Page 48 of 128 FirstFirst ... 384748495898 ... LastLast
Results 471 to 480 of 1278

Thread: Cobra USB - PS3 Dongle Runs Blu-ray & PS1 iSOs and PSP Minis

  1. #471
    Join Date
    Apr 2005

    MultiMAN v04.20.03 PS3 Backup Game Manager Arrives, Dynarec Enabled

    MultiMAN v04.20.03 PS3 Backup Game Manager is now available with Dynarec enabled from deank with the changes detailed below, as follows:

    Download: multiMAN v04.20.03 UPD (20130303) (7.97 MB) / multiMAN v04.20.03 UPD (20130303) (Mirror) / PS3SX [BETA].pkg (5.95 MB) / lastGAME2 [COBRA FW].pkg (356.81 KB) / Attached below: LANG_IT.TXT by Dino05 / LANG_BR.TXT by ajts1989 / LANG_PR.TXT by kgb / LANG_RU.TXT by pvc1 / LANG_IN.TXT by aquarius / LANG_PL.TXT by djtom / LANG_HU.TXT by JohnDoeHun / LANG_JP.TXT by Kyan_dudl / LANG_FR.TXT by winch03200 / LANG_GL.TXT by ser8210 / (5.26 MB) by samson

    multiMAN 04.20.03 update is available online and in the WEB column.

    multiMAN ver 04.20.03 UPD (20130303)
    • Added support for 4.30DEX CFW (REBUG) (TBA)
    • Added support for PS1 BIN+CUE (using ps1_emu/netemu) for 3.55DEX, 4.21DEX and 4.30DEX
    • Added DynaRec support: New option in Settings "Enable DYNAREC"
    • DYNAREC support for 3.55CEX/DEX, 4.21CEX/DEX, 4.30CEX/DEX, 4.31CEX
    • Fixed few minor issues in 4x2 and 8x4 modes (refreshing the game title when insert/ejecting a PS3 game disc)
    • Fixed a very rare bug in mmOS when icon names/texts are getting corrupted

    You must use lastGAME2 [COBRA FW].pkg on Cobra 3.55/4.30. It supports everything you need. mmCM 04.20.02 and lastGAME2 support:
    • PS1 Disc Backups
    • PS1 BIN+CUE
    • PS2 Disc Backups
    • PS2 ISO or BIN+CUE
    • PS3 ISO (unencrypted)
    • PS3 (folder format)
    • DVD ISO (decrypted)
    • BD ISO (decrypted)

    ...all these can be loaded from networked PC (wired or wireless LAN) from /net_host, Internal HDD and USB HDD (only exception is PS2 ISO files for BC consoles - ISO must be on /dev_hdd0 and PS3 games in folder-format must be on /dev_hdd0 or /dev_usbxxx and of course the Disc backups).

    DYNAREC support tested on 4.21REX and 4.30ROGERO with ps3sx_Beta.pkg which is enough to assume that the implementation is proper. Thanks to Ing. Pereira for the htab info and PeteUK for the testing. All offsets can be found in my source below so Ing. Pereira can port his app for other firmwares, too. Also there is an easier way to detect all CFW firmwares and I posted about it at the end of this post.

    Here is a slightly modified PS3SX:
    • You can install it on any mM supported firmware (3.55CEX/DEX, 4.21CEX/DEX, 4.30CEX/DEX, 4.31CEX)
    • The configuration file is USRDIR/CF.ini
    • Comes with bios and all paths set properly where the default ROM path is /dev_hdd0/PSXISO
    • EBOOT.BIN calls RELOAD.SELF so you can boot PS3SX directly from multiMAN
    • It has VERY POOR compatibility but shows that dynarec is working on all firmwares.

    You can enable DynaRec in mM's settings and directly load PS3SX from mM's GAME column. Thanks to aldostools for the cover. Developers can use this dynarec option in mM if they wish to test their apps in this environment.

    The implementation in mM is different than IngPereira's approach, because it doesn't use the 0x700000 area for the payload and the patches, there are no issues with PKG files and works on all firmwares. Still the kammy data for the hvsc redirections is used, but dynarec's usage is greatly simplified by an "On/Off" option in mM.

    I'm just saying this because some morons will go again with their idiotic comments about copy/pasting. Parts of the mM code is here, along with info how to make it work on all firmwares.

