View Full Version : Free Vast Continues



PALGamer
03-20-2008, 05:01 PM
Free Vast has been released! Under the name of Free MC Boot, Jimmikaelkael has released a project that allows booting homebrew without the use of a trigger disc on almost every PS2 version ever made (even the 10K). The app can be found @ the public release page, and includes many nice features, check it out!


Well, I don't know whether this is the right subforum to continue,
If it's not, maybe one of the mods can move it..

Newcomers and devs can read this (http://psx-scene.com/forums/419373-post124.html) post from MikeTV about the wiki he created for this project :)

Well, a small summary of what has happened until now:

- Memor32 got released, and so did Memento, the unofficial firmware for Memor32 that allows the booting of back-ups and elf-files via DEV1 (MC) and DEV3 (HDD). See the Memento-Homepage (http://www.mementoteam.com)
- Memento Firmware got dumped by TikTok 'n Botch, see Botch Homepage (http://botch.front.ru)

- Jimmikaelkael released a few apps in an attempt to dump the MementoFW and flash it to a Datel 32MB MC. He was working on getting the signature of a Datel 32MB MC and hexing that into a MementoFW. Afterwards he wanted to flash the hexed image to the Datel 32MB MC, hoping it would boot Memento :)

This is what I could save via google cache, and some hottracking around the net :)

Ok so i have corrected many bugs and here is the final version of my McFlasher for HDProject.
It is stable and flashes memcards reliably.

The things that have changed :

MC Flasher :
- I turn the option DATEL card into DATEL never formatted as you must turn it to YES only if you have never reformatted your datel card at home. (because when it's never reformatted it just makes ECC emulation).
I have made many many tests so you should not have to worry about your cards. Just one thing, be sure to correctly set the options.

The SKIP ECC READ option is set to NO by default : It assumes that you use an image file that contains ECC data, like a PCSX2 compatible image (read next), just like the memento hack dump.


MC Dump :
- Hackchip asked me to make modifications to MCDump so it can make a PCSX2 compatible memcard image, so i've added the option PCSX2 IMAGE.
It is now easy to transfer your memcard content from PS2 to PC and vice-versa.
The PCSX2 IMAGE requires ECC rebuilding so it makes the dumping take more time, about 2 minutes for an official 8mb memcard.


Here is the link, the ELF comes Packed or Unpacked : HDProjectv1.07 + McFlasher (http://www.4shared.com/file/40181176/31c02a4b/HDProjectMcFlasher.html)
Relic version : MCD001 (http://www.4shared.com/file/40317970/b3034260/Mcd001.html)
Stayehyetreez version : MCD002 (http://rapidshare.com/files/98493857/32mb_datel_mc_dvd_u.zip)


Memor32 dump :
HackedMemor32 (http://rapidshare.com/files/93639539/HackMemor32.rar.html)
FreeMemor32 (http://www.4shared.com/file/38476891/4896d04c/FreeMemor32.html)
Memor32 Tool (Dump/Flash/Format memor32 utility) (http://www.4shared.com/file/38637552/75063d07/Memor32_Tool.html)
MyMC (http://www.4shared.com/file/40462074/2344a16c/mymc-alpha-116.html)


I couldn’t find the extraction tool, maybe jimmikaelkael would like to post it again..

Oh, forgot to add, this is what I've found on Google's cache about a week back of the original thread.

Page
1 (http://www.google.com/search?q=cache:ieOyy9aBfmgJ:psx-scene.com/forums/sony-news/58841-free-vast.html+http://psx-scene.com/forums/sony-news/58841-free-vast.html&hl=en&ct=clnk&cd=1&gl=us)
2 (http://209.85.165.104/search?q=cache:8shtHkb3u8AJ:psx-scene.com/forums/sony-news/58841-free-vast-2.html+http://psx-scene.com/forums/sony-news/58841-free-vast-2.html&hl=en&ct=clnk&cd=1&gl=us)
3 (http://66.102.9.104/search?q=cache:G8L5wB7MArAJ:www.psx-scene.com/forums/showthread.php%3Ft%3D58841%26page%3D3+site:www.psx-scene.com+free+vast+psx-scene&hl=en&ct=clnk&cd=5&client=firefox-a)
4 (http://66.102.9.104/search?q=cache:P7Mu1iIjlbEJ:www.psx-scene.com/forums/showthread.php%3Ft%3D58841%26page%3D4+site:www.psx-scene.com+free+vast+psx-scene&hl=en&ct=clnk&cd=6&client=firefox-a)
5 (http://209.85.165.104/search?q=cache:duKVReWDP5UJ:psx-scene.com/forums/sony-news/58841-free-vast-5.html+http://psx-scene.com/forums/sony-news/58841-free-vast-5.html&hl=en&ct=clnk&cd=1&gl=us)
6 (http://209.85.165.104/search?q=cache:LXZXmtPidUoJ:psx-scene.com/forums/sony-news/58841-free-vast-6.html+http://psx-scene.com/forums/sony-news/58841-free-vast-6.html&hl=en&ct=clnk&cd=1&gl=us)
7 (http://209.85.165.104/search?q=cache:_OvcCeS30oYJ:psx-scene.com/forums/sony-news/58841-free-vast-7.html+http://psx-scene.com/forums/sony-news/58841-free-vast-3.html&hl=en&ct=clnk&cd=2&gl=us)
8 (http://209.85.165.104/search?q=cache:RDRhYASZXGoJ:psx-scene.com/forums/sony-news/58841-free-vast-8.html+http://psx-scene.com/forums/sony-news/58841-free-vast-8.html&hl=en&ct=clnk&cd=1&gl=us)
9 (http://www.google.com/search?q=cache:AhWgwLd2FJsJ:psx-scene.com/forums/sony-news/58841-free-vast-9.html+http://psx-scene.com/forums/sony-news/58841&hl=en&ct=clnk&cd=1&gl=us)
10 (http://209.85.165.104/search?q=cache:2yyQHshPdf8J:psx-scene.com/forums/sony-news/58841-free-vast-10.html+http://psx-scene.com/forums/sony-news/58841-free-vast-10.html&hl=en&ct=clnk&cd=1&gl=us)
11 - missing
12 (http://209.85.165.104/search?q=cache:UXdFd1B2buoJ:psx-scene.com/forums/sony-news/58841-free-vast-12.html+http://psx-scene.com/forums/sony-news/58841-free-vast-12.html&hl=en&ct=clnk&cd=1&gl=us)
13 (http://209.85.165.104/search?q=cache:qDU5pfwtaTEJ:psx-scene.com/forums/sony-news/58841-free-vast-13.html+http://psx-scene.com/forums/sony-news/58841-free-vast-3.html&hl=en&ct=clnk&cd=1&gl=us)
14 (http://209.85.165.104/search?q=cache:ImzZMfUhd0EJ:psx-scene.com/forums/sony-news/58841-free-vast-14.html+http://psx-scene.com/forums/sony-news/58841-free-vast-4.html&hl=en&ct=clnk&cd=1&gl=us)
15 (http://209.85.165.104/search?q=cache:UZRlzwTd5jMJ:psx-scene.com/forums/sony-news/58841-free-vast-15.html+http://psx-scene.com/forums/sony-news/58841-free-vast-15.html&hl=en&ct=clnk&cd=1&gl=us)
16 (http://209.85.165.104/search?q=cache:f12NnIJte2sJ:psx-scene.com/forums/sony-news/58841-free-vast-16.html+http://psx-scene.com/forums/sony-news/58841-free-vast-16.html&hl=en&ct=clnk&cd=1&gl=us)
17 - missing
18 (http://209.85.165.104/search?q=cache:a3YEwty-hXEJ:psx-scene.com/forums/sony-news/58841-free-vast-18.html+http://psx-scene.com/forums/sony-news/58841-free-vast-18.html&hl=en&ct=clnk&cd=1&gl=us)
19 (http://209.85.165.104/search?q=cache:kmy3KFvC5JIJ:psx-scene.com/forums/sony-news/58841-free-vast-19.html+http://psx-scene.com/forums/sony-news/58841-free-vast-19.html&hl=en&ct=clnk&cd=1&gl=us)
20 (http://209.85.165.104/search?q=cache:c_IA2gU3Xj8J:psx-scene.com/forums/sony-news/58841-free-vast-20.html+http://psx-scene.com/forums/sony-news/58841-free-vast-20.html&hl=en&ct=clnk&cd=1&gl=us)
21 (http://209.85.165.104/search?q=cache:eNCkXo_1xH4J:psx-scene.com/forums/sony-news/58841-free-vast-21.html+http://psx-scene.com/forums/sony-news/58841-free-vast-21.html&hl=en&ct=clnk&cd=1&gl=us)
22 - missing
23 (http://www.google.com/search?q=cache:YUXKa9kbrFwJ:www.psx-scene.com/forums/showthread.php%3Ft%3D58841%26page%3D23+site:www.psx-scene.com+free+vast+psx-scene&hl=en&ct=clnk&cd=3)



May the project continue :)

//PALGamer

Bootlegninja
03-20-2008, 05:13 PM
word. Hopefully he'll continue this project. It would make any people with dead lasers or slims happy.

also, I uploaded my 3.02u DVD player from my 32 MB datel card to his 4shared. hopefully it can help him. Also, it would be kinda cool if he can create a PC or PS2 app that will modify the memento firmware on the fly for a usable state that a Datel card can use. :)

PALGamer
03-20-2008, 05:45 PM
Yes, that sure as hell would be nice..
If the datel version works, maybe there's a chance it'll work on the normal 8MB MC's as well :)..
(plus I secretly hope that if memento FW gets hacked, EEUG will release his 'Plan B', cause that would really be nice)

//PALGamer

Bootlegninja
03-20-2008, 05:55 PM
well, if I take the way EEUG was talking about plan b, it seemed as though he has it working on a standard card, but I'm not sure on that. Hard to tell since his posts were wiped in the site crash and the fact that I'm too lazy to take a trip into google's cache.

I'm rather curious on both his and jimmi's methods of going about this. hopefully we'll see some progression on either front.

comminup
03-20-2008, 05:56 PM
Update:

I'm still looking for a Datel Memory Plus Card :( I've picked up a few Max Memory Cards and none of them have performed like the instructions have said for the memory plus.

Please look over these instructions and give any information on this mystery card........

redjackofspades
03-20-2008, 09:42 PM
I ordered a DVD remote from walmart and the description says it includes the update disc. I'll let you know if it really does when I get it.


Features & Specifications
Expand your PlayStation 2's capabilities and control the DVD player with this remote.

Watch your favorite movies and don't worry about using your game controller as the remote. This DVD remote gives you the freedom to move around the room, control the DVD and not be connected to the machine.

Allows freedom while watching movies on the PlayStation 2
Package includes DVD Remote Control, instruction manual and two AAA Batteries
Discover new updated DVD features with the new driver disc
http://www.walmart.com/catalog/product.do?product_id=2467798

Titch
03-20-2008, 10:34 PM
The extraction tool was mymc, a command line utility, by Ross Ridge, it allowed you to pull individual files out of the .ps2 image created by mcflasher.

Bootlegninja
03-20-2008, 10:45 PM
One problem is that he knows what data to pull from the DVD player files and where to place it in the Memento file. And there's no tool out to automate the process.

Titch
03-20-2008, 11:10 PM
yes it is complicated, from what i have gathered reading the forum. The first 32 bytes of the memcard dumps contain the fat record and signature of the individual cards. The memor32 software uses a modified fat which references a few filenames to the same block of data. So you have to modify these 32 bytes in the memento dump to match the individual card. And for now it is only likely to work on the datel 32mb cards. R3lic and Stayehyetreez have the modified images for their cards so let's see what happened. Patiently awaiting their feedback

stayhye
03-21-2008, 12:14 AM
yo guys, welcome back! i had a chance to download the image of my datel mc that jimmi posted before the site went down. if anyone was wondering, it didn't work, but it did have all 150+mb of data on my 32mb card. it also froze my ps2 if i booted with it inserted.

Bootlegninja
03-21-2008, 12:42 AM
Hmmm. Could be a simple error in the code. I did do a compare in hex workshop between yours and R3lic's and found a number of areas that were the same data, only in different memory locations. Also with that, there were numerous areas that were either replaced, deleted, or inserted with different data throughout the image. So I'm curious to R3lic's results as well.

And I finally got around to creating a proper pcsx2 image of my dvd player files (3.02u) on my datel card. I'm hoping to test this out to help out my declining v10. :D

stayhye
03-21-2008, 01:02 AM
i found this link to that magic datel card with the mc manager built in memento-style:

http://www.ps2savetools.com/

just follow the links:D

PALGamer
03-21-2008, 03:17 AM
The extraction tool was mymc, a command line utility, by Ross Ridge, it allowed you to pull individual files out of the .ps2 image created by mcflasher.

I meant the extraction tool to get the files out of the MementoFW (the installation file)

mymc does indeed allow you to pull/add files to the /ps2 image

//PALGamer

jimmikaelkael
03-21-2008, 09:01 AM
The project continues ;) !

here are the important links :
Memor32 Tool (Dump/Flash/Format memor32 utility) : here (http://www.4shared.com/file/38637552/75063d07/Memor32_Tool.html)

HDProjectv1.07 + McFlasher (ps2 memcard dump/flash/emulator) : here (http://www.4shared.com/file/40181176/31c02a4b/HDProjectMcFlasher.html)

myMC : here (http://www.4shared.com/file/40462074/2344a16c/mymc-alpha-116.html)


I'm working on secrman as i think the way of signing our encrypted files is in.
I've learned interesting things on the 32bytes sig, i will report soon.

timberlandman
03-21-2008, 10:02 AM
This is all great news!

PALGamer
03-21-2008, 12:05 PM
I added the links to the first post, thanks bootleg
I'll see if I can find the missing ones, but I strongly doubt it...

//PALGamer

kiwicider
03-21-2008, 05:42 PM
Comminup: The memory Plus is now on their website. It looks like only the 64MB has the .elf loading features

http://uk.codejunkies.com/Products/PS2-Memory-Plus-64MB__EF000554.aspx

Bootlegninja
03-21-2008, 06:10 PM
And the US version of that page. (for those of us who are lazy and don't want to use a currency converter.) :D
http://us.codejunkies.com/Products/PS2-Memory-Plus-64MB__EF000554.aspx

ybarra
03-21-2008, 08:22 PM
The project continues ;) !

here are the important links :
Memor32 Tool (Dump/Flash/Format memor32 utility) : here (http://www.4shared.com/file/38637552/75063d07/Memor32_Tool.html)

HDProjectv1.07 + McFlasher (ps2 memcard dump/flash/emulator) : here (http://www.4shared.com/file/40181176/31c02a4b/HDProjectMcFlasher.html)

myMC : here (http://www.4shared.com/file/40462074/2344a16c/mymc-alpha-116.html)


I'm working on secrman as i think the way of signing our encrypted files is in.
I've learned interesting things on the 32bytes sig, i will report soon.


Welcome back Jimmi! I'm interested to hear what you found out about the sigs (and how far off base I was in my hypothesis). I'm back from vacation and got my chubby back up and running w/ a new HD and hope to start tinkering soon myself (probably next weekend if you guys haven't already solved it).

comminup
03-21-2008, 09:02 PM
kiwicider: well looks like im just gonna get me a few of those..... :) now i can bring some of my dead systems back to life...... :)

i will still be here to help and test any new developments that come for the normal mem card as i have tons of them due to my three kids and myself

ps2dragon
03-21-2008, 11:31 PM
I added the links to the first post, thanks bootleg
I'll see if I can find the missing ones, but I strongly doubt it...
Here are all Free VAST pages 1 - 23 from Google cached pages. I re-made them so you can view them offline using the site template and removed the embedded google cache code.

UPDATE: Fixed all internal navigation links, so you don't have to open each page individually. Oops, I previously uploaded the wrong file lol, here is the correct one.

Bootlegninja
03-21-2008, 11:48 PM
you are the man!

Edit - When I get some time and I'm bored, I'm going to edit the links on it just a bit to allow changing to the next/previous page just as you would using the forums.

ps2dragon
03-22-2008, 12:33 AM
you are the man!

Edit - When I get some time and I'm bored, I'm going to edit the links on it just a bit to allow changing to the next/previous page just as you would using the forums.
Thanks Bootlegninja, however I already took the time to do this. Unfortunately I am unable to edit my previous post, so here is the updated version with the navigation fixed.

EDIT: Moved attachment to my original post, #22 in this thread.

Bootlegninja
03-22-2008, 12:44 AM
Odd that you can't edit your post. On a side note, I went ahead and placed it in that post for you. :D

ps2dragon
03-22-2008, 12:47 AM
Odd that you can't edit your post. On a side note, I went ahead and placed it in that post for you. :D
Thanks, I figured out what the problem was. It's because I was using the default old style ps2-scene template. When I switched back to the new template "PSX-SCENE/WIINEWZ", everything works fine.

While in Edit mode, the old ps2-scene template doesn't allow you to manage attachments, and the format toolbar links (ex: Bold, Italic, etc and emoticons) are completely disabled. Not sure if that can be fixed, but I'll talk to xiaNaix about it the next time I see him online.

yoshi314
03-22-2008, 03:00 AM
oh man, my account was totally gone :/ i was kinda waiting for this thread to reappear.

can't wait to get my hands on some extra dumps to tinker with them ;-) right now i'm trying to figure out the meaning of two fields in 32byte sig, and what exactly changes between regions for the same encrypted file, as sig differs by only 4 bytes when region changes.

jimmikaelkael
03-22-2008, 04:25 AM
The 32 bytes sig is composed of two 128 bits keys :
- the BIT key (first 16 bytes)
- the content key (last 16 bytes)

I've learned other things, but i must be sure before to report ;)

yoshi314
03-22-2008, 09:43 AM
when i was comparing two copies of [supposedly] the same file, one encrypted for us, one for eur there was a block of similar data in the middle.

every couple hundreds of bytes there was 8byte block that differed for two files, and the last 32 or 64 bytes were different. hmm, you could be right there. (there could be checksums at certain points in the encrypted files as well - i don't know what are they for, so that's my guess)

still my theory about file length composed of two header fields was a pretty much wild guess (since i tested it on ~6 files :D), so no worries if you post your wild guesses as well ;-)
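
An added example, not part of the original posts: the byte-level comparison described by yoshi314 above (and Bootlegninja's earlier hex compare) done as a small C tool that lists where two same-sized files differ and how the differing blocks are spaced. The buffers are constructed sample data shaped like the description (8-byte blocks at a regular interval, different tail), and the names diff_runs, modal_stride and make_sample are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RUNS   64
#define SAMPLE_LEN 1024

/* One contiguous range in which the two buffers disagree. */
struct diff_run {
    size_t offset;
    size_t length;
};

/*
 * Collect runs of differing bytes between a and b (both len bytes long).
 * Two runs separated by at most merge_gap equal bytes are joined: in
 * ciphertext-like data a byte inside a changed block matches by chance
 * about once in 256, which would otherwise split one block into two.
 * Returns the number of runs found; at most max_runs are stored in out.
 */
size_t diff_runs(const uint8_t *a, const uint8_t *b, size_t len,
                 size_t merge_gap, struct diff_run *out, size_t max_runs)
{
    size_t count = 0, i = 0;
    size_t prev_end = 0;            /* one past the end of the last run */

    while (i < len) {
        if (a[i] == b[i]) { i++; continue; }
        size_t start = i;
        while (i < len && a[i] != b[i])
            i++;
        if (count > 0 && start - prev_end <= merge_gap) {
            /* Close enough to the previous run: extend it. */
            if (count <= max_runs)
                out[count - 1].length = i - out[count - 1].offset;
        } else {
            if (count < max_runs) {
                out[count].offset = start;
                out[count].length = i - start;
            }
            count++;
        }
        prev_end = i;
    }
    return count;
}

/*
 * Most frequent distance between the starts of consecutive runs,
 * or 0 when fewer than two runs exist. Ties go to the first seen.
 */
size_t modal_stride(const struct diff_run *runs, size_t n)
{
    size_t best = 0, best_votes = 0;

    for (size_t i = 1; i < n; i++) {
        size_t stride = runs[i].offset - runs[i - 1].offset;
        size_t votes = 0;
        for (size_t j = 1; j < n; j++)
            if (runs[j].offset - runs[j - 1].offset == stride)
                votes++;
        if (votes > best_votes) {
            best_votes = votes;
            best = stride;
        }
    }
    return best;
}

/*
 * Constructed sample, not data from the thread: two buffers that differ
 * in an 8-byte block every 200 bytes and in the last 32 bytes, with one
 * byte of the block at offset 400 matching by coincidence.
 */
void make_sample(uint8_t *a, uint8_t *b)
{
    uint32_t state = 0x12345678u;

    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        state = state * 1664525u + 1013904223u;   /* LCG filler bytes */
        a[i] = (uint8_t)(state >> 24);
    }
    memcpy(b, a, SAMPLE_LEN);
    for (size_t off = 200; off <= 800; off += 200)
        for (size_t k = 0; k < 8; k++)
            b[off + k] ^= 0xFF;
    for (size_t i = SAMPLE_LEN - 32; i < SAMPLE_LEN; i++)
        b[i] ^= 0xFF;
    b[403] = a[403];
}

int main(void)
{
    static uint8_t a[SAMPLE_LEN], b[SAMPLE_LEN];
    struct diff_run runs[MAX_RUNS];

    make_sample(a, b);
    size_t n = diff_runs(a, b, SAMPLE_LEN, 1, runs, MAX_RUNS);
    size_t stored = n < MAX_RUNS ? n : MAX_RUNS;
    for (size_t i = 0; i < stored; i++)
        printf("0x%04zx  %zu bytes\n", runs[i].offset, runs[i].length);
    printf("runs: %zu, modal stride: %zu\n", n, modal_stride(runs, stored));
    return 0;
}
```

With merge_gap set to 0 the block at offset 400 is reported as two short runs; a gap of 1 restores it to a single 8-byte block.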

jimmikaelkael
03-22-2008, 10:09 AM
You're right yoshi for the two hex sections about file size.
From what i've seen from my eyes it's not just theory, it's a sure thing.

The first 32 bit is data length.
The second 16 bit is header length.

File header also have flags...

Smurfpeacca
03-22-2008, 02:54 PM
I can't understand... Is it now possible to load freevast on a normal ps2 memory, or is the project not finished yet?

stayhye
03-23-2008, 01:40 AM
not just yet.....

jimmikaelkael
03-23-2008, 05:12 AM
Ok so from what i know, Dvd player update, bbnav etc... are using a special version of secrman irx module.
This special version provides a special function set for data encryption, BIT key and Content key generation.

So to get the famous ID to include in our encrypted files, we need this special secrman module.

Horscht
03-23-2008, 06:15 AM
would this simply be included in the DVD player Disk?

EDIT: looks like it's not straight on the disk. Could it be hidden in the .pak file?

jimmikaelkael
03-23-2008, 06:26 AM
Yes i suspect this, but i don't know how to really unpack .PAK content.
It seems files are chained in it, but they must be crypted or packed.

yoshi314
03-23-2008, 08:18 AM
we probably need to hook into secrman and use it to decrypt the pak files to see what happens.

well we'll need to start with decoding ps289.vob off dvd update/bbnav disks as it's the starting point and first accessed encrypted file and go from there.

[i know that the main boot file contains ps290.vob filename, but somebody already stated that it's just a trick to confuse people, and the filename is changed on-the-fly to ps289.vob ]

jimmikaelkael
03-23-2008, 09:33 AM
I'm actually working with secrman in order to try to decrypt files.
I don't think hooking a secrman export is necessary to see the decrypted files, we must just use secrman exports like dvdplayer does.

I have successfully decrypted dvdplayer.irx using secrman export 10 (SecrCardBootFile), it's the function that decrypts irx modules.

Here is the decrypt result : SecrCardBootFile result (http://www.4shared.com/file/41647689/7841b441/decrypt2.html)

yoshi314
03-23-2008, 10:37 AM
cool! which dvdplayer version is that? ok, hold on i'll check the file first ;-)

PALGamer
03-23-2008, 10:53 AM
Nice, I smell some very good progress over there :)
GJ jimmi ;)

//PALGamer

l_oliveira
03-23-2008, 11:28 AM
I'm actually working with secrman in order to try to decrypt files.
I don't think hooking a secrman export is necessary to see the decrypted files, we must just use secrman exports like dvdplayer does.

I have successfully decrypted dvdplayer.irx using secrman export 10 (SecrCardBootFile), it's the function that decrypts irx modules.

Here is the decrypt result : SecrCardBootFile result (http://www.4shared.com/file/41647689/7841b441/decrypt2.html)

Man ! I'm drooling over this ! Grats :)
This is the holy grail of PS2 hacking ! ;)

yoshi314
03-23-2008, 12:54 PM
grail? well it's not like it's deeply hidden anyway ;-)

maybe there are some extra tricks to it, though.

edit: okay, a question. is the file location relevant for this method to work? can it decrypt from any media, or only from memcard/memory ? i ask because secrman info contained descriptions like "decrypt a file using memory card".

jimmikaelkael
03-23-2008, 01:44 PM
I don't exactly know how it works.
And now i'm not sure this is really the decrypted file, as the function always returns 0.

Maybe this doesn't work because these files are not designed for my memcard...

I think that if it does not match the sig, it does not attempt to decrypt anything.

PALGamer
03-23-2008, 02:55 PM
That doesn't sound odd, If I had a dvd-player update disk, I would send it 2 u,
shipping within europe isn't very expensive anyway (if I remembered correctly u were from france?) but sadly enough I don't have 1 ..
good luck on it :)

//PALGamer

stayhye
03-23-2008, 03:14 PM
jimmi...if there are any files from the dvd player update u need, or maybe just some more mc dumps, just pm me, i think i might have everything u need minus the know-how:D

Smurfpeacca
03-23-2008, 03:50 PM
I have the pal DVD-player disc, how can I help you? I can make an image and a dump of save, tell me and it will be done!

stayhye
03-23-2008, 09:59 PM
do u guys know if there was another way to get this module? maybe from a game? maybe the games that will not let u copy the save files to another mem card in the browser?

yoshi314
03-24-2008, 03:43 AM
we'll need to decrypt dvd update disk to see how it's getting things done.

or maybe it's present somewhere in rom1 in console (that's where dvdplayer is, and by looking at pcsx2 dumps of it, it doesn't look like unencrypted file).

jimmikaelkael
03-24-2008, 04:34 AM
All important stuff is in the "special secrman" module, and i think it will not come with some games. It's only with dvd player update or bbnav.
You guys are very cool.
One thing i want to test is : Does the dvd player have the same sig on the same card if we update with different versions of dvd player.
I think it won't work because the key is made with file content and card ID, but i want to make sure...

Does anyone have several versions of dvdplayer update ?

PALGamer
03-24-2008, 10:27 AM
Can't you use several versions of the dvd-player update on memor32, as that should have the same ID in every single memor32..? so several people with a memor32 install dvdplayer update, then u check between different versions :) (just theoretic .. )

stayhye
03-24-2008, 12:16 PM
i have dvd player update 2.10u and 3.02u. i would like to help but 2.10 will install fine because it is original disc, but i can't get 3.02 to install completely. maybe because it is a copy?

Bootlegninja
03-24-2008, 12:36 PM
i have dvd player update 2.10u and 3.02u. i would like to help but 2.10 will install fine because it is original disc, but i can't get 3.02 to install completely. maybe because it is a copy?

I'm having issues with an original of the hdd utility disc with dvd player 3.02u on my v7 with matrix even with atad patching on. The screen will go blank and the system will freeze with no files written to the MC. however it does fine on my unmodded v10 with the sony hdd even with the 32MB datel card.

dunno why but it does.

stayhye
03-24-2008, 01:28 PM
for 2.10 to install i have to disable my DMS4, or else the update will freeze(original disc). With 3.02u(the one on the hdd util. 1.10), which is a CD-R, installs the hdd browser just fine on a 20gb hd. but the dvd player update 3.02u, will not install. the screen goes blank just like bootlegninja said. i tried to swap magic with my chip disabled, launchelf, direct boot, even rebuilt the iso with 2.10 main files. still no go. the only time it got close was when i tried to update a mc with 2.10 already on it. the progress bar made it to 100% but the update never changed from 2.10. any ideas?

redjackofspades
03-24-2008, 08:49 PM
anybody tried this?

rebuild the iso to boot ULE first then load it via HDL then launch the ELF.

Neme
03-25-2008, 03:35 AM
Anyone had a look at the kernel function prototypes in ps2sdk? There are two function protos in loadfile.h that may be of interest. I believe these are functions exported from one of the rom modules.

int SifLoadModuleEncrypted(const char *path, int arg_len, const char *args);
int SifLoadElfEncrypted(const char *path, t_ExecData *data);

I think that the ps289.vob file mentioned earlier is an encrypted ELF file. The question is, can any of these functions do anything useful with it? I made a little program a while back to load the file using these functions and run it in pcsx2 but it didn't work. But that might be a problem with pcsx2, because if anyone ever tried to install the dvd update in pcsx2 probably noticed that the installation stops right after reading the sectors that contain the ps289.vob file.

Unfortunately i can't test it on a real ps2 at the moment but here is some sample code to play with if anyone interested.

#include <tamtypes.h>
#include <sifrpc.h>
#include <kernel.h>
#include <loadfile.h>
#include <debug.h>

int main(void)
{
    t_ExecData edata;
    int result;

    /*
     * Some initialization stuff.
     * Not sure whether it's required or
     * if it's the right way at all...
     */
    SifInitRpc(0);
    SifLoadModule("rom0:SIO2MAN", 0, NULL);
    init_scr();

    /*
     * Try to load the thing. Change the path to
     * wherever the file is located. If you want
     * to load it from mc you might also need to call
     * SifLoadModule("rom0:MCMAN", 0, NULL);
     */
    result = SifLoadElfEncrypted("cdrom0:\\DATA\\PS289.VOB", &edata);

    /* Print the result on screen using the debug library. */
    scr_printf("result: %d\n", result);
    scr_printf("epc: %d\n", edata.epc);
    scr_printf("gp: %d\n", edata.gp);
    scr_printf("sp: %d\n", edata.sp);

    return 0;
}

jimmikaelkael
03-25-2008, 04:02 AM
Anyone had a look at the kernel function prototypes in ps2sdk? There are two function protos in loadfile.h that may be of interest. I believe these are functions exported from one of the rom modules.

int SifLoadModuleEncrypted(const char *path, int arg_len, const char *args);
int SifLoadElfEncrypted(const char *path, t_ExecData *data);

I think that the ps289.vob file mentioned earlier is an encrypted ELF file. The question is, can any of these functions do anything useful with it? I made a little program a while back to load the file using these functions and run it in pcsx2 but it didn't work. But that might be a problem with pcsx2, because if anyone ever tried to install the dvd update in pcsx2 probably noticed that the installation stops right after reading the sectors that contain the ps289.vob file.

Unfortunately i can't test it on a real ps2 at the moment but here is some sample code to play with if anyone interested.

#include <tamtypes.h>
#include <sifrpc.h>
#include <kernel.h>
#include <loadfile.h>
#include <debug.h>

int main(void)
{
    t_ExecData edata;
    int result;

    /*
     * Some initialization stuff.
     * Not sure whether it's required or
     * if it's the right way at all...
     */
    SifInitRpc(0);
    SifLoadModule("rom0:SIO2MAN", 0, NULL);
    init_scr();

    /*
     * Try to load the thing. Change the path to
     * wherever the file is located. If you want
     * to load it from mc you might also need to call
     * SifLoadModule("rom0:MCMAN", 0, NULL);
     */
    result = SifLoadElfEncrypted("cdrom0:\\DATA\\PS289.VOB", &edata);

    /* Print the result on screen using the debug library. */
    scr_printf("result: %d\n", result);
    scr_printf("epc: %d\n", edata.epc);
    scr_printf("gp: %d\n", edata.gp);
    scr_printf("sp: %d\n", edata.sp);

    return 0;
}

ps288.vob and ps289.vob seem to be encrypted elfs.

Sounds very interesting what you found ;)
i will take a look !

PCSX2 has no decryption support....

ps2-unlimited
03-25-2008, 08:40 AM
So what are the possibilities of getting the module?

Could we possibly get the one in the ps2 itself dumped somehow so we can decrypt some of these files

Neme
03-25-2008, 09:09 AM
Hmm. Seems i found a more correct way to load encrypted ELFs.
Take a look at this: dvdexec by mrbrown (http://lists.topica.com/lists/ps2cvs/read/message.html?sort=t&mid=1712471019)

stayhye
03-25-2008, 12:28 PM
something new to the table.......:D

jimmikaelkael
03-25-2008, 12:31 PM
Yes and it works !!!
I've just finished to make a memento loader.

It is able to relaunch the memento encrypted elf.

I'm working and i come soon, with good news i hope !

Bootlegninja
03-25-2008, 12:43 PM
Congrats! Looking forward to the release. :D

PALGamer
03-25-2008, 01:38 PM
congrats, nice job m8
looking forward to the release as well..


small question, is it for datel 32MB only?
:D:D


//PALGamer

ashram
03-25-2008, 02:01 PM
now that is good news....

amp2006
03-25-2008, 02:55 PM
good dude great job

yoshi314
03-25-2008, 03:11 PM
cool, let's hope we can get our hands on encryption soon - memento itself is not too useful for me.

jimmikaelkael
03-25-2008, 03:41 PM
I take memento just for test, because this is the one encrypted file with correct sig i have.
And my lens is dead...
On other hand, make memento load means that it can load not only at boot...

I can access some unencrypted content into memory and put it in a file, but i must continue to work...

malak2
03-25-2008, 07:17 PM
I take memento just for test, because this is the one encrypted file with correct sig i have.

Is this one signed for Memor32 ?


I can access some unencrypted content into memory and put it in a file, but i must continue to work...

yes, Desperately Seeking Secrman...:)

Please could you post your compiled dvdexec.elf and your encrypted memento elf for testing ?

yoshi314
03-26-2008, 03:09 AM
right now we should simply try to decrypt as many files as we can find, so maybe we can figure out the decryption this way. i don't feel like relying on secrman all the time - maybe we could port the encryption to pc then (assuming we can figure out memcard signature, of course)

good thing that the decryption procedure doesn't immediately execute the file :>

stayhye
03-26-2008, 11:39 AM
freakin' genius!!

jimmikaelkael
03-26-2008, 03:47 PM
right now we should simply try to decrypt as many files as we can find, so maybe we can figure out the decryption this way. i don't feel like relying on secrman all the time - maybe we could port the encryption to pc then (assuming we can figure out memcard signature, of course)

good thing that the decryption procedure doesn't immediately execute the file :>


I've extracted all program loaded in ee ram by SifLoadEncryptedElf, but it seems that it is not all decrypted.
Size of data corresponds to what is mentioned in the encrypted elf header.
It seems that SifLoadEncryptedElf only decrypts the program header or something like that... (maybe with SECRMAN's SecrCardBootHeader...).

And looking at what is supposed to be not decrypted, i can't find any correspondence with the encrypted file content...
However, I see the repeating 1024 bytes chunk of the memento after 68kb of data... but again the data in memory does not match the data in the encrypted file.

The part that is decrypted looks like the beginning of what TikTok'n botch team have ripped from memento. (memento rip has 1024 bytes repeat after 68 kb too, the famous FAT trick).

Maybe at execution the memory content is decrypted with SECRMAN's SecrCardBootBlock as it wants pointers and size as arguments.

Here is the file : Memento loaded into ee ram (http://www.4shared.com/file/42056439/fa5c0eb1/memento_into_EEram.html)


If some of you want to make a test, i need the path where you will execute your file, and of course it must be original as the BIT key is very important for SifLoadEncryptedElf to decrypt and return a pointer to the program in ram.

yoshi314
03-26-2008, 04:19 PM
nvm what i wrote before. file looks scrambled, but also is pretty similar to that decrypted dvdplayer.irx posted some posts before.

i'm starting to think that all this encryption was done because of dvd css copy protection at the time - i mean, what other reason would there be to hide dvdplayer rom, and also encrypt it?

jimmikaelkael
03-27-2008, 03:59 AM
I think the dvdplayer.irx i posted previously was not really decrypted as i ran it from a copy on my memcard, with the wrong id.

Neme
03-27-2008, 07:49 AM
jimmikaelkael, i think the file you posted is valid decrypted code. Otherwise you wouldn't be able to feed it to ExecPS2. It might be compressed or scrambled in a way to make it unrecognizable but i loaded it into ps2dis and found valid code at the beginning. When you call ExecPS2, that code is executed and uncompresses the data to another memory location and calls ExecPS2 again.
I think the key now is to decrypt the files on the update disk and try to figure out how the installation works.

jimmikaelkael
03-27-2008, 09:38 AM
jimmikaelkael, i think the file you posted is valid decrypted code. Otherwise you wouldn't be able to feed it to ExecPS2. It might be compressed or scrambled in a way to make it unrecognizable but i loaded it into ps2dis and found valid code at the beginning. When you call ExecPS2, that code is executed and uncompresses the data to another memory location and calls ExecPS2 again.
I think the key now is to decrypt the files on the update disk and try to figure out how the installation works.

Interesting, i will take a look in ps2dis.
Ok so have you a valid dvdplayer disk ?
I must recompile with the path to the encrypted elf.

Quick305
03-27-2008, 10:26 AM
Would it be easier to make the MC Flasher patch the Memento Firmware on the fly. What I am trying to say is, If you only have the DVD Software on your memory card and nothing else could you then have the flasher copy the sig and header info into the memento firmware as it is flashing it to the Memory Card.

jimmikaelkael
03-27-2008, 10:34 AM
Ok very very interesting, i saw the ExecPS2() call !
Maybe we can modify part of this ee ram before calling ExecPS2.

jimmikaelkael
03-27-2008, 11:28 AM
Would it be easier to make the MC Flasher patch the Memento Firmware on the fly. What I am trying to say is, If you only have the DVD Software on your memory card and nothing else could you then have the flasher copy the sig and header info into the memento firmware as it is flashing it to the Memory Card.

The day we succeed in creating a valid sig for any MC, i promise to make a program to flash it and patch on the fly.

For the moment, in the test we made to install a EUR version of DvDplayer on the memor32, it seems that the sig is not the same as the one in the EUR osdxxx.elf.

StayHyeTreez has run a memento image that i have corrected with his datel dvdplayer sig, with no success... Entire image is valid minus 32 bytes :D.


A friend, Hackchip, has bought a jap V0 ps2 in order to have the bbnav files installed on memory card, as it seems there are 2 algorithms to build the MagicGate ID, one is used for OSD files, the other for dvdplayer.
Soon we will test running the memento on a datel card after installing bbnav files on it and figure out the sig.

The responsible for this sig generation seems to be a special secrman module, that allows data encryption, and BIT key/content key generation.
And maybe this special secrman comes in different versions for bbnav or dvdplayer...

For the moment we hope to decrypt DVDplayer Files (and maybe others) in order to figure out what it does with encrypted and packed files found on the disk.

Quick305
03-27-2008, 01:30 PM
Jimmikaelkael,
I also wanted to add that I will be getting the memorymanager plus 64mb memory card sometime next week. Would an image dump of that card help you at all?

jimmikaelkael
03-27-2008, 03:11 PM
This maybe can help yes.

jimmikaelkael
03-27-2008, 03:26 PM
Ok so i made a little elf that tries to decrypt dvd player update's ps289.vob file.
dvdpdec_PS289.elf (http://www.4shared.com/file/42167725/dcf70392/dvdpdec_PS289.html)

To everyone who has DvdPlayer Update 2.12U :
Run this elf with dvdplayer disk in your ps2 and a memcard inserted.
This will load and copy (I hope) the encrypted file onto memcard (ps289.bin)
Copy this file on a usb key and send it here please.


I hope the scrambling in the memento decrypted file was just made by memento...

stayhye
03-27-2008, 04:38 PM
what about the us version 2.10u?

Bootlegninja
03-27-2008, 04:56 PM
what about the us version 2.10u?

Just tried that one. Jimmi's ELF locks up on this one. Also tried the hdd utility disc 1.10 with the 3.10u upgrade, with the same results.

jimmikaelkael
03-27-2008, 06:17 PM
ok just give me the size in bytes of your ps289.vob and its path.
It must be something like cdfs:/FILES/PS289.VOB.

Bootlegninja
03-27-2008, 06:34 PM
Both have the same file name and path, and are 22KB. And my mistake. I mislabeled it in a previous post from the hdd utility disc. It's 3.02u.

MD5 of 2.10u - 7FF88E026C4292F22AB50FAB4A7B2ECB
MD5 of 3.02u - 0E96A18D81FC796826A93E7F47B45131

@ jimmi - PM sent

Titch
03-27-2008, 06:42 PM
ok i have the original us 2.12u disc and have run the elf via exploit. left it for 5 min.
just says loading cdfs:/FILES/PS289.VOB

am going to try on my other machine with modchip


ok did same thing, just hangs with same message on screen

malak2
03-27-2008, 06:59 PM
It must be something like cdfs:/FILES/PS289.VOB.

It is possible that "cdfs" could not be used with sony's ps2 drivers, so PLEASE Jimmikaelkael :), could you compile and post that elf again with that path :
cdrom0:/FILES/PS289.VOB

and please could you provide the source code ? thanks

(EDIT : changed to "cdrom0")

Titch
03-27-2008, 07:34 PM
file path is FILES\PS289.VOB and windows tells me file size is 21.3KB (21,779 bytes)
and size on disc is 22KB (22,528 bytes).

PALGamer
03-28-2008, 02:23 AM
Try making your ELF direct copying it to a usb-stick if possible,
in case the filesize is too big to be placed on a MC..
I don't know what the decryption will do to the filesize :)

//PALGamer

jimmikaelkael
03-28-2008, 04:18 AM
Sorry, i was in too much of a hurry, cdfs: is for use with libcdvd...

here is the new elf : dvdpdec_ps289.elf (http://www.4shared.com/file/42225971/756e0221/dvdpdec-ps289.html)

jimmikaelkael
03-28-2008, 05:39 AM
I've extracted dvdplayer from hidden rom.
and file looks scrambled like memento decrypted.

We must understand how it unpacks it in memory, maybe the starting offset can help, it's 0x1080008 into eeram, and seems to be the same for all encrypted files.

It seems to put half word of packed content starting at 0x1080750 and make a mips dsslv, ddiv on it.

jimmikaelkael
03-28-2008, 09:07 AM
After having checked it, it seems that the start of the decrypted dvdplayer or memento is exactly the same code.

Like Neme has said, this code unpacks data in memory and executes it as a thread.
So the only way to unpack the data and have a whole decrypted file is to understand, from the mips code in ps2dis, what the program does to unpack it.

I've started to comment the code but i will not have time to continue until Monday, so feel free to add comments if you understand it.

Download mips code HERE (http://www.4shared.com/file/42246862/694b52a3/mipsunpack.html)


EDIT : check at this
lui v0, $011c # 00200000:3c02011c v0=$011c0000
lui v1, $011d # 00200004:3c03011d v1=$011d0000
addiu v0, v0, $7f40 # 00200008:24427f40 v0=$011c7f40
addiu v1, v1, $80c8 # 0020000c:246380c8 v1=$011c80c8

Here is what ps2dis returns. Is v1 correct, or, like i think, must it be 011d80c8 in place of 011c80c8 ?

yoshi314
03-28-2008, 02:44 PM
maybe we need to execute two secrman procedures : (i don't know which are used right now)

that's what pcsx2 bios dumper does when dumping rom1:

[IOP] find secrman disk decrypt routines
[IOP] SecrDiskDecryptHeader found

File closed successfully...
[IOP] SecrDiskDecryptSection found


as for the assembly - i'd have to read a bit on mips assembly to be of any use :] (looking for some docs)

stayhye
03-28-2008, 02:55 PM
i tried to use the dvdpdec-ps289.elf on my dms4 ps2 with dvdupdate 2.10 and 3.02u, they both gave me "Error loading cdrom0:/FILES/PS289.VOB". same for my ps1 exploited v4 ps2 w/ no hdd. Am i doing something wrong, load dvdpdec-ps289.vob with ule, with dvd player update disc in drive, correct?

Neme
03-28-2008, 03:25 PM
There is a tool to unpack part of the bios: ps2unpack (http://ps2dev.org/ps2/Tools/Packers/Unpackers/ps2unpack_(_unpacks_OSDSYS,_Win32_exe_))

From the readme:
"Sony have packed the menu system contained in BIOS. The file OSDSYS contains a data section that is packed with a rather simple algorithm. The tool does what the loader does at runtime - unpacks the data in the data segment and stores it to a file."

The packed OSDSYS has the same code in the beginning as the decrypted memento file and both unpack to address 0x200000 and call ExecPS2 with that address as entry point.

The problem is that SifLoadElfEncrypted parses the elf header and relocates the program sections and we don't have a real elf after saving the decrypted content. If we had a correct elf we would be able to use ps2unpack on it.

jimmikaelkael
03-28-2008, 04:04 PM
I don't think this is the same algorithm.
OSDSYS doesn't seem to be packed the same way.

Can you show me ? i don't see any reference to address 0x200000 except this is the address where ps2dis loads it.

Check the mips file i've posted with comments.

Sorry Stayhye it seems there is a problem loading it.
However i've loaded dvdplayer from rom and it's packed the same way as the memento file.
So we must first try to make a loader to unpack it before working with other encrypted files...

Neme
03-28-2008, 04:39 PM
You're right. On a closer look they look different but i still think they unpack to 0x200000. In your disassembly at line 507-510:

lui a0, $0108 # 002006dc:3c040108 a0=$01080000
lui a1, $0020 # 002006e0:3c050020 a1=$00200000
jal FNC_01 # 002006e4:0c420088 v FNC_01080220
addiu a0, a0, $0750 # 002006e8:24840750 a0=$01080750 //Address of first packed block

a0 contains the start of packed data, a1 is the destination address (0x200000) and FNC_01 is the unpacking function.
At line 518-519:

jal ExecPs2 # 00200708:0c420080 v FNC_01080200
lui a0, $0020 # 0020070c:3c040020 a0=$00200000
The second line is where execps2 gets its first param. This part of the code is almost identical to OSDSYS.
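
The two disassembly questions in the posts above (the value ps2dis shows for v1 after the lui/addiu pair, and which argument values reach FNC_01 and ExecPs2) can be checked mechanically. This is an added example, not code from any poster or from ps2dis: a small Python constant tracker run over the instruction words quoted in those posts, with function and list names made up for the illustration.

```python
# Added illustration: constant tracking over the lui/addiu/jal words quoted
# in the posts above. Function and list names are hypothetical.

REG_NAMES = {2: "v0", 3: "v1", 4: "a0", 5: "a1"}  # registers the listings use

# (address, instruction word) pairs copied from the quoted ps2dis output.
PROLOGUE = [(0x00200000, 0x3C02011C), (0x00200004, 0x3C03011D),
            (0x00200008, 0x24427F40), (0x0020000C, 0x246380C8)]
UNPACK_CALL = [(0x002006DC, 0x3C040108), (0x002006E0, 0x3C050020),
               (0x002006E4, 0x0C420088), (0x002006E8, 0x24840750)]
EXEC_CALL = [(0x00200708, 0x0C420080), (0x0020070C, 0x3C040020)]


def sign_extend16(imm):
    """addiu treats its 16-bit immediate as a signed value."""
    return imm - 0x10000 if imm & 0x8000 else imm


def step(word, pc, regs):
    """Apply one instruction to regs; return the target if it is a jal."""
    op = word >> 26
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    if op == 0x0F:      # lui rt, imm: load imm into the upper halfword
        regs[rt] = imm << 16
    elif op == 0x09:    # addiu rt, rs, imm: add the sign-extended immediate
        if rs in regs:
            regs[rt] = (regs[rs] + sign_extend16(imm)) & 0xFFFFFFFF
        else:
            regs.pop(rt, None)  # source unknown, so the result is unknown
    elif op == 0x03:    # jal: 26-bit word index within the current 256 MB region
        return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
    else:
        raise ValueError("unsupported opcode %#x at %#010x" % (op, pc))
    return None


def trace(listing):
    """Return (final regs, calls); each call is (target, regs seen by callee).

    The instruction after a jal sits in the branch delay slot and executes
    before control reaches the callee, so arguments are sampled after it.
    """
    regs, calls, pending = {}, [], None
    for pc, word in listing:
        target = step(word, pc, regs)
        if pending is not None:
            calls.append((pending, dict(regs)))
            pending = None
        if target is not None:
            pending = target
    if pending is not None:  # listing ended before the delay slot
        calls.append((pending, dict(regs)))
    return regs, calls


def describe(listing):
    """Human-readable summary of a traced listing."""
    regs, calls = trace(listing)
    lines = ["%s=%#010x" % (REG_NAMES.get(r, "r%d" % r), v)
             for r, v in sorted(regs.items())]
    for target, args in calls:
        shown = ", ".join("%s=%#010x" % (REG_NAMES.get(r, "r%d" % r), v)
                          for r, v in sorted(args.items()))
        lines.append("call %#010x with %s" % (target, shown))
    return lines


if __name__ == "__main__":
    for name, listing in (("prologue", PROLOGUE),
                          ("unpack call", UNPACK_CALL),
                          ("exec call", EXEC_CALL)):
        print(name)
        for line in describe(listing):
            print("  " + line)
```

Because addiu sign-extends its immediate, $011d0000 plus $80c8 resolves to $011c80c8, and because the instruction after each jal runs in the delay slot, the callee at $01080220 sees a0=$01080750 and a1=$00200000.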

jimmikaelkael
03-28-2008, 05:02 PM
OK Neme ;)
I let you comment a little more the file ok ? Seems you understand it very well.

I think the best we can do is reproduce this code. And it seems too that you will be of full help for this.

What about the ps2dis error i may have noticed in the first lines about addiu ?

Dangwoot
03-28-2008, 05:28 PM
this is some deep low level programmin goin on around here lol you guys are teh 1337!

Corizzle
03-28-2008, 06:47 PM
this is some deep low level programmin goin on around here lol you guys are teh 1337!

Yeah you guys are smart. I'm getting high 90's in 1st year Computer Science in University but this is nothing like the Java we are programming. ;)

Keep up the great work everybody

malak2
03-28-2008, 10:15 PM
Sorry, i was in too much of a hurry, cdfs: is for use with libcdvd...

Along the same lines as "cdrom0", i found that backslash should be used instead of slash in the path
...
EDIT : i don't have any PS2, just using PCSX2. Now with backslashes in dvdpdec_ps289.elf, it goes further (no more complaints about path or filename) but now i get this :
loadmodule: fname rom0:SIO2MAN args 0 arg
loadcore RegisterLibraryEntries (7489c): sio2man
loadmodule: id 29, ret 1
loadmodule: fname rom0:CDVDMAN args 0 arg
loadcore RegisterLibraryEntries (7870c): cdvdman
loadmodule: id 30, ret 1
loadmodule: fname rom0:MCMAN args 0 arg
loadcore RegisterLibraryEntries (7f11c): mcman
loadmodule: id 31, ret 1
loadmodule: fname rom0:MCSERV args 0 arg
loadcore RegisterLibraryEntries (74b0c): mcserv
loadmodule: id 32, ret 1
loadmodule: fname rom0:PADMAN args 0 arg
loadcore RegisterLibraryEntries (7a47c): padman
loadmodule: id 33, ret 1
loadmodule: fname rom0:SECRMAN args 0 arg
loadcore RegisterLibraryEntries (767ec): secrman
loadmodule: id 34, ret 1
loadelf version 3.30
Cannot openfile
("loadelf version 3.30" is the one in my PS2 SCPH-70004 bios image LOADFILE module)

But it's with update 2.10 since i don't have 2.12U... does size (of the vob file) matter ?? :) I don't know.

Anyway for a next test elf, it could be better to statically link with (or to provide) ps2sdk libs.

stayhye
03-29-2008, 12:18 AM
can confirm switching the slashes makes the elf work on my ps2, good eye malak2:D

link to edited elf
http://rapidshare.com/files/103197238/dvdpdec-ps289_slash_swap_.elf

malak2
03-29-2008, 12:32 AM
can confirm switching the slashes makes the elf work on my ps2, good eye malak2:D
Nice :) and thanks for your updated elf.
Was it with 2.12U update ?

For my own research with this project, i really need some help : could someone tell me how i could create some special PCSX2 memory card image (.ps2 file) of any size (like 128MB, really !) and how i could put any file and folder i want, anywhere on it, just with some PC software ?

Or does someone know a way to bypass the mechacon-like test with CD or DVD in PCSX2 (like when you try to load the dvd player update and get "Make sure the file is already decrypted!!!" message) ?

stayhye
03-29-2008, 12:37 AM
nope....just 2.10u and 3.02u. any way to make the elf save to mass: instead of mc0: using hex?

MikeTeeVee
03-29-2008, 12:42 AM
DVD Player 2.12 [NTSC U/C] [PBPX-95218]
PS289.VOB (http://www.4shared.com/file/42327094/f503fb81/PS289.html)
PS289.BIN (http://www.4shared.com/file/42327093/6b676e22/ps289.html)

jimmikaelkael, check your private messages.
Hope it helps,
- MikeTV

malak2
03-29-2008, 12:52 AM
any way to make the elf save to mass: instead of mc0: using hex?
i noticed the cdfs related error in PCSX2 with that message :

loadelf version 3.30
Unknown device 'cdfs'
Known devices are tty:(CONSOLE) rom:(ROM/Flash) cdrom:(CD-ROM ) mc:(Memory Card)
Cannot openfile

so i don't think you can use 'mass:' without compiling that elf with ps2sdk libs, like most homebrew elfs do to access a usb hdd or pendrive.

jimmikaelkael
03-29-2008, 04:18 AM
You are in too much of a hurry, if it works the final version will come with usb support and more...
@malak2 : PCSX2 has no decrypting code, just check its code.
You will never be able to bypass the message "Make sure the elf is already decrypted" as long as it's not a normal elf...

Nice Stayhye that you found for the backslashes ;)
But now before going ahead we must understand the loader.

Check that ps289.bin has the same loader as memento.

jimmikaelkael
03-29-2008, 04:33 AM
ok the ps289.bin is slightly different, but it has exactly the same FNC_01 function to unpack it.

yoshi314
03-29-2008, 02:08 PM
is it possible to launch that intermediate file on ps2 or via pcsx2 somehow?

stayhye
03-29-2008, 02:21 PM
in my case, i can't even get the result ps289.bin off my usb drive to my pc. it keeps giving me a stop error in windows

MikeTeeVee
03-29-2008, 03:34 PM
Use uLaunchElf to rename the file from "\ps289.bin" to "ps289.bin"
Windows is very picky about slashes in filenames.

jimmikaelkael
03-29-2008, 03:47 PM
is it possible to launch that intermediate file on ps2 or via pcsx2 somehow?

Good idea, maybe you can test and report the result.
I think it will fail because of non standard elf header...

yoshi314
03-29-2008, 04:04 PM
maybe we could wrap it in elf, or simply load it into memory (at a proper location) and jump to the beginning address to see what happens.

i'll try to do something like that tomorrow (if i have time to spare).

stayhye
03-29-2008, 05:31 PM
@miketeevee

thx for the tip:D

Smurfpeacca
03-29-2008, 10:47 PM
I can't understand very much but is it now possible to launch the memento firmware without a memor32?

r3ap3r
03-30-2008, 04:23 AM
Hi i've been checking this forum for a while but i finally wanted to add something to this project. I have the DVD Player Version 2.14 Australian Disc and i installed it onto 2 different official 8MB PS2 Memory Cards, Then i copied the files from both Memory cards then compared them in Hex workshop. Results were very interesting. Well first both the dvdplayer.elf and dvdplayer.irx have id's on them, and from what i see its not the first 32 bytes its from 00000028 to 00000048 where the id resides on both the elf and irx file. Im not saying im right im just saying what i think. Here are the comparisons.
http://img252.imageshack.us/img252/8123/dvdelfhr7.th.jpg (http://img252.imageshack.us/my.php?image=dvdelfhr7.jpg)
http://img150.imageshack.us/img150/4130/dvdirxyi6.th.jpg (http://img150.imageshack.us/my.php?image=dvdirxyi6.jpg)

jimmikaelkael
03-30-2008, 04:49 AM
thx but we already know where the sig is placed ;)

For the memento elf, i've launched it from my memor32, but with MY loader.

yoshi314
03-30-2008, 05:21 AM
we really could use a wiki of sorts :]

so what's the meaning of 8 bytes just before the signature?

LiquidManZero
03-30-2008, 07:22 AM
By some chance I happened to have a saved copy of the original thread, so here it is:

http://gshi.org/lmz/freevast/

ps2dragon
03-30-2008, 01:54 PM
By some chance I happened to have a saved copy of the original thread, so here it is:

http://gshi.org/lmz/freevast/
Thanks for your efforts, but I already posted the original pages 1 - 23 here (http://psx-scene.com/forums/419002-post21.html) for offline view. Mine was missing the last page 24, but there were only two comments in it, nothing of significance. Were these the only pages you backed up from the forums? If you backed up anything else let me know, I would like to fix them up for offline view and upload them to the site in the appropriate thread(s).

MikeTeeVee
03-30-2008, 06:55 PM
we really could use a wiki of sorts :]

Ask and ye shall receive
ps2.mike-tv.com (http://ps2.mike-tv.com)
I need a moderator. Any volunteers?

yoshi314
03-31-2008, 04:30 AM
i'm up for the job; i'll just need to re-read all the info from the thread. also common input, to organize our all findings would be nice. i'll do it in spare time, so i can't guarantee to do it quickly.

btw. does the wiki support TeX-like tables, or tex syntax? :>

edit: i just registered, but i have no clue how to create a sub page. i'll tinker with it some more.
btw you really should think about captcha in registration and disabling anonymous edit access.

edit2: okay, i made an initial draft on ps2 memcard update functionality, i'll write some more when i come home.

MikeTeeVee
03-31-2008, 05:28 AM
*Phew!*
The main wiki page (http://ps2.mike-tv.com/wiki/) is finally up, and looking good so far. What do you guys think? :D

Thanks for the contribution, yoshi314; I'm currently trying to figure it out. It's my first subdomained wiki, so there's still plenty to learn here. Yes, I believe LaTeX is supported, although i'm not sure if that'll be of much use.

You kids have fun, now. ;)

yoshi314
03-31-2008, 05:33 AM
Yes, I believe LaTeX is supported, although i'm not sure if that'll be of much use.

well i'm a total TeX-head, so i'll make good use of it. assuming it works :]

jimmikaelkael
03-31-2008, 11:29 AM
Great work yoshi, this is very cool ;)

Actually, i'm working hard with a Mips emulator in order to have the FNC_01 function of the decrypted elf to work.
Seems that i'm on the right way, but the work to check and adapt all code is very heavy...

yoshi314
03-31-2008, 12:09 PM
i think you should try to adapt ps2unpack tool. as it halfway does what you want.

if you can find the source code, that is.

http://ps2dev.org/ps2/Tools/Packers/Unpackers/ps2unpack_(_unpacks_OSDSYS,_Win32_exe_)

i'll write some more on the wiki soon, as soon as i get more info organized.

edit: i think i found the source code : http://www.ps2-scene.org/forums/sony-news/24879-ps2packer-ps2unpacker.html

MikeTeeVee
03-31-2008, 12:49 PM
FreeVast Updates

Any relevant changes will be posted here until further notice. Please use the wiki (http://ps2.mike-tv.com/wiki/) to collaborate. Use the [discussion] tab to collaborate your thoughts, and the [edit] tab to incorporate your knowledge. For detailed article progress, click the [history] tab. For a list of all existing articles, click HERE (http://ps2.mike-tv.com/wiki/index.php?title=Special:Allpages)!

Release notes will also be posted here.

03/31/08 (8:30 pm PST):

Added multi-language (French) support! (currently untested)
Added Memor32 (http://ps2.mike-tv.com/wiki/index.php?title=Memor32) and Memento (http://ps2.mike-tv.com/wiki/index.php?title=Memento) articles
Working on skinned interface and LaTeX table support...
Unlocked the main page (http://ps2.mike-tv.com/wiki/) editing privileges for registered users, while the donations (http://ps2.mike-tv.com/wiki/index.php?title=Wikipedia:Site_support) page has been locked to SYSOPS setting.

03/31/08 (9:10 am PST):

The wiki's account creation page (http://ps2.mike-tv.com/wiki/index.php?title=Special:Userlogin&type=signup) now supports a captcha to prevent automated account creation.
The wiki's primary pages are now restricted for editing only by registered members.
The wiki's main page (http://ps2.mike-tv.com/wiki/) has been deeply secured, allowing only SYSOPS privileges.
Donations (http://ps2.mike-tv.com/wiki/index.php?title=Wikipedia:Site_support) are now welcomed to ensure that this project continues.

03/31/08 (2:00 am PST):

Initial wiki launch date.
Main page (http://ps2.mike-tv.com/wiki/), written by MikeTV and collaborated by yoshi314, added to wiki
First article "PS2 Boot Procedure (http://ps2.mike-tv.com/wiki/index.php?title=PS2_Boot_Procedure)," written by yoshi314, added to wiki.

jimmikaelkael
03-31-2008, 01:59 PM
i think you should try to adapt ps2unpack tool. as it halfway does what you want.

if you can find the source code, that is.

http://ps2dev.org/ps2/Tools/Packers/Unpackers/ps2unpack_(_unpacks_OSDSYS,_Win32_exe_)

i'll write some more on the wiki soon, as soon as i get more info organized.

edit: i think i found the source code : http://www.ps2-scene.org/forums/sony-news/24879-ps2packer-ps2unpacker.html

Thx yoshi.
But the Mips emulator allows me to have JIT debugging on the mips code.

PALGamer
04-01-2008, 05:14 PM
I must say, I really like the wiki,
Good job on it MikeTV and Yoshi :)

//PALGamer

MikeTeeVee
04-01-2008, 05:56 PM
I must say, I really like the wiki,
Good job on it MikeTV and Yoshi :)

Thanks! Feel free to join in. Wiki's don't fill themselves... :p
Would you mind editing your first post to redirect newcomers and non-devs HERE (http://psx-scene.com/forums/419373-post124.html)?

jimmikaelkael
04-02-2008, 02:59 AM
I've just finished adapting the mips code for running with the PCspim MIPS simulator.
The FNC_01 function runs well, but there are still some addresses to fix in order to have it run without exceptions. I will check this tonight as i have a lot of work today...

Check the asm file here : fnc_01.asm (http://www.4shared.com/file/42756431/e982b63b/fnc_01.html)

If you run it with PCspim, be sure to have checked the Delayed branches/jump and delayed loads options.

PALGamer
04-02-2008, 04:12 AM
Would you mind editing your first post to redirect newcomers and non-devs HERE (http://psx-scene.com/forums/419373-post124.html)?

But of course not, I'll edit it right away :)

Neme
04-03-2008, 06:53 AM
Here's a little program to extract files from files.pak. Put it in the same dir as the pak and run it. Files seem to be encrypted or packed, except files in the img dir which are just 24-bit bitmaps.

yoshi314
04-03-2008, 08:53 AM
any hope for some other hosting than megaupload? i hate their toolbar .

edit: okay i got over it. doesn't work and crashes on windows. i'll peek at the code and try on linux later on. what pak files did you test it on?

Bootlegninja
04-03-2008, 09:12 AM
crashes here on winxp as well on the 3.02u pak files.

Neme
04-03-2008, 09:13 AM
It works only on "files.pak" from the *beep* disc. Tested only on usa version. It does nothing extraordinary, just makes examining the contents easier.

Neme
04-03-2008, 09:16 AM
crashes here on winxp as well on the 3.02u pak files.

I don't have that version unfortunately. Can you upload it somewhere?

Bootlegninja
04-03-2008, 09:48 AM
It's in the hdd utility disc 1.10. and check your pm.

Neme
04-03-2008, 10:09 AM
Thanks. Well this 3.02u is new to me and it looks a lot more scrambled compared to 2.12u. So the tool works only on 2.12u for now...

yoshi314
04-03-2008, 11:01 AM
pretty cool, how did you figure it out anyway?

i'll do some hex editing on the files according to your structs, out of curiosity :]

MikeTeeVee
04-04-2008, 05:08 AM
Has anyone taken a look at THIS (http://botch.front.ru)?
Has this group attempted the same thing? Looks like they couldn't get it to work with Sony/Datel mcs...
Or is this group simply the original authors of Memento?

Also, I forgot about THIS (http://freevast.biz) group. I doubt we'd want any ties with them. So to avoid confusion and legalities, what should this project be renamed to? I'll update the wiki accordingly...

jimmikaelkael
04-04-2008, 05:32 AM
They already have done the job we are doing with Neme.
They are able to decrypt 95 % of encrypted files.

I feel disappointed that we can't contact them...

We are doing hard work with Neme as the first decrypted ps289.vob we have is a loader with an encrypted image, producing another loader into memory.

yoshi314
04-04-2008, 06:10 AM
They are able to decrypt 95 % of encrypted files.

hmm i never knew that. where did you get that numbers from ?

jimmikaelkael
04-04-2008, 06:43 AM
I don't exactly know for the number, but check the memento.elf, there are small portions that are still encrypted.
And memento.elf won't run.

But they have decrypted many bytes.

PALGamer
04-04-2008, 06:52 AM
2 bad we can't contact them, but they seem to read these forums 2,
since they put a message up on the site when I directlinked to the files,
in which they asked me to remove the direct-link, and link to the homepage..

//PALGamer

yoshi314
04-04-2008, 06:58 AM
or they could have just checked http referrers in their webserver log ;-)

jimmikaelkael
04-04-2008, 11:58 AM
I need your help.
It would be cool if someone here having the DVD update could make us a dump of the unencrypted ps288.vob.

Here is the elf : dvdpdec_ps288.elf (http://www.4shared.com/file/43013471/f4c21ec1/dvdpdec_ps288.html)

Titch
04-04-2008, 12:20 PM
will do give me few minutes to setup, I am assuming this is for 2.12u ntsc

Edit as promised http://www.4shared.com/file/43049473/bd9110f9/ps288.html

jimmikaelkael
04-04-2008, 02:03 PM
Thx titch but i made a mistake about filenames! It has taken ps289.vob size, so the dump is not complete.
I've updated the elf, could you redownload it and retry please ?

thx ;)

Titch
04-04-2008, 05:07 PM
Ask and you will receive: http://www.4shared.com/file/43049473/bd9110f9/ps288.html

jimmikaelkael
04-05-2008, 03:47 AM
thanks titch ;) it gives us some very interesting stuff :D

Smurfpeacca
04-05-2008, 04:25 AM
I see your work goes well, how can I help you? I have the PAL disc of dvd player

Bootlegninja
04-09-2008, 03:54 PM
Any new developments lately?

Titch
04-12-2008, 12:53 PM
Very quiet, I am sure this bodes well.

BTW Quick305, did you ever get your memorymanager plus 64mb memory card?

PALGamer
04-12-2008, 02:45 PM
Well, after my week in rome,
I was hoping for a lot of news,
but sadly enough there isn't that much news on the scene at all,
I hope that this is like the silence for the storm,
but if it is not, I'll just be buying a Datel homebrew booting card,
since my interest wasn't at booting back-ups, but just HDLoader and SMS and stuff..
It's not that expensive...

//PALGamer

yoshi314
04-12-2008, 03:05 PM
my interest is to have a way to replace ps2's osd for something else (xmb like argon ? :>) which would automatically be booted off memcard.

too bad i suck at programming.

but i've seen some interesting stuff come through jimi's filehosting account ;-)

PALGamer
04-16-2008, 09:03 AM
I sure do hope this isn't the end of the Free Vast/Memento thread,
but with no news in 4 four days, I'm beginning to think the worst...

//PALGamer

yoshi314
04-16-2008, 10:09 AM
no need to :]

jimi posted altered hd project on his 4shared account. judging by the source code it has elf decryption features via hooking to secrman functions. i wonder how far it can take us now.

the elf cannot be downloaded (4shared thinks it contains illegal content or sth), so i'll have to compile it at home from provided sources.

jimmikaelkael
04-16-2008, 10:32 AM
don't worry guys, we are still working on the free vast ;)

Titch
04-16-2008, 11:39 AM
Good to know. Am in here every day so shout out if you need some help with something, within my capabilities.
Kudos to you for your efforts.

eustolio
04-16-2008, 11:46 AM
Good job mr's ...
J'anime!

cosmito
04-16-2008, 12:25 PM
jimi posted altered hd project on his 4shared account. judging by the source code it has elf decryption features via hooking to secrman functions. i wonder how far it can take us now.

the elf cannot be downloaded (4shared thinks it contains illegal content or sth), so i'll have to compile it at home from provided sources.
So is it usable now by anyone requiring just a compiling environment, without submitting any data to jimi? If so, where are the sources and/or data to allow anyone do it?

Bootlegninja
04-16-2008, 12:33 PM
@ jimmi - Let me know if you want to share the binary. If you want, I can host it on SKSApps' server.

jimmikaelkael
04-16-2008, 12:58 PM
The elf decryption is not complete, for the moment this just decrypts encrypted elf header aka the bit table.
If someone has the DVDplayer update and a usb key, pm me for tests.

yoshi314
04-16-2008, 03:27 PM
any hope for some more in-depth information about that bit table?

jimmikaelkael
04-17-2008, 05:04 AM
The bit table is the greatest part of MagicGate elf header, with bit key, content key and icvps2.
It describes how many blocks of encrypted data there are, their size, some flags, and probably a 128bit key for decryption/encryption.

yoshi314
04-17-2008, 07:20 AM
okay, what does icvps2 stand for?

this really should go to the wiki :D

mesurf
04-17-2008, 04:40 PM
I have the NTSC version of the dvd update ps2 disc file version 2.12 U

Can i help by uploading this somewhere?
Please tell me what you want me to do:

For example:
1. I can install the update to a memcard.
2. I can pull the update off via ftp or something.
3. I can send it to yah.

Hey one thing i noticed is that by copying this update to another memcard even a generic memcard like 64 meg china one or a Datel one the update works on ALL different PS2s (so copying is not prohibited it is only prevented from doing so in the PS2 nav screen with the memcard).

(I Have about 10 PS2s different versions, v4,v5,v6,v9,10,v12 etc) Let me know what you want me to do with this update disc. (Its a pressed one)

I want to help.

Best,
mesurf

yoshi314
04-18-2008, 10:04 AM
Hey one thing i noticed is that by copying this update to another memcard even a generic memcard like 64 meg china one or a Datel one the update works on ALL different PS2s (so copying is not prohibited it is only prevented from doing so in the PS2 nav screen with the memcard).

did you test it on v3? i think all ps2s from v4 onwards have 3.02 dvdplayer (but i could be wrong here) so the update might be simply ignored.

Bootlegninja
04-18-2008, 10:23 AM
Not so. My v7 comes stock with 2.12u

Bootlegninja
04-18-2008, 08:55 PM
@ jimmikaelkael - Please check your PM for new output files. :)

Edit - Further explanation of the files

All of the output files are done on the modded v7. The only thing is, DVD player 3.02u had to be installed on both of the memory cards using my unmodded v10 due to my v7 freezing with either the original, or backup disc. And of course as explained in the PM that 2.10u has a secondary authentication check so either system of mine is out of the running on that.

@ Anyone - If you have an original DVD player disc (any version, although I've already taken care of the required of 3.02u) please let us know as I'm not sure only one complete set of decrypted files from a single version will allow for a suitable test.

KainXS
04-18-2008, 11:20 PM
I also checked my V7 ps2 and it has version 2.12 dvd player

I have 2 and they are both 2.12

ps2-unlimited
04-19-2008, 12:08 AM
I have version 2.14u original install disc

Bootlegninja
04-19-2008, 12:11 AM
Cool. when jimmi logs on, he should be able to help you out on exactly what he needs on it. :)

I'm not too keen on linking to his beta files unless he OK's it.

Titch
04-19-2008, 09:22 AM
I have 2.12u and now Jimmi does too.

awaiting more news patiently.

TnA
04-19-2008, 08:13 PM
I´ve got a few Upgrade-Discs:

DVD-Upgrade PAL (Comes with my Remote)
BB-Navi 0.31
PS2-Linux 1.0
and a few more.


Btw.1: There is a Mod for PS2-Linux kernel (Blackrhino; AFAIK no Sony-One), for autoboot Linux from MC on unmodded PS2. Correct me if I´m wrong.


Btw.2: Does anyone know more about this?


SECRMAN

SecrDownloadHeader
SecrDownloadBlock
SecrDownloadFile
SecrDownloadGetKbit
SecrDownloadGetKc
SecrDownloadGetICVPS2


Some for encrypting?

Quick305
04-19-2008, 10:08 PM
Titch I did receive The Memory plus and have not found any time to use it or copy it.

Titch
04-20-2008, 12:29 AM
Hi Quick305, when you get a chance it would be cool if you could dump an image from mcflasher of your card. Check post on first page from jimmikaelkael for mcflasher link.

Bootlegninja
04-20-2008, 12:43 AM
Hi Quick305, when you get a chance it would be cool if you could dump an image from mcflasher of your card. Check post on first page from jimmikaelkael for mcflasher link.

I'm also interested in that file. Could be something useful in there.

jimmikaelkael
04-20-2008, 03:45 AM
I´ve got a few Upgrade-Discs:

Btw.2: Does anyone know more about this?

SECRMAN

SecrDownloadHeader
SecrDownloadBlock
SecrDownloadFile
SecrDownloadGetKbit
SecrDownloadGetKc
SecrDownloadGetICVPS2

Some for encrypting?

These are exports from a "special" secrman version, this secrman is not in the ps2 rom.
And yes this is for file encryption.

yoshi314
04-20-2008, 04:04 AM
the more i'm looking at those encrypted or halfway-decrypted files, the more i'm thinking about zlib and deflate ;-). weird :]

jimmikaelkael
04-20-2008, 04:42 AM
What files are you talking about ?

yoshi314
04-20-2008, 05:37 AM
mostly ps288.vob files.

just a strange feeling coming from sitting with a hex editor too often :]

it would be strange if files weren't compressed during encryption, though.

jimmikaelkael
04-20-2008, 06:30 AM
PS288.VOB and PS289.VOB are scrambled in two ways.
One packing is made by logical ops on the original elf, before encrypting it, to scramble the elf body.

But the elf is still runnable, it just unpacks data to another memory location.

And MagicGate encryption is made to hide the true ELF header.
MagicGate encryption is limited to 63Kb of data, so it encrypts just small pieces of the original elf file.
This is where the bit table takes its importance, it describes what blocks are encrypted or not.

Quick305
04-20-2008, 07:53 AM
Here is the link to the Memory Plus files.
http://rapidshare.com/files/108957212/MomoryPlus.rar.html

TnA
04-20-2008, 07:59 AM
These are exports from a "special" secrman version, this secrman is not in the ps2 rom.
And yes this is for file encryption.

THX. Might it be possible to load custom IRXs, if they're MG-Encrypted (like BB-Navi.)?

jimmikaelkael
04-20-2008, 09:03 AM
Here is the link to the Memory Plus files.
http://rapidshare.com/files/108957212/MomoryPlus.rar.html

Thanks it seems that they have used the same bit table as memento to encrypt their file.
And of course it seems to have the same repeating trick.

Could we have a full memcard dump of your memoryplus ?

Quick305
04-20-2008, 09:50 AM
Thanks it seems that they have used the same bit table as memento to encrypt their file.
And of course it seems to have the same repeating trick.

Could we have a full memcard dump of your memoryplus ?

Those were the only files on the card unless i am missing something

jimmikaelkael
04-20-2008, 10:00 AM
A full dump is the entire memcard image, you can make it with HdProject : here (http://www.4shared.com/file/40181176/31c02a4b/HDProjectMcFlasher.html)

Put your memcard in first slot.
Put a usb memory in usb port.

Launch one of the 2 elfs.
Go to MCTOOLS, MCDUMP.

In MC Dump settings :
- let port and slot to 0
- Infofile OFF
- Destination file, select mass: and push start.
- PCSX2 Image ON

Push dump start.

Wait for the process to finish (quite long 15 minutes for a 64 mb i think).
You will have a "Mcd001.ps2" file on your usb that is your memcard image.

I don't know if mcdump works with 64mb cards...

yoshi314
04-20-2008, 10:24 AM
files in the besles-10000 mp folder look funny. especially runme1.elf :]

did you attempt to decrypt it, or is it provided as-is from memcard?

ulaunch.elf also seems to use pretty strange encryption, it looks like it's not encrypted at all , by the end of the file.

Quick305
04-20-2008, 11:12 AM
the runme1.elf should be the memory card manager. I am able to launch it from ulaunch.elf. I have been able to launch Ulaunch.elf from the memory manager, but get Pink screen of death if I try to run other elfs.

Quick305
04-20-2008, 11:46 AM
Here is the full dump of the memory card.
http://rapidshare.com/files/109011874/Mcd001.rar

jimmikaelkael
04-20-2008, 12:53 PM
Thanks for your dump this is great, we can see that FAT is not corrupted like with memento.
But i'm sure that they have used the same bit table to encrypt the main elf.


Could you please try to decrypt one of osdxxx.elf ?

Download this altered HdProjectX.elf : here (http://www.4shared.com/file/44270765/fd68900b/HdProjectX.html)

Go to McTool, Mg elf.
in Mg elf settings :
- let port and slot to 0.
- select BREXEC-SYSTEM/osdxxx.elf as encrypted file (where R is your region, E or U).
- select mass: and press start as output file.
- oh yes i forgot : MG TYPE: CARD <-- EDIT
- press decrypt.

you will have 2 files on your usb memory : output.elf and bittable.bin

TnA
04-20-2008, 01:41 PM
@jimmikaelkael: Do you need any BB.Navi-Disc?

I think decrypted content of newest BB-Navi should be useful, cause we can see how it updates the PS2OSD.

Here is a Link to cdvdmania, if it is allowed.
http://cdvdmania.com.ru/secrman.html

jimmikaelkael
04-20-2008, 01:49 PM
Let's go TnA i let you do this ;)

We are far away from this link ;)

TnA
04-20-2008, 01:58 PM
Newest I have is 0.30 (PM me, where to get 0.32 ^^).
O.k. Let´s Dumping. :)

yoshi314
04-20-2008, 01:59 PM
These are exports from a "special" secrman version, this secrman is not in the ps2 rom.
And yes this is for file encryption.

i was wondering...where does this version appear exactly? in dev ps2 models?

jimmikaelkael
04-20-2008, 02:12 PM
It comes in dvd player or bb-nav or every app that can encrypt elfs.

yoshi314
04-20-2008, 03:41 PM
I think decrypted content of newest BB-Navi should be useful, cause we can see how it updates the PS2OSD.

osdsys itself attempts to launch itself off memcard, if it finds a valid replacement. check osdsys ps2 bios module, after unpacking for clues.

TnA
04-20-2008, 04:01 PM
Jimmikaelkael: O.K. I´ve decrypted some Files.

DVD-Player 2.10 (Europe/PAL)
BB.-Navi-Files seems not to be decrypted by hdprojectx.

Quick305
04-20-2008, 04:38 PM
Thanks for your dump this is great, we can see that FAT is not corrupted like with memento.
But i'm sure that they have used the same bit table to encrypt the main elf.


Could you please try to decrypt one of osdxxx.elf ?

Download this altered HdProjectX.elf : here (http://www.4shared.com/file/44270765/fd68900b/HdProjectX.html)

Go to McTool, Mg elf.
in Mg elf settings :
- let port and slot to 0.
- select BREXEC-SYSTEM/osdxxx.elf as encrypted file (where R is your region, E or U).
- select mass: and press start as output file.
- oh yes i forgot : MG TYPE: CARD <-- EDIT
- press decrypt.

you will have 2 files on your usb memory : output.elf and bittable.bin

The only file I got was the output.elf. It can be found here
http://rapidshare.com/files/109081345/output.elf

Quick305
04-20-2008, 04:44 PM
http://rapidshare.com/files/109082247/bittable.bin

TnA
04-20-2008, 05:48 PM
What is the replace.img from BB-Navi for?
Is it an IOP Replacement-Image?
Does anyone take a look at it?

How do I get/create bittable.bin?

yoshi314
04-21-2008, 01:08 AM
this is a standard romdir with replacement iop modules. nothing seems encrypted inside, at least when i looked around bb navi 0.31, 0.30, hdd utility disks and one dvd update disk (don't remember which version).

jimmikaelkael
04-21-2008, 10:31 AM
I was right about the bit table, this is byte-to-byte the same that memento have used to encrypt their ELF.

I have tested putting the Memory plus encrypted osdmain.elf on my memor32 and changing the Kbit and Kc. And this has worked, the file has been decrypted.
This is nonsense but we know that we can install the memento on a memory plus or vice-versa.

But I'm thinking : "does all memory plus have the same sig ?"
I think answer is yes.

yoshi314
04-21-2008, 11:01 AM
But I'm thinking : "does all memory plus have the same sig ?"
I think answer is yes.

does the software come preinstalled on the memcard or do you have to use a special cd to install it, or do you install it the same way as memento firmware? that could answer the question.

i was considering buying one just because of the size (64mb model), but i would like to know if it should come with a cd/dvd or not.

ps. can you give some insight about that Kc you mentioned? i'm more interested in _how_ this works than what i can do with it :D

jimmikaelkael
04-21-2008, 12:36 PM
This is a part of what we call the sig.
This sig is composed of Kbit (16 bytes) and Kc (16 bytes), they are generated by the special secrman functions : SecrDownloadGetKbit and SecrDownloadGetKc.
They are independent of file content.

I've never seen the case in all these encrypted files, but some of them may use ICVPS2 generated with the function SecrDownloadGetICVPS2.

If it interests you i can send structs concerning bit table and MagicGate elf header.

The true bit table starts just after the sig (offset 0x48) in all our files.
But from the code we have seen there may exist encrypted files with a bit table at a different offset.
All these differences are supported by my module mg elf.

Titch
04-21-2008, 12:43 PM
Hey guys, I used the dump of memory plus with my datel 64mb card.
ecc off and non formatted yes. Got black screen on power up. even if i take the card out with power still on. But if i put it in memslot 2 it boots to browser and i can view memcard files.

Unfortunately i tried to restore my original dump of my 64mb card and forgot to set ecc off so now ps2 dont recognise card. gonna see if I can get max evo to somewhere to fix it

yoshi314
04-21-2008, 02:31 PM
If it interests you i can send structs concerning bit table and MagicGate elf header.

of course i'm interested in all specs we can get.

TnA
04-21-2008, 05:36 PM
Sorry, it only dumps me an output.elf. Can't find a bittable.bin

JNABK
04-21-2008, 09:00 PM
does the software come preinstalled on the memcard or do you have to use a special cd to install it, or do you install it the same way as memento firmware? that could answer the question.

i was considering buying one just because of the size (64mb model), but i would like to know if it should come with a cd/dvd or not.


Its pre-installed without any discs, but ive had nothing but problems with this so far. So you might want to check and see if others also have problems, before buying it.


Heres my story:
I got the Memory Plus 64 card 3 weeks ago, but they sent me a blank card with 64,000KB of free space. i called them, complained and sent it back.

I just got it back today, but they must have put PAL files in both folders , as it scrolls like a PAL on NTSC does.

Also these folders take up a lot of space, as i now only have 37,843KB free.

I compared mine to Quick305's MomoryPlus.rar

Mine:
BAEXEC-SYSTEM folder size:12.8MB {13,171KB in ps2 Browser}
BEEXEC-SYSTEM folder size:12.8MB {13,171KB in ps2 Browser}
BESLES-00000 MP folder size: 783KB {783KB in ps2 Browser}

Quick305's
BAEXEC-SYSTEM folder size:80MB
BEEXEC-SYSTEM folder size:12.8MB
BESLES-00000 MP folder size: 779KB


@ Quick305 How did you get 80MB for your BAEXEC-SYSTEM folder?

I would like to get a copy to try on mine, but i cant put 80MB and dont know if a packer will work or not.
If ya can help me out, i'd appreciate it.

Quick305
04-21-2008, 11:44 PM
JNABK, my BAEXEC-SYSTEM folder is only 12.8MB on my Memory Card I don't know why the download version is 80MB. I too have had the screen problem and found that it was the Tv I had the PS2 hooked up to. The RUNME.ELF file is in PAL 50mhz format. I am assuming this is because the PAL tV's can not display at 60mhz. I found that my older set was able to accept this and display the image correctly. If you have swap magic you could also use that to load the RUNME.ELF file and force the NTSC Video.

JNABK
04-22-2008, 12:05 AM
Oh, ok..........i see. I'll figure it out i guess, shouldnt have to go thru swapmagic, it should work on NTSC. I can play PAL games fine on my HDTV, but this still dont display right.

I'll get on Codejunkies and see if i can get them to fix it. :D {I didnt pay $40 to have to jump thru hoops to use it.}


Oh, in case ya didnt know, this max memory app wont recognise FAT file system on a USB stick, only FAT32.

jimmikaelkael
04-22-2008, 02:57 AM
JNABK, my BAEXEC-SYSTEM folder is only 12.8MB on my Memory Card I don't know why the download version is 80MB. I too have had the screen problem and found that it was the Tv I had the PS2 hooked up to. The RUNME.ELF file is in PAL 50mhz format. I am assuming this is because the PAL tV's can not display at 60mhz. I found that my older set was able to accept this and display the image correctly. If you have swap magic you could also use that to load the RUNME.ELF file and force the NTSC Video.

Judging by the difference of size in the two folder, we can see that it's a memento artifact.
Datel have just studied and copied the memento with some modifications.
On your card, they have repaired corrupted FAT for EUR version but not for US version.

yoshi314
04-22-2008, 04:05 AM
i'm still wondering whether datel isn't behind all of this. (memor, memento)

Also these folders take up a lot of space, as i now only have 37,843KB free.
you don't need all those files actually. if they take so much space i'd say that somebody screwed up with memento fat-trick.

anyway you don't need to have all those files on the memcard - each ps2 model looks for a different osd*.elf file . my v11 looks for osd200.elf, osdmain.elf and (for dvdplayer update ) dvdplayer.elf


edit: i just took a second look at my ps2 bios dump made via pcsx2 dumper 2.0 some time ago.

dumper produces rom0, rom1 dump and special diff file for rom1

interesting thing is that diff file contains non-zero bytes for regions of rom1 that contain encrypted portions of eromdrv ;-) at least i have something to tinker with ; maybe i'll obtain fully decrypted file after decoding?

taken from pcsx2 svn :
In order to be able to run the dvdplayer code in the emulator, it needs
to be pre-decrypted. EROMDRV and DVDELF will have some 'decrypt' patches.
hmm :rolleyes:

mesurf
04-22-2008, 10:58 PM
hey i have a pile of 64meg cards that i bought on ebay and I would like to take the image of the memory + and put it on one of these cards.... what is the process to do this? Do I take the Mcd001.rar file and the HDPRojectX thing and write it to the memcard?

Also another topic... I have the NTSC Blaze CD, and I really would like to use the BB-NAVI if anybody has that... please pm me.

Also I have the dvd player 2.12 USA disc and I want to help. Please advise.

TALONTSx
04-22-2008, 11:50 PM
Not to get off-topic here, but it would be nice if someone was to make a driver for the Official PS3 to PS2 memory card adapter...might ease a few steps off all the work-arounds of getting info off the memory cards. By the way (I'll have to search for it...in the over-stuffed attic) I know I have an old NTSC dvd update disc, its still packaged, and it came w/ the IR Receiver. If it could be of some use...let me know, before I go digging...maybe I'll make some dumps.:D Oh, one more thing...remember (for the ones that have been here before site was deleted) we had a little discussion about an official 16MB Sony Mem card...well after doing some more reading on the package, its actually made by some company called Katana. However it IS an officially licensed product and bears the "playstation 2" logo right on it. Hope this ends...or brings up more discussion on this! LINK (http://www.target.com/Katana-16MB-Memory-Card-PlayStation/dp/B000WE8JES/sr=1-1/qid=1208990403/ref=sr_1_1/602-0522660-3945461?ie=UTF8&index=target&rh=k%3A16MB&page=1)

zin0099
04-23-2008, 11:15 PM
i found this site even more better than dcemu for ps2 stuff
i am willing to buy ps2 cards and test them for free vast

so far i tried to flash my 64mb datel and it says it has 128mb when it should have 64mb
also i flashed my 8mb sony card found it to be at 32mb for some reason!? then i bricked the card so badly that it wouldn't format or be usable then i used my mc to ps3 usb to my ps3 formatted it bingo it fixed the mc from death and yes i did use "mc killer" too but that didn't even revive it

i also have the file everyone is looking for called dvd player 3.02u it came with final fantasy IX on the hdd format disc only to be used with the 40gb hdd other hdds didn't work with it

sony also has a 32mb card too but it's 4mcs in one you use a ps button to switch
also i had put the dvd player 3.02u on my 64mb which is somehow 128mb and it recognized it even when in slot 2
so my guess is if we flash one mc then leave mc2 with other software thats need then we might be going somewhere

JNABK
04-24-2008, 12:16 AM
The RUNME.ELF file is in PAL 50mhz format. I am assuming this is because the PAL tV's can not display at 60mhz. I found that my older set was able to accept this and display the image correctly. If you have swap magic you could also use that to load the RUNME.ELF file and force the NTSC Video.

Yep the RUNME.ELF is in PAL. I made a Cd with the RUNME.ELF and booted it with my CC 2.0 SLE and it displays perfect and i can use it to manage the card as its supposed to.
I couldnt get anything to boot from USB as RUNME1 or RUNME2, and i tried almost every elf file i have, compressed and non compressed. I also tried similar from the MC itself and they just black screen.

So I deleted the folders from the card so i can have the full 64MB and its working great now. I did save the folders/files, just incase i needed them.

So maybe if and when a working installer is made for the free vast project, i'll have a card ready for testing it. :D

In the mean time im using it for game saves. :)

mjp_82
04-24-2008, 04:45 PM
I'm portuguese, sorry the english...

it's possible to put the files on MAX memory 16MB ??

it's possible to change the digital signature of COGSWAP.ELF and made self boot on ps2 memory card?

MikeTeeVee
04-24-2008, 07:01 PM
If by "the files" you mean memento, then no. You might be able to put the firmware on your memory card, but it wouldn't boot it up. As for cogswap.elf, it will become obsolete if this project is successful. Currently, one of the only things which stand in our way is the MagicGate encryption, which we are attempting to research so that we may bypass it. All in due time...

Keep in mind that we are all doing what we can to make this work. If you wish to stay updated, simply check the wiki (http://ps2.mike-tv.com/wiki) from time to time. The Development Status (http://ps2.mike-tv.com/wiki/index.php?title=Main_Page#Development_Status) column will list any releases made, as soon as they are actually made. Hope this helps! ;)

TnA
04-24-2008, 07:15 PM
@jimmikaelkael: Interesting. What are the tests-files (RAR & ISO) for? :D :shhh: :cool:

I still have no clues on how to dump the bittable.bin .
It just dumps me an output.elf.

JNABK
04-24-2008, 11:31 PM
Well im not a dev person and dont know if this is known or not, but i came across this blog where someone has gotten PS2Link 1.51 ELF to boot off the MC plus 64 in place of the runme.elf


http://lukasz.dk/2008/04/22/datel-memory-plus-64-mb/#comment-556

Bootlegninja
04-25-2008, 12:54 AM
Insightful blog. I did some messing around with my datel 32MB and only came up with black screens. So I'm assuming that the OSDMAIN.ELF as well as the OSDxxx.ELF files are somehow encrypted to specific Gatecrasher chips.

I ended up using the BAEXEC-SYSTEM folder and the MP folder.

JNABK
04-25-2008, 12:42 PM
Memory Plus 64
I had a thought of dumping the bios of each of my different consoles and finding out which of the OSDxxx.ELF files is the required one for that console.

If i were to separate them and post them, would this be of any help to figuring out the encryption?

mesurf
04-25-2008, 04:59 PM
So i just bit the bullet and bought the memory plus from codejunkies $42.46 shipped. I have a pile of 64 meg cards here so i figure if i have the real memory plus i can image this puppy or at least help the cause! here's to hoping!

redjackofspades
04-25-2008, 07:59 PM
@JNABK: from what I understand there is really just one OSD file. It's made to look like multiple files to allow the card to be used on many systems. If you open up the files they should be the same just different names.

JNABK
04-25-2008, 09:05 PM
@JNABK: from what I understand there is really just one OSD file. It's made to look like multiple files to allow the card to be used on many systems. If you open up the files they should be the same just different names.

Yea, i realized that after i posted {feels stupid now...:oops:}, but i was thinking of those who would like to have more free space on the MC Plus card by deleting the un-necessary ones and the other region folder. What a waste to use 1 file!

Maybe we should start a different thread listing which file goes to which console, that way others who get this card can delete everything but the one they need.

mastershake1
04-25-2008, 09:30 PM
Yea, i realized that after i posted {feels stupid now...:oops:}, but i was thinking of those who would like to have more free space on the MC Plus card by deleting the un-necessary ones and the other region folder. What a waste to use 1 file!

Is it possible to create symbolic links to one of the files, containing the other filenames?

redjackofspades
04-26-2008, 12:04 AM
Is it possible to create symbolic links to one of the files, containing the other filenames?

I assume this is what is already done. That's how it can show an 80mb folder on a 64mb card.


-jack

JNABK
04-26-2008, 12:40 AM
I assume this is what is already done. That's how it can show an 80mb folder on a 64mb card.


-jack

I think we are getting our info mixed up here a little. Seems we are talking about 2 different products. Similar im sure, but the Memento's folders are 80MB for a 32MB card while the Memory plus is only 12.8MB for a 64MB card.

I think Quick305 uploaded the memento's BAEXEC-SYSTEM by mistake and not the one from the memory plus card. That would explain why it was 80MB as i'm guessing it uncompressed when it was extracted from the MC. If you look at the Memor32 files, it has both an unzip.exe and a zip.exe and im guessing this is how they can put an 80MB folder onto a 32MB card. The Memento updates the compressed folders on the card, im assuming.

yoshi314
04-26-2008, 03:15 AM
Maybe we should start a different thread listing which file goes to which console

that's actually dead simple (almost).

- dump your ps2 bios (you need only rom0)
- unpack it using romdir tool
- decompress osdsys file with ps2unpack (it should get around 3x as big after unpack)
- look inside and search for text ".elf" and you'll see references to osdmain.elf and osdxxx.elf (xxx stands for numbers like 100, 110, 130, 200)

as i mentioned already my v11 osdsys contains reference to osd200.elf and osdmain.elf . and also dvdplayer.elf

Is it possible to create symbolic links to one of the files, containing the other filenames?

on linux - it's dead simple.

the filesystem used on memcard probably doesn't support it, so there is need for special fat modifications to have that kind of functionality.

The Memento updates the compressed folders on the card, im assuming.

the memento files are specially bloated to make it harder to re-encrypt them for use with standard 8mb memcards (that's my guess, why they're 8mb each and full of repetitive data at the end). either that or they're exploiting some extra buffer overflow on the way. decrypted memento files were just around 1,2mb
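Added example (not part of yoshi314's post and not code from any tool named in this thread): the last step of the procedure above, searching an unpacked OSDSYS for ".elf" references, written as a small Python scanner. The sample bytes are constructed for illustration and the function names are hypothetical.

```python
import re
import sys

# Runs of printable ASCII, at least 4 bytes long (same idea as `strings`).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A file name ending in .elf inside such a run, any letter case.
ELF_NAME = re.compile(r"[A-Za-z0-9_-]+\.elf", re.IGNORECASE)
# osdXXX.elf where XXX is three digits (100, 110, 130, 200, ...).
OSD_VERSIONED = re.compile(r"osd(\d{3})\.elf")


def find_elf_references(blob):
    """Return (offset, lowercased file name, surrounding string) per hit."""
    hits = []
    for run in PRINTABLE_RUN.finditer(blob):
        text = run.group().decode("ascii")
        for name in ELF_NAME.finditer(text):
            hits.append((run.start() + name.start(), name.group().lower(), text))
    return hits


def summarize(hits):
    """Group the hits into the update files named in the thread."""
    summary = {"osdmain": False, "dvdplayer": False, "versioned": [], "other": []}
    for _, name, _ in hits:
        versioned = OSD_VERSIONED.fullmatch(name)
        if name == "osdmain.elf":
            summary["osdmain"] = True
        elif name == "dvdplayer.elf":
            summary["dvdplayer"] = True
        elif versioned:
            if versioned.group(1) not in summary["versioned"]:
                summary["versioned"].append(versioned.group(1))
        elif name not in summary["other"]:
            summary["other"].append(name)
    summary["versioned"].sort()
    return summary


# Constructed sample standing in for an unpacked OSDSYS: binary filler with
# NUL-terminated path strings, one of them repeated in upper case.
SAMPLE_UNPACKED = (
    b"\x00\x01\x7fOSD\x00\x00"
    + b"BAEXEC-SYSTEM/osdmain.elf\x00"
    + b"\xff\xfe\x00"
    + b"BAEXEC-SYSTEM/osd200.elf\x00"
    + b"\x10\x00dvdplayer.elf\x00"
    + b"BAEXEC-SYSTEM/OSD200.ELF\x00"
)

# Constructed sample standing in for a file that was not decompressed first:
# no readable strings survive, so the scan finds nothing.
SAMPLE_STILL_PACKED = bytes(range(0, 32)) * 8


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_UNPACKED
    found = find_elf_references(data)
    if not found:
        print("no .elf references; the input is probably still compressed")
    for offset, name, context in found:
        print(f"0x{offset:08x}  {name:<14} {context}")
    print(summarize(found))
```

An empty result on a real dump usually means the decompress step was skipped, since the file names are not readable in the packed module.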

eustolio
04-26-2008, 07:28 AM
- dump your ps2 bios (you need only rom0)
- unpack it using romdir tool
- decompress osdsys file with ps2unpack (it should get around 3x as big after unpack)
- look inside and search for text ".elf" and you'll see references to osdmain.elf and osdxxx.elf (xxx stands for numbers like 100, 110, 130, 200)

as i mentioned already my v11 osdsys contains reference to osd200.elf and osdmain.elf . and also dvdplayer.elf

thanks for the clarification.:)

JNABK
04-26-2008, 11:26 AM
that's actually dead simple (almost).

- dump your ps2 bios (you need only rom0)
- unpack it using romdir tool
- decompress osdsys file with ps2unpack (it should get around 3x as big after unpack)
- look inside and search for text ".elf" and you'll see references to osdmain.elf and osdxxx.elf (xxx stands for numbers like 100, 110, 130, 200)

as i mentioned already my v11 osdsys contains reference to osd200.elf and osdmain.elf . and also dvdplayer.elf



That was my original thought, but didnt know what to do with the bios once i got it. Thanks for the info, but i found an easier way.

I simply deleted the BEEXEC-SYSTEM cause i knew i didnt need that one.
Then i deleted all the files in BAEXEC-SYSTEM except for the icon & its support file.
I was going to just copy the other files 1 at a time back to see which file worked in my consoles and then document it that way.

The first file i added back to the BAEXEC-SYSTEM folder was the osdmain.elf and i found out this is the only file i need for all my consoles.

I tested this on :
SCPH-30001 {NTSC} V4
SCPH-30001-R {NTSC} V4
SCPH-30001-R {NTSC} V5
SCPH-50001/N {NTSC} V9
SCPH-79001 {NTSC} V16

So all i have on the card is:
BESLES-00000 MP with only RUNME.ELF, icon.sys, mcp.ico
BAEXEC-SYSTEM with only osdmain.elf, icon.sys, mcp.ico

I now have 62,830KB free and the Memory Manager boots just fine on all those consoles without the other files. Although its still in PAL and is useless to me from the card, i have my own work-around to still use it.

redjackofspades
04-26-2008, 11:32 AM
@JNABK: sorry my bad. I read back through the posts and noticed Memory+ does not use the same Memento "fat trick". So I understand what you are saying now.

So realistically Memory+ could be put on an 8mb easier than memento? As long as you limit the ps2 versions?

JNABK
04-26-2008, 11:43 AM
So realistically Memory+ could be put on an 8mb easier than memento? As long as you limit the ps2 versions?

Yep, thats what im hoping....but the Mem+ is only a single app and thats why its smaller, it dont have all the functions the Memento card has.

The only problem i have is this is PAL format and im NTSC. I cant get this to display on any of my TVs without running the app off a disc and forcing NTSC via a modchip, so this is a worthless app for those without PAL.

I even tried patching it with a P/N selector from the PALtoNTSC converter. The selector loaded on bootup, but didnt convert anything, just loaded in PAL again. I tried each of its 3 settings.....:( It would be nice to get this to run in NTSC format off the card.

Bootlegninja
04-26-2008, 12:35 PM
Here's my findings from PS2's here. All of which are NTSC US

V4
OSD160.ELF
OSDMAIN.ELF

v7
OSD170.ELF
OSDMAIN.ELF

V10
OSD200.ELF
OSDMAIN.ELF

Edit - I'm including an archive with all the required files to extract and unpack your PS2's BIOS

redjackofspades
04-26-2008, 02:16 PM
@JNABK: from what it looks like on the instructions(posted on the first page of this post) you can add "runme1.elf" and it should load that at boot if the card is in mc0 have you tried this. Is it still PAL?

http://psx-scene.com/forums/attachment.php?attachmentid=13514&d=1206050089

JNABK
04-26-2008, 03:12 PM
yep, the RUNME.ELF {memory manager} is definitely in PAL. I have ran it from uLaunchelf off a USB stick and its PAL. I tried to run other apps as RUNME1.ELF and RUNME2.ELF from a USB stick and have not had any success with any apps i tried to get them to run. I also tried those same file names in the folder with the original RUNME.ELF and still no go.

The only app i could get to load so far is the RUNME.ELF, renamed on the USB stick in both slots. I also patched the RUNME.ELF with a PALtoNTSC converter and it loaded from the USB stick, but it only changed it to color, still rolls up the screen.

The only way i have been able to run this app so i can use it, is by making a CD and booting that with my CC 2.0 SLE.


Heres my info:
V4
OSD160.ELF
OSDMAIN.ELF

v9
OSD170.ELF
OSDMAIN.ELF

I couldnt get a bios dump off my V5, i guessing the DMS4 pro has something to do with that, dunno, just wouldnt dump. And i cant run the dumper on the V16 cause i dont have a way to run it on that console. But i already know i only need the OSDMAIN.ELF to get the RUNME.ELF to boot.

clemsche
04-26-2008, 04:11 PM
Hi there!
I'm reading this thread since nearly it started since I'm very interested in the homebrew of the PS2 [I'm coming from the GP32, GP2x and Dreamcast scenes with lots of emulators and great homebrew software] and the VAST project. As it seems that there wasn't going to be a VAST version, I ordered myself a Memor32 and I'm very happy with this thing (together with my HDD...).
I just wanna put somethings together for myself and other not so familiar with the PS2 platform and this thread: The PS2 has an update feature which is used by the DVD player (coming with the official remote) and by the browser (coming together with the HDD connector). This feature tries to load a file from the memory card in slot 1 (name OSDMAIN.ELF and OSDXXX.ELF corresponding to the version of the PS2). The files seemed to be encrypted using Sonys own MagicGate encryption. Unfortunately there seems to be very poor information about this format, nearly zero. The encryption key seems to be made partially with the ID of the memory-card, so there is only one key per MC.
Now there are three ways to boot an ELF file by the PS2 using a MC: Having many manipulated MC with only one ID-number, resulting in only one set of encrypted OSDXXX.ELF files. This is used by the Mementoteam and answers the question "Why doesn't work the Memento firmware on my MC?!".
Or fooling the PS2 that the files are already unencrypted by the MagicGate chip on the MC and giving the PS2 normal ELFs to boot, like the Memory Plus by Datel (called "GateCrusher"?).
Or the last and best method, approached by the VAST project: Hacking the MagicGate encryption and making a program which encrypts the ELF files especially for each MC-ID number and putting that file onto the MC, so it can boot everything you want.

I hope, I got everything right, please say when I got something wrong. I see now three ways to continue: Getting the Mementoteam up to add the last promised (and already shown!) features, but they seemed to be faded away. Or hacking the firmware ourselves and making it opensource. Or doing it the hard way and trying to crack the MagicGate encryption and making the VAST idea come true. And this, making SONY VERY angry... ;)

Just my two cents...

[sorry for my poor English...]

yoshi314
04-26-2008, 04:59 PM
Or doing it the hard way and trying to crack the MagicGate encryption and making the VAST idea come true. And this, making SONY VERY angry...
they can't do a thing against proper reverse-engineering. if we can keep true to this method - we are clean.

JNABK
04-26-2008, 05:28 PM
From the blog i posted about a few posts back, the guy made a Mplus Loader and this is working ok for me now to run elfs off my USB and MC:

http://lukasz.dk/category/playstation-2/

thanks Lukasz

clemsche
04-26-2008, 05:52 PM
they can't do a thing against proper reverse-engineering. if we can keep true to this method - we are clean.
Yeah, but I don't think that Sony will sit still and do nothing, since MagicGate is used in the PSP, some MiniDisc players and the memory cards by Sony and it'll be a huge impact for them, when it's gonna be hacked...

Zmathue
04-26-2008, 06:57 PM
Yeah, but I don't think that Sony will sit still and do nothing, since MagicGate is used in the PSP, some MiniDisc players and the memory cards by Sony and it'll be a huge impact for them, when it's gonna be hacked...
MagicGate was already cracked by Datel... and they're making a lot of money because of this "gatecrusher".

teh_apple
04-26-2008, 10:16 PM
I bought one of those 64mb datel cards with the gatebreaker shit I believe. Will this aid us (or me) run the signed memento elfs?

If so, how would I be able to use this to help the free vast project?

yoshi314
04-27-2008, 04:40 AM
i think magicgate is evolving with newer hardware. i suspect it's different on ps2 and psp.

if it weren't we would see custom magicgate compliant psp datel memsticks flooding the market, preinstalled with e.g. homebrew launchers or some other bonus software ;-)

JNABK
04-27-2008, 12:54 PM
For those of you who have the Memory Plus 64 and are in NTSC like me, you have discovered your app is in PAL format and most apps don't run with the RUNME1 or RUNME2 as advertised. This has been fixed by a guy who is a very talented programmer.

He has created 2 apps which will load most any elf off the USB or MC and 1 that patches the NTSC format so the Memory Plus Manager runs properly on a NTSC machine/TV.

I have posted the blog a few times, but those of you who missed it, here it is again with his apps and how to use them.

http://lukasz.dk/2008/04/22/datel-memory-plus-64-mb/#comment-561

Again, thanks lukasz !!

mesurf
04-27-2008, 01:12 PM
Lukasz is making amazing progress with this card!!! http://lukasz.dk/2008/04/22/datel-memory-plus-64-mb/

he has created a loader that can load uLaunch etc. with the mem plus card. So how cool is this? for $42 bucks you can have a 64 meg card that is leaps better than memento and it will also bring dead consoles with no lasers back to life!!

there is a local shop that sells dead consoles for $5 bucks so this is a godsend!! keep up the good work!!

mesurf
04-27-2008, 03:18 PM
DVD Player upgrade 3.02U (AR Max save) NTSC

This may help something...

http://jnabk.selfip.com/Sony/DVDPL_9480_DVD_Player.rar

zin0099
04-28-2008, 02:09 AM
Lukasz is making amazing progress with this card!!! http://lukasz.dk/2008/04/22/datel-memory-plus-64-mb/

he has created a loader that can load uLaunch etc. with the mem plus card. So how cool is this? for $42 bucks you can have a 64 meg card that is leaps better than memento and it will also bring dead consoles with no lasers back to life!!

there is a local shop that sells dead consoles for $5 bucks so this is a godsend!! keep up the good work!!

i noticed that this guy posted about "gate crusher" which Datel was successfully able to crack when they made 16mb-64mb memcards
could we work around the memplus and put it on a Datel memcard like the 64mb card i have?

teh_apple
04-28-2008, 02:16 AM
I opened up my 64mb card today, and noticed that my gate crusher chip also had "pro" on it. Anyone know the difference between a gate crusher, and a gate crusher pro?

Note: This is an older 64mb card, so it doesn't have the USB port. I bought it last year, but it was an older package compared to the rest. (Had a 2004 copyright, others had 06.)

curtis2k8
04-28-2008, 04:14 AM
Hi, how do you export BESLES-00000 MP out of Mcd001.ps2 using mymc? I can't seem to do it because there is a space between 0 and MP. Please help :(

yoshi314
04-28-2008, 04:16 AM
i didn't test it, but maybe you have to replace " " with "\ " ? this usually works on linux.