Sponsored Links

Sponsored Links

PS3 Save Game Tools PlayStation 3 Hacking Pack by Flat_z Arrives


Sponsored Links
98w ago - Following up on the previous release, this weekend PlayStation 3 hacker Flat_z has released PS3 Save Game Tools including a Data Dumper, Disc Hash Key Dumper, PFD SFO Tools, Secure File ID Dumper, and a PFD Tool update with details below.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] / [Register or Login to view links] by aldostools

From Twitter: A save game tool in a testing phase before tomorrow's release save game tools. hehe, dunno yet maybe I will make a managed dll for pfd stuff. An another link if you experience a troubles with downloading. Little update of pfdtool (I fixed an issue with 4 version for some games. They should be fine now.)

Trophies will work in the next release but I'm afraid to add support for them because you can easily hack your trophies with it and synchronize them with the server. I'll release a port of my dumpers to 4.21 soon. I'm working on a new payload which I think allow me to not to replace sprx. And newer version will write keys directly to the file.

You don't need to replace modules and launch a dumper if you only want to resign files. A dumper required only for extracting a save game key directly from the memory of the game. And trophy keys are the same for every console because they are constant. In addition, you don't need to extract/read/write keys every time.

A .PFD file for save games is a bit complex than trophy's .PFD. And games uses different keys for their save files. Trophy keys are constants as I mentioned above. I don't like a name PSID because there are two different PSIDs on the PS3: PSID and OpenPSID. So I call the first one as Console ID (it should contains the Target ID of your console). The second one seems to be random bytes (or encrypted bytes) which widely used on PSN stuff.

There are different ways to get your console ID. If you have a flasher then you can make a dump of your flash, then locate your EID0 there and the first 16 bytes will be your Console ID. The second way is using a proxy server as you mentioned. A PS3 will send your console ID in different queries (for example, when you try to login to PSN, when it fetches your act.dat, etc).

It used as a HMAC key to hash a file content along with another keys. I suppose that current firmwares don't check these hashes. That's why Xploder don't need your Console ID. You can check it by yourself making a different console ID and resign your save game and then try to load it. But I want to generate all hashes correctly. That's why I used all real parameters. But you can omit some of them.

You don't need to specify a full file path, only a file name inside a folder (actually it is an entry name inside .PFD). By the way, specifying a zero offset causes a very slow processing. Because .ELF files have a 70-80% of code and not data. And I recommend to use a dumper instead of bruteforcing.

It is better than Xploder because it is not server based, so you can do what you want with your save game and I think Xploder doesn't allow you to decrypt/encrypt data (I can be wrong because I don't use the Xploder's software). Trophies are also supported but not in current version because I didn't include keys for them in the release.

From the included ReadMe Files: Data Dumper (data_dumper.pkg)

Requirements:

  • 3.55 CFW (e.g. Kmeaw)
  • MultiMAN or original dev_blind application and FTP client

1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin

2. Every time you're want to dump a data from my applications (e.g. Klicensee Dumper) you're need to reboot a console to clear a data storage in LV2 memory.

3. Run a dumper loader, then start your game.

4. After exiting from the game you need to run Data Dumper, you will hear some beeps.

5. Then run any FTP client (e.g. builtin in MultiMAN) and download a dumped data from /dev_hdd0/tmp/dumps.bin.

Disc Hash Key Dumper (disc_hash_key_dumper_loader.pkg)

Requirements:

  • 3.55 CFW (e.g. Kmeaw)
  • MultiMAN or another FTP client

1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin A data which stored there is written by dumper loaders, e.g. by Disc Hash Key Dumper.

2. Install Disc Hash Key Dumper Loader (disc_hash_key_dumper_loader.pkg). It stores a disc hash key if your game is not a PSN/SEN game.

3. Reboot a console to clear a data storage in LV2 memory.

4. Now you need to start Disc Hash Key Dumper Loader, then start your game.

5. After exiting from the game you need to run Data Dumper, you will hear some beeps.

6. Then run any FTP client (e.g. builtin in MultiMAN) and download a dumped disc hash key from /dev_hdd0/tmp/dumps.bin.

PFDTool & SFOPatcher Beta version (pfd_sfo_tools: pfdtool.exe and sfopatcher.exe)

ATTENTION!!! Be careful with 'pfdtool' because it is working with the directory you specify so it will overwrite files inside it.

Some notes about keys:

1. 'Syscon Manager Key' (syscon_manager_key): a constant key from a Syscon Manager.
2. 'PARAM.SFO Key' (param_sfo_key): a constant key used for PARAM.SFO entry.
3. 'Fallback Disc Hash Key' (fallback_disc_hash_key): a constant key used for discless PSN/SEN games.
4. 'Authentication ID' (authentication_id): an additional constant key.
5. 'Console ID' (console_id): your unique console identifier.
6. 'Secure File ID' (secure_file_id): per a game file, almost the same for all files of the game, specified by a game developer (used to encrypt save game files and to hash their content).
7. 'Disc Hash Key' (disc_hash_key): per a game disc or a constant key for PSN/SEN games (used to hash a file entry). You need to use an original game disc and extract it from the disc. For PSN/SEN games they used a fallback disc hash key. 'Disc Hash Key' hash is not verified by PS3 so you can omit this key.

