PS3 Save Game Tools Pack Updated by Flat_z, PFDTool v0.2.0 Fix
Following up on his initial release, this weekend PlayStation 3 developer Flat_z has updated his PS3 Save Game Tools hacking pack alongside a fix for PFDTool v0.2.0 followed by v0.2.1 and v0.2.2 with details below.
From the included ReadMe file: Guys, here is an updated version of pfdtool.
Please test it carefully because I have no time at the moment to test it by myself.
Support of PARAM.PFD for trophies (without keys, of course)
Support of PARAM.PFD v4 which used in a newer SDK
Fixed a bug with verify operation on signature hashes
Now you can use a list of product codes delimeted by '/' (slash), for example: [BLUS31142/BLES01403], they should use the same disc hash key and secure file IDs
Show an information about .PFD type and version
The format for 'global.conf' is different. Please add these changes to your files:
1. Add a new parameter called 'user_id' which set the user identifier (the same number as used in your home folder: /dev_hdd0/home/[user_id]/)
2. Add a new parameter called 'keygen_key'. Open 'Talk:Keys' page on the PS3DevWiki and search for string 'KeygenV4'
3. Rename the parameter 'param_sfo_key' to 'savegame_param_sfo_key' (see below)
4. There a bunch of new keys for trophies: 'trophy_param_sfo_key', 'tropsys_dat_key', 'tropusr_dat_key', 'troptrns_dat_key', 'tropconf_sfm_key' and they are not public so left them as XX.
Also I noticed that some of you use a kernel swapping feature in the REX firmware. Don't forget to use your current (!) console ID. For example, if you made a save game on a DEX then you need to specify a DEX console ID.
Disc hash keys are sent to the PS3 by the Blu Ray Drive itself (well, not the actual disc hash key but some data from the disc which will be encrypted after that and used as a disc hash key).
PFDTool 0.2.1 Changelog:
Fixed issues with the file size.
PFDTool 0.2.2 Changelog:
Now encrypt and decrypt operations update hashes automatically (be sure to use all keys!).
Fixed another issue with the file size of modified files.
Removed a verbose flag because it is not used at the moment.
PS3 Save Game Tools Pack Updated by Flat_z, PFDTool v0.2.3 Out
Following up on his previous update, today PlayStation 3 developer Flat_z has updated the PS3 Save Game Tools Pack to include SFOPatcher v0.2.0 and PFDTool version 0.2.3 alongside an update to the BruteforceSaveData GUI by aldostools below.
From Flat_z: Some people asked me about the source code of pfd & sfo tools.. here they are (linked above).
Guys, here is an update of my tools. It contains an update to sfopatcher (see the changelog below) and a small update to pfdtool. Previously you should make a save game for your game on your console and then use PARAM.SFO from it as a template to PARAM.SFO from a foreign save game to build a new PARAM.SFO which will contain the data specific to your console. A newer version of sfopatcher will use a foreign save data directory and params only if you specify these options.
From aldostools: A new version of the frontend is available with the updated tools from flatz and new settings to take advantage of these features.
Changes: new "Rebuild" option, new "Restore" option, updated the database with secure_file_id for more than 750 games (over 3140 title ids). Added a new "date" column. Special thanks to flatz, Alex at CMP, acab, skillerCMP, gingerbread and many others
Added an option to specify the relative offset to advance each time while bruteforcing a secure file ID.
Below is a guide from zorrolaro on how to use PFDTool without PS3 CFW using Borderlands 2 as an example:
.net 1.1 runtimes (for PS3 PoxyServer): [Register or Login to view links]
Create a folder near your root drive for pfdtool (i.e. c:/pfdtool/), then extract all files into that folder from the linked archive.
Download and install wireshark and winPcap (included with the wireshark installer)
Download and install the .net runtimes
Download and install PS3 ProxyServer
Open a command prompt (start menu -> all programs -> accessories -> command prompt) and enter command "ipconfig". Write down the IPv4 address (should look like 192.168.0.10 or something similar)
Open PS3 ProxyServer and copy the IPv4 address you wrote down into the IP Address field and check of PS3 mode, leave the other options alone. Hit the big start button. Keep you IPv4 number handy, you'll need it again. Leave this program running.
Open Wireshark. On the left side there is an option to start capture. Left click with your mouse to select the appropriate network adapter listed below the start command. If you are not sure about which adapter to use, select them all using ctrl + left mouse click. Hit the start button once you've highlighted the appropriate adapters. Leave this program running.
Boot up your PS3 and navigate to Settings -> Network Settings -> Internet Connection Settings. on the first page select Custom, on the second select whether you are connected wirelessly or wired. Skip all other options by hitting right on your controller until you get to the Proxy Server page, then select use for that option. input the IPv4 address you wrote down earlier into the top field.
