eboot.bin - more comprehensive guide?

[tastyratz]

First off I want to thank Veritas for helping us figure out how to get the ball rolling. He wrote an awesome guide I will quote here:

Anyway, this guide requires you to have some knowledge of how the SELF and ELF file formats are laid out. I don’t have a quick tool to do this for me, but it takes maybe 5 minutes of my time to do it by hand.

1. Open EBOOT.BIN in a hex editor of your preference.
2. In EBOOT.BIN, look at the SELF control info, if you see anything resembling the game titleid, it’s an NPDRM SELF and this guide won’t work, give up.
3. Use readself on EBOOT.BIN to get information about the encrypted metadata sections.
4. unself EBOOT.BIN eboot.elf
5. Open eboot.elf in a hex editor of your preference.
6. In eboot.elf, go to every encrypted metadata section (now decrypted), copy its data, and replace the encrypted data in EBOOT.BIN.
7. In EBOOT.BIN, change SELF header to indicate it’s FSELF.
8. In EBOOT.BIN, change SELF section headers that are marked as encrypted to say they are not encrypted.
9. If the game is a newer SDK version (like GT5, which is 3.50), in EBOOT.BIN, find the .sys_proc_param segment and change the SDK version to something earlier, such as 3.41. This will probably cause crashes in games that actually use newer SDK features that are not available in earlier SDK versions.
10. Save EBOOT.BIN
11. Cross fingers, run game, hope it works.

Unfortunately for those of us who do NOT understand the self system or know what to look for, it is not useful. I have spent a few days searching but still haven't wrapped my head around it. I don't like to be "that guy" who just posts eboots and waits around for someone to mod it for me.

I was hoping someone would possibly expand on his guide to make it easier to follow for those of us who WANT to learn and don't know where to start.

A start to finish idiots guide could help people like myself switch from asking for eboots to helping others with eboots. Could someone who knows the process please take the time?

Thanks

[whodingy]

the instructions are fairly clear with the exception of what the flag values are to be replaced as well as missing a bit of file offset explanation.

the setup for decryption on a windows machine is explained here:
PSGroove.com - Tutorial: How to Decrypt Your Own EBOOT.BIN's or SELF Files in Windows

the values for setting as fself (0x8000) are explained here:
SELF File Format and Decryption - PS3Wiki

as far as setting each section as decrypted, analyze a fixed EBOOT file and an original, i think you'll see the differences (from 0x01 to 0x02 i believe)

once you get all setup simply follow the instructions already posted here... (readself... unself... paste decrypted data into original file... change values in header to set as fself and from encrypted to non-encrypted in sections)

the last thing that 'may' be tricky is to understand where to paste from.
the decrypted ELF file is listed at a higher than offset 0 in the original EBOOT. so you must copy the blocks starting from the beginning of the decrypted file and paste into the appropriate offset in the original EBOOT.

example:
if the first encrypted section starts at 00000000_00000800 and is 00000000_00002000 bytes long, from the decrypted ELF you must copy from offset 0x00000000-0x00001FFF (0x2000 bytes) and paste that block (overwriting, not inserting) at offset 0x0800 in the original EBOOT file.

all other offsets in the decrypted file will be found at (-0x800) from the original file (using the example of the encrypted section starting at 0x800).

an example of this would be the 2nd encrypted section being at 00000000_0000D000. you would find the start of this data at 0xC800 in the decryted ELF. again, copy the block size stated from the readself for this section, paste into original EBOOT at 0xD000 and repeat for all encrypted sections listed.

[ModIT]

Ah nice a learning thread!

Maybe i can ask you a few questions too:

We do we acutally do here?
- We decrypt a 3.50 file and copy all (now encrypted) sectors into the original crypted file?

And we do this, because the decrypted file wouldnt run ? But why ?


Could we use this methode to do the same with 3.41 games running on 3.15 ?

[xmod4u]

Could we use this methode to do the same with 3.41 games running on 3.15 ?

I would like that question answered as well. Im really tryin to learn how to do this, but if it ain't gonna work for 3.15, its pointless to me.

[[C*]]

I would like that question answered as well. Im really tryin to learn how to do this, but if it ain't gonna work for 3.15, its pointless to me.

Of course it will work. Just apply the same steps except change the value to 3.15.

[whodingy]

all i can say is try it and see if it works. one of the keypacks linked in the page i referrenced looks like it has 341 keys, so just extract those into your keys subfolder inside your home\user\.ps3 folder and give it a go

[Muffy]

I can do the readself and get the info regarding Encrypted Metadata, and unself to get the decrypted eboot.elf however I am a bit lost when it comes to figuring out what to do in the hex editor.

Code:

Encrypted Metadata
  Key:            75 fa df 30 70 d7 ae 7e 39 15 f8 e4 2c 66 45 93
  IV :            ae 7a 3e a1 5e 1e f1 c4 a1 79 95 32 e0 fb 2e 32
  Signature end   00000950
  Sections        7
  Keys            52

And i presume the sections you speak of are this

Code:

Sections
    Offset            Length            Key IV  SHA1
    00000000_00000980 00000000_01772468 006 007 000
    00000000_01780980 00000000_0014cf5c 014 015 008
    00000000_018cd8dc 00000000_00000000 022 023 016
    00000000_018cd8dc 00000000_00000000 030 031 024
    00000000_018cd8dc 00000000_00000000 038 039 032
    00000000_018cdb14 00000000_000052a6 -01 -01 040
    00000000_018d2f08 00000000_00000800 -01 -01 046

Its the which data to copy from the elf to the eboot that is confusing me (doesn't take a lot )

Any noob type pointers would be grateful. (using Hexworkshop V6)

[Dumler]

Sections number 1 and 2 this is what I have understood. Please correct me if I am wrong.

[tastyratz]

Stopped at the start. I followed the guide to unself received this error when attempting to unself this zumba eboot:

Multiupload.com - upload your files to multiple file hosting sites!

Exception: STATUS_ACCESS_VIOLATION at eip=00401A55
eax=7E960000 ebx=00000040 ecx=00000000 edx=00000000 esi=FDDB4C56 edi=7E960050
ebp=0028CD18 esp=0028CC40 program=C:\cygwin\bin\unself.exe, pid 4288, thread main
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B
Stack trace:
Frame Function Args
0028CD18 00401A55 (6123CA37, 61179FC3, 0028CD58, 61006CD3)
0028CD58 61006CD3 (00000000, 0028CD94, 61006570, 7EFDE000)
End of stack trace

[Muffy]

Stopped at the start. I followed the guide to unself received this error when attempting to unself this zumba eboot:

Multiupload.com - upload your files to multiple file hosting sites!

Exception: STATUS_ACCESS_VIOLATION at eip=00401A55
eax=7E960000 ebx=00000040 ecx=00000000 edx=00000000 esi=FDDB4C56 edi=7E960050
ebp=0028CD18 esp=0028CC40 program=C:\cygwin\bin\unself.exe, pid 4288, thread main
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B
Stack trace:
Frame Function Args
0028CD18 00401A55 (6123CA37, 61179FC3, 0028CD58, 61006CD3)
0028CD58 61006CD3 (00000000, 0028CD94, 61006570, 7EFDE000)
End of stack trace

Getting the same error with that Eboot