Attention! Some game developers (for example, creators of Metal Gear Solid 4) uses a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself.

1. Paste your console specific data inside 'global.conf'. You need to paste your console ID (IDPS) and needed keys. Open 'Keys' page on the PS3 Dev Wiki and look into the 'Key lists - sc_iso module 1.00-4.00'. There is a 'Syscon Manager Key' at the #2.

Open 'Talk:Keys' page on the PS3 Dev Wiki and search for strings 'Params' and 'Fallback key'. They are 'PARAM.SFO Key' and 'Fallback Disc Hash Key'.

2. Prepare required keys for the game and place them inside 'games.conf'. You need these keys only to verify your .PFD file (it is an optional feature) or to play with save game data encryption. So if you want only to resign a foreign save game then you need only your console ID and skip some hash updates by specifying some flags at 'pfdtool'.

For secure file IDs you can specify an exact file name or use wildcards to match a file name (for example, you don't need to specify the same key for all game files if the game uses the same key for all of them). A disc hash key can be extracted only from an original game disc. For PSN/SEN games a fallback disc hash key is used. This type of hash is not verified by PS3 so you can omit its key but they can add a check in the future firmware versions.

So if you want to use 'Disc Hash Key'=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and 'Secure File ID'=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY for a save file named 'SAVE.DAT' and your game have a product code='BLZZZZZZZ' place them inside a config file:

[Register or Login to view code]

3. Make a custom save game to use it as a pattern for 'sfopatcher'.

1) You may also need to patch a copy protection flag inside your PARAM.SFO because some games uses it:

[Register or Login to view code]

After copying it to the PS3 you need to update a game cache. You have two solutions:

a) 'Rebuild Database' in the system recovery menu. Be careful with it because it can corrupt your file system in rarely cases.
b) Manually copy your save game to the corresponding folder by using a FTP client (for example, embedded in MultiMAN).

2) You need to patch a foreign PARAM.SFO with data from your PARAM.SFO (the tool uses your account ID, save parameters, optional title and description values):

[Register or Login to view code]

If you also want to patch title and description use a command below:

[Register or Login to view code]

4. Import your optionally patched save game folder to 'pfdtool' and use it.

Make sure that you specify a game setting set (from 'games.conf') otherwise you will get some fails.

Attention!

a) You will always get a 'Disc Hash Key FAIL' if you don't use a valid disc hash key. It is not important because it is not checked.
b) If you will get a 'Console ID Hash FAIL' then you use a wrong console ID.
c) If you will get a 'Secure File ID Hash FAIL' then you use a wrong secure file ID for a corresponding file.

You don't need to get a valid console ID for foreign save, just use your console ID and update a save game.

1) To list all entries from PARAM.PFD use a 'list' command:

[Register or Login to view code]

2) To check the validity of PARAM.PFD use a 'check' command.

[Register or Login to view code]

3) If you don't plan to modify save game files and you want only to resign a save game for your console then just use an 'update' command with a 'partial' update option:

[Register or Login to view code]

4) If you plan to modify save game files then use an 'update' command without the option above:

[Register or Login to view code]

5) To encrypt or decrypt specified save game files use 'encrypt' or 'decrypt' command:

[Register or Login to view code]

6) To bruteforce a secure file ID use a 'brute' command along with the .ELF file from the game and specified decimal offset (I recommend to specify an offset of data segment which is usually started at 70-80% of the entire file):

[Register or Login to view code]

Bruteforcing a secure file ID takes a lot of time because it is based on hashing of the game file. The larger the file size, the longer the wait. And bruteforcing don't guarantee that you will get a secure file ID because it can not be specified in the plaintext inside an ELF file.

Once again, if you want to easily resign a save game (as publicly known commercial tools does) you just need to place your console ID and use the command:

[Register or Login to view code]

I also recommend to use my 'Disc Key Dumper' (incorrectly named because it is a disc hash key really) and 'Secure File ID Dumper' to dump keys directly from the memory of a game. But they are written for 3.55 CFW. I will port them to the 4.21 soon.

I will be glad to see if someone will write a batch script for automate the process or a GUI application because I have no time to do it personally. Also will be nice if someone will create a centralized storage of game setting' sets to find keys there. In the future the tool needs to be improved for error handling because it is poor at the moment. I will plan to improve it in further versions.

