Jump to content

X / Y Save File Research


Kaphotics

Recommended Posts

  • Replies 213
  • Created
  • Last Reply

Top Posters In This Topic

A modded 3DS is required.

Just curious but if someone was to upload their own pokemon X/Y save and send it to someone who owns a modded 3ds that can decrypt their own save be able to decrypt it and modify and be able to send it back without issues?

I am aware retail carts have their saves locked to its desired cart but i am curious if its possible now.. or if we would have to wait to crack that save lock first if at all possible.

I could see something similar to powersave happening as a paid service that could really make a lot of money off of ppl IF there is any plans to make it all public.

Link to comment
Share on other sites

Just curious but if someone was to upload their own pokemon X/Y save and send it to someone who owns a modded 3ds that can decrypt their own save be able to decrypt it and modify and be able to send it back without issues?

I am aware retail carts have their saves locked to its desired cart but i am curious if its possible now.. or if we would have to wait to crack that save lock first if at all possible.

I could see something similar to powersave happening as a paid service that could really make a lot of money off of ppl IF there is any plans to make it all public.

I proposed the same thing a week ago. OmegaDonut mentioned that he'd set aside a 3DS for the idea as well. I can think of a few issues though. It'll require some specialized software and potentially hardware as well. Someone would have to develop that (or get it designed and built in the case of hardware). All the while we'd be hoping that no other way to edit saves comes about or whoever invested would be out money.

Link to comment
Share on other sites

The current problem is that save file encryption uses an RSA key which is 0'd at at FIRM launch. To recover the information needed to actually decrypt these saves we need: a 6.0+ exploit, a hardware ram dumper, or a dump of the bootrom. Right now we have none of these and there's no promises we'll get any of those any time soon.

Link to comment
Share on other sites

The current problem is that save file encryption uses an RSA key which is 0'd at at FIRM launch. To recover the information needed to actually decrypt these saves we need: a 6.0+ exploit, a hardware ram dumper, or a dump of the bootrom. Right now we have none of these and there's no promises we'll get any of those any time soon.

Datel must have one of the above for their save editing service to work, right? (I'm assuming you were responding to scarfaceguns and myself; if not, ignore me.)

BTW thanks for the work you and bond have been doing!

Link to comment
Share on other sites

The current problem is that save file encryption uses an RSA key which is 0'd at at FIRM launch. To recover the information needed to actually decrypt these saves we need: a 6.0+ exploit, a hardware ram dumper, or a dump of the bootrom. Right now we have none of these and there's no promises we'll get any of those any time soon.

Would the 6.0+ exploit (ssspwn) that is allegedly out there be sufficient for this purpose, or is it too limited to be of use here?

Link to comment
Share on other sites

because hoopa and volcanion aren't comfirmed yet, and the nintendo crap that happend, vecause of that they never added a feature for either so I don't think it's possible yet. that was also the reason diancie got removed

Link to comment
Share on other sites

I proposed the same thing a week ago. OmegaDonut mentioned that he'd set aside a 3DS for the idea as well. I can think of a few issues though. It'll require some specialized software and potentially hardware as well. Someone would have to develop that (or get it designed and built in the case of hardware). All the while we'd be hoping that no other way to edit saves comes about or whoever invested would be out money.

I think i do remember seeing you say something like that but since a save has just now been 100% decrypted i had my hopes up for a just a homebrew method on a hacked 3ds to be able to decrypt and whatnot but it seems i was wrong however.

Also i have been thinking about modifying a 3DS for a while for other purposes included so forgive me if this isn't allowed to be asked but where would all this detailed information be found in order to hack a 4.5 3DS? things like required tools and hardware etc.

Link to comment
Share on other sites

Guide to completely decrypting Save1:

Download my brute forcer: http://www.mediafire.com/download/sk2o1qt9t161j6q/Pokemon_XY_Save_File_Brute_Forcer.exe

Complete the steps listed in my earlier post on getting saves open with PKHeX: http://projectpokemon.org/forums/showthread.php?37269-X-Y-Save-File-Research&p=183148

In the first brute forcer box, select + open save1keystream.bin.

Now (make sure you have a backup of your current save file before doing this), Delete your save file from the in-game menu (hit up+x+b at title screen) and start a new game. Save once. ONLY SAVE ONCE. THIS IS IMPORTANT.

Backup your save using powersaves. In the second brute forcer box, select this backup.

