Savegames

Revision as of 14:22, 13 April 2011 by Matyapiro31 (talk | contribs)

Encryption

3DS savegames are stored on the game cart exactly as they are on the DS. On the DS such save data was stored as-is; on the 3DS a mechanism was added that stores it encrypted. The encryption works very much like a stream cipher: the plaintext is XORed with a keystream, and because XOR is its own inverse, XORing the ciphertext with that same keystream (or XORing known plaintext against the ciphertext) gives back the decryption key.

The scheme is breakable because the whole save is encrypted with a single 512-byte key: the keystream simply repeats with a period of 512 bytes. So even though the data is encrypted, the key can be reconstructed by XORing. Unfortunately for the scheme, as soon as this method is applied to plaintext an attacker already knows, anyone can recover the key.

So how do we decrypt a 3DS savegame from here? First, split the data into 512-byte chunks. Next, because the most common value in the data should be 0xFF (unused space in the save reads as 0xFF), at each of the 512 positions the most frequent ciphertext byte across all chunks should be the encryption of 0xFF. Take that most frequent value at each position as the reference value and XOR it with 0xFF: the result is the key byte for that position. XORing the savegame with the resulting 512-byte key yields the fully decrypted data. (Equivalently, XORing the save with the reference values gives the plaintext with every bit inverted; XOR with 0xFF once more to get the data.)
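The recovery procedure above, as an added example that is not part of the original page: Python that implements both the ciphertext-only majority vote (assuming, as the text does, that unused save space is 0xFF) and the known-plaintext XOR, and checks that both give the same key. The sample savegame, the key, and the function names (`xor_stream`, `recover_key`, `key_from_known_plaintext`, `majority_fails`) are constructed for this example and are not from any tool the page describes.

```python
# Added example (not from the original page): recovering the repeating
# 512-byte keystream of a 3DS savegame. Sample plaintext and key are constructed.
import random
from collections import Counter

KEY_LEN = 512          # keystream period described on the page
FILL = 0xFF            # value that dominates an unused savegame


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Known-plaintext attack: one full 512-byte period of plaintext gives the key."""
    if len(plaintext) < KEY_LEN or len(ciphertext) < KEY_LEN:
        raise ValueError("need at least one full 512-byte period")
    return bytes(c ^ p for c, p in zip(ciphertext[:KEY_LEN], plaintext[:KEY_LEN]))


def recover_key(ciphertext: bytes, min_agreement: float = 0.5) -> bytes:
    """Ciphertext-only recovery: at each of the 512 positions the most common
    byte across all chunks is taken to be FILL ^ key[pos]."""
    if len(ciphertext) < 2 * KEY_LEN:
        raise ValueError("need at least two 512-byte chunks to take a majority")
    key = bytearray(KEY_LEN)
    for pos in range(KEY_LEN):
        column = ciphertext[pos::KEY_LEN]            # byte `pos` of every chunk
        value, count = Counter(column).most_common(1)[0]
        if count / len(column) <= min_agreement:
            # Caveat: where the save holds real data in most chunks, the vote
            # is unreliable; refuse rather than return a guessed key byte.
            raise ValueError(f"no clear majority at position {pos:#x}")
        key[pos] = value ^ FILL
    return bytes(key)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_stream(ciphertext, key)


def majority_fails(ciphertext: bytes) -> bool:
    """True if the ciphertext-only method refuses to produce a key."""
    try:
        recover_key(ciphertext)
        return False
    except ValueError:
        return True


# --- constructed sample: 16 chunks, mostly 0xFF, some data in the first two ---
def build_sample_plaintext() -> bytes:
    save = bytearray(b"\xff" * (16 * KEY_LEN))
    save[0:4] = b"SAVE"
    save[4:8] = (7).to_bytes(4, "little")            # pretend play counter
    save[0x100:0x110] = b"player name 0001"
    save[KEY_LEN + 0x40:KEY_LEN + 0x48] = b"chunktwo"
    return bytes(save)


_rng = random.Random(2011)                           # fixed seed: deterministic demo
SAMPLE_KEY = bytes(_rng.getrandbits(8) for _ in range(KEY_LEN))
SAMPLE_PLAINTEXT = build_sample_plaintext()
SAMPLE_CIPHERTEXT = xor_stream(SAMPLE_PLAINTEXT, SAMPLE_KEY)
# Four chunks with a different byte at every position: no majority anywhere.
NO_MAJORITY_SAMPLE = b"".join(
    bytes((i + j) & 0xFF for j in range(KEY_LEN)) for i in range(4))


def demo() -> bool:
    """Both attacks recover the same key and the plaintext round-trips."""
    k1 = recover_key(SAMPLE_CIPHERTEXT)
    k2 = key_from_known_plaintext(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT)
    return k1 == k2 == SAMPLE_KEY and decrypt(SAMPLE_CIPHERTEXT, k1) == SAMPLE_PLAINTEXT


if __name__ == "__main__":
    print("recovered key matches:", demo())
    print("refuses on data with no 0xFF majority:", majority_fails(NO_MAJORITY_SAMPLE))
```

The `min_agreement` threshold is the check worth keeping when running this on a real dump: a save whose chunks are nearly all real data gives no clean majority at some positions, and at those positions the vote returns a wrong key byte silently unless you demand a strict majority. Any 512 bytes of known plaintext avoid the problem entirely.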

Wearleveling

The 3DS employs a wearleveling scheme on the savegame FLASH chips. This is done through a blockmap and a journal. The blockmap is located at offset 0 of the flash chip and is immediately followed by the journal. The initial virtual-to-physical sector mapping is dictated by the blockmap, and the journal entries are then applied to it in order.

The blockmap structure is simple:

struct header_entry {
        uint8_t chksums[8];
        uint8_t phys_sec;
        uint8_t alloc_cnt;
} __attribute__((__packed__));

The journal structure is as follows:

struct sector_entry {
        uint8_t virt_sec;       // Mapped to sector
        uint8_t prev_virt_sec;  // Physical sector previously mapped to
        uint8_t phys_sec;       // Mapped from sector
        uint8_t prev_phys_sec;  // Virtual sector previously mapped to
        uint8_t phys_realloc_cnt;       // Amount of times physical sector has been remapped
        uint8_t virt_realloc_cnt;       // Amount of times virtual sector has been remapped
        uint8_t chksums[8];
} __attribute__((__packed__));

struct long_sector_entry{
        struct sector_entry sector;
        struct sector_entry dupe;
        uint32_t magic;
}__attribute__((__packed__));

With magic being a constant 0x080d6ce0.
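An added example, not code from the original page: a Python parser for the blockmap and journal structures above that rebuilds the de-wearleveled image. It parses one `header_entry` per virtual sector at offset 0, then reads `long_sector_entry` records from directly after the blockmap until the magic no longer matches, and applies each entry as "virtual sector `virt_sec` now lives in physical sector `phys_sec`". The sector size, the sector count, the one-entry-per-virtual-sector blockmap layout, and treating `dupe` as a redundant copy that must match are assumptions; the flash image is constructed.

```python
# Added example (not from the original page): undoing the savegame
# wearleveling. Sector size/count, blockmap layout and the dupe check are
# assumptions; the sample flash image is constructed below.
import struct

HEADER_ENTRY = struct.Struct("<8sBB")          # chksums[8], phys_sec, alloc_cnt
SECTOR_ENTRY = struct.Struct("<BBBBBB8s")      # virt, prev_virt, phys, prev_phys,
                                               # phys_realloc_cnt, virt_realloc_cnt, chksums
LONG_SECTOR_ENTRY = struct.Struct("<14s14sI")  # sector, dupe, magic
JOURNAL_MAGIC = 0x080D6CE0


def parse_blockmap(flash: bytes, sector_count: int) -> list:
    """Initial mapping: blockmap entry i names the physical sector of virtual sector i (assumption)."""
    mapping = []
    for i in range(sector_count):
        _chksums, phys_sec, _alloc_cnt = HEADER_ENTRY.unpack_from(flash, i * HEADER_ENTRY.size)
        mapping.append(phys_sec)
    return mapping


def parse_journal(flash: bytes, offset: int) -> list:
    """Journal entries following the blockmap; the first bad magic ends the journal."""
    entries = []
    while offset + LONG_SECTOR_ENTRY.size <= len(flash):
        sector, dupe, magic = LONG_SECTOR_ENTRY.unpack_from(flash, offset)
        if magic != JOURNAL_MAGIC:
            break
        if sector != dupe:
            # Assumption: dupe is a redundant copy; a mismatch indicates a torn write.
            raise ValueError(f"journal entry at {offset:#x}: sector/dupe mismatch")
        entries.append(SECTOR_ENTRY.unpack(sector))
        offset += LONG_SECTOR_ENTRY.size
    return entries


def apply_journal(mapping: list, entries: list) -> list:
    """Each entry remaps virt_sec to phys_sec; later entries override earlier ones."""
    mapping = list(mapping)
    for virt_sec, _prev_virt, phys_sec, _prev_phys, _prc, _vrc, _chksums in entries:
        if virt_sec >= len(mapping):
            raise ValueError(f"journal maps virtual sector {virt_sec} beyond the blockmap")
        mapping[virt_sec] = phys_sec
    return mapping


def final_mapping(flash: bytes, sector_count: int) -> list:
    journal_offset = sector_count * HEADER_ENTRY.size   # journal immediately follows the blockmap
    return apply_journal(parse_blockmap(flash, sector_count), parse_journal(flash, journal_offset))


def journal_ok(flash: bytes, sector_count: int) -> bool:
    try:
        parse_journal(flash, sector_count * HEADER_ENTRY.size)
        return True
    except ValueError:
        return False


def dewearlevel(flash: bytes, sector_size: int, sector_count: int) -> bytes:
    """Concatenate physical sectors in virtual order."""
    out = bytearray()
    for phys in final_mapping(flash, sector_count):
        start = phys * sector_size
        if start + sector_size > len(flash):
            raise ValueError(f"physical sector {phys} lies outside the flash image")
        out += flash[start:start + sector_size]
    return bytes(out)


# --- constructed sample flash: 4 sectors of 0x200 bytes ---
SECTOR_SIZE = 0x200
SECTOR_COUNT = 4


def build_sample_flash() -> bytes:
    flash = bytearray(SECTOR_SIZE * SECTOR_COUNT)
    for i in range(SECTOR_COUNT):                       # identity blockmap
        HEADER_ENTRY.pack_into(flash, i * HEADER_ENTRY.size, b"\0" * 8, i, 0)
    for i, fill in ((1, b"A"), (2, b"B"), (3, b"C")):  # recognisable sector contents
        flash[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] = fill * SECTOR_SIZE
    # Journal: virtual 1 now lives in physical 3, and virtual 3 in physical 1.
    off = SECTOR_COUNT * HEADER_ENTRY.size
    for virt, prev_virt, phys, prev_phys in ((1, 1, 3, 1), (3, 3, 1, 3)):
        sec = SECTOR_ENTRY.pack(virt, prev_virt, phys, prev_phys, 1, 1, b"\0" * 8)
        LONG_SECTOR_ENTRY.pack_into(flash, off, sec, sec, JOURNAL_MAGIC)
        off += LONG_SECTOR_ENTRY.size
    return bytes(flash)           # bytes after the last entry stay zero: no magic, journal ends


if __name__ == "__main__":
    img = dewearlevel(build_sample_flash(), SECTOR_SIZE, SECTOR_COUNT)
    print("virtual order:", [img[i * SECTOR_SIZE:i * SECTOR_SIZE + 1] for i in range(SECTOR_COUNT)])
```

The checksums in both structures are carried through but not verified, since the page does not say what they cover; the sector/dupe comparison is the only integrity check the visible layout supports.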

Partitions

There can be multiple partitions on the chip. For some games one of them is a backup partition, some games seem to use only one partition, and yet others actually use multiple partitions. Partitions are defined at the start of the de-wearleveled blob. At offset 0x200 into the image the DIFI blobs start; each of these 0x130-byte blobs describes one partition. To find a partition's filesystem you need two fields of its DIFI blob: the uint32_t at 0x9C is the start of the filesystem relative to the base of the partition, and the uint32_t at 0xA4 is the length of the filesystem. Partitions are concatenated, so the end of one partition is the beginning of the next. The first partition starts at 0x2000.

Filesystem

Savefiles are stored on the FLASH in a custom filesystem called SAVE. SAVE has a header that describes where the various parts of the filesystem live; the most important of these is the FST (file system table). To locate the FST, first find the file base offset, which is the offset to which all entries in the FST are relative: it is a uint16_t at 0x58 from the filesystem start. The FST offset is a uint32_t at 0x6C from the filesystem start, expressed in blocks of 0x200 bytes.

Once you've found the FST, parsing it is fairly straightforward.

 #include <stdint.h>

 struct fs_entry {
     uint32_t node_cnt;       // root entry: number of nodes including the root; file entries: 1
     uint8_t  filename[0x10]; // NUL-padded name
     uint32_t index;
     uint32_t unk1;           // magic?
     uint32_t block_offset;   // in 0x200-byte blocks, relative to the file base offset
     uint32_t file_size;      // in bytes
     uint32_t unk2;
     uint32_t unk3;           // flags and/or date?
     uint32_t unk4;
 } __attribute__((__packed__));

The first entry is the root directory, easily identifiable by its node_cnt being larger than 1 (file entries have a node_cnt of 1). The node_cnt includes the root directory itself, so node_cnt - 1 file entries follow it; each entry is 0x30 bytes. Reading a file out is as simple as taking the file base offset, adding (block_offset * 0x200) to it, and reading file_size bytes from there.

Example from Super MonkeyBall 3D:

0003800: 04000000 21000000 00000000 00000000  ....!...........
0003810: 00000000 00000000 00000000 00000000  ................
0003820: 00000000 00000000 00000000 00000000  ................
0003830: 01000000 736d6233 64732e64 61740000  ....smb3ds.dat..
0003840: 00000000 00000000 d57b1100 05000000  .........{......
0003850: e4060000 00000000 c8cf0008 00000000  ................
0003860: 01000000 6d677265 706c6179 30302e64  ....mgreplay00.d
0003870: 61740000 01000000 d57b1100 09000000  at.......{......
0003880: 1c210000 00000000 cd331000 00000000  .!.......3......
0003890: 01000000 6d677265 706c6179 30312e64  ....mgreplay01.d
00038a0: 61740000 02000000 d57b1100 1a000000  at.......{......
00038b0: 1c210000 00000000 00000000 00000000  .!..............
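The whole chain from the de-wearleveled image to the file contents, as an added Python example that is not code from the original page: it reads the first DIFI blob at 0x200 for the filesystem start and length, adds the start to the first partition's base of 0x2000, reads the file base offset at +0x58 and the FST block offset at +0x6C of the SAVE header, and walks the FST entries. The FST bytes are the Super MonkeyBall 3D dump shown above (placed at 0x3800, the same offset the dump shows); the rest of the image is constructed, only the first partition is handled, and "the file base offset is relative to the filesystem start" is an assumption, as is the name `MONKEYBALL` written into the first file as a marker.

```python
# Added example (not from the original page): DIFI -> SAVE header -> FST -> file data.
# Only the first partition is handled; the image around the real FST dump is constructed.
import struct

BLOCK = 0x200
DIFI_BASE = 0x200
DIFI_SIZE = 0x130
FIRST_PARTITION = 0x2000
# node_cnt, filename[16], index, unk1, block_offset, file_size, unk2, unk3, unk4
FS_ENTRY = struct.Struct("<I16sIIIIIII")


def first_partition_fs(img: bytes):
    """(absolute filesystem start, filesystem length) from the first DIFI blob."""
    fs_start_rel, = struct.unpack_from("<I", img, DIFI_BASE + 0x9C)
    fs_len, = struct.unpack_from("<I", img, DIFI_BASE + 0xA4)
    fs_start = FIRST_PARTITION + fs_start_rel
    if fs_start + fs_len > len(img):
        raise ValueError("DIFI describes a filesystem beyond the end of the image")
    return fs_start, fs_len


def parse_fst(img: bytes, fs_start: int, fs_len: int) -> list:
    """Walk the FST and return one dict per file with its absolute data offset."""
    file_base, = struct.unpack_from("<H", img, fs_start + 0x58)
    fst_blocks, = struct.unpack_from("<I", img, fs_start + 0x6C)
    fst = fs_start + fst_blocks * BLOCK
    node_cnt = FS_ENTRY.unpack_from(img, fst)[0]
    if node_cnt < 1:
        raise ValueError("root entry has no nodes")
    files = []
    for i in range(1, node_cnt):                   # node_cnt counts the root itself
        e = FS_ENTRY.unpack_from(img, fst + i * FS_ENTRY.size)
        name = e[1].split(b"\0", 1)[0].decode("ascii")
        data = fs_start + file_base + e[4] * BLOCK   # assumption: base is relative to fs start
        if data + e[5] > fs_start + fs_len:
            raise ValueError(f"{name}: data runs past the end of the filesystem")
        files.append({"name": name, "index": e[2], "block_offset": e[4],
                      "size": e[5], "offset": data})
    return files


def read_file(img: bytes, entry: dict) -> bytes:
    return img[entry["offset"]:entry["offset"] + entry["size"]]


# The FST dump from the page (Super MonkeyBall 3D), as raw bytes.
FST_DUMP = bytes.fromhex(
    "04000000 21000000 00000000 00000000 "
    "00000000 00000000 00000000 00000000 "
    "00000000 00000000 00000000 00000000 "
    "01000000 736d6233 64732e64 61740000 "
    "00000000 00000000 d57b1100 05000000 "
    "e4060000 00000000 c8cf0008 00000000 "
    "01000000 6d677265 706c6179 30302e64 "
    "61740000 01000000 d57b1100 09000000 "
    "1c210000 00000000 cd331000 00000000 "
    "01000000 6d677265 706c6179 30312e64 "
    "61740000 02000000 d57b1100 1a000000 "
    "1c210000 00000000 00000000 00000000 "
)


def build_sample_image() -> bytes:
    """Constructed image: one partition whose filesystem starts at 0x3000."""
    img = bytearray(0xA000)
    struct.pack_into("<I", img, DIFI_BASE + 0x9C, 0x1000)   # fs start, relative to 0x2000
    struct.pack_into("<I", img, DIFI_BASE + 0xA4, 0x7000)   # fs length
    fs = 0x3000
    struct.pack_into("<H", img, fs + 0x58, 0x1000)          # file base offset
    struct.pack_into("<I", img, fs + 0x6C, 4)               # FST at block 4 -> 0x3800
    img[0x3800:0x3800 + len(FST_DUMP)] = FST_DUMP
    first_file = fs + 0x1000 + 5 * BLOCK                    # smb3ds.dat, block_offset 5
    img[first_file:first_file + 10] = b"MONKEYBALL"         # marker, constructed
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    start, length = first_partition_fs(image)
    for f in parse_fst(image, start, length):
        print(f"{f['name']:16} block {f['block_offset']:#5x} size {f['size']:#7x} at {f['offset']:#x}")
```

The bounds check against the filesystem length is the one a practitioner wants here: the sizes in the dump are consistent (smb3ds.dat occupies blocks 5 to 8, mgreplay00.dat blocks 9 to 0x19, mgreplay01.dat starts at 0x1a), but a corrupted or hand-edited FST can point past the partition, and slicing a Python bytes object silently truncates instead of failing.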
