PS3 3.60 Keys Leaked, New PlayStation 3 EBOOTs Decrypted & More!
Following up on the previous news that the PS3 v3.60+ keys were incoming, today the PS3 3.60 keys appear to have been leaked by fckyoudh on Spanish site Elotrolado (linked above), which has led to new decrypted PlayStation 3 EBOOT fixes for CFW users.
For those curious, below are some PlayStation 3 games which are reported as being 3.6 Firmware titles; however, some of them have already been fixed and are working on PS3 Custom Firmware:
Air Conflicts: Secret Wars
Alice: Madness Returns
Ape Escape On The Move
Arcana Heart 3
Atelier Meruru: The Apprentice of Arland (Japanese release)
Captain America: Super Soldier
Deus Ex: Human Revolution
Duke Nukem Forever
Dynasty Warriors Gundam 3
Earth Defense Force: Insect Armageddon
El Shaddai: Ascension of the Metatron
Green Lantern: Rise of the Manhunters
Harry Potter and the Deathly Hallows: Part 2
Hunted: The Demons Forge
inFAMOUS 2: Festival of Blood
Kung Fu Panda 2
LEGO Pirates of the Caribbean: The Video Game
Let's Dance with Mel B
MLB 2011: The Show
MX vs. ATV Alive
Naruto Shippuden: Ultimate Ninja Storm 2
Nascar The Game 2011
National Geographic Challenge
NCAA Football 12
Need for Speed: Shift 2 - Unleashed
Operation Flashpoint: Red River
Phineas and Ferb Across the 2nd Dimension
Prince of Persia Trilogy 3d
Record of Agarest War Zero
Red Faction: Armageddon
Sniper: Ghost Warrior
The Penguins of Madagascar: Dr. Blowhole Returns
Thor: God of Thunder
Transformers: Dark of the Moon
Warriors: Legends of Troy
White Knight Chronicles II
From the PlayStation 3 Developer Wiki (via ps3devwiki.com/wiki/KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4#3.60_keys_Update):
PS3 3.60 keys Update
Q: Recently 3.60 keys surfaced (lv1ldr, lv2ldr, isoldr, appldr), what does this mean for this release and the future?
A: That is actually a multipart answer: Now that several binaries (Iso module + CoreOS minus the loaders that are inside lv0) can be decrypted, more investigation can be done in them, which gives a new boost to other targets (unrelated to the HeN), like:
Hardwareless downgrades : Downgrading with PSgrade Dongle (lv1.self)
QA Flagging / systemtokens (spu_token_processor.self) and usertokens (spu_utoken_processor.self)
Getting per_console_root_key_1 / EID_root_key on 3.56+/slim3K (lv1.self , aim_spu_module.self)
Backsigning applications for <=3.55 and patch sys_proc_param_version (appldr.self , lv2_kernel.self)
Q: So does this mean a future release would be sooner?
A: Only God knows. But it can also be that because of the above, it would become meaningless/surpassed by better progress. So let's all hope for the best.
Also from PS3 Dev Wiki (ps3devwiki.com/wiki/Talk:Playstation_Update_Package_%28PUP%29#Adding_new_keys_to_older_firmwares):
Adding new keys to older firmware
Patch the loaders
Add keys to appldr keys index & tables
There are also npdrm keys inside appldr as well, add the 3.56++ ones
appldr, lv2.self and game_ext_plugin need patching for new games support
vsh.self maybe too
Note: PlayStation 3 developer Rogero has confirmed he has already started working, stating that eventually it will be possible to do a new PS3 CFW so EBOOT converters are not necessary.
From Sony PS3 hacker deank: They also posted my ebootFIX/ebootMOD tools prepackaged (linked above) with the keys in .ps3 folder, so it is ready to be used like in the old 3.41/3.55 days.
Have in mind that some games (like Sniper Ghost Warrior) have additional .self/.sprx files and it is better to use ebootFIX by dragging the PS3_GAME folder to it - it will find and fix all necessary files. If you use ebootMOD you'll have to search for these files yourself and 'fix' them one by one.
