Article: PS3 3.60 Keys Leaked

[YoYoBalls]

nvm

[YoYoBalls]

Edit: I tried it with my TB patched copy and I get a spinning yellow warning sign. I'm going to try to redump the game clean and try again. I've never seen that warning logo. It's not a Sony one, so they might be junk patches

I have only seen that image with portal 2 trying to run it disc-less. It maybe a dev error for portal 2 - who knows

[BahumatLord]

I just checked a clean/untouched copy of Portal 2 with the PSFR33 update patch and it still gives that error symbol. They're junk patches.

[JOshISPoser]

i have noticed in comments sections that people aren't getting them to work. idk if i can report the patches on a site i use, but i shall try so people don't pull out their hair.

[BahumatLord]

most patches work fine that just needed the Eboot patched, but some like Portal 2 that needed SPRX + Sdat files patched are problematic. If you've got the names of working patches for games like that it would be a big help. Just no download links. I'm pretty sure everybody knows how to use google

[oakhead69]

@YoYouBalls - yes that's exactly it

@oakhead69 - Would you mind sharing the script you're using to brute-force the klicense? I get what you're saying but I don't want to get into doing a base-16 number generator if you've already got a working method

Hi BahumatLord, at the bottom of this post is the code I have written to brute force the klicense. Sorry it is C source code not a script, I hope you can make use of it. Sorry no comments unlike my script as I was not expecting any body else to be interested in it. Not sure if I am allowed to post the .exe

Examples to test it with are

Rage (BLES01377) offset 0x1978b20 into eboot.elf for 58a4badb96035258c54dde01f210cbdd
Deus Ex (BLES01150) offset 0x0df07c0 into eboot.elf for 3e5a737b7d7d6f242d3f305873647153

Rage is working fine for me but I am struggling to get Deus Ex working it locks up the PS3 when I try to launch a single player game.

Some other scripts that I have written that might help are.

I use this to re-encrypt the self and sprx files, this has the klicense for Deus Ex in it you will need to replace this.

Code:

@echo off
%~d0
cd %~p0

IF "%1"=="" (set filename=EBOOT.BIN) ELSE (set filename=%1)
echo fn is %filename%

FOR /F "tokens=*" %%A IN ('scetool -i "%filename%" ^| find "ContentID"') DO SET contentID=%%A
set contentID=%contentID:~13%
echo contentID is "%contentID%"

if filename==EBOOT.BIN (scetool -d "%filename%" "%filename%.ELF") ELSE (scetool -l 3e5a737b7d7d6f242d3f305873647153 -d "%filename%" "%filename%.ELF") 


IF NOT EXIST "%filename%.ELF" goto decryptFailed

rem Search and Replace 3.6 with 3.4
gsar.exe -x18 -o -s:x24:x13:xbc:xc5:xf6:x00:x33:x00:x00:x00:x36 -r:x24:x13:xbc:xc5:xf6:x00:x33:x00:x00:x00:x34 "%filename%.ELF"

scetool.exe -l 3e5a737b7d7d6f242d3f305873647153 --sce-type=SELF --compress-data=FALSE --skip-sections=TRUE --key-revision=0001 --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003004000000000 --np-license-type=FREE --np-content-id=%contentID% --np-app-type=EXEC --np-real-fname=%filename% --encrypt "%filename%.ELF" "fixed-%filename%"
del /Q "%filename%.ELF"
scetool -i "fixed-%filename%" > "fixed-%filename%.txt"
goto eof
:decryptFailed
echo Decrypt failed look in %filename%.txt
scetool -i "%filename%" > "%filename%.txt"
:eof
pause

Updated version of my re-encrypt script that also uses gsar (Google for it) to replace the 2413bcc5f600330000036 with 2413bcc5f600330000034. i.e. 3.6 to 3.4 in the EBOOT.BIN. It also has a pause in the script before the pkg repack allowing you to fix any self or sprx files.

