Post by dlevere on Dec 1, 2012 9:25:10 GMT -4
Well known PS3 Developer flatz has released Game Save Tools, his tools are used for save game decryption/encryption, resigning and patching SFO, here is a quote from the read me:
‘pfdtool’ & ‘sfopatcher’ (beta version) by flatz
ATTENTION!!! Be careful with ‘pfdtool’ because it is working with the directory you specify so it will overwrite files inside it.
Some notes about keys:
1. ‘Syscon Manager Key’ (syscon_manager_key): a constant key from a Syscon Manager.
2. ‘PARAM.SFO Key’ (param_sfo_key): a constant key used for PARAM.SFO entry.
3. ‘Fallback Disc Hash Key’ (fallback_disc_hash_key): a constant key used for discless PSN/SEN games.
4. ‘Authentication ID’ (authentication_id): an additional constant key.
5. ‘Console ID’ (console_id): your unique console identifier.
6. ‘Secure File ID’ (secure_file_id): per a game file, almost the same for all files of the game, specified by a game developer (used to encrypt save game files and to hash their content).
7. ‘Disc Hash Key’ (disc_hash_key): per a game disc or a constant key for PSN/SEN games (used to hash a file entry). You need to use an original game disc and extract it from the disc. For PSN/SEN games they used a fallback disc hash key. ‘Disc Hash Key’ hash is not verified by PS3 so you can omit this key.
Attention! Some game developers (for example, creators of Metal Gear Solid 4) uses a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself.
1. Paste your console specific data inside ‘global.conf’.
You need to paste your console ID (IDPS) and needed keys.
Open ‘Keys’ page on the PS3DevWiki and look into the ‘Key lists – sc_iso module 1.00-4.00′. There is a ‘Syscon Manager Key’ at the #2.
Open ‘Talk:Keys’ page on the PS3DevWiki and search for strings ‘Params’ and ‘Fallback key’. They are ‘PARAM.SFO Key’ and ‘Fallback Disc Hash Key’.
2. Prepare required keys for the game and place them inside ‘games.conf’.
You need these keys only to verify your .PFD file (it is an optional feature) or to play with save game data encryption.
So if you want only to resign a foreign save game then you need only your console ID and skip some hash updates by specifying some flags at ‘pfdtool’.
For secure file IDs you can specify an exact file name or use wildcards to match a file name (for example, you don’t need to specify the same key for all game files if the game uses the same key for all of them).
A disc hash key can be extracted only from an original game disc. For PSN/SEN games a fallback disc hash key is used. This type of hash is not verified by PS3 so you can omit its key but they can add a check in the future firmware versions.
So if you want to use ‘Disc Hash Key’=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and ‘Secure File ID’=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY for a save file named ‘SAVE.DAT’ and your game have a product code=’BLZZZZZZZ’ place them inside a config file:
[BLZZZZZZZ]
disc_hash_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
secure_file_id:SAVE.DAT=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
3. Make a custom save game to use it as a pattern for ‘sfopatcher’.
1) You may also need to patch a copy protection flag inside your PARAM.SFO because some games uses it:
sfopatcher patch <input PARAM.SFO> <output PARAM.SFO> –remove-copy-protection
After copying it to the PS3 you need to update a game cache. You have two solutions:
a) ‘Rebuild Database’ in the system recovery menu. Be careful with it because it can corrupt your file system in rarely cases.
b) Manually copy your save game to the corresponding folder by using a FTP client (for example, embedded in MultiMAN).
2) You need to patch a foreign PARAM.SFO with data from your PARAM.SFO (the tool uses your account ID, save parameters, optional title and description values):
sfopatcher build <foreign PARAM.SFO> <your PARAM.SFO> <patched PARAM.SFO>
If you also want to patch title and description use a command below:
sfopatcher build <foreign PARAM.SFO> <your PARAM.SFO> <patched PARAM.SFO> –copy-title –copy-detail
4. Import your optionally patched save game folder to ‘pfdtool’ and use it.
Make sure that you specify a game setting set (from ‘games.conf’) otherwise you will get some fails.
