[Help wanted] Test all kinds of cartridge save #6

Open
1 of 4 tasks
wwylele opened this issue Dec 2, 2019 · 12 comments

Owner

wwylele commented Dec 2, 2019

Due to my limited supply of cartridge games, I couldn't test all kinds of wear leveling / encryption schemes. Specifically, the following cases need testing:

  • Very early cartridge releases that have the exploit known as the "repeat CTR failure".
  • (Not sure if this exists at all) Very-but-not-the-most early cartridge releases that have the same exploit but the v2 key generation method. save3ds currently assumes this doesn't exist, and would give a verification error if it does exist.
  • N3DS exclusive games. Note that you need to provide the correct --key19x and --key1ax to test this.
  • Other than 128KB, 512KB and 1MB, any other Card1 flash size?

Cu3PO42 commented Dec 14, 2019

I just tested my copy of Cubic Ninja (released shortly after the 3DS itself), which has crypto version 0.
All data was extracted using GodMode9.

Unfortunately, I get the following error:

Signature mismatch, caused by corrupted data
Error: SignatureMismatch

Let me know how I can help with debugging this.

Owner Author

wwylele commented Dec 14, 2019

@Cu3PO42 could you test it again on 4ee749a?


Cu3PO42 commented Dec 14, 2019

Unfortunately I still get the same error as before. I could probably log the CartFormat data and send you the save file to help with debugging, though. I never actually played that game (I wonder why that is...), so there's nothing personal on it.

Owner Author

wwylele commented Dec 14, 2019

@Cu3PO42 Sure, I'd like to look into the file


Cu3PO42 commented Dec 14, 2019

Sent you an e-mail to your GMail address.

Owner Author

wwylele commented Dec 19, 2019

@Cu3PO42 Unfortunately I couldn't figure it out with what you sent to me... I need to look at the ROM header and the private header but I guess you can't send them to me. If you have any ideas, please tell me.

Owner Author

wwylele commented Dec 20, 2019

@Cu3PO42 What is the region of your Cubic Ninja (JPN/USA/EUR...)?
Could you test it with the following code change:

priv_header.read_exact(&mut cart_id_short)?;

Instead of reading 8 bytes, read 4 bytes and fill the rest with 0xFF:

priv_header.read_exact(&mut cart_id_short[0..4])?;
cart_id_short[4]=cart_id_short[5]=cart_id_short[6]=cart_id_short[7]=0xFF;

If this doesn't work, maybe you could bruteforce the last four bytes...?


Cu3PO42 commented Dec 20, 2019

My copy of Cubic Ninja is the European version. I can, indeed, not send you those files for the reason boot9 doesn't come hardcoded in this project. I am, however, happy to run any number of tests or check specific things in the headers.

I tried the change you suggested with a minor fix to get it to compile: In Rust assignments don't return their values, but the unit object (), so I split it up into multiple statements.

Unfortunately, it still yields the same error. Bruteforcing those four bytes is something I can look into. My Rust skills need a bit of work anyway, so implementing that is as good an exercise as any. I'll probably try that after Christmas.

Happy holidays to you!
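
The change discussed in the two comments above (read 4 bytes instead of 8 and fill the rest with 0xFF), written so that it compiles, as an added example that is not save3ds's own code and was not posted by either participant. The function name `read_cart_id_short`, the `CartIdLayout` enum and the sample bytes are assumptions made for this example.

```rust
use std::io::{self, Cursor, Read};

/// How many bytes of the 8-byte buffer come from the private header.
/// (Hypothetical enum for this example only.)
#[derive(Clone, Copy)]
pub enum CartIdLayout {
    /// Original code path: read all 8 bytes.
    Full8,
    /// Suggested change: read 4 bytes, pad the remaining 4 with 0xFF.
    Short4Padded,
}

pub fn read_cart_id_short<R: Read>(
    priv_header: &mut R,
    layout: CartIdLayout,
) -> io::Result<[u8; 8]> {
    // Start from all-0xFF so the unread tail already holds the padding value.
    // This avoids the chained assignment `a = b = 0xFF`, which Rust rejects
    // because an assignment evaluates to the unit value ().
    let mut cart_id_short = [0xFFu8; 8];
    let n = match layout {
        CartIdLayout::Full8 => 8,
        CartIdLayout::Short4Padded => 4,
    };
    // read_exact returns ErrorKind::UnexpectedEof if the header is truncated.
    priv_header.read_exact(&mut cart_id_short[..n])?;
    Ok(cart_id_short)
}

fn main() -> io::Result<()> {
    // Constructed sample bytes, not taken from any real cartridge.
    let sample: [u8; 8] = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08];
    let full = read_cart_id_short(&mut Cursor::new(sample), CartIdLayout::Full8)?;
    let short = read_cart_id_short(&mut Cursor::new(sample), CartIdLayout::Short4Padded)?;
    println!("full : {:02X?}", full);
    println!("short: {:02X?}", short);
    Ok(())
}
```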

Owner Author

wwylele commented Dec 21, 2019

@Cu3PO42 Hmm, one thing looks weird to me. The save you sent to me is a 1MB Card1 save, which I originally believed was a chip type only available to very late games (like Pokemon Sun/Moon, which you previously mentioned).

I found a friend that had a copy of this game. To avoid legal issues, I only let him run ctrtool and give me the save data size info, and it turned out that the game's exheader says the save data size is 128 KB, which is a different size from what you sent to me.

I want you to verify your copy using ctrtool by running the command

./ctrtool CubicNinjaFile | grep 'Savedata'

and report what it prints. Additionally, run the same command on Pokemon Sun and report the savedata size. Thank you!

Owner Author

wwylele commented Dec 21, 2019

Actually, I feel you might have sent me a Pokemon Sun save instead of Cubic Ninja's, because its wear levelling relocation table has some strange similarity with the old Pokemon Sun save you sent to me.


Cu3PO42 commented Dec 21, 2019

I just checked and you're right, ctrtool gives me a 128KB save size for Cubic Ninja. I double checked my 3DS' SD card and found the correct save, which decrypts with the code from current master. Hooray!

For future reference I also checked Sun and it reports 1016K.

I'm really sorry for the confusion I caused, but I have absolutely no idea what happened there. The file I have labeled as a Cubic Ninja save is not equal to any of the files from gm9/out and doesn't decrypt with the data for my Sun either (I also didn't create more than one backup of it, and this is not the file I have for that). And I currently do not own any physical copies of Moon or US/UM.

After a quick consultation of the script I use to take backups of these files, I didn't manage to spot an obvious bug either... I really am a bit stumped. I hope I didn't cause too much unnecessary work or frustration.

I'll try to borrow a few more games from friends and test them when I get back home in the new year!

Owner Author

wwylele commented Mar 16, 2020

No description provided.