Make sure that the port number on this page matches the port number on PS3 ProxyServer (should both say 8080). Skip to the last page on the configuration and hit x. Test connection when prompted by hitting x again. As long as the top 3 fields say succeeded you can carry on to the next step. if not, review your settings in this step and steps 5 and 6 and retry.
Sign into the playstation network and login to the psn store.
Go back to your pc and check Wireshark. There should be a whole bunch of information displayed on the screen, don't worry you don't need to know what it means. Press [ctrl]+ e to stop capturing, then press [ctrl]+f to bring up your search dialogue. Under "find" check of "string" and under "Search In" check off "Packet bytes". Enter 0000000100 as your search criteria and hit enter. If the necessary packet was found, in the bottom frame it should show the number highlighted on the right side (plaintext view) to ensure you have the right packet, right before the highlighted text it should say "devideID":" and then the numbers you searched for.
Take all the numbers and letters starting with your highlighted numbers and copy everything down until you find the next quotation mark in the plaintext. You should have a total of 32 digits written down. Should look something like 000000010084 followed by a bunch of letters and numbers. This is your console id.
Go to the folder you installed pfdtool in. Open global.conf in notepad. Eidt the line where it says console_id=by adding the console id you just captured after the =. Also change the other fields that are bolded below to match
Save file and exit (make sure you save as .conf not .txt)
Open the games.conf file in the same folder. Edit it as follows for NA retail disc version only. You'll have a different game id (the BLUS30982) and secure_file_id. You'll need to ask for someone on the forums to get those for you if you are using a different region, version or entirely differnt game. You can add additional games follwing the same layout by adding more lines. The disc_hash_key is commented out, so you will get a notifaction everytime you use pfdtool, but it still works fine.
Save and close the file once you are done adding games. Again make sure you save as .conf, not .txt.
Make sure you have a copy of your save game on your pc. I like to copy them right into the same folder as pfdtool to make for shorter commands.
You are now ready to actually use pfdtool. Navigate your command prompt to the folder you installed it (command to use is simply the path of the folder, ie "c:/pfdtool"). To decrypt we use the following command:
Where the part in quotations will be changed to reflect your actual drive location and the name of the file will be changed to your actual file name. The file name and path are case sensitive, make sure you double check you have the right case.
You now have a decrypted save file. Use your hex editor of choice or in the case of Borderlands 2 you can use the latest version of Gibbed's Borderlands 2 Save Editor. Once you are done editing, sae your game again and onto the last step.
All that's left at this point is to encrypt the file again. See below, same notes as when decrypting about file path and name.
You can now transfer your save game back to your PS3.
A couple of quick notes: I have tried to make this as noob friendly as possible, but you still need some basic knowledge to follow this guide. Also, atm I really have no interest in modding any other save games so I do not have the info for other games to place in your games.conf file, though if anyone wants to post them I will be happy to add them to the guide. I did not write nor do I support any of the software mentioned in this guide.
Unfortunately we can't extract it from .PFD because IDPS is not stored there. They used it as a HMAC key to hash the content of PARAM.SFO.
I already said many times that some hashes are not checked. That's why Xploder works fine without your console ID. But my goal was the correct generation of the PFD (because S0ny can add new checks in the future) and I had managed to use all keys but you can omit some of them (based on your console id or disc hash key, for example).
From cheetahh: I can confirm that flat_z tool can be used to decrypt TROPTRANS.DAT file and if you know how to modify all the files correctly (there are different checksums and hashes in the files) you can sync those unlocked trophies to PSN as well.
From Sunny992: All information should be free, don't conceal it if it's already leaked, which it was.
Finally, from <GEEK> comes a VB.NET/C# PARAM.PFD Code Snippet below, as follows:
Figured I would share this as it is a starting point to anyone who wants to work with PARAM.PFD files within VB.NET/C#. Use it, change it, do what you want with it. I used a code converter to avoid rewriting everything between the 2 languages, and then went through and fixed what broke during the conversion.
The code could be optimized... Most of the classes/functions could easily be combined down to just a few classes/functions, and global variables should be avoided when possible other than for this demonstration. The reason it is the way it is now is so that it is easier to see what is going on. If anyone actually uses this, and wants an optimized set of functions or classes just ask.
With that said, all that is needed is a decryption/encryption (AES 128 CTR Mode) function/class for save files and you can be on your way to making your own cheat editor without the need of bundling in flatz pfdtools.
Can anyone able to communicate with the devs ask them if they could include multicore support for bruteforcing? I've got a fairly crappy quad core and each core can't do much on its own, but pfdtool seems to be locked to a single core.
Either that, or CUDA/OpenCL. one or both of those options should really speed up the bruteforcing.
