Sponsored Links

Sponsored Links

PS3 Save Game Tools Pack Updated by Flat_z, PFDTool v0.2.3 Out

Sponsored Links
84w ago - Following up on his previous update, today PlayStation 3 developer Flat_z has updated the PS3 Save Game Tools Pack to include SFOPatcher v0.2.0 and PFDTool version 0.2.3 alongside an update to the BruteforceSaveData GUI by aldostools below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links]

From Flat_z: Some people asked me about the source code of pfd & sfo tools.. here they are (linked above).

Guys, here is an update of my tools. It contains an update to sfopatcher (see the changelog below) and a small update to pfdtool. Previously you should make a save game for your game on your console and then use PARAM.SFO from it as a template to PARAM.SFO from a foreign save game to build a new PARAM.SFO which will contain the data specific to your console. A newer version of sfopatcher will use a foreign save data directory and params only if you specify these options.

From aldostools: A new version of the frontend is available with the updated tools from flatz and new settings to take advantage of these features.

Changes: new "Rebuild" option, new "Restore" option, updated the database with secure_file_id for more than 750 games (over 3140 title ids). Added a new "date" column. Special thanks to flatz, Alex at CMP, acab, skillerCMP, gingerbread and many others


pfdtool 0.2.3

  • Added an option to specify the relative offset to advance each time while bruteforcing a secure file ID.

Below is a guide from zorrolaro on how to use PFDTool without PS3 CFW using Borderlands 2 as an example:

Required Tools:


  • Create a folder near your root drive for pfdtool (i.e. c:/pfdtool/), then extract all files into that folder from the linked archive.
  • Download and install wireshark and winPcap (included with the wireshark installer)
  • Download and install the .net runtimes
  • Download and install PS3 ProxyServer
  • Open a command prompt (start menu -> all programs -> accessories -> command prompt) and enter command "ipconfig". Write down the IPv4 address (should look like or something similar)
  • Open PS3 ProxyServer and copy the IPv4 address you wrote down into the IP Address field and check of PS3 mode, leave the other options alone. Hit the big start button. Keep you IPv4 number handy, you'll need it again. Leave this program running.
  • Open Wireshark. On the left side there is an option to start capture. Left click with your mouse to select the appropriate network adapter listed below the start command. If you are not sure about which adapter to use, select them all using ctrl + left mouse click. Hit the start button once you've highlighted the appropriate adapters. Leave this program running.
  • Boot up your PS3 and navigate to Settings -> Network Settings -> Internet Connection Settings. on the first page select Custom, on the second select whether you are connected wirelessly or wired. Skip all other options by hitting right on your controller until you get to the Proxy Server page, then select use for that option. input the IPv4 address you wrote down earlier into the top field.

    Make sure that the port number on this page matches the port number on PS3 ProxyServer (should both say 8080). Skip to the last page on the configuration and hit x. Test connection when prompted by hitting x again. As long as the top 3 fields say succeeded you can carry on to the next step. if not, review your settings in this step and steps 5 and 6 and retry.
  • Sign into the playstation network and login to the psn store.
  • Go back to your pc and check Wireshark. There should be a whole bunch of information displayed on the screen, don't worry you don't need to know what it means. Press [ctrl]+ e to stop capturing, then press [ctrl]+f to bring up your search dialogue. Under "find" check of "string" and under "Search In" check off "Packet bytes". Enter 0000000100 as your search criteria and hit enter. If the necessary packet was found, in the bottom frame it should show the number highlighted on the right side (plaintext view) to ensure you have the right packet, right before the highlighted text it should say "devideID":" and then the numbers you searched for.

    Take all the numbers and letters starting with your highlighted numbers and copy everything down until you find the next quotation mark in the plaintext. You should have a total of 32 digits written down. Should look something like 000000010084 followed by a bunch of letters and numbers. This is your console id.
  • Go to the folder you installed pfdtool in. Open global.conf in notepad. Eidt the line where it says console_id=by adding the console id you just captured after the =. Also change the other fields that are bolded below to match

  • Save file and exit (make sure you save as .conf not .txt)
  • Open the games.conf file in the same folder. Edit it as follows for NA retail disc version only. You'll have a different game id (the BLUS30982) and secure_file_id. You'll need to ask for someone on the forums to get those for you if you are using a different region, version or entirely differnt game. You can add additional games follwing the same layout by adding more lines. The disc_hash_key is commented out, so you will get a notifaction everytime you use pfdtool, but it still works fine.

  • Save and close the file once you are done adding games. Again make sure you save as .conf, not .txt.
  • Make sure you have a copy of your save game on your pc. I like to copy them right into the same folder as pfdtool to make for shorter commands.
  • You are now ready to actually use pfdtool. Navigate your command prompt to the folder you installed it (command to use is simply the path of the folder, ie "c:/pfdtool"). To decrypt we use the following command:

  • Where the part in quotations will be changed to reflect your actual drive location and the name of the file will be changed to your actual file name. The file name and path are case sensitive, make sure you double check you have the right case.
  • You now have a decrypted save file. Use your hex editor of choice or in the case of Borderlands 2 you can use the latest version of Gibbed's Borderlands 2 Save Editor. Once you are done editing, sae your game again and onto the last step.
  • All that's left at this point is to encrypt the file again. See below, same notes as when decrypting about file path and name.