Secure File ID Dumper (secure_file_id_dumper: ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx and secure_file_id_dumper_loader.pkg)

A secure file ID is specified by developer of the game. There are can be more than one secure file IDs, one ID per file. There are cases when these bytes stored at EBOOT.ELF as is, so you can use my PFD tool to bruteforce them by specifying a PARAM.PFD and file name.

In other cases you need skills of reverse-engineering and a disassembler to find a secure file ID. That's why I had created this dumper. It dumps a secure file ID from memory itself.

Requirements:

  • 3.55 CFW (e.g. Kmeaw)
  • MultiMAN or original dev_blind application and FTP client

1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin. A data which stored there is written by dumper loaders, e.g. by Klicensee Dumper.

2. Install Secure File ID Dumper Loader (secure_file_id_dumper_loader.pkg). It stores a file path to the file which used in your save data and a secure file ID of this file.

3. Now you need to replace original libraries located at dev_flash/vsh/module by modified versions. There are ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx. I use a dev_blind feature from MultiMAN, you can use any other way. Don't forget to backup original files.

4. Reboot a console to clear a data storage in LV2 memory.

5. Now you need to start Secure File ID Dumper, then start your game.

6. Then you need to make a game save.

7. After exiting from the game you need to run Data Dumper, you will hear some beeps.

8. Then run any FTP client (e.g. builtin in MultiMAN) and download dumped secure file IDs from /dev_hdd0/tmp/dumps.bin.

9. Restore original libraries ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx using the same method as at step 3.

Notes: Not all of these libraries used with all games, there is one library per game type.

From gingerbread: Save Data Information

[Register or Login to view code]

Let me say a few words about the process of signing. There are two types of files - system file object (PARAM.SFO) and game files (which are encrypted by the secure file ID). The first one contains 3 or 4 hashes (depending on whether it is a trophy file database or not).

So for game saves they are a static key embedded in the prx module, your unique console ID, disc hash key and authentication ID (it is static too). So if you take a foreign save game you probably don't have its console ID and the disc hash key (you can only take a disc hash key if you have an original game disc for it).

Also if you don't have a secure file ID and you are lazy to get it (by bruteforcing it/reversing the game executable/dumping from the memory) then you can't calculate hashes for game files too. That's why I created two different modes of signing/checking - one for these people who want only to resign a foreign save game and nothing more and the second one is for people who have all data to update all hashes for their save game.

The first mode called partial update/check (see the corresponding option at pfdtool), and for full update you don't need to specify this option. The partial update only updates hashes which are easy to calculate (based on static data such as authentication ID and console ID).

So if you have a filled global.conf (all keys and your console ID) and run a partial update on the foreign save game to resign it for your console then you got a fully working resigned save game.

But if you want to modify save game files which are encrypted then you need to get all data and specify them in configuration files and then use a full update to resign it. By the way the PS3 itself doesn't check some hashes such as a hash which was calculated using a disc hash key.

So you can omit some of them (I only omitted the hash which I said and it works fine). But I don't know what situation will be in the future, maybe S0ny will add a check for them.

Finally, from aldostools: I have updated the BruteforceSaveData tool with the suggested changes. Also if you press the buttons holding Ctrl it will allow to edit the command line

TIP: Hold Ctrl key and press Enter or double-click on a game to skip the bruteforce using the keys in the database. This feature can be use useful for savegames with large data (eg. >4MB and that you already know that the key is unknown)








Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 94 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

BerserkLeon's Avatar
#54 - BerserkLeon - 97w ago
Can anyone able to communicate with the devs ask them if they could include multicore support for bruteforcing? I've got a fairly crappy quad core and each core can't do much on its own, but pfdtool seems to be locked to a single core.

Either that, or CUDA/OpenCL. one or both of those options should really speed up the bruteforcing.

Update: From : I suppose I sort of used the wrong term when I said this code could be optimized, to be honest, since it is working with byte arrays, you cannot really get more speed out of it unless you are constantly reading/writing large sections of bytes (which if you are, feel free to hit me up for some optimization tips on your current code). However, like I said previously, the code could be shrunk way down to a few functions and I only wrote it the way I did for people to easily learn from. Here is all the above code complete in a few functions:

VB.NET Code

[Register or Login to view code]