Code:

rem @echo off

rem Move to the current directory if pkg file drag and dropped.
%~d0
cd %~p0

SETLOCAL ENABLEEXTENSIONS
SETLOCAL DISABLEDELAYEDEXPANSION

rem check that PARAM_SFO_Editor.exe
IF NOT EXIST PARAM_SFO_Editor.exe goto noSFOEditor

rem check that pkgview.exe
IF NOT EXIST pkgview.exe goto nopkgview

rem check that old EBOOT.BIN does not exist
IF EXIST EBOOT.BIN goto ebootbin

rem check parameter is a pkg file and it exists
IF NOT "%~x1" == ".pkg" goto notpkg
IF NOT EXIST %1 goto nofile

rem get the pkg extraction folder name
set pkgfolder=%~n1
echo pkgfolder is "%pkgfolder%"

rem get the package version needed later to repack to package
FOR /F "tokens=*" %%A IN ('psn_package_npdrm %1 ^| find "PackageVersion"') DO SET PackageVersion=%%A
set PackageVersion=%PackageVersion:~19% 
echo PackageVersion is "%PackageVersion%"

rem Extract the package file
call PkgView.exe -ex %1

rem check that it has extracted correctly
IF NOT EXIST "%pkgfolder%" goto nopkgfolder

cd "%pkgfolder%"

rem get the game ID needed later to repack to package
FOR /F "tokens=*" %%A IN ('dir /b /ad') DO SET gameId=%%A
echo gameId is "%gameId%"

cd "%gameId%"

rem check that PARAM.SFO exists
IF NOT EXIST PARAM.SFO goto noPARAMSFO

rem patch the PARAM.SFO file to firmware v3.4 from v3.6
..\..\PARAM_SFO_Editor.exe PARAM.SFO --out=PARAM.SFX
ren PARAM.SFX PARAM.TMP
call ..\..\replace 03.6000 03.4000 PARAM.TMP >> PARAM.SFX
del /Q PARAM.SFO
..\..\PARAM_SFO_Editor.exe PARAM.SFX --out=PARAM.SFO
del /Q PARAM.TMP
del /Q PARAM.SFX

cd USRDIR

rem check that EBOOT.BIN exists and move to the root
IF NOT EXIST EBOOT.BIN goto noEBOOTBIN
move EBOOT.BIN ..\..\..
cd ..\..\..

rem get the ContentID from the EBOOT.BIN
FOR /F "tokens=*" %%A IN ('scetool -i EBOOT.BIN ^| find "ContentID"') DO SET contentID=%%A
set contentID=%contentID:~13%
echo contentID is "%contentID%"

rem is the EBOOT.BIN compressed TBD
set compressed=FALSE

rem decrypt the EBOOT.BIN
call scetool.exe --decrypt EBOOT.BIN EBOOT.ELF

rem Search and Replace 3.6 with 3.4
gsar.exe -x18 -o -s:x24:x13:xbc:xc5:xf6:x00:x33:x00:x00:x00:x36 -r:x24:x13:xbc:xc5:xf6:x00:x33:x00:x00:x00:x34 EBOOT.ELF

rem recypty the EBOOT.ELF
call scetool.exe --sce-type=SELF --compress-data=%Compressed% --skip-sections=TRUE --key-revision=0001 --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003004000000000 --np-license-type=FREE --np-content-id=%contentID% --np-app-type=EXEC --np-real-fname=EBOOT.BIN --encrypt EBOOT.ELF EBOOT.BIN
del /Q EBOOT.ELF

rem move the EBOOT.BIN back to the USRDIR
move EBOOT.BIN "%pkgfolder%\%gameId%\USRDIR"

rem Create the config file for the pkg packer.
echo Content-ID=%contentID% > "reencrypt.txt"
echo k_licensee=0x00000000000000000000000000000000 >> "reencrypt.txt"
echo DRM_Type=Free >> "reencrypt.txt"
echo Content_Type=GameData >> "reencrypt.txt"
echo PackageType=DiscGamePatch >> "reencrypt.txt"
echo PackageVersion=%PackageVersion% >> "reencrypt.txt"

echo Fix and self/ sprx files now and press a key to continue
pause

rem Temp rename the original pkg file
ren "%pkgfolder%.pkg" "%pkgfolder%-o.pkg"

rem Create the new pkg
rem psn_package_npdrm reencrypt.txt "%pkgfolder%\%gameId%"
FOR /F "tokens=*" %%A IN ('psn_package_npdrm reencrypt.txt "%pkgfolder%\%gameId%" ^| find "Generate Package"') DO SET PackageOutputName=%%A
set PackageOutputName=%PackageOutputName:~20,-1%
echo PackageOutputName is "%PackageOutputName%"