  • You can now transfer your save game back to your PS3.

A couple of quick notes: I have tried to make this as noob friendly as possible, but you still need some basic knowledge to follow this guide. Also, atm I really have no interest in modding any other save games so I do not have the info for other games to place in your games.conf file, though if anyone wants to post them I will be happy to add them to the guide. I did not write nor do I support any of the software mentioned in this guide.

Unfortunately we can't extract it from .PFD because IDPS is not stored there. They used it as a HMAC key to hash the content of PARAM.SFO.

I already said many times that some hashes are not checked. That's why Xploder works fine without your console ID. But my goal was the correct generation of the PFD (because S0ny can add new checks in the future) and I had managed to use all keys but you can omit some of them (based on your console id or disc hash key, for example).

From cheetahh: I can confirm that flat_z tool can be used to decrypt TROPTRANS.DAT file and if you know how to modify all the files correctly (there are different checksums and hashes in the files) you can sync those unlocked trophies to PSN as well.

From Sunny992: All information should be free, don't conceal it if it's already leaked, which it was.

It was leaked on NGU.

Finally, from comes a VB.NET/C# PARAM.PFD Code Snippet below, as follows:

Figured I would share this as it is a starting point to anyone who wants to work with PARAM.PFD files within VB.NET/C#. Use it, change it, do what you want with it. I used a code converter to avoid rewriting everything between the 2 languages, and then went through and fixed what broke during the conversion.

The code could be optimized... Most of the classes/functions could easily be combined down to just a few classes/functions, and global variables should be avoided when possible other than for this demonstration. The reason it is the way it is now is so that it is easier to see what is going on. If anyone actually uses this, and wants an optimized set of functions or classes just ask.

With that said, all that is needed is a decryption/encryption (AES 128 CTR Mode) function/class for save files and you can be on your way to making your own cheat editor without the need of bundling in flatz pfdtools.


C# Code

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 90 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

boxbundy's Avatar
#55 - boxbundy - 84w ago
sorry for dumb questions. what do you use this for? how do we use/enter cheats for games. I have zero experience with this on PS3 can we enter cheats from ps3usercheat by using hex editing? or any other way? (I don't have a dongle)

please can someone give me some detailed advice because I haven't seen much clear detailed info on this that I can actually understand
how are you all doing this exactly? please enlighten me I'm using rebug 4.21

BerserkLeon's Avatar
#54 - BerserkLeon - 84w ago
Can anyone able to communicate with the devs ask them if they could include multicore support for bruteforcing? I've got a fairly crappy quad core and each core can't do much on its own, but pfdtool seems to be locked to a single core.

Either that, or CUDA/OpenCL. one or both of those options should really speed up the bruteforcing.

Update: From : I suppose I sort of used the wrong term when I said this code could be optimized, to be honest, since it is working with byte arrays, you cannot really get more speed out of it unless you are constantly reading/writing large sections of bytes (which if you are, feel free to hit me up for some optimization tips on your current code). However, like I said previously, the code could be shrunk way down to a few functions and I only wrote it the way I did for people to easily learn from. Here is all the above code complete in a few functions:


C# Code
Add to a class:

using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;

static class clsGlobal
public static byte[] SYSCON_MANAGER_KEY = new byte[] {
public struct PFD_HEADER_SECTION
public const int MAGIC_OFFSET = 0x0;
public const int VERSION_OFFSET = 0x8;
public const int IV_OFFSET = 0x10;
public const int SIGNATURE_OFFSET = 0x20;
public const int TOP_HASH_OFFSET = 0x0;
public const int BOTTOM_HASH_OFFSET = 0x14;
public const int MAGIC_SIZE = 8;
public const int VERSION_SIZE = 8;
public const int IV_SIZE = 16;
public const int SIGNATURE_SIZE = 64;
public const int HASH_SIZE = 20;
public struct PFD_HEADER
public const int OFFSET = 0x0;
public const int SIZE = 96;
public struct HASH_TABLE
public const int OFFSET = 0x60;
public const int SIZE = 456;
public const int MAX_ENTRIES = 57;
public const int HEADER_OFFSET = 0x60;
public const int HEADER_SIZE = 24;
public const int ENTRY_OFFSET = 0x78;
public const int ENTRY_SIZE = 8;
public struct PF_TABLE_SECTION
public const int INDEX = 0;
public const int NAME = 8;
public const int GARBAGE = 73;
public const int DATA = 80;
public const int ENTRY_KEY = 80;
public const int HASHES = 144;
public const int HASH1 = 144;
public const int HASH2 = 164;
public const int HASH3 = 184;
public const int HASH4 = 204;
public const int PADDING = 224;
public const int FILE_SIZE = 264;
public const int INDEX = 8;
public const int NAME = 65;
public const int GARBAGE = 7;
public const int DATA = 192;
public const int ENTRY_KEY = 64;
public const int HASHES = 80;
public const int HASH = 20;
public const int PADDING = 40;
public const int FILE_SIZE = 8;
public struct PF_TABLE
public const int OFFSET = 0x240;
public const int SIZE = 31008;
public const int MAX_ENTRIES = 113;
public const int ENTRY_SIZE = 272;
public struct Y_TABLE
public const int MAX_ENTRIES = 56;
public const int OFFSET = 0x7b60;
public const int SIZE = 1140;
public const int ENTRY_SIZE = 20;
public struct BOTTOM_PADDING
public const int OFFSET = 0x7fd4;
public const int SIZE = 44;