Attention!
a) You will always get a ‘Disc Hash Key FAIL’ if you don’t use a valid disc hash key. It is not important because it is not checked.
b) If you will get a ‘Console ID Hash FAIL’ then you use a wrong console ID.
c) If you will get a ‘Secure File ID Hash FAIL’ then you use a wrong secure file ID for a corresponding file.
You don’t need to get a valid console ID for foreign save, just use your console ID and update a save game.
1) To list all entries from PARAM.PFD use a ‘list’ command:
pfdtool -l <save game folder>
2) To check the validity of PARAM.PFD use a ‘check’ command.
pfdtool -g <game setting set> -c <save game folder>
3) If you don’t plan to modify save game files and you want only to resign a save game for your console then just use an ‘update’ command with a ‘partial’ update option:
pfdtool -g <game setting set> -p -u <save game folder>
4) If you plan to modify save game files then use an ‘update’ command without the option above:
pfdtool -g <game setting set> -u <save game folder>
5) To encrypt or decrypt specified save game files use ‘encrypt’ or ‘decrypt’ command:
pfdtool -g <game setting set> -e <save game folder> <file1 file2…>
pfdtool -g <game setting set> -d <save game folder> <file1 file2…>
6) To bruteforce a secure file ID use a ‘brute’ command along with the .ELF file from the game and specified decimal offset (I recommend to specify an offset of data segment which is usually started at 70-80% of the entire file):
pfdtool -b <save game folder> <elf file> <starting offset in decimal> <file1 file2…>
Bruteforcing a secure file ID takes a lot of time because it is based on hashing of the game file. The larger the file size, the longer the wait. And bruteforcing don’t guarantee that you will get a secure file ID because it can not be specified in the plaintext inside an ELF file.
Once again, if you want to easily resign a save game (as publicly known commercial tools does) you just need to place your console ID and use the command:
pfdtool -p -u <save game folder>
I also recommend to use my ‘Disc Key Dumper’ (incorrectly named because it is a disc hash key really) and ‘Secure File ID Dumper’ to dump keys directly from the memory of a game. But they are written for 3.55 CFW. I will port them to the 4.21 soon.
I will be glad to see if someone will write a batch script for automate the process or a GUI application because I have no time to do it personally.
Also will be nice if someone will create a centralized storage of game setting’ sets to find keys there.
In the future the tool needs to be improved for error handling because it is poor at the moment. I will plan to improve it in further versions.
flatz has also added Secure File ID dumper to the bundle of tools, here is a read-me for that file:
Secure File ID Dumper
A secure file ID is specified by developer of the game. There are can be more than one secure file ID's, one ID per file.
There are cases when these bytes stored at EBOOT.ELF as is, so you can use my PFD tool to bruteforce them by specifying a PARAM.PFD and file name.
In other cases you need skills of reverse-engineering and a disassembler to find a secure file ID.
That’s why I had created this dumper. It dumps a secure file ID from memory itself.
Requirements:
- 3.55 CFW (e.g. Kmeaw)
- MultiMAN or original dev_blind application and FTP client
1. Install `Data Dumper` (data_dumper.pkg) if you didn’t installed it before.
It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin
A data which stored there is written by dumper loaders, e.g. by Klicensee Dumper.
2. Install `Secure File ID Dumper Loader` (secure_file_id_dumper_loader.pkg).
It stores a file path to the file which used in your save data and a secure file ID of this file.
3. Now you need to replace original libraries located at `dev_flash/vsh/module` by modified versions. There are `ps3_savedata_plugin.sprx`, `ps3_savedata_plugin_game.sprx`, `ps3_savedata_plugin_game_mini.sprx`. I use a dev_blind feature from MultiMAN, you can use any other way. Don’t forget to backup original files.
4. Reboot a console to clear a data storage in LV2 memory.
5. Now you need to start `Secure File ID Dumper`, then start your game.
6. Then you need to make a game save.
7. After exiting from the game you need to run `Data Dumper`, you will hear some beeps.
8. Then run any FTP client (e.g. builtin in MultiMAN) and download dumped secure file IDs from /dev_hdd0/tmp/dumps.bin.
9. Restore original libraries `ps3_savedata_plugin.sprx`, `ps3_savedata_plugin_game.sprx`, `ps3_savedata_plugin_game_mini.sprx` using the same method as at step 3.
