X / Y Save File Research

[Kaphotics]

It's an event bitflag and only for female characters. I do think I added it to the Event Flag editor, not sure if it's there or not.

[Timeboy]

Ah, makes sense - I had no idea female characters woke up holding a 3DS for the few minutes until they get dressed! There's not much point of it since it doesn't show up on your trainer card or in battle. If anyone wants to do it, clear 14D21 and 14E47:

[XD4rkCha0sX]

[@Kaphotics]

How much further till the NTSC-U Version of X/Y will we be able to decrypt easy for editing ?

[Kaphotics]

[@Kaphotics]

How much further till the NTSC-U Version of X/Y will we be able to decrypt easy for editing ?

Decrypting is one thing, re-signing is another. We can decrypt save files, however, the 3DS is required for re-signing and only the Cyber Save Editor dongle offers this service for Japanese Cartridges.

3DS encryption (for 6.0+ firmware games) uses parts of the ROM data, and the necessary part for encryption differs between Japanese/International copies, and even for different version revisions (which is why prepatched games have had problems with Cyber Save Editor support).

[XD4rkCha0sX]

Decrypting is one thing, re-signing is another. We can decrypt save files, however, the 3DS is required for re-signing and only the Cyber Save Editor dongle offers this service for Japanese Cartridges.

3DS encryption (for 6.0+ firmware games) uses parts of the ROM data, and the necessary part for encryption differs between Japanese/International copies, and even for different version revisions (which is why prepatched games have had problems with Cyber Save Editor support).

So has anyone in the community found a way to re-sign a U.S. game cartridge yet using a 3rd party software/or hardware ?

What about the digital saves from the eshop versions ?

[Kaphotics]

So has anyone in the community found a way to re-sign a U.S. game cartridge yet using a 3rd party software/or hardware ?

What about the digital saves from the eshop versions ?

If it were possible at the moment, it would have been mentioned somewhere.

Digital save editing will never happen, Powersaves now blocks any edited saves, and Cyber Save Editor only accepts Japanese ROM data (because the ROM data is different between regions). You'd have to wait until a public re-signing solution happens, and this would be via homebrew on hacked firmware consoles. There is no ETA.

[Devreese]

Has anyone done much research into powersaves and cyber gadget as far as how they work? cuz I feel like i'm probably reinventing the wheel ._.

I got the CG servers figured out for the most part, but there are still some questions about the parsed data and what not. I've been using both CG and powersaves in conjunction to find answers, but..

here's some questions:

1. How is Header CRC derived? I've tried using CRC16 CCITT on a bunch of variations of the NCCH to no avail. It was my best guess at what Ninty might have used

2. Where is the Card ID parsed from exactly? I didnt see it in any of the data pulled from PS or CG.

3. For powersaves, has anyone figured out the card2 read/write calls? what I've observed is that there are several different calls that dump chunks of data that could possibly be related to the save but they definitively dont look like the save.. so my guess is either they encrypt that data over usb and the program decrypts it or its not related to the save at all lol.

what is this site

[Kaphotics]

what is this site

It's Cyber Gadget's web upload form they use within their program. Nothing you can abuse.

[Devreese]

It's Cyber Gadget's web upload form they use within their program. Nothing you can abuse.

oh ok

[Favna]

So I've been wondering for the past day here. With all the data dumped of both X/Y and ORAS, was there ever any info found on which programming language was used to create both mentioned games? I've been trying to find it on google but the only thing I can find is that R/B/Y were made in Assembly. Nothing related to X/Y/OR/AS.

[Guest]

It's C++.

[Favna]

It's C++.

Ah ok thanks.

[Pokehexlover]

I have a friend who is willing to help us if we can give him the details to build a re-signing program. Also, would it be too much to ask if a tutorial video can be made to show us how to decrypt a backed up save file from powersave?

[Favna]

I have a friend who is willing to help us if we can give him the details to build a re-signing program. Also, would it be too much to ask if a tutorial video can be made to show us how to decrypt a backed up save file from powersave?

Uh I could perhaps work on that video tutorial but I'm on vacation at the moment so it'll be a while until I can get started

[Pokehexlover]

That's fine, but I was hoping Kaphotics could do it.

[Favna]

If that truly means so much to you. I only wanted to show off what other people consider my awesome voice again... #TooBrag4Me

I kid. People have actually said my voice is good for tuto's but I never felt special about it.