How to Use SCETool to Decrypt a PS3 3.60 EBOOT.BIN File Guide:
[vcdLAKERS] for those of you who want to decrypt a 3.60 EBOOT.BIN use scetool
[vcdLAKERS] download scetool_0.2.7.zip unzip it to C:\scetool
[vcdLAKERS] create a new folder inside scetool and name it data
[vcdLAKERS] and download these files here:
[vcdLAKERS] and put them inside data folder
[vcdLAKERS] put your EBOOT.BIN file in scetool folder
[vcdLAKERS] go to start - run - cmd and cd to the folder where scetool is
[vcdLAKERS] for example "cd C:\scetool"
[vcdLAKERS] then type this command to decrypt the EBOOT.BIN:
[vcdLAKERS] scetool -d EBOOT.BIN EBOOT.ELF
[vcdLAKERS] and use this one to encrypt it to 3.41 :
[vcdLAKERS] C:\scetool>scetool -0=SELF -5=APP -6=0003004100000000 -e EBOOT.elf E
From Billal (aka S.B.M) come a few corrections to the above guide, as follows:
You have to leave a space between an (abbreviated) option and a parameter, not an equals sign "="
It lacks the option for key revision "-2 0004" or "--key-revision=0004"
This is the correct command: C:\scetool>scetool -0 SELF -1 TRUE -s TRUE -2 0004 -3 1010000001000003 -4 01000002 -5 APP -6 0003004100000000 -e EBOOT.elf EBOOT.self
How to Use SCETool to Decrypt a PS3 3.60 EBOOT.BIN File (Revised) Guide:
For those of you who want to decrypt a 3.60 EBOOT.BIN use scetool by naehrwert.
Download scetool_0.2.7.zip unzip it to C:\scetool
Create a new folder inside scetool and name it data and download the data files from the previous guide and put them inside data folder
Put your EBOOT.BIN file in scetool folder
Go to start > run > cmd and cd to the folder where scetool is, for example "cd C:\scetool"
Then type this command to decrypt the EBOOT.BIN: scetool -d EBOOT.BIN EBOOT.ELF
And use this one to encrypt it to 3.41: C:\scetool>scetool -0 SELF -1 TRUE -s TRUE -2 0004 -3 1010000001000003 -4 01000002 -5 APP -6 0003004100000000 -e EBOOT.elf EBOOT.self
Or you can use ScetoolGui (ps3devwiki.com/files/devtools/scetool/ScetoolGui.exe)
Download and copy ScetoolGui.exe to your scetool folder
Open it > click browse file and select your game EBOOT.BIN
Then click decrypt, scetool will decrypt your "eboot.bin" and create a new file "eboot.elf" (decrypted eboot.bin)
To resign "eboot.elf" for lower fw (3.41) activate enable encryption: in self type choose APP and in SELF fw version write 3.41 and click encrypt.
Drag PS3_GAME folder from 3.60 game into the ebootfix.exe
From andreus: Ok, so for the updates do this:
1. So first go get the scetool (ps3devwiki.com/files/devtools/scetool/) Download the entire directory and subdirectories and unzip the latest version 0.2.7
2. Create a batch file named "eboot360npdrmfix.bat" in scetool folder with this code:
It pauses when you encrypt the file and then shows the info of the new EBOOT.BIN for you to check.
6. You should now have an EBOOT.BIN NPDRM signed. If you want to put it in the package, use psn_package_npdrm.exe to create the package.
How to Use AldosTools Applications Guide:
1. For retail disks signed with 3.60 keys: Copy all eboot.bin/SPRX/SELF/SFO files to the tool directory and run eboot_fix.bat, then copy the resigned files to your game backup directory. This tool will resign all files with 3.40+ keys (works on 3.40+ cfw), resign the sys_proc_param to 3.40 and change the sfo to 3.40
2. For game updates signed with 3.60 keys: Extract the package, copy EBOOT.BIN/PARAM.SFO and all SPRX/SELF files to the bruteforce tool directory
2.1 If it only uses EBOOT.BIN and PARAM.SFO, just run eboot_fix.bat
2.2 If it also has SPRX/SELF files
2.2.1 If SELF file is equal to eboot.bin use bruteforce tool and it will autodetect and just create a resigned copy of EBOOT.BIN (deank method)
2.2.2 Else, you have to bruteforce with bruteforce tool to get the klic so you can decrypt the SELF/SPRX files and then resign them
When you have all files resigned, then create a fix update package. Extra: If you do not want to be disturbed with game updates with 3.65+ keys, change PARAM.SFO APP_VERSION to 9.99. Note: This tool can't manage sdat, edat files
Convert PS3 3.60 Games / Patches to 3.55 Guide By JayDee78
Download and unrar to a folder. Also, use sfoedit to change the param.sfo to 3.55/3.41 instead of 3.60. I'll use Dirt 3 (BLES01287) in this example. Get the EP4001-BLES01287_00-DIRT3PATCHEU0101-A0101-V0100-PE.pkg patch and start Pkgview 1.3.