rem Rename the output from the package to the start as the original with -3.4 on the end.
ren "%PackageOutputName%" "%pkgfolder%-3.4.pkg"

rem Restore the original pkg file name
ren "%pkgfolder%-o.pkg" "%pkgfolder%.pkg"

rem cleanup
del /Q reencrypt.txt
rmdir /S /Q "%pkgfolder%"
goto end

:ebootbin
echo Please delete/move the old EBOOT.BIN from %~dp0 as it will be overwrtitten
goto errorend
:noEBOOTBIN
echo Could not find EBOOT.BIN in %~dp0
goto errorend
:noPARAMSFO
echo Could not find PARAM.SFO in %~dp0
goto errorend
:noSFOEditor
echo PARAM_SFO_Editor.exe must be in the current directory
goto errorend
:nopkgfolder
echo Could not find the extracted folder %pkgfolder%
goto errorend
:nopkgview
echo PkgView.exe must be in the current directory
goto errorend
:nofile
echo File %1 does not exist
goto errorend
:notpkg
echo Please specifiy a pkg file
goto errorend
:end
echo Finished
:errorend
cd %~p0
pause

Code:

#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <conio.h>
#include <time.h>

#include "windows.h"

//#define FALSE (1 == 0)
//#define TRUE (!FALSE)

#define KEY_LENGTH 16

static int hexKey(char *hexString, const unsigned char *key) 
{
    int i;
    int ok = FALSE;

    for (i = 0; i < KEY_LENGTH; i++)
    {
        if (*key != 0)
        {
            ok = TRUE;
        }
        sprintf(hexString, "%02x", *key++);
        hexString +=2;
    }

    return ok;
}

int main(int argc, char* argv[])
{
    char *pElfFilename;
    char *pSelfFilename;
    char elfTestFilename[512];
    unsigned char keystr[(KEY_LENGTH * 2) + 1] ="01020304050607080910111213141516";
    char command[1024];
    FILE *pElfFile;
    char * buffer;
    int found = FALSE;
    size_t startOffset = 0;
    size_t endOffset;
    size_t i = 0;
    size_t fileLength;
    size_t length;
    HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE);
    time_t startTime;
    double diff;
    double rate = 10;
    int display;
    int remaining;
    COORD coord;

    coord.X = 0; 
    coord.Y = 0;

    if (argc >= 3 && argc <= 5)
    {
        pElfFilename = argv[1];
        pSelfFilename = argv[2];

        if (argc >= 4)
        {
            startOffset = atol(argv[3]);
        }

        sprintf(elfTestFilename, "%s.elf", pSelfFilename);
        
        pElfFile = fopen(pElfFilename, "rb");
        if (pElfFile == NULL)
        {
            exit(0);
        }

        fseek(pElfFile, 0L, SEEK_END);
        fileLength = ftell(pElfFile);
        fseek(pElfFile, startOffset, SEEK_SET);

        if (argc == 5)
        {
            endOffset = atol(argv[4]);
            if (endOffset > fileLength - 1)
            {
                printf("End offset to large\n");
                exit(0);
            }
        }
        else
        {
            endOffset = fileLength - 1;
        }

        length = endOffset - startOffset;

        buffer = (char*)malloc(length);
        if (buffer == NULL)
        {
            printf("Can not allocate %d: try smaller chunk\n", length);
            exit(0);
        }

        if (fread(buffer, 1, length, pElfFile) != length)
        {
            printf("Read failed\n");
            fclose(pElfFile);
            exit(0);
        }

        fclose(pElfFile);

        if (length < KEY_LENGTH)
        {
            printf("Search range too small\n");
            exit(0);
        }

        length -= KEY_LENGTH;

        startTime = time(0);
        system("cls");

        for (i = 0; !found && i < length; i++)
        {
            /* 0.5 second updates */
            if (((int)rate) < 2 || (i % (((int)rate) / 2)) == 0)
            {
                display = TRUE;
            }
            else
            {
                display = FALSE;
            }

            if (display)
            {
                SetConsoleCursorPosition(h, coord);

                diff = difftime(time(0), startTime);

                rate = i / diff;
                if (rate == 0)
                {
                    rate = 1;
                }
                remaining = (int)((length - i) / rate);
            }

