76w ago - Following up on their initial release, today PlayStation 3 dongle hackers Oct0xor (aka Mr. DongleBreaker) and Flat_z have released PS3UserCheat PS3 Cheat dongle update version 2.2 with Cheatlist.dat v6.0 for those interested.
To quote via Twitter: Cracked ps3usercheat v2.2 + cheatlist.dat v6.0
Thanks to Khaled Alshabak and all contributors, you motivates me.
Will release a way to modify cheatlist.dat in future.
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Following up on his initial release, this weekend PlayStation 3 developer Flat_z has updated his PS3 Save Game Tools hacking pack alongside a fix for PFDTool v0.2.0 followed by v0.2.1 and v0.2.2 with details below.
From the included ReadMe file: Guys, here is an updated version of pfdtool.
Please test it carefully because I have no time at the moment to test it by myself.
Support of PARAM.PFD for trophies (without keys, of course)
Support of PARAM.PFD v4 which used in a newer SDK
Fixed a bug with verify operation on signature hashes
Now you can use a list of product codes delimeted by '/' (slash), for example: [BLUS31142/BLES01403], they should use the same disc hash key and secure file IDs
Show an information about .PFD type and version
The format for 'global.conf' is different. Please add these changes to your files:
1. Add a new parameter called 'user_id' which set the user identifier (the same number as used in your home folder: /dev_hdd0/home/[user_id]/)
2. Add a new parameter called 'keygen_key'. Open 'Talk:Keys' page on the PS3DevWiki and search for string 'KeygenV4'
3. Rename the parameter 'param_sfo_key' to 'savegame_param_sfo_key' (see below)
4. There a bunch of new keys for trophies: 'trophy_param_sfo_key', 'tropsys_dat_key', 'tropusr_dat_key', 'troptrns_dat_key', 'tropconf_sfm_key' and they are not public so left them as XX.
Also I noticed that some of you use a kernel swapping feature in the REX firmware. Don't forget to use your current (!) console ID. For example, if you made a save game on a DEX then you need to specify a DEX console ID.
Disc hash keys are sent to the PS3 by the Blu Ray Drive itself (well, not the actual disc hash key but some data from the disc which will be encrypted after that and used as a disc hash key).
PFDTool 0.2.1 Changelog:
Fixed issues with the file size.
PFDTool 0.2.2 Changelog:
Now encrypt and decrypt operations update hashes automatically (be sure to use all keys!).
Fixed another issue with the file size of modified files.
Removed a verbose flag because it is not used at the moment.
Wow, something I'd love to use. can't wait until it's ported to 4.21... hope some sort of code hacking plugin can be released soon too.
Also, Demario, no, can't be used on a non-modded ps3, I'm pretty sure. As the instructions say to replace files in dev_flash... on the console.
Anyway, If I were you, dev, I wouldn't worry about people hacking their trophies. Because anyone on 4.21REX can do that and sync with servers as normal. since there are already tools out that can allow you to do it, I wouldn't worry about releasing a more complex process that'd allow one to do the same thing. That's just me though.
Following up on the previous release, this weekend PlayStation 3 hacker Flat_z has released PS3 Save Game Tools including a Data Dumper, Disc Hash Key Dumper, PFD SFO Tools, Secure File ID Dumper, and a PFD Tool update with details below.
From Twitter: A save game tool in a testing phase before tomorrow's release save game tools. hehe, dunno yet maybe I will make a managed dll for pfd stuff. An another link if you experience a troubles with downloading. Little update of pfdtool (I fixed an issue with 4 version for some games. They should be fine now.)
Trophies will work in the next release but I'm afraid to add support for them because you can easily hack your trophies with it and synchronize them with the server. I'll release a port of my dumpers to 4.21 soon. I'm working on a new payload which I think allow me to not to replace sprx. And newer version will write keys directly to the file.
You don't need to replace modules and launch a dumper if you only want to resign files. A dumper required only for extracting a save game key directly from the memory of the game. And trophy keys are the same for every console because they are constant. In addition, you don't need to extract/read/write keys every time.