Drag and drop the Dirt 3 pkg patch in the left window, right click in it, and "extract to source directory"
Cut the eboot.bin from the "PkgView_1.3\EP4001-BLES01287_00-DIRT3PATCHEU0101-A0101-V0100-PE\BLES01287\USRDIR" and paste it in the SCETOOL folder. In the SCETool folder hold down the shift button+right click in the window and choose "open cmd window"
Write "ebootfix EP4001-BLES01287_00-DIRT3PATCHEU0101" and it starts decrypting the file. Take the EBOOT.bin (not ORGINAL_EBOOT.bin) and copy it back to the USRDIR folder you first got it.
Now cut the BLES01287 folder and paste it in the psn_package_npdrm folder (package.conf in here needs to change package version from 1.04 to 1.01 but the rest is already setup for DIRT3). Again, open a cmd window (shift+right click) and write "psn_package_npdrm.exe package.conf BLES01287"
Wait until finished, install the new pkg and play Dirt 3. Guide works for all 3.60 games/patches (WITHOUT selfs & sprx files. These are ten times harder to decrypt and fix up to a proper retail level...) Hope someone gets some use from this.
You must copy the keys (.ps3keys) into your user folder (C:\Users\XXXX\.ps3keys) if you have Windows; if you want to use Cygwin or Linux, put the keys (.ps3) in your user folder (/home/XXXXXX/.ps3). You should copy the two folders.
Then in the command line (cmd / terminal), the command to decrypt would be: unself EBOOT.BIN EBOOT.ELF
To encrypt this: make_self EBOOT.ELF EBOOT.BIN
The easiest is to drag the console, otherwise you must move the directories to where the exe / bin and decrypt / fix are.
To quote: The files in the download below are all from the 3.60 Core_OS and I decrypted using the 3.60 keys.
The files that were unselfed were:
Also like to thank naehrwert.
PS3 developer SiLENTGame has made available PS3 Hack Checker v0.1 followed by PS3 Hack Checker v0.2 stating:
I was bored and so I have written a little tool which grabs the latest "hack status" of the PS3. I think the screenshot below says everything. I hope you like it. I'm thankful for suggestions, bug reports or anything else. So long.
It's important to note that currently PS3 CECH-3nnnX/CECH-4nnnX (and some CECH-2500X) console models cannot be downgraded though.
hackable firmware fixed
firmware downgrade information added
key information added
DEX converting information added
PlayStation 3 developer Deviance has made available FreeLoader v0.1 followed by FreeLoader v0.2 which is a PS3 EBoot Grabber with the following features:
This application is designed to make life easier to download Eboots. Since it's the initial release, the database is still quite small but will be updated over time to add more additions. Very simple to use. Click the game and press go!
Planning on adding descriptions and make sure you are using the latest eboot
Buy me a beer! (Info in about tab)
If the eboot download gets removed. Just wait and a new link will be in the db.
If you're experiencing graphical issues when running the application, try this version.
Freeloader is an app for windows that has a database full of the latest 3.60 Eboots to be easily downloadable.
What's new in V0.2?
PS ID's added
(Bugfix) Corrected how it grabbed the database
A new database layout. (Lots of new titles added)
The db will have even more titles soon. (Only a one man band)
You have to just enter the title ID and after click on "Do It!" it will automatically download patches and then fix the latest one for you. This app also has an option that will fix EBOOT.BIN without downloading updates.
1- if you have downloaded files before and you just want to fix them, put them in application's folder. After checking the sony server, if file exists it will skip that file and will start to fix
2- to copy Download Link double click on it
3- this app doesn't change PARAM.SFO (sometimes changing PARAM.SFO causes some problem in packing); to prevent Update error enable the spoof on your cfw
4- here is a example of which files to install
for example i want to update and install Gran Turismo 5
1- Enter BCES00569
2- it will automatically download the 9 files:
After download finished the application will automatically fix the latest patch (in this case:"EP9001-BCES00569_00-0000000000000000-A0113-V0100-PE.pkg") and will make a new file which is fixed for 3.55 with following name: EP9001-BCES00569_00-0000000000000000.pkg (The last part of name has been removed.)