Now, apply the "Master Ballsx999" cheat over your new game in powersaves. Remove your cart from the dongle. Re-insert your cart into the dongle. (Doing that is ALSO important.)

Backup your save with the cheat applied using powersaves. In the third brute forcer box, select this backup.

Now, hit the "Brute force saves" box. If all goes well (And it should), you should get a success message and the ability to save Save1Key.bin.

Save Save1Key.bin wherever you want. You can now use it the way you used save1keystream.bin before now, but it completely 100% decrypts all of save1. (50% of your saves will open with no "hash verification failed" messages in PKHeX". Before Datel patched my exploit, this allowed you to inject things into the game. You can no longer use this to inject new things.)

Link to comment
Share on other sites

After all of that hard work then Datel had to patch it. I would be really pissed off!, Well Karma will get to Datel when everything gets hacked and we don't have to use their Powersaves anymore. I have a great idea make use of the Powersaves Adapter and create a 3DS Project Pokemon Backup Program just like Powersaves but better and for Pokemon X & Y without the uses of Servers and your own Encryption & Decryption Files. I'm sure that it would piss them off but they do deserve it.

Link to comment
Share on other sites

It perfectly worked for me, thanks for sharing the whole process of decryption (even if it's not working anymore).

However, how did you manage to inject back the edited sav through powersave to the cartridge?

Link to comment
Share on other sites

It perfectly worked for me, thanks for sharing the whole process of decryption (even if it's not working anymore).

However, how did you manage to inject back the edited sav through powersave to the cartridge?

Previous programs were linked to checksum the data so that the Powersaves program recognized it as a valid save to write back to the cartridge.

Upon applying the code, they now (didn't earlier) check the AES MAC. Games still read it as a corrupted savegame if the AES MAC is wrong.

Link to comment
Share on other sites

First of all.. thanks for all the steps.. I did the entire procedure twice and it seems it is working fine, PKHex is able to open the savegame.

Other than that: great work to all savegame hackers, you guys are truly amazing folks!

So I can confirm this works!

After all of that hard work then Datel had to patch it. I would be really pissed off!, Well Karma will get to Datel when everything gets hacked and we don't have to use their Powersaves anymore. I have a great idea make use of the Powersaves Adapter and create a 3DS Project Pokemon Backup Program just like Powersaves but better and for Pokemon X & Y without the uses of Servers and your own Encryption & Decryption Files. I'm sure that it would piss them off but they do deserve it.

To be very frank. Datel used to support the homebrew community on the Gamecube and such by creating homebrew loaders using SD card adapters.. in their hearts I imagine many of the folks there would probably love to help us but after the Diancie debacle where they had to remove everything else unreleased (Latiosnite and such) - I imagine they decided to tighten up things on their side to ensure they can continue selling their adapters - and that included securing their structures. In the end: Datel is a company, they want to make money: if people were to buy PowerSaves adapters to hack their games, while this wouldn't harm their business model, it would certainly harm their model if Nintendo strikes against them for DMCA stuff.

Link to comment
Share on other sites

I mean I used the method for full decryption of save files and followed the steps but I still get the message when I try to open the file in pkhex.

It's not full decryption for the entire file; it is full decryption for save file 1.

The error listed in the SAV tab will give you more information. In order to save, the active save index (at 0x168) must refer to the correct hashes. If the hashes are invalid or if it's pointing to the wrong hash, then the save isn't properly decrypted.

There's no point saving your changes as there's no way to get them ingame unless you can re-sign your AES MAC. If you can do that, it's expected that you can properly decrypt.

Link to comment
Share on other sites

It's not full decryption for the entire file; it is full decryption for save file 1.

The error listed in the SAV tab will give you more information. In order to save, the active save index (at 0x168) must refer to the correct hashes. If the hashes are invalid or if it's pointing to the wrong hash, then the save isn't properly decrypted.

There's no point saving your changes as there's no way to get them ingame unless you can re-sign your AES MAC. If you can do that, it's expected that you can properly decrypt.

I still don't get it. In the previous version of PKHeX, once I got the keystream through XORpad I was able to fully drecrypt the saves brute forcing them, obtaining the Save1key, which allowed me to completely decrypts all of save1. Now it seems like is not fully decrypted when I try to open it with PKHex...

So what has changed? Is there a new procedure to get save1 fully decrypted, or is it just me that I'm not doing it rightly?

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...