24w ago - Following up on the previous release, this weekend PlayStation 3 hacker Flat_z has released PS3 Save Game Tools including a Data Dumper, Disc Hash Key Dumper, PFD SFO Tools, Secure File ID Dumper, and a PFD Tool update with details below.
From Twitter: A save game tool in a testing phase before tomorrow's release save game tools. hehe, dunno yet maybe I will make a managed dll for pfd stuff. An another link if you experience a troubles with downloading. Little update of pfdtool (I fixed an issue with 4 version for some games. They should be fine now.)
Trophies will work in the next release but I'm afraid to add support for them because you can easily hack your trophies with it and synchronize them with the server. I'll release a port of my dumpers to 4.21 soon. I'm working on a new payload which I think allow me to not to replace sprx. And newer version will write keys directly to the file.
You don't need to replace modules and launch a dumper if you only want to resign files. A dumper required only for extracting a save game key directly from the memory of the game. And trophy keys are the same for every console because they are constant. In addition, you don't need to extract/read/write keys every time.
A .PFD file for save games is a bit complex than trophy's .PFD. And games uses different keys for their save files. Trophy keys are constants as I mentioned above. I don't like a name PSID because there are two different PSIDs on the PS3: PSID and OpenPSID. So I call the first one as Console ID (it should contains the Target ID of your console). The second one seems to be random bytes (or encrypted bytes) which widely used on PSN stuff.
There are different ways to get your console ID. If you have a flasher then you can make a dump of your flash, then locate your EID0 there and the first 16 bytes will be your Console ID. The second way is using a proxy server as you mentioned. A PS3 will send your console ID in different queries (for example, when you try to login to PSN, when it fetches your act.dat, etc).
It used as a HMAC key to hash a file content along with another keys. I suppose that current firmwares don't check these hashes. That's why Xploder don't need your Console ID. You can check it by yourself making a different console ID and resign your save game and then try to load it. But I want to generate all hashes correctly. That's why I used all real parameters. But you can omit some of them.
You don't need to specify a full file path, only a file name inside a folder (actually it is an entry name inside .PFD). By the way, specifying a zero offset causes a very slow processing. Because .ELF files have a 70-80% of code and not data. And I recommend to use a dumper instead of bruteforcing.
It is better than Xploder because it is not server based, so you can do what you want with your save game and I think Xploder doesn't allow you to decrypt/encrypt data (I can be wrong because I don't use the Xploder's software). Trophies are also supported but not in current version because I didn't include keys for them in the release.
From the included ReadMe Files: Data Dumper (data_dumper.pkg)
3.55 CFW (e.g. Kmeaw)
MultiMAN or original dev_blind application and FTP client
1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin
2. Every time you're want to dump a data from my applications (e.g. Klicensee Dumper) you're need to reboot a console to clear a data storage in LV2 memory.
3. Run a dumper loader, then start your game.
4. After exiting from the game you need to run Data Dumper, you will hear some beeps.
5. Then run any FTP client (e.g. builtin in MultiMAN) and download a dumped data from /dev_hdd0/tmp/dumps.bin.
1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin A data which stored there is written by dumper loaders, e.g. by Disc Hash Key Dumper.
2. Install Disc Hash Key Dumper Loader (disc_hash_key_dumper_loader.pkg). It stores a disc hash key if your game is not a PSN/SEN game.
3. Reboot a console to clear a data storage in LV2 memory.
4. Now you need to start Disc Hash Key Dumper Loader, then start your game.
5. After exiting from the game you need to run Data Dumper, you will hear some beeps.
6. Then run any FTP client (e.g. builtin in MultiMAN) and download a dumped disc hash key from /dev_hdd0/tmp/dumps.bin.
PFDTool & SFOPatcher Beta version (pfd_sfo_tools: pfdtool.exe and sfopatcher.exe)
ATTENTION!!! Be careful with 'pfdtool' because it is working with the directory you specify so it will overwrite files inside it.
Some notes about keys:
1. 'Syscon Manager Key' (syscon_manager_key): a constant key from a Syscon Manager.
2. 'PARAM.SFO Key' (param_sfo_key): a constant key used for PARAM.SFO entry.