You need to put this into a folder with scetool, data / keys etc. working. Then drop an eboot.bin and decrypt it with scetool into eboot.elf. Then drop an encrypted self, or sprx and modify the bat file a little perhaps.
The needed linux tools like od.exe, sed.exe, can all be found in the package above. If you want to test with say, portal 2 sprx files, you can try starting at offset 608600. MW3 around offset 54272. The batch file is not perfect. On large files, the CUT command starts to malfunction as I don't take this into account with the sed/cut combo. Some PS3 game key examples are located HERE and also below in full.
From deank: The other day someone sent me eboot+self for "Ryu ga Gotoku of the End" (Yakuza). It is one of these games (like Rock Band 3) which cannot be 'decrypted' using a k_lic, so here is the "ogrez.self" patched for 3.55.
You can prepare a fixed update pkg by using the original pkg + the fixed eboot.bin and this fixed ogrez.self. It is pretty simple once you figure it out.
You will notice that in some game updates you have:
Where both files are "the same". They are not 1:1 the same, because they're encrypted with different keys, but if you look at the prog/data sections and the offsets - you will see what I mean. Also the sizes are the same. I noticed this 'update' approach back in 2010 with "Prince of Persia TFS" and with some other games, so I decided to try that. Both in this game and Rock Band there are no references to the .self and no k_lic... either.
What you have to do is:
1) Decrypt the EBOOT.BIN to .elf
2) Use scetool to create NPDRM NPTYPE=UPDATE with key 00, contentID=game-update-content-id, and np-original-name=name_of_the_self.
3) You get the new blabla.self and use it
For example for this yakuza game you'll notice that the info for the eboot.bin and the ogrez.self are the same:
There is no universal approach. Sizes must be equal (not more or less) and to be sure that there is no k_license involved you can either check if the .self is referenced in the eboot.bin or you'll have to use IDA to make sure that NP functions use NULL k_lic... (or find the k_license location in IDA using the NP functions).
A simple bat/cmd script to compare the PROGBITS sections of 2 files (like EBOOT.BIN and ogrez.self): check.cmd
Note: This is just a proof-of-concept, I wanted to know how the whole SELF/SPRX stuff worked. It doesn't contain keys or any proprietary tools from Sony, and as far as I know, it's not doing anything illegal.
From JLM: In case anyone is not sure how to use the script:
1. Use scetool to decrypt the eboot.bin, copy eboot.bin to the scetool folder, use command scetool -v -d eboot.bin eboot.elf, screen output should be (brackets removed from around *'s because it screws up the post formatting):
2. Use scetool to decrypt the sprx with Asure's script, unpack his bruteforce.zip in the scetool directory, copy the sprx to the scetool directory, use his script or the following which is slightly different: rename the sprx to exactly this: game.sprx, using notepad create a text file and paste the script contents:
Save the file as sprxdecrypt.bat, open a command prompt window, type: sprxdecrypt.bat wait a long time.. ONLY FOR THE VERY PATIENT.
Tiny changes to Asure's script: changed filename to game.sprx and game.prx, change it to whatever you like (remember to use the same name in the test line after "IF EXIST") also removed extra -l %key% in the scetool command line.
It has a slider for a more convenient selection of the offset. The cut.exe / dd.exe / od.exe / sed.exe / batch files are not needed. Just put it in the same folder of the scetool.exe, with the EBOOT.BIN and the .self or .sprx to be decrypted, start the BruteForce.exe and press the Start button. Tested working with Red Dead Redemption. Added support for command line parameters.
Example: BruteForce.exe 332300 /start
Anyway I improved the BruteForce.exe a bit more:
Added additional checks when the program starts
Now the tool auto-resigns the EBOOT.BIN and the self/sprx with the 3.55 keys when it finds the klic
Small GUI changes
Included all the tools in a 7z archive
In Portal 2, the klic key is not aligned to 4. Thus the faster method (4X) will not find it. So, I made BruteForce 1.4: It first tries to find the key in a range aligned to 4. If it doesn't find the key, then it retries using the original method (1 byte at a time).
The method is similar to the original batch, but bytes aligned to 4 are tested first. Keys already tested are ignored. In this version it is also possible to define the range to parse (start and stop addresses). Additionally, I added other data alignments: 1, 2, 4, 8 and 16. So in some cases, it could be up to 16X faster than the original method.
