PS3 Save Game Tools PlayStation 3 Hacking Pack by Flat_z Arrives


73w ago - Following up on the previous release, this weekend PlayStation 3 hacker Flat_z has released PS3 Save Game Tools including a Data Dumper, Disc Hash Key Dumper, PFD SFO Tools, Secure File ID Dumper, and a PFD Tool update with details below.

Download: PS3 Save Game Tools / PS3 Save Game Tools (Mirror) / PFD Tool Update / BruteforceSaveData v1.2.0 by aldostools

From Twitter: A save game tool in a testing phase before tomorrow's release save game tools. hehe, dunno yet maybe I will make a managed dll for pfd stuff. Another link if you experience trouble with downloading. Little update of pfdtool (I fixed an issue with 4 version for some games. They should be fine now.)

Trophies will work in the next release but I'm afraid to add support for them because you can easily hack your trophies with it and synchronize them with the server. I'll release a port of my dumpers to 4.21 soon. I'm working on a new payload which I think will allow me not to replace sprx. And a newer version will write keys directly to the file.

You don't need to replace modules and launch a dumper if you only want to resign files. A dumper is required only for extracting a save game key directly from the memory of the game. And trophy keys are the same for every console because they are constant. In addition, you don't need to extract/read/write keys every time.

A .PFD file for save games is a bit more complex than a trophy's .PFD. And games use different keys for their save files. Trophy keys are constants as I mentioned above. I don't like the name PSID because there are two different PSIDs on the PS3: PSID and OpenPSID. So I call the first one Console ID (it should contain the Target ID of your console). The second one seems to be random bytes (or encrypted bytes) which are widely used in PSN stuff.

There are different ways to get your console ID. If you have a flasher then you can make a dump of your flash, then locate your EID0 there and the first 16 bytes will be your Console ID. The second way is using a proxy server as you mentioned. A PS3 will send your console ID in different queries (for example, when you try to login to PSN, when it fetches your act.dat, etc).

It is used as an HMAC key to hash file content along with other keys. I suppose that current firmwares don't check these hashes. That's why Xploder doesn't need your Console ID. You can check it yourself by making a different console ID, resigning your save game and then trying to load it. But I want to generate all hashes correctly. That's why I used all real parameters. But you can omit some of them.

You don't need to specify a full file path, only a file name inside a folder (actually it is an entry name inside .PFD). By the way, specifying a zero offset causes very slow processing, because .ELF files have 70-80% of code and not data. And I recommend using a dumper instead of bruteforcing.

It is better than Xploder because it is not server based, so you can do what you want with your save game and I think Xploder doesn't allow you to decrypt/encrypt data (I can be wrong because I don't use the Xploder's software). Trophies are also supported but not in the current version because I didn't include keys for them in the release.

From the included ReadMe Files: Data Dumper (data_dumper.pkg)

Requirements:

  • 3.55 CFW (e.g. Kmeaw)
  • MultiMAN or original dev_blind application and FTP client

1. Install Data Dumper (data_dumper.pkg) if you haven't installed it before. It is a homebrew application that dumps data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin

2. Every time you want to dump data from my applications (e.g. Klicensee Dumper) you need to reboot the console to clear the data storage in LV2 memory.

3. Run a dumper loader, then start your game.

4. After exiting from the game you need to run Data Dumper; you will hear some beeps.

5. Then run any FTP client (e.g. the one built into MultiMAN) and download the dumped data from /dev_hdd0/tmp/dumps.bin.

Disc Hash Key Dumper (disc_hash_key_dumper_loader.pkg)

Requirements:

  • 3.55 CFW (e.g. Kmeaw)
  • MultiMAN or another FTP client

1. Install Data Dumper (data_dumper.pkg) if you haven't installed it before. It is a homebrew application that dumps data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin. The data stored there is written by dumper loaders, e.g. by Disc Hash Key Dumper.

2. Install Disc Hash Key Dumper Loader (disc_hash_key_dumper_loader.pkg). It stores a disc hash key if your game is not a PSN/SEN game.

3. Reboot the console to clear the data storage in LV2 memory.

4. Now you need to start Disc Hash Key Dumper Loader, then start your game.

5. After exiting from the game you need to run Data Dumper; you will hear some beeps.

6. Then run any FTP client (e.g. the one built into MultiMAN) and download the dumped disc hash key from /dev_hdd0/tmp/dumps.bin.

PFDTool & SFOPatcher Beta version (pfd_sfo_tools: pfdtool.exe and sfopatcher.exe)

ATTENTION!!! Be careful with 'pfdtool' because it is working with the directory you specify so it will overwrite files inside it.

Some notes about keys:

1. 'Syscon Manager Key' (syscon_manager_key): a constant key from a Syscon Manager.
2. 'PARAM.SFO Key' (param_sfo_key): a constant key used for PARAM.SFO entry.
3. 'Fallback Disc Hash Key' (fallback_disc_hash_key): a constant key used for discless PSN/SEN games.
4. 'Authentication ID' (authentication_id): an additional constant key.
5. 'Console ID' (console_id): your unique console identifier.
6. 'Secure File ID' (secure_file_id): per a game file, almost the same for all files of the game, specified by a game developer (used to encrypt save game files and to hash their content).
7. 'Disc Hash Key' (disc_hash_key): per a game disc or a constant key for PSN/SEN games (used to hash a file entry). You need to use an original game disc and extract it from the disc. For PSN/SEN games they used a fallback disc hash key. 'Disc Hash Key' hash is not verified by PS3 so you can omit this key.

Attention! Some game developers (for example, the creators of Metal Gear Solid 4) use a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself.

1. Paste your console specific data inside 'global.conf'. You need to paste your console ID (IDPS) and needed keys. Open 'Keys' page on the PS3 Dev Wiki and look into the 'Key lists - sc_iso module 1.00-4.00'. There is a 'Syscon Manager Key' at the #2.

Open 'Talk:Keys' page on the PS3 Dev Wiki and search for strings 'Params' and 'Fallback key'. They are 'PARAM.SFO Key' and 'Fallback Disc Hash Key'.

2. Prepare required keys for the game and place them inside 'games.conf'. You need these keys only to verify your .PFD file (it is an optional feature) or to play with save game data encryption. So if you want only to resign a foreign save game then you need only your console ID and skip some hash updates by specifying some flags at 'pfdtool'.

For secure file IDs you can specify an exact file name or use wildcards to match a file name (for example, you don't need to specify the same key for all game files if the game uses the same key for all of them). A disc hash key can be extracted only from an original game disc. For PSN/SEN games a fallback disc hash key is used. This type of hash is not verified by PS3 so you can omit its key but they can add a check in the future firmware versions.

So if you want to use 'Disc Hash Key'=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and 'Secure File ID'=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY for a save file named 'SAVE.DAT' and your game has a product code='BLZZZZZZZ', place them inside a config file:

3. Make a custom save game to use it as a pattern for 'sfopatcher'.

1) You may also need to patch a copy protection flag inside your PARAM.SFO because some games use it:

After copying it to the PS3 you need to update a game cache. You have two solutions:

a) 'Rebuild Database' in the system recovery menu. Be careful with it because it can corrupt your file system in rare cases.
b) Manually copy your save game to the corresponding folder by using an FTP client (for example, the one embedded in MultiMAN).

2) You need to patch a foreign PARAM.SFO with data from your PARAM.SFO (the tool uses your account ID, save parameters, optional title and description values):

If you also want to patch title and description use a command below:

4. Import your optionally patched save game folder to 'pfdtool' and use it.

Make sure that you specify a game setting set (from 'games.conf') otherwise you will get some fails.

Attention!

a) You will always get a 'Disc Hash Key FAIL' if you don't use a valid disc hash key. It is not important because it is not checked.
b) If you get a 'Console ID Hash FAIL' then you are using a wrong console ID.
c) If you get a 'Secure File ID Hash FAIL' then you are using a wrong secure file ID for the corresponding file.

You don't need to get a valid console ID for foreign save, just use your console ID and update a save game.

1) To list all entries from PARAM.PFD use a 'list' command:

2) To check the validity of PARAM.PFD use a 'check' command.

3) If you don't plan to modify save game files and you want only to resign a save game for your console then just use an 'update' command with a 'partial' update option:

4) If you plan to modify save game files then use an 'update' command without the option above:

5) To encrypt or decrypt specified save game files use 'encrypt' or 'decrypt' command:

6) To bruteforce a secure file ID use a 'brute' command along with the .ELF file from the game and specified decimal offset (I recommend to specify an offset of data segment which is usually started at 70-80% of the entire file):

Bruteforcing a secure file ID takes a lot of time because it is based on hashing of the game file. The larger the file size, the longer the wait. And bruteforcing doesn't guarantee that you will get a secure file ID because it can not be specified in the plaintext inside an ELF file.

Once again, if you want to easily resign a save game (as publicly known commercial tools do) you just need to place your console ID and use the command:

I also recommend using my 'Disc Key Dumper' (incorrectly named because it is a disc hash key really) and 'Secure File ID Dumper' to dump keys directly from the memory of a game. But they are written for 3.55 CFW. I will port them to 4.21 soon.

I will be glad if someone writes a batch script to automate the process or a GUI application because I have no time to do it personally. It would also be nice if someone created a centralized storage of game setting sets to find keys there. In the future the tool's error handling needs to be improved because it is poor at the moment. I plan to improve it in further versions.

Secure File ID Dumper (secure_file_id_dumper: ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx and secure_file_id_dumper_loader.pkg)

A secure file ID is specified by the developer of the game. There can be more than one secure file ID, one ID per file. There are cases when these bytes are stored in EBOOT.ELF as is, so you can use my PFD tool to bruteforce them by specifying a PARAM.PFD and file name.

In other cases you need skills of reverse-engineering and a disassembler to find a secure file ID. That's why I had created this dumper. It dumps a secure file ID from memory itself.

Requirements:

  • 3.55 CFW (e.g. Kmeaw)
  • MultiMAN or original dev_blind application and FTP client

1. Install Data Dumper (data_dumper.pkg) if you haven't installed it before. It is a homebrew application that dumps data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin. The data stored there is written by dumper loaders, e.g. by Klicensee Dumper.

2. Install Secure File ID Dumper Loader (secure_file_id_dumper_loader.pkg). It stores a file path to the file which is used in your save data and a secure file ID of this file.

3. Now you need to replace the original libraries located at dev_flash/vsh/module with modified versions. They are ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx. I use the dev_blind feature from MultiMAN; you can use any other way. Don't forget to back up the original files.

4. Reboot the console to clear the data storage in LV2 memory.

5. Now you need to start Secure File ID Dumper, then start your game.

6. Then you need to make a game save.

7. After exiting from the game you need to run Data Dumper, you will hear some beeps.

8. Then run any FTP client (e.g. builtin in MultiMAN) and download dumped secure file IDs from /dev_hdd0/tmp/dumps.bin.

9. Restore original libraries ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx using the same method as at step 3.

Notes: Not all of these libraries are used with all games; there is one library per game type.

From gingerbread: Save Data Information

Let me say a few words about the process of signing. There are two types of files - system file object (PARAM.SFO) and game files (which are encrypted by the secure file ID). The first one contains 3 or 4 hashes (depending on whether it is a trophy file database or not).

So for game saves they are a static key embedded in the prx module, your unique console ID, disc hash key and authentication ID (it is static too). So if you take a foreign save game you probably don't have its console ID and the disc hash key (you can only take a disc hash key if you have an original game disc for it).

Also if you don't have a secure file ID and you are too lazy to get it (by bruteforcing it/reversing the game executable/dumping from the memory) then you can't calculate hashes for game files either. That's why I created two different modes of signing/checking - one for those people who want only to resign a foreign save game and nothing more, and the second one for people who have all data to update all hashes for their save game.

The first mode is called partial update/check (see the corresponding option at pfdtool), and for full update you don't need to specify this option. The partial update only updates hashes which are easy to calculate (based on static data such as authentication ID and console ID).

So if you have a filled global.conf (all keys and your console ID) and run a partial update on the foreign save game to resign it for your console then you get a fully working resigned save game.

But if you want to modify save game files which are encrypted then you need to get all data and specify them in configuration files and then use a full update to resign it. By the way the PS3 itself doesn't check some hashes such as a hash which was calculated using a disc hash key.

So you can omit some of them (I only omitted the hash which I said and it works fine). But I don't know what situation will be in the future, maybe S0ny will add a check for them.
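The partial and full check modes and the unverified disc hash described above, as an added example that is not part of the original post or of pfdtool: a toy Python verifier showing that a keyed hash the verifier skips provides no integrity guarantee, while enforced hashes catch changed content. The keys, the record layout, the bytes each hash covers and the use of HMAC-SHA256 are all assumptions made for illustration, not the PS3's real format.

```python
import hashlib
import hmac

# Constructed 16-byte keys for this toy model; not real console or game keys.
KEYS = {
    "Console ID Hash": bytes.fromhex("00" * 15 + "01"),
    "Secure File ID Hash": bytes.fromhex("11" * 16),
    "Disc Hash Key": bytes.fromhex("22" * 16),
}
HASH_NAMES = tuple(KEYS)


def _tag(key, data):
    # HMAC-SHA256 is an assumption made for this example.
    return hmac.new(key, data, hashlib.sha256).digest()


def _inputs(name, content):
    # Assumed toy layout: which bytes each keyed hash covers.
    n = name.encode()
    return {
        "Console ID Hash": n + content,
        "Secure File ID Hash": content,
        "Disc Hash Key": n,
    }


def sign(name, content, keys):
    """Build a toy record carrying one keyed hash per key in `keys`."""
    covered = _inputs(name, content)
    tags = {h: _tag(keys[h], covered[h]) for h in HASH_NAMES}
    return {"name": name, "content": content, "tags": tags}


def check(record, keys, enforced=HASH_NAMES):
    """Return (accepted, report); report maps hash name to OK / FAIL / NOT CHECKED."""
    covered = _inputs(record["name"], record["content"])
    report = {}
    for h in HASH_NAMES:
        if h not in enforced:
            report[h] = "NOT CHECKED"
            continue
        expected = _tag(keys[h], covered[h])
        # Constant-time comparison avoids leaking how many bytes matched.
        ok = hmac.compare_digest(expected, record["tags"][h])
        report[h] = "OK" if ok else "FAIL"
    return all(v != "FAIL" for v in report.values()), report


def demo():
    good = sign("SAVE.DAT", b"slot=1;progress=40", KEYS)
    # Same record, but the disc tag is zero filler from a signer without that key.
    no_disc = dict(good, tags={**good["tags"], "Disc Hash Key": bytes(32)})
    # Content changed after signing, tags left untouched.
    altered = dict(good, content=b"slot=1;progress=99")
    lenient = ("Console ID Hash", "Secure File ID Hash")
    return {
        "lenient_no_disc": check(no_disc, KEYS, enforced=lenient),
        "strict_no_disc": check(no_disc, KEYS),
        "strict_altered": check(altered, KEYS),
    }


if __name__ == "__main__":
    for case, (accepted, report) in demo().items():
        print(case, "ACCEPTED" if accepted else "REJECTED", report)
```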

Finally, from aldostools: I have updated the BruteforceSaveData tool with the suggested changes. Also if you press the buttons holding Ctrl it will allow to edit the command line

TIP: Hold the Ctrl key and press Enter or double-click on a game to skip the bruteforce using the keys in the database. This feature can be useful for savegames with large data (e.g. >4MB and that you already know that the key is unknown)









Comments

#60 - babyjoe00069 - 70w ago
I believe and I'm hoping this program is basically used to, let's say, take your save on your slim PS3 saved with profile "aa" and copied to your phat console, and still be capable of resuming the save data with account "bb" on the other console. Am I right? Cause damn, I just restarted 2 games that I had gotten pretty far with; this would have come in handy. When using saves from a different console, I got a can't save error and trophies wouldn't work. Good up if I'm correct in what it does.

#59 - smokyyuwe - 70w ago
Your saves on your PS3 are encrypted; this is meant to unencrypt them. There is not a whole lot of information on how to "cheat" with an unencrypted save because it is still a somewhat new area.

#58 - PS3 News - 70w ago
Following up on the PS3 Save Game Tools Pack by Flat_z, today PlayStation 3 developer K.G 971 has released a PS3 Save Resigner and updates below that allow the resigning of game save files for retail OFW or on CFW from any regions and any accounts.

Download: PS3 Save Resigner Homebrew Application / PS3 Save Resigner Homebrew Application (Mirror) / PS3 Save Resigner v1.1 Homebrew Application / PS3 Save Resigner v1.3 Homebrew Application / PS3 Save Resigner v1.4 Homebrew Application / PS3 Save Resigner v1.4 Homebrew Application (Mirror) / .NET Framework 4 (Required)

To quote: Hi guys this is a PS3 save resigner. Thanks to flat_z for his amazing work. The games.conf is from aldostool. This is just for people who needs an easier way to use flat_z's tool. Credit goes to flat_z for his pfdtool.

You can resign any saves from any regions to any regions. From any accounts to any accounts. You can also remove the copy-protection.

It's easy to use, and very user-friendly. It works for Retail PS3. All you have to do is search for the keys on Internet (watch the video).

Updates: PS3 Save Resigner v1.1 homebrew application is now available (linked above) and includes the following updates:

  • added an option for modders: Decrypt the entire game save folder. It decrypts the game save folder for you, then it waits for you to mod what you want in it, and then it recrypts and resigns it.

How it works:

Follow the video except that instead of clicking "resign", you will click decrypt. Then, once you are done modding, click "Encrypt & Resign". Done. You can still select the first way if you are not planning to mod the file, just hit "Resign".

PS3 Save Resigner 1.3 Changelog:

  • Added some features
  • Added "Copy params of a specified game" option: To all those who were getting corruption errors (Tekken etc.), this version may fix them.
  • Make sure to select the "Copy params of a specified game" option, and load the PARAM.SFO of your version of the game that you try to resign a save to.
  • Decrypt option updated: When you decrypt a game save folder, it's now in the folder "Decrypted Save Folders".
  • Attempt to fix the XP problem.

PS3 Save Resigner 1.4 Changelog:

  • Fixed Windows XP problems. Now it works for everyone. BIG thanks to RuiGR for his great help.

Note: the games.conf is updated regularly by aldostools, so I will upload the new file each time to the "dropbox folder". You will have to replace the old one with the updated one in the tool's folder.








Public Keys:

  • syscon_manager_key=D413B89663E1FE9F75143D3BB4565274
  • keygen_key=6B1ACEA246B745FD8F93763B920594CD53483B82
  • savegame_param_sfo_key=0C08000E090504040D010F000406020209060D03
  • fallback_disc_hash_key=D1C1E10B9C547E689B805DCD9710CE8D








How to Use Someone Else's PS3 Game Save Guide - Liberating Your PS3 Game Save from gingerbread:

Method 1 - Pseudo Save Resigning

Step 1: You have to be on CFW to perform these steps. Open PARAM.SFO in any Hex Editor (i.e HxD, Hex Workshop, Ultra Edit and etc.). It does not matter which hex editor you use because all can represent data in raw and have copy/paste/find options which are sufficient.

Step 2: The "Account ID" identifies your user account and PSN. The Account ID always starts at (0x140) and always has 16 bytes and the length is 10.

Step 3: Replace it with your values and you have to do it twice. First at 0x140. The second offset address is somewhere in the file. Use Search and use the original value to perform a search and replace it. The address of 2nd "Account ID" is constant only with the same game save title, it's different for different games.

Step 4: The second ID is the "console id" which identifies your console (don't confuse it with IDPS). It also has 16 bytes and is also not at a constant offset.

Step 5: The third ID is the user account number (for example: for "dev_hdd0/home/00000001/" it will be 01). In the example above, it is 48. 48 appears in two positions.

Step 6: You can't simply copy back your save using XMB. It will most likely give you an error. You have to FTP back to your save folder and overwrite the files.

Note: The method works most of the time but could result in corrupted saves. If the game is designed to regenerate a new save, it usually creates a new working save.

Method 2 - Fake Save Data Owner

Info: Only available in Debug FW or Rebug's CFW.

Info: Allows use of save data from other users and displays a warning message at every load/save during the game. Once save data has been saved with this feature activated, that save can't be read with this function deactivated.

Off: deactivate the Fake Save Data Owner function.

On: activate the Fake Save Data Owner function.

Note: There is a "Caution: Fake Save Data Owner On" notification every time any game is saving. It can be very annoying.

Method 3 - Changing Your PS3's Console ID. WARNING: May cause RSOD if done wrongly.

Step 1: Use FTP to transfer a file named xRegistry.sys from your CFW PS3 to your PC (located at /dev_flash2/etc/)
Step 2: Use a hex editor application to open a file named PARAM.SFO from any of your save data. Go to offset 140 and you'll see your PSN account serial in a 16-digit format; copy those 16 digits and paste them somewhere (notepad or something). Look at Method 1.
Step 3: Open xRegistry.sys with the xRegistry editor (I recommend you BACK UP the file before you edit it)

Step 4: Now you have to edit the following fields:

Step 5: Save the file and FTP it back to your CFW PS3.

Note: Now you are supposed to be able to share your save data (that is locked to a PSN ID) between the 2 PS3s like they're the same machine. You can also hack the game with cheat PKG or other solutions on CFW PS3 and then transfer the save to OFW PS3 and continue collecting trophies with hacked saves.

Method 4 - PS3 Save Resigner by K.G (100% Real Save Resigning)

Download: PS3 Save Resigner Homebrew Application by K.G 971

Method 5 - PS3 Bruteforce Save Data by Aldostools (100% Real Save Resigning)

Download: aldostools.org/temp/BruteforceSaveData.rar

For Resigning PS3 Save Data

Step 1: Edit the global.conf and enter your console_id. (Ctrl+H)
Step 2: Click "Set PARAM.SFO as Template" and Select "Configure Profiles" and Pick a Profile from 1 - 5
Step 3: A Dialog Box will appear, Select "PARAM.SFO" from your save.
Step 4: Give a Name For your Profile.
Step 5: Build PARAM.SFO from template (Ctrl+B)

For Decrypting/Encrypting PS3 Save Data

Step 1: Edit the global.conf and enter your console_id. (Ctrl+H)
Step 2: Copy a PARAM.SFO with your account_id as template.sfo in the folder of Bruteforce Save Data (Ctrl+T)
Step 3: Scan the folder with the saves (the Key should be listed).
Step 4: If the key is not available, double click on the save and select the EBOOT.ELF to bruteforce the key (use the scetool commands above to extract the ELF)
Step 5: Once you have the secure_file_id for your game, select the following command in that order:
Step 5a: Update Account ID and Copy Parameters
Step 5b: Patch SFO: Remove Copy Protection
Step 5c: Decrypt PFD
Step 5d: Update PFD
Step 5e: Encrypt PFD
Step 5f: Verify PFD

The buttons are placed in that order... so it is easy to select:

Update Account ID -> Patch SFO -> Decrypt PFD -> Update PFD -> Encrypt PFD -> Verify PFD

Method 6 - Game Genie: Save Editor for PS3 (100% Real Save Resigning)

Commercial method: Game Genie for PS3 (thegamegenie.com/ps3/ -and- forum.thegamegenie.com/viewforum.php?f=8) is a save editor. The main function of this product is to modify your saves. There is also a secondary function to resign someone else's save and make it yours. It even works for copy-protected saves (you need CFW).

Method 7 - Xploder PS3 Ultimate Cheats System

Commercial method: xploder.net/playstation-3/products/244/Xploder-PS3-Ultimate-Cheats-System.htm

From JeoWay comes a PS3 Save Resigner by K.G Tutorial, as follows:

Hello! To start off, all tools and programs are linked at the end. REQUIRES .Net Framework 4 and msvr100.dll !!!

1) Open up the Save Resigner.
2) In the tabs, go to "Customized Profile Settings"
3) Go the options to "Enter Public Keys"
4) Enter in the Public Keys into the Correct Lines.

PUBLIC KEYS

5) Press "Save Keys" (So you don't have to enter on startup)
6) Copy over *YOUR* save data from the PS3.
7) Locate "Enter Private Keys".
8) Either enter the values in yourself or load YOUR param.sfo from YOUR Save.
9) Now click save Profile (As either 01, 02, or 03)
10) On the tabs, go back to "Save Resigner"
11) Go to File > Open > Locate Modded Save Data
12) After mod save is loaded, you can change region by editing the Game ID.
13) (Don't edit the Console, Account, or User ID's)
14) Now select a profile to resign to.
15) Either decrypt the save and then edit and re-encrypt and resign OR...
16) Simply click "Resign" and use it.
17) Sometimes it still says corrupt after resign so you need to copy params.

FIXING CORRUPT ISSUES

1) Check the box of copy params of a specific game.
2) If you get an error, you need to install msvr100.dll (Link Below)
3) Now select "Resign", and it MAY fix the corrupt issue.

(I have had this problem with Sound Shapes Game Save)

DOWNLOAD LINKS

  • msvr100.dll = http://www.microsoft.com/en-us/download/confirmation.aspx?id=5555
  • Microsoft .Net Framework 4 = http://www.microsoft.com/en-us/download/search.aspx?q=net%20framework%204.0
  • PS3 Save Game Resigner by K.G = https://www.dropbox.com/sh/x8tvy92l6d8wgeq/A_HuXl2bDm

Finally, Flat_z has also Tweeted (twitter.com/flat_z/status/294371165760274432) that he has reversed the whole PS3 emu encryption, stating: ps2_netemu (config, .enc, virtual memory cards cryptography) pwned

#57 - boxbundy - 71w ago
can someone please point me to a cheat tutorial or can someone at least help me with an answer?

#56 - BerserkLeon - 71w ago
well the only game i want to try to use it on, the save file id key is unknown. I've gotten as far as decrypting the eboot to try to find the key, but brute-forcing it is going rather slowly. BLES01396/BLES01765.

the cheats that are applied directly to the eboot wouldn't be the same cheats that you could apply to the save game.

Easiest things you can do with unprotected save data is: use someone else's save as your own. modify your save data with save editors.

if there's not a save editor for the game you want to edit, you have to go in with a hex editor and look for what you want to change.












