Hacking Removing 'copy protection' from saved games

Lukeage · May 4, 2008

I've been playing around with Waninkoko's save game tools which is great, but its a lot of hassle to backup/install saved games, especially if I want to take them to a friends place where running homebrew might be a bigger hassle. So I started looking around the saves and this is what I've got so far.

Firstly, I started with Eledees. Datel has a freely available powersave for it which is 'unprotected' so this was an excellent choice to start with. So I made a backup of my original save using the extractor. I then deleted my save and copied over the datel one, which I then also copied off with the extractor. As a reference to what was common between saved games, I also make a copy of the Excite Truck save.

I noticed that between Eledees and Excite Truck there were only 2 common files, FILELIST.DAT and BANNER.BIN. As the file lists are small, I had a quick look, but there wasn't much that could be changed in them. The two eledees saves had the files in a different order, but it was unlikely that made any difference. This obviously left only the BANNER.BIN.

I assumed that it would merely be a flag near the top of the file so I compared the 3 files and these were the first 16 bytes of each:

CODEOriginal Eledees:
00000000h: 57 49 42 4E 00 00 00 11 AA AA 00 00 00 00 00 00 ; WIBN....ªª......

Powersave Eledees:
00000000h: 57 49 42 4E 00 00 00 00 00 02 00 00 00 00 00 00 ; WIBN............

Excite Truck:
00000000h: 57 49 42 4E 00 00 00 00 55 55 00 00 00 00 00 00 ; WIBN....UU......

Only 3 bytes difference between them. As Excite truck used 2 bytes, my initial reaction was that the byte 0x07 was important, but firstly, I replaced the first line of the original eledees save with the powersave one. I copied this back to the Wii and sucess!! My original save could now be copied to SD from the Wii menu.

Being impateient, and rather than playing around with Eledees, I quickly copied my Mario Kart save and had a look at it:

CODEMario Kart:
00000000h: 57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00 ; WIBN............

Now this looks oddly familiar to the Eledees save, but what is this, byte 0x07 is different. I changed this to a 00 and copied it back. Once again, sucess!!

Looks like this is the key. Unfortunately, I don't have any other locked games to test (well, I have GH3, but the extractor cannot copy that currently). If anyone has dumped their saves of other protected games, can you open up the BANNER.BIN and post the first 16 bytes?

I am currently unsure why Eledees has 11 and Mario Kart has 01, but changing these both to 0 has made no noticable difference so far (I've only checked the saved games still worked with the games breifly).

Bytes 0x08 and 0x09 seem to relate to the animation of the games icon in the Wii menu. Mario Kart's icon is static and so is the Powersave. The original Eledees save was animated, but became static when I replaced it with 00 02. The Excite Truck icon is also animated. Perhaps it relates to the number of frames?

Hopefully this is helpful to anyone who is keen to play around. If you find anything new, please post it here for all to enjoy.

------------------------------------------

Update:

I went back to the Eledees save and modified this again. This time, rather than changing byte 0x08 and 0x09, I left them as AA AA. This keeps the icon animated. More importantly, I changed byte 0x07 from 11 to 10 instead, hence only changing a single bit. The save can still be copied! Since I don't know what the other bits are for, it is probably a good idea from now just to change the single bit rather than the whole byte.

-------------------------------------------

For the lazy:

Command line app to edit the bit:
http://www.filefactory.com/file/387074/

Usage: sgunprot filename
eg. sgunprot BANNER.BIN

FAST6191 · May 4, 2008

A simple flag huh. I find it odd with all the signing that happens they did not do whole save signing but then again it makes my life easier so I am not complaining.

Nice work Lukeage.

Dylaan · May 4, 2008

Nice! Anyone care to make application for the lazy among us? Also, is there a way to get a regular save onto your Wii without first playing the game? (For MKWii Unlock, I have American Save, need Euro... Read the editor didn't work with data.bin files)

Lukeage · May 4, 2008

Dylaan said:
Nice! Anyone care to make application for the lazy among us? Also, is there a way to get a regular save onto your Wii without first playing the game? (For MKWii Unlock, I have American Save, need Euro... Read the editor didn't work with data.bin files)

Done. Added link to the original post.

Edit: To answer the rest of your post, no it won't work on the data.bin files as they are encrypted (and you can't get the protected ones anyway). It needs the unencrypted files (BANNER.BIN to be exact) as extracted by Waninkoko's tool.

Knocks · May 4, 2008

Great work, congrats. The next step is now to do the editing directly from the Wii, so we can skip the dumping in the future.

otto888 · May 4, 2008

Lukeage said:
(LONG POST GOES HERE)

So..a 100% US mario kart save with the same FC as last save is possible?

Lukeage · May 4, 2008

otto888 said:
Lukeage said:

(LONG POST GOES HERE)

Click to expand...

So..a 100% US mario kart save with the same FC as last save is possible?

I have no idea what happens if the save is transferred to another Wii. Anyone with access to two wiis able to test this?

Pikachu025 · May 4, 2008

I can confirm that editing Elebits' banner.bin to remove the copy-lock works. Changed the 11 to a 10 and the save will now copy to SD card without any problems, and is loaded and saved fine by the game itself. The copy-lock doesn't even get re-set when the game saves! Oh, and by the way, it's the 8th byte, not the 7th (Although, it's at 0x07, that's probably what you were refering to).