Notes:
Not all of these libraries used with all games, there is one library per game type.
Download
Follow flatz on Twitter.
‘pfdtool’ & ‘sfopatcher’ (beta version) by flatz
ATTENTION!!! Be careful with ‘pfdtool’ because it is working with the directory you specify so it will overwrite files inside it.
Some notes about keys:
1. ‘Syscon Manager Key’ (syscon_manager_key): a constant key from a Syscon Manager.
2. ‘PARAM.SFO Key’ (param_sfo_key): a constant key used for PARAM.SFO entry.
3. ‘Fallback Disc Hash Key’ (fallback_disc_hash_key): a constant key used for discless PSN/SEN games.
4. ‘Authentication ID’ (authentication_id): an additional constant key.
5. ‘Console ID’ (console_id): your unique console identifier.
6. ‘Secure File ID’ (secure_file_id): per a game file, almost the same for all files of the game, specified by a game developer (used to encrypt save game files and to hash their content).
7. ‘Disc Hash Key’ (disc_hash_key): per a game disc or a constant key for PSN/SEN games (used to hash a file entry). You need to use an original game disc and extract it from the disc. For PSN/SEN games they used a fallback disc hash key. ‘Disc Hash Key’ hash is not verified by PS3 so you can omit this key.
Attention! Some game developers (for example, creators of Metal Gear Solid 4) uses a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself.
1. Paste your console specific data inside ‘global.conf’.
You need to paste your console ID (IDPS) and needed keys.
Open ‘Keys’ page on the PS3DevWiki and look into the ‘Key lists – sc_iso module 1.00-4.00′. There is a ‘Syscon Manager Key’ at the #2.
Open ‘Talk:Keys’ page on the PS3DevWiki and search for strings ‘Params’ and ‘Fallback key’. They are ‘PARAM.SFO Key’ and ‘Fallback Disc Hash Key’.
2. Prepare required keys for the game and place them inside ‘games.conf’.
You need these keys only to verify your .PFD file (it is an optional feature) or to play with save game data encryption.
So if you want only to resign a foreign save game then you need only your console ID and skip some hash updates by specifying some flags at ‘pfdtool’.
For secure file IDs you can specify an exact file name or use wildcards to match a file name (for example, you don’t need to specify the same key for all game files if the game uses the same key for all of them).
A disc hash key can be extracted only from an original game disc. For PSN/SEN games a fallback disc hash key is used. This type of hash is not verified by PS3 so you can omit its key but they can add a check in the future firmware versions.
So if you want to use ‘Disc Hash Key’=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and ‘Secure File ID’=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY for a save file named ‘SAVE.DAT’ and your game have a product code=’BLZZZZZZZ’ place them inside a config file:
[BLZZZZZZZ]
disc_hash_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
secure_file_id:SAVE.DAT=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
3. Make a custom save game to use it as a pattern for ‘sfopatcher’.
1) You may also need to patch a copy protection flag inside your PARAM.SFO because some games uses it:
sfopatcher patch <input PARAM.SFO> <output PARAM.SFO> –remove-copy-protection
After copying it to the PS3 you need to update a game cache. You have two solutions:
a) ‘Rebuild Database’ in the system recovery menu. Be careful with it because it can corrupt your file system in rarely cases.
b) Manually copy your save game to the corresponding folder by using a FTP client (for example, embedded in MultiMAN).
2) You need to patch a foreign PARAM.SFO with data from your PARAM.SFO (the tool uses your account ID, save parameters, optional title and description values):
sfopatcher build <foreign PARAM.SFO> <your PARAM.SFO> <patched PARAM.SFO>
If you also want to patch title and description use a command below:
sfopatcher build <foreign PARAM.SFO> <your PARAM.SFO> <patched PARAM.SFO> –copy-title –copy-detail
4. Import your optionally patched save game folder to ‘pfdtool’ and use it.
Make sure that you specify a game setting set (from ‘games.conf’) otherwise you will get some fails.
Attention!
a) You will always get a ‘Disc Hash Key FAIL’ if you don’t use a valid disc hash key. It is not important because it is not checked.
b) If you will get a ‘Console ID Hash FAIL’ then you use a wrong console ID.
c) If you will get a ‘Secure File ID Hash FAIL’ then you use a wrong secure file ID for a corresponding file.
