ROM Hack Discussion smash bros ultimate amiibo editor?

[odwdinc]

I am trying to edit the stats of smash bros ultimate FP Fighter amiibos.
If use a SSB amiibo with smash bros ultimate it need to port the data to a new format to be used.
After this convention I can no longer edit the stats with the normal SSB amiibo edit tools.
I have been able to use amiitool to decrypt the amiibo.bin,.
After doing some digging I found the location of Attack and defense values.
in little endian
@ offset 150 for Attack
@ offset 152 for Defense

Without changing anything and re-encrypting, the end file buffer of 32 bytes of 0xFF is no-longer there. it still loads in game and works as expected.
Changing eater the Attack or Defense values, the amiibo will no longer load in game.

my best guess is there is some check sum that needs to be updated

anyone what to give it a go?

 

[coppertj]

Would like an update on this. 3DS had one for its smash.
I think it's a matter of decrypting the character save data on the NFC chip in the amiibo for this new smash game (unless theres some saves uploaded already of amiibo save data for ultimate?) and make a app like the one on 3ds that maxes out the character stats so the process becomes automatic and done on the switch.

 

[odwdinc]

I did some digging I was able to transfer the stats, moves, etc form one amiibo to the another amiibo with out changing the name, owner, type, etc. you have to move the following for it to work
32 bytes for Checksum @ (0x08-0x27)
220 bytes for Data @(0xD8 - 0X1B3)
The checksum changes on each save of amiibo, without any changes to any to the data block.
There are counters located at 0x2C and 0xB5 that increase with each save but do not have impact on the checksum. Changing eater of these locations will still load the amiibo.
Any of the previous checksum work if the data block is the same.
Resetting a checksum to previous value will still load as long as the data block is the same.

 

[odwdinc]

32 bytes for Checksum @ (0x08-0x27) is confirmed to be SHA-256 of data block Data @(0xD8 - 0X1B3)
data block is check as well
maybe at 4 bytes @ 0xDC ?? idk
I was able to replace the Checksum with a SHA-256 of data block and it loaded fine with out changes to the amiibo.
changing any data in the data block no go..

 

[froggestspirit]

Do amiibo's have unique ID's for same characters? I'm wondering if the game's save file stores something to compare against the amiibo's data, although that's null if you load it on another switch...

 

[odwdinc]

Do amiibo's have unique ID's for same characters? I'm wondering if the game's save file stores something to compare against the amiibo's data, although that's null if you load it on another switch...

I have test on other switch, all load fine.
It seems to be another checksum, something in the 220 bytes for the Data block @(0xD8 - 0X1B3)
I'm gussying its a 4 byte ??? @ (0xDC - 0xDF)

 

[odwdinc]

Did a test with a fresh amiibo.
By setting Customize -> Learn to OFF. I was able to do a one bit change to the data block,

Learn On

82 4B 8D 0D 77 6A 7C 70 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Learn OFF

82 4B 8D 0D FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 

[novakirby]

ieee crc32 polynomial with inXOR = 0x0 and outXOR = 0xFFFFFFFF

 

[odwdinc]

ieee crc32 polynomial with inXOR = 0x0 and outXOR = 0xFFFFFFFF

any clue how to go about finding the polynomial?
I have been trying reveng with out much luck.
I have tried with the check sum at the beginning and the end of the data block on "Learn on" both produce "no models found"

running on "Learn OFF" check sum at the beginning produces

width=32  poly=0x04c11db7  init=0xffffffff  refin=false  refout=false  xorout=0x00000000  check=0x0376e6e7  residue=0x00000000  name="CRC-32/MPEG-2"
width=32  poly=0x04c11db7  init=0xffffffff  refin=true  refout=true  xorout=0x00000000  check=0x340bc6d9  residue=0x00000000  name="CRC-32/JAMCRC"

check sum at the end produces

width=32  poly=0x04c11db7  init=0x00000000  refin=false  refout=false  xorout=0xffffffff  check=0x765e7680  residue=0xc704dd7b  name="CRC-32/CKSUM"

Once any changes are made to the data block i get "no models found"
For reference hear is a dump just after one upgrade note the 64 bits at the bottom is this yet another hash? or 2??

