Hacking Save Game swapping

crumpster

Well-Known Member
OP
Newcomer
Joined
Jun 12, 2006
Messages
89
Trophies
0
XP
154
Country
I have been cleared that it's legal to swap save games, so if you have a Red Steel savegame and want to swap it for hacking purposes then please PM me. Or I will also take a Wii Sports save game. Those are the only two games I own. I am going to make the savegames public on usenet at alt.binaries.nintendo.wii. There have been 4 new usenet groups added for Wii discussion. I won't list them because I don't want this to be closed again, but you can search usenet for them. That is where other resources will be posted.
 

crumpster

Well-Known Member
OP
Newcomer
Joined
Jun 12, 2006
Messages
89
Trophies
0
XP
154
Country
Sorta off topic, but:

Below is the file layout for Sonic after it is copied to the SD card (Virtual Console game):

Directory of C:\Documents and Settings\x\Desktop\sonic\

C:\Documents and Settings\x\Desktop\sonic\title
C:\Documents and Settings\x\Desktop\sonic\title\MAHE
C:\Documents and Settings\x\Desktop\sonic\title\RZDE


C:\Documents and Settings\x\Desktop\sonic\
=====================================================

Total 0 file(s); Size: 0 Byte(s)


C:\Documents and Settings\x\Desktop\sonic\title
==========================================================

Total 0 file(s); Size: 0 Byte(s)


C:\Documents and Settings\x\Desktop\sonic\title\MAHE
===============================================================
content.bin 2975 KB 11/21/2006 03:45:08 PM a

Total 1 file(s); Size: 3047360 Byte(s)


C:\Documents and Settings\x\Desktop\sonic\title\RZDE
===============================================================
data.bin 77 KB 11/21/2006 03:43:30 PM a

Total 1 file(s); Size: 79104 Byte(s)


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Total 3 folder(s); 2 file(s)

Total files size: 3 MB; 3053 KB; 3126464 Bytes

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
In all the files, is there anything in human readable cleartext? For example, a SHA-1 hash, maybe with a salt?
 

crumpster

Well-Known Member
OP
Newcomer
Joined
Jun 12, 2006
Messages
89
Trophies
0
XP
154
Country
In all the files, is there anything in human readable cleartext? For example, a SHA-1 hash, maybe with a salt?

Absolutely not. I also am investigating my savegames. I have tried running a Virtual Console game that wasn't mine (came off my other Wii) and it will say "Cannot copy to the system". They are using some sort of system check. I wonder if it's by the system MAC address.
 

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
At the moment I am trying to 'obtain' two VC games from different consoles to compare the content.bin files to see if these files are completely different (indicating encryption), or mostly the same (indicating no encryption). After obtaining two different samples, I will post my results. content.bin is most likely an archive, by the way, so would anybody mind PMing, say, the first 5 KB of data so I can try and identify the headers?
 

corbs132

Well-Known Member
Member
Joined
Aug 19, 2004
Messages
846
Trophies
0
XP
276
Country
United States
I say we do a compare function and see if the content.bin is byte for byte exactly the same on all consoles. If not, we determine where it is wrong. I am good with reverse engineering stuff like that, so just ask for help if you need any.
 
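Both The_Pope's plan (compare content.bin from two consoles to see whether they are wholly different or mostly the same) and corbs132's suggestion (a byte-for-byte compare that then pins down where the files differ) amount to the same tool. The script below is an added example, not code from anyone in this thread: it reports the offset ranges where two dumps differ, summarises the result in the thread's terms, and adds a byte-entropy check as a second hint for encryption. The two 1 KiB sample buffers are constructed for the demonstration and are not real content.bin data.

```python
"""Locate console-specific bytes by diffing two dumps of the same title.

Added example (not from the thread): given content.bin copied from two
different consoles, report where they differ and how much. Small, localized
differences point at per-console fields; near-total difference together with
~8 bits/byte entropy points at per-console encryption.
"""
import math
from typing import List, Optional, Tuple


def diff_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) offset ranges where the two dumps differ.

    If the lengths differ, the tail beyond the shorter dump is reported
    as one extra differing region.
    """
    regions: List[Tuple[int, int]] = []
    common = min(len(a), len(b))
    start: Optional[int] = None
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, common))
    if len(a) != len(b):
        regions.append((common, max(len(a), len(b))))
    return regions


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random or encrypted data approaches 8.0; plain
    structured data (headers, ASCII strings, zero padding) is well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def classify(a: bytes, b: bytes) -> str:
    """Summarise a comparison in the terms the thread uses."""
    regions = diff_regions(a, b)
    if not regions:
        return "identical"
    differing = sum(end - start for start, end in regions)
    fraction = differing / max(len(a), len(b))
    return "wholly different" if fraction > 0.9 else "mostly same"


# Constructed sample data, NOT real content.bin dumps: two 1 KiB buffers that
# agree everywhere except a 16-byte field at offset 0x100.
SAMPLE_A = bytes(range(256)) * 4
SAMPLE_B = SAMPLE_A[:0x100] + b"\xff" * 16 + SAMPLE_A[0x110:]


if __name__ == "__main__":
    for start, end in diff_regions(SAMPLE_A, SAMPLE_B):
        print(f"differs at 0x{start:x}-0x{end:x} ({end - start} bytes)")
    print(classify(SAMPLE_A, SAMPLE_B))
    print(f"entropy of sample A: {shannon_entropy(SAMPLE_A):.2f} bits/byte")
```

To run it on real dumps, read both files with `open(path, "rb").read()` and pass them to `diff_regions`; a handful of short regions near the end of the file is the pattern that would support the "per-console field" theory, whereas differences everywhere plus entropy near 8 means a byte compare alone will not tell you where the console binding lives.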

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
We could capture a ROM transfer off the air/wire and compare it to a ROM after it has been on a Wii and see if the ROM is tied to a console before transmission, or after. If before, I could try manually letting data through to Nintendo and seeing if I can generate an untied ROM. If after, then we may be able to play ROMs captured directly off the wire without being tied, if Nintendo was stupid...
 

wiigamer

Member
Newcomer
Joined
Nov 19, 2006
Messages
6
Trophies
0
XP
1
Country
In all the files, is there anything in human readable cleartext? For example, a SHA-1 hash, maybe with a salt?


Absolutely not, I also am investigating my savegames. I have tried running a Virtual Console Game that wasn't mine (came off my other wii) and it will say "Cannot copy to the system" They are using some sort of system check. I wonder if its by the system MAC address.
Seems like they are using the MAC address system check in a way similar to the way Sony used it on SOCOM FTB2 for the PSP.
 

Ben_j

Well-Known Member
Member
Joined
Nov 13, 2005
Messages
696
Trophies
0
Age
36
Website
www.nintendo-gamers.net
XP
405
Country
France
I say we do a compare function and see if the content.bin is byte for byte exactly the same on all consoles. If not, we determine where it is wrong. i am good with reverse engineering stuff like that, so just ask for help if you need any.

I don't think it will be that simple. They must use a better protection, using the game AND the console. That way, the code is different on every game, even on the same Wii...

For example, they do an MD5 with the title of the game and the MAC address altogether.
 

crumpster

Well-Known Member
OP
Newcomer
Joined
Jun 12, 2006
Messages
89
Trophies
0
XP
154
Country
The_Pope, corbs, whoever else, shoot me a PM with your email address. Anyone who is interested in this, PM me, I have some interesting stuff.

niklasnyfiken, I have Sonic the Hedgehog. What do you want me to look for...

content.bin hexedit header
9F605494BF22C40CF1ABD130B9792296B3DB852A038D8861697F5BB670B4FCE3CAB09CCA56086046
16B736B610F94B80E88C0B2887BA0C0376988A170BB52B1B36658BA90E03F60654FB4B386F3F77F0
338339C6D39C90B7A25F5EA6B250A48161EBA45B92931AC05C0A33B3C8F31BB2076F8B4E2D2F0D84
0B8820F760E0C8D69DA025C86BD4F9D5FF7CA488667012ED6CAAE3660BCEE077CDCBE9CF8A453B50
D60134CCCCD7C66A3CFBC0C8C5B455BBC271FC0610E71CDABAB4B65F71580B486BC5EB4C6CBCEAC3
47B0E8B6DB282D7B26B978C1E07427FFF695DC64EC3874B123B6CE0F3CC7ACBC93198F869B6A1CEF
71D501CFA6A695C852F7D8D9C01E98106608F18E7EFFCEDFA8C89A5EDF9BC0F9DBB91B6605

data.bin hexedit header
915FFD1EE4B664B139EC84D72470CF5D7D4098771F28B31F840B8E3D795BCF604323DE547AF4A770
2AECBAAE6A1EDFDEE1250A6B5ED84B1589E4A8B858F3E5136D7D2D08830968D4B4325EB3B16D553E
7899D9429089AB7578F061E728E36395F77E44E54F6C98A8EAD21D6E67BB659D16D7AEE64D710AD6
20F9BD6CC2358CC21B169F996DA62BF411D9EE0C12679D915771A69419785B1CA4CC67ABFD8EE20A
327FEF27416DCE30E061BD05113B8D5A2655FBF91C8DC765452B8BC94BAFFCA86DAB870F2D472817
ECF3497E2CD4281A305DF4DF8BBAC7C549F14FBED448DD8CA967A0FF96C490478A9AE28068C05B02
E42A7D2723D757DE6A
 

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
If those are genuine data from games, I believe we may have something. Root-CA00000001-CP00000004 appears a lot throughout the tmd files (http://akusho.maidlab.jp/wii/). This appears in them all, regardless of what game it is. This is most likely an internal system serial number, and is IMO the data that ties it to a specific console. However, I can't check out this theory, because I have no Wii to test on.
 

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
Ok, using some samples of Sonic, I've located some data similar to the Root-CA* data mentioned in my previous post, in both content.bin and data.bin, at the end of the files. I won't list them, in case the person gets in trouble, but they are in both content.bin and data.bin. I presume that this is identifiable information. I believe the next step is comparison (the files on http://akusho.maidlab.jp/wii/ are weird, and not in the format mentioned in this topic), and then a packet dump.
 

Dirtie

:'D
Former Staff
Joined
Sep 9, 2003
Messages
3,705
Trophies
1
Location
Zealer
XP
405
Country
New Zealand
Off-topic, but Pope do you even have a Wii yet? (I ask because NZ doesn't get it until the 7th)

I'll be happy to help out with any packet sniffing/intercepting or data analyzing as soon as I get mine.

Not because I exactly want to see it exploited so fast, but just out of interest of how this stuff works.
 

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
Unfortunately, I do not have a Wii yet, so I cannot test out my theories. My theory for getting Wii VC 'backups' to work is the following.

1. Purchase a Wii VC game, legally.
2. Back up this game to your computer.
3. Open your legal game, and locate all Root-CA* references.
4. Replace all references to Root-CA and the obvious serial numbers with the ones obtained from your legally backed up game.
5. Save this file.
6. Put it on SD and try and play it on your Wii.

I can't test; as stated above, I don't have a Wii.

However, what I am really interested in is a packet dump of an update, or something else. Please supply if anyone has!
 

The_Pope

Active Member
Newcomer
Joined
Nov 22, 2005
Messages
25
Trophies
0
XP
24
Country
New Zealand
Sorry for the double post, but I believe I'm wrong. I just realised what a Root-CA is. A root certificate authority (doh!). This just means they are signed, by Nintendo.
 

mr.slacker

New Member
Newbie
Joined
Nov 17, 2006
Messages
4
Trophies
0
XP
183
Country
United States
My apologies if this has already been explained, but what exactly are we looking at at http://akusho.maidlab.jp/wii/ ? I mean, I see that the base URL for the links is http://ccs.shop.wii.com/ccs/download/0001000146414945/tmd. Is this actually where the Wii downloads the VC games?? And what exactly does all the info listed mean? This may be pointless overthinking, but here's my analysis of what I could figure out:

- The only part changing in the links between games is the directory between /download and /(whatever file you're getting), e.g. download/0001000146414945/tmd

- The part that is changing in the URL mentioned above varies according to the hex value of the game code (e.g. 0x46414945 = F A I E in ASCII, the code for soccer, the corresponding download). The first 8 digits, 00010001, don't change from game to game, and are either meaningless hex, or binary for "11".

- All game codes end in "E"; NES games begin with "FA", SNES with "JA", Mega Drive/Genesis with "MA", N64 with "NA", and whatever PCE/TG16 is with "PA" (the second letter is always "A" whatever the system, and the third letter varies between games on the system).

- The URL corresponds to the hex of the tmd file (see my hex analysis).

I doubt this is helpful, but just a pattern I noticed... Also, is this all the VC games? Or are there more out there?

Okay, and now my analysis of the hex itself (likely also obvious and boring, but, whatev), of at least the tmd files, as I haven't got a chance to look at the rest or the VC headers crumpster posted.

- Like The_Pope said, Root-CA00000001-CP00000004 appears throughout all the tmd files at the same locations (3 times in each file, beginning at 0x140, 0x420, and 0x820, though the last one doesn't have the CP00000004 part).

- The game code is listed beginning at 0x190, with what appears to be some sort of a publisher code at 0x198 (this is just a guess though, but it seems that Nintendo and for some reason Tecmo = 01, Sega = 8p, and Hudson Soft = 18).

- The changing part of the download URL (e.g. http://ccs.shop.wii.com/ccs/download/0001000146414945/tmd) is the hex from 0x18c to 0x193.

That's about all I can gather from observation, though I'll look at the other files when I get some sleep... The only thing that comes to mind looking at the hex is that, as the game code and whatever this Root-CA stuff is appear in plaintext, it would seem that at least the tmd files are unencrypted (though it could be that just data in certain areas is, or the 01, 02, etc. files are encrypted in some way).

So, I can't really see any immediate connection or significance in this, but maybe someone else can. I guess I'll think on it some more and look at some more stuff. Oh yeah, and has anyone been able to copy a VC game to SD card, hex edit something insignificant, put it back on their card and run it? This could possibly be a way to check if the files are signed or anything (and then if it does work or give an error, editing different parts, like what could possibly be the console identification, could be used to see if it gives different errors). Anyway, happy hacking.

Edit: ah, shoot, just read The_Pope's post (ha, guess it took me a long time to write my post...) about what the CA meant, that kind of sucks... But I still am interested in what error changing values gives you in a VC game. And yeah, a packet dump of any of the network related stuff would be very interesting if anyone has one (if anyone needs help with it, just ask, I think I could help, and it sounds like The_Pope knows what he's doing too).
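The URL pattern and tmd offsets mr.slacker worked out above are enough to write a small decoder, which is the quickest way to check the observations against more files. The script below is an added example, not code from anyone in this thread: it extracts the 16-hex-digit title ID from a ccs.shop.wii.com download URL, splits it into the constant high word and the ASCII game code, and reads the issuer string (0x140), title ID (0x18c), and two-byte publisher code (0x198) out of a tmd buffer at the offsets the post reports. The system-by-prefix table is the pattern the post observed, not an official list, and the sample tmd buffer is constructed for the demonstration rather than taken from a real Nintendo file.

```python
"""Decode the fields the thread located in a Wii TMD and its download URL.

Added example (not from the thread). Offsets follow mr.slacker's post:
issuer string at 0x140, 8-byte title ID at 0x18c (the same hex that appears
in the ccs.shop.wii.com download URL), 4-byte game code at 0x190, and the
2-byte publisher code at 0x198. SYSTEM_BY_PREFIX is the post's observation.
"""

ISSUER_OFF = 0x140
TITLE_ID_OFF = 0x18C
GROUP_ID_OFF = 0x198

SYSTEM_BY_PREFIX = {
    "FA": "NES",
    "JA": "SNES",
    "MA": "Mega Drive/Genesis",
    "NA": "N64",
    "PA": "PC Engine/TurboGrafx-16",
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def title_id_from_url(url: str) -> int:
    """Pull the 16-hex-digit title ID out of .../ccs/download/<id>/<file>."""
    parts = url.rstrip("/").split("/")
    try:
        tid = parts[parts.index("download") + 1]
    except (ValueError, IndexError):
        raise ValueError(f"no download segment in {url!r}")
    if len(tid) != 16 or any(c not in HEX_DIGITS for c in tid):
        raise ValueError(f"malformed title ID {tid!r}")
    return int(tid, 16)


def decode_title_id(tid: int) -> dict:
    """Split a title ID into its constant high word and ASCII game code."""
    high, low = tid >> 32, tid & 0xFFFFFFFF
    code = low.to_bytes(4, "big").decode("ascii", errors="replace")
    return {
        "type": f"{high:08x}",  # 00010001 on every VC title the post saw
        "code": code,           # e.g. FAIE
        "system": SYSTEM_BY_PREFIX.get(code[:2], "unknown"),
        "region": code[3],      # the post saw only "E"
    }


def parse_tmd_header(tmd: bytes) -> dict:
    """Read the plaintext fields at the offsets listed above."""
    if len(tmd) < GROUP_ID_OFF + 2:
        raise ValueError("buffer too short to hold the TMD header fields")
    issuer = tmd[ISSUER_OFF:ISSUER_OFF + 64].split(b"\0", 1)[0]
    tid = int.from_bytes(tmd[TITLE_ID_OFF:TITLE_ID_OFF + 8], "big")
    group = tmd[GROUP_ID_OFF:GROUP_ID_OFF + 2]
    return {
        "issuer": issuer.decode("ascii", errors="replace"),
        "title_id": f"{tid:016x}",
        "group": group.decode("ascii", errors="replace"),
        **decode_title_id(tid),
    }


def build_sample_tmd(issuer: bytes, tid: int, group: bytes) -> bytes:
    """Construct a header-only stand-in for a TMD (NOT a real Nintendo file)."""
    buf = bytearray(0x1E4)
    buf[ISSUER_OFF:ISSUER_OFF + len(issuer)] = issuer
    buf[TITLE_ID_OFF:TITLE_ID_OFF + 8] = tid.to_bytes(8, "big")
    buf[GROUP_ID_OFF:GROUP_ID_OFF + 2] = group
    return bytes(buf)


# Constructed inputs: the URL quoted in the post, and a synthetic tmd header
# carrying the issuer string and publisher code the post describes.
SAMPLE_URL = "http://ccs.shop.wii.com/ccs/download/0001000146414945/tmd"
SAMPLE_TMD = build_sample_tmd(b"Root-CA00000001-CP00000004", 0x0001000146414945, b"01")

if __name__ == "__main__":
    print(decode_title_id(title_id_from_url(SAMPLE_URL)))
    print(parse_tmd_header(SAMPLE_TMD))
```

Pointing `parse_tmd_header` at a real tmd file (`open(path, "rb").read()`) and checking that its title ID matches the URL it was fetched from is the direct test of the post's claim that the URL segment is the hex at 0x18c-0x193; the plaintext issuer string it recovers is the "Root-CA" certificate chain name The_Pope identified, which is what you would expect in the header of a signed file rather than a per-console identifier.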
 
