Jump to content

X / Y Save File Research


Kaphotics

Recommended Posts

From what I understand, since powersaves sends your save to their hacked 3ds farm to sign the save and send it back... Could you take a save, edit it by adding a Pokemon in your box or whatever, and then send it to powersaves servers to get that final AES signing (as long as the other checksums and hashs are correct)?

Link to comment
Share on other sites

  • Replies 213
  • Created
  • Last Reply

Top Posters In This Topic

From what I understand, since powersaves sends your save to their hacked 3ds farm to sign the save and send it back... Could you take a save, edit it by adding a Pokemon in your box or whatever, and then send it to powersaves servers to get that final AES signing (as long as the other checksums and hashs are correct)?

Honestly, that's what I was gonna try.. problem for me right now is, even though I can calculate just about all the hashes, they are no good unless they were calculated with the 'correct' data..By that i mean for instance, the region 0x5000 - 0x5FFF is partially unknown 'static' data that was xord out and part known data.. if i were to get that original unknown data, i could hash it and than dump the correct xorpad, but otherwise im stuck. The alternative method is to wait till someone figures out how the 3DS generates xorpads so we can calculate everything and generate a xorpad and slap it on there.

Link to comment
Share on other sites

Would it be worthwhile for someone (or the community as a whole) to try to set up their own 3DS farm (or perhaps just 1 3DS with a queue system) and open it up to the public? It could be a reasonably priced paid service at least until the initial cost of a 3DS and whatever specialized hardware/software necessary is recouped. There's not some other magical solution to the save encryption problem "just around the corner" is there?

Link to comment
Share on other sites

Would it be worthwhile for someone (or the community as a whole) to try to set up their own 3DS farm (or perhaps just 1 3DS with a queue system) and open it up to the public? It could be a reasonably priced paid service at least until the initial cost of a 3DS and whatever specialized hardware/software necessary is recouped. There's not some other magical solution to the save encryption problem "just around the corner" is there?

I have a 4.5 3DS I've been setting aside for this very reason.

Link to comment
Share on other sites

Guide to getting your save file open in PKHeX:

Make a backup with Powersaves.

Make a copy of that backup, and replace all of the bytes in the copy past 0x9C with FF: http://i.snag.gy/lem0O.jpg

Next, download my Datel checksum corrector ( http://www.mediafire.com/download/kn2am0u4ae66s21/Datel_Checksum_Fixer.zip ). Open it up and open the edited copy, then hit save. (Remove the " - [fixed]" from the savename so that powersaves will see it.).

Now, open powersaves, and restore the edited FF save file. (You should see two saves with identical names, it's the second one.).

Put your cartridge into your 3ds, and go to the main menu. Then, close the game and put the cartridge back in the powersaves dongle.

In powersaves, apply the "Slot 1 x999 modifier code." After doing that, remove your cart from the powersaves dongle, then stick it back in. Now make a backup of your cartridge's save file.

At this point, you can restore your original save file backup.

The backup you just made after applying the code, removing the cart, and putting it back in has garbage default data in SAVE2, but a completely blank SAVE1 -- this means it is just your xorpad for save1.

At this point, make a copy of the backup you just made and rename it save1keystream.bin for easy remembering ability.

You can now use this to open a save in PKHeX! If you want to open a save, XOR save1keystream.bin with the powersaves backup of whatever save you want to check out (I recommend http://www.nirsoft.net/utils/xorfiles.html ), and then delete the first 0x9C bytes in a hex editor (I use HxD). Save the file with the 0x9C header removed, and you can open it in PKHeX totally fine: http://i.snag.gy/x2jJ8.jpg

Link to comment
Share on other sites

So replace every byte past 0x9C with FF 0000009C - 010009C I had to ask to be more specific.

Yes, I tried it too myself.. the trick works. You can already view your pokémon in PKHex that way. The only way to fully decrypt it is - as it's been often said - using a hacked 3DS.

Actually what I was wondering.. as PowerSaves can use 3DS to decrypt existing savegames and determine their xorpads - are people here able to determine the xorpads of savegames of other people (I would happily pay a little amount to get my xorpad revealed). Otherwise: seeing how rednand might be released in the near future I assume hacking a 7.x 3DS isn't so far out of nowhere in the future. It depends if their method allows extracting savegames though.

Link to comment
Share on other sites

Guide to getting your save file open in PKHeX:

Make a backup with Powersaves.

Make a copy of that backup, and replace all of the bytes in the copy past 0x9C with FF: http://i.snag.gy/lem0O.jpg

Next, download my Datel checksum corrector ( http://www.mediafire.com/download/kn2am0u4ae66s21/Datel_Checksum_Fixer.zip ). Open it up and open the edited copy, then hit save. (Remove the " - [fixed]" from the savename so that powersaves will see it.).

Now, open powersaves, and restore the edited FF save file. (You should see two saves with identical names, it's the second one.).