Added real-time switching from hex to dec and vice-versa
Patterns 01xxxxxx01xxxxxx01xxxxxx01xxxxxx are ignored (in addition to 00xxxxxx00xxxxxx00xxxxxx00xxxxxx, *0000* and *FFFFFFFFFFFF*)
Added credits; please let me know if I'm missing someone
Added display info for SELF/SPRX
Added F2 shortcut to open program's folder
Added find to DOS box (use F3)
Double click on an offset value in the DOS box sets the offset field
Stop address field can be set from the DOS box selecting an initial address then double click on the final address
Updated to version 1.5.2:
Solved the issue finding the key for SOCOM 4 (the real key contains *0000* which was in the ignored patterns)
Now the patterns to ignore can be defined in the file "ignore_patterns.txt". It includes 4 by default, but you can add all/remove the patterns that you want.
TIP: If you use data alignment 16, if the klic key is not found in the selected range, the tool will retry automatically using data alignment 4, then data alignment 1. The BruteForce 1.6 has the "pre-database of known keys" already implemented. It now tries the known keys first (read from klics.txt). I went further: the program now first extracts the ContentID, and puts the klic for the TitleID as the first in the list.
I uploaded version 1.6.1 and 1.6.2 is up:
Added Asure to the credits.
This version now has an experimental dynamic section alignment (it first tries using the alignment of the section).
The section index is now displayed.
I changed the &H to 0x in build 1.6.5 (available online) Added the KLIC for Tom Clancy Splinter Cell Trilogy HD (1.01) [BLES01146] (thanks to andreus and PatrickBatman for all the klic keys in the database). Added the patterns for the above scenario.
BruteForce/SCETool Decrypter Build 1.6.7
Added 2 new klic keys to the database: G1 Jockey and Sniper Ghost Warrior
The used keys are now saved to a file. The file name includes the ContentID and ELF size to prevent conflicts with other files decrypted. (these keys are not tested the next time you run the program.)
BruteForce/SCETool Decrypter Build 1.6.8
I added a timeout of 1 minute. If in that time scetool.exe does not finish, the program will terminate the task and retry again. If it crashes again, it continues with the next keys!
BruteForce/SCETool Decrypter Build 1.7.0
The default view was changed from decimal to hex
Press SPACE key in the EBOOT info to jump to the section offset addresses
When you change the offset address, it now highlights the address in the EBOOT info window
Press ENTER near an address in the EBOOT info window to use it as offset address
The timeout is now set to 30 secs (in 1.6.9 it was set to 10 mins by mistake)
Added support to choose encryption keys: 3.40 or 3.55 (default)
Added option to compress encrypted Data (active by default)
If the PARAM.SFO is found in the folder, it sets the PS3_SYSTEM_VER to 3.55 (or 3.40)
Program's version and ContentID are now displayed
Count of ignored keys is now shown while processing
I tested MW3 with this version and it works fine now.
Settings are now remembered when the program is closed
Added setting for skip sections
BruteForce/SCETool Decrypter Build 1.7.3:
It fixes a bug introduced fixing the coercion bug in version 1.6.10?
BruteForce/SCETool Decrypter Build 1.7.5:
I tested the new version and I saw you encrypt with the klicensee. Yes, now it is encrypting with the klicensee and SPRX (and compress=true and skip sections=false are now the defaults)
I removed almost all the windows updates while it is minimized and made small code optimizations to create/move less strings while it's processing. I don't think they will make much difference, but at least I tried
BTW: Notice that same klic is used in different regions.
BruteForce/SCETool Decrypter Build 1.7.6:
If they match (i.e. no differences) then there is a very good chance that you only need to re-self the eboot.bin to the desired .self without the need of a license key.
It can suggest to the user that it is possible to create the .self for testing.
BruteForce/SCETool Decrypter Build 1.7.7:
In my tests it worked 10-20% faster
BruteForce/SCETool Decrypter Build 1.7.11:
I updated the FixELF.exe so in a single call like this: FixELF.exe EBOOT.elf "24 13 BC C5 F6 00 33 00 00 00 36" "24 13 BC C5 F6 00 33 00 00 00 34" it will search: "24 13 BC C5 F6 00 33 00 00 00 xx ??" -> "24 13 BC C5 F6 00 33 00 00 00 34 00" where xx is any char between 0x35 and 0x99 (inclusive). If the value is found, it stops the search/replace.