    It is as simple as that:
        /* (c) 2010-2013 multiMAN, Dynarec Enabler
           (c) 2013 Ing Pereira
        #define HTAB_BASE                0x800000000f000000ULL
        #define HTAB_LV2_START_421            (0x01000000ULL)
        #define HTAB_LV2_START_421D            (0x08000000ULL)
        #define HTAB_LV2_START_430            (0x01000000ULL)
        // base_addr = address of mM's payload
        // base_addr + 0x100 = address of htab payload
        void dynarec_payload()
            u64 base_addr=0;
            u64 patch_htab1=0;
            u64 patch_htab2=0;
            u64 patch_htab3=0;
            if(c_firmware==3.55f && !dex_mode)
            else if(c_firmware==3.55f && dex_mode)
            else if(c_firmware==4.21f && !dex_mode)
                patch_htab2=0x5D6DC; //+A38
                patch_htab3=0x5DBA4; //+4C8
            else if(c_firmware==4.21f && dex_mode)
            else if(c_firmware==4.30f && !dex_mode)
                base_addr=0x2D2418; //0x6ff000; to test htab
            else if(c_firmware==4.30f && dex_mode)
            else if(c_firmware==4.31f && !dex_mode)
            else return;
            if(patch_htab1 && HTAB_LV2_START)
                Lv2Syscall2(7, base_addr + 0x100, 0x7C0802A6F8010010ULL);
                Lv2Syscall2(7, base_addr + 0x108, 0xF821FF81F8410070ULL);
                Lv2Syscall2(7, base_addr + 0x110, 0x3C40800060420000ULL);
                Lv2Syscall2(7, base_addr + 0x118, 0x784207C664420000ULL | ( ((base_addr+0x198)>>16)&0xFFFF) );
                Lv2Syscall2(7, base_addr + 0x120, 0x60420000E8020000ULL | ( ((base_addr+0x198))&0xFFFF)<<32 );
                Lv2Syscall2(7, base_addr + 0x128, 0xE84200087C0903A6ULL);
                Lv2Syscall2(7, base_addr + 0x130, 0x4E800421E8410070ULL);
                Lv2Syscall2(7, base_addr + 0x138, 0x38210080E8010010ULL);// BCTR <htab_write_caller> desc
                Lv2Syscall2(7, base_addr + 0x140, 0x7C0803A64E800020ULL);
                Lv2Syscall2(7, base_addr + 0x148, 0x78C607647C0802A6ULL);// <htab_write_caller>
                Lv2Syscall2(7, base_addr + 0x150, 0xF801001060C60002ULL);
                Lv2Syscall2(7, base_addr + 0x158, 0xF821FF914800001DULL);// -> BL <lv1_write_htab>
                Lv2Syscall2(7, base_addr + 0x160, 0x6000000038210070ULL);
                Lv2Syscall2(7, base_addr + 0x168, 0x7C6307B4E8010010ULL);
                Lv2Syscall2(7, base_addr + 0x170, 0x7C0803A64E800020ULL);
                Lv2Syscall2(7, base_addr + 0x178, 0x7C0802A6F8010010ULL);// <lv1_write_htab>
                Lv2Syscall2(7, base_addr + 0x180, 0x3960000144000022ULL);
                Lv2Syscall2(7, base_addr + 0x188, 0x7C6307B4E8010010ULL);
                Lv2Syscall2(7, base_addr + 0x190, 0x7C0803A64E800020ULL);
                Lv2Syscall2(7, base_addr + 0x198, (base_addr + 0x148));     // htab _Custom call desc
                Lv2Syscall2(7, base_addr + 0x1A0, 0x8000000000700000ULL);
                /* enable full r/w/x access */
                uint64_t pte0, pte1;
                /* process entire lv2 */
                for (int i = 0; i < 128; i++)
                    /* read the old value */
                    pte0 = Lv2Syscall1(6, HTAB_BASE | (i << 7));
                    pte1 = Lv2Syscall1(6, HTAB_BASE | (i << 7) + 8);
                    /* verify entry is lv2 */
                    if ((pte1 >= HTAB_LV2_START) && (pte1 < (HTAB_LV2_START+0x800000ULL)))
                        /* patch proper htab settings */
                        lv1_write_htab_entry(0, i << 3, pte0, (pte1 & 0xff0000) | 0x190);
                Lv2Syscall2(7, patch_htab1, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab1)&0xFFFFFF)<<32) );
                Lv2Syscall2(7, patch_htab2, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab2)&0xFFFFFF)<<32) );
                Lv2Syscall2(7, patch_htab3, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab3)&0xFFFFFF)<<32) );
            u64 CEX=0x4345580000000000ULL;
            u64 DEX=0x4445580000000000ULL;
            if(peekq(0x80000000002E79C8ULL)==DEX) {dex_mode=2; c_firmware=3.41f;}
            if(peekq(0x80000000002CFF98ULL)==CEX) {dex_mode=0; c_firmware=3.41f;}
            if(peekq(0x80000000002EFE20ULL)==DEX) {dex_mode=2; c_firmware=3.55f;}
            if(peekq(0x80000000002D83D0ULL)==CEX) {dex_mode=0; c_firmware=3.55f;}
            if(peekq(0x8000000000302D88ULL)==DEX) {dex_mode=2; c_firmware=4.21f;}
            if(peekq(0x80000000002E8610ULL)==CEX) {dex_mode=0; c_firmware=4.21f;}
            if(peekq(0x80000000002E9F08ULL)==CEX) {dex_mode=0; c_firmware=4.30f;}
            if(peekq(0x8000000000304630ULL)==DEX) {dex_mode=2; c_firmware=4.30f;}
            if(peekq(0x80000000002E9F18ULL)==CEX) {dex_mode=0; c_firmware=4.31f;}
        // unknown fw...
    In IDA for 4.30CEX where: base_addr=0x2D2418 which makes the payload go at base_addr+0x100 -> 0x2D2518:
        ROM:002D2518 # =============== S U B R O U T I N E =======================================
        ROM:002D2518 sub_2D2518:                             # CODE XREF: sub_5C9D4+420p
        ROM:002D2518                                         # sub_5D590+29Cp
        ROM:002D2518 .set var_10, -0x10
        ROM:002D2518 .set arg_10,  0x10
        ROM:002D2518                 mflr      r0
        ROM:002D251C                 std       r0, arg_10(r1)
        ROM:002D2520                 stdu      r1, -0x80(r1)
        ROM:002D2524                 std       r2, 0x80+var_10(r1)
        ROM:002D2528                 lis       r2, -0x8000
        ROM:002D252C                 mr        r2, r2
        ROM:002D2530                 sldi      r2, r2, 32
        ROM:002D2534                 oris      r2, r2, 0x2D
        ROM:002D2538                 ori       r2, r2, 0x25B0
        ROM:002D253C                 ld        r0, 0(r2)
        ROM:002D2540                 ld        r2, 8(r2)
        ROM:002D2544                 mtctr     r0
        ROM:002D2548                 bctrl
        ROM:002D254C                 ld        r2, 0x80+var_10(r1)
        ROM:002D2550                 addi      r1, r1, 0x80
        ROM:002D2554                 ld        r0, arg_10(r1)
        ROM:002D2558                 mtlr      r0
        ROM:002D255C                 blr
        ROM:002D255C # End of function sub_2D2518
        ROM:002D2560 # ---------------------------------------------------------------------------
        ROM:002D2560 loc_2D2560:                             # DATA XREF: ROM:002D25B4o
        ROM:002D2560                 clrrdi    r6, r6, 2
        ROM:002D2564                 mflr      r0
        ROM:002D2568                 std       r0, 0x10(r1)
        ROM:002D256C                 ori       r6, r6, 2
        ROM:002D2570                 stdu      r1, -0x70(r1)
        ROM:002D2574                 bl        sub_2D2590
        ROM:002D2578                 nop
        ROM:002D257C                 addi      r1, r1, 0x70
        ROM:002D2580                 extsw     r3, r3
        ROM:002D2584                 ld        r0, 0x10(r1)
        ROM:002D2588                 mtlr      r0
        ROM:002D258C                 blr
        ROM:002D2590 # =============== S U B R O U T I N E =======================================
        ROM:002D2590 sub_2D2590:                             # CODE XREF: ROM:002D2574p
        ROM:002D2590 .set arg_10,  0x10
        ROM:002D2590                 mflr      r0
        ROM:002D2594                 std       r0, arg_10(r1)
        ROM:002D2598                 li        r11, 1
        ROM:002D259C                 hvsc                    # hvsc(1): lv1_write_htab_entry
        ROM:002D25A0                 extsw     r3, r3
        ROM:002D25A4                 ld        r0, arg_10(r1)
        ROM:002D25A8                 mtlr      r0
        ROM:002D25AC                 blr
        ROM:002D25AC # End of function sub_2D2590
        ROM:002D25AC # ---------------------------------------------------------------------------
        ROM:002D25B0                 .long 0x80000000
        ROM:002D25B4                 .long loc_2D2560
        ROM:002D25B8                 .long 0x80000000
        ROM:002D25BC                 .long unk_700000
        002D2518  7C 08 02 A6 F8 01 00 10  F8 21 FF 81 F8 41 00 70
        002D2528  3C 40 80 00 60 42 00 00  78 42 07 C6 64 42 00 2D
        002D2538  60 42 25 B0 E8 02 00 00  E8 42 00 08 7C 09 03 A6
        002D2548  4E 80 04 21 E8 41 00 70  38 21 00 80 E8 01 00 10
        002D2558  7C 08 03 A6 4E 80 00 20  78 C6 07 64 7C 08 02 A6
        002D2568  F8 01 00 10 60 C6 00 02  F8 21 FF 91 48 00 00 1D
        002D2578  60 00 00 00 38 21 00 70  7C 63 07 B4 E8 01 00 10
        002D2588  7C 08 03 A6 4E 80 00 20  7C 08 02 A6 F8 01 00 10
        002D2598  39 60 00 01 44 00 00 22  7C 63 07 B4 E8 01 00 10
        002D25A8  7C 08 03 A6 4E 80 00 20  80 00 00 00 00 2D 25 60
        002D25B8  80 00 00 00 00 70 00 00