A .PFD file for save games is a bit complex than trophy's .PFD. And games uses different keys for their save files. Trophy keys are constants as I mentioned above. I don't like a name PSID because there are two different PSIDs on the PS3: PSID and OpenPSID. So I call the first one as Console ID (it should contains the Target ID of your console). The second one seems to be random bytes (or encrypted bytes) which widely used on PSN stuff.
There are different ways to get your console ID. If you have a flasher then you can make a dump of your flash, then locate your EID0 there and the first 16 bytes will be your Console ID. The second way is using a proxy server as you mentioned. A PS3 will send your console ID in different queries (for example, when you try to login to PSN, when it fetches your act.dat, etc).
It used as a HMAC key to hash a file content along with another keys. I suppose that current firmwares don't check these hashes. That's why Xploder don't need your Console ID. You can check it by yourself making a different console ID and resign your save game and then try to load it. But I want to generate all hashes correctly. That's why I used all real parameters. But you can omit some of them.
You don't need to specify a full file path, only a file name inside a folder (actually it is an entry name inside .PFD). By the way, specifying a zero offset causes a very slow processing. Because .ELF files have a 70-80% of code and not data. And I recommend to use a dumper instead of bruteforcing.
It is better than Xploder because it is not server based, so you can do what you want with your save game and I think Xploder doesn't allow you to decrypt/encrypt data (I can be wrong because I don't use the Xploder's software). Trophies are also supported but not in current version because I didn't include keys for them in the release.
From the included ReadMe Files: Data Dumper (data_dumper.pkg)
3.55 CFW (e.g. Kmeaw)
MultiMAN or original dev_blind application and FTP client
1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin
2. Every time you're want to dump a data from my applications (e.g. Klicensee Dumper) you're need to reboot a console to clear a data storage in LV2 memory.
3. Run a dumper loader, then start your game.
4. After exiting from the game you need to run Data Dumper, you will hear some beeps.
5. Then run any FTP client (e.g. builtin in MultiMAN) and download a dumped data from /dev_hdd0/tmp/dumps.bin.
3.55 CFW (e.g. Kmeaw)
MultiMAN or another FTP client
1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin A data which stored there is written by dumper loaders, e.g. by Disc Hash Key Dumper.
2. Install Disc Hash Key Dumper Loader (disc_hash_key_dumper_loader.pkg). It stores a disc hash key if your game is not a PSN/SEN game.
3. Reboot a console to clear a data storage in LV2 memory.
4. Now you need to start Disc Hash Key Dumper Loader, then start your game.
5. After exiting from the game you need to run Data Dumper, you will hear some beeps.
6. Then run any FTP client (e.g. builtin in MultiMAN) and download a dumped disc hash key from /dev_hdd0/tmp/dumps.bin.
PFDTool & SFOPatcher Beta version (pfd_sfo_tools: pfdtool.exe and sfopatcher.exe)
ATTENTION!!! Be careful with 'pfdtool' because it is working with the directory you specify so it will overwrite files inside it.
Some notes about keys:
1. 'Syscon Manager Key' (syscon_manager_key): a constant key from a Syscon Manager.
2. 'PARAM.SFO Key' (param_sfo_key): a constant key used for PARAM.SFO entry.
3. 'Fallback Disc Hash Key' (fallback_disc_hash_key): a constant key used for discless PSN/SEN games.
4. 'Authentication ID' (authentication_id): an additional constant key.
5. 'Console ID' (console_id): your unique console identifier.
6. 'Secure File ID' (secure_file_id): per a game file, almost the same for all files of the game, specified by a game developer (used to encrypt save game files and to hash their content).
7. 'Disc Hash Key' (disc_hash_key): per a game disc or a constant key for PSN/SEN games (used to hash a file entry). You need to use an original game disc and extract it from the disc. For PSN/SEN games they used a fallback disc hash key. 'Disc Hash Key' hash is not verified by PS3 so you can omit this key.
