where you can find it.
    http://www.gbalpha.cn/China/GBalpha_Downlo...asp?SoftID=2916

    EDIT 2:
    OK, got rid of the hotlink thing. Here is the direct download link.
    http://down.gbalpha.com/GBalpha/Softwares/M3SAKURA_A03.zip
     
  19. Densetsu
  20. mhkwong
    Updated the links.
    I noticed it didn't work after I posted it, but it works now... it's faster, I think.
     