3. 'Fallback Disc Hash Key' (fallback_disc_hash_key): a constant key used for discless PSN/SEN games.
4. 'Authentication ID' (authentication_id): an additional constant key.
5. 'Console ID' (console_id): your unique console identifier.
6. 'Secure File ID' (secure_file_id): per a game file, almost the same for all files of the game, specified by a game developer (used to encrypt save game files and to hash their content).
7. 'Disc Hash Key' (disc_hash_key): per a game disc or a constant key for PSN/SEN games (used to hash a file entry). You need to use an original game disc and extract it from the disc. For PSN/SEN games they used a fallback disc hash key. 'Disc Hash Key' hash is not verified by PS3 so you can omit this key.
Attention! Some game developers (for example, creators of Metal Gear Solid 4) uses a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself.
1. Paste your console specific data inside 'global.conf'. You need to paste your console ID (IDPS) and needed keys. Open 'Keys' page on the PS3 Dev Wiki and look into the 'Key lists - sc_iso module 1.00-4.00'. There is a 'Syscon Manager Key' at the #2.
Open 'Talk:Keys' page on the PS3 Dev Wiki and search for strings 'Params' and 'Fallback key'. They are 'PARAM.SFO Key' and 'Fallback Disc Hash Key'.
2. Prepare required keys for the game and place them inside 'games.conf'. You need these keys only to verify your .PFD file (it is an optional feature) or to play with save game data encryption. So if you want only to resign a foreign save game then you need only your console ID and skip some hash updates by specifying some flags at 'pfdtool'.
For secure file IDs you can specify an exact file name or use wildcards to match a file name (for example, you don't need to specify the same key for all game files if the game uses the same key for all of them). A disc hash key can be extracted only from an original game disc. For PSN/SEN games a fallback disc hash key is used. This type of hash is not verified by PS3 so you can omit its key but they can add a check in the future firmware versions.
So if you want to use 'Disc Hash Key'=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and 'Secure File ID'=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY for a save file named 'SAVE.DAT' and your game have a product code='BLZZZZZZZ' place them inside a config file:
After copying it to the PS3 you need to update a game cache. You have two solutions:
a) 'Rebuild Database' in the system recovery menu. Be careful with it because it can corrupt your file system in rarely cases.
b) Manually copy your save game to the corresponding folder by using a FTP client (for example, embedded in MultiMAN).
2) You need to patch a foreign PARAM.SFO with data from your PARAM.SFO (the tool uses your account ID, save parameters, optional title and description values):
4. Import your optionally patched save game folder to 'pfdtool' and use it.
Make sure that you specify a game setting set (from 'games.conf') otherwise you will get some fails.
a) You will always get a 'Disc Hash Key FAIL' if you don't use a valid disc hash key. It is not important because it is not checked.
b) If you will get a 'Console ID Hash FAIL' then you use a wrong console ID.
c) If you will get a 'Secure File ID Hash FAIL' then you use a wrong secure file ID for a corresponding file.
You don't need to get a valid console ID for foreign save, just use your console ID and update a save game.
1) To list all entries from PARAM.PFD use a 'list' command:
pfdtool -l <save game folder>
2) To check the validity of PARAM.PFD use a 'check' command.
pfdtool -g <game setting set> -c <save game folder>
3) If you don't plan to modify save game files and you want only to resign a save game for your console then just use an 'update' command with a 'partial' update option:
pfdtool -g <game setting set> -p -u <save game folder>
4) If you plan to modify save game files then use an 'update' command without the option above:
pfdtool -g <game setting set> -u <save game folder>
5) To encrypt or decrypt specified save game files use 'encrypt' or 'decrypt' command:
6) To bruteforce a secure file ID use a 'brute' command along with the .ELF file from the game and specified decimal offset (I recommend to specify an offset of data segment which is usually started at 70-80% of the entire file):
pfdtool -b <save game folder> <elf file> <starting offset in decimal> <file1 file2...>
Bruteforcing a secure file ID takes a lot of time because it is based on hashing of the game file. The larger the file size, the longer the wait. And bruteforcing don't guarantee that you will get a secure file ID because it can not be specified in the plaintext inside an ELF file.