C# Code
[code]Add to a class:

using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;

static class clsGlobal
{
//**************************************************************************************************************************'
//* GLOBAL KEYS *'
//**************************************************************************************************************************'
public static byte[] SYSCON_MANAGER_KEY = new byte[] {
0xd4,
0x13,
0xb8,
0x96,
0x63,
0xe1,
0xfe,
0x9f,
0x75,
0x14,
0x3d,
0x3b,
0xb4,
0x56,
0x52,
0x74
};
//**************************************************************************************************************************'
//* GLOBAL HEADER TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct PFD_HEADER_SECTION
{
public const int MAGIC_OFFSET = 0x0;
public const int VERSION_OFFSET = 0x8;
public const int IV_OFFSET = 0x10;
public const int SIGNATURE_OFFSET = 0x20;
public const int TOP_HASH_OFFSET = 0x0;
public const int BOTTOM_HASH_OFFSET = 0x14;
}
public struct PFD_HEADER_SECTION_SIZE
{
public const int MAGIC_SIZE = 8;
public const int VERSION_SIZE = 8;
public const int IV_SIZE = 16;
public const int SIGNATURE_SIZE = 64;
public const int HASH_SIZE = 20;
}
public struct PFD_HEADER
{
public const int OFFSET = 0x0;
public const int SIZE = 96;
}
//**************************************************************************************************************************'
//* GLOBAL HASH TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct HASH_TABLE
{
public const int OFFSET = 0x60;
public const int SIZE = 456;
public const int MAX_ENTRIES = 57;
public const int HEADER_OFFSET = 0x60;
public const int HEADER_SIZE = 24;
public const int ENTRY_OFFSET = 0x78;
public const int ENTRY_SIZE = 8;
}
//**************************************************************************************************************************'
//* GLOBAL PROTECTED FILES TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct PF_TABLE_SECTION
{
public const int INDEX = 0;
public const int NAME = 8;
public const int GARBAGE = 73;
public const int DATA = 80;
public const int ENTRY_KEY = 80;
public const int HASHES = 144;
public const int HASH1 = 144;
public const int HASH2 = 164;
public const int HASH3 = 184;
public const int HASH4 = 204;
public const int PADDING = 224;
public const int FILE_SIZE = 264;
}
public struct PF_TABLE_SECTION_SIZE
{
public const int INDEX = 8;
public const int NAME = 65;
public const int GARBAGE = 7;
public const int DATA = 192;
public const int ENTRY_KEY = 64;
public const int HASHES = 80;
public const int HASH = 20;
public const int PADDING = 40;
public const int FILE_SIZE = 8;
}
public struct PF_TABLE
{
public const int OFFSET = 0x240;
public const int SIZE = 31008;
public const int MAX_ENTRIES = 113;
public const int ENTRY_SIZE = 272;
}
//**************************************************************************************************************************'
//* GLOBAL Y TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct Y_TABLE
{
public const int MAX_ENTRIES = 56;
public const int OFFSET = 0x7b60;
public const int SIZE = 1140;
public const int ENTRY_SIZE = 20;
}
//**************************************************************************************************************************'
//* GLOBAL PADDING VARIABLES *'
//**************************************************************************************************************************'
public struct BOTTOM_PADDING
{
public const int OFFSET = 0x7fd4;
public const int SIZE = 44;
}
}

Add to a class:

using System;
using System.Windows.Forms;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using glb = clsGlobal;

static class clsClasses
{
//***************************************************************************************************************'
//* OPEN FILE DIALOG BOX : RETURNS A STRING *'
//***************************************************************************************************************'
public static string File_Dialog(string sTitle, string sFilter, string sFileName)
{
OpenFileDialog OFD = new OpenFileDialog();

String retval = string.Empty;

OFD.Filter = sFilter;
OFD.InitialDirectory = Application.ExecutablePath;
OFD.Title = sTitle;
OFD.Filter = sFilter;
OFD.FileName = sFileName;

if (OFD.ShowDialog() == DialogResult.OK)
{
retval = OFD.FileName;
}
if (retval == String.Empty)
{
return string.Empty;
}
else
{
return retval;
}
}
//**************************************************************************************************************************'
//* AES DECRYPTION FUNCTION *'
//**************************************************************************************************************************'
public static byte[] AES_Decrypt(byte[] bytes, int block_size, int key_size, byte[] aes_iv, byte[] aes_key)
{
//--------------------------------------------------------------------------------------------------------------------------'
// AES Crypto Service Provider
//--------------------------------------------------------------------------------------------------------------------------'
AesCryptoServiceProvider AES = new AesCryptoServiceProvider();
//--------------------------------------------------------------------------------------------------------------------------'
// AES Crypto Service Provider parameters
//--------------------------------------------------------------------------------------------------------------------------'
AES.BlockSize = block_size;
AES.KeySize = key_size;
AES.IV = aes_iv;
AES.Key = aes_key;
AES.Mode = CipherMode.CBC;
AES.Padding = PaddingMode.None;
//--------------------------------------------------------------------------------------------------------------------------'
// Decrypt the bytes : AES 128 CBC mode
//--------------------------------------------------------------------------------------------------------------------------'
using (ICryptoTransform AES_Dec = AES.CreateDecryptor()) {
byte[] dec_bytes = AES_Dec.TransformFinalBlock(bytes, 0, bytes.Length);
//--------------------------------------------------------------------------------------------------------------------------'
// Return the byte array of decrypted bytes
//--------------------------------------------------------------------------------------------------------------------------'
return dec_bytes;
}
}
//***************************************************************************************************************'
//* CONVERT A BYTE ARRAY TO A HEXADECIMAL STRING *'
//***************************************************************************************************************'
public static string ByteArray_To_Hex(byte[] bytes, string separator = null)
{
string retval = string.Empty;
StringBuilder strHex = new StringBuilder(bytes.Length * 2);