            if (hexKey(keystr, buffer + i))
            {
                if (display)
                {
                    printf("%03.03f %02d:%02d:%02d %06x: %02d%%: %s    \n", rate, remaining / 3600, (remaining % 3600) / 60, remaining % 60, startOffset + i, (i * 100) / length, keystr);
                    sprintf(command, "scetool -l %s -d %s %s", keystr, pSelfFilename, elfTestFilename);
                }
                else
                {
                    sprintf(command, "scetool -l %s -d %s %s > nul", keystr, pSelfFilename, elfTestFilename);
                }
                if (system(command) != 0)
                {
                    printf("ERROR at offset 0x%x in %s: key:%s   \n", startOffset + i, pElfFilename, keystr);
                    system("pause");
                    system("cls");
                }
                if (fopen(elfTestFilename, "rb") != NULL)
                {
                    printf("Found it at offset 0x%x in %s: key:%s   \n", startOffset + i, pElfFilename, keystr);
                    found = TRUE;
                }
            }
            else
            {
                if (display)
                {
                    printf("%03.03f %02d:%02d:%02d %06x: %02d%%: Skip\n", rate, remaining / 3600, (remaining % 3600) / 60, remaining % 60, startOffset + i, (i * 100) / length);
                }
                i+=7;
            }
        }
        if (!found)
        {
            printf("Not Found it between 0x%x and 0x%x in %s\n", startOffset, endOffset, pElfFilename);
        }
    }
    else
    {
        printf("brute elfFile selfFile optionalStartOffset optionalEndOffset\n");
    }
    free(buffer);
    system("pause");
    return 0;
}

I hope some of this maybe useful to somebody, I am still investing what we are missing to get all the self/sprx file working correctly.

EDIT:

One last thing if you are re-encrypting a sprx then use
--np-app-type=SPRX
and not
--np-app-type=EXEC
Sorry the sprx/self re-encrypt script was a personal script and I need to update it more to allow for this and the specification of the klicense.

[oakhead69]

oakhead69 Thank you so much for this such information, i make a pkg for the lasted patch of Black Ops 1.13 for 3.55

but i have a problem, multiplayer side doesn't work... i have a blackscreen and i don't know why!...
Solo and Zombie seems to work without bugs. I've tested uncompressed selfs too... doesn't working :x
I don't know what to do else.

Klicense BLES01031 Blackops Patch 1.13: AF0A8F0A8909F09234091AFADF909AF0
i can send the pkg in PM if you want inspect my work, i can't post link i'm new member...

Tested on cfw 3.55 TB v2
Thanks in advance

PS: Sorry for my bad english

The only idea I have is, did you re-encrypt the self files with the klicence?

I have looked at the elf file of the selfs in the original update pkg and the SDK is already 3.4 so no change required there.

If you PM the pkg file/ link I will look at it, but I am going on holiday early tomorrow so it will have to be today.


On an aside, do you live in Matsumoto or is it your name? Nice city been there quite a few times in the past visiting Seiko Epson.

[BahumatLord]

@oakhead69 - thanks man. that will save me a lot of time. I should be able to compile it with Sharp Develop. If not I can find something on Sourceforge. I don't see the harm in posting a compiled version for others since it's just an automation script but others might see it differently so I'd be careful about it

[BahumatLord]

@oakhead69 - It compiled without issues and without having to have C installed with LCC-Win found here LCC-Win: A free compiler system for Windows Operating Systems by Jacob Navia so there's no need to post a compiled version and take any chances with the legal system

Thanks again - this was a big help

[oakhead69]

@oakhead69 - It compiled without issues and without having to have C installed with LCC-Win found here LCC-Win: A free compiler system for Windows Operating Systems by Jacob Navia so there's no need to post a compiled version and take any chances with the legal system

Thanks again - this was a big help

No problem, it is only a single threaded program as such if you have a multi-core PC you need to run at least 1 instance per core for optimum performance. I would run 2 per core but this then make the machine quite unresponsive to anything else. Multiple instances will run with the same self, elf and scetool instances, just when one finds a match they think they all have and you have to figure out which one it is the real match.

The start and end offset for the range have to be decimal not hex.

One last tip for speeding up finding the klicense. So far for me it has tended to be a little before where all the semi-human readable data is in the elf (string tables etc). This toward the end of the file.

Good luck.