82 4B 8D 0D      //Unknown but constant
75 98 2B B2      //?? ieee crc32 checksum ??
00 00
00                    //Learning On/Off
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 1B           //Exp ??? unconfirmed
00 00 00
14 01           //Attack
BC 00          //Defense
00 00 
00 00         //Gift and count
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
C5 62 4E FC 7D A2 58 2C E6 7E DF F7 FD 8A A2 F8   //
13 BF F7 EE 10 DF DD 3D F8 C0 EF F7 FB FD 3E 9F   // I have No clue!! maybe SHA-512??
4F 17 5D 74 D1 45 17 5D 74 D1 45 17 5D E0 C0 81  //
03 07 0E 1C 38 70 54 55 A9 54                               //
00 00       //Fighter Color
03 FF FF FF 
00 00 00 00 00 00 00 00 00 00 00 00

 

[odwdinc]

Confirmed !!!

width=32
poly=0x04c11db7
init=0xf884bc2d
refin=true
refout=true
xorout=0x00000000

The checksum is in big endian!!

00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

computes to 70 7C 6A 77
check sum is 77 6A 7C 70

--------------------- MERGED ---------------------------

well that was easy,

going to start work on an editor now...

 

[novakirby]

any clue how to go about finding the polynomial?

https://gist.github.com/novakirby/1a7736224e9668013397958eb015931f

 

[odwdinc]

https://gist.github.com/novakirby/1a7736224e9668013397958eb015931f

thanks, I needle to run with python3
seems top work fine

 

[novakirby]

iirc, for python2, change:
class crc32r: -> class crc32r(object):
u0.clear() -> del u0[:]
t = crc32.calc0(f.read(0xD4), 0x0) -> t = crc32.calc0(bytes(f.read(0xD4)), 0x0)

 

[odwdinc]

thanks for the quick help, any interest in helping whit parsing the rest of the data block?

 

[Beerus]

god damn u u on fire nice job man

 

[odwdinc]

for Gifts started a table any one make seance of it?
@ 0x156

26 01 == 1x Snack S
27 01 == 1x Snack S
27 02 == 15x sp ,  1x Snack S
27 03 == 45x sp ,  1x Snack S
27 04 == 30x sp ,  2x Snack S
27 05 == 50x gl ,  60x sp
27 06 == 50x gl ,  45x sp, 1x Snack S
27 07 == 75x sp, 1x show fs charging, 1x Snack S
00 01 == 1x Snack S
01 01 == 30x sp
01 07 == 100x gl, 15x sp
00 04 == 1x Snack M
00 00 == No Gift Trigerd
01 00 == Not able to recive

edit, it seem to be a uint16 and the code do not reproduce the same gifts.
the higher the number the better the gift seems to be, no patterns found yet.

 

[odwdinc]

I was able to find the fallowing location in the data block.
un0-un3 are unknowns right now

'learn un0 move1 move2 move3 un1 xp un2 atc hp un3 gift' = "<?9sBBB91sIHhhHH" , DataOffset in the data block = 0x02

Quick Gui for testing

 

[AbnormalAdept]

as for dumping the amiibo, does this support a dump with smash amiibo cheat tool or do i need to use tagmo?

 

[odwdinc]

as for dumping the amiibo, does this support a dump with smash amiibo cheat tool or do i need to use tagmo?

To my understanding the "mash amiibo cheat tool" was just editing the data block of the amiibo, you will need to "upgrade the amiibo" first by syncing with ultimate, this will convert the data block to the new format.
You will need to get a dump of the converted amiibo, any amiibo backup tool will work fine hear.
Once you have your bin file you can then use my tool to edit basic stats, this is just a work in progress...

 

[AbnormalAdept]

what do u use to dump the amiibo then? i was thinking of using the backup feature in smash amiibo cheat tool but it doesnt work if its in the ultimate format