This build 1.7.11 now supports another tool (aldostools.org/temp/testklic.rar) developed by andreus to test the klicensee. Extract the content of the rar in the same folder of the BruteForce.exe. In our tests it worked faster than scetool. The user can select which tool want to use to find the klicensee (scetool or testklic).
BruteForce/SCETool Decrypter Build 1.7.12: A klicensee finder using scetool (based on Asure's brute force script) with heuristic algorithms for brute force attack. Once it finds the klicensee, the tool resigns the EBOOT/SPRX/SELF with 3.55/3.40 keys. It also includes my FixELF tool.
I have updated the BruteForce to version 1.7.12 and my PS3 Tools to use the lowest key revision (01) and 3.40 by default.
For BruteForce, the default option now will be 3.40 (it can be switched to 3.55)
If the PARAM.SFO is copied to the BruteForce-scetool's folder the BruteForce.exe will auto-patch the sfo's PS3_SYSTEM_VER to 3.40.
If you use my PS3 Tools to make the PKG (just right-clicking of the folder), now it will auto-patch the PARAM.SFO to 3.40 if PS3_SYSTEM_VER is higher than 3.40.
If you need to patch a PARAM.SFO from a batch file, use my latest PARAM.SFO Editor 2.5.3 like this:
The BruteForce is a tool designed mainly to *FIND* the klicensee used to encrypt the NPDRM self/sprx files found in game patches/updates. Currently it supports files signed with up to 3.6 keys (mainly 3.56 and 3.60). If 3.7+ keys are available, the tool should also work (updating the keys in the data folder).
To find the klicensee you will need to copy the EBOOT.BIN, the self/sprx files and the PARAM.SFO to the BruteForce/scetool's folder.
If the klicensee is already known, it will take few seconds to resign the EBOOT.BIN and the self/sprx files. Otherwise it will use optimized methods to try to *guess* the klicensee in few hours.
Once the klicensee is found, the files are resigned with the keys from key revision 01 [0.92 - 3.30], which should be supported by ALL firmware versions available.
To resign files and repack PKG, I suggest that you use the PS3 Tools Collection (which also includes the BruteForce).
To resign a disc EBOOT.BIN/self/sprx, just press Ctrl+Enter on the file and it will be resigned. If you double click (or press Enter) on the EBOOT.BIN or *.self or *.sprx you will see the file's information (including key version used).
To resign NPDRM files, extract the PKG (use the right click menu), browse to the USRDIR and press Ctrl+Enter on the EBOOT.BIN/self/sprx files. Then return to the folder where the PKG is located and right click on the extracted folder and select Make PKG.
It will automatically modify the PARAM.SFO to work with 3.40/3.55+. It will also detect the type of PKG being created (disc patch, game data or hard disk game). So there is no need at all for batch files or to edit package.conf. Everything is automated.
The PS3 Tools Collection integrates strongly with Windows Explorer, so you can view/edit files (PKG, PUP, SFO, SFX, HIP, HIS, RAP, edat, SFB, BIN, SELF, SPRX, MD5, SFV, SHA1, MTH, 66600) and perform many other tasks just double clicking on the files or using the context menu.
Another nice feature is the repack of retail PKGs for use with DEX converted consoles. Just press Ctrl+Shift+Enter on a PKG and the tool will automatically extract the PKG and repack it as a debug PKG. To extract a PKG, just press Shift+Enter on the PKG. And to view its Content ID, press Ctrl+Enter on the PKG.
If you select Make PKG on a PS3_GAME folder, it will call the PS3RIP tool.
If you select Make PKG on a PS3_UPDATE folder, it will call the Create_PS3_EXTRA tool.
All tools are accessed from the PS3 Tools Menu. You can use it from other PS3 related tasks, like add links to your favorite scene news sites or open folders where you put your PS3 files. You can return to the menu clicking on the blue jewel icon.
For the PS3 Game Updates, it is suggested to set the target version to 3.60
If you need to remove ALL the file associations created by the tool, there is a .reg file in the tools folder.
For BruteForce, try extracting this AddOn (developed by andreus) in the scetool's folder (it should help to make the brute force work faster).
Big thanks to Asure, naehrwert, flatz, deank, andreus, PatrickBatman, BLKDTH, JLM, opoisso893, Matsumot0, catalinnc, and many others that I could be forgetting.
