OK I've figured out the encryption sakura 1.34

Styles420

Well-Known Member
Member
Joined
Dec 27, 2008
Messages
248
Trophies
0
Age
40
Location
Denver, Colorado
XP
173
Country
United States
New discovery - the section containing ROBERT codes from startnds.ext (1.12) doesn't exist in 1.34 startnds.jp - it must have been moved... I'm guessing that when I check startgba, I will find the same, so now I need to find out where these files were moved to... Wish me luck!
 

Styles420
Just noticed something in the headers of some of the JP files - startnds and startgba both contain DSBooter in their headers. Menu, minigame and homebrew, when XORed by 0x07, also have DSBooter in the same location. So it seems that some headers are XOR encrypted, while some aren't, or only partially so. The pattern I've noticed is that JP files have a lot of 07's in them where Eng files would have 12's - it seems that this is the regional encoding built into the cards. I'm not positive yet since I still haven't made it past the OS selection, but my guess is that, for example, the JP cards XOR headers by 07, thereby leaving 00's in place of the 07's. So the Eng cards would use 12, and Asian cards would use 23.

So I'm off to try something new with the headers - converting all of them using this new information, to see if it gets me anywhere new.
 

SeaofTea

Member
OP
Newcomer
Joined
Jun 16, 2007
Messages
22
Trophies
0
XP
53
Country
United States
Styles420 said:
Just noticed something in the headers of some of the JP files - startnds and startgba both contain DSBooter in their headers. Menu, minigame and homebrew, when XORed by 0x07, also have DSBooter in the same location. So it seems that some headers are XOR encrypted, while some aren't, or only partially so. The pattern I've noticed is that JP files have a lot of 07's in them where Eng files would have 12's - it seems that this is the regional encoding built into the cards. I'm not positive yet since I still haven't made it past the OS selection, but my guess is that, for example, the JP cards XOR headers by 07, thereby leaving 00's in place of the 07's. So the Eng cards would use 12, and Asian cards would use 23.

So I'm off to try something new with the headers - converting all of them using this new information, to see if it gets me anywhere new.


sorry I should have explained that also, I believe it has something to do with the way the information passes through the physical card itself. To decode any of the headers do bitwise XOR with the number you believe is meant to be 0, so if you wish to decode the jp header just XOR with 07 and you get a decoded header.

also the DSbooter stuff is just a flashme/passme code.

I've been playing around with how much region information is needed to load g6dsload.jp/eng and this is what I've found:

0x00-0xc4
0xd4-0x1ff

DO NOT need to be encoded to boot

That's as far as I got before my microsd card reader died. But I believe that it may only be like 8 bytes that need to be encoded with region information, possibly 0xcc - 0xd3. If we can find what information is needed then we can search the rest of the files for checks on that information and correct/remove them.
 
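The single-byte XOR decoding SeaofTea describes, written out as an added example (this is not code from the thread or from the M3 firmware). It assumes the first 0x200 bytes of each file are XORed with one region byte, that the decoded header is mostly 0x00 so the most common encoded byte is the key, and that a marker such as "DSBooter" sits at a fixed offset that can be used as a known-plaintext check. MARKER_OFFSET and the sample header are assumptions constructed for the demonstration, not values read from the real files.

```python
"""Single-byte XOR header decoding: recover the region byte, then decode.

Added example, not from the thread or the firmware. Assumptions:
  * bytes 0x00-0x1ff are XORed with one key (thread's guess: 0x07 JP,
    0x12 ENG, 0x23 Asian);
  * the decoded header is sparse, so the most common encoded byte == key;
  * a known marker (b"DSBooter") sits at MARKER_OFFSET, an assumed offset.
The sample header built by build_sample() is constructed, not a real file.
"""
from collections import Counter
from typing import Optional, Tuple

HEADER_LEN = 0x200      # 0x00-0x1ff, the span the thread treats as the header
MARKER = b"DSBooter"
MARKER_OFFSET = 0x0C    # assumed offset of the marker inside the header


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def key_from_frequency(header: bytes) -> int:
    """Most common byte of a sparse header is an encoded 0x00, i.e. the key."""
    return Counter(header).most_common(1)[0][0]


def key_from_marker(header: bytes, marker: bytes = MARKER,
                    offset: int = MARKER_OFFSET) -> Optional[int]:
    """Known-plaintext check: every byte of the window must XOR to the same
    key; otherwise the marker is not there (or not at that offset) -> None."""
    window = header[offset:offset + len(marker)]
    if len(window) != len(marker):
        return None
    keys = {c ^ p for c, p in zip(window, marker)}
    return keys.pop() if len(keys) == 1 else None


def decode_header(data: bytes) -> Tuple[int, bytes]:
    """Return (key, decoded header). Prefer the marker-derived key and fall
    back to the frequency heuristic when no marker is found."""
    header = data[:HEADER_LEN]
    key = key_from_marker(header)
    if key is None:
        key = key_from_frequency(header)
    return key, xor_bytes(header, key)


def build_sample(key: int, with_marker: bool = True) -> bytes:
    """Constructed sample: sparse 0x200-byte header with a few made-up
    fields, optionally the marker, all XORed with `key`."""
    plain = bytearray(HEADER_LEN)
    plain[0:4] = b"\x00\x20\x00\x00"              # made-up field
    plain[0xCC:0xD4] = bytes(range(0xA0, 0xA8))   # the suspected 0xcc-0xd3 span
    if with_marker:
        plain[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    return xor_bytes(bytes(plain), key)


if __name__ == "__main__":
    for region, key in (("jp", 0x07), ("eng", 0x12), ("asia", 0x23)):
        guessed, plain = decode_header(build_sample(key))
        print(f"{region}: key 0x{guessed:02x}, "
              f"window {plain[MARKER_OFFSET:MARKER_OFFSET + 8]!r}")
```

To use it on a real file, replace build_sample() with the file's bytes; if key_from_marker returns None, try other offsets or rely on the frequency guess and check that the decoded header looks sane (runs of zeros, readable strings).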

Skyline969

MENUdo Afficionado
Member
Joined
Nov 18, 2008
Messages
2,209
Trophies
0
Age
32
Location
Saskatchewan
Website
Visit site
XP
518
Country
Canada
Wow... all of this makes my head spin. But it looks like you all are making good progress. Keep up the great work!
 

glitchbit

Well-Known Member
Member
Joined
Dec 27, 2006
Messages
114
Trophies
0
XP
78
Country
United States
SeaofTea said:
I've been playing around with how much region information is needed to load g6dsload.jp/eng and this is what I've found:

0x00-0xc4
0xd4-0x1ff

DO NOT need to be encoded to boot

Thats as far as I got before my microsd card reader died. But I believe that it may only be like 8 bytes that need to be encoded with region information, possibly 0xcc - 0xd3. If we can find what information is needed then we can search the rest of the files for checks on that information and correct/remove them.

Encoded in what way? I mean I can't even get 1.11 g6dsload.jp to load with the 0x00-0x1ff header from the .eng (1.11) file... it would seem like it is more than just that section, like some encryption scheme further down in the file. I just mean that the encoding would have had to change from the previous versions (for the region code to all of a sudden need to be different from the previous versions), or there is still a chunk of code we are overlooking somewhere else in the file imo. Later tonight or tomorrow I will start comparing the .jp with the .eng files again, and with each highlighted area I will see what the XOR result is (using good math this time, I was a bit lazy last go around lol).

Another question to pose is what does the debug from Ensata or another DS emulator look like when you try to run the nds file of sakura? Maybe that could tell us what we should be looking for regarding the region information. Also does anyone know how that nds file was created?
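The comparison glitchbit describes (diff the decoded .jp and .eng files, then look at the XOR result inside each differing area) and SeaofTea's range-splicing experiment, as one added example. It is not code from the thread; it assumes both inputs are already XOR-decoded with their region byte and have the same length, and the sample pair it builds is constructed for illustration (the real file contents are not reproduced).

```python
"""Diff two decoded headers and splice ranges between them for boot tests.

Added example, not from the thread. Assumes both inputs are already
XOR-decoded and equal in length. build_pair() constructs a sample pair:
a constant-delta region field at 0xcc-0xd3 and a genuinely different
string at 0x100, so both kinds of difference show up.
"""
from typing import List, Set, Tuple

Run = Tuple[int, int, Set[int]]   # inclusive start, inclusive end, XOR deltas


def diff_ranges(a: bytes, b: bytes) -> List[Run]:
    """Maximal runs of differing bytes with the set of per-byte XOR deltas.
    One delta across the run suggests a region constant; many deltas means
    the content itself differs."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    runs: List[Run] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - 1, {p ^ q for p, q in zip(a[start:i], b[start:i])}))
            start = None
    if start is not None:
        runs.append((start, len(a) - 1, {p ^ q for p, q in zip(a[start:], b[start:])}))
    return runs


def splice(base: bytes, donor: bytes, ranges: List[Tuple[int, int]]) -> bytes:
    """Copy the inclusive ranges from donor over base, leave the rest of
    base alone: the 'only 0xcc-0xd3 from the other region' test in code."""
    out = bytearray(base)
    for lo, hi in ranges:
        out[lo:hi + 1] = donor[lo:hi + 1]
    return bytes(out)


def format_runs(runs: List[Run]) -> List[str]:
    """Render runs the way the thread writes them: 0xcc-0xd3, plus deltas."""
    return [f"0x{lo:x}-0x{hi:x} xor={sorted(f'0x{d:02x}' for d in deltas)}"
            for lo, hi, deltas in runs]


def build_pair() -> Tuple[bytes, bytes]:
    """Constructed sample: identical except a region field (0x12 vs 0x07
    repeated) at 0xcc-0xd3 and a different name string at 0x100."""
    eng = bytearray(0x200)
    jp = bytearray(0x200)
    eng[0xCC:0xD4] = bytes([0x12] * 8)
    jp[0xCC:0xD4] = bytes([0x07] * 8)
    eng[0x100:0x108] = b"TOUCHPOD"
    jp[0x100:0x108] = b"SAKURA\x00\x00"
    return bytes(eng), bytes(jp)


if __name__ == "__main__":
    eng, jp = build_pair()
    for line in format_runs(diff_ranges(eng, jp)):
        print(line)
    test = splice(eng, jp, [(0xCC, 0xD3)])
    print("after splice:", format_runs(diff_ranges(test, jp)))
```

With real files, run diff_ranges on the decoded .eng and .jp copies of the same file; a run with a single delta is the kind of region field worth splicing into the other region's file and boot-testing on the card.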
 

Styles420
SeaofTea said:
sorry I should have explained that also, I believe it has something to do with the way the information passes through the physical card itself. To decode any of the headers do bitwise XOR with the number you believe is meant to be 0, so if you wish to decode the jp header just XOR with 07 and you get a decoded header.

also the DSbooter stuff is just a flashme/passme code.

I've been playing around with how much region information is needed to load g6dsload.jp/eng and this is what I've found:

0x00-0xc4
0xd4-0x1ff

DO NOT need to be encoded to boot

That's as far as I got before my microsd card reader died. But I believe that it may only be like 8 bytes that need to be encoded with region information, possibly 0xcc - 0xd3. If we can find what information is needed then we can search the rest of the files for checks on that information and correct/remove them.

No worries, at least I know I'm heading in the right direction... I have been wondering whether the files absolutely had to be encrypted, since I noticed some of the .jp files weren't - I'll experiment further with that section of the header that requires it, hopefully a pattern will present itself. I still think that, even when we modify g6dsload.jp and rename it to .eng, it still looks for the other files with .jp on them - maybe if we remove all unnecessary encoding from those files, we won't have to make copies of them. Then it should just be a matter of identifying any other region-specific functions so that we can redirect them to the proper locations on the English cards. In other words, I don't think we'll be breaking the region lock (i.e. region free), rather we will be replacing the parts with our own region. But that may prove to be too difficult, and we may have to find a way to completely disable the lock. Densetsu has both English and Jp cards, so he should be able to verify that for us once we succeed.
 

Densetsu

Pubic Ninja
Former Staff
Joined
Feb 2, 2008
Messages
3,434
Trophies
0
Location
Wouldn't YOU like to know?
Website
gbatemp.net
XP
2,707
Country
United States
@Styles420: Sorry I didn't have time to run the tests on my card like you wanted this morning. I just got home, and right now I'm going to try removing files from the SYSTEM folder and booting to look for changes. Is there any systematic way you want me to do it? Or should I start removing files at random?

I'll post my findings here as soon as I go through the files. Stay tuned!
 

Styles420
I'd say start by leaving only the g6dsload files and one of the other .jp files - I'm thinking menu, but I really don't know. What I'm hoping for is that you'll be able to get the menu that comes after selecting an OS (or the screen it boots to after the selection has already been saved) with the bare minimum files needed. Then we should be able to say with some certainty what file(s) are responsible for the menu, and that will be the next file I try to decrypt.
 

Densetsu
Styles420 said:
I'd say start by leaving only the g6dsload files and one of the other .jp files - I'm thinking menu, but I really don't know. What I'm hoping for is that you'll be able to get the menu that comes after selecting an OS (or the screen it boots to after the selection has already been saved) with the bare minimum files needed. Then we should be able to say with some certainty what file(s) are responsible for the menu, and that will be the next file I try to decrypt.
Oh, so you want me to remove all of the files in the SYSTEM folder, leaving only the g6dsload files in the folder, then start adding files one by one until I get a successful boot?

Or do you want me to remove files one by one until I can no longer boot? Guess it doesn't matter, huh?
 

Densetsu
I left these files on my card:
[image: screenshot of the files left in the SYSTEM folder]

And these are the files that I deleted from my card:
[image: screenshot of the files deleted from the SYSTEM folder]


Result: I was able to select between Sakura and TouchPod, and when I selected Sakura I was able to boot into the firmware perfectly.

However, I turned off my DS and tried to reboot, holding A down to get back to the dual-boot screen. It worked fine, and this time I selected TouchPod. Then I got two black screens. Now I can't get back to the dual-boot screen when I hold down A anymore. I keep getting the black screens.

*EDIT1*
I added all of the files from the "Deleted from SYSTEM" folder back to my card, and I was able to access the dual-boot screen again (and boot both Sakura and TouchPod successfully). Now I'm going to delete them and start adding stuff one by one.

*EDIT2*
It appears that all I need in the SYSTEM folder is the g6dsload.1 and g6dsload.jp file to get to the dual-boot screen, and also to boot into Sakura. In addition to these two files, I have the FONT, m3sakura, saverDB, skin1 and skin2 folders inside of the SYSTEM folder.

*EDIT3*
I deleted g6dsload.1 and replaced it with g6dsload.2. When I booted, I got two black screens, and the bottom screen said "[LANGUAGE: JAPAN] No system file found! Put system file in"

Then I deleted g6dsload.2 and replaced it with g6dsload.1 again. As in EDIT2 above, I was able to get to the dual-boot screen and boot into Sakura. My card currently looks like this and I can boot into Sakura with no problems:
[image: screenshot of the current card contents]

The boot, g6ds and gba_info .ini files were created automatically by the system.

Should I start investigating the five folders on my card?
 

Styles420
Awesome! That's very helpful... so it seems that the main interface files are all embedded in the g6dsload files .jp and .1 - which means there is more to be found, I had thought we were done with those. Your help continues to be invaluable.


Coincidentally, could you work on a list of other functions and their related files? For example, even though you get the main interface up, what file is needed to be able to run .NDS files? .GBA? (I think we can guess on those, but you see where I'm going - which file does what?)

You can wait on this until we actually manage to get the rest of the interface to boot up - I wouldn't want you to waste your time if we can't get past the current wall.

In other news, I've been doing more comparisons between decrypted headers for touch pod and Sakura, for all three regions. It seems that, in a lot of cases, the English files are actually more often identical to the Asian files. (@Densetsu - that doesn't mean you can't help out - your findings will still tell us the functions of each file)

Update: I think I may have already tested this, but I double checked the comparison between different versions of g6dsload.1, and found them to be identical between US touchpod/Asian touchpod and Asian Sakura... Conclusion: The code to look for is in g6dsload.eng (.gb or .jp) - Happy hunting! First prize for the race to find it: Epic bragging rights.
 

Densetsu
Excellent, I'm glad it helped.


Yeah, I think I'll wait until you can boot into Sakura before I test the functions of the other files.

I'm certain I can eliminate the skin1 and skin2 folders, but even excluding those folders, there are still 220 files in the remaining 3 folders.
 

Styles420
When we get to that point, I'll provide you with a list of suspect files if I can - with the right comparisons, we should be able to rule some of them out, so we can narrow down the search. There are a fair number of files that didn't change between touchpod and sakura, so those won't be related to the interface - or they're part of the touch pod side of things... I'll have to remember to include 1.12 in the comparisons, since that version of Sakura didn't have touchpod built in.

I've located four parts of the g6dsload.eng/jp/gb file that are new as of this sakura - I think I will compare those sections to 1.12 and see what I can find...

Stay tuned! We'll be back after these messages from our sponsors...

(Okay, so I'm cracking up a bit... it will all be better once this puzzle is solved, lol)
 

Styles420
Lol thanks for your concern... but I'm a night owl anyway, and I work third shift, so I have a couple hours left before bed time.
Besides, I feel like I'm just on the verge of discovering another pattern... I'm going to see how long I can hold out on this, but if a pattern doesn't emerge soon I'm quitting for the night... I haven't actually played my DS in about three days now, lol
 

Densetsu
Styles420 said:
In other news, I've been doing more comparisons between decrypted headers for touch pod and Sakura, for all three regions. It seems that, in a lot of cases, the English files are actually more often identical to the Asian files.
Hmmm, is there anyone following along with this thread who has a Chinese flashcart?
 

deviant.zero

Active Member
Newcomer
Joined
Jul 20, 2008
Messages
35
Trophies
0
XP
92
Country
Yep! Right here. Don't know anything about hacking and programming though.. But I would be willing to try out builds after my net is uncapped on the 28th!
 

Densetsu
deviant.zero said:
Yep! Right here. Don't know anything about hacking and programming though.. But I would be willing to try out builds after my net is uncapped on the 28th!
Where have you been all this time?


So you've been using v1.34 as well? It was available for Chinese carts way before it was released for Japanese carts.

Styles420 and the others may be able to benefit from your "unique" booting ability as well.
 
