Encryption
On the 3DS savegames are stored much like on the DS, that is on a FLASH chip in the gamecart. On the DS these savegames were stored in plain-text but on the 3DS a layer of encryption was added. This is highly likely a streamcipher, as the contents of several savegames exhibit the odd behavior that xor-ing certain parts of the savegame together will result in the plain-text appearing.
The reason this works is because the stream cipher used has a period of 512 bytes. That is to say, it will repeat the same keystream after 512 bytes. The way you encrypt with a stream cipher is you XOR your data with the keystream as it is produced. Unfortunately, if your streamcipher repeats and you are encrypting a known plain-text (in our case, zeros) you are basically giving away your valuable keystream.
So how do you use this to decrypt a savegame on a 3DS? First off, you chunk up the savegame into 512 byte chunks. Then, you bin these chunks by their contents, discarding any that contain only FF. Now look for the most common chunk. This is your keystream. Now XOR the keystream with your original savegame and you should have a fully decrypted savegame. XOR with the keystream again to produce an encrypted savegame.
Wear leveling
The 3DS employs a wear leveling scheme on the savegame FLASH chips. This is done through the usage of blockmaps and a journal. The blockmap is located at offset 0 of the flash chip, and is immediately followed by the journal. The initial state is dictated by the blockmap, and the journal is then applied to that.
First, there are 8 bytes whose purposes are currently unknown. Then comes the actual blockmap. The blockmap structure is simple:
struct header_entry { uint8_t phys_sec; // when bit7 is set, block has checksums, otherwise checksums are all zero uint8_t alloc_cnt; uint8_t chksums[8]; } __attribute__((__packed__));
There's one entry per sector, counting from physical sector 1 (sector 0 contains the blockmap/journal).
The 2 bytes that follow the blockmap are the CRC16 (with starting value 0xFFFF (like modbus)) of the first 8 bytes and the blockmap.
Then comes the journal. The journal structure is as follows:
struct sector_entry { uint8_t virt_sec; // Mapped to sector uint8_t prev_virt_sec; // Physical sector previously mapped to uint8_t phys_sec; // Mapped from sector uint8_t prev_phys_sec; // Virtual sector previously mapped to uint8_t phys_realloc_cnt; // Amount of times physical sector has been remapped uint8_t virt_realloc_cnt; // Amount of times virtual sector has been remapped uint8_t chksums[8]; } __attribute__((__packed__)); struct long_sector_entry{ struct sector_entry sector; struct sector_entry dupe; uint32_t magic; }__attribute__((__packed__));
With magic being a constant 0x080d6ce0.
The checksums in the blockmap/journal entries work as follows:
- each byte is the checksum of an encrypted 0x200 bytes large block
- to calculate the checksum, a CRC16 of the block (with starting value 0xFFFF) is calculated, and the two bytes of the CRC16 are XORed together to produce the 8bit checksum
Partitions
There can be multiple partitions on the chip. For some games one is a backup partition, some other games seem to use only one partition, yet other games actually use multiple partitions. Partitions are defined at the start of the de-wearleveled blob. At offset 0x200 into the image, the DIFI blobs start. These 0x130 large blobs describe the partitions. Every DIFI blob describes a partition. In order to find the partitions, you will need the uint32_t at 0x9C into the DIFI block, and the uint32_t at 0xA4. The uint32_t at 0x9C describes the length of the hash table at the start of the partition, the uint32_t at 0xA4 is the length of the filesystem. Partitions are catted together, so the end of one partition is the beginning of the next.
The first partition starts at 0x2000. The hashtable at the start of the partitions describe each in-use block in the partition with a SHA256 of the 0x1000 sized block.
- The exact location of the partition can vary in each save/game.
- The first two hashes don't seem to be associated with any 0x1000 block.
- (edit) The last 0x20 bytes of the hash table, doesn't appear to change along with the rest of the data and repeats at the end of all other hash-tables, even when the hashes/data are different. (edit) The last 0x20 bytes of the hash table is NULL data, it is because the Hash table is only 0x1E0 in size and the XOR hash is 0x200 in size, so the 0x20 bytes you see at the end is actually 0x20 bytes of (FF) xor'd with the last 0x20 bytes of the key. Thus the data recurs. --Immortal 09:14, 19 August 2011 (GMT)
The hash in the DISA blob hashes 300 bytes of the first DIFI blob.
- If the uint32 before the hash in the DISA is 0x01, the first DIFI blob is hashed, if it's 0x00 the second DIFI is hashed. The offsets and size for each DIFI can be found beneath the DISA tag (10h, 20h and 18h, 30h relative to the DISA location).
The last 4 bytes in each DIFI blob are garbage; they appear as FF FF FF FF in an encrypted savegame.
Filesystem
Savefiles are stored on the FLASH in a custom filesystem called SAVE. SAVE has a header which describes where the various bits of the filesystem live. The most important is the FST or filesystem table. You can find the FST by first finding the file base offset which is the offset to which all the entries in the FST are relative. The file base offset is a uint16_t at 0x58 from the filesystem start. The FST offset is a uint32_t at 0x6C and is in blocks (which are 0x200 bytes large).
Once you've found the FST, parsing it is fairly straightforward.
struct fs_entry { u32 node_cnt; u8 filename[0x10]; u32 index; u32 unk1; // magic? u32 block_offset; u32 file_size; u32 unk2; u32 unk3; // flags and/or date? u32 unk4; }
The first entry is the root directory, easily identifiable by the node_cnt being larger than 1. The node_cnt includes the root directory itself, so there are node_cnt - 1 files in the root directory. The entries that follow after the root directory are the actual files. Reading them out is as simple as taking the file base offset and adding (block_offset * 0x200) to it.
Example from Super MonkeyBall 3D:
0003800: 04000000 21000000 00000000 00000000 ....!........... 0003810: 00000000 00000000 00000000 00000000 ................ 0003820: 00000000 00000000 00000000 00000000 ................ 0003830: 01000000 736d6233 64732e64 61740000 ....smb3ds.dat.. 0003840: 00000000 00000000 d57b1100 05000000 .........{...... 0003850: e4060000 00000000 c8cf0008 00000000 ................ 0003860: 01000000 6d677265 706c6179 30302e64 ....mgreplay00.d 0003870: 61740000 01000000 d57b1100 09000000 at.......{...... 0003880: 1c210000 00000000 cd331000 00000000 .!.......3...... 0003890: 01000000 6d677265 706c6179 30312e64 ....mgreplay01.d 00038a0: 61740000 02000000 d57b1100 1a000000 at.......{...... 00038b0: 1c210000 00000000 00000000 00000000 .!..............
Initialization
When a save EEPROM contains all xFFFF blocks it's assumed uninitialized by the game cartridges and it initializes default data in place, without prompting the user.