  2. #472
    Join Date
    Apr 2005

    Cobra ODE, stay tuned!

    More mM 04.20.03 translation attachments for above...

    Showtime 4.3.48 by Andreas Oman is now available for mM and as standalone (in the WEB column):

    Download: Showtime 04.03.048 [CEX].pkg (5.67 MB) / Showtime 04.03.048 [DEX].pkg (5.73 MB)

    Also below is an update on the Cobra ODE, as follows:

    4 - 03 - 2013

    Release date is a little delayed since we're ironing out the last remaining bugs with the software and hardware in preparation for release. This has taken a longer than expected due to the extended range of consoles we support.

    Some pictures and further information about our hardware will follow over the next few days. Stay tuned for further info!

  3. #473
    Join Date
    Apr 2005

    MultiMAN v04.20.04 PS3 Backup Game Manager is Now Released

    MultiMAN v04.20.04 PS3 Backup Game Manager is now available via deank with the changes detailed below, as follows:

    Download: multiMAN v04.20.04 Update (20130309) (16.77 MB - Includes CEX/DEX/STEALTH updates) / multiMAN v04.20.04 Update (20130309) (Mirror) / multiMAN v04.20.04 Update (20130309) (Mirror #2) / LANG_AR.TXT by HAIDER

    multiMAN ver 04.20.04 update is now available online and in the WEB column:
    • Improved discless compatibility (even more) on 3.55/4.21/4.30CEX firmwares
    • A BD-DISC icon with [PlayStation(R)3] text will appear in XMB to replace /app_home/PS3_GAME entry
    • Tested few games, which didn't work discless before and now work just fine (like LEGO:Indiana Jones and 30 other games)
    • Upon launch mM will try to restore default LV2 environment by resetting syscalls 35, 36, 37, 141, 142, 600, 604 (this should fix problems when mM is launched after Iris)

    p.s. Please try to download the update from the link or the WEB column to save update-server-bandwidth.