Attention! Some game developers (for example, creators of Metal Gear Solid 4) uses a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself.
1. Paste your console specific data inside 'global.conf'. You need to paste your console ID (IDPS) and needed keys. Open 'Keys' page on the PS3 Dev Wiki and look into the 'Key lists - sc_iso module 1.00-4.00'. There is a 'Syscon Manager Key' at the #2.
Open 'Talk:Keys' page on the PS3 Dev Wiki and search for strings 'Params' and 'Fallback key'. They are 'PARAM.SFO Key' and 'Fallback Disc Hash Key'.
2. Prepare required keys for the game and place them inside 'games.conf'. You need these keys only to verify your .PFD file (it is an optional feature) or to play with save game data encryption. So if you want only to resign a foreign save game then you need only your console ID and skip some hash updates by specifying some flags at 'pfdtool'.
For secure file IDs you can specify an exact file name or use wildcards to match a file name (for example, you don't need to specify the same key for all game files if the game uses the same key for all of them). A disc hash key can be extracted only from an original game disc. For PSN/SEN games a fallback disc hash key is used. This type of hash is not verified by PS3 so you can omit its key but they can add a check in the future firmware versions.
So if you want to use 'Disc Hash Key'=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and 'Secure File ID'=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY for a save file named 'SAVE.DAT' and your game have a product code='BLZZZZZZZ' place them inside a config file:
3. Make a custom save game to use it as a pattern for 'sfopatcher'.
1) You may also need to patch a copy protection flag inside your PARAM.SFO because some games uses it:
sfopatcher patch --remove-copy-protection
After copying it to the PS3 you need to update a game cache. You have two solutions:
a) 'Rebuild Database' in the system recovery menu. Be careful with it because it can corrupt your file system in rarely cases.
b) Manually copy your save game to the corresponding folder by using a FTP client (for example, embedded in MultiMAN).
2) You need to patch a foreign PARAM.SFO with data from your PARAM.SFO (the tool uses your account ID, save parameters, optional title and description values):
If you also want to patch title and description use a command below:
sfopatcher build --copy-title --copy-detail
4. Import your optionally patched save game folder to 'pfdtool' and use it.
Make sure that you specify a game setting set (from 'games.conf') otherwise you will get some fails.
a) You will always get a 'Disc Hash Key FAIL' if you don't use a valid disc hash key. It is not important because it is not checked.
b) If you will get a 'Console ID Hash FAIL' then you use a wrong console ID.
c) If you will get a 'Secure File ID Hash FAIL' then you use a wrong secure file ID for a corresponding file.
You don't need to get a valid console ID for foreign save, just use your console ID and update a save game.
1) To list all entries from PARAM.PFD use a 'list' command:
2) To check the validity of PARAM.PFD use a 'check' command.
pfdtool -g -c
3) If you don't plan to modify save game files and you want only to resign a save game for your console then just use an 'update' command with a 'partial' update option:
pfdtool -g -p -u
4) If you plan to modify save game files then use an 'update' command without the option above:
pfdtool -g -u
5) To encrypt or decrypt specified save game files use 'encrypt' or 'decrypt' command:
pfdtool -g -e
pfdtool -g -d
6) To bruteforce a secure file ID use a 'brute' command along with the .ELF file from the game and specified decimal offset (I recommend to specify an offset of data segment which is usually started at 70-80% of the entire file):
Bruteforcing a secure file ID takes a lot of time because it is based on hashing of the game file. The larger the file size, the longer the wait. And bruteforcing don't guarantee that you will get a secure file ID because it can not be specified in the plaintext inside an ELF file.
Once again, if you want to easily resign a save game (as publicly known commercial tools does) you just need to place your console ID and use the command:
pfdtool -p -u
I also recommend to use my 'Disc Key Dumper' (incorrectly named because it is a disc hash key really) and 'Secure File ID Dumper' to dump keys directly from the memory of a game. But they are written for 3.55 CFW. I will port them to the 4.21 soon.
