Pushmo/Pullblox QR codes analyzed

Discussion in '3DS - Flashcards & Custom Firmwares' started by celcodioc, Jan 2, 2012.

Jan 2, 2012
  1. celcodioc
    OP

    Member celcodioc Major A$$hole

    Joined:
    Nov 13, 2011
    Messages:
    278
    Country:
    Sweden
    LATEST MAJOR EDIT: Added sections "Manhole/pullout switch location data" and "Coordinates"
    POST STATUS: Messy

    Note that these facts and theories are based on a few hours of research and comparing files. I'm still working on this and some facts may be incorrect.
    Also, please remember that I'm not an experienced hacker, I just wanted to analyze these QR codes (and share my findings) because it seems like nobody else has yet.

    The facts:
    • The file is always 718 bytes (722 including common QR data)
    • 512 of these contain block data and locations
    • Each block is encoded into a half-byte, 0-9 based on block colour (up to 1024 blocks per level - 32x32)
    • Half-byte [0xA] = No block
    • Each level has specific values for "locked" and "unlocked" states
    • Every byte after the QR header needs to be moved 4 bits to the right (for example, [0x4C, 0x86, 0xB2] --> [0x04, 0xC8, 0x6B, 0x20]), thanks elisherer :)

    The theories:
    • The file might contain an obfuscated timestamp (pretty sure these are random values though)
    • The locked/unlocked values are based on those values
    • There is a byte that tells the 3DS how long the level name is somewhere

    To-do list:
    • Fix the pictures...



    Manhole/pullout switch location data
    [​IMG]



    Coordinates
    [​IMG]



    Downloads
    easy_fixed.bin
    easythree_fixed.bin
    easy.bin - including QR data
    easythree.bin - including QR data
     


  2. tigris

    Member tigris Sentient Existential Anthropomorphic Sweet Potato

    Joined:
    Jun 19, 2010
    Messages:
    2,689
    Location:
    The Tibetan Himalayas
    Country:
    United Kingdom
    Woah, time for a Mii QR code analysis xD
    Good job, bro(dette).
     
  3. elisherer

    Member elisherer I ♥ 3DS

    Joined:
    Dec 16, 2009
    Messages:
    778
    Location:
    3dbrew.org
    Country:
    Israel
    awesome!!!! we could make pushmos out of pictures!!!!
     
  4. elisherer

    Member elisherer I ♥ 3DS

    both links (easy + easythree) are for the same file easy.bin...adding the "three" to the "easy" gives the real link...
     
  5. celcodioc
    OP

    Member celcodioc Major A$$hole

    Thanks :)
    Unfortunately, if I recall correctly, Mii data files are encrypted. I could be wrong though ;)

    If I could find a working encoder we could probably test and see if the game accepts our edited levels.

    Fixed, thanks.
     
  6. frogboy

    Member frogboy lacking both style and grace

    Joined:
    Dec 6, 2011
    Messages:
    2,249
    Country:
    United States
    Nice theory. Don't worry, if I ever produce a Pushmo PC level editor, I'll give you credit!

    too bad i'm not great at coding...
     
  7. elisherer

    Member elisherer I ♥ 3DS

    correction: every byte is aligned to the nearest 4bits...

    I shifted the two files 4 bits to the left.. and see this..

    easythree.bin
    Code:
    
    00000000 02 CE 8D 06 00 00 00 00 00 00 B6 25 9D 52 01 07 .. ........% R..
    00000010 07 20 77 21 3D 2A 2E 23 51 1C 0F 0F 00 00 FF FF . w!=*.#Q.......
    00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF 45 00 ..............E.
    00000070 61 00 73 00 79 00 00 00 14 08 78 41 14 08 5C 69 a.s.y.....xA..\i
    00000080 2A 00 00 00 00 00 00 00 00 00 B8 3B 14 08 00 00 *..........;....
    00000090 00 00 C4 5B 2A 00 C0 3E 14 08 04 00 00 00 00 00 .. [*..>........
    000000A0 14 08 C0 3E 14 08 00 00 A0 C1 00 00 80 3F 00 00 ...>.... ... ?..
    000000B0 00 00 04 00 00 00 FF FF FF FF FF FF FF FF FF FF ................
    000000C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    000000D0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000000E0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000000F0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000100 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000110 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000120 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000130 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000140 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000150 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000160 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000170 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000180 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA A2				
    00000190 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001A0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001B0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001C0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001D0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001E0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001F0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000200 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000210 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000220 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000230 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000240 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000250 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000260 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000270 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000280 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000290 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002A0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002B0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002C0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002D0 0A 0A										   ..			  
    
    easy.bin
    Code:
    
    00000000 02 CE 8D 06 00 00 00 00 00 00 E2 4C 5D B8 01 07 .. ........L]...
    00000010 07 20 7F 21 3D 2A 2E 23 51 1C 0F 0F 00 00 FF FF . !=*.#Q.......
    00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    00000060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF 45 00 ..............E.
    00000070 61 00 73 00 79 00 00 00 6C 00 6F 00 78 00 20 00 a.s.y...l.o.x. .
    00000080 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1...............
    00000090 04 01 C4 5B 2A 00 C0 3E 14 08 0A 00 00 00 50 00 .. [*..>......P.
    000000A0 75 00 6C 00 6C 00 62 00 6C 00 6F 00 78 00 20 00 u.l.l.b.l.o.x. .
    000000B0 31 00 04 00 00 00 FF FF FF FF FF FF FF FF FF FF 1...............
    000000C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
    000000D0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000000E0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000000F0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000100 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000110 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000120 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000130 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000140 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000150 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000160 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000170 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000180 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA A2				
    00000190 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001A0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001B0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001C0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001D0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001E0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000001F0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000200 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000210 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000220 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000230 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000240 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000250 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000260 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000270 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000280 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    00000290 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002A0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002B0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002C0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA				
    000002D0 0A 0A										   ..			  
    
    plus don't forget to find:


    10 pullout switches
    10 manholes (should be connected somehow)
    level = 1-5 (Easy, Pretty Simple, Average, Tricky, Hard)
    flag = 16x16 / 32x32
     
  8. celcodioc
    OP

    Member celcodioc Major A$$hole

    Whoa, that's really interesting. Thanks :) (Actually, even ZXing detected that. Common QR code pattern?)

    10 pullout switches - already done
    10 manholes (should be connected some how) - already done
    level = 1-5 (Easy, Pretty Simple, Average, Tricky, Hard) - forgot about that thing :P
    flag = 16x16 / 32x32 - I can't create 32x32 levels yet so someone else has to find that.

    Just updated the picture with more accurate information.
     
  9. elisherer

    Member elisherer I ♥ 3DS

    I'll be happy to write a simple program to read your findings...
     
  10. celcodioc
    OP

    Member celcodioc Major A$$hole

    Feel free to do that anything. I haven't copyrighted them, have I? ;)
    Also, if the first four bits aren't needed... it means I have to redo the entire picture D:
     
  11. elisherer

    Member elisherer I ♥ 3DS

    I don't want to steal your thunder...you were the first one to work on this, so you would be the one credited. :)
     
  12. celcodioc
    OP

    Member celcodioc Major A$$hole

    The picture has been updated; it's much cleaner now... or at least I hope so.
     
  13. elisherer

    Member elisherer I ♥ 3DS

    see this http://www.thonky.co...-1-encode-data/

    To summarize:
    The qr data starts with a nibble (half-byte) which sets the mode... 4 is binary.
    because it's 4 and the version of the pushmo qr code is 18 then the data length is 16 bits after the mode.
    which in this case is 0x2CE meaning that it doesn't include the last 0xA0.
    so...
    It has a 20-bit header (=0x402ce).
    a 0x2CE block of data
    and an 8-bit trailer which is 0xA0.

    focus your efforts on that 0x2CE blob. :)
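
The framing described in the post above (mode nibble, 16-bit length, 0x2CE-byte blob), together with the 4-bit shift and half-byte rules from the first post, as an added Python example that is not code from the thread. The sample codewords are constructed; taking the block data as the last 512 bytes of the blob follows the hex dumps earlier in the thread, and reading the high nibble first is an assumption.

```python
BYTE_MODE = 0x4   # QR mode indicator for 8-bit byte data
NO_BLOCK = 0xA    # first post: half-byte 0xA means "no block"

def shift_right_4(data):
    """Re-align bytes by 4 bits: 4C 86 B2 -> 04 C8 6B 20 (first post's example)."""
    return (int.from_bytes(data, "big") << 4).to_bytes(len(data) + 1, "big")

def unwrap_byte_segment(raw, version=18):
    """Return the payload of the leading byte-mode segment in raw QR data codewords."""
    count_bits = 8 if version <= 9 else 16   # QR spec: count field width in byte mode
    total = len(raw) * 8
    if total < 4 + count_bits:
        raise ValueError("too short for a segment header")
    bits = int.from_bytes(raw, "big")

    def take(offset, n):                     # n bits starting at bit offset (MSB first)
        return (bits >> (total - offset - n)) & ((1 << n) - 1)

    if take(0, 4) != BYTE_MODE:
        raise ValueError("not a byte-mode segment")
    length = take(4, count_bits)
    start = 4 + count_bits
    if start + 8 * length > total:           # never trust the declared length
        raise ValueError("declared length exceeds the data present")
    return take(start, 8 * length).to_bytes(length, "big")

def block_nibbles(payload):
    """Split the last 512 bytes into 1024 cells; high nibble first is an assumption."""
    if len(payload) < 512:
        raise ValueError("payload too short for 512 bytes of block data")
    cells = [n for b in payload[-512:] for n in (b >> 4, b & 0xF)]
    if any(c > NO_BLOCK for c in cells):
        raise ValueError("cell value outside 0-9 / 0xA")
    return cells

def build_sample():
    """Constructed codewords: 20-bit header, 0x2CE-byte payload, 0xA0, 4 fill bits."""
    payload = bytes(206) + b"\xAA" * 511 + b"\xA2"      # one coloured cell at the end
    value = (BYTE_MODE << 16) | len(payload)            # 0x402CE
    value = (value << 8 * len(payload)) | int.from_bytes(payload, "big")
    value = ((value << 8) | 0xA0) << 4
    return value.to_bytes(722, "big")

if __name__ == "__main__":
    payload = unwrap_byte_segment(build_sample())
    cells = block_nibbles(payload)
    print(hex(len(payload)), sum(c != NO_BLOCK for c in cells), "block(s)")
```

The length check matters when decoding untrusted codes: a declared length larger than the data actually present is rejected instead of being read past the end.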
     
  14. celcodioc
    OP

    Member celcodioc Major A$$hole

    I've been working a bit slowly, but this is what I found a while ago:
    • What I thought was a checksum might be some kind of an obfuscated timestamp or just random values (pretty sure it's random values) and the specific values for locked/unlocked state are most likely based on those
    • There is no flag that tells whether the level is 16x16 or 32x32

    Time to figure out exactly how pullout switch/manhole locations are encoded (should be easy)
    I need a working bytes -> QR Code encoder to test my theories though, encoding them manually is such a pain :P

    Thanks, I'm fairly inexperienced with QR codes.
     
  15. elisherer

    Member elisherer I ♥ 3DS

    I'm working on it...will be ready in no time...
     
  16. elisherer

    Member elisherer I ♥ 3DS

  17. vashgs

    Member vashgs GBAtemp Regular

    Joined:
    Feb 1, 2008
    Messages:
    236
    Country:
    United States
    You're close with this analysis, but no cigar ;-)

    Your checksum location is incorrect, and the garbage data is, in fact, just garbage data. It's a buffer to hold the name. You can confirm this by changing the name twice, then saving your level. You will see remnants of the old name in the garbage data, after the new name. We already have a QR encoder/decoder and much more research on the actual layout of the files. We'll keep you posted on any developments :-) Glad to see somebody else as interested in this as we are!

    EDIT: If you're interested in "fixing" the garbage data for identical garbage across differing levels, do the name change trick. This can be useful in identifying other aspects of the level data :-)

    EDIT 2: Removed some information ;-) Can't give away too much!
     
  18. elisherer

    Member elisherer I ♥ 3DS

    The maximum name is 16 letters meaning 32 bytes (in unicode) so the rest of the 'buffer' is unknown...sometimes it says 'Pushmo 1' or 2 or 'Pullbox 1'...sometimes just gibberish...
     
  19. celcodioc
    OP

    Member celcodioc Major A$$hole

    elisherer, your encoder works (:D) but the game does apparently not accept edited levels. It detects that it is a Pullblox QR code but says that "there is something wrong with it". Probably because of invalid locked/unlocked values since these are based on almost the entire level.

    I've already tried fixing it, but the garbage data in file #1 was very different from the garbage data in file #2 and there were no names in it (and yes, I did remove the QR header). I'll fix the incorrect "checksum" location, though.


    Anyway, I guess I should check the file header instead of thinking that "ZXing does all the decoding and gives me the full file" next time ^^
     
  20. elisherer

    Member elisherer I ♥ 3DS

    [​IMG]


    lol, the colors seem ok but the arrangement is probably tiled (like the ds/3ds textures)
     