foreach (byte b in bytes) {
strHex.Append((b.ToString("X2")) + separator);
}

retval = strHex.ToString().ToUpper();

return retval.Trim();
}

//**************************************************************************************************************************'
//* READ DATA FROM HASH TABLE :: OUTPUT = LIST OF BYTE ARRAYS *'
//**************************************************************************************************************************'
public static List Read_Hash_Table(string pfd_file, int start_offset, int section_size)
{
List output_bytes = new List();
long curr_offset = start_offset;

for (int i = 0; i

PS3 News's Avatar
#53 - PS3 News - 97w ago
Following up on his previous update, today PlayStation 3 developer Flat_z has updated the PS3 Save Game Tools Pack to include SFOPatcher v0.2.0 and PFDTool version 0.2.3 alongside an update to the BruteforceSaveData GUI by aldostools below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links]

From Flat_z: Some people asked me about the source code of pfd & sfo tools.. here they are (linked above).

Guys, here is an update of my tools. It contains an update to sfopatcher (see the changelog below) and a small update to pfdtool. Previously you should make a save game for your game on your console and then use PARAM.SFO from it as a template to PARAM.SFO from a foreign save game to build a new PARAM.SFO which will contain the data specific to your console. A newer version of sfopatcher will use a foreign save data directory and params only if you specify these options.

From aldostools: A new version of the frontend is available with the updated tools from flatz and new settings to take advantage of these features.

Changes: new "Rebuild" option, new "Restore" option, updated the database with secure_file_id for more than 750 games (over 3140 title ids). Added a new "date" column. Special thanks to flatz, Alex at CMP, acab, skillerCMP, gingerbread and many others

Changelog:

pfdtool 0.2.3

  • Added an option to specify the relative offset to advance each time while bruteforcing a secure file ID.

Below is a guide from zorrolaro on how to use PFDTool without PS3 CFW using Borderlands 2 as an example:

Required Tools:


Guide:

  • Create a folder near your root drive for pfdtool (i.e. c:/pfdtool/), then extract all files into that folder from the linked archive.
  • Download and install wireshark and winPcap (included with the wireshark installer)
  • Download and install the .net runtimes
  • Download and install PS3 ProxyServer
  • Open a command prompt (start menu -> all programs -> accessories -> command prompt) and enter command "ipconfig". Write down the IPv4 address (should look like 192.168.0.10 or something similar)
  • Open PS3 ProxyServer and copy the IPv4 address you wrote down into the IP Address field and check of PS3 mode, leave the other options alone. Hit the big start button. Keep you IPv4 number handy, you'll need it again. Leave this program running.
  • Open Wireshark. On the left side there is an option to start capture. Left click with your mouse to select the appropriate network adapter listed below the start command. If you are not sure about which adapter to use, select them all using ctrl + left mouse click. Hit the start button once you've highlighted the appropriate adapters. Leave this program running.
  • Boot up your PS3 and navigate to Settings -> Network Settings -> Internet Connection Settings. on the first page select Custom, on the second select whether you are connected wirelessly or wired. Skip all other options by hitting right on your controller until you get to the Proxy Server page, then select use for that option. input the IPv4 address you wrote down earlier into the top field.

    Make sure that the port number on this page matches the port number on PS3 ProxyServer (should both say 8080). Skip to the last page on the configuration and hit x. Test connection when prompted by hitting x again. As long as the top 3 fields say succeeded you can carry on to the next step. if not, review your settings in this step and steps 5 and 6 and retry.
  • Sign into the playstation network and login to the psn store.
  • Go back to your pc and check Wireshark. There should be a whole bunch of information displayed on the screen, don't worry you don't need to know what it means. Press [ctrl]+ e to stop capturing, then press [ctrl]+f to bring up your search dialogue. Under "find" check of "string" and under "Search In" check off "Packet bytes". Enter 0000000100 as your search criteria and hit enter. If the necessary packet was found, in the bottom frame it should show the number highlighted on the right side (plaintext view) to ensure you have the right packet, right before the highlighted text it should say "devideID":" and then the numbers you searched for.