Put your cartridge into your 3ds, and go to the main menu. Then, close the game and put the cartridge back in the powersaves dongle.

In powersaves, apply the "Slot 1 x999 modifier code." After doing that, remove your cart from the powersaves dongle, then stick it back in. Now make a backup of your cartridge's save file.

At this point, you can restore your original save file backup.

The backup you just made after applying the code, removing the cart, and putting it back in has garbage default data in SAVE2, but a completely blank SAVE1 -- this means it is just your xorpad for save1.

At this point, make a copy of the backup you just made and rename it save1keystream.bin for easy remembering ability.

You can now use this to open a save in PKHeX! If you want to open a save, XOR save1keystream.bin with the powersaves backup of whatever save you want to check out (I recommend http://www.nirsoft.net/utils/xorfiles.html ), and then delete the first 0x9C bytes in a hex editor (I use HxD). Save the file with the 0x9C header removed, and you can open it in PKHeX totally fine: http://i.snag.gy/x2jJ8.jpg

Can you save it and then write it back to your cart?

Sent from my SGH-T599N using Tapatalk

Link to comment
Share on other sites

No, because that's only a partially decrypted save. Plus the whole AES MAC re-signing isn't a thing yet.

Still no 'true' save editing for those without a hacked console+cfw.

Oh ok. Thanks anyway. Will there ever be pkx injecting without a hacked console?

Link to comment
Share on other sites

Hi:

Try help make your partial decrypt save:

1.- Download: OSX: http://x.co/4JBf0 OR Windows: http://x.co/4JBgp

2.- Create a backup with PowerSaves

3.- Open backup with "Open SAV1" in app

4.- Press "Clean SAV1"

5.- Copy new file to your PowerSaves directory and remove "-Fixed"

6.- Restore fixed save

8.- Run game, go to selection language, and exit from the game

9.- Put your game in power saves and apply "Slot 1 x999 modifier code."

10.- Remove yor game and put again in PowerSaves and create new backup and named Keystream

11.- Open Keystram whit "Open SAV1" in app an open other save in "Open SAV2"

12.- Press "XOR ..." and the result can view with PKHeX

NOTE: Mono requrired in OSX and .Net 3.5 in Windows

Edited by swarzesherz
Link to comment
Share on other sites

I just moved a bunch of posts regarding save file support to this thread: http://projectpokemon.org/forums/showthread.php?37955-X-Y-Save-Help-Thread

I also deleted some posts that didn't contribute at all. While I do appreciate our members helping each other out, this is a research thread, and posts should contribute or ask research-related questions. Help requests should either be PMed or posted in the Save Editing Help forum.

Thank you!

Link to comment
Share on other sites

Just a small thing I found on accident, but the first 4 bytes of the 0x6C00 region is the timestamp of the save it seems..

from that offset, the hours are 2 bytes, and the minutes are in the 3rd byte.. the 4th byte seems too fast/random to be seconds. not sure what it is.. as for the other 4 bytes next to it.. its also still a mystery.. the first one doesnt seem to change amongst any of my saves, the 2nd does rarely, 3rd one a bit less rarely, and the 4th is fast/random.

Link to comment
Share on other sites

please explain how you did this also i dont have a powersaves is there anyway i can decrypt a gateway sav thats been extracted from the rom as all the ways i have seen use powersaves thanks

He did it on a retail cart on current firmware.

Not helpful at all if you don't care about giving instructions to learn from for the rest of us.

He's already given you instructions to decrypt the entire first save block... plus, proof of concept is better than nothing. I don't blame him for not wanting to share; he doesn't want to be the one who opens the floodgates.

Link to comment
Share on other sites

He's already given you instructions to decrypt the entire first save block... plus, proof of concept is better than nothing. I don't blame him for not wanting to share; he doesn't want to be the one who opens the floodgates.

I can see the servers overloaded if it did get released. Great job on the research, there are a few of questions I would like to ask.

How long did it take you to crack the encryption?

How difficult was it to crack the encryption?

Did you use a New Save or Your own Personal Save?

Can you use other people's saves with this method?

Did you use a Gateway Firmware or Current Firmware?

Also did you have to use a Powersave code in order encrypt it back in the cartridge?

Link to comment
Share on other sites

1) How long did it take you to crack the encryption?

2) How difficult was it to crack the encryption?

3) Did you use a New Save or Your own Personal Save?

4) Can you use other people's saves with this method?

5) Did you use a Gateway Firmware or Current Firmware?

6) Also did you have to use a Powersave code in order encrypt it back in the cartridge?

1) The whole process took ~7 weeks, the 'cracking' was just XORpad guessing and didn't take much time at all.

2) Difficult; required intelligent brute forcing of certain areas for an uncooperative save.

3) Any save; even decrypted saves from another cart/version.

4) Yes, so long as the 0x05400-0x6B000 region has been properly decrypted.

5) Current Firmware.

6) It's not necessary.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...