Hacking OK I've figured out the encryption sakura 1.34

Mr.Seiko

I hate IDA Pro.

I downloaded the Trial here where I have internet access, and over the weekend, installed in on My home PC, and all it did was say that the Trial was expired...

FAIL...
 

Mr.Seiko

Styles420 said:
Good point... I just don't know enough about assembly - all of my training was in C and C++, so my assembly "knowledge" is all based on experimentation, and is both incomplete and prone to false guesses. (I'm not giving up though, damnit)

I've decided to break off from the g6dsload files for a bit to take a fresh look at some of the other files with my new-found understanding of some of the hex code. Has anyone else determined anything definite about, for example, the menu.* files? I've found a lot of text strings in them that seem to pertain more to the areas I had thought should be in the g6dsload file, and if we assume that the files' names mean anything, then it seems logical to me that the menu file would have the code for the menu... (Though I've learned from experience in the real world that a lot of times, if logic seems to apply, it doesn't)

@SeaofTea, haven't heard from you in a while - been busy with real life? No worries, just wondering if you're having any luck, since all I've been able to find are a bunch of small patterns, still working on how they relate to each other.

EDIT: Went back to a post from Densetsu3000, and he was able to get to the Sakura menu with just the g6dsload.jp and .1 files on his card, so maybe I need to start looking into .1 again... in fact, I should try to look for cross references between the two as well...

UPDATE: I think I have a nearly complete disassembly of g6dsload.1 from JP Sakura 1.34 2nd Edition. Still looking for links to the region lock, but I did see something interesting (which I might have already posted about, forgive me if this is a repeat) - g6dsload.1 contains many strings of text about many functions, but what's interesting is that there are sections in each language - not just JP, Chinese and Eng, but all others as well. I recognized Spanish, French, and references to Turkish, and what I think was German.

I need to figure out whether the JP and GB versions use english fonts for these messages, or their native alphabet. If they don't use english, then that means that some of the other bits of code that were detected as possible strings could be JIS unicode etc. - Which means I may need to isolate them and send them to Densetsu for a translation...

So that's the update at this point... on to more tests...


I would open up the messages.932 file, and see if the English text that you're seeing corresponds to the identifiers used there.
E.g.:
CD_CheckDisk_Start=????????????????
CD_CheckDisk_End=???????????????????

The messages file has a whole bunch of english message calls, and then the Localized text.
 

Styles420

Good thought, but they don't match... but maybe I can use Densetsu's translation to identify single words that do, and search for those...

With Densetsu's help, we have determined with a fair amount of certainty that the Sakura menu is somewhere in the g6dsload.jp and/or .1 files... But I still haven't been able to get it to show up on my english cart, so I haven't found the right parts of the files to modify...

The M3 team seems to have gone to a lot more trouble to lock 1.34 to specific regions, which seems a little spiteful considering they were considering using the first unofficial hack to make the official one... It almost seems like they've decided not to release Sakura in our region.

Either that, or they really want us to work hard to get this one working, which would be messed up since we all know they'll never pay any of us for the trouble... I'm at a loss as to any good reasons, unless they really are going to have our version out soon, but given their past history, that doesn't seem likely... I'm about a week away from an undeniable urge to fly to China so I can personally smack every one of the developers, lol
 

Mr.Seiko

I agree with the Smacking of said developers....


I don't really see why they are going to all of the Trouble to release Region locked versions of the Software, just seems like a major waste of time to code the differences.
 

Toni Plutonij

Mr.Seiko said:
I agree with the Smacking of said developers....


I don't really see why they are going to all of the Trouble to release Region locked versions of the Software, just seems like a major waste of time to code the differences.
I think it has something to do with their internal stuff..within the team, because they have few teams, and every team handles their updates I'm guessing...also, I think they are paid differently..So that is possible the main reason for region lock!
 

Styles420

Toni Plutonij said:
Mr.Seiko said:
I agree with the Smacking of said developers....


I don't really see why they are going to all of the Trouble to release Region locked versions of the Software, just seems like a major waste of time to code the differences.
I think it has something to do with their internal stuff..within the team, because they have few teams, and every team handles their updates I'm guessing...also, I think they are paid differently..So that is possible the main reason for region lock!

So where would we go to get paid for doing the European team's work?
 

Densetsu

Styles420 said:
So where would we go to get paid for doing the European team's work?
Go to Croatia, Toni will pay you


So I started deleting even more files from my flashcart to find the bare minimum files required to boot Sakura, and this is what I've got now:
[screenshot: flashcart root]
Going into the "m3sakura" folder, this is what I see:
[screenshot: contents of the "m3sakura" folder]
I've got it down to 14 files and 3 folders inside the "m3sakura" folder. It turns out that the majority of the 200+ files were from the Moonshell 1.71+1 that was packaged with the firmware. It was like having Sakura packaged within Sakura!


Files inside the "SYSTEM" folder:
  • \SYSTEM\g6dsload.1
  • \SYSTEM\g6dsload.jp
Files inside the "m3sakura" folder:
  • \SYSTEM\m3sakura\bgbmp
  • \SYSTEM\m3sakura\default.skn - Sakura won't boot without default.skn, but I think we all know that default.skin has absolutely nothing to do with anything relevant to this thread.
  • \SYSTEM\m3sakura\dldibody
  • \SYSTEM\m3sakura\launch
  • \SYSTEM\m3sakura\m3sakura
  • \SYSTEM\m3sakura\resume
  • \SYSTEM\m3sakura\rq_table
  • \SYSTEM\m3sakura\saveback
  • \SYSTEM\m3sakura\sjis2uni.tbl
  • \SYSTEM\m3sakura\splash - "splash" is a 5.62MB file that I'm assuming is the new animated Sakura logo splash screen you see when you boot Sakura (I'll delete it and try to run Sakura later to make sure).
  • \SYSTEM\m3sakura\swapfile.$$$
  • \SYSTEM\m3sakura\language\chrglyph.932 - Deleting this file causes Sakura to boot into a top black screen.
  • \SYSTEM\m3sakura\language\messages.932 - Deleting this file causes Sakura to boot into a top black screen. Since this is the file I translated, I'm almost certain that it has nothing to do with anything other than language.
  • \SYSTEM\m3sakura\sndeff\sndeff - Deleting this file causes Sakura to boot into a top black screen.
So far, with just g6dsload.jp, g6dsload.1 and the 14 files in the "m3sakura folder," I can get to the dual-boot screen, select and boot into Sakura, run DiskCheck, go into the Sakura Initial Settings and navigate folders in Sakura perfectly.

I can't imagine that the region lock would be contained in one of these 14 files, but at least we've narrowed it down to a much, MUCH smaller number of files. I'm actually surprised at how few of the SYSTEM files are required to run Sakura.

These are the SYSTEM files on my flashcart at this very moment. As stated above, with just these files, I can access the dual-boot screen, select Sakura (which runs DiskCheck automatically), and navigate folders just fine. I can still view videos (both DPG and DSM). It's just that there are no sound effects, I can't open any pictures, text files or MP3s and I can no longer load GBA or NDS ROMs.

I can say this much with absolute certainty: the 3 folders (language, launch and sndeff) and the 3 files within them (chrglyph.932, messages.932 and sndeff.dat) must be present otherwise Sakura will boot into a top black screen. I have no idea what the remaining ~10 files do, but I'll continue stripping files from the folder and isolate the absolute minimum files required to boot into Sakura. Right now I have to head out of the house, but I'll update this post later tonight.
 

kubbik

Hi all,

Just one word for Densetsu3000: thanks (for what you do here).


My little contribution: I'm pretty sure that the location restriction is within the g6dsload.jp.
Why?
I tested replacing files from the new Sakura firmware with files from the latest M3 firmware.
Some files are exactly the same.
The only file which is different is the g6dsload.jp:
g6dsload.jp (Sakura) ~ 792 KB
g6dsload.jp (M3) ~ 37 KB

If I use the g6dsload.jp from the M3 firmware, I'm booting into the original firmware of the M3 Real.
So if I replace the g6dsload.jp from Sakura, I'm booting to a black screen.

The g6dsload.1 from Sakura has the same CRC as the one from the latest M3 Japan firmware.
So... we'll see about checking the g6dsload.jp, and why not find something more.

Hope that helps.
 

AXYPB

I don't know if this was tried yet, but I took my iSakuReal install and replaced the m3sakura folder with the one from 1.34. I had to supply language.set from my original m3sakura, but I did get past the black screens. I get the message "Language file overflow. Application halted!!" It doesn't generate a logbuf.txt.

[Edit]I got the messages.932 from the old m3sakura and now I get this message:
"Shell_FAT_fopen_Data=/SYSTEM/M3SAKURA/SPLASH.ANI
Fatal error: Can not read. Illigal size or buffer. (-489037095,0)

Application halted!!"

[Edit]Replacing splash.ani produces:
"Fatal error: Skin file 'Setup_BG_Bottom.b15' not found.

Application halted!!"

I've never seen such a file before. I can't find anything named that in the new m3sakura system files or my old system files. What is it?
 

Styles420

@Densetsu - Thanks as always for your invaluable help, very thorough indeed!

D3 and I also collaborated on a set of tests to determine the functions of a few bytes found in the header of g6dsload.jp, and thanks to his results, I can make the following assertions:

The byte at 0x0071 is an offset for the location of the touchpod portion within g6dsload - only affected loading of touchpod, causing at least one black screen when changed to the GB value

The byte at 0x0079 caused a graphical glitch on the load screen's button, and prevented touchpod from loading as well.
These two bytes are each in the four-byte sections that appear to not be XORed when comparing the .jp and .gb versions (0x0070-73 and 0x0078-7b respectively)

The third byte is a little more mysterious, with just that byte changed Densetsu had no noticeable problems - further exploration is needed, but I will put that off for now as it doesn't appear to be part of the region lock at this time - my first priority is to get at least the Sakura menu to load.

AXYPB said:
I don't know if this was tried yet, but I took my iSakuReal install and replaced the m3sakura folder with the one from 1.34. I had to supply language.set from my original m3sakura, but I did get past the black screens. I get the message "Language file overflow. Application halted!!" It doesn't generate a logbuf.txt.

[Edit]I got the messages.932 from the old m3sakura and now I get this message:
"Shell_FAT_fopen_Data=/SYSTEM/M3SAKURA/SPLASH.ANI
Fatal error: Can not read. Illigal size or buffer. (-489037095,0)

Application halted!!"

[Edit]Replacing splash.ani produces:
"Fatal error: Skin file 'Setup_BG_Bottom.b15' not found.

Application halted!!"

I've never seen such a file before. I can't find anything named that in the new m3sakura system files or my old system files. What is it?

[Edit] Forgot to answer your last question, AXYPB - I believe the .skn files are a sort of custom archive (like a .zip file, but maybe without compression). So the file Setup_BG_Bottom.b15 is probably embedded in the skin file, and, it seems, has been moved or renamed during the update. Try using the .skn file from the other Sakura and let us know what happens.

Great observations! Maybe we will be able to locate the parts that determine the expected filesizes, and modify them to match - it would be a hybrid 1.12+1 - 1.34...
Every question answered reveals more questions to be asked... but at least we've made another step or two in what I hope is the right direction. I have renewed energy to try some new ideas - hopefully a positive update will follow!

[Edit] Currently awaiting results on a test to confirm a hypothesis from the previous test, more to come on that. So for now I'm leaving those bytes behind and hunting around for other possible region locking bytes...
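Both kubbik's CRC comparison earlier in the thread and Styles420's observation above that bytes 0x0070-73 and 0x0078-7b appear not to be XORed between the .jp and .gb versions are checks that a small differential-analysis script makes repeatable: hash the two images, list the byte runs that differ, and test whether each run is a constant single-byte XOR or was rewritten outright. The script below is an added example for this thread, not code from any poster or from the M3 team. Its two blobs are constructed toy data, not real g6dsload bytes; the 0x24 key and the offsets in build_samples are assumptions (0x24 is used only because the thread's '07'-versus-'23' byte pair XORs to it).

```python
"""Differential analysis of two firmware images: which byte runs differ,
which of those runs look like a constant per-byte XOR, and which were
rewritten outright.  Constructed toy data throughout (not real firmware)."""
import zlib


def crc_match(a: bytes, b: bytes) -> bool:
    """Quick 'identical file?' test: same length and same CRC32."""
    return len(a) == len(b) and zlib.crc32(a) == zlib.crc32(b)


def differing_runs(a: bytes, b: bytes) -> list:
    """Contiguous [start, end) offset ranges where a and b disagree.
    A trailing range covers bytes present only in the longer image."""
    n = min(len(a), len(b))
    runs, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, n))
    if len(a) != len(b):
        runs.append((n, max(len(a), len(b))))
    return runs


def classify_runs(a: bytes, b: bytes) -> list:
    """Label each differing run as (start, end, kind, key).
    'constant-xor':    every byte pair XORs to one key (key reported);
    'rewritten':       keys vary, so not a single-byte XOR;
    'length-mismatch': bytes that exist in only one image."""
    n = min(len(a), len(b))
    report = []
    for start, end in differing_runs(a, b):
        if end > n:
            report.append((start, end, "length-mismatch", None))
            continue
        keys = {a[i] ^ b[i] for i in range(start, end)}
        if len(keys) == 1:
            report.append((start, end, "constant-xor", keys.pop()))
        else:
            report.append((start, end, "rewritten", None))
    return report


# Constructed sample: a 128-byte stand-in for a g6dsload header (assumption).
BASE = bytes(range(0x80))


def build_samples():
    """Return a constructed (jp, gb) pair, not real firmware bytes.
    Assumed layout: 0x00-0x6f XORed with key 0x24, 0x70-0x73 untouched,
    0x74-0x77 replaced outright, 0x78-0x7f untouched."""
    jp = BASE
    gb = bytearray(BASE)
    for i in range(0x00, 0x70):
        gb[i] ^= 0x24
    gb[0x74:0x78] = b"\xaa\xbb\xcc\xdd"
    return jp, bytes(gb)


if __name__ == "__main__":
    jp, gb = build_samples()
    print("identical by CRC32:", crc_match(jp, gb))
    for start, end, kind, key in classify_runs(jp, gb):
        key_txt = f" key=0x{key:02x}" if key is not None else ""
        print(f"0x{start:04x}-0x{end - 1:04x}: {kind}{key_txt}")
```

A run whose byte pairs all XOR to one value is what a single-byte XOR leaves behind; a multi-byte rolling key or a genuine re-encoding shows up as "rewritten", so that label means "not a one-byte XOR", not "encrypted". On real files, a few bytes that happen to match inside a rewritten region will split it into many short runs, which is the hex-editor-versus-Windiff effect Styles420 describes later in the thread.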
 

AXYPB

I took default.skn from my old /m3sakura/. With the files message.932, splash.ani and default.skn from 1.12+1 transplanted into 1.34, I now have nothing more than a Frankenstein that plays videos but doesn't load any homebrew or ROMs.

Note that I'm still using the same g6dsload.* files of iSakuReal. I think this further proves that the locks are in those files themselves and not in /m3sakura/.
 

Styles420

AXYPB's post gave me an idea, so I checked out just how much had actually changed in the m3sakura folder between JP's 1.12 and 1.34 -

The .skn file has three blocks of code with changes - the first one appears to be minor alterations, as the sections were detected as being similar in my comparison. The other two sections appear to be completely reworked, with the exception of one or two lines at the beginning of each. Either the M3 team encoded the data, or changed the format - the related sections are roughly equal in size between versions.

launch.dat is completely different, but I think this file only stores data about recently run programs or something along those lines - in other words, data that changes every time you run Sakura.

m3sakura.dat starts out almost identical, but then is completely different from the old version. Could be encoded differently, but I don't really know - I think a comparison between jp and gb files of the same version is necessary to shed light on this one.

saveback.dat is another one that I think will change during use anyway, so no surprise that it was different.

splash.ani is completely different, and considerably smaller in the new version - this makes me think that perhaps they've compressed the image data, or switched to a format that uses less space. But I'm not sure what is actually stored in this file yet - I'm pretty sure that the startup screens have all been changed completely.

The swapfile was different, of course.

Finally, the language file has a lot more data in the new version. There seemed to be only 5 lines that were completely changed, the first line was slightly altered (the seemingly random characters at the very beginning), and the rest of the differences were all new data that didn't exist in the 1.12 file.

The rest of the files in the m3sakura folder and subfolders came up as completely identical.


[EDIT] AXYPB posted while I was writing my post so I missed it, but good work! I guess the next step is to figure out what parts of the new g6dsload are encrypted... I found four other bytes that were '07' in the jp file that coincided with a '23' in the gb file, and changing those yielded similar results to my tests with Densetsu, but with Sakura instead of Touchpod (Bottom screen does not go black like it normally does with just the header XORed) - I think I might send a new batch of test files to have him test those bytes on his JP card, to see how it affects the system where it would normally work.
 

AXYPB

I should probably point out that I can still access ROM options with the Frankenstein (for lack of a better term at 3 in the morning) I made.

[Edit]Actually, before I switched out default.skn, I tried switching out m3sakura.dat and got the same result.
 

Styles420

M3 Team has drastically changed a lot of the structure, the biggest reason being the incorporation of touchpod - their earlier method was more of a proof-of-concept hack, this time they've gone the full 9 yards with that. So they've changed the organization of everything by adding the initial OS selection menu and fusing the firmwares.

What we need to figure out is where the new menu is located (I think we're about 90% certain it has to be in g6dsload.jp), and where it links to with either selection - those areas are most likely encrypted in some way, and if we get this second encryption figured out, we may have a working English version...
 

Densetsu

kubbik said:
Just one word for Densetsu3000: thanks (for what you do here).

My little contribution, i'm pretty sure that the location restriction is winthin the g6dsload.jp

[omitted text]I really haven't done much other than boot Sakura using the files Styles420 sends me. He and everyone else hacking this are doing all the legwork, so they deserve much more of the credit than I do. Thanks for corroborating the fact that the region lock is contained within g6dsload.jp!

AXYPB said:
I took default.skn from my old /m3sakura/. With the files message.932, splash.ani and default.skn from 1.12+1 transplanted into 1.34, I now have nothing more than a Frankenstein that plays videos but doesn't load any homebrew or ROMs.

Note that I'm still using the same g6dsload.* files of iSakuReal. I think this further proves that the locks are in those files themselves and not in /m3sakura/.
Cool, so I guess I don't have to go through those 10 files in the /m3sakura/ folder. But I probably will anyway just so we can eliminate all possible variables without a shadow of a doubt.

QUOTE(Styles420 @ Jan 26 2009, 01:04 AM)
The .skn file has three blocks of code with changes - the first one appears to be minor alterations, as the sections were detected as being similar in my comparison. The other two sections appear to be completely reworked, with the exception of one or two lines at the beginning of each. Either the M3 team encoded the data, or changed the format - the related sections are roughly equal in size between versions.
So what does this suggest about default.skn? I took mercenary96's default.skn from Sakura 1.12+1 and transplanted it into the 1.34 SYSTEM folder, overwriting the original Japanese one included in the 1.34 package. The result: I was still able to boot Sakura 1.34 without any problems.

*EDIT*
@AXYPB: A better term than Frankenstein? I don't know...maybe Sakurankenstein?
 

Styles420

Densetsu3000 said:
Styles420 said:
The .skn file has three blocks of code with changes - the first one appears to be minor alterations, as the sections were detected as being similar in my comparison. The other two sections appear to be completely reworked, with the exception of one or two lines at the beginning of each. Either the M3 team encoded the data, or changed the format - the related sections are roughly equal in size between versions.
So what does this suggest about default.skn? I took mercenary96's default.skn from Sakura 1.12+1 and transplanted it into the 1.34 SYSTEM folder, overwriting the original Japanese one included in the 1.34 package. The result: I was still able to boot Sakura 1.34 without any problems.

*EDIT*
@AXYPB: A better term than Frankenstein? I don't know...maybe Sakurankenstein?


I'm starting to really doubt Windiff's ability to make a fair comparison - I went back and compared the .skn files in my hex editor, and it turns out the differences can't be broken up into large chunks - there are a huge amount of little sections that are the same, and little sections that differ. My guess would be that it's due to changes to the images, but I need to find out what format they use when they're packed into the .skn file.

This still shouldn't be a big deal, since Densetsu was able to boot with either skin file... and because we're almost 100% certain that the region lock *has* to be in g6dsload - which makes sense in a lot of ways (I may be prone to changing my mind on that... a lot... lol)

@Densetsu - One thing I am curious about is how much of the skin actually looked different both before and after you switched files? Were there any noticeable graphic changes to speak of? I doubt it will help with the region lock, more just for curiosity's sake.

And I'll add my vote for Sakurankenstein
 

mc_B3oWoLF

Hi, guys!)

Sorry was in the countryside for a weekend =)

I've totally forgotten to post the results a week or so ago..
The results of mixing the 1.12 & 1.34 files trying to boot NEW sakura..
The results were similar to AXYPB's: Sakura told me 'bout some missing/corrupt files, so I was replacing them (using the old version files)
As far as I remember, I got finally a hybrid that had the 1.12 kernel, so even NDS-Rom settings were old-stylish...

Hence I'd like to ask AXYPB 1 question: Did you manage to see the new-version NDS/GBA-Rom settings?

And again I want to thank EVERYONE, who's working on hacking the FW..
P.S.: I regret to suppose, but, apparently, M3 Team isn't going to release the official EU/US version of Sakura at all =(
(We've even never seen the official 1.12+1/a version)

By the way, I'm going to try the 'decompiler' that was suggested on previous pages to try to turn the binary code to 'Pseudo C'.. Maybe this would clarify/reveal anything.

I suppose that the major part of regional locking IS in g6dsload, BUT we should be ready to find out, that g6dsload file may have a link to any bit of ANY file (of the latest D3k's 'minimum required files' list) to 'finalize' the regional lock process


Upd. And I almost forgot to add my vote for Sakurankenstein (or Sakustein for short, maybe?)
 

AXYPB

I did see the newer settings for NDS-GBA linkage.

I would find it hilariously ironic if someone came up with a Frankenstein-inspired 1.34 skin for Halloween.
 
