Sponsored Links

Sponsored Links

Page 1 of 2 12 LastLast
Results 1 to 10 of 14



  1. #1
    Senior Member Transient's Avatar
    Join Date
    Apr 2007
    Posts
    334
    Sponsored Links

    Question PS3 savegame file format

    Sponsored Links
    I was wondering if anyone has attempted to figure out the PS3 savegame file format? Specifically, I'm referring to the savedata itself (not the images, sounds and other supporting files). I've searched around but there is very little information available on it.

    From what I can tell, the PS3 savedata (SYS-DATA) file is encoded somehow and most likely encrypted.

    If it is encrypted, I wonder if it's possible to discover the key using a dev unit? We already know PS3 saves can be shared among different consoles, so it can't be console specific.

  2. #2
    Senior Member jabberosx's Avatar
    Join Date
    Dec 2006
    Posts
    199
    Sponsored Links
    Sponsored Links
    they are actually game specific and grow in size is relation to the amount of info unlocked in the game. e.g. COD4 save differ in size based on how far in the game you are in. That they are encrypted or not.. Is something i am not sure off but am sure some of the resident devs will be able to shed more light on it.

    Interestingly, I too havent heard much on this end.. considering two of the bigger exploits in PSP and WII are save game exploits.. LCS and Twilight. Hopefully someone will comment on this ..

  3. #3
    Contributor d4ny's Avatar
    Join Date
    Sep 2007
    Posts
    24
    Sponsored Links
    Sponsored Links
    I'm sure that save game exploits are buffer overflows on these platforms. PS3 has execution environment that taking care of stack overflow, stack smashing, buffer overflow attacks etc. There must be serious implementation bug in application (game) which could load save game data into code segment to execute it, because execution of code placed in data segmets is strictly secured by execution environment.

    So in my opinion it is not the way that our lovely PS3 could be hacked.

  4. #4
    Senior Member Transient's Avatar
    Join Date
    Apr 2007
    Posts
    334
    Quote Originally Posted by d4ny View Post
    So in my opinion it is not the way that our lovely PS3 could be hacked.
    Perhaps, but that wasn't my goal. I simply wanted to map out the savegame file format. There's a fairly large number of people who enjoy editing their save files for any number of reasons.

    I've only looked at a small sample of game saves, but from what I've seen the files appear encrypted. That may not be the case.

    One mutli-platform example I've been looking at is Oblivion. Save games can be interchanged between PC and Xbox 360 with a bit of work, however games saved on a PS3 don't appear to follow the same format. It would seem unlikely that the publisher would rewrite the save routines only on the PS3 version.

    I'll keep working at it, but if anyone has any further details I'd appreciate it.

  5. #5
    Contributor puppero's Avatar
    Join Date
    Jul 2008
    Posts
    38
    Quote Originally Posted by Transient View Post
    One mutli-platform example I've been looking at is Oblivion. Save games can be interchanged between PC and Xbox 360 with a bit of work, however games saved on a PS3 don't appear to follow the same format. It would seem unlikely that the publisher would rewrite the save routines only on the PS3 version.
    I think this is actually quite possible. Or maybe there is some byte order issue.

    I've taken a quick glance at ps3 savegame download from the net. I'd say that profile.sav is really encrypted, probably with a game specific key. PARAM.PFD is interesting. It seems to me that after the file name of PARAM.SFO and PROFILE.SAV there is some kind of encrypted/hash block. At the end of the file there are 20 byte obsessively repeated. I guess those are the hash (maybe sha1) of the unencrypted profile.sav. This is just a guess of course.
    Last edited by puppero; 08-20-2008 at 09:17 AM Reason: Automerged Doublepost

  6. #6
    Contributor d4ny's Avatar
    Join Date
    Sep 2007
    Posts
    24
    I've looked for a while into SDK and got some interesting informations about managing game saves on PS3.

    1. It looks like there (in system libs for security reasons) are some methods to perform save game like cellSaveDataFixedSave2, cellSaveDataAutoSave2. These methods takes a funcFile parameter of type CellSaveDataFileCallback.
    In body of funcFile implementation the value of CELL_SAVEDATA_FILETYPE_SECUREFILE is assigned to fileType field of CellSaveDataFileSet structure. There is also possibility to assign CELL_SAVEDATA_FILETYPE_NORMALFILE to a "fileType" field (and other values regarding icons - forget it in this case).

    So, it confirms that writing encrypted/unencrypted game saves is application specific.

    2. There is also another very interesting field in CellSaveDataFileSet structure. The field name is "secureFileId" and it contains 16 bytes array. Application have to set it to unique value. I can't confirm that, but I guess that this value is used as key to encrypt/decrypt save data. The 16 bytes perfectly matches requirements for storing GUID values (read more at [Register or Login to view links]).

    So it looks like:
    - every game have own 128bit key
    - functions which manages game saves are in firmware and uses symmetric key algorithm
    - the encryption algorithm is not game specific

    Regards

  7. #7
    Contributor puppero's Avatar
    Join Date
    Jul 2008
    Posts
    38
    I guess the algorithm is AES, so breaking it is not an option. But the key may be interesting, if it is a guid and not a random number it may have some kind of structure that narrows the key space. This is just a speculation of course.

  8. #8
    Contributor d4ny's Avatar
    Join Date
    Sep 2007
    Posts
    24
    Yes, it's more than possible that the algorithm is AES.

    This is from sysutil/savedata sample readme file: "Please specify unique 16 bytes of secureFileId before compiling the program."

    So it says unique not random.

  9. #9
    Senior Member Transient's Avatar
    Join Date
    Apr 2007
    Posts
    334
    Thanks for the useful information.

    Maybe this is already known, but I noticed something while looking at several PS3 save files. If you open an SFO file from a save game and look after the word "TITLE" (for reference only) you'll see 16 bytes. This seems to be console specific and is always the same no matter which game.

    Also, at the end of the PFD files, that 20 byte sequence which appears to repeat, well that isn't always the case. After looking at several files, it seems the 20 byte sequence usually repeats, but sometimes one of the sequences is different. Try adjusting your display so you can see it in neatly aligned columns and you'll see what I mean.

  10. #10
    Contributor angelbemine3's Avatar
    Join Date
    Aug 2005
    Posts
    23
    It occured to me that if this is AES then whats the possiblity that the hypervisor does on the fly aes encyption? Also is it possible that any data the ps3 writes it will incorperate a general public certificate.

    Think about it this way. If you have ever set up an open vpn network you know that every client needs to have a certificate to tell the network who it is. Then it will also have a key file that was signed by the master key saying that it is ok to go onto the network.

    Here is the theory. Lets say that the certs are created on the ps3 itself and the key is also created on the same machine. Boots up, runs and app to create random digits and uses those digits to create the certs and the keys. Now how does the certs get signed? Easy. They incorperate a script inside everygame to sign them for you. When ever a game creates a save it creates the cert as well as the key. The cert might be diffrent but the key will be the same. Ok soo its a b.s. idea but its what i got.

 
Sponsored Links

Page 1 of 2 12 LastLast
Advertising - Affiliates - Contact Us - PS3 Downloads - PS3 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 3 News