242
edits
Changes
Jump to navigation
Jump to search
Line 36:
Line 36: + Line 43:
Line 44: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→File system
[[User talk:Matyapiro31|Matyapiro]]
[[User talk:Matyapiro31|Matyapiro]]
* Con'''cat'''enated. Attached, joined, appended. One follows after the other. lol.
* Con'''cat'''enated. Attached, joined, appended. One follows after the other. lol.
I looked into that blockmap structure thing, but I fear I didn't get it right...
I looked into that blockmap structure thing, but I fear I didn't get it right...
* bit7 of phys_sec in blockmap entries is set when the entry's checksum isn't zero
* bit7 of phys_sec in blockmap entries is set when the entry's checksum isn't zero
--[[User:Luigi2us|Luigi2us]] 18:29, 4 August 2011 (CEST)
--[[User:Luigi2us|Luigi2us]] 18:29, 4 August 2011 (CEST)
3DS Save De/Encrypter
3DS Save De/Encrypter application needs useful info on the header Blockmap\Journal foe save modification. I'm so close i can feel it.
--[[User:Immortal|Immortal]] 10:10, 18 August 2011 (GMT)
Let's look into those blockmap/journal checksums
* there's one 8bit checksum per 0x200 block
* blocks containing only 0xFF yield a checksum of 0x0F
* blocks containing only 0x00 yield a checksum of 0xB9
* checksums seem to apply to encrypted blocks. In the case of Ridge Racer, all-zero 0x200 blocks yield 0xE4 instead of Rayman3D's 0xB9. However, all-FF blocks always yield 0x0F since they aren't encrypted.
<del>This is most likely a custom checksum algorithm. Standard CRC8 would yield zero for a zero block.</del> Wrong. Checksums of zero blocks are actually equivalent to the checksum of the game's XOR key.
--[[User:Luigi2us|Luigi2us]] 19:59, 28 August 2011 (CEST)
@Luigi2us the checksum algorithm can be a crc because XorIn as well as XorOut can be use that result in non zero results
there is a way to find out if it is a crc or something like that or something simple
xor the message by B1 than the checkbit change by C1 xor the message with B2 and the checkbyte change by C2 xor the message by (B1 xor B2) and the checkbyte should change by (C1 xor C2)
example crc in this case crc-16 but also work with crc-8
06 06 01 05 crc is 1A21
06 06 01 05 xor 01 02 03 04 = 07 04 02 01 crc is 1580
06 06 01 05 xor 08 09 01 02 = 0E 0F 00 07 crc is 2973
06 06 01 05 xor 01 02 03 04 xor 08 09 01 02 = 0F 0D 03 03 crc is 26D2 (2973 xor 1580 xor 1A21)
that also work if a unknown XorIn or XorOut is used
that don't work for most hash functions
ADD:Sorry for my bad English
--[[User:ichfly|ichfly]]
Sounds like a good idea. We just need to find 4 blocks A,B,C,D in one save so that B=A^x, C=A^y and D=A^x^y. --[[User:Luigi2us|Luigi2us]] 22:54, 29 August 2011 (CEST)
Hi everyone...
I'm adding save opening support to [[3DSExplorer]] and i'm having trouble understanding the SAVE filesystem.
btw Thanks [[CHR15x94]] for the effort but I don't want to search the "SAVE" string. I want to find it programmaticaly. I'm using the DIFI blob as a reference, starting from [0x2000 + DIFI's Paritition Hash Length] the SAVE should be there and it is for all files at the first partition.
but the second partition I can't always find. I'm using the 3 encrypted saves in the [[Games]] page. --[[User:Elisherer|Elisherer]] 08:43, 19 September 2011 (CEST)
When I search for the journal's magic (0x080d6ce0) I can't find anything in all saves..? Is it an endian problem?--[[User:Lazymarek9614|Lazymarek9614]] 14:29, 30 September 2011 (CEST)
:After many files I looked at...There's no such thing as journal's magic..it's just the same as the first one. and it can be sometimes 0xffffffff so i wouldn't count on it as a stop flag for reading the journal. just use logic...you can see an example at 3dsexplorer source. --[[User:Elisherer|Elisherer]] 18:19, 30 September 2011 (CEST)
Magic isn't always 0x080D6CE0, sometimes it is 0x080D6C80 or something in the like...
Unrelatedly, I wonder what kind of data unused blocks are mapped to (zeros or FF). Because those Rayman3D saves say that data goes up to 0xF000 (the end of the dewearleveled image), however there are usually no more than 4 blocks in use. --[[User:Luigi2us|Luigi2us]] 00:05, 1 February 2012 (CET)
[http://dl.dropbox.com/u/37418652/3DS/MH3G.sav|MH3G save file]
I think this game is also using the new save encryption.--Matyapiro31 09:47, 19 February 2012 (CET)
== Encryption method ==
@Yellows8, I think the old encryption is just [http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 AES-ECB] which is the same as AES-CTR whose counter isn't progressing... --[[User:Elisherer|Elisherer]] 15:07, 25 March 2012 (CEST)
:It is *not* AES-ECB. If it were,(and Nintendo has *never* used AES-ECB *directly*) you would see the same encrypted 16-byte block for *every* all-zero 16-byte block. The CTR *does* increase, it just gets reset every X bytes. An encryption method only counts as direct AES-ECB only if the encrypted data is used as the AES input block, and the output block is used as the strait decrypted block. --[[User:Yellows8|Yellows8]] 18:31, 25 March 2012 (CEST)
== Hashes ==
@Yellows8, That's awesome! Can you explain a bit more about the buffer padding (maybe give an example) I want to add the foundings to 3dsexplorer and complete the saving algorithm (without the MAC signing ofcourse) --[[User:Elisherer|Elisherer]] 07:12, 3 September 2012 (CEST)
:Is it more clear with my last edit? The RomFS [https://github.com/3dshax/ctr/blob/master/ctrtool/ivfc.c IVFC] is basically identical to savegames, except savegames have the additional filesystem level.(Didn't realize that when I figured out the savegame hashes though) And it's not actually possible to generate the MAC yet with the AES engine, since the keyY for gamecard savegames is currently unknown. --[[User:Yellows8|Yellows8]] 16:57, 3 September 2012 (CEST)
::That's really interesting. I wonder what is the general idea here...Do savegames use the romFS structure.. --[[User:Elisherer|Elisherer]] 00:00, 4 September 2012 (CEST)
== Savegame keyY CardId ==
Are those two u32 cardIDs mentiond in keyY generation for the first version of savegamy encryption just ROM chip type ID repeated twice, like 45FA009045FA0090 or ROMID/EEPROMID combination? --[[User:Duke srg|Duke srg]] 10:43, 23 February 2015 (CET)
== File system ==
Data of one file in SAVE partition / filestore seems sometimes fragmented into several blocks, and BlockMap probably describes how to link and build them. Is this already known? And I think what is stored in BlockMap forms linked lists, and an entry is {uint32 previous_block; uint32 next_block; }. (Note that I was looking into CECD system savegame, which is the only savegame I looked, and which contains a relative complicated folder structure, where files and folders can be added and deleted frequently) --[[User:Wwylele|Wwylele]] ([[User talk:Wwylele|talk]]) 15:01, 18 August 2016 (CEST)
Also the SAVE partition looks very similar to [[Extdata#Filesystem|extdata VSXE partition]], especially the folder and file entries. --[[User:Wwylele|Wwylele]] ([[User talk:Wwylele|talk]]) 13:52, 19 August 2016 (CEST)