    Take all the numbers and letters starting with your highlighted numbers and copy everything down until you find the next quotation mark in the plaintext. You should have a total of 32 digits written down. Should look something like 000000010084 followed by a bunch of letters and numbers. This is your console id.
  • Go to the folder you installed pfdtool in. Open global.conf in notepad. Eidt the line where it says console_id=by adding the console id you just captured after the =. Also change the other fields that are bolded below to match

    [Register or Login to view code]


  • Save file and exit (make sure you save as .conf not .txt)
  • Open the games.conf file in the same folder. Edit it as follows for NA retail disc version only. You'll have a different game id (the BLUS30982) and secure_file_id. You'll need to ask for someone on the forums to get those for you if you are using a different region, version or entirely differnt game. You can add additional games follwing the same layout by adding more lines. The disc_hash_key is commented out, so you will get a notifaction everytime you use pfdtool, but it still works fine.

    [Register or Login to view code]


  • Save and close the file once you are done adding games. Again make sure you save as .conf, not .txt.
  • Make sure you have a copy of your save game on your pc. I like to copy them right into the same folder as pfdtool to make for shorter commands.
  • You are now ready to actually use pfdtool. Navigate your command prompt to the folder you installed it (command to use is simply the path of the folder, ie "c:/pfdtool"). To decrypt we use the following command:

    [Register or Login to view code]


  • Where the part in quotations will be changed to reflect your actual drive location and the name of the file will be changed to your actual file name. The file name and path are case sensitive, make sure you double check you have the right case.
  • You now have a decrypted save file. Use your hex editor of choice or in the case of Borderlands 2 you can use the latest version of Gibbed's Borderlands 2 Save Editor. Once you are done editing, sae your game again and onto the last step.
  • All that's left at this point is to encrypt the file again. See below, same notes as when decrypting about file path and name.

    [Register or Login to view code]


  • You can now transfer your save game back to your PS3.

A couple of quick notes: I have tried to make this as noob friendly as possible, but you still need some basic knowledge to follow this guide. Also, atm I really have no interest in modding any other save games so I do not have the info for other games to place in your games.conf file, though if anyone wants to post them I will be happy to add them to the guide. I did not write nor do I support any of the software mentioned in this guide.

Unfortunately we can't extract it from .PFD because IDPS is not stored there. They used it as a HMAC key to hash the content of PARAM.SFO.

I already said many times that some hashes are not checked. That's why Xploder works fine without your console ID. But my goal was the correct generation of the PFD (because S0ny can add new checks in the future) and I had managed to use all keys but you can omit some of them (based on your console id or disc hash key, for example).

From cheetahh: I can confirm that flat_z tool can be used to decrypt TROPTRANS.DAT file and if you know how to modify all the files correctly (there are different checksums and hashes in the files) you can sync those unlocked trophies to PSN as well.

From Sunny992: All information should be free, don't conceal it if it's already leaked, which it was.

[Register or Login to view code]

It was leaked on NGU.

Finally, from comes a VB.NET/C# PARAM.PFD Code Snippet below, as follows:

Figured I would share this as it is a starting point to anyone who wants to work with PARAM.PFD files within VB.NET/C#. Use it, change it, do what you want with it. I used a code converter to avoid rewriting everything between the 2 languages, and then went through and fixed what broke during the conversion.

The code could be optimized... Most of the classes/functions could easily be combined down to just a few classes/functions, and global variables should be avoided when possible other than for this demonstration. The reason it is the way it is now is so that it is easier to see what is going on. If anyone actually uses this, and wants an optimized set of functions or classes just ask.

With that said, all that is needed is a decryption/encryption (AES 128 CTR Mode) function/class for save files and you can be on your way to making your own cheat editor without the need of bundling in flatz pfdtools.

VB.NET Code

[Register or Login to view code]

C# Code
[code]Add to a class:

using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;

public class clsGlobal
{
//**************************************************************************************************************************'
//* GLOBAL KEYS *'
//**************************************************************************************************************************'
public static byte[] SYSCON_MANAGER_KEY = new byte[] {
0xd4,
0x13,
0xb8,
0x96,
0x63,
0xe1,
0xfe,
0x9f,
0x75,
0x14,
0x3d,
0x3b,
0xb4,
0x56,
0x52,
0x74