Add to a class:

using System;
using System.Windows.Forms;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using glb = clsGlobal;

static class clsClasses
public static string File_Dialog(string sTitle, string sFilter, string sFileName)
OpenFileDialog OFD = new OpenFileDialog();

String retval = string.Empty;

OFD.Filter = sFilter;
OFD.InitialDirectory = Application.ExecutablePath;
OFD.Title = sTitle;
OFD.Filter = sFilter;
OFD.FileName = sFileName;

if (OFD.ShowDialog() == DialogResult.OK)
retval = OFD.FileName;
if (retval == String.Empty)
return string.Empty;
return retval;
public static byte[] AES_Decrypt(byte[] bytes, int block_size, int key_size, byte[] aes_iv, byte[] aes_key)
// AES Crypto Service Provider
AesCryptoServiceProvider AES = new AesCryptoServiceProvider();
// AES Crypto Service Provider parameters
AES.BlockSize = block_size;
AES.KeySize = key_size;
AES.IV = aes_iv;
AES.Key = aes_key;
AES.Mode = CipherMode.CBC;
AES.Padding = PaddingMode.None;
// Decrypt the bytes : AES 128 CBC mode
using (ICryptoTransform AES_Dec = AES.CreateDecryptor()) {
byte[] dec_bytes = AES_Dec.TransformFinalBlock(bytes, 0, bytes.Length);
// Return the byte array of decrypted bytes
return dec_bytes;
public static string ByteArray_To_Hex(byte[] bytes, string separator = null)
string retval = string.Empty;
StringBuilder strHex = new StringBuilder(bytes.Length * 2);

foreach (byte b in bytes) {
strHex.Append((b.ToString("X2")) + separator);

retval = strHex.ToString().ToUpper();

return retval.Trim();

public static List Read_Hash_Table(string pfd_file, int start_offset, int section_size)
List output_bytes = new List();
long curr_offset = start_offset;

for (int i = 0; i

GMOTE's Avatar
#53 - GMOTE - 85w ago
Nice news.

eric994's Avatar
#52 - eric994 - 85w ago
this is a favour i want to ask for anyone who understands this stuff.

Could it be possible to fix the "corrupt save data" dilemma in the call of duty: black ops II(BLES01717) with will highly appreciated by me and many others with the same copies of this amazing game.

PS3 News's Avatar
#51 - PS3 News - 85w ago
Following up on his initial release, this weekend PlayStation 3 developer Flat_z has updated his PS3 Save Game Tools hacking pack alongside a fix for PFDTool v0.2.0 followed by v0.2.1 and v0.2.2 with details below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Removed) / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Required)

From the included ReadMe file: Guys, here is an updated version of pfdtool.

Please test it carefully because I have no time at the moment to test it by myself.


  • Support of PARAM.PFD for trophies (without keys, of course)
  • Support of PARAM.PFD v4 which used in a newer SDK
  • Fixed a bug with verify operation on signature hashes
  • Now you can use a list of product codes delimeted by '/' (slash), for example: [BLUS31142/BLES01403], they should use the same disc hash key and secure file IDs
  • Show an information about .PFD type and version

The format for 'global.conf' is different. Please add these changes to your files:

1. Add a new parameter called 'user_id' which set the user identifier (the same number as used in your home folder: /dev_hdd0/home/[user_id]/)
2. Add a new parameter called 'keygen_key'. Open 'Talk:Keys' page on the PS3DevWiki and search for string 'KeygenV4'
3. Rename the parameter 'param_sfo_key' to 'savegame_param_sfo_key' (see below)
4. There a bunch of new keys for trophies: 'trophy_param_sfo_key', 'tropsys_dat_key', 'tropusr_dat_key', 'troptrns_dat_key', 'tropconf_sfm_key' and they are not public so left them as XX.

Also I noticed that some of you use a kernel swapping feature in the REX firmware. Don't forget to use your current (!) console ID. For example, if you made a save game on a DEX then you need to specify a DEX console ID.

Disc hash keys are sent to the PS3 by the Blu Ray Drive itself (well, not the actual disc hash key but some data from the disc which will be encrypted after that and used as a disc hash key).

PFDTool 0.2.1 Changelog:

  • Fixed issues with the file size.

PFDTool 0.2.2 Changelog:

  • Now encrypt and decrypt operations update hashes automatically (be sure to use all keys!).
  • Fixed another issue with the file size of modified files.
  • Removed a verbose flag because it is not used at the moment.

More PlayStation 3 News...

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links

Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News