One small thing: When loading Elebits, I got an error that said that WiiConnect24 was unavailable, with an error code of 000000 and my Wii number below. This is probably totally unrelated to the save-editing, as my Internet is currently a bit clogged with uploads from torrents, but I thought I'd mention it.

mattlouf · May 4, 2008

Lukeage said:
Looks like this is the key. Unfortunately, I don't have any other locked games to test (well, I have GH3, but the extractor cannot copy that currently). If anyone has dumped their saves of other protected games, can you open up the BANNER.BIN and post the first 16 bytes?

CODEPES2008:
00000000h: 57 49 42 4E 00 00 00 01 AA AA 00 00 00 00 00 00
Pokemon:
00000000h: 57 49 42 4E 00 00 00 01 AA AA 00 00 00 00 00 00
Mario & Sonic olympic games:
00000000h: 57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00

duncans_pumpkin · May 4, 2008

well if thats the case i cant see it being too hard to make a wii program that just changes that bit and then no need on the waninkoko save dumper.

Lukeage · May 4, 2008

Pikachu025 said:
I can confirm that editing Elebits' banner.bin to remove the copy-lock works. Changed the 11 to a 10 and the save will now copy to SD card without any problems, and is loaded and saved fine by the game itself. The copy-lock doesn't even get re-set when the game saves! Oh, and by the way, it's the 8th byte, not the 7th (Although, it's at 0x07, that's probably what you were refering to).

One small thing: When loading Elebits, I got an error that said that WiiConnect24 was unavailable, with an error code of 000000 and my Wii number below. This is probably totally unrelated to the save-editing, as my Internet is currently a bit clogged with uploads from torrents, but I thought I'd mention it.

I jumped online with Mario Kart and didn't have any issues. Have also changed the first post to the offsets, when you spend most of your time counting from 0, you forget to add one elsewhere

mattlouf said:

Lukeage said:

Looks like this is the key. Unfortunately, I don't have any other locked games to test (well, I have GH3, but the extractor cannot copy that currently). If anyone has dumped their saves of other protected games, can you open up the BANNER.BIN and post the first 16 bytes?

CODE

Click to expand...

PES2008:
00000000h: 57 49 42 4E 00 00 00 01 AA AA 00 00 00 00 00 00
Pokemon:
00000000h: 57 49 42 4E 00 00 00 01 AA AA 00 00 00 00 00 00
Mario & Sonic olympic games:
00000000h: 57 49 42 4E 00 00 00 01 00 02 00 00 00 00 00 00

Click to expand...

Thanks, I think we can pretty much confirm that the 01 at 0x07 is the flag.

Dingler · May 4, 2008

Anyone tried using the edited save-file on another Wii, never exposed to a save-file for the game in question?

Awesome job btw!

arrghus8 · May 4, 2008

used this on splinter cell: double agent and worked perfectly. thanks

duncans_pumpkin · May 4, 2008

someone should inform WiiBrew see if we can get a homebrew to do this all automaticly.

mattlouf · May 4, 2008

I couldn't get battalion wars savegame and have no more mario strick soccer but this would be interesting to see their first 16 bytes as both games are differents from other:

0 and you can copy it
1 and you cannot copy it

BUT these 2 games only allow to copy HALF savegame : the save on WII is 2 blocks and the save on SD card is 1 block

Hope my engrish is clear ^^

nanika · May 4, 2008

Or possibly the save is, on the wii, something like 1.001 blocks, rounded to 2, but when compressed to SD, it becomes something like 0.999, which is then rounded to 1.

Or is actually only half of the stuff in the save copied?

mattlouf · May 5, 2008

nanika said:
Or possibly the save is, on the wii, something like 1.001 blocks, rounded to 2, but when compressed to SD, it becomes something like 0.999, which is then rounded to 1.

Or is actually only half of the stuff in the save copied?

There is, because a message saying that some data couldn't be copied

Lukeage · May 5, 2008

mattlouf said:
I couldn't get battalion wars savegame and have no more mario strick soccer but this would be interesting to see their first 16 bytes as both games are differents from other:

0 and you can copy it
1 and you cannot copy it

BUT these 2 games only allow to copy HALF savegame : the save on WII is 2 blocks and the save on SD card is 1 block

Hope my engrish is clear ^^

It is more likely that the Wii's memory and SD have different block sizes or overhead in storing the files. I just checked and the Mario Kart save is 23 blocks on the Wii and 24 on the SD.

Edit: Just went a borrowed a copy from a friend who lives right near by. You are right that it only copies part of it. I tried to extract it but get the same error as GH3.

mattlouf · May 6, 2008

I did extract savegame of battalion wars with version 2 of Waninkoko's tool and i got :

Code:

00000000h: 57 49 42 4E 00 00 00 00 AA AA 00 00 00 00 00 00

which mean you can copy it (bit is 0, but remember, we could get only part of it) but there is a folder inside the savegame which is called "NOCOPY" : this is obviously what you cannot copy with the wii data management.

For information, in Pokemon the bit is 1 (cannot copy).
I presume the reason why it couldn't be dumped by Waninikoko's tool v1.1 was because it also has a folder. This folder is called "GENIUSPB".

Pikachu025 · May 9, 2008

I just tried to "un-copy-protect" my Pokémon Battle Revolution and Endless Ocean saves, and have to report a failure. The save was indeed made copyable, and I could copy it, and both games could read the save fine. However, upon saving in either game, its save was copy-protected again, unlike Elebits which keeps the save as copyable even after saving.

Hacking Removing 'copy protection' from saved games

Well-Known Member

Techromancer

Well-Known Member

Well-Known Member

Well-Known Member

I break things for a living.

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

New Member

Well-Known Member

Well-Known Member

文鎮じゃダメ！まぁ、こんな文字小さしすぎてどうせ読めないっしょ。

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Similar threads

Popular threads in this forum