};
//**************************************************************************************************************************'
//* GLOBAL HEADER TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct PFD_HEADER
{
public const int OFFSET = 0x0;
public const int SIZE = 96;
public const int MAGIC_OFFSET = 0x0;
public const int MAGIC_SIZE = 8;
public const int VERSION_OFFSET = 0x8;
public const int VERSION_SIZE = 8;
public const int IV_OFFSET = 0x10;
public const int IV_SIZE = 16;
public const int SIGNATURE_OFFSET = 0x20;
public const int SIGNATURE_SIZE = 64;
public const int TOP_HASH_OFFSET = 0x0;
public const int TOP_HASH_SIZE = 20;
public const int BOTTOM_HASH_OFFSET = 0x14;
public const int BOTTOM_HASH_SIZE = 20;
}
public static byte[] PFD_HEADER_TABLE = new byte[PFD_HEADER.SIGNATURE_SIZE + 1];
public static byte[] PFD_HEADER_MAGIC = new byte[PFD_HEADER.MAGIC_SIZE + 1];
public static byte[] PFD_HEADER_VERSION = new byte[PFD_HEADER.VERSION_SIZE + 1];
public static byte[] PFD_HEADER_TABLE_IV = new byte[PFD_HEADER.IV_SIZE + 1];
public static byte[] PFD_HEADER_SIGNATURE = new byte[PFD_HEADER.SIGNATURE_SIZE + 1];
public static byte[] PFD_HEADER_DECRYPTED = new byte[PFD_HEADER.SIGNATURE_SIZE + 1];
public static byte[] PFD_HEADER_DECRYPTED_TOP_HASH = new byte[PFD_HEADER.TOP_HASH_SIZE + 1];
public static byte[] PFD_HEADER_DECRYPTED_BOTTOM_HASH = new byte[PFD_HEADER.BOTTOM_HASH_SIZE + 1];
//**************************************************************************************************************************'
//* GLOBAL HASH TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct HASH_TABLE
{
public const int MAX_ENTRIES = 57;
public const int HEADER_OFFSET = 0x60;
public const int HEADER_SIZE = 24;
public const int OFFSET = 0x78;
public const int SIZE = 456;
public const int TABLE_ENTRY_SIZE = 8;
}
public static byte[] PFD_HASH_TABLE_HEADER = new byte[HASH_TABLE.HEADER_SIZE + 1];
public static byte[] PFD_HASH_TABLE = new byte[HASH_TABLE.SIZE + 1];
public static byte[] PFD_HASH_TABLE_ALL_ENTRIES = new byte[HASH_TABLE.SIZE / HASH_TABLE.TABLE_ENTRY_SIZE + 1];
//**************************************************************************************************************************'
//* GLOBAL PROTECTED FILES TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct PF_TABLE
{
public const int OFFSET = 0x240;
public const int SIZE = 31008;
public const int ENTRY_SIZE = 272;
public const int ENTRY_INDEX_SIZE = 8;
public const int ENTRY_NAME_SKIP_BYTES = 8;
public const int ENTRY_NAME_SIZE = 65;
public const int ENTRY_GARBAGE_SKIP_BYTES = 73;
public const int ENTRY_GARBAGE_SIZE = 7;
public const int ENTRY_DATA_SKIP_BYTES = 80;
public const int ENTRY_DATA_SIZE = 192;
public const int ENTRY_KEY_SKIP_BYTES = 80;
public const int ENTRY_KEY_SIZE = 64;
public const int ENTRY_HASHES_SKIP_BYTES = 144;
public const int ENTRY_HASHES_SIZE = 80;
public const int ENTRY_HASH1_SKIP_BYTES = 144;
public const int ENTRY_HASH_SIZE = 20;
public const int ENTRY_HASH2_SKIP_BYTES = 164;
public const int ENTRY_HASH3_SKIP_BYTES = 184;
public const int ENTRY_HASH4_SKIP_BYTES = 204;
public const int ENTRY_PADDING_SKIP_BYTES = 224;
public const int ENTRY_PADDING_SIZE = 40;
public const int ENTRY_FILESIZE_SKIP_BYTES = 264;
public const int ENTRY_FILESIZE_SIZE = 8;
}
public static byte[] PFD_PROTECTED_FILES_TABLE = new byte[PF_TABLE.SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY = new byte[PF_TABLE.ENTRY_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ALL_ENTRIES = new byte[PF_TABLE.SIZE / PF_TABLE.ENTRY_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_INDEX = new byte[PF_TABLE.ENTRY_INDEX_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_NAME = new byte[PF_TABLE.ENTRY_NAME_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_GARBAGE = new byte[PF_TABLE.ENTRY_GARBAGE_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_DATA = new byte[PF_TABLE.ENTRY_DATA_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_KEY = new byte[PF_TABLE.ENTRY_KEY_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_HASHES = new byte[PF_TABLE.ENTRY_HASHES_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_HASH1 = new byte[PF_TABLE.ENTRY_HASH_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_HASH2 = new byte[PF_TABLE.ENTRY_HASH_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_HASH3 = new byte[PF_TABLE.ENTRY_HASH_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_HASH4 = new byte[PF_TABLE.ENTRY_HASH_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_PADDING = new byte[PF_TABLE.ENTRY_PADDING_SIZE + 1];
public static byte[] PFD_PROTECTED_FILES_TABLE_ENTRY_FILESIZE = new byte[PF_TABLE.ENTRY_FILESIZE_SIZE + 1];
//**************************************************************************************************************************'
//* GLOBAL Y TABLE VARIABLES *'
//**************************************************************************************************************************'
public struct Y_TABLE
{
public const int MAX_ENTRIES = 57;
public const int OFFSET = 0x7b60;
public const int SIZE = 1140;
public const int TABLE_ENTRY_SIZE = 20;
}
public static byte[] PFD_Y_TABLE = new byte[Y_TABLE.SIZE + 1];
public static byte[] PFD_Y_ALL_ENTRIES = new byte[Y_TABLE.SIZE / Y_TABLE.TABLE_ENTRY_SIZE + 1];
//**************************************************************************************************************************'
//* GLOBAL PADDING VARIABLES *'
//**************************************************************************************************************************'
public struct BOTTOM_PADDING
{
public const int OFFSET = 0x7fd4;
public const int SIZE = 44;
}
public static byte[] PFD_BOTTOM_PADDING = new byte[BOTTOM_PADDING.SIZE + 1];
}