Update: From <GEEK>: I suppose I sort of used the wrong term when I said this code could be optimized, to be honest, since it is working with byte arrays, you cannot really get more speed out of it unless you are constantly reading/writing large sections of bytes (which if you are, feel free to hit me up for some optimization tips on your current code). However, like I said previously, the code could be shrunk way down to a few functions and I only wrote it the way I did for people to easily learn from. Here is all the above code complete in a few functions:
When reading the protected files table (Read_PF_Table function) you can specify what you want to read out of it by pointing to another value in the PF_TABLE_SECTION structure, just be sure to also point to the correct data size for the value in the PF_TABLE_SECTION_SIZE structure.
Reads each file name (in hexadecimal, you could convert this to any encoding type you want for display purposes):
Depending on what you are reading, data is either stored in a byte array, or a list of byte arrays. If the data is in a list of byte arrays and you want to simply read a specific item from the array, do not loop through the list just output the byte array at the index within the list that you want:
In all reality, unless you are wanting to display the data, you should leave it in a byte array and work with it from there due to potential loss of data (encoding types), and speed. I have some other code some may find useful but it is on my other pc, I'll post it later on.
sorry for dumb questions. what do you use this for? how do we use/enter cheats for games. I have zero experience with this on PS3 can we enter cheats from ps3usercheat by using hex editing? or any other way? (I don't have a dongle)
please can someone give me some detailed advice because I haven't seen much clear detailed info on this that I can actually understand
how are you all doing this exactly? please enlighten me I'm using rebug 4.21
well the only game i want to try to use it on, the save file id key is unknown. I've gotten as far as decrypting the eboot to try to find the key, but brute-forcing it is going rather slowly. BLES01396/BLES01765.
the cheats that are applied directly to the eboot wouldn't be the same cheats that you could apply to the save game.
Easiest things you can do with unprotected save data is: use someone else's save as your own. modify your save data with save editors.
if there's not a save editor for the game you want to edit, you have to go in with a hex editor and look for what you want to change.
Video: PS3 Save Resigner Homebrew Application by K.G 971 Out
Following up on the PS3 Save Game Tools Pack by Flat_z, today PlayStation 3 developer K.G 971 has released a PS3 Save Resigner and updates below that allow the resigning of game save files for retail OFW or on CFW from any regions and any accounts.
To quote: Hi guys this is a PS3 save resigner. Thanks to flat_z for his amazing work. The games.conf is from aldostool. This is just for people who needs an easier way to use flat_z's tool. Credit goes to flat_z for his pfdtool.
You can resign any saves from any regions to any regions. From any accounts to any accounts. You can also remove the copy-protection.
It's easy to use, and very user-friendly. It works for Retail PS3. All you have to do is search for the keys on Internet (watch the video).
Updates: PS3 Save Resigner v1.1 homebrew application is now available (linked above) and includes the following updates:
added an option for modders: Decrypt the entire game save folder. It decrypts the game save folder for you, then it waits for you to mod what you want in it, and then it recrypts and resigns it.
How it works:
Follow the video exept that instead of clicking "resign", you will click decrypt. Then , once you are done modding, click "Encrypt & Resign". Done. You can still select the first way if you are not planning to mod the file, just hit "Resign".
PS3 Save Resigner 1.3 Changelog:
Added some features
Added "Copy params of a specified game" option: To all those who were getting corruption errors (Tekken ect..), this version may fix them.
Make sure to select the "Copy params of a specified game" option, and load the PARAM.SFO of your version of the game that you try to resign a save to.
Decrypt option updated: When you decrypt a game save folder, it's now in the folder "Decrypted Save Folders".
Attempt to fix the XP problem.
PS3 Save Resigner 1.4 Changelog:
Fixed Windows XP problems. Now it works for everyone. BIG thanks to RuiGR for his great help.
Note: the games.conf is updated regularly by aldostools, so i will update the new file each times in the "dropbox folder". You will have to replace the old one by the updated one in the tool's folder.
How to Use Someone Else's PS3 Game Save Guide - Liberating Your PS3 Game Save from gingerbread:
Method 1 - Pseudo Save Resigning
Step 1: You have to be on CFW to perform these steps. Open PARAM.SFO in any Hex Editor (i.e HxD, Hex Workshop, Ultra Edit and etc.). It does not matter which hex editor you use because all can represent data in raw and have copy/paste/find options which are sufficient.
Step 2: The "Account ID" which identifies Your user account and PSN. The Account ID always starts at (0x140) and always have 16 bytes and the length is 10.
Step 3: Replace it with your values and you have to do it twice. First at 0x140. The second offset address is somewhere in the file. Use Search and use the original value to perform a search and replace it. The address of 2nd "Account ID" is constant only with the same game save title, it's different for different games.
Step 4: The Second ID is "console id" which identifies Your console (don't mislead it with IDPS). It also have 16 bytes and also is not on constant offset.
