Final Fantasy X savegame editing (specifically, how to break the CRC/checksum)

[LJH]

I used the Search feature and found an old topic on this, but no real answer.
So, did anyone ever work out how the CRC/checksum/whatever is calculated for the saves?

If it helps, I'm using the raw save (copied via uLaunchELF) rather than any fancy format, and I don't have any cheat device to use for a bypass code.

[LJH]

I'm guessing I'm meant to take that as a no?

[LJH]

I've found the checksum/CRC is stored at 1A and again at the 3rd and 4th bytes from the end of the file, but I can't work out how it's calculated... whether it's just finding the right range, or an actual weird calculation, I dunno. :/

On one file, the 1s complement CRC-16 for the range starting from 4 bytes after the first checksum, with the final byte being the one two before the second checksum, was correct except for being backwards, but on the others, it's nowhere near.
Anyone got any ideas on what I'm doing wrong?

[LJH]

Anyone?

[Cyberman]

If they are using a CRC-16 (CITT 16 seems to be used on FF8 I don't know about FF9) that's relatively straight forward.

There are a few things needed,

• polynomial (CITT 16 uses 0x1021 for example)
• initial state (CITT 16 uses 0xFFFF)
• final state (CITT inverts the bits of the CRC data)
• range of data is the next thing.  It might be very difficult to discern what data is being checked without actually running FFX under a debugger of some sort.
  

that's what I can think of off the top of my head.  I have a large number of FFX savestates on an old card, problem is I have only the Sony save state mover for the PS3. Haven't found any way to hook it to a PC and use it for anything on that.

Cyb

[LJH]

Here's a few saves you can try messing with:

http://www.randomblackguy.net/ffxsaves.rar

They're all in raw format, copied directly from the memory card rather than using any manager like SharkPort.


I've also noticed the hex string 5D6256 near the start and end of each save, not sure if it means anything. :/

[LJH]

Any luck?

Can anyone tell me how other FF save games calculate theirs? It might be something similar so worth a try.

I've tried CRC16 and CITT but neither work, I'm thinking this may be a CRC with a custom polynomial or initial value?

[LJH]

About that 5D6256 hex string... it's a character's name. >_> (Not their default one)

I've worked out where the names are stored in the save now, and the character encoding used, although that's not much help without the checksum/CRC being broken.

The only other thing I've found is that the data before the first checksum is NOT accounted for in it. You can change this as much as you like and the save may have weird results in the menu, but it will still load perfectly, no corruption message.

Also: I now have a cheat device I can use to bypass it, but that's not much help either without a bypass code, and plus I'd still rather know how to calculate it properly.

[LJH]

And yes, I've tried searching the site for that info, both on FFX and older FFs. The only thing I've found anywhere for older FFs is to do with FF8 and it didn't help much...

(EDIT: Sorry about the multiple posts - I'm used to GameFAQs which doesn't have an edit button and therefore multiple posting is considered acceptable... and this board doesn't have a delete button for users so I can't remove the extra posts either...)

[Cyberman]

Welll you might try the BFI method. (Brute Force and Ignorant).

Basically if you start poking locations you believe are outside the CRC check until you get an error you will find your range.
You probably already have an idea about where it starts and ends.  So twiddle with the data a bit until you get the right data I guess?

I have the gameshark file transfer toy to move files from FFX to the PC via USB device. I suppose I could use that to transfer old data back and forth between a data card and watch when it throws up.  I can run FFX using PCSX2 also.  That might actually be faster.  In essence make a lot of saves to the memory card (100 each) and then diddle the data.

I am busy however maybe sometime next week I can get time.  Designing complicated things takes a lot of time. Sigh.

Cyb

[LJH]

I think it's from 2 bytes after the first checksum, until the very last byte before the second one...

I did notice, the entire save is copied into active memory in a save state, but there are some differences and the checksum is replaced with A747, not sure if this is helpful in any way...

[Cyberman]

Have you added any data to the wiki?
Also I'm trying to figure out the structure of the 8M Sony cards. It's rather interesting as they are actually 8448K in size.  It appears the store data in 1K blocks too.  256K likely is used for directory structure (leaving 32 bytes per block) I've noticed cards that go up to 64M which indicates 8*8192 = 64K or uint16 sized block numbering.

Once beyond basic structure. I'll poke through the save data next.

Cyb

[LJH]

Um... you shouldn't need to break the structure at all. You can use homebrew software to transfer the raw save files, or PS2 Save Builder to extract them from the cheat device save file of your choice. For PCSX2 memory card files, there's a program called MyMC that can insert and extract them.

[LJH]

Okay, if you haven't already cracked much, don't worry about it (unless you're wanting to do it anyway), as I've found a way to bypass the checksum test altogether without the use of a cheat device.

[Cyberman]

Okay, if you haven't already cracked much, don't worry about it (unless you're wanting to do it anyway), as I've found a way to bypass the checksum test altogether without the use of a cheat device.

LOL Ummm actually I was working on an editor.  I prefer to directly edit the save file. Hence why I wanted to know the structure.  I'm looking at FFXII too gotta collected enough saves to make it worth it I guess.

Erstwhile it's rather interesting to examine how people store data.  So I am continuing twiddling with the data.

Cyb