Add to a class:

using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using glb = clsGlobal;

public class clsPFDTables
{
//**************************************************************************************************************************'
//* READ THE TOP HASH FROM DECRYPTED HEADER IN AN ARRAY *'
//**************************************************************************************************************************'
public static byte[] Read_Decrypted_Header_Top_Hash(byte[] decrypted_header_array, int offset)
{

byte[] output_array = new byte[glb.PFD_HEADER.TOP_HASH_SIZE];

Buffer.BlockCopy(decrypted_header_array, offset, output_array, 0, glb.PFD_HEADER.TOP_HASH_SIZE);

return output_array;
}
//**************************************************************************************************************************'
//* READ THE BOTTOM HASH FROM DECRYPTED HEADER IN AN ARRAY *'
//**************************************************************************************************************************'
public static byte[] Read_Decrypted_Header_Bottom_Hash(byte[] decrypted_header_array, int offset)
{
byte[] output_array = new byte[glb.PFD_HEADER.BOTTOM_HASH_SIZE];

Buffer.BlockCopy(decrypted_header_array, offset, output_array, 0, glb.PFD_HEADER.BOTTOM_HASH_SIZE);

return output_array;
}
//**************************************************************************************************************************'
//* READ ALL ENTRIES FROM HASH TABLE TO A LIST OF ARRAYS *'
//**************************************************************************************************************************'
public static List Build_Hash_Table_Entries_Array(byte[] hash_table_array)
{
List output_bytes = new List();

for (int i = 0; i

GMOTE's Avatar
#52 - GMOTE - 97w ago
Nice news.

eric994's Avatar
#51 - eric994 - 97w ago
this is a favour i want to ask for anyone who understands this stuff.

Could it be possible to fix the "corrupt save data" dilemma in the call of duty: black ops II(BLES01717) with will highly appreciated by me and many others with the same copies of this amazing game.

PS3 News's Avatar
#50 - PS3 News - 97w ago
Following up on his initial release, this weekend PlayStation 3 developer Flat_z has updated his PS3 Save Game Tools hacking pack alongside a fix for PFDTool v0.2.0 followed by v0.2.1 and v0.2.2 with details below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Removed) / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Required)

From the included ReadMe file: Guys, here is an updated version of pfdtool.

Please test it carefully because I have no time at the moment to test it by myself.

Changelog:

  • Support of PARAM.PFD for trophies (without keys, of course)
  • Support of PARAM.PFD v4 which used in a newer SDK
  • Fixed a bug with verify operation on signature hashes
  • Now you can use a list of product codes delimeted by '/' (slash), for example: [BLUS31142/BLES01403], they should use the same disc hash key and secure file IDs
  • Show an information about .PFD type and version

The format for 'global.conf' is different. Please add these changes to your files:

1. Add a new parameter called 'user_id' which set the user identifier (the same number as used in your home folder: /dev_hdd0/home/[user_id]/)
2. Add a new parameter called 'keygen_key'. Open 'Talk:Keys' page on the PS3DevWiki and search for string 'KeygenV4'
3. Rename the parameter 'param_sfo_key' to 'savegame_param_sfo_key' (see below)
4. There a bunch of new keys for trophies: 'trophy_param_sfo_key', 'tropsys_dat_key', 'tropusr_dat_key', 'troptrns_dat_key', 'tropconf_sfm_key' and they are not public so left them as XX.

[Register or Login to view code]

Also I noticed that some of you use a kernel swapping feature in the REX firmware. Don't forget to use your current (!) console ID. For example, if you made a save game on a DEX then you need to specify a DEX console ID.

Disc hash keys are sent to the PS3 by the Blu Ray Drive itself (well, not the actual disc hash key but some data from the disc which will be encrypted after that and used as a disc hash key).

PFDTool 0.2.1 Changelog:

  • Fixed issues with the file size.

PFDTool 0.2.2 Changelog:

  • Now encrypt and decrypt operations update hashes automatically (be sure to use all keys!).
  • Fixed another issue with the file size of modified files.
  • Removed a verbose flag because it is not used at the moment.

More PlayStation 3 News...

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News