Step 5: Third ID is user number account (for example: for "dev_hdd0/home/00000001/" will be 01)). In the example above, it is 48. There are in two position that 48 is.
Step 6: You can't simply copy back your save using XMB. It will most likely give you an error. You have to FTP back to your save folder and overwrite the files.
Note: The method works most of the time but could result in corrupted saves. If the game is design to regenerate a new save, it usually creates a new working save.
Method 2 - Fake Save Data Owner
Info: Only available in Debug FW or Rebug's CFW.
Info: Allows use of save data from other users and displays a warning message at every load/save during the game. Once a save data has been saved with this features activated, that save couldn't be read with this function deactivated.
Off: deactivate the Fake Save Data Owner function.
On: activate the Fake Save Data Owner function.
Note: There is a notification of the "Caution: Fake Save Data Owner On" every-time when any game is saving. It can be very annoying.
Method 3 - Changing Your PS3's Console ID. WARNING: May cause RSOD if done wrongly.
Step 1: Use FTP to transfer a file name xRegistry.sys from your CFW PS3 to your PC (located at /dev_flash2/etc/)
Step 2: Useing Hex Editor application to open a file named PARAM.SFO from any of your save data. Go to offset 140 you'll see your PSN account serial in a 16 digits format, copy that 16 digits and paste it somewhere (notepad or something). Look at Method 1.
Step 3: Open xRegistry.sys with the xRegistry editor (I recommend you to BACKUP the file before you edit it)
Step 4: Now you have to edit the following fields:
Step 5: Save the file and FTP it back to your CFW PS3.
Note: Now you suppose to be able to share your save data (that locked to PSN ID) between the 2 PS3s like they're the same machine. You can also hack the game with cheat PKG or other solutions on CFW PS3 and then transfer the save to OFW PS3 and continue collecting trophies with hacked saves.
Method 4 - PS3 Save Resigner by K.G (100% Real Save Resigning)
Step 1: Edit the global.conf and enter your console_id. (Ctrl+H)
Step 2: Click "Set PARAM.SFO as Template" and Select "Configure Profiles" and Pick a Profile from 1 - 5
Step 3: A Dialog Box will appear, Select "PARAM.SFO" from your save.
Step 4: Give a Name For your Profile.
Step 5: Bulit PARAM.SFO from template (Ctrl+B)
For Decrypting/Encrypting PS3 Save Data
Step 1: Edit the global.conf and enter your console_id. (Ctrl+H)
Step 2: Copy a PARAM.SFO with your account_id as template.sfo in the folder of Bruteforce Save Data (Ctrl+T)
Step 3: Scan the folder with the saves (the Key should be listed).
Step 4: If the key is not available, double click on the save and select the EBOOT.ELF to bruteforce the key (use the scetool commands above to extract the ELF)
Step 5: Once you have the secure_file_id for your game, select the following command in that order:
Step 5a: Update Account ID and Copy Parameters
Step 5b: Patch SFO: Remove Copy Protection
Step 5c: Decrypt PFD
Step 5d: Update PFD
Step 5e: Encrypt PFD
Step 5f: Verify PFD
The buttons are placed in that order... so it is easy to select:
Method 6 - Game Genie: Save Editor for PS3 (100% Real Save Resigning)
Commercial method: Game Genie for PS3 (thegamegenie.com/ps3/ -and- forum.thegamegenie.com/viewforum.php?f=8) is a save editor. The main function of this product is to modify your saves. There is also a secondary function to Resign your someone else's save and make it yours. It even works for copy-protected saves (You need CFW).
5) Press "Save Keys" (So you don't have to enter on startup)
6) Copy over *YOUR* save data from the PS3.
7) Locate "Enter Private Keys".
8) Either enter the values in yourself or load YOUR param.sfo from YOUR Save.
9) Now click save Profile (As either 01, 02, or 03)
10) On the tabs, go back to "Save Resigner"
11) Go to File > Open > Locate Modded Save Data
12) After mod save is loaded, you can change region by editing the Game ID.
13) (Don't edit the Console, Account, or User ID's)
14) Now select a profile to resign to.
15) Either decrypt the save and then edit and re-encrypt and resign OR...
16) Simply click "Resign" and use it.
17) Sometimes it still says corrupt after resign so you need to copy params.
FIXING CORRUPT ISSUES
1) Check the box of copy params of a specific game.
2) If you get an error, you need to install msvr100.dll (Link Below)
3. Now select "Resign", and it MAY fix the corrupt issue.
(I have had this problem with Sound Shapes Game Save)
PS3 Save Game Resigner by K.G = [Register or Login to view links]
Finally, Flat_z has also Tweeted (twitter.com/flat_z/status/294371165760274432) that he has reversed the whole PS3 emu encryption, stating: ps2_netemu (config, .enc, virtual memory cards cryptography) pwned