Removing 'copy protection' from saved games

Discussion in 'Wii - Hacking' started by Lukeage, May 4, 2008.

  1. Lukeage
    OP

    I've been playing around with Waninkoko's save game tools, which are great, but it's a lot of hassle to backup/install saved games, especially if I want to take them to a friend's place where running homebrew might be a bigger hassle. So I started looking around the saves and this is what I've got so far.

    Firstly, I started with Eledees. Datel has a freely available powersave for it which is 'unprotected', so this was an excellent choice to start with. So I made a backup of my original save using the extractor. I then deleted my save and copied over the Datel one, which I then also copied off with the extractor. As a reference to what was common between saved games, I also made a copy of the Excite Truck save.

    I noticed that between Eledees and Excite Truck there were only 2 common files, FILELIST.DAT and BANNER.BIN. As the file lists are small, I had a quick look, but there wasn't much that could be changed in them. The two Eledees saves had the files in a different order, but it was unlikely that made any difference. This obviously left only the BANNER.BIN.

    I assumed that it would merely be a flag near the top of the file so I compared the 3 files and these were the first 16 bytes of each:

    Code:
    Original Eledees:
    00000000h: 57 49 42 4E 00 00 00 11 AA AA 00 00 00 00 00 00 ; WIBN....ªª......

    Powersave Eledees:
    00000000h: 57 49 42 4E 00 00 00 00 00 02 00 00 00 00 00 00 ; WIBN............

    Excite Truck:
    00000000h: 57 49 42 4E 00 00 00 00 55 55 00 00 00 00 00 00 ; WIBN....UU......


    Only 3 bytes difference between them. As Excite Truck used 2 bytes, my initial reaction was that the byte 0x07 was important, but firstly, I replaced the first line of the original Eledees save with the powersave one. I copied this back to the Wii and success!! My original save could now be copied to SD from the Wii menu.

    Being impatient, and rather than playing around with Eledees, I quickly copied my Mario Kart save and had a look at it:

    Code:
    Mario Kart:
    00000000h: 57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00 ; WIBN............


    Now this looks oddly familiar to the Eledees save, but what is this, byte 0x07 is different. I changed this to a 00 and copied it back. Once again, success!!

    Looks like this is the key. Unfortunately, I don't have any other locked games to test (well, I have GH3, but the extractor cannot copy that currently). If anyone has dumped their saves of other protected games, can you open up the BANNER.BIN and post the first 16 bytes?

    I am currently unsure why Eledees has 11 and Mario Kart has 01, but changing these both to 0 has made no noticeable difference so far (I've only checked the saved games still worked with the games briefly).

    Bytes 0x08 and 0x09 seem to relate to the animation of the game's icon in the Wii menu. Mario Kart's icon is static and so is the Powersave. The original Eledees save was animated, but became static when I replaced it with 00 02. The Excite Truck icon is also animated. Perhaps it relates to the number of frames?

    Hopefully this is helpful to anyone who is keen to play around. If you find anything new, please post it here for all to enjoy.

    ------------------------------------------

    Update:

    I went back to the Eledees save and modified this again. This time, rather than changing byte 0x08 and 0x09, I left them as AA AA. This keeps the icon animated. More importantly, I changed byte 0x07 from 11 to 10 instead, hence only changing a single bit. The save can still be copied! Since I don't know what the other bits are for, it is probably a good idea from now on just to change the single bit rather than the whole byte.

    -------------------------------------------

    For the lazy:

    Command line app to edit the bit:
    http://www.filefactory.com/file/387074/

    Usage: sgunprot filename
    eg. sgunprot BANNER.BIN
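
An added example, not part of the original post and not the sgunprot tool linked above: Python that decodes the four headers quoted in the first post, reproduces the byte comparison, and clears only the low bit of byte 0x07 as the update describes. The field names and the reading of that bit as the copy flag are assumptions taken from the thread's observations, not from a format specification.

```python
# Added example: decode the 16-byte BANNER.BIN headers quoted in this thread.
# Field meanings are the posters' observations, not an official format spec.

MAGIC = b"WIBN"
FLAG_OFFSET = 0x07   # byte the posters identified
NOCOPY_BIT = 0x01    # low bit: 1 = Wii menu refuses to copy the save (assumed)

# First 16 bytes of each BANNER.BIN, copied from the first post.
SAMPLES = {
    "eledees_original":  "57 49 42 4E 00 00 00 11 AA AA 00 00 00 00 00 00",
    "eledees_powersave": "57 49 42 4E 00 00 00 00 00 02 00 00 00 00 00 00",
    "excite_truck":      "57 49 42 4E 00 00 00 00 55 55 00 00 00 00 00 00",
    "mario_kart":        "57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00",
}
HEADERS = {name: bytes.fromhex(h) for name, h in SAMPLES.items()}


def parse_header(data: bytes) -> dict:
    """Return the fields the thread discusses from a BANNER.BIN header."""
    if len(data) < 16 or data[:4] != MAGIC:
        raise ValueError("not a BANNER.BIN header (missing WIBN magic)")
    flag = data[FLAG_OFFSET]
    return {
        "flag_byte": flag,
        "no_copy": bool(flag & NOCOPY_BIT),
        "other_flag_bits": flag & ~NOCOPY_BIT & 0xFF,  # purpose unknown
        "icon_bytes": data[0x08:0x0A],  # seem to relate to icon animation
    }


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two headers differ (the comparison done by hand)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def clear_no_copy(data: bytes) -> bytes:
    """Clear only the low bit of byte 0x07; every other bit and byte is kept."""
    parse_header(data)  # validates magic and length
    out = bytearray(data)
    out[FLAG_OFFSET] &= ~NOCOPY_BIT & 0xFF
    return bytes(out)


if __name__ == "__main__":
    for name, hdr in HEADERS.items():
        f = parse_header(hdr)
        print(f"{name:18} flag=0x{f['flag_byte']:02X} "
              f"no_copy={f['no_copy']} icon={f['icon_bytes'].hex()}")
    print(diff_offsets(HEADERS["eledees_original"], HEADERS["eledees_powersave"]))
```
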
     


  2. FAST6191

    A simple flag huh. I find it odd with all the signing that happens they did not do whole save signing but then again it makes my life easier so I am not complaining.

    Nice work Lukeage.
     
  3. Dylaan

    Nice! Anyone care to make an application for the lazy among us? Also, is there a way to get a regular save onto your Wii without first playing the game? (For MKWii Unlock, I have American Save, need Euro... Read the editor didn't work with data.bin files)
     
  4. Lukeage
    OP

    Done. Added link to the original post.

    Edit: To answer the rest of your post, no it won't work on the data.bin files as they are encrypted (and you can't get the protected ones anyway). It needs the unencrypted files (BANNER.BIN to be exact) as extracted by Waninkoko's tool.
     
  5. Knocks

    Great work, congrats. The next step is now to do the editing directly from the Wii, so we can skip the dumping in the future.
     
  6. otto888

    So..a 100% US mario kart save with the same FC as last save is possible?
     
  7. Lukeage
    OP

    I have no idea what happens if the save is transferred to another Wii. Anyone with access to two Wiis able to test this?
     
  8. Pikachu025

    I can confirm that editing Elebits' banner.bin to remove the copy-lock works. Changed the 11 to a 10 and the save will now copy to SD card without any problems, and is loaded and saved fine by the game itself. The copy-lock doesn't even get re-set when the game saves! Oh, and by the way, it's the 8th byte, not the 7th (although it's at 0x07, which is probably what you were referring to).

    One small thing: When loading Elebits, I got an error that said that WiiConnect24 was unavailable, with an error code of 000000 and my Wii number below. This is probably totally unrelated to the save-editing, as my Internet is currently a bit clogged with uploads from torrents, but I thought I'd mention it.
     
  9. mattlouf

     
  10. duncans_pumpkin

    Well, if that's the case I can't see it being too hard to make a Wii program that just changes that bit, and then there's no need for the Waninkoko save dumper.
     
  11. Lukeage
    OP

    Thanks, I think we can pretty much confirm that the 01 at 0x07 is the flag.
     
  12. Dingler

    Anyone tried using the edited save-file on another Wii, never exposed to a save-file for the game in question?

    Awesome job btw!
     
  13. arrghus8

    Used this on Splinter Cell: Double Agent and it worked perfectly. Thanks.
     
  14. duncans_pumpkin

    Someone should inform WiiBrew, see if we can get a homebrew to do this all automatically.
     
  15. mattlouf

    I couldn't get the Battalion Wars savegame and have no more mario strick soccer, but it would be interesting to see their first 16 bytes as both games are different from the others:

    0 and you can copy it
    1 and you cannot copy it

    BUT these 2 games only allow copying HALF the savegame: the save on the Wii is 2 blocks and the save on SD card is 1 block


    Hope my engrish is clear ^^
     
  16. nanika

    Or possibly the save is, on the Wii, something like 1.001 blocks, rounded to 2, but when compressed to SD, it becomes something like 0.999, which is then rounded to 1.

    Or is actually only half of the stuff in the save copied?
     
  17. mattlouf

    There is, because there is a message saying that some data couldn't be copied
     
  18. Lukeage
    OP

    It is more likely that the Wii's memory and SD have different block sizes or overhead in storing the files. I just checked and the Mario Kart save is 23 blocks on the Wii and 24 on the SD.

    Edit: Just went and borrowed a copy from a friend who lives right nearby. You are right that it only copies part of it. I tried to extract it but get the same error as GH3.
     
  19. mattlouf

    I did extract the savegame of Battalion Wars with version 2 of Waninkoko's tool and I got:

    Code:
    00000000h: 57 49 42 4E 00 00 00 00 AA AA 00 00 00 00 00 00
    which means you can copy it (bit is 0, but remember, we could get only part of it) but there is a folder inside the savegame which is called "NOCOPY": this is obviously what you cannot copy with the Wii data management.

    For information, in Pokemon the bit is 1 (cannot copy).
    I presume the reason why it couldn't be dumped by Waninkoko's tool v1.1 was because it also has a folder. This folder is called "GENIUSPB".
     
  20. Pikachu025

    I just tried to "un-copy-protect" my Pokémon Battle Revolution and Endless Ocean saves, and have to report a failure. The save was indeed made copyable, and I could copy it, and both games could read the save fine. However, upon saving in either game, its save was copy-protected again, unlike Elebits which keeps the save as copyable even after saving.