You don’t need to get a valid console ID for foreign save, just use your console ID and update a save game.
1) To list all entries from PARAM.PFD use a ‘list’ command:
pfdtool -l <save game folder>
2) To check the validity of PARAM.PFD use a ‘check’ command.
pfdtool -g <game setting set> -c <save game folder>
3) If you don’t plan to modify save game files and you want only to resign a save game for your console then just use an ‘update’ command with a ‘partial’ update option:
pfdtool -g <game setting set> -p -u <save game folder>
4) If you plan to modify save game files then use an ‘update’ command without the option above:
pfdtool -g <game setting set> -u <save game folder>
5) To encrypt or decrypt specified save game files use ‘encrypt’ or ‘decrypt’ command:
pfdtool -g <game setting set> -e <save game folder> <file1 file2…>
pfdtool -g <game setting set> -d <save game folder> <file1 file2…>
6) To bruteforce a secure file ID use a ‘brute’ command along with the .ELF file from the game and specified decimal offset (I recommend to specify an offset of data segment which is usually started at 70-80% of the entire file):
pfdtool -b <save game folder> <elf file> <starting offset in decimal> <file1 file2…>
Bruteforcing a secure file ID takes a lot of time because it is based on hashing of the game file. The larger the file size, the longer the wait. And bruteforcing don’t guarantee that you will get a secure file ID because it can not be specified in the plaintext inside an ELF file.
Once again, if you want to easily resign a save game (as publicly known commercial tools does) you just need to place your console ID and use the command:
pfdtool -p -u <save game folder>
I also recommend to use my ‘Disc Key Dumper’ (incorrectly named because it is a disc hash key really) and ‘Secure File ID Dumper’ to dump keys directly from the memory of a game. But they are written for 3.55 CFW. I will port them to the 4.21 soon.
I will be glad to see if someone will write a batch script for automate the process or a GUI application because I have no time to do it personally.
Also will be nice if someone will create a centralized storage of game setting’ sets to find keys there.
In the future the tool needs to be improved for error handling because it is poor at the moment. I will plan to improve it in further versions.
flatz has also added Secure File ID dumper to the bundle of tools, here is a read-me for that file:
Secure File ID Dumper
A secure file ID is specified by developer of the game. There are can be more than one secure file ID's, one ID per file.
There are cases when these bytes stored at EBOOT.ELF as is, so you can use my PFD tool to bruteforce them by specifying a PARAM.PFD and file name.
In other cases you need skills of reverse-engineering and a disassembler to find a secure file ID.
That’s why I had created this dumper. It dumps a secure file ID from memory itself.
Requirements:
- 3.55 CFW (e.g. Kmeaw)
- MultiMAN or original dev_blind application and FTP client
1. Install `Data Dumper` (data_dumper.pkg) if you didn’t installed it before.
It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin
A data which stored there is written by dumper loaders, e.g. by Klicensee Dumper.
2. Install `Secure File ID Dumper Loader` (secure_file_id_dumper_loader.pkg).
It stores a file path to the file which used in your save data and a secure file ID of this file.
3. Now you need to replace original libraries located at `dev_flash/vsh/module` by modified versions. There are `ps3_savedata_plugin.sprx`, `ps3_savedata_plugin_game.sprx`, `ps3_savedata_plugin_game_mini.sprx`. I use a dev_blind feature from MultiMAN, you can use any other way. Don’t forget to backup original files.
4. Reboot a console to clear a data storage in LV2 memory.
5. Now you need to start `Secure File ID Dumper`, then start your game.
6. Then you need to make a game save.
7. After exiting from the game you need to run `Data Dumper`, you will hear some beeps.
8. Then run any FTP client (e.g. builtin in MultiMAN) and download dumped secure file IDs from /dev_hdd0/tmp/dumps.bin.
9. Restore original libraries `ps3_savedata_plugin.sprx`, `ps3_savedata_plugin_game.sprx`, `ps3_savedata_plugin_game_mini.sprx` using the same method as at step 3.
Notes:
Not all of these libraries used with all games, there is one library per game type.
Download
Follow flatz on Twitter.
