Removing 'copy protection' from saved games

Discussion in 'Wii - Hacking' started by Lukeage, May 4, 2008.

May 4, 2008
  1. Lukeage
    OP

    Member Lukeage GBAtemp Regular

    Joined:
    Feb 24, 2004
    Messages:
    178
    Country:
    Australia
    I've been playing around with Waninkoko's save game tools, which are great, but it's a lot of hassle to backup/install saved games, especially if I want to take them to a friend's place where running homebrew might be a bigger hassle. So I started looking around the saves and this is what I've got so far.

    Firstly, I started with Eledees. Datel has a freely available powersave for it which is 'unprotected', so this was an excellent choice to start with. So I made a backup of my original save using the extractor. I then deleted my save and copied over the Datel one, which I then also copied off with the extractor. As a reference to what was common between saved games, I also made a copy of the Excite Truck save.

    I noticed that between Eledees and Excite Truck there were only 2 common files, FILELIST.DAT and BANNER.BIN. As the file lists are small, I had a quick look, but there wasn't much that could be changed in them. The two Eledees saves had the files in a different order, but it was unlikely that made any difference. This obviously left only the BANNER.BIN.

    I assumed that it would merely be a flag near the top of the file so I compared the 3 files and these were the first 16 bytes of each:

    Code:
    Original Eledees:
    00000000h: 57 49 42 4E 00 00 00 11 AA AA 00 00 00 00 00 00 ; WIBN....ªª......

    Powersave Eledees:
    00000000h: 57 49 42 4E 00 00 00 00 00 02 00 00 00 00 00 00 ; WIBN............

    Excite Truck:
    00000000h: 57 49 42 4E 00 00 00 00 55 55 00 00 00 00 00 00 ; WIBN....UU......


    Only 3 bytes difference between them. As Excite Truck used 2 bytes, my initial reaction was that the byte 0x07 was important, but firstly, I replaced the first line of the original Eledees save with the powersave one. I copied this back to the Wii and success!! My original save could now be copied to SD from the Wii menu.

    Being impatient, and rather than playing around with Eledees, I quickly copied my Mario Kart save and had a look at it:

    Code:
    Mario Kart:
    00000000h: 57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00 ; WIBN............


    Now this looks oddly familiar to the Eledees save, but what is this, byte 0x07 is different. I changed this to a 00 and copied it back. Once again, success!!

    Looks like this is the key. Unfortunately, I don't have any other locked games to test (well, I have GH3, but the extractor cannot copy that currently). If anyone has dumped their saves of other protected games, can you open up the BANNER.BIN and post the first 16 bytes?

    I am currently unsure why Eledees has 11 and Mario Kart has 01, but changing these both to 0 has made no noticeable difference so far (I've only checked the saved games still worked with the games briefly).

    Bytes 0x08 and 0x09 seem to relate to the animation of the game's icon in the Wii menu. Mario Kart's icon is static and so is the Powersave. The original Eledees save was animated, but became static when I replaced it with 00 02. The Excite Truck icon is also animated. Perhaps it relates to the number of frames?

    Hopefully this is helpful to anyone who is keen to play around. If you find anything new, please post it here for all to enjoy.

    ------------------------------------------

    Update:

    I went back to the Eledees save and modified this again. This time, rather than changing byte 0x08 and 0x09, I left them as AA AA. This keeps the icon animated. More importantly, I changed byte 0x07 from 11 to 10 instead, hence only changing a single bit. The save can still be copied! Since I don't know what the other bits are for, it is probably a good idea from now on just to change the single bit rather than the whole byte.

    -------------------------------------------

    For the lazy:

    Command line app to edit the bit:
    http://www.filefactory.com/file/387074/

    Usage: sgunprot filename
    eg. sgunprot BANNER.BIN
     


  2. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,745
    Country:
    United Kingdom
    A simple flag huh. I find it odd with all the signing that happens they did not do whole save signing but then again it makes my life easier so I am not complaining.

    Nice work Lukeage.
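
    An added example, not part of any post in this thread: it decodes the BANNER.BIN headers quoted in the thread and shows why an unauthenticated flag is not an integrity control. The HMAC tag, its key and the function names are assumptions made for illustration; nothing in the thread says the console computes such a tag.

```python
import hashlib
import hmac

# First 16 bytes of each BANNER.BIN as posted in the thread.
HEADERS = {
    "Eledees (original)": "57 49 42 4E 00 00 00 11 AA AA 00 00 00 00 00 00",
    "Eledees (Powersave)": "57 49 42 4E 00 00 00 00 00 02 00 00 00 00 00 00",
    "Excite Truck": "57 49 42 4E 00 00 00 00 55 55 00 00 00 00 00 00",
    "Mario Kart": "57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00",
    "Battalion Wars": "57 49 42 4E 00 00 00 00 AA AA 00 00 00 00 00 00",
}
MAGIC = b"WIBN"
FLAG_OFFSET = 0x07  # byte the thread identifies as holding the flag
NOCOPY_BIT = 0x01   # low bit: 1 = Wii menu refuses to copy the save


def parse_header(hex_dump: str) -> dict:
    """Split the header into the fields the thread reasons about."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 16 or raw[:4] != MAGIC:
        raise ValueError("not a BANNER.BIN header")
    flags = raw[FLAG_OFFSET]
    return {
        "flags": flags,
        "no_copy": bool(flags & NOCOPY_BIT),
        "other_bits": flags & ~NOCOPY_BIT & 0xFF,  # meaning unknown per the thread
        "anim": raw[0x08:0x0A].hex(),              # bytes tied to icon animation
    }


def tag(key: bytes, data: bytes) -> bytes:
    """Keyed MAC over the header (hypothetical control, assumed for this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def flip_detected(hex_dump: str, key: bytes) -> bool:
    """Clear only the no-copy bit, then verify against the tag made before the edit."""
    original = bytes.fromhex(hex_dump)
    stored_tag = tag(key, original)
    edited = bytearray(original)
    edited[FLAG_OFFSET] &= ~NOCOPY_BIT & 0xFF
    return not hmac.compare_digest(stored_tag, tag(key, bytes(edited)))


if __name__ == "__main__":
    for name, dump in HEADERS.items():
        print(f"{name:20} {parse_header(dump)}")
    print("edit detected:", flip_detected(HEADERS["Eledees (original)"], b"constructed-demo-key"))
```

    With a tag like this checked on load, the single-bit change described above would be rejected; without one, the header is trusted as written.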
     
  3. Dylaan

    Member Dylaan GBAtemp Fan

    Joined:
    Jul 5, 2007
    Messages:
    384
    Location:
    Gold Coast, Australia
    Country:
    Australia
    Nice! Anyone care to make an application for the lazy among us? Also, is there a way to get a regular save onto your Wii without first playing the game? (For MKWii Unlock, I have American Save, need Euro... Read the editor didn't work with data.bin files)
     
  4. Lukeage
    OP

    Member Lukeage GBAtemp Regular

    Joined:
    Feb 24, 2004
    Messages:
    178
    Country:
    Australia
    Done. Added link to the original post.

    Edit: To answer the rest of your post, no it won't work on the data.bin files as they are encrypted (and you can't get the protected ones anyway). It needs the unencrypted files (BANNER.BIN to be exact) as extracted by Waninkoko's tool.
     
  5. Knocks

    Member Knocks GBAtemp Advanced Fan

    Joined:
    Jun 12, 2006
    Messages:
    559
    Country:
    Great work, congrats. The next step is now to do the editing directly from the Wii, so we can skip the dumping in the future.
     
  6. otto888

    Member otto888 I break things for a living.

    Joined:
    Mar 12, 2008
    Messages:
    310
    Country:
    United States
    So..a 100% US mario kart save with the same FC as last save is possible?
     
  7. Lukeage
    OP

    Member Lukeage GBAtemp Regular

    Joined:
    Feb 24, 2004
    Messages:
    178
    Country:
    Australia
    I have no idea what happens if the save is transferred to another Wii. Anyone with access to two Wiis able to test this?
     
  8. Pikachu025

    Member Pikachu025 GBAtemp Advanced Fan

    Joined:
    May 3, 2006
    Messages:
    960
    Location:
    Austria
    Country:
    Austria
    I can confirm that editing Elebits' banner.bin to remove the copy-lock works. Changed the 11 to a 10 and the save will now copy to SD card without any problems, and is loaded and saved fine by the game itself. The copy-lock doesn't even get re-set when the game saves! Oh, and by the way, it's the 8th byte, not the 7th (although it's at 0x07, that's probably what you were referring to).

    One small thing: When loading Elebits, I got an error that said that WiiConnect24 was unavailable, with an error code of 000000 and my Wii number below. This is probably totally unrelated to the save-editing, as my Internet is currently a bit clogged with uploads from torrents, but I thought I'd mention it.
     
  9. mattlouf

    Member mattlouf GBAtemp Regular

    Joined:
    Sep 19, 2004
    Messages:
    219
    Location:
    Earth
    Country:
    United States
     
  10. duncans_pumpkin

    Newcomer duncans_pumpkin Advanced Member

    Joined:
    Feb 21, 2008
    Messages:
    50
    Country:
    United Kingdom
    Well, if that's the case I can't see it being too hard to make a Wii program that just changes that bit, and then there's no need for the Waninkoko save dumper.
     
  11. Lukeage
    OP

    Member Lukeage GBAtemp Regular

    Joined:
    Feb 24, 2004
    Messages:
    178
    Country:
    Australia
    Thanks, I think we can pretty much confirm that the 01 at 0x07 is the flag.
     
  12. Dingler

    Member Dingler GBAtemp Fan

    Joined:
    Apr 19, 2007
    Messages:
    398
    Country:
    Denmark
    Anyone tried using the edited save-file on another Wii, never exposed to a save-file for the game in question?

    Awesome job btw!
     
  13. arrghus8

    Newcomer arrghus8 Newbie

    Joined:
    Apr 27, 2007
    Messages:
    3
    Country:
    United States
    Used this on Splinter Cell: Double Agent and it worked perfectly. Thanks.
     
  14. duncans_pumpkin

    Newcomer duncans_pumpkin Advanced Member

    Joined:
    Feb 21, 2008
    Messages:
    50
    Country:
    United Kingdom
    Someone should inform WiiBrew and see if we can get a homebrew to do this all automatically.
     
  15. mattlouf

    Member mattlouf GBAtemp Regular

    Joined:
    Sep 19, 2004
    Messages:
    219
    Location:
    Earth
    Country:
    United States
    I couldn't get the Battalion Wars savegame and no longer have mario strick soccer, but it would be interesting to see their first 16 bytes, as both games are different from the others:

    0 and you can copy it
    1 and you cannot copy it

    BUT these 2 games only allow copying HALF the savegame: the save on the Wii is 2 blocks and the save on the SD card is 1 block


    Hope my engrish is clear ^^
     
  16. nanika

    Member nanika 文鎮じゃダメ!まぁ、こんな文字小さしすぎてどうせ読めないっしょ。

    Joined:
    Apr 22, 2008
    Messages:
    249
    Country:
    United States
    Or possibly the save is, on the Wii, something like 1.001 blocks, rounded to 2, but when compressed to SD, it becomes something like 0.999, which is then rounded to 1.

    Or is actually only half of the stuff in the save copied?
     
  17. mattlouf

    Member mattlouf GBAtemp Regular

    Joined:
    Sep 19, 2004
    Messages:
    219
    Location:
    Earth
    Country:
    United States
    There is, because a message says that some data couldn't be copied
     
  18. Lukeage
    OP

    Member Lukeage GBAtemp Regular

    Joined:
    Feb 24, 2004
    Messages:
    178
    Country:
    Australia
    It is more likely that the Wii's memory and SD have different block sizes or overhead in storing the files. I just checked and the Mario Kart save is 23 blocks on the Wii and 24 on the SD.

    Edit: Just went and borrowed a copy from a friend who lives right nearby. You are right that it only copies part of it. I tried to extract it but get the same error as GH3.
     
  19. mattlouf

    Member mattlouf GBAtemp Regular

    Joined:
    Sep 19, 2004
    Messages:
    219
    Location:
    Earth
    Country:
    United States
    I did extract the savegame of Battalion Wars with version 2 of Waninkoko's tool and I got:

    Code:
    00000000h: 57 49 42 4E 00 00 00 00 AA AA 00 00 00 00 00 00
    which means you can copy it (bit is 0, but remember, we could get only part of it), but there is a folder inside the savegame which is called "NOCOPY": this is obviously what you cannot copy with the Wii data management.

    For information, in Pokemon the bit is 1 (cannot copy).
    I presume the reason why it couldn't be dumped by Waninkoko's tool v1.1 was because it also has a folder. This folder is called "GENIUSPB".
     
  20. Pikachu025

    Member Pikachu025 GBAtemp Advanced Fan

    Joined:
    May 3, 2006
    Messages:
    960
    Location:
    Austria
    Country:
    Austria
    I just tried to "un-copy-protect" my Pokémon Battle Revolution and Endless Ocean saves, and have to report a failure. The save was indeed made copyable, and I could copy it, and both games could read the save fine. However, upon saving in either game, its save was copy-protected again, unlike Elebits which keeps the save as copyable even after saving.
     