Once again, if you want to easily resign a save game (as publicly known commercial tools does) you just need to place your console ID and use the command:
pfdtool -p -u <save game folder>
I also recommend to use my 'Disc Key Dumper' (incorrectly named because it is a disc hash key really) and 'Secure File ID Dumper' to dump keys directly from the memory of a game. But they are written for 3.55 CFW. I will port them to the 4.21 soon.
I will be glad to see if someone will write a batch script for automate the process or a GUI application because I have no time to do it personally. Also will be nice if someone will create a centralized storage of game setting' sets to find keys there. In the future the tool needs to be improved for error handling because it is poor at the moment. I will plan to improve it in further versions.
Secure File ID Dumper (secure_file_id_dumper: ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx and secure_file_id_dumper_loader.pkg)
A secure file ID is specified by developer of the game. There are can be more than one secure file IDs, one ID per file. There are cases when these bytes stored at EBOOT.ELF as is, so you can use my PFD tool to bruteforce them by specifying a PARAM.PFD and file name.
In other cases you need skills of reverse-engineering and a disassembler to find a secure file ID. That's why I had created this dumper. It dumps a secure file ID from memory itself.
3.55 CFW (e.g. Kmeaw)
MultiMAN or original dev_blind application and FTP client
1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin. A data which stored there is written by dumper loaders, e.g. by Klicensee Dumper.
2. Install Secure File ID Dumper Loader (secure_file_id_dumper_loader.pkg). It stores a file path to the file which used in your save data and a secure file ID of this file.
3. Now you need to replace original libraries located at dev_flash/vsh/module by modified versions. There are ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx. I use a dev_blind feature from MultiMAN, you can use any other way. Don't forget to backup original files.
4. Reboot a console to clear a data storage in LV2 memory.
5. Now you need to start Secure File ID Dumper, then start your game.
6. Then you need to make a game save.
7. After exiting from the game you need to run Data Dumper, you will hear some beeps.
8. Then run any FTP client (e.g. builtin in MultiMAN) and download dumped secure file IDs from /dev_hdd0/tmp/dumps.bin.
9. Restore original libraries ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx using the same method as at step 3.
Notes: Not all of these libraries used with all games, there is one library per game type.
Let me say a few words about the process of signing. There are two types of files - system file object (PARAM.SFO) and game files (which are encrypted by the secure file ID). The first one contains 3 or 4 hashes (depending on whether it is a trophy file database or not).
So for game saves they are a static key embedded in the prx module, your unique console ID, disc hash key and authentication ID (it is static too). So if you take a foreign save game you probably don't have its console ID and the disc hash key (you can only take a disc hash key if you have an original game disc for it).
Also if you don't have a secure file ID and you are lazy to get it (by bruteforcing it/reversing the game executable/dumping from the memory) then you can't calculate hashes for game files too. That's why I created two different modes of signing/checking - one for these people who want only to resign a foreign save game and nothing more and the second one is for people who have all data to update all hashes for their save game.
The first mode called partial update/check (see the corresponding option at pfdtool), and for full update you don't need to specify this option. The partial update only updates hashes which are easy to calculate (based on static data such as authentication ID and console ID).
So if you have a filled global.conf (all keys and your console ID) and run a partial update on the foreign save game to resign it for your console then you got a fully working resigned save game.
But if you want to modify save game files which are encrypted then you need to get all data and specify them in configuration files and then use a full update to resign it. By the way the PS3 itself doesn't check some hashes such as a hash which was calculated using a disc hash key.
So you can omit some of them (I only omitted the hash which I said and it works fine). But I don't know what situation will be in the future, maybe S0ny will add a check for them.
Finally, from aldostools: I have updated the BruteforceSaveData tool with the suggested changes. Also if you press the buttons holding Ctrl it will allow to edit the command line
TIP: Hold Ctrl key and press Enter or double-click on a game to skip the bruteforce using the keys in the database. This feature can be use useful for savegames with large data (eg. >4MB and that you already know that the key is unknown)
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Can anyone able to communicate with the devs ask them if they could include multicore support for bruteforcing? I've got a fairly crappy quad core and each core can't do much on its own, but pfdtool seems to be locked to a single core.