    Update: I fixed the issue and will post the link later when I'm back home or if you wish you can start mM by holding L2+R2 and update online.

    Download: multiMAN v04.20.04 Update CEX (20130311) / multiMAN v04.20.04 Update CEX (20130311) (Mirror)

    This should fix 8001003C errors on all supported firmwares and also should fix some more issues caused by Iris/mM launched one after another.

  4. #474
    kikeadsl Guest
    The Spanish dev MiraLaTijera (via has dumped sucessfully dongle cobra 6.0. The next update of 4.31 CFW will bring some interesting stuff...

    I just dump the kernel loaded with 6.0 cobra
        li r6, 0
        oris r6, r6, 0xBAAD
        ori r6, r6, 0xCAFE
        lis r4, 1 # 0x11888
        addi r4, r4, 0x1888 # 0x11888
        lis r5, 2 # 0x18770
        addi r5, r5, -0x7890 # 0x18770
        subf. r5, r4, r5
        beq loc_0_8000000000540070
    Hola Cobra

    Stay tuned!!!

  5. #475
    williak6 Guest
    Is it true that update 8 is coming out in a few hours?

  6. #476
    kikeadsl Guest
    The update will be public as soon as possible.

  7. #477
    williak6 Guest

  8. #478
    joekrow Guest
    In the new multiman base 14.20 I don't seem to find the install pkg for mm stealth, anyone here with some help.. and also don't seem to know how to change the .txt to .self hoping someone may be of help thanks

  9. #479
    jensen76 Guest
    there is now pkg for the stealth multiman... and how the heck woud you change a txt to a self... the txt is the stealth multiman. read the guide for multiman on how to use stealth..

  10. #480
    Join Date
    Apr 2005

    Sony PlayStation 2 (PS2) Classics Algorithm Revealed by Flat_z

    Following up on the previous updates, today PlayStation 3 developer Flat_z has revealed the Sony PlayStation 2 (PS2) Classics algorithm with details below.

    Download: Sony PlayStation 2 (PS2) Classics Algorithm

    To quote: Ok, guys. Unfortunately I forced to admit that I have no more time to work on PS3 stuff because I'm very busy lately. So I decided to publish all information related to PS2 classics as JuanNadie did with the NPDRM algorithm one year ago.

