Forum: PS3 Game Backup - Discussion about backing up your PS3 discs. Find up to date lists of working and non-working games, information on Rogero Manager and much more. Discussion of warez is not allowed.



Thread: eboot.bin - more comprehensive guide?
  

  1. #31  
    Muffy
    The Fself is explained above

    Code:
    {
    uint32_t magic; // "SCE\0"
    uint32_t version; // 2
    uint16_t attribute; // 0x8000 - fself
    Which apparently converts to

    Code:
    53 43 45 00 00 00 00 02  80 00
    I have always found the string at the beginning of the eboot (0x0), and it looks like this

    Code:
    53 43 45 00 00 00 00 02 00 07
    and you change the 00 07 to 80 00 to make it FSELF.

    That's how I interpreted it at least

    The sys_proc_param i am currently unsure of.
    Reply With Quote  
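
The header check described in post #31, as an added example that is not part of the thread: a read-only parser for the ten bytes quoted there (big-endian magic, version, attribute) that reports whether a file image is marked fself. The class and function names are hypothetical; the two byte strings are the ones quoted in the post.

```python
import struct
from dataclasses import dataclass

SCE_MAGIC = 0x53434500      # "SCE\0", per the struct quoted in the post
FSELF_ATTRIBUTE = 0x8000    # attribute value the post gives for fself


@dataclass
class SceHeader:            # hypothetical name; only the 3 fields shown on the page
    magic: int
    version: int
    attribute: int

    @property
    def is_fself(self) -> bool:
        return self.attribute == FSELF_ATTRIBUTE


def parse_sce_header(data: bytes) -> SceHeader:
    """Read magic/version/attribute (big-endian) from the start of a file image."""
    if len(data) < 10:
        raise ValueError("need at least 10 bytes, got %d" % len(data))
    magic, version, attribute = struct.unpack_from(">IIH", data, 0)
    if magic != SCE_MAGIC:
        raise ValueError("bad magic 0x%08x, not an SCE container" % magic)
    return SceHeader(magic, version, attribute)


def describe(data: bytes) -> str:
    """One-line summary of the header fields for logging or triage."""
    h = parse_sce_header(data)
    kind = "fself" if h.is_fself else "not fself"
    return "version=%d attribute=0x%04x (%s)" % (h.version, h.attribute, kind)


# The two 10-byte prefixes quoted in the post.
FSELF_PREFIX = bytes.fromhex("53434500000000028000")
EBOOT_PREFIX = bytes.fromhex("53434500000000020007")

if __name__ == "__main__":
    for name, blob in (("fself", FSELF_PREFIX), ("eboot", EBOOT_PREFIX)):
        print(name, describe(blob))
```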

  2. #32  
    sik
    Well I got myself a project
    I will re-hack Splatterhouse. If it works I will write a step-by-step guide on how to hack eboots.

  3. #33  
    seros
    Quote Originally Posted by whodingy View Post
    yes, it should be 018d2f08, it was a bad paste. i've fixed it in the original post as well.

    remember, tho, this is not for every file, this is an example using the parameters posted by Muffy. also keep in mind that the sections you want to replace are the ones in the 'Section header' report from readself, NOT the plain one named 'Sections'. The Section header report will let you know which sections are encrypted and therefore which ones you'll have to replace.

    Thanks for the reply, & cheers for clearing up the 'sections' / 'section header' usage. Think I've now got fself due to your later posts (hopefully all games have it in the same place lol), just gotta figure out the encrypted yes/no part, but hopefully the other guys will be able to help with that once they figure it out

    Edit: Think I got the encrypted part thanks to Muffy, will have to test it out tomorrow...
    Last edited by seros; 01-06-2011 at 07:24 PM.

  4. #34  
    xmod4u
    try this question one more time.

    What would be the difference for this process if made for 3.15 firmware.

    The metadata sections, changing SELF to FSELF and changing the encrypted to not encrypted... I see nothing about firmware type in that process.

    Does it have to do something with the keys in the .ps3 folder ?

    please answer.

  5. #35  
    Katsuhiko
    Quote Originally Posted by Muffy View Post
    Ok thanks to whodingy I have now figured this out (i think lol)

    Change to
    Code:
    00 00 00 00 01 78 09 80 00 00 00 00 00 14 CF 5C
    00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02
    etc etc

    I think that is correct

    What you are doing is simply turning off the encryption flag from YES to NO.

    Offsets: 0x2AF // 0x2B4 // 0x2D4 // 0x2F4 // 0x314 // 0x334 // 0x354 // 0x374

    Possible Values : 00 N/A, 01 YES, 02 NO

    To understand it, you have a LOOOOOOOOOOOOOOONG Way

    Almost ALL not working games are fixed.

    The rest needs more than simply removing decryption and putting something from A to B.

  6. #36  
    seros
    Quote Originally Posted by xmod4u View Post
    try this question one more time.

    What would be the difference for this process if made for 3.15 firmware.

    The metadata sections, changing SELF to FSELF and changing the encrypted to not encrypted... I see nothing about firmware type in that process.

    Does it have to do something with the keys in the .ps3 folder ?

    please answer.

    From what I understand, the process should be no different. The only issue may be point 9, whereby one may need to change the SDK version for 3.15 compatibility. But if it was higher, there's a good chance the game won't work anyway as it probably needs the newer SDK to run...

  7. #37  
    risky buisness
    omg I'm still confused. I have managed to get readself to work and this is what I got:


    $ READSELF EBOOT.BIN
    SELF header
    elf #1 offset: 00000000_00000090
    header len: 00000000_00000980
    meta offset: 00000000_00000410
    phdr offset: 00000000_00000040
    shdr offset: 00000000_003f73e8
    file size: 00000000_003f7338
    auth id: 10100000_01000003 (Unknown)
    vendor id: 01000002
    info offset: 00000000_00000070
    sinfo offset: 00000000_00000290
    version offset: 00000000_00000390
    control info: 00000000_000003c0 (00000000_00000070 bytes)
    app version: 1.0.0
    SDK type: unknown
    app type: application

    Control info
    control flags:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    file digest:
    81 eb ed 3b 32 a4 b4 70 57 b3 74 16 c4 78 fe 3e a6 a5 f0 a4

    Section header
    offset size compressed unk1 unk2 encrypted
    00000000_00000980 00000000_003a9ee8 [NO ] 00000000 00000000 [YES]
    00000000_003b0980 00000000_00043c00 [NO ] 00000000 00000000 [YES]
    00000000_003f4580 00000000_00000000 [NO ] 00000000 00000000 [YES]
    00000000_003f4580 00000000_00000000 [NO ] 00000000 00000000 [YES]
    00000000_003f4580 00000000_00000000 [NO ] 00000000 00000000 [YES]
    00000000_003d1900 00000000_00000004 [NO ] 00000000 00000000 [N/A]
    00000000_003aa800 00000000_00000028 [NO ] 00000000 00000000 [N/A]
    00000000_003aa828 00000000_00000040 [NO ] 00000000 00000000 [N/A]

    Encrypted Metadata
    Key: a5 97 34 24 0d 8f 75 e7 65 3b b5 d6 42 0d bb 02
    IV : dd 17 54 2d 38 af 18 a5 f5 ac 0b c8 64 46 69 78
    Signature end 00000950
    Sections 7
    Keys 52

    Sections
    Offset Length Key IV SHA1
    00000000_00000980 00000000_003a9ee8 006 007 000
    00000000_003b0980 00000000_00043c00 014 015 008
    00000000_003f4580 00000000_00000000 022 023 016
    00000000_003f4580 00000000_00000000 030 031 024
    00000000_003f4580 00000000_00000000 038 039 032
    00000000_003f49ac 00000000_0000294c -01 -01 040
    00000000_003f7478 00000000_00000840 -01 -01 046

    I understand that you subtract the header len from the offset value to get the offset value from the elf, which in this case, if I'm right, is 00000000_00000980 from 00000000_00000980, which is where I get confused because it's the same thing? Please someone explain this to me, I'm so close to getting this.

  8. #38  
    poppy14
    Quote:
    Originally Posted by whodingy View Post
    let me break it down...

    all these numbers are in hex.

    00000000_00000980 00000000_01772468 006 007 000
    copy from decrypted ELF: offset 0-1772467 (a size of 1772468)
    paste this block into the original EBOOT at offset 980

    when i say paste, make sure you're overwriting bytes, not pushing them in by inserting

    00000000_01780980 00000000_0014cf5c 014 015 008
    copy from decrypted ELF: offset 01780000-18CCF5B (a size of 0014cf5c)
    paste this block into the original EBOOT at offset 01780980

    00000000_018cd8dc 00000000_00000000 022 023 016
    size of this section is zero, so nothing to do
    00000000_018cd8dc 00000000_00000000 030 031 024
    size of this section is zero, so nothing to do
    00000000_018cd8dc 00000000_00000000 038 039 032
    size of this section is zero, so nothing to do

    00000000_018cdb14 00000000_000052a6 -01 -01 040
    copy from decrypted ELF: offset 18CD194-18D2439 (a size of 000052a6)
    paste this block into the original EBOOT at offset 018cdb14

    00000000_018d2f08 00000000_00000800 -01 -01 046
    copy from decrypted ELF: offset 18D2588-18D2D87 (a size of 00000800)
    paste this block into the original EBOOT at offset 00000800

    unless i copied/pasted the wrong number into my calc, the above offsets should be correct.

    Just have one question: how did you get that value for the size? Like for the offset 18CD194, how did you come up with 18D2439 (a size of 000052a6)? How do you calculate that? That's the only thing I don't get, and that's why the eboot.bin keeps sending me back to the XMB. Thanks man

    I still don't understand
    Reply With Quote  
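
The offset arithmetic asked about in posts #37 and #38, as an added example that is not part of the thread: a read-only parser for the readself "Section header" report that applies the rule stated in the thread (ELF offset = SELF offset minus header len, last byte = first + size - 1). The function names are hypothetical and the sample text is an excerpt of the output posted in #37.

```python
import re

# Excerpt of the readself output posted in #37 (copied from the thread).
READSELF_TEXT = """\
header len: 00000000_00000980
Section header
offset size compressed unk1 unk2 encrypted
00000000_00000980 00000000_003a9ee8 [NO ] 00000000 00000000 [YES]
00000000_003b0980 00000000_00043c00 [NO ] 00000000 00000000 [YES]
00000000_003f4580 00000000_00000000 [NO ] 00000000 00000000 [YES]
00000000_003d1900 00000000_00000004 [NO ] 00000000 00000000 [N/A]
"""

ROW = re.compile(r"^([0-9a-f]{8}_[0-9a-f]{8}) ([0-9a-f]{8}_[0-9a-f]{8}) "
                 r"\[(YES|NO) ?\] \w+ \w+ \[(YES|NO |N/A)\]$", re.M)


def _u64(text):
    """readself prints 64-bit values as HHHHHHHH_LLLLLLLL."""
    return int(text.replace("_", ""), 16)


def elf_range(self_offset, size, header_len):
    """Map a SELF section to (first, last) byte offsets in the decrypted ELF.
    Zero-size sections hold no bytes, so they map to None."""
    if size == 0:
        return None
    first = self_offset - header_len
    if first < 0:
        raise ValueError("section starts inside the SELF header")
    return first, first + size - 1


def encrypted_sections(text):
    """Return [(self_offset, size, elf_range)] for rows marked encrypted [YES]."""
    m = re.search(r"header len:\s*([0-9a-f_]+)", text)
    if m is None:
        raise ValueError("no 'header len' line found")
    header_len = _u64(m.group(1))
    return [(_u64(off), _u64(size), elf_range(_u64(off), _u64(size), header_len))
            for off, size, _comp, enc in ROW.findall(text) if enc == "YES"]


if __name__ == "__main__":
    for off, size, rng in encrypted_sections(READSELF_TEXT):
        span = "empty" if rng is None else "%#x-%#x" % rng
        print("SELF %#x size %#x -> ELF %s" % (off, size, span))
```

The first section starts at 0x980 with a header len of 0x980, so it maps to ELF offset 0: the two values being equal means the first section's data begins at the very start of the ELF.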

  9. #39  
    poppy14
    sorry for the previous post. I figured it out

  10. #40  
    Jewrye
    Quote Originally Posted by whodingy View Post
    the instructions are fairly clear with the exception of what the flag values are to be replaced as well as missing a bit of file offset explanation.

    the setup for decryption on a windows machine is explained here:
    PSGroove.com - Tutorial: How to Decrypt Your Own EBOOT.BIN's or SELF Files in Windows

    the values for setting as fself (0x8000) are explained here:
    SELF File Format and Decryption - PS3Wiki

    as far as setting each section as decrypted, analyze a fixed EBOOT file and an original, i think you'll see the differences (from 0x01 to 0x02 i believe)

    once you get all setup simply follow the instructions already posted here... (readself... unself... paste decrypted data into original file... change values in header to set as fself and from encrypted to non-encrypted in sections)

    the last thing that 'may' be tricky is to understand where to paste from.
    the decrypted ELF file is listed at a higher than offset 0 in the original EBOOT. so you must copy the blocks starting from the beginning of the decrypted file and paste into the appropriate offset in the original EBOOT.

    example:
    if the first encrypted section starts at 00000000_00000800 and is 00000000_00002000 bytes long, from the decrypted ELF you must copy from offset 0x00000000-0x00001FFF (0x2000 bytes) and paste that block (overwriting, not inserting) at offset 0x0800 in the original EBOOT file.

    all other offsets in the decrypted file will be found at (-0x800) from the original file (using the example of the encrypted section starting at 0x800).

    an example of this would be the 2nd encrypted section being at 00000000_0000D000. you would find the start of this data at 0xC800 in the decrypted ELF. again, copy the block size stated from the readself for this section, paste into original EBOOT at 0xD000 and repeat for all encrypted sections listed.

    thanks for the advice, though I have one conflicting part which I can't for the life of me determine.

    example is GT5, the highlighted section is located right after the first encrypted metadata area.

    was comparing to prepatched eboot to make sure I was working along correctly

    I don't understand where the highlighted section is coming from in the prepatched eboot, is this some type of checksum of the metadata which I need to insert back into the eboot as well?



    edit: also, how do you deal with compressed meta data sections?
    jurai