PS. The BruteForce/scetool does NOT crack NPDRM files (DLC or games) that require RIF/RAP/edats.
BruteForce/SCETool Decrypter Build 1.7.13:
I just updated the BruteForce to version 1.7.13 with the new option "Dont use tried_keys list"
BruteForce/SCETool Decrypter Build 1.7.14:
The testklic was using the default key version (I was not passing the key version as parameter).
BruteForce/SCETool Decrypter Build 1.7.15:
This new version has the "shutdown" option and prompt to auto-update the database when a new klic is found.
If shutdown option is active, it will not prompt and will auto-update the online database automatically.
A new button "Update KLICS.TXT" will download the latest klic.txt
Tested the Ridge Racer 7 with the updated .ps3 keys and it seems to be working fine again using testklic app by andreus.
BruteForce/SCETool Decrypter Build 126.96.36.199:
Updated the .ps3 keys folder based on ps3devwiki.com/wiki/Keys#Appldr
There were still errors in the proper keys included yesterday from testklic app by andreus. The drm-key-55 and drm-iv-355 were the 3.50 (rev 0x07 np). I also found other errors in the keys. Also included the keys in "key revision" format.
The BruteForce now calls the testklic app using "key revision" instead of "firmware version" (as requested by andreus).
Added BruteForce association to folders. Now you can decrypt/resign a PS3 game folder using Right-click -> BruteForce...
Internal changes: changed some static values to parametric values read from the registry.
Reverted the resign files (when encrypt: 3.55 option is selected) to use the keyset 0x0A (retail type 0). It was changed in 188.8.131.52 to 0x0B (retail), but I forgot to revert it to 0x0A.
Updated the klics.txt with the klics of MAG update 2.12 (found Omnomnom) and Final Fantasy XIII-2 update 1.06 (posted to the online database)
BruteForce/SCETool Decrypter Build 184.108.40.206:
A minor validation to ensure that testklic is used only for NPDRM files
BruteForce/SCETool Decrypter Build 2.0:
I updated BruteForce to version 2.0... Sorry, but no fancy features. This new build now includes make_fself.exe and the GUI lets you set the target system (CEX or DEX) for re-encryption.
The klic.txt also includes a new klicense collected through online database update 218A6FBF2865464A79399B6EEF54632A Champion Jockey: G1 Jockey & Gallop Racer [BLUS30863] [BLES01235] [BLJM60367] [JP0106-BLJM60367_00-GXGJPNPATCH00102]
BruteForce/SCETool Decrypter Build 2.0.1:
It now uses make_fself_npdrm.exe for NPDRM content and make_fself.exe for retail content.
The program uses make_fself_npdrm.exe or make_fself.exe when DEX is selected (depending if the files are NPDRM or retail). For CEX it still uses scetool.exe.
BruteForce/SCETool Decrypter Build 2.0.2:
Today I updated the BruteForce 2.0.2 package again... but this time the update is not related to any of the tools, but related to the ps3 keys (both .ps3 and SCETool's keys file).
Here is the background: Yesterday I decided to recheck the .ps3 keys and realized that it was a bit difficult to edit/fix the keys using just an hex editor. So I created this tool to review the keys and edit them with a little more ease.
BruteForce/SCETool Decrypter Build 2.0.3:
I can't believe that I missed the most simple KLIC test... (test decryption of SPRX/SELF without KLIC)... fixed in BruteForce 2.0.3
BruteForce/SCETool Decrypter Build 2.1.0:
Added conversion to fself (DEX), fixed issue with files with space in the file name
BruteForce/SCETool Decrypter Build 2.2.0:
It now integrates the "blazing fast" test tool by MAGIC333X
If the tool does not find it using this new tool, it continues using the old methods
If the key is found, the BruteForce resigns the EBOOT and self/sprx as usual.
Indeed I already integrated it in the scetool-BruteForce version 2.2.0.