    Firstly I wanted to say that he was the first who started reverse-engineering on this subject and when he left the scene I decided to continue his work to keep it from going to waste. And so I would like to thank JuanNadie for his amazing contribution to the PS3 scene. Besides that, he gave me some piece of information on the subject.
    # -*- coding: utf-8 -*-
    import sys, os, math, datetime
    import struct, hashlib, hmac, ecdsa
    from CryptoPlus.Cipher import AES
    def aes_encrypt_ecb(key, data):
    	crypto =, AES.MODE_ECB)
    	return crypto.encrypt(data)
    def aes_decrypt_ecb(key, data):
    	crypto =, AES.MODE_ECB)
    	return crypto.decrypt(data)
    def aes_encrypt_cbc(key, iv, data):
    	crypto =, AES.MODE_CBC, iv)
    	return crypto.encrypt(data)
    def aes_decrypt_cbc(key, iv, data):
    	crypto =, AES.MODE_CBC, iv)
    	return crypto.decrypt(data)
    def aes_cmac(key, data):
    	crypto =, AES.MODE_CMAC)
    	return crypto.encrypt(data)
    def calculate_sha1(data):
    	return hashlib.sha1(data).digest()
    def sha1_hmac(key, data):
    	return, msg=data, digestmod=hashlib.sha1).digest()
    def load_file_contents(file_path):
    	with open(file_path, 'rb') as in_file:
    		data =
    	return data
    def store_file_contents(file_path, data):
    	with open(file_path, 'wb') as out_file:
    def xor_data(data1, data2, size):
    	return ''.join(chr(ord(data1[i]) ^ ord(data2[i])) for i in xrange(size))
    def s2i(s):
    	result = 0L
    	for c in s:
    		result = 256 * result + ord(c)
    	return result
    def round_up(x, n):
    	return (x + (n - 1)) & ~(n - 1);
    def get_ecdsa_curve_parameters(type, index):
    	if type == 'vsh':
    		curves = []
    		curve_fmt = '>20s20s20s20s20s20s'
    		with open('vsh.curves', 'rb') as in_file:
    			file_data =
    			file_size = len(file_data)
    			num_curves = int(file_size / struct.calcsize(curve_fmt))
    			for i in xrange(num_curves):
    				data = file_data[i * struct.calcsize(curve_fmt):(i + 1) * struct.calcsize(curve_fmt)]
    				inv_data = ''.join([chr((~ord(x)) & 0xff) for x in data])
    				p, a, b, n, gx, gy = struct.unpack(curve_fmt, inv_data)
    				curves.append({ 'p': s2i(p), 'a': s2i(a), 'b': s2i(b), 'n': s2i(n), 'gx': s2i(gx), 'gy': s2i(gy) })
    		params = curves[index]
    		return params['p'], params['a'], params['b'], params['n'], params['gx'], params['gy']
    		return None
    def dump(data, data_size, block_size=16):
    	if data_size == 0:
    		data_size = len(data)
    	num_blocks = int(math.floor(data_size / block_size))
    	for i in num_blocks:
    		print '\t', data[i * block_size:(i + 1) * block_size].encode('hex')
    if len(sys.argv) < 3:
    	print 'usage: <ISO.BIN.ENC or CONFIG or SCEVMC*.VME> <klicensee file>'
    CMAC_KEY_SIZE = 0x10
    NPDRM_OMAC_KEY1 = '????????????????????????????????'.decode('hex') # FIXME: SHA-1: 1DD100602ABC688AC7520EE8168B8B23B0563CF8
    NPDRM_OMAC_KEY2 = '????????????????????????????????'.decode('hex') # FIXME: SHA-1: 07DAD1183CEC7ED834AFE8C7590E225484618D7F
    NPDRM_OMAC_KEY3 = '????????????????????????????????'.decode('hex') # FIXME: SHA-1: 838633A7E03256F6CCE4E53D0842816013F8AECA
    FALLBACK_HEADER_HASH = '00000000000000000000000000000001'.decode('hex')
    ATA_KEY_SEED = '????????????????????????????????????????????????????????????????'.decode('hex') # FIXME: SHA-1: 362AA6F834600464B76ECC4E8CBFBEF99A76C1AF
    PS2_KEYS = {
    	'cex': {
    		'meta': '????????????????????????????????'.decode('hex'), # FIXME: SHA-1: B9CACFF9E126F63634DC38AF61040BDF6F370A26
    		'data': '????????????????????????????????'.decode('hex'), # FIXME: SHA-1: CB0BAECAAADF9E5C629522B11757F78C7CD5B23C
    		 'vmc': '????????????????????????????????'.decode('hex')  # FIXME: SHA-1: EB03D83F96E3394A05BCE68F8645DA134CDA5545
    	'dex': {
    		'meta': '????????????????????????????????'.decode('hex'), # FIXME: SHA-1: 4FCFB6683AC46E73FFFCE49895E3F303A117BE8C
    		'data': '????????????????????????????????'.decode('hex'), # FIXME: SHA-1: AEC7A9C13A4023FE268A163FFDC8382F45496928
    		 'vmc': '????????????????????????????????'.decode('hex')  # FIXME: SHA-1: B41AEE9D3B6C54292469C9C754AE8FE75ACBE958
    PS2_IV = '00000000000000000000000000000000'.decode('hex')
    ECDSA_CURVE_TYPE = 'vsh'
    ECDSA_PUBLIC_KEY = '????????????????????????????????????????????????????????????????????????????????'.decode('hex') # FIXME: SHA-1: 7B365A6A821FC03B1A9A764E5E695DB3599FF7BC
    BASE_TICKS = 62135596800000000 # 01/01/1970
    input_file_path = sys.argv[1]
    klicensee_file_path = sys.argv[2]
    klicensee_key = load_file_contents(klicensee_file_path)
    if len(klicensee_key) != KLICENSEE_KEY_SIZE:
    	print 'Incorrect klicensee key size'
    console_type = 'cex'
    ecdsa_signature_fmt = '>20s20s'
    ecdsa_curve_p, ecdsa_curve_a, ecdsa_curve_b, ecdsa_curve_n, ecdsa_curve_gx, ecdsa_curve_gy = get_ecdsa_curve_parameters(ECDSA_CURVE_TYPE, ECDSA_CURVE_INDEX)
    ecdsa_curve = ecdsa.ellipticcurve.CurveFp(ecdsa_curve_p, ecdsa_curve_a, ecdsa_curve_b)
    ecdsa_generator = ecdsa.ellipticcurve.Point(ecdsa_curve, ecdsa_curve_gx, ecdsa_curve_gy, ecdsa_curve_n)
    ecdsa_public_qx, ecdsa_public_qy = struct.unpack(ecdsa_signature_fmt, ECDSA_PUBLIC_KEY)
    ecdsa_public_qx, ecdsa_public_qy = s2i(ecdsa_public_qx), s2i(ecdsa_public_qy)
    ecdsa_public_point = ecdsa.ellipticcurve.Point(ecdsa_curve, ecdsa_public_qx, ecdsa_public_qy)
    ecdsa_public_key = ecdsa.ecdsa.Public_key(ecdsa_generator, ecdsa_public_point)
    NPD_MAGIC = 'NPD\x00'
    PS2_MAGIC = 'PS2\x00'
    PS2_VMC_MAGIC = 'Sony PS2 Memory Card Format'
    FILE_FLAGS_DEBUG = 0x80000000
    magic_fmt = '>4s'
    header_fmt = '>4sHHII48s16s16s16sQQIIQ16s16s40s20s20s'
    meta_data_section_fmt = '>16s'
