399
edits
Changes
SAVE finally cracked!!! I found all the information I need...
=== Partitions ===
=== Partitions ===
There can be multiple partitions on the chip. For some games one is a backup partition, some other games seem to use only one partition, yet other games actually use multiple partitions. Partitions are defined at the start of the de-wearleveled blob. At offset 0x200 into the image, the DIFI blobs start. These 0x130 large blobs describe the partitions. Every DIFI blob describes a partition. In order to find the partitions, you will need the uint32_t at 0x9C into the DIFI block, and the uint32_t at 0xA4. The uint32_t at 0x9C describes the length of the hash table at the start of the partition, the uint32_t at 0xA4 is the length of the filesystem. Partitions are catted together, so the end of one partition is the beginning of the next.
There can be multiple partitions on the chip.
The partitions are represented by tables of DIFI blobs inside a DISA structure.
The order of the DIFI blobs is the order of the partitions in the chip.
* If the uint32 @ 0x168 into the image in the DISA is a %1=1, then first table is is hashed, otherwise the second DIFI table is hashed.
* If the table has more then 1 DIFI then the uint32 @ 0x168 is the offset from the DATA partition to the file base (masked with 0xFFFFFFFE).
<pre>
* The first two hashes don't seem to be associated with any 0x1000 block.
struct disa_header {
char magic[4];
u8 unknown0[0xC];
u64 first_difi_table_offset;
u64 second_difi_table_offset;
u64 table_size;
u64 Padding;
u64 hash_size;
u8 unknown1[0x30];
u32 active_table; // and the offset to the filebase
u8 hash[0x20];
u8 unknown2[0x74];
} __attribute__((__packed__));
</pre>
* The hash in the DISA blob hashes 'hash_size' bytes of the 'active_table'.
The DIFIs table @ 0x200 (into the image) is written twice, (Meaning, if there's 4 DIFI blobs then the table is 2 DIFIs long).
The second table is for backup. The active table is mentioned at 0x13C into the image (1=First table, other=Second Table)
'''DIFI'''
These 0x130 large blobs describe the partitions. Every DIFI blob describes a partition. In order to find the partitions, you will need the uint32_t at 0x9C into the DIFI block, and the uint32_t at 0xA4. The uint32_t at 0x9C describes the length of the hash table at the start of the partition, the uint32_t at 0xA4 is the length of the filesystem. Partitions are catted together, so after the end of one partition is the beginning of the next (on the next 0x1000 block).
Actually DIFI blobs are 0x12C large because the last 4 are not used and appear 0xFFFFFFFF at the encrypted image.
For most games there's only 1 partition (The SAVE partition) and some (like Ashpalt 3D and Steel Diver) has 2 partitions.
* 2 Partitions means that the files inside the SAVE partition is on the other partition (we would call it DATA partition).
* If the uint32 before the hash in the DISA is 0x01, the first DIFI blob is hashed, if it's 0x00 the second DIFI is hashed. The offsets and size for each DIFI can be found beneath the DISA tag (10h, 20h and 18h, 30h relative to the DISA location).
* No more than 2 paritions have been seen yet.
The last 4 bytes in each DIFI blob are garbage; they appear as FF FF FF FF in an encrypted savegame.
==== The SAVE partition ====
Savefiles are stored on the FLASH in a custom filesystem called SAVE. SAVE has a header which describes where the various bits of the filesystem live.
Savefiles are stored on the FLASH in a custom filesystem called SAVE. SAVE has a header which describes where the various bits of the filesystem live.
The most important information in the savefile is the FST or filesystem table. You can find the FST by first finding the file base offset which is the offset to which all the entries in the FST are relative. The file base offset is a uint16_t at 0x58 from the filesystem start. The FST offset is a uint32_t at 0x6C and is in blocks (which are 0x200 bytes large).
The first partition starts at 0x2000. The hashtable at the start of the partition describe each in-use block in the partition with a SHA256 of the 0x1000 sized block.
* The first two hashes don't seem to be associated with any 0x1000 block.
Finding the file system file base:
* If there's no DATA partiton the file base will be at the uint32 @ 0x58 into the SAVE header.
* Otherwise the file base will be at ('active_table' & 0xFFFFFFFE) into the DATA partition.
Finiding the file system table:
* If the uint32 @ 0x58 and uint32 @ 0x6C into the SAVE header aren't 0 then the table is at [@0x58] + [@0x6C]*0x200.
* Otherwise, (meaning the files are at another partition) the exact offset into the SAVE is @ 0x68.
Once you've found the FST, parsing it is fairly straightforward.
Once you've found the FST, parsing it is fairly straightforward.
char magic[4]; //'SAVE'
char magic[4]; //'SAVE'
u8 unknown0[0x54];
u8 unknown0[0x54];
u32 fst_offset;
u32 file_base_offset;
u8 unknown1[0x10];
u8 unknown1[0x10];
u32 fst_block_offset; //FST is in [fst_block_offset] * 0x200 + [fst_offset]
u32 fst_block_offset; //FST is in [file_base_offset] * 0x200 + [fst_block_offset]
u8 unknown2[8]; //or
u8 unknown2[8]; //or (if no filebase)
uint32 fst_exact_offset; //the exact offset from the header start
uint32 fst_exact_offset; //The exact offset from the header start
}
}
</pre>
</pre>
When a save EEPROM contains all xFFFF blocks it's assumed uninitialized by the game cartridges and it initializes default data in place, without prompting the user.
When a save EEPROM contains all xFFFF blocks it's assumed uninitialized by the game cartridges and it initializes default data in place, without prompting the user.
[[セーブデータ|Japanese]]
[[セーブデータ|Japanese]]