BruteForce/SCETool Decrypter Build 2.2.3:
So I tweaked the tool in version 2.2.3, to set it to the improper parameter --self-app-version=0000100050000000, which returns the proper "App Version" 01.05. Other changes in version 2.2.3 are:
FixELF is now applied always to the EBOOT.ELF (before it was applied only if the key version was higher than 3.40)
testklic now uses the key revision from the SELF/SPRX (before it was using the key revision from the EBOOT.BIN)
Now using the KLicence Brute-force Tool v1.2 (2012/10/07) and showing a progress bar
Small speed improvement: if TITLEID is found in KLICS.TXT, it's the first klic to try (before it always tested first noklic)
BruteForce/SCETool Decrypter Build 2.2.5:
Setting the Self App version from PARAM.SFO is now an option
(if the SelfAppVersion is unchecked, the tool will use the App Version from the SPRX/SELF)
Testklic now uses the key revision from the SELF/SPRX (before it was using the key revision from the EBOOT.BIN) was not working properly... fixed in 2.2.5
Updated for klicensee detection tool by MAGIC333X (v1.2), always applies FixELF, now uses key rev from sprx/self
BruteForce/SCETool Decrypter Build 2.3.0:
Includes the klicencebruteforce 1.3 and an option to use (or not) the address range.
BruteForce/SCETool Decrypter Build 2.3.1:
Fixed some minor issues and tweaks
Added keys to KLICS.TXT
BruteForce/SCETool Decrypter Build 2.3.2:
Updated for klicensee detection tool by MAGIC333X (v1.3.1), updated KLICS.TXT
BruteForce/SCETool Decrypter Build 2.3.3:
It also includes my FixELF tool.
BruteForce/SCETool Decrypter Build 3.1.0:
It now has support for downloading the patch files on demand from the online database at github maintained by gingerbread.
The database currently has the patches for approximately 170 game ids. And considering that some patches can be used also on other versions/regions of the same game, it could grow easily to near 500 game ids.
I also added support for listing of grouped cheats.
BruteForce/SCETool Decrypter Build 3.8.14: New in this version: added to the patch engine a new function for ADD calculation in a range of bytes (ADD, WADD, DWADD, QWADD).
Tip: After you resign and replace your trophies, it is required to Rebuild Database through Recovery Menu, and launch a game that will do "Sync Trophies" on its startup in order to get the trophies working properly.
Update: I have updated the PS3 keys tool to version 1.1. Now it can convert SCETool's keys file to .ps3 (click on the big blue icon). I used the .ps3, data/keys and ps3devwiki Keys article for a three-way comparison, and found some mistakes in SCETool's data/keys file, some missing keys in ".ps3", and other keys that were wrong. Not to talk about all the mistakes in the PS3 dev wiki already discussed here some days ago. So I did the best that I could do and fixed the files included in the updated archive of BruteForce 2.0.2.
BruteForce 2.0.2 now uses unfself.exe to unself DEX files and unself.exe + scetool.exe for CEX files.
PS3 Keys 1.2
The tool now shows a visual alert (a red cross icon) when the key is found in the scetool's Keys file, but the revision in the file name doesn't match the revision found in the section of the Keys file. A green check mark icon means that it was found in the Keys file and matched the version/revision.
Since version 1.1, the tool allows converting the scetool's Keys into .ps3 keys binary format. Click on the big blue icon for the menu... I know that menu is not intuitive but I love to hide features.
PS3 Keys 1.3
Version 1.3 adds a report of keys in HTML and 'next' button to find the bad keys.
PS3 Keys 1.5
Bruteforce + Testklic not working key set problem fixed
PS3 Keys 1.5.1 / 1.5.2
Updated keys again
I just discovered that unself2 also can decrypt with klic. A little nasty, but it can.
1. Go to github.com/granberro/ps3tools, download and compile the tools with Cygwin.
2. Add the keys (ps3devwiki.com/files/devtools/ps3keys/) to your /home/xxxx/.ps3 folder
3. Add the missing npdrm keys (app-iv-102f, app-key-102f, app-pub-102f, app-priv-356, free_klicensee-key, klic-key, npdrm-const and rif-key) to .ps3 folder
4. Hex edit /.ps3/free_klicensee-key and put the klic there
5. Then "unself2 xxxx.self xxxx.elf" (it will give a warning, but compare the elfs with this and scetool, you will see they are the same)
So it does the same scetool does. Don't know if this is faster, but it works.
Finally of note, HoNo posted (via ps3club.ru/forum/showpost.php?&p=721795&postcount=1) what he claims were 3.70 keys (below) but they were quickly deemed fake as pictured HERE.
Nice. Is there a proper English guide to doing this? Just would like to know how to decrypt and encrypt these EBOOTS myself just to know. Already have all the tools and can make psn packages but never tried to mess with EBOOTs before. Thanks.