[Timeboy]

I have a friend who is willing to help us if we can give him the details to build a re-signing program. Also, would it be too much to ask if a tutorial video can be made to show us how to decrypt a backed up save file from powersave?

I don't think it's possible for someone to simply "build a re-signing program", and if it were, it'd be posted on here. There's a tool for every current possible task imaginable, including a re-signing program that only works with the Cyber Gadget Save Editor dongle. Which piece of hardware is your friend hoping to utilise? The Powersaves and Cyber Gadget work server-side, and the R4i dongle can only decrypt older 3DS games, not games with X/Y's encryption. For about 24 hours (probably less) you could abuse the Powersaves dongle and brute force Pokemon in, but they patched that immediately.

Either way, there's a (written) tutorial on here that is pretty easy to follow. http://projectpokemon.org/forums/showthread.php?37269-X-Y-Save-File-Research&p=183148&viewfull=1#post183148

You can only partially decrypt, through.

[AppleSquash14]

Google --3DS "Save Bank"-- (without dashes)

Then tell me it's 'impossible'. :biggrin:

Is it possible to use the save bank dongle with the cyber save editor software? Has anyone tried this?

[Favna]

I don't think it's possible for someone to simply "build a re-signing program", and if it were, it'd be posted on here. There's a tool for every current possible task imaginable, including a re-signing program that only works with the Cyber Gadget Save Editor dongle. Which piece of hardware is your friend hoping to utilise? The Powersaves and Cyber Gadget work server-side, and the R4i dongle can only decrypt older 3DS games, not games with X/Y's encryption. For about 24 hours (probably less) you could abuse the Powersaves dongle and brute force Pokemon in, but they patched that immediately.

Either way, there's a (written) tutorial on here that is pretty easy to follow. http://projectpokemon.org/forums/showthread.php?37269-X-Y-Save-File-Research&p=183148&viewfull=1#post183148

You can only partially decrypt, through.

Actually SciresM continues the tutorial towards a fully decrypted save1 file here: Full Decryption. Not that powersaves, as you say, does re-signing however so having it is one thing, being able to do something with it is .. something else.

[Gamertron300]

Guide to completely decrypting Save1:

Download my brute forcer: http://www.mediafire.com/download/sk2o1qt9t161j6q/Pokemon_XY_Save_File_Brute_Forcer.exe

Complete the steps listed in my earlier post on getting saves open with PKHeX: http://projectpokemon.org/forums/showthread.php?37269-X-Y-Save-File-Research&p=183148

In the first brute forcer box, select + open save1keystream.bin.

Now (make sure you have a backup of your current save file before doing this), Delete your save file from the in-game menu (hit up+x+b at title screen) and start a new game. Save once. ONLY SAVE ONCE. THIS IS IMPORTANT.

Backup your save using powersaves. In the second brute forcer box, select this backup.

Now, apply the "Master Ballsx999" cheat over your new game in powersaves. Remove your cart from the dongle. Re-insert your cart into the dongle. (Doing that is ALSO important.)

Backup your save with the cheat applied using powersaves. In the third brute forcer box, select this backup.

Now, hit the "Brute force saves" box. If all goes well (And it should), you should get a success message and the ability to save Save1Key.bin.

Save Save1Key.bin wherever you want. You can now use it the way you used save1keystream.bin before now, but it completely 100% decrypts all of save1. (50% of your saves will open with no "hash verification failed" messages in PKHeX". Before Datel patched my exploit, this allowed you to inject things into the game. You can no longer use this to inject new things.)

Does this brute forcer still work regardless?

[Kaphotics]

It works if you use it properly, however the only benefit of having a fully decrypted save is having it fully decrypted; there's no method to get it re-signed.

[Gamertron300]

I know, a few friends and I are working with a modded 3DS and have successfully reencrypted the save into a legit NA cartridge. Now we are trying to figure out how to reencrypt for a non-modded 3DS manually.

[Favna]

I know, a few friends and I are working with a modded 3DS and have successfully reencrypted the save into a legit NA cartridge. Now we are trying to figure out how to reencrypt for a non-modded 3DS manually.

All I can say is .. Keep us updated and mainly keep up the work. Would be awesome if it works out.

[Darkness 194]

I wish you luck

[Favna]

So uhm someone was requesting a video tutorial for full decryption of a US / Europe (in my case the latter) save before. If there are others that would be interested in this I could make it one of these days but I kinda do want appeal up front because of the fact that having a fully decrypted save file, as said many times, is pretty pointless at the current stage of research.