    meta_data_section_extended_fmt = '>16sQIII'
    input_file_dir, input_file_name = os.path.split(input_file_path)
    input_file_extension = os.path.splitext(input_file_path)[1]
    if input_file_extension.upper() != '.VME':
    	with open(input_file_path, 'rb') as npd_file:
    		magic, = struct.unpack(magic_fmt,
    		if magic != NPD_MAGIC and magic != PS2_MAGIC:
    			print 'Not a NPD/PS2 file'
    		header =
    		extended_header =
    		signature_data =
    		magic, version_major, version_minor, license_type, type, content_id, qa_digest, cid_fn_hash, header_hash, time_period_start, time_period_end, file_flags, segment_size, data_size, meta_data_sections_hash, extended_header_hash, unknown_data, signature_r, signature_s = struct.unpack(header_fmt,
    		version = (version_major << 16) | version_minor
    		is_ps2_format = magic == PS2_MAGIC
    		# Validate hashes
    		if (file_flags & FILE_FLAGS_DEBUG) == 0:
    			computed_cid_fn_hash = aes_cmac(NPDRM_OMAC_KEY3, content_id + input_file_name)
    			computed_header_hash = aes_cmac(xor_data(NPDRM_OMAC_KEY1, NPDRM_OMAC_KEY2, CMAC_KEY_SIZE), header)
    			if type == 1:
    				computed_header_hash = map(ord, FALLBACK_HEADER_HASH)
    				computed_header_hash = map(ord, klicensee_key)
    			for i in xrange(struct.calcsize(header_hash_fmt)):
    				computed_header_hash[i] = computed_header_hash[i] ^ ord(qa_digest[i]) ^ 0x55
    			computed_header_hash = ''.join(map(chr, computed_header_hash))
    			computed_cid_fn_hash = ''.join(chr(ord(x) ^ 0xFF) for x in qa_digest)
    		if (file_flags & FILE_FLAGS_DEBUG) == 0:
    			if cid_fn_hash != computed_cid_fn_hash:
    				print 'CID FN hash is not correct'
    			if header_hash != computed_header_hash:
    				print 'Header hash is not correct'
    		content_id = content_id.rstrip('\x00')
    		if time_period_start != 0:
    			time_period_start = datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=BASE_TICKS + time_period_start * 1000)
    		if time_period_end != 0:
    			time_period_end = datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=BASE_TICKS + time_period_end * 1000)
    		if not is_ps2_format:
    			# TODO
    			meta_data_size = 0
    			meta_data_size = segment_size
    		num_segments = int(math.ceil((data_size + segment_size - 1) / segment_size))
    		last_segment_size = round_up(data_size - segment_size * (num_segments - 1), 16)
    		# Validate ECDSA signature
    		if (file_flags & FILE_FLAGS_DEBUG) == 0:
    			signature_hash = calculate_sha1(signature_data)
    			if not ecdsa_public_key.verifies(s2i(signature_hash), ecdsa.ecdsa.Signature(s2i(signature_r), s2i(signature_s))):
    				print 'ECDSA signature is not correct'
    		if magic == NPD_MAGIC:
    			print '       Usage: NPD'
    		elif magic == PS2_MAGIC:
    			print '       Usage: PS2'
    		print '     Version: {0:02}.{1:02}'.format(version_major, version_minor)
    		if license_type == 1:
    			print 'License type: Network'
    		elif license_type == 2:
    			print 'License type: Local'
    		elif license_type == 3:
    			print 'License type: Free'
    		print '        Type: {0}'.format(type)
    		print '  Content ID: {0}'.format(content_id)
    		print '   QA digest: 0x{0}'.format(qa_digest.encode('hex').upper())
    		print '  File flags: 0x{0:08X}'.format(file_flags)
    		print 'Segment size: {0}'.format(segment_size)
    		print '   Data size: {0}'.format(data_size)
    		print 'Num segments: {0} (last segment size: {1})'.format(num_segments, last_segment_size)
    		if time_period_start != 0:
    			print '  Time start: {0}'.format(str(time_period_start))
    		if time_period_end != 0:
    			print '    Time end: {0}'.format(str(time_period_end))
    		if not is_ps2_format:
    			# TODO
    			ps2_meta_key = aes_encrypt_cbc(PS2_KEYS[console_type]['meta'], PS2_IV, klicensee_key)
    			ps2_data_key = aes_encrypt_cbc(PS2_KEYS[console_type]['data'], PS2_IV, klicensee_key)
    			output_meta_file_path = os.path.join(input_file_dir, input_file_name + '.meta')
    			output_data_file_path = os.path.join(input_file_dir, input_file_name + '.data')
    			with open(output_meta_file_path, 'wb') as meta_file:
    				with open(output_data_file_path, 'wb') as data_file:
    					while True:
    						meta_data =
    						if not meta_data:
    						meta_data = aes_decrypt_cbc(ps2_meta_key, PS2_IV, meta_data)
    						num_child_segments = int(meta_data_size / PS2_META_ENTRY_SIZE)
    						for i in xrange(num_child_segments):
    							file_data =
    							if not file_data:
    							file_data = aes_decrypt_cbc(ps2_data_key, PS2_IV, file_data)
    	with open(input_file_path, 'rb') as npd_file:
    		segment_size = PS2_DEFAULT_SEGMENT_SIZE
    		offset = npd_file.tell()
    		file_data =
    		if not file_data:
    			print 'Unable to read file'
    		magic = aes_decrypt_cbc(PS2_KEYS[console_type]['vmc'], PS2_IV, file_data)
    		if magic[:len(PS2_VMC_MAGIC)] != PS2_VMC_MAGIC:
    			print 'Invalid virtual memory card file'
    		output_file_path = os.path.join(input_file_dir, input_file_name + '.vmc')
    		with open(output_file_path, 'wb') as out_file:
    			while True:
    				file_data =
    				if not file_data:
    				file_data = aes_decrypt_cbc(PS2_KEYS[console_type]['vmc'], PS2_IV, file_data)
    All PS2 classics runs within the ps2_netemu.self which represents a different kernel for execution these PS2 games but before it started the VSH module loads your individual data for PSN/SEN (such as act.dat and .rif file for your game). It is absolutely the same process as used for usual PSN games and the goal of it is getting the key used for decryption of PS2 content which includes an optional CONFIG file, ISO.BIN.EDAT and ISO.BIN.ENC.

