Hacking OK I've figured out the encryption sakura 1.34

SeaofTea

OP
I need someone that has run M3 Sakura 1.34 JAP successfully on their card to send me g6dsload.1 out of their /system dir. It seems the new encryption somehow inserts a block of code after you choose an option in the M3 Sakura start menu that corrupts the g6dsload.1 if it doesn't insert the correct block, and I need someone to send me their g6dsload.1 so I can see what the successful block is. Either way, I think I'm going to quit for a while, as I've been at it for about 10 hours now.
 

liipod

Hi

I've opened the g6dsload.1 with hexedit and found that there is a lot of text in French, English, and other languages... Any idea?

EDIT: I think it's for "touchpod"...


I've compared many versions of g6dsload.*; here are my CRC notes. I'm using XVI32.

M3ENG: latest firmware EU/US "touchpod"
M3JAP: latest JAP "touchpod"
112JAP: 112+1 official
112ENG: unofficial English translation
134JAP: latest Sakura JAP

g6dsload.1
----------

M3ENG
g6dsload.1 (4194304 Bytes)
CRC32 (PKZIP) of file: 5F5B4D13
CRC16 (Standard) of file: 5A6D

M3JAP & 134JAP
g6dsload.1 (4194304 Bytes)
CRC32 (PKZIP) of file: 6FD0F895
CRC16 (Standard) of file: C83E

112JAP & 112ENG
g6dsload.1 (4194304 Bytes)
CRC32 (PKZIP) of file: 80FD3C8B
CRC16 (Standard) of file: DC2D

--------------------------------------------------------
g6dsload.2
----------

M3ENG & M3JAP & 134JAP
g6dsload.2 (233 Bytes)
CRC32 (PKZIP) of file: 2FF009B6
CRC16 (Standard) of file: EA8C

112ENG & 112JAP
NOT USED

--------------------------------------------------------
g6dsload.eng
------------

M3ENG
g6dsload.eng (44032 Bytes)
CRC32 (PKZIP) of file: EC556DFB
CRC16 (Standard) of file: 982F

M3JAP & 134JAP
NOT USED

112ENG
g6dsload.eng (36864 Bytes)
CRC32 (PKZIP) of file: 7DEA06E6
CRC16 (Standard) of file: C0AB

112JAP
g6dsload.eng (536576 Bytes)
CRC32 (PKZIP) of file: 9FFAE6FE
CRC16 (Standard) of file: 665
--------------------------------------------------------
g6dsload.jp
-----------

M3ENG
NOT USED

M3JAP
g6dsload.jp (37376 Bytes)
CRC32 (PKZIP) of file: 4B6568FB
CRC16 (Standard) of file: 8069

134JAP
g6dsload.jp (810496 Bytes)
CRC32 (PKZIP) of file: 615D3FD2
CRC16 (Standard) of file: 9BED

112ENG
g6dsload.jp (36864 Bytes)
CRC32 (PKZIP) of file: 131E260A
CRC16 (Standard) of file: BEA4

112JAP
g6dsload.jp (36864 Bytes)
CRC32 (PKZIP) of file: 131E260A
CRC16 (Standard) of file: BEA4

Like SeaofTea, I think there's something in g6dsload.1

Hope it will help.

EDIT2: From these checks we can conclude that the security in the 112+1 was in the g6dsload.eng, but there's no more g6dsload.eng in the 134JAP


Sorry For My English.
 

Styles420

I just did that comparison about 20 min. ago, didn't know what the significance of it was at the time... but at address 0x000000fe, the original is 'ff' and after successful execution it was changed to 'fe'

(Thanks again, Densetsu, for the files)

I think it's time to take a break again from staring at hex bytes, and set up the IRC you messaged me about. Keep an eye out for my PM once I have a username etc., then we can try to set up a time if we can gather everyone who is working on this.
 

liipod

I think the
"ff" means that you still haven't chosen a default loader
"fe" means that the default loader is Sakura.

Please, Densetsu3000, try to change the default loader to "touchpod" and check if the g6dsload.1 changes again.

If it changes, that means that it's not the region lock, just the default firmware to load.
 

Styles420

Sounds reasonable... besides, at start-up the card looks for a g6dsload.eng (or .gb or .jp based on region). Not sure if there's another, universal file that directs it that way yet; I think it's hard-coded into the chip. Still working on it, not much new to report.
 

Densetsu

liipod said:
Please, Densetsu3000, try to change the default loader to "touchpod" and check if the g6dsload.1 changes again.

If it changes, that means that it's not the region lock, just the default firmware to load.
I've uploaded the files you've requested here. It looks like it does change. I noticed that the CRCs are different.
 

SeaofTea

liipod is correct: the change in g6dsload.1 at 0xfe from ff to fe is the setting for the default loader.

0x000000fe: ff ff = Choice screen
0x000000fe: fe ff = Sakura
0x000000fe: fe fe = Touchpod

I'm going to tell you what I know so far so maybe somebody else can play around with it also. In order to change the headers (0x00000000 - 0x000001ff) and therefore switch between the different M3 cards, one must do a bitwise XOR operation on all of the bytes in that block. Here's a breakdown of how to switch the g6dsload.jp executable file to the different cards.

jap to US/EUR M3 15
jap to chinese 24
jap to US/EUR itouch 35

Step by step example
1. Open the g6dsload.jp in a hex editor of your choice, I prefer Hex Editor Neo.
2. Select the hex block you want to change.
3. For this example just select from 0x00 to 0x07

0x00000000: 29 07 07 ed 23 f8 a9 56 ANSI )í#ø©V

4. Perform a bitwise XOR operation with 15 hex on the block
5. You should now be left with

0x00000000: 3c 12 12 f8 36 ed bc 43 ANSI
 

Beige

Wait, you did it? Wow. Seems like all is going well. I'll have to get set up later, this is looking good.
PS: M3, if you are reading this and frowning at us, deal. If you are smiling, yay.
 

Styles420

Awesome! Finally, something that actually feels like progress! I'll check your findings, and see if anything else pops out at me. Seems like every time I take a nap, you guys figure more out without me, lol. Maybe I'll just hibernate for a week (j/k)

Anything I find will be edited into this post, so for those following along, check back here in, say, a year or three (again, kidding... don't know how long it will be though)

[UPDATES SO FAR]

Confirmed SeaofTea's observation about g6dsload.1 (fe ff = Sakura setting, fe fe = Touchpod)

Also confirmed the XOR trick on the headers - also appears to work on regular touchpod files (not fully tested yet)
To add to the list of conversions, Eng to GB(Asian) = XOR 0x31
These conversions work both ways, of course, i.e. XORing jp files by 15 twice in a row will restore them to original (Any decent programmer should already know that, but for those of you who are experimenting, thought that might help)

File comparisons (work in progress):
homebrew.eng is identical between the Asian Sakura and Asian touchpod, yet different from the english touchpod - further analysis is needed

While comparing menu.jp between 1.34 and 1.12 (unhacked) Sakura, I've noticed a number of places where the order of 8 bytes has been reversed - swapping the first 4 bytes with the second 4
i.e. 11 22 33 44 55 66 77 88 becomes 55 66 77 88 11 22 33 44

@SeaofTea - I checked out those Robert codes and noticed more to the pattern. In the original files, each line starts with:

08 40 2d e9 xx xx a0 e3

The modified files have a similar pattern:

a4 xx a0 e3

(I used 'xx' in place of bits that aren't pertinent, although they are all the same in the modified files, they vary in the originals)

Instead of 8 parts, there now appear to be 11 in startnds.jp that match this pattern

So it looks like the xx xx part might be important, some sort of address maybe, while the 08 40 2d e9 might be the region code... though why our region code would be one byte compared to their 4 bytes, I can't begin to guess. I'm still studying the differences. Going to try something soon, updates to follow

Also, the ROBERT part seems to be unimportant, maybe it's detected as text somewhere in the code - And I'm guessing that iamnobody's real name might be Robert

The four bytes preceding 'ROBERT' seem to go with this, as they aren't all the same in the original, though they are in the modified version. Perhaps they are formatting codes?
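The header-XOR steps from SeaofTea's post, the 0x31 composition and 0xfe loader bytes confirmed above, and the ROBERT stub, worked through as an added example (editor's code, not posted by anyone in the thread); the variant labels used as dictionary keys and the sample input are my own.

```python
"""Header XOR conversion, the g6dsload.1 loader bytes, and the 'ROBERT' stub.

Editor's example, not code posted in the thread. Facts from the posts: header =
bytes 0x000-0x1ff; keys relative to the Japanese files are 0x15 (US/EUR M3),
0x24 (Chinese/GB), 0x35 (iTouch). Variant names used as dict keys are my own.
"""
HEADER_LEN = 0x200

# XOR key that turns a Japanese (jp) header into each other variant.
KEY_FROM_JP = {"jp": 0x00, "eng": 0x15, "gb": 0x24, "itouch": 0x35}

# Meaning of the two bytes at 0xfe in g6dsload.1, per SeaofTea's table.
LOADER_SETTING = {b"\xff\xff": "choice screen", b"\xfe\xff": "Sakura", b"\xfe\xfe": "Touchpod"}

# The stub quoted by mc_B3oWoLF: a4 00 a0 e3 1e ff 2f e1 "ROBERT". As little-endian
# ARM words these are e3a000a4 (mov r0, #0xa4) and e12fff1e (bx lr): each patched
# routine now simply returns 0xa4; "ROBERT" fills the rest (his guess: to keep the size).
ROBERT_STUB = bytes.fromhex("a400a0e31eff2fe1") + b"ROBERT"


def conversion_key(src: str, dst: str) -> int:
    """Keys compose by XOR: eng->gb is 0x15 ^ 0x24 = 0x31, matching Styles420's value."""
    return KEY_FROM_JP[src] ^ KEY_FROM_JP[dst]


def convert_header(data: bytes, src: str, dst: str) -> bytes:
    """XOR only the 512-byte header; converting back with dst->src restores the file."""
    key = conversion_key(src, dst)
    return bytes(b ^ key for b in data[:HEADER_LEN]) + data[HEADER_LEN:]


def default_loader(g6dsload_1: bytes) -> str:
    """Decode the default-loader setting stored at offset 0xfe of g6dsload.1."""
    return LOADER_SETTING.get(bytes(g6dsload_1[0xfe:0x100]), "unknown")


def find_robert_stubs(data: bytes) -> list:
    """Offsets of every 'return 0xa4' stub, to count how many routines were patched out."""
    offsets, pos = [], data.find(ROBERT_STUB)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ROBERT_STUB, pos + 1)
    return offsets


if __name__ == "__main__":
    # Constructed input: the eight header bytes from SeaofTea's example, zero-padded.
    sample = bytes.fromhex("290707ed23f8a956").ljust(HEADER_LEN, b"\0") + b"body"
    print(convert_header(sample, "jp", "eng")[:8].hex())  # 3c1212f836edbc43
```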
 

mc_B3oWoLF

SeaofTea said:
I'm going to tell you what I know so far so maybe somebody else can play around with it also.

These blocks are all replaced with the same thing.
a4 00 a0 e3 1e ff 2f e1 52 4f 42 45 52 54 ....../.ROBERT
QUOTE(Styles420 @ Jan 19 2009, 08:50 AM) I checked out those Robert codes and noticed more to the pattern. In the original files, each line starts with...

Mates, you're doing much better than me =)))
That's why I didn't post any news lately)))
I had to wait for any clues from you, as my ideas all went wrong and proved to be false))
Also I've had little time to sit an' think about this problem((

Thank you for the clues you gave here))) They're very informative & useful)))
By the way, about that 'ROBERT' code:
You know, these files must be of definite size (It's a fact), so, as the 'hack' needed much less text,
the files would become shorter, and the system would give up an error
(It's a guess, that can be checked by deleting all the 'Robert's from one file and turning on the system))).

Unfortunately, I've got no time to use all your clues right now, but I'll use them a bit later, and if I get some results, I'll post them in this topic ;-)
Thanks again!)
 

illithid

Just for reference to you all, M3 Team have updated their download page with the 2nd version of their Japanese firmware.
Anyway, great job guys...
 

Styles420

Awesome, thanks for the heads up.

Here's my update - I noticed that the Asian version of Sakura already has most of the .eng files (probably still region locked, but may have at least a half-acceptable english translation)

Successfully XORed the header of g6dsload.gb, saved it as a .eng, and it booted! But, as SeaofTea noticed with the jp version, upon selecting Sakura as my default loader, I was presented with black screens... but I think we're close now, going to keep looking for the region lock in other parts of the loader, and in other files... more updates to come

CORRECTION It looks like I was a little hasty, the Asian Sakura has homebrew.eng but not the others... still, it might provide something useful...

I need to take a break, been at it all night now and the hex digits are starting to show up in places they shouldn't... like my TV...


So far, no luck - created the missing .eng files from the .gb files, XORing headers as necessary... still looking for the region lock though, can't determine what's going on from black screens... just had another idea though...

New Idea! So far it looks like the Korean files are fairly similar to the English files in the touchpod software, and since Korean exists in both the English and Asian releases... maybe those are the files we should try to modify in Sakura, Asian release... then we'll need to figure out a translation for Korean - but if it gets the system booting on English cards, it might be worth the trouble.
 

liipod

Thanks, Densetsu3000, for the multiple tests ("I have little troubles with my internet connection"), and you guys for sharing.

I haven't worked this night, but I think the job is finished with g6dsload.jp/.gb; it's time to look in the other parts.
 

Styles420

dfgged said:
This is so cool. I was wondering if you could also hack this for iTouch, if so you guys are the best,if not thanks if you tried.

Look up at SeaofTea's last post, it sounds like he found at least part of the puzzle for iTouch - since he has one, I'm sure he'll be testing it out whenever we manage to unlock everything.

QUOTE(liipod @ Jan 19 2009, 11:01 AM) Thanks, Densetsu3000, for the multiple tests ("I have little troubles with my internet connection"), and you guys for sharing.

I haven't worked this night, but I think the job is finished with g6dsload.jp/.gb; it's time to look in the other parts.

I think I agree with you - I'm starting with menu.* since it sounds like the next file to be loaded... startnds and startgba appeared to be nearly identical between the Asian and Japanese versions, so I think those files are less likely to have what we're looking for (doesn't mean I won't look, but they're lower on the priority list for now)
 

Densetsu

I'm downloading Sakura 1.34 2nd edition right now, but handheldsources.com is taking forever (an abysmal 7.23KB/sec) and linfoxdomain.com doesn't have the file up for some reason. The file is there, but when I download and open it, it's the wrong file. He must've made a mistake in naming the file or something. I couldn't find the Japanese version on gbalpha.cn (or maybe it's there, but I just can't read Chinese to navigate the page to the version I want). If anyone knows of another mirror for the Japanese version, I'll check it for homebrew compatibility and other changes.

You guys are full of AWESOME. I only wish I knew how to do what you guys are doing. Seeing as how the only unique contribution I have is my "ability" to boot the firmware, if anyone wants me to run some tests, just let me know.
 

mhkwong

Densetsu3000 said:
I'm downloading Sakura 1.34 2nd edition right now, but handheldsources.com is taking forever (an abysmal 7.23KB/sec) and linfoxdomain.com doesn't have the file up for some reason. The file is there, but when I download and open it, it's the wrong file. He must've made a mistake in naming the file or something. I couldn't find the Japanese version on gbalpha.cn (or maybe it's there, but I just can't read Chinese to navigate the page to the version I want). If anyone knows of another mirror for the Japanese version, I'll check it for homebrew compatibility and other changes.

You guys are full of AWESOME. I only wish I knew how to do what you guys are doing. Seeing as how the only unique contribution I have is my "ability" to boot the firmware, if anyone wants me to run some tests, just let me know.


Here... this is the link to Sakura 1.34 2nd edition

http://www.gbalpha.cn/China/GBalpha_Downlo...amp;SoftID=2916


EDIT:
The link above doesn't work. gbalpha doesn't like people hot-linking their downloads. Here is the page where you can find it.
http://www.gbalpha.cn/China/GBalpha_Downlo...asp?SoftID=2916

EDIT 2:
OK, got rid of the hotlink thing. Here is the direct download link.
http://down.gbalpha.com/GBalpha/Softwares/M3SAKURA_A03.zip
 