I will be glad to see if someone will write a batch script for automate the process or a GUI application because I have no time to do it personally. Also will be nice if someone will create a centralized storage of game setting' sets to find keys there. In the future the tool needs to be improved for error handling because it is poor at the moment. I will plan to improve it in further versions.
Secure File ID Dumper (secure_file_id_dumper: ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx and secure_file_id_dumper_loader.pkg)
A secure file ID is specified by developer of the game. There are can be more than one secure file IDs, one ID per file. There are cases when these bytes stored at EBOOT.ELF as is, so you can use my PFD tool to bruteforce them by specifying a PARAM.PFD and file name.
In other cases you need skills of reverse-engineering and a disassembler to find a secure file ID. That's why I had created this dumper. It dumps a secure file ID from memory itself.
3.55 CFW (e.g. Kmeaw)
MultiMAN or original dev_blind application and FTP client
1. Install Data Dumper (data_dumper.pkg) if you didn't installed it before. It is a homebrew application to dump a data from some LV2 memory to a file: /dev_hdd0/tmp/dumps.bin. A data which stored there is written by dumper loaders, e.g. by Klicensee Dumper.
2. Install Secure File ID Dumper Loader (secure_file_id_dumper_loader.pkg). It stores a file path to the file which used in your save data and a secure file ID of this file.
3. Now you need to replace original libraries located at dev_flash/vsh/module by modified versions. There are ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx. I use a dev_blind feature from MultiMAN, you can use any other way. Don't forget to backup original files.
4. Reboot a console to clear a data storage in LV2 memory.
5. Now you need to start Secure File ID Dumper, then start your game.
6. Then you need to make a game save.
7. After exiting from the game you need to run Data Dumper, you will hear some beeps.
8. Then run any FTP client (e.g. builtin in MultiMAN) and download dumped secure file IDs from /dev_hdd0/tmp/dumps.bin.
9. Restore original libraries ps3_savedata_plugin.sprx, ps3_savedata_plugin_game.sprx, ps3_savedata_plugin_game_mini.sprx using the same method as at step 3.
Notes: Not all of these libraries used with all games, there is one library per game type.
Let me say a few words about the process of signing. There are two types of files - system file object (PARAM.SFO) and game files (which are encrypted by the secure file ID). The first one contains 3 or 4 hashes (depending on whether it is a trophy file database or not).
So for game saves they are a static key embedded in the prx module, your unique console ID, disc hash key and authentication ID (it is static too). So if you take a foreign save game you probably don't have its console ID and the disc hash key (you can only take a disc hash key if you have an original game disc for it).
Also if you don't have a secure file ID and you are lazy to get it (by bruteforcing it/reversing the game executable/dumping from the memory) then you can't calculate hashes for game files too. That's why I created two different modes of signing/checking - one for these people who want only to resign a foreign save game and nothing more and the second one is for people who have all data to update all hashes for their save game.
The first mode called partial update/check (see the corresponding option at pfdtool), and for full update you don't need to specify this option. The partial update only updates hashes which are easy to calculate (based on static data such as authentication ID and console ID).
So if you have a filled global.conf (all keys and your console ID) and run a partial update on the foreign save game to resign it for your console then you got a fully working resigned save game.
But if you want to modify save game files which are encrypted then you need to get all data and specify them in configuration files and then use a full update to resign it. By the way the PS3 itself doesn't check some hashes such as a hash which was calculated using a disc hash key.
So you can omit some of them (I only omitted the hash which I said and it works fine). But I don't know what situation will be in the future, maybe S0ny will add a check for them.
Finally, from aldostools: I have updated the BruteforceSaveData tool with the suggested changes. Also if you press the buttons holding Ctrl it will allow to edit the command line
TIP: Hold Ctrl key and press Enter or double-click on a game to skip the bruteforce using the keys in the database. This feature can be use useful for savegames with large data (eg. >4MB and that you already know that the key is unknown)