Extracting savegames without trucha

Posted by marc_max 
Extracting savegames without trucha
August 19, 2010 12:40AM
Hi,
I'm developing the final version of BrawlStats (http://wiibrew.org/wiki/BrawlStats) and I have a question.
My application needs a cIOS or trucha bug in order to read Super Smash Bros. Brawl save data. I have no problem with that, but I'm aware that other users don't want to install a cIOS or to patch an IOS.
I was wondering if there is any way to read the save data without having to use a cIOS or trucha.

I tried with ES_SetUID(0x1000052534250ULL); before initializing NAND but it always returns -1017. (Note: 0x0001000052534250 is the title ID.)
I have also been trying with ES_Identify but I'm a beginner when talking about permissions. I copied the code from another application that gets certs from /sys/cert.sys, generates a ticket (I don't know if this is valid) and gets the title's TMD. All these commands (seem to) work perfectly, but ES_Identify fails again, returning another -1017.

Can anyone tell me if this is possible? And if it's possible, what's the best and cleanest way to achieve it?
BrawlStats only reads savedata from NAND, it doesn't modify anything so I only need read rights.



Edited 1 time(s). Last edit at 08/19/2010 12:41AM by marc_max.
Re: Extracting savegames without trucha
August 19, 2010 04:15AM
I'm working on this too - Right now I'm trying setting the IRQs to zero (essentially killing IOS) and using PowerPC to access the NAND filesystem. Although, I really haven't put much time into it yet...



Edited 1 time(s). Last edit at 08/19/2010 04:15AM by Arikado.
Re: Extracting savegames without trucha
August 20, 2010 05:54PM
Then it's harder than I thought.

If you get some results, please post them here, I'm very interested :)
Re: Extracting savegames without trucha
August 21, 2010 12:16AM
you don't need trucha bug to read files from the nand. you will need to do some trickery to get the IOS to let you access those files. most of the stuff you are trying needs really old IOS or patched up IOS to work like you are expecting it to... ES_Identify, ES_SetUID, ISFS_Open( some random file ). there is, however, a really simple way that will work on the newest of IOS with no patches.

just open the game partition of that game. that's it, put the disc in your wii, open the partition at 0xf800000 and you get access to that game's save data. basically it just tells the DI in the IOS to do its own ES_Identify(). you can test this by doing ES_GetTitleID(). it will usually give you nothing, error, or using the latest HBC & libogc, it will give you the TID of HBC. then open the game partition and check the TID again.



other possible options include reading the nand directly from the PPC. you can use the MINI and ppcskel/brickmii as a template. the code is enough to read the entire contents of the nand without dealing with permissions. the drawbacks of doing it this way are
1) if you use the MINI route, there is no libogc and all the nice framework libraries. you're stuck with basic GFX and no usb/network/etc
2) with the ahbprot given by HBC now, it is possible to read the nand directly from PPC and have no permission issues. But as of now, I don't think there is a publicly available library made for this. you would have to write one, convert the one from MINI, or something like this.

given the available options, the easiest that is guaranteed to always work is just opening the game partition.



Edited 2 time(s). Last edit at 08/21/2010 12:29AM by giantpune.
Re: Extracting savegames without trucha
August 21, 2010 09:41AM
Thanks for your answer, giantpune :)

However, the idea of having the disc is not an option. I know almost all of you here are against backups, but some users play from hard disk instead of the original disc. I don't want to open the same discussion again.
But... Is it possible to make a legit disc check? Explanation: the user inserts the original Brawl disc and BrawlStats saves the game partition information somehow (maybe the ticket data?) for the next runs (so it won't need the disc anymore, it will only be needed once). Is that possible?

The other solutions are not possible for me. I can't go past libogc, I'm just a 'beginner' Wii coder :) And also, the last BrawlStats version is using GRRLIB for graphics, and I'm not going to reject all the new code and GUI.
The AHBPROT looks good, but I'm also thinking of users without HBC.

Quote
giantpune
you don't need trucha bug to read files from the nand. you will need to do some trickery to get the IOS to let you access those files. most of the stuff you are trying needs really old IOS or patched up IOS to work like you are expecting it to... ES_Identify, ES_SetUID, ISFS_Open( some random file ). there is, however, a really simple way that will work on the newest of IOS with no patches.

just open the game partition of that game. that's it, put the disc in your wii, open the partition at 0xf800000 and you get access to that game's save data. basically it just tells the DI in the IOS to do its own ES_Identify(). you can test this by doing ES_GetTitleID(). it will usually give you nothing, error, or using the latest HBC & libogc, it will give you the TID of HBC. then open the game partition and check the TID again.



other possible options include reading the nand directly from the PPC. you can use the MINI and ppcskel/brickmii as a template. the code is enough to read the entire contents of the nand without dealing with permissions. the drawbacks of doing it this way are
1) if you use the MINI route, there is no libogc and all the nice framework libraries. you're stuck with basic GFX and no usb/network/etc
2) with the ahbprot given by HBC now, it is possible to read the nand directly from PPC and have no permission issues. But as of now, I don't think there is a publicly available library made for this. you would have to write one, convert the one from MINI, or something like this.

given the available options, the easiest that is guaranteed to always work is just opening the game partition.
Re: Extracting savegames without trucha
August 23, 2010 10:18AM
you can use smashstack to start your program, at least for users with the correct version of the game. as long as you don't reload the IOS before you read the save data, the IOS should think that what is talking from the PPC ( your program ) is still the game and it will still let whatever is running on the PPC access that save data.

another thought...
I'm not sure if this will work or not, but if you start your program with bannerbomb and no disc in the drive, you should inherit the system menu's ID & privileges. i think ES_SetUID() might work for you then. either way, there should be some way you can access save data using the system menu's privileges.



Edited 2 time(s). Last edit at 08/23/2010 10:25AM by giantpune.
Re: Extracting savegames without trucha
August 24, 2010 10:12AM
Thank you again, giantpune.
Both Stack Smash & Bannerbomb sound good, but I was looking for a universal method.
Stack Smash could be the best solution because it's run within the game. Main problem is that it's only for NTSC users (and I'm a PAL).
Re: Extracting savegames without trucha
August 27, 2010 10:05PM
Quote
giantpune
just open the game partition of that game. that's it, put the disc in your wii, open the partition at 0xf800000 and you get access to that game's save data. basically it just tells the DI in the IOS to do its own ES_Identify(). you can test this by doing ES_GetTitleID(). it will usually give you nothing, error, or using the latest HBC & libogc, it will give you the TID of HBC. then open the game partition and check the TID again.
Does anyone have sample code for opening the game partition? I'm writing an application to deal with the SMG2 save file and I can't find it anywhere.
Re: Extracting savegames without trucha
August 28, 2010 10:31AM
look in geckoOS, apploader.c, dvd_switchios(). it's not commented at all, but basically, you init the DVD drive, read the list of partitions, find the partition that is type 0, and open that one. that function does a lot more, but just stop at opening the partition and then check to see that you have the correct TID with ES_GetTitleID(). if you do, then you should be able to read the save.
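
The "read the list of partitions, find the partition that is type 0" step from the last reply, as an added example that is not geckoOS code and not from any poster in this thread. It assumes the publicly documented Wii disc layout (a partition info block at disc offset 0x40000 holding four {count, table offset >> 2} pairs, followed by 8-byte {partition offset >> 2, type} entries); the function names and the sample table are constructed for illustration, and reading the bytes from the drive and opening the partition are left to the DI code referenced above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PART_INFO_OFFSET 0x40000u /* disc offset of the partition info block (assumed layout) */
#define PART_GROUPS 4             /* four {count, table offset >> 2} pairs */
#define PART_TYPE_DATA 0u         /* "type 0": the game data partition */

static uint32_t be32(const uint8_t *p) { /* disc fields are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* region holds len bytes read from disc offset 0x40000.
 * Returns 0 and stores the byte offset of the first type-0 partition,
 * or -1 if the table is malformed or contains no such partition. */
int find_data_partition(const uint8_t *region, size_t len, uint64_t *offset) {
    if (len < PART_GROUPS * 8) return -1;
    for (int g = 0; g < PART_GROUPS; g++) {
        uint32_t count = be32(region + g * 8);
        uint64_t table = (uint64_t)be32(region + g * 8 + 4) << 2;
        if (count == 0) continue;                 /* unused group */
        if (table < PART_INFO_OFFSET) return -1;  /* table points before our buffer */
        uint64_t rel = table - PART_INFO_OFFSET;
        /* every entry must lie inside the buffer before we touch it */
        if (rel > len || (uint64_t)count * 8 > len - rel) return -1;
        for (uint32_t i = 0; i < count; i++) {
            const uint8_t *e = region + rel + (size_t)i * 8;
            if (be32(e + 4) == PART_TYPE_DATA) {
                *offset = (uint64_t)be32(e) << 2; /* stored as offset >> 2 */
                return 0;
            }
        }
    }
    return -1;
}

/* Constructed sample: update partition (type 1) at 0x50000, game partition at 0xf800000.
 * count is the entry count written into group 0; returns 0 when nothing usable is found. */
uint64_t sample_offset(uint32_t count) {
    uint8_t region[0x40];
    uint64_t off = 0;
    memset(region, 0, sizeof region);
    put_be32(region, count);                 /* group 0: number of entries */
    put_be32(region + 4, 0x40020u >> 2);     /* group 0: table at disc offset 0x40020 */
    put_be32(region + 0x20, 0x50000u >> 2);   put_be32(region + 0x24, 1);
    put_be32(region + 0x28, 0xf800000u >> 2); put_be32(region + 0x2c, PART_TYPE_DATA);
    return find_data_partition(region, sizeof region, &off) == 0 ? off : 0;
}
```

With the offset in hand, the remaining steps are the ones described in the reply: open that partition through DI and confirm the result with ES_GetTitleID().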