Either that, or CUDA/OpenCL. one or both of those options should really speed up the bruteforcing.
Following up on his previous update, today PlayStation 3 developer Flat_z has updated the PS3 Save Game Tools Pack to include SFOPatcher v0.2.0 and PFDTool version 0.2.3 alongside an update to the BruteforceSaveData GUI by aldostools below.
From Flat_z: Some people asked me about the source code of pfd & sfo tools.. here they are (linked above).
Guys, here is an update of my tools. It contains an update to sfopatcher (see the changelog below) and a small update to pfdtool. Previously you should make a save game for your game on your console and then use PARAM.SFO from it as a template to PARAM.SFO from a foreign save game to build a new PARAM.SFO which will contain the data specific to your console. A newer version of sfopatcher will use a foreign save data directory and params only if you specify these options.
From aldostools: A new version of the frontend is available with the updated tools from flatz and new settings to take advantage of these features.
Changes: new "Rebuild" option, new "Restore" option, updated the database with secure_file_id for more than 750 games (over 3140 title ids). Added a new "date" column. Special thanks to flatz, Alex at CMP, acab, skillerCMP, gingerbread and many others
Added an option to specify the relative offset to advance each time while bruteforcing a secure file ID.
Finally, below is a guide from zorrolaro on how to use PFDTool without PS3 CFW using Borderlands 2 as an example:
Create a folder near your root drive for pfdtool (i.e. c:/pfdtool/), then extract all files into that folder from the linked archive.
Download and install wireshark and winPcap (included with the wireshark installer)
Download and install the .net runtimes
Download and install PS3 ProxyServer
Open a command prompt (start menu -> all programs -> accessories -> command prompt) and enter command "ipconfig". Write down the IPv4 address (should look like 192.168.0.10 or something similar)
Open PS3 ProxyServer and copy the IPv4 address you wrote down into the IP Address field and check of PS3 mode, leave the other options alone. Hit the big start button. Keep you IPv4 number handy, you'll need it again. Leave this program running.
Open Wireshark. On the left side there is an option to start capture. Left click with your mouse to select the appropriate network adapter listed below the start command. If you are not sure about which adapter to use, select them all using ctrl + left mouse click. Hit the start button once you've highlighted the appropriate adapters. Leave this program running.
Boot up your PS3 and navigate to Settings -> Network Settings -> Internet Connection Settings. on the first page select Custom, on the second select whether you are connected wirelessly or wired. Skip all other options by hitting right on your controller until you get to the Proxy Server page, then select use for that option. input the IPv4 address you wrote down earlier into the top field.
Make sure that the port number on this page matches the port number on PS3 ProxyServer (should both say 8080). Skip to the last page on the configuration and hit x. Test connection when prompted by hitting x again. As long as the top 3 fields say succeeded you can carry on to the next step. if not, review your settings in this step and steps 5 and 6 and retry.
Sign into the playstation network and login to the psn store.
Go back to your pc and check Wireshark. There should be a whole bunch of information displayed on the screen, don't worry you don't need to know what it means. Press [ctrl]+ e to stop capturing, then press [ctrl]+f to bring up your search dialogue. Under "find" check of "string" and under "Search In" check off "Packet bytes". Enter 0000000100 as your search criteria and hit enter. If the necessary packet was found, in the bottom frame it should show the number highlighted on the right side (plaintext view) to ensure you have the right packet, right before the highlighted text it should say "devideID":" and then the numbers you searched for.
Take all the numbers and letters starting with your highlighted numbers and copy everything down until you find the next quotation mark in the plaintext. You should have a total of 32 digits written down. Should look something like 000000010084 followed by a bunch of letters and numbers. This is your console id.
Go to the folder you installed pfdtool in. Open global.conf in notepad. Eidt the line where it says console_id=by adding the console id you just captured after the =. Also change the other fields that are bolded below to match
Save file and exit (make sure you save as .conf not .txt)
Open the games.conf file in the same folder. Edit it as follows for NA retail disc version only. You'll have a different game id (the BLUS30982) and secure_file_id. You'll need to ask for someone on the forums to get those for you if you are using a different region, version or entirely differnt game. You can add additional games follwing the same layout by adding more lines. The disc_hash_key is commented out, so you will get a notifaction everytime you use pfdtool, but it still works fine.