    The latest one is the actual encrypted disc image of the game. All mentioned files are encrypted with the same key (called klicensee) which is stored in encrypted form inside .rif file for your game and it decrypted with the specified key from key table stored in act.dat. When you get this key you can decrypt ISO.BIN.EDAT and see if it contains a game title (for example, SLUS-20062 for GTA 3). This will mean that key is correct. Since almost all the information regarding EDATs is known (see and I will not going to explain it again.

    Well, now there are two another formats along with EDAT. Let's call the first one as ENC (it represents the actual disc image) and the second as VME (encrypted virtual memory cards). They are encrypted using different algorithms. The ENC format is similar to EDAT and the VME format have a simple encryption layer.

    As I said before, ENC file is similar to EDAT and it have the header like in EDAT (but with different magic) and composed of segments of 16384 bytes each (you can see it at the header). I just remind you that file header consists of file magic (PS2\x00), version number (major and minor: 01.01), license type (it always 0x02), application type (0x01), content id, QA digest (seems like to be a SHA-1 hash of the non-finalized file generated using the tool from SDK), CID-FN hash (an AES CMAC hash of concatenation of content id and file name using the third NPDRM OMAC key as CMAC key), header hash (an AES CMAC hash of the 0x60 bytes from the beginning of file using xored bytes of the first NPDRM OMAC key and the second NPDRM OMAC key as CMAC key), time information which includes start and end time of the validity period (they are usually zeroed, base ticks = 62135596800000000), file flags (always zeros), segment size (16384 bytes), data size of the file data, two unknown hashes of 16 bytes each, 40 bytes of unknown data (possible another unknown signature) and <R,S> pair of an ECDSA signature (40 bytes using the second VSH curve and the VSH public key).

    I also remind you that two unknown hashes for EDAT case are known and represents meta data sections hash and extended header hash (an AES CMAC hash of 160 bytes from the beginning of file), both hashes uses the hash key as CMAC key and it depends on the file flags and keys). I don't know exactly what hashes are there for ENC format but when we zeroed them it seems like they are not checked on current firmwares. The file header ends at the offset of 256 bytes.

    Segments are divided into two types: a meta data section and a file data section. Each meta data section can include 512 entries (max) of 32 bytes each (16384 / 32 = 512) and associates with a particular file data section. So if we have a meta data section which consists of 512 entries then it will mean that there are 512 file data sections after it and each file data section have size of 16384 bytes.

    Besides that, the first meta data segment located at the offset of 16384 bytes. I don't know what data are stored before it but we also tried to zero them (these bytes starting at the offset of 256 bytes and ending at the offset of 16384 bytes) and it works as usual. I guess that it can be the encrypted garbage because the alignment of file data should be equal to the segment size.

    Now I will explain what keys are used and how they are obtained. ENC/VME files are decrypted using the ENCDEC device so the decryption process are more faster than at EDAT case. While vSH checks files for their validity period, CMAC hashes and ECDSA signature and obtains the key for decryption from .rif file and it makes a system call #475 to LV2 (on older firmwares it was #471) along with the NPDRM information, klicensee, act.dat key and encrypted rif key. LV2 gets your console ID, encrypts the NPDRM constant using it as a key, decrypts the key from act.dat using the encrypted NPDRM constant and finally decrypts klicensee from .rif using the decrypted key from act.dat. Now we have a klicensee which will be used for later decryption process.

    For EDAT case we can use free EDATs without .rif but for PS2 classics we should always use paid content and .rif file. So if you want to resign the game you need to generate .rif for the account on your console (I call this process as "personalization"). Don't forget that .rif file should be created for your act.dat (because it shares the account id) and console ID. Let's move on. When the PS3 gets the final decryption key it send a packet to the system manager inside LV1 which sets the inter-lpar parameter of type 3.

    This parameter contains a version information and the klicensee. A system manager catches this packet and sends a request to the storage manager inside SS server #1 which then configures ENCDEC keys used for later decryption. It should be kept in mind that keys for decryption differs between CEX and DEX consoles so the storage manager checks the device type and uses different key slots for ENCDEC.

    The configuration process started with running isolated SPU SB module which creates the final keys using klicensee as a key seed and send them back to the PPU which then send them to the device directly during the secure session. There are three types of keys: meta key, data key and vmc key and they are configured separately. The process of making keys consists of applying an AES 128 algorithm on the klicensee while using three different keys.

    There are SHA-1 hashes of each of three keys (you should decrypt sb_iso_spu_module.self from 4.xx FW and find each of 16 bytes key by its SHA-1 hash):

    For CEX mode:
    	1. Meta key: B9CACFF9E126F63634DC38AF61040BDF6F370A26
    	2. Data key: CB0BAECAAADF9E5C629522B11757F78C7CD5B23C
    	3. VMC key:  EB03D83F96E3394A05BCE68F8645DA134CDA5545
    For DEX mode (you actually don't need it but anyways):
    	1. Meta key: 4FCFB6683AC46E73FFFCE49895E3F303A117BE8C
    	2. Data key: AEC7A9C13A4023FE268A163FFDC8382F45496928
    	3. VMC key:  B41AEE9D3B6C54292469C9C754AE8FE75ACBE958
    Now we have all keys which are required to decrypt all files. So what we should also know?