Save and close the file once you are done adding games. Again make sure you save as .conf, not .txt.
Make sure you have a copy of your save game on your pc. I like to copy them right into the same folder as pfdtool to make for shorter commands.
You are now ready to actually use pfdtool. Navigate your command prompt to the folder you installed it (command to use is simply the path of the folder, ie "c:/pfdtool"). To decrypt we use the following command:
Where the part in quotations will be changed to reflect your actual drive location and the name of the file will be changed to your actual file name. The file name and path are case sensitive, make sure you double check you have the right case.
You now have a decrypted save file. Use your hex editor of choice or in the case of Borderlands 2 you can use the latest version of Gibbed's Borderlands 2 Save Editor. Once you are done editing, sae your game again and onto the last step.
All that's left at this point is to encrypt the file again. See below, same notes as when decrypting about file path and name.
You can now transfer your save game back to your PS3.
A couple of quick notes: I have tried to make this as noob friendly as possible, but you still need some basic knowledge to follow this guide. Also, atm I really have no interest in modding any other save games so I do not have the info for other games to place in your games.conf file, though if anyone wants to post them I will be happy to add them to the guide. I did not write nor do I support any of the software mentioned in this guide.
Unfortunately we can't extract it from .PFD because IDPS is not stored there. They used it as a HMAC key to hash the content of PARAM.SFO.
I already said many times that some hashes are not checked. That's why Xploder works fine without your console ID. But my goal was the correct generation of the PFD (because S0ny can add new checks in the future) and I had managed to use all keys but you can omit some of them (based on your console id or disc hash key, for example).
From cheetahh: I can confirm that flat_z tool can be used to decrypt TROPTRANS.DAT file and if you know how to modify all the files correctly (there are different checksums and hashes in the files) you can sync those unlocked trophies to PSN as well.
From Sunny992: All information should be free, don't conceal it if it's already leaked, which it was.
Following up on his initial release, this weekend PlayStation 3 developer Flat_z has updated his PS3 Save Game Tools hacking pack alongside a fix for PFDTool v0.2.0 followed by v0.2.1 and v0.2.2 with details below.
From the included ReadMe file: Guys, here is an updated version of pfdtool.
Please test it carefully because I have no time at the moment to test it by myself.
Support of PARAM.PFD for trophies (without keys, of course)
Support of PARAM.PFD v4 which used in a newer SDK
Fixed a bug with verify operation on signature hashes
Now you can use a list of product codes delimeted by '/' (slash), for example: [BLUS31142/BLES01403], they should use the same disc hash key and secure file IDs
Show an information about .PFD type and version
The format for 'global.conf' is different. Please add these changes to your files:
1. Add a new parameter called 'user_id' which set the user identifier (the same number as used in your home folder: /dev_hdd0/home/[user_id]/)
2. Add a new parameter called 'keygen_key'. Open 'Talk:Keys' page on the PS3DevWiki and search for string 'KeygenV4'
3. Rename the parameter 'param_sfo_key' to 'savegame_param_sfo_key' (see below)
4. There a bunch of new keys for trophies: 'trophy_param_sfo_key', 'tropsys_dat_key', 'tropusr_dat_key', 'troptrns_dat_key', 'tropconf_sfm_key' and they are not public so left them as XX.
Also I noticed that some of you use a kernel swapping feature in the REX firmware. Don't forget to use your current (!) console ID. For example, if you made a save game on a DEX then you need to specify a DEX console ID.
Disc hash keys are sent to the PS3 by the Blu Ray Drive itself (well, not the actual disc hash key but some data from the disc which will be encrypted after that and used as a disc hash key).
PFDTool 0.2.1 Changelog:
Fixed issues with the file size.
PFDTool 0.2.2 Changelog:
Now encrypt and decrypt operations update hashes automatically (be sure to use all keys!).
Fixed another issue with the file size of modified files.
Removed a verbose flag because it is not used at the moment.