    ENC encryption uses an AES algorithm in CBC mode and the initialization vector of all zeros. The actual process of decryption of CONFIG and ISO.BIN.ENC started at seeking to the offset of 16384 bytes. There is a first meta data section so we should use the meta key as key for AES and decrypt the entire segment of 16384 bytes. As I said before each meta data sections contains of some entries and each entry have a size of 32 bytes. Each entry contains a SHA-1 hash (20 bytes) of the corresponding entire encrypted file data section and all these sections are located after this meta data section. After the SHA-1 hash we can see the section index of the corresponding file data section (4 bytes).

    The rest is padded of zeros. After decryption of the meta data section we can decrypt all file data sections after it. Now we should use the data key! Before the actual decryption we can check the SHA-1 hash of each encrypted file data section and see if they matched to the hashes at entry table of the meta data section. If the actual file size of the disc image is not a multiple of 16834 bytes then we have less entries inside the latest meta data section.

    After we finished the decryption of first 512 file data sections we can started decryption of the second meta data section and set of 512 file data sections after it and so on. I recommend to write decrypted meta data entries to another file than in the same file as file data section. It will make a process more easier. After decryption you should truncate your actual file to the data size specified at the header. Now you got an UDF disc image and you can mount it on your PC, for example.

    So what is the next step? The next step is the decryption of encrypted virtual memory cards. Each PS2 classics package contains two empty encrypted virtual memory cards which located at SCEVMC0.VME and SCEVMC1.VME. As far I see they are identical for all games so we can use templates for all new virtual memory cards but only encrypts them with the new klicensee. To decrypt virtual memory cards you need to read an each segment of 16384 bytes and apply an AES encryption in CBC mode too but for this case you should use the VMC key. After decryption you should see Sony PS2 Memory Card Format at the top of file.

    Well, I attached a draft script for decryption of ENC/VME files. It was written for Python 2.7 and requires CryptoPlus (can be downloaded from: and "ecdsa" (use EasyInstall or another package manager) libraries. I intentionally left all keys as SHA-1 hashes because of legal issues but you can find all keys by yourself using my hints. My script uses CONFIG/ISO.BIN.ENC/SCEVM0.VME/SCEVM1.VME file and klicensee file as input parameters. I hope that someone will create tools for that.

    To use the script you need to create a file with name vsh.curves and put the contents of the curve table from VSH (get it from at vsh pub + curvetable) and replace all hashes of keys by their real values (see FIXME comments). Also replace three NPDRM OMAC keys and VSH public key by their values from

    I think that creation of PS2 remastering tool can lead us to getting the fully working games on our consoles but it requires testing. I recommend to create a static klicensee which can be used to encrypt all images in the same manner (static klicensee can also be implemented by patching VSH/LV2 at runtime, for example). After generating a klicensee you should create all keys based on it.

    To build an encrypted disc image you should dump the original disc image and then append zero bytes to the end to make it multiple of 16384 bytes. Then you need to encrypt each of 512 segments using the generated data key. Then you should calculate SHA-1 hashes of each encrypted segment and generate meta data section for each pair of segment hash and segment index. After this you need to encrypt meta data section and so on. At the end you need to write an original disc image size to the header, write a content id for it and generate hashes at the file header.

    After building ISO.BIN.ENC file you should create a file with the title id and pad it with zero bytes from the right side to get 12 bytes total. Then you need to create an EDAT container for this file. Hint: you can see a correct title id when mounting a disc image on your PC and looking at SYSTEM.CNF of it.

    Unfortunately, I hadn't time to see what the CONFIG file does so I will skip this step. I only know that this file is optional or can be empty inside (after decryption). You are not required (and you simply can't do it) to generate a valid ECDSA signature for files because all custom firmwares are patched to skip the ECDSA check. Will be nice to be able to generate a game package for your PS2 game too if everything will works fine. Remember, that some flags at PS2 pkg format can be different.

    Credits to: graf_chokolo, fail0verflow, JuanNadie,, glevand and all my friends (you know who you are).

    Finally, from zecoxao: i found the meta key and data key for cex, as for the vmc key, no clue where it is, the two are both in my previous post. you can check the sha1 of those in any site or with any program that supports it. somebody may post those on the wiki, if they want.

    i'm happy... this is good and concise info time to search for more #poop

    meta (CEX) :!gpdQxZZB!ZlZpYj...fEGxba5OJM3-Y4
    38 9D CB A5 20 3C 81 59 EC F9 4C 93 93 16 4C C9
    data (CEX):!B09nwJhQ!TMC3kx...gS2RQ1BzeZBlTM
    10 17 82 34 63 F4 68 C1 AA 41 D7 00 B1 40 F2 57
    From flatz: It is at sb_iso_spu_module.elf too. First two bytes are 64 E3...

    VMC key:
    64 E3 0D 19 A1 69 41 D6 77 E3 2E EB E0 7F 45 D2
    kudos to this man

    [imglink=|Sony PlayStation 2 (PS2) Classics Algorithm Revealed by Flat_z][/imglink]
    [imglink=|Sony PlayStation 2 (PS2) Classics Algorithm Revealed by Flat_z][/imglink]
    [imglink=|Sony PlayStation 2 (PS2) Classics Algorithm Revealed by Flat_z][/imglink]
    More PlayStation 3 News...

Page 48 of 128 FirstFirst ... 384748495898 ... LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts