  1. #1
    Join Date
    Apr 2005

    PS3 3.60 Keys Leaked, New PlayStation 3 EBOOTs Decrypted & More!

    Following up on the previous news that the PS3 v3.60+ keys were incoming, today the PS3 3.60 keys appear to have been leaked from fckyoudh on Spanish site Elotrolado (linked above) which has led to new decrypted PlayStation 3 EBOOT fixes for CFW users.

    Download: PS3 3.60 Keys / multiMAN EBOOT Fix Tool v0.5 with PS3 3.60 Keys / DeanK EBOOTFix with 3.60 Keys / PS3Tools (PS3SOS - EVILNAT) with PS3 3.60 Keys by nathan_r32_69 / PS3 3.60 Keys multiMAN EBOOT Fix (Woulf_Alpha) / PS3 Decrypted 3.60 Firmware Core_OS SELF Files by PsDev / PS3 3.72 Firmware Core_OS SELF Files by coreylad / PS3 Resigning Tools by Attila

    To quote, roughly translated: http://pastie.org/private/cxqyed7veotyccabsfna (aka http://pastie.org/pastes/4368180/tex...7veotyccabsfna)

    fck you .... demonhades I told you you were in your place guapeton these strings do you like most? Anti-e3 people.

    PS3 3.60 Keys:

    [Register or Login to view code]

    From eussNL: I wonder if anyone is even considering adding the 3.56 and 3.60 keys to appldr to make 3.60 content playable

    3.60 Keys, ready for use with Naehrwert SCETool: http://pastie.org/4368553

    [Register or Login to view code]

    For those curious, below are some PlayStation 3 games which are reported as being 3.6 Firmware titles, however, some of them have already been fixed and are working on PS3 Custom Firmware:
    • Air Conflicts: Secret Wars
    • Alice: Madness Returns
    • Ape Escape On The Move
    • Arcana Heart 3
    • Atelier Meruru: The Apprentice of Arland (Japanese release)
    • Brink
    • Captain America: Super Soldier
    • Catherine
    • Crysis
    • Deus Ex: Human Revolution
    • Dirt 3
    • Duke Nukem Forever
    • Dynasty Warriors Gundam 3
    • Earth Defense Force: Insect Armageddon
    • El Shaddai: Ascension of the Metatron
    • F.E.A.R 3
    • Green Lantern: Rise of the Manhunters
    • Harry Potter and the Deathly Hallows: Part 2
    • Hunted: The Demons Forge
    • inFAMOUS 2
    • inFAMOUS 2: Festival of Blood
    • Kung Fu Panda 2
    • LA Noir
    • LEGO Pirates of the Caribbean: The Video Game
    • Let's Dance with Mel B
    • MLB 2011: The Show
    • MX vs. ATV Alive
    • Naruto Shippuden: Ultimate Ninja Storm 2
    • Nascar The Game 2011
    • National Geographic Challenge
    • NCAA Football 12
    • Need for Speed: Shift 2 - Unleashed
    • Operation Flashpoint: Red River
    • Phineas and Ferb Across the 2nd Dimension
    • Portal 2
    • Prince of Persia Trilogy 3d
    • Record of Agarest War Zero
    • Red Faction: Armageddon
    • Sniper: Ghost Warrior
    • Supremacy MMA
    • The Penguins of Madagascar: Dr. Blowhole Returns
    • Thor: God of Thunder
    • Transformers: Dark of the Moon
    • Warriors: Legends of Troy
    • White Knight Chronicles II

    From the PlayStation 3 Developer Wiki (via ps3devwiki.com/wiki/KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4#3.60_keys_Update):

    PS3 3.60 keys Update

    Q: Recently 3.60 keys surfaced (lv1ldr, lv2ldr, isoldr, appldr), what does this mean for this release and the future?
    A: That is actually a multiparted answer: Now that several binaries (Iso module + CoreOS minus the loaders that are inside lv0) can be decrypted, more investigation can be done in them, which give a new boost in (unrelated to the HeN) other targets, like:
    • Hardwareless downgrades : Downgrading with PSgrade Dongle (lv1.self)
    • QA Flagging / systemtokens (spu_token_processor.self) and usertokens (spu_utoken_processor.self)
    • PS2 compatibility (mc_iso_spu_module.self , me_iso_for_ps2emu.self , sv_iso_for_ps2emu.self)
    • Getting per_console_root_key_1 / EID_root_key on 3.56+/slim3K (lv1.self , aim_spu_module.self)
    • Backsigning applications for <=3.55 and patch sys_proc_param_version (appldr.self , lv2_kernel.self)

    Q: So does this mean a future release would be sooner?
    A: Only God knows. But it can also be that because of the above, it would become meaningless/surpassed by better progress. So let's all hope for the best.

    Also from PS3 Dev Wiki (ps3devwiki.com/wiki/Talk:Playstation_Update_Package_%28PUP%29#Adding_new_keys_to_older_firmwares):

    Adding new keys to older firmware
    • Patch the loaders
    • Add keys to appldr keys index & tables
    • There are also npdrm keys inside appldr as well, add the 3.56++ ones
    • appldr, lv2.self and game_ext_plugin need patching for new games support
    • vsh.self maybe too

    Note: PlayStation 3 developer Rogero has confirmed he has already started working, stating that eventually it will be possible to do a new PS3 CFW so EBOOT converters are not necessary.

    From Sony PS3 hacker deank: They also posted my ebootFIX/ebootMOD tools prepackaged (linked above) with the keys in .ps3 folder, so it is ready to be used like in the old 3.41/3.55 days.

    Have in mind that some games (like Sniper Ghost Warrior) have additional .self/.sprx files and it is better to use ebootFIX by dragging the PS3_GAME folder to it - it will find and fix all necessary files. If you use ebootMOD you'll have to search for these files yourself and 'fix' them one by one.

    How to Use SCETool to Decrypt a PS3 3.60 EBOOT.BIN File Guide:

    [vcdLAKERS] for those of you who want to decrypt a 3.60 EBOOT.BIN use scetool
    [vcdLAKERS] download scetool_0.2.7.zip unzip it to C:\scetool
    [vcdLAKERS] create a new folder inside scetool and name it data
    [vcdLAKERS] and download these files here:
    • keys: ps3devwiki.com/files/devtools/scetool/data/keys
    • ldr_curves: ps3devwiki.com/files/devtools/scetool/data/ldr_curves
    • vsh_curves: ps3devwiki.com/files/devtools/scetool/data/vsh_curves

    [vcdLAKERS] and put them inside data folder
    [vcdLAKERS] put your EBOOT.BIN file in scetool folder
    [vcdLAKERS] go to start - run - cmd and cd to the folder where scetool is
    [vcdLAKERS] for example "cd C:\scetool"
    [vcdLAKERS] then type this command to decrypt the EBOOT.BIN:
    [vcdLAKERS] scetool -d EBOOT.BIN EBOOT.ELF
    [vcdLAKERS] and use this one to encrypt it to 3.41 :
    [vcdLAKERS] C:\scetool>scetool -0=SELF -5=APP -6=0003004100000000 -e EBOOT.elf E

    From Billal (aka S.B.M) comes a few corrections to the above guide, as follows:

    You have to leave a space between an (abbreviated) option and a parameter not an equal sign "="
    It lacks the option for key revision "-2 0004" or "--key-revision=0004"

    This is the correct command: C:\scetool>scetool -0 SELF -1 TRUE -s TRUE -2 0004 -3 1010000001000003 -4 01000002 -5 APP -6 0003004100000000 -e EBOOT.elf EBOOT.self

    How to Use SCETool to Decrypt a PS3 3.60 EBOOT.BIN File (Revised) Guide:
    • For those of you who want to decrypt a 3.60 EBOOT.BIN use scetool by naehrwert.
    • Download scetool_0.2.7.zip unzip it to C:\scetool
    • Create a new folder inside scetool and name it data and download the data files from the previous guide and put them inside data folder
    • Put your EBOOT.BIN file in scetool folder
    • Go to start > run > cmd and cd to the folder where scetool is, for example "cd C:\scetool"
    • Then type this command to decrypt the EBOOT.BIN: scetool -d EBOOT.BIN EBOOT.ELF
    • And use this one to encrypt it to 3.41: C:\scetool>scetool -0 SELF -1 TRUE -s TRUE -2 0004 -3 1010000001000003 -4 01000002 -5 APP -6 0003004100000000 -e EBOOT.elf EBOOT.self
    • Or you can use ScetoolGui (ps3devwiki.com/files/devtools/scetool/ScetoolGui.exe)
    • Download and copy ScetoolGui.exe to your scetool folder
    • Open it > click browse file and select your game EBOOT.BIN
    • Then click decrypt, scetool will decrypt your "eboot.bin" and create a new file "eboot.elf" (decrypted eboot.bin)
    • To resign "eboot.elf" for lower fw (3.41) activate enable encryption: in self type choose APP and in SELF fw version write 3.41 and click encrypt.
    • Don't forget to rename EBOOT.self to EBOOT.BIN.

    From defaultdnb comes another brief How-To Guide:
    • Download the keys folder for 3.60.
    • Download deank's ebootfix.
    • Add keys to eboot fix .PS3 folder.
    • Drag PS3_GAME folder from 3.60 game into the ebootfix.exe
    • Profit.

    From andreus: Ok, so for the updates do this:

    1. So first go get the scetool (ps3devwiki.com/files/devtools/scetool/) Download the entire directory and subdirectories and unzip the latest version 0.2.7
    2. Create a batch file named "eboot360npdrmfix.bat" in scetool folder with this code:

    [Register or Login to view code]

    3. Put the EBOOT.BIN in the scetool main folder
    4. Do this command

    [Register or Login to view code]

    And get the ContentID
    5. Run from dos prompt

    [Register or Login to view code]

    It pauses when you encrypt the file and then shows the info of the new EBOOT.BIN for you to check.
    6. You should now have an EBOOT.BIN NPDRM signed. If you want to put it in the package, use psn_package_npdrm.exe to create the package.

    How to Use AldosTools Applications Guide:

    1. For retail disks signed with 3.60 keys: Copy all eboot.bin/SPRX/SELF/SFO files to the tool directory and run eboot_fix.bat, then copy the resigned files to your game backup directory. This tool will resign all files with 3.40+ keys (works on 3.40+ cfw), reassign the sys_proc_param to 3.40 and change the sfo to 3.40

    2. For game updates signed with 3.60 keys: Extract the package, copy EBOOT.BIN/PARAM.SFO and all SPRX/SELF files to the bruteforce tool directory

    2.1 If it only uses EBOOT.BIN and PARAM.SFO, just run eboot_fix.bat
    2.2 If it also has SPRX/SELF files
    2.2.1 If SELF file is equal to eboot.bin use bruteforce tool and it will autodetect and just create a reassigned copy of EBOOT.BIN (deank method)
    2.2.2 Else, you have to bruteforce with bruteforce tool to get the klic so you can decrypt the SELF/SPRX files and them reassign them

    When you have all files resigned, then create a fix update package. Extra: If you do not want to be disturbed with game updates with 3.65+ keys, change PARAM.SFO APP_VERSION to 9.99. Note: This tool can't manage sdat, edat files

    Convert PS3 3.60 Games / Patches to 3.55 Guide By JayDee78

    Download this, it contains all the tools needed:

    Download and unrar to a folder. Also, use sfoedit to change the param.sfo to 3.55/3.41 instead of 3.60. I'll use Dirt 3 (BLES01287) in this example. Get the EP4001-BLES01287_00-DIRT3PATCHEU0101-A0101-V0100-PE.pkg patch and start Pkgview 1.3.

    Drag and drop the Dirt 3 pkg patch in the left window, right click in it, and "extract to source directory"

    Cut the eboot.bin from the "PkgView_1.3\EP4001-BLES01287_00-DIRT3PATCHEU0101-A0101-V0100-PE\BLES01287\USRDIR" and paste it in the SCETOOL folder. In the SCETool folder hold down the shift button+right click in the window and choose "open cmd window"

    Write "ebootfix EP4001-BLES01287_00-DIRT3PATCHEU0101" and it starts decrypting the file. Take the EBOOT.bin (not ORGINAL_EBOOT.bin) and copy it back to the USRDIR folder you first got it.

    Now cut the BLES01287 folder and paste it in the psn_package_npdrm folder (package.conf in here needs to change package version from 1.04 to 1.01 but the rest is already setup for DIRT3). Again, open a cmd window (shift+right click) and write "psn_package_npdrm.exe package.conf BLES01287"

    Wait until finished, install the new pkg and play Dirt 3. Guide works for all 3.60 games/patches (WITHOUT selfs & sprx files. These are ten times harder to decrypt and fix up to a proper retail level...). Hope someone gets some use from this.

    From Spanish site PS3SOS comes PS3Tools (PS3SOS - EVILNAT) with PS3 3.60 Keys with a brief guide (roughly translated) as follows:

    Here are the manuals:
    • You must copy the keys (.Ps3keys) in your user folder (C:\Users\XXXX\.Ps3keys) if you have Windows, if you want to use Cygwin or Linux you get the keys (.Ps3) in your user folder (home\XXXXXX\.PS3), you should copy the two folders.
    • Just put in the command (cmd / terminal) the command to decrypt would be: EBOOT.BIN unself EBOOT.ELF
    • To encrypt this: EBOOT.ELF make_self EBOOT.BIN
    • The easiest is to drag the console, otherwise you must move the directories to where the exe / bin and decrypt / fix are.

    PsDev has made available PS3 Decrypted 3.60 Firmware Core_OS SELF Files followed by the PS3 3.72 Firmware Core_OS SELF Files from coreylad which may be of use to those seeking a PlayStation 3 version 3.60 Custom Firmware (CFW) update

    To quote: The files in the download below are all from the 3.60 Core_OS and I decrypted using the 3.60 keys.

    The files that were unselfed were:
    • aim_spu_module
    • emer_init
    • lv1.self
    • lv2_kernal
    • manu_info_spu_module
    • mc_iso_spu_module
    • me_iso_spu_module
    • sb_iso_spu_module
    • sc_iso
    • spp_verifier
    • spu_pkg_rvk_verifier
    • spu_token_processor
    • spu_utoken_processor
    • sv_iso_spu_module

    I'd also like to thank naehrwert.

    PS3 developer SiLENTGame has made available PS3 Hack Checker v0.1 followed by PS3 Hack Checker v0.2 stating:

    I was bored and so I have written a little tool which grabs the latest "hack status" of the PS3. I think the screenshot below says everything. I hope you like it. I'm thankful for suggestions, bug reports or anything else. So long.

    It's important to note that currently PS3 CECH-3nnnX/CECH-4nnnX (and some CECH-2500X) console models cannot be downgraded though.

    v0.2 Changelog:
    • hackable firmware fixed
    • firmware downgrade information added
    • key information added
    • DEX converting information added

    PlayStation 3 developer Deviance has made available FreeLoader v0.1 followed by FreeLoader v0.2 which is a PS3 EBoot Grabber with the following features:

    This application is designed to make life easier to download Eboots. Since it's the initial release, the database is still quite small but will be updated over time to add more additions. Very simple to use. Click the game and press go!

    What's new?
    • Initial release

    • Planning on adding descriptions and make sure you are using the latest eboot
    • Buy me a beer! (Info in about tab)
    • If the eboot download gets removed. Just wait and a new link will be in the db.

    • Database updated
    • If you're experiencing graphical issues when running the application, try this version.

    • Freeloader is an app for windows that has a database full of the latest 3.60 Eboots to be easily downloadable.

    What's new in V0.2?
    • Spiffy Gui
    • PS ID's added
    • Regions Added
    • Descriptions Added
    • (Bugfix) Corrected how it grabbed the database
    • A new database layout. (Lots of new titles added)
    • The db will have even more titles soon. (Only a one man band)

    PlayStation 3 developer aryaei (aka aryasoft2872) has made available PS3 Autofix v1.1 (requires .Net Framework 4) followed by PS3 Autofix v1.2 which assists users in fixing PS3 3.6 games automatically.

    You have to just enter the title ID and after click on "Do It!" it will automatically download patches and then fix the latest one for you. This app also has an option that will fix EBOOT.BIN without downloading updates.


    1- If you have downloaded files before and you just want to fix them, put them in the application's folder. After checking the Sony server, if a file exists it will skip that file and will start to fix
    2- To copy the download link, double click on it
    3- This app doesn't change PARAM.SFO (sometimes changing PARAM.SFO causes some problems in packing); to prevent an update error, enable the spoof on your cfw
    4- here is a example of which files to install
    for example i want to update and install Gran Turismo 5

    1- Enter BCES00569
    2- it will automatically download the 9 files:

    [Register or Login to view code]

    After download finished the application will automatically fix the latest patch (in this case:"EP9001-BCES00569_00-0000000000000000-A0113-V0100-PE.pkg") and will make a new file which is fixed for 3.55 with following name: EP9001-BCES00569_00-0000000000000000.pkg (The last part of name has been removed.)

    Now you have to install following 8 files:

    [Register or Login to view code]

    And then install the latest update which is fixed by application (EP9001-BCES00569_00-0000000000000000.pkg)

    Changelog v1.2:
    Version 1.2 is ready to download...
    • Added:Sign and repack specific PKG.
    • Fixed: 8001003C error
    • Improvements in fixing and file managing.
    • Fixed: blur bug
    • Minor UI Changes.
    • Fixed: some of minor bugs

    Changelog v1.1:
    • Fixed some bugs
    • Updated scetool to latest version to have better fixing.
    • Added Option to just fix EBOOT.BIN.
    • Some minor improvements in code.

    Asure (via pastie.org/4407666) has made a small .bat file that can bruteforce the klic key from PS3 EBOOTs that use/load SELF/SPRX files stating the following:

    [Register or Login to view code]

    You need to put this into a folder with scetool, data / keys etc. working. Then drop an eboot.bin and decrypt it with scetool into eboot.elf. Then drop an encrypted self, or sprx and modify the bat file a little perhaps.

    The needed linux tools like od.exe, sed.exe, can all be found in the package above. If you want to test with say, portal 2 sprx files, you can try starting at offset 608600. MW3 around offset 54272. The batch file is not perfect. On large files, the CUT command starts to malfunction as I don't take this into account with the sed/cut combo. Some PS3 game key examples are located HERE and also below in full.

    From deank: The other day someone sent me eboot+self for "Ryu ga Gotoku of the End" (Yakuza). It is one of these games (like Rock Band 3) which cannot be 'decrypted' using a k_lic, so here is the "ogrez.self" patched for 3.55.

    Download: JP0177-BLJM60316_00-GAMEVER0101WEEK1 FIXED-YAK4-BLJM60316 ogrez.self

    You can prepare a fixed update pkg by using the original pkg + the fixed eboot.bin and this fixed ogrez.self. It is pretty simple once you figure it out.

    You will notice that in some game updates you have:
    • blabla.self

    Where both files are "the same". They are not 1:1 the same, because they're encrypted with different keys, but if you look at the prog/data sections and the offsets - you will see what I mean. Also the sizes are the same. I noticed this 'update' approach back in 2010 with "Prince of Persia TFS" and with some other games, so I decided to try that. Both in this game and Rock Band there are no references to the .self and no k_lic... either.

    What you have to do is:

    1) Decrypt the EBOOT.BIN to .elf
    2) Use scetool to create NPDRM NPTYPE=UPDATE with key 00, contentID=game-update-content-id, and np-original-name=name_of_the_self.
    3) You get the new blabla.self and use it

    For example for this yakuza game you'll notice that the info for the eboot.bin and the ogrez.self are the same:

    [Register or Login to view code]

    There is no universal approach. Sizes must be equal (not more or less) and to be sure that there is no k_license involved you can either check if the .self is referenced in the eboot.bin or you'll have to use IDA to make sure that NP functions use NULL k_lic... (or find the k_license location in IDA using the NP functions).

    A simple bat/cmd script to compare the PROGBITS sections of 2 files (like EBOOT.BIN and ogrez.self): check.cmd

    [Register or Login to view code]

    [Register or Login to view code]

    If they match (i.e. no differences) then there is a very good chance that you only need to re-self the eboot.bin to the desired .self without the need of a license key.

    From aldostools.org/temp/klics.txt:

    [Register or Login to view code]

    Note: This is just a proof-of-concept, I wanted to know how the whole SELF/SPRX stuff worked. It doesn't contain keys or any proprietary tools from Sony, and as far as I know, it's not doing anything illegal.

    From JLM: In case anyone is not sure how to use the script:

    1. Use scetool to decrypt the eboot.bin, copy eboot.bin to the scetool folder, use command scetool -v -d eboot.bin eboot.elf, screen output should be (brackets removed from around *'s because it screws up the post formatting):

    [Register or Login to view code]

    2. Use scetool to decrypt the sprx with Asure's script, unpack his bruteforce.zip in the scetool directory, copy the sprx to the scetool directory, use his script or the following which is slightly different: rename the sprx to exactly this: game.sprx, using notepad create a text file and paste the script contents:

    [Register or Login to view code]

    Save the file as sprxdecrypt.bat, open a command prompt window, type: sprxdecrypt.bat wait a long time.. ONLY FOR THE VERY PATIENT.

    Tiny changes to Asure's script: changed filename to game.sprx and game.prx, change it to whatever you like (remember to use the same name in the test line after "IF EXIST") also removed extra -l %key% in the scetool command line.

    Finally, from aldostools comes a Quick Tutorial for Converting PS3 3.60 Games to 3.55 Using PS3 Tools, a GUI Version for the above batch file followed by SCETool v0.2.8 Bruteforce v1.3.1 who states:

    It has a slider for a more convenient selection of the offset. The cut.exe / dd.exe / od.exe / sed.exe / batch files are not needed. Just put it in the same folder of the scetool.exe, with the EBOOT.BIN and the .self or .sprx to be decrypted, start the BruteForce.exe and press the Start button. Tested working with Red Dead Redemption. Added support for command line parameters.

    Example: BruteForce.exe 332300 /start

    Anyway I improved the BruteForce.exe a bit more:
    • Added additional checks when the program starts
    • Now the tool auto-resigns the EBOOT.BIN and the self/sprx with the 3.55 keys when it finds the klic
    • Small GUI changes
    • Included all the tools in a 7z archive

    In Portal 2, the klic key is not aligned to 4. Thus the faster method (4X) will not find it. So, I made BruteForce 1.4: It first tries to find the key in a range aligned to 4. If it doesn't find the key, then it retries using the original method (1 byte at a time).

    The method is similar to the original batch, but bytes aligned to 4 are tested first. Keys already tested are ignored. In this version it is also possible to define the range to parse (start and stop addresses). Additionally, I added other data alignments: 1, 2, 4, 8 and 16. So in some cases, it could be up to 16X faster than the original method.

    Updated to SCETool v0.2.8 Bruteforce v1.4.1 (ignored keys/offsets are refreshed on screen every 1/2 second, added a clean_folder.bat)

    For those interested, posted here are the BruteForce/SCETool Decrypter Build Changelogs and additional updates as they are available.


  2. #2
    Foo Guest
    Finally! Good news.

  3. #3
    ConsoleDev Guest
    Is this legit?

    PS3 game key examples:

    [Register or Login to view code]

    Some more below:

    [Register or Login to view code]

  4. #4
    Join Date
    Apr 2005

    BruteForce/SCETool Decrypter Build Changelogs

    Yep it's legit, in a bit I will link to the other thread in the main post with the new decrypted games and so on once they are added.

    BruteForce/SCETool Decrypter Builds: aldostools.org/temp/scetool_0.2.9_bruteforce.7z

    [Register or Login to view code]

    BruteForce/SCETool Decrypter Build Changelogs:

    Updated to version 1.5.1:
    • Added real-time switching from hex to dec and vice-versa
    • Patterns 01xxxxxx01xxxxxx01xxxxxx01xxxxxx are ignored (in addition to 00xxxxxx00xxxxxx00xxxxxx00xxxxxx, *0000* and *FFFFFFFFFFFF*)
    • Added credits; please let me know if I'm missing someone
    • Added display info for SELF/SPRX
    • Added F2 shortcut to open program's folder
    • Added find to DOS box (use F3)
    • Double click on an offset value in the DOS box sets the offset field
    • Stop address field can be set from the DOS box selecting an initial address then double click on the final address

    Updated to version 1.5.2:
    • Solved the issue finding the key for SOCOM 4 (the real key contains *0000* which was in the ignored patterns)
    • Now the patterns to ignore can be defined in the file "ignore_patterns.txt". It includes 4 by default, but you can add all/remove the patterns that you want.

    TIP: If you use data alignment 16, if the klic key is not found in the selected range, the tool will retry automatically using data alignment 4, then data alignment 1. The BruteForce 1.6 has the "pre-database of known keys" already implemented. It now first tries the known keys first (read from klics.txt). I went further: the program now first extracts the ContentID, and puts the klic for the TitleID as the first in the list.

    I uploaded version 1.6.1 and 1.6.2 is up:
    • Added Asure to the credits.
    • This version now has an experimental dynamic section alignment (it first tries using the alignment of the section).
    • The section index is now displayed.

    I changed the &H to 0x in build 1.6.5 (available online) Added the KLIC for Tom Clancy Splinter Cell Trilogy HD (1.01) [BLES01146] (thanks to andreus and PatrickBatman for all the klic keys in the database). Added the patterns for the above scenario.

    BruteForce/SCETool Decrypter Build 1.6.7
    • Added 2 new klic keys to the database: G1 Jockey and Sniper Ghost Warrior
    • The used keys are now saved to a file. The file name includes the ContentID and ELF size to prevent conflicts with other files decrypted. (these keys are not tested the next time you run the program.)

    BruteForce/SCETool Decrypter Build 1.6.8
    • I added a timeout of 1 minute. If in that time scetool.exe does not finish, the program will terminate the task and retry again. If it crashes again, it continues with the next keys!

    BruteForce/SCETool Decrypter Build 1.7.0
    • The default view was changed from decimal to hex
    • Press SPACE key in the EBOOT info to jump to the section offset addresses
    • When you change the offset address, it now highlights the address in the EBOOT info window
    • Press ENTER near an address in the EBOOT info window to use it as offset address
    • The timeout is now set to 30 secs (in 1.6.9 it was set to 10 mins by mistake)
    • Added support to choose encryption keys: 3.40 or 3.55 (default)
    • Added option to compress encrypted Data (active by default)
    • If the PARAM.SFO is found in the folder, it sets the PS3_SYSTEM_VER to 3.55 (or 3.40)
    • Program's version and ContentID are now displayed
    • Count of ignored keys is now shown while processing
    • Added FixELF (36 --> 34 / 35 --> 34) before SPRX/SELF encryption
    • If EBOOT.BIN or SELF/SPRX is not found, it tries to use the *_ORIGINAL files if present in the folder
    • Added Test drive unlimited 2 (1.06) to the database of klics (thanks to PatrickBatman)
    • Fixed some incorrect addresses caused by automatic coercion (VB uses int16 instead of int32 when the value fits in 2 bytes. Example: 0xFFFF was converted to -1 instead of 65,535)

    BruteForce/SCETool Decrypter Build 1.7.1:
    • Display the key revision
    • Warning for EBOOT.BIN with key revision <= 3.55
    • Cleaned the internal source code a bit (just a bit)
    • FixELF is applied for key revisions up to 4.20. Example if key revision is 4.00, it applies:

    [Register or Login to view code]

    BruteForce/SCETool Decrypter Build 1.7.2:
    • I tested MW3 with this version and it works fine now.
    • Settings are now remembered when the program is closed
    • Added setting for skip sections

    BruteForce/SCETool Decrypter Build 1.7.3:
    • It fixes a bug introduced fixing the coercion bug in version 1.6.10?

    BruteForce/SCETool Decrypter Build 1.7.5:
    • I tested the new version and I saw you encrypt with the klicensee. Yes, now it is encrypting with the klicensee and SPRX (and compress=true and skip sections=false are now the defaults)
    • I removed almost all the windows updates while it is minimized and made small code optimizations to create/move less strings while it's processing. I don't think they will make much difference, but at least I tried
    • BTW: Notice that same klic is used in different regions.

    BruteForce/SCETool Decrypter Build 1.7.6:
    • If they match (i.e. no differences) then there is a very good chance that you only need to re-self the eboot.bin to the desired .self without the need of a license key.
    • It can suggest to the user that it is possible to create the .self for testing.

    BruteForce/SCETool Decrypter Build 1.7.7:
    • In my tests it worked 10-20% faster

    BruteForce/SCETool Decrypter Build 1.7.11:
    • I updated the FixELF.exe so in a single call like this: FixELF.exe EBOOT.elf "24 13 BC C5 F6 00 33 00 00 00 36" "24 13 BC C5 F6 00 33 00 00 00 34" it will search: "24 13 BC C5 F6 00 33 00 00 00 xx ??" -> "24 13 BC C5 F6 00 33 00 00 00 34 00" where xx is any char between 0x35 and 0x99 (inclusive). If the value is found, it stops the search/replace.
    • This build 1.7.11 now supports another tool (aldostools.org/temp/testklic.rar) developed by andreus to test the klicensee. Extract the content of the rar in the same folder of the BruteForce.exe. In our tests it worked faster than scetool. The user can select which tool to use to find the klicensee (scetool or testklic).

    BruteForce/SCETool Decrypter Build 1.7.12: A klicensee finder using scetool (based on Asure's brute force script) with heuristic algorithms for brute force attack. Once it finds the klicensee, the tool resigns the EBOOT/SPRX/SELF with 3.55/3.40 keys. It also includes my FixELF tool.
    • I have updated the BruteForce to version 1.7.12 and my PS3 Tools to use the lowest key revision (01) and 3.40 by default.
    • For BruteForce, the default option now will be 3.40 (it can be switch to 3.55)
    • If the PARAM.SFO is copied to the BruteForce-scetool's folder the BruteForce.exe will auto-patch the sfo's PS3_SYSTEM_VER to 3.40.
    • If you use my PS3 Tools to make the PKG (just right-clicking of the folder), now it will auto-patch the PARAM.SFO to 3.40 if PS3_SYSTEM_VER is higher than 3.40.
    • If you need to patch a PARAM.SFO from a batch file, use my latest PARAM.SFO Editor 2.5.3 like this:

      [Register or Login to view code]

      It accepts more pairs of parameters. Example:

      [Register or Login to view code]

    The BruteForce is a tool designed mainly to *FIND* the klicensee used to encrypt the NPDRM self/sprx files found in game patches/updates. Currently it supports files signed with up to 3.6 keys (mainly 3.56 and 3.60). If 3.7+ keys are available, the tool should also work (updating the keys in the data folder).

    To find the klicensee you will need to copy the EBOOT.BIN, the self/sprx files and the PARAM.SFO to the BruteForce/scetool's folder.

    If the klicensee is already known, it will take a few seconds to resign the EBOOT.BIN and the self/sprx files. Otherwise it will use optimized methods to try to *guess* the klicensee in a few hours.

    Once the klicensee is found, the files are resigned with the keys from key revision 01 [0.92 - 3.30], which should be supported by ALL firmware versions available.

    To resign files and repack PKG, I suggest using the PS3 Tools Collection (which also includes the BruteForce).

    To resign a disc EBOOT.BIN/self/sprx, just press Ctrl+Enter on the file and it will be resigned. If you double click (or press Enter) on the EBOOT.BIN or *.self or *.sprx you will see the file's information (including key version used).

    To resign NPDRM files, extract the PKG (use the right click menu), browse to the USRDIR and press Ctrl+Enter on the EBOOT.BIN/self/sprx files. Then return to the folder where the PKG is located and right click on the extracted folder and select Make PKG.

    It will automatically modify the PARAM.SFO to work with 3.40/3.55+. It will also detect the type of PKG being created (disc patch, game data or hard disk game). So there is no need at all for batch files or to edit package.conf. Everything is automated.

    The PS3 Tools Collection integrates strongly with Windows Explorer, so you can view/edit files (PKG, PUP, SFO, SFX, HIP, HIS, RAP, edat, SFB, BIN, SELF, SPRX, MD5, SFV, SHA1, MTH, 66600) and perform many other tasks just double clicking on the files or using the context menu.

    Another nice feature is the repack of retail PKGs for use with DEX converted consoles. Just press Ctrl+Shift+Enter on a PKG and the tool will automatically extract the PKG and repack it as a debug PKG. To extract a PKG, just press Shift+Enter on the PKG. And to view its Content ID, press Ctrl+Enter on the PKG.

    • If you select Make PKG on a PS3_GAME folder, it will call the PS3RIP tool.
    • If you select Make PKG on a PS3_UPDATE folder, it will call the Create_PS3_EXTRA tool.
    • All tools are accessed from the PS3 Tools Menu. You can use it from other PS3 related tasks, like add links to your favorite scene news sites or open folders where you put your PS3 files. You can return to the menu clicking on the blue jewel icon.
    • For the PS3 Game Updates, it is suggested to set the target version to 3.60
    • If you need to remove ALL the file associations created by the tool, there is a .reg file in the tools folder.
    • For BruteForce, try extracting this AddOn (developed by andreus) in the scetool's folder (it should help to make the brute force work faster).

    Big thanks to Asure, naehrwert, flatz, deank, andreus, PatrickBatman, BLKDTH, JLM, opoisso893, Matsumot0, catalinnc, and many others that I could be forgetting.

    PS. The BruteForce/scetool does NOT crack NPDRM files (DLC or games) that require RIF/RAP/edats.

    BruteForce/SCETool Decrypter Build 1.7.13:
    • I just updated the BruteForce to version 1.7.13 with the new option "Dont use tried_keys list"

    BruteForce/SCETool Decrypter Build 1.7.14:
    • The testklic was using the default key version (I was not passing the key version as parameter).

    BruteForce/SCETool Decrypter Build 1.7.15:
    • This new version has the "shutdown" option and prompt to auto-update the database when a new klic is found.
    • If shutdown option is active, it will not prompt and will auto-update the online database automatically.
    • A new button "Update KLICS.TXT" will download the latest klic.txt

    BruteForce/SCETool Decrypter Build 1.8.0:
    • It should support SCETool 0.2.8 and 0.2.9.

    BruteForce/SCETool Decrypter (Build 0.2.9 SCETool): aldostools.org/temp/scetool_0.2.9_bruteforce.7z
    • (updated FixELF)

    [Register or Login to view code]

    it will actually do the following search/replace:

    [Register or Login to view code]

    (only if xx xx > 34 00 and the found address is aligned to 4)

    BruteForce/SCETool Decrypter Build 1.8.1:
    • I updated the PKG Content ID (it also resigns SELF/SPRX/EBOOT)
    • The tool now first checks the current app type of each SELF/SPRX/EBOOT, then uses it to resign the file.
    • I also rearranged a bit the options.

    BruteForce/SCETool Decrypter Build 1.8.5:
    • Includes the new KLICS.TXT and can decrypt DEBUG EBOOT.BIN - Everyone should say THANKS to Deank for the tip.

    BruteForce/SCETool Decrypter Build 1.8.6:
    • Updated command line parameters for new klics.txt

    BruteForce/SCETool Decrypter Build 1.9.0:
    • Added 2 new heuristic algorithms
    • Find the "drmKey" string in the decrypted EBOOT.ELF and test the text klicensee next to it
    • Test klicensees stored as text strings (ansi or unicode)

    BruteForce/SCETool Decrypter Build
    • There was a bug in the algorithm for "drmKey" (it was considering the klics in lower case as invalid)... but the 2nd algorithm should have worked.
    • Now it accepts the game folder as parameter, and scans all the sprx/self/eboot.bin. If the klic is found, the resigned files are moved to the original location.
    • If there is not an EBOOT.BIN in the BruteForce folder, it will ask for the game folder.
    • Also changed the priority of the tried keys validations... I hope that it helps a bit to improve the speed.

    BruteForce/SCETool Decrypter Build
    • Updated the .ps3 with the proper keys provided by andreus in the testklic app (I'm still going to double check them)
    • Updated klics.txt with at least the following new klicensees (thanks to Omnomnom, catalinc and av)

    [Register or Login to view code]

    Tested the Ridge Racer 7 with the updated .ps3 keys and it seems to be working fine again using testklic app by andreus.

    BruteForce/SCETool Decrypter Build
    • Updated the .ps3 keys folder based on ps3devwiki.com/wiki/Keys#Appldr
    • There were still errors in the proper keys included yesterday from testklic app by andreus. The drm-key-55 and drm-iv-355 were the 3.50 (rev 0x07 np). I also found other errors in the keys. Also included the keys in "key revision" format.
    • The BruteForce now calls the testklic app using "key revision" instead of "firmware version" (as requested by andreus).
    • Added BruteForce association to folders. Now you can decrypt/resign a PS3 game folder using Right-click -> BruteForce...
    • Internal changes: changed some static values to parametric values read from the registry.
    • Reverted the resign files (when encrypt: 3.55 option is selected) to use the keyset 0x0A (retail type 0). It was changed it in to 0x0B (retail), but I forgot to revert it to 0x0A.
    • Updated the klics.txt with the klics of MAG update 2.12 (found Omnomnom) and Final Fantasy XIII-2 update 1.06 (posted to the online database)

    BruteForce/SCETool Decrypter Build
    • A minor validation to ensure that testklic is used only for NPDRM files

    BruteForce/SCETool Decrypter Build 2.0:
    • I updated BruteForce to version 2.0... Sorry, but no fancy features. This new build now includes make_fself.exe and the GUI lets you set the target system (CEX or DEX) for re-encryption.
    • The klic.txt also includes a new klicense collected through online database update 218A6FBF2865464A79399B6EEF54632A Champion Jockey: G1 Jockey & Gallop Racer [BLUS30863] [BLES01235] [BLJM60367] [JP0106-BLJM60367_00-GXGJPNPATCH00102]

    BruteForce/SCETool Decrypter Build 2.0.1:
    • It now uses make_fself_npdrm.exe for NPDRM content and make_fself.exe for retail content.
    • The program uses make_fself_npdrm.exe or make_fself.exe when DEX is selected (depending if the files are NPDRM or retail). For CEX it still uses scetool.exe.

    BruteForce/SCETool Decrypter Build 2.0.2:

    Today I updated the BruteForce 2.0.2 package again... but this time the update is not related to any of the tools, but related to the ps3 keys (both .ps3 and SCETool's keys file).

    Here is the background: Yesterday I decided to recheck the .ps3 keys and realized that it was a bit difficult to edit/fix the keys using just an hex editor. So I created this tool to review the keys and edit them with a little more ease.

    BruteForce/SCETool Decrypter Build 2.0.3:
    • I can't believe that I missed the most simple KLIC test... (test decryption of SPRX/SELF without KLIC)... fixed in BruteForce 2.0.3

    BruteForce/SCETool Decrypter Build 2.1.0:
    • Added conversion to fself (DEX), fixed issue with files with space in the file name

    BruteForce/SCETool Decrypter Build 2.2.0:
    • It now integrates the "blazing fast" test tool by MAGIC333X
    • If the tool does not find it using this new tool, it continues using the old methods
    • If the key is found, the BruteForce resigns the EBOOT and self/sprx as usual.
    • Indeed I already integrated it in the scetool-BruteForce version 2.2.0.

    BruteForce/SCETool Decrypter Build 2.2.3:

    So I tweaked the tool in version 2.2.3, to set it to the improper parameter --self-app-version=0000100050000000, which returns the proper "App Version" 01.05. Other changes in version 2.2.3 are:
    • FixELF is now applied always to the EBOOT.ELF (before it was applied only if the key version was higher than 3.40)
    • testklic now uses the key revision from the SELF/SPRX (before it was using the key revision from the EBOOT.BIN)
    • Now using the KLicence Brute-force Tool v1.2 (2012/10/07) and showing a progress bar
    • Small speed improvement: if TITLEID is found in KLICS.TXT, it's the first klic to try (before it always tested first noklic)

    BruteForce/SCETool Decrypter Build 2.2.5:
    • Setting the Self App version from PARAM.SFO is now an option
      (if the SelfAppVersion is unchecked, the tool will use the App Version from the SPRX/SELF)
    • Testklic now uses the key revision from the SELF/SPRX (before it was using the key revision from the EBOOT.BIN) was not working properly... fixed in 2.2.5
    • Updated for klicensee detection tool by MAGIC333X (v1.2), always applies FixELF, now uses key rev from sprx/self

    BruteForce/SCETool Decrypter Build 2.3.0:
    • Includes the klicencebruteforce 1.3 and an option to use (or not) the address range.

    BruteForce/SCETool Decrypter Build 2.3.1:
    • Fixed some minor issues and tweaks
    • Added keys to KLICS.TXT

    BruteForce/SCETool Decrypter Build 2.3.2:
    • Updated for klicensee detection tool by MAGIC333X (v1.3.1), updated KLICS.TXT

    BruteForce/SCETool Decrypter Build 2.3.3:
    • It also includes my FixELF tool.

    BruteForce/SCETool Decrypter Build 3.1.0:
    • It now has support for downloading the patch files on demand from the online database at github maintained by gingerbread.
    • The database currently has the patches for approximately 170 game ids. And considering that some patches can be used also on other versions/regions of the same game, it could grow easily to near 500 game ids.
    • I also added support for listing of grouped cheats.

    BruteForce/SCETool Decrypter Build 3.8.14: New in this version: added to the patch engine a new function for ADD calculation in a range of bytes (ADD, WADD, DWADD, QWADD).

    Tip: After you resign and replace your trophies, it is required to Rebuild Database through Recovery Menu, and launch a game that will do "Sync Trophies" on its startup in order to get the trophies working properly.

    PS3 Keys 1.0 - A tool to manage your PS3 keys

    Download: PS3 Keys Tool

    Update: I have updated the PS3 keys tool to version 1.1. Now it can convert SCETool's keys file to .ps3 (click on the big blue icon) I used the .ps3, data/keys and ps3devwiki Keys article for a three-way comparison. And found some mistakes in SCETool's data/keys file and some missing keys in ".ps3" and others keys were wrong. Not to talk about all the mistakes in the PS3 dev wiki already discussed here some days ago. So I did the best that I could do and fixed the files included in the updated archive of BruteForce 2.0.2.
    • BruteForce 2.0.2 now uses unfself.exe to unself DEX files and unself.exe + scetool.exe for CEX files.

    PS3 Keys 1.2

    The tool now shows a visual alert (a red cross icon) when the key is found in the scetool's Keys file, but the revision in the file name doesn't match the revision found in the section of the Keys file. A green check mark icon means that it was found in the Keys file and matched the version/revision.

    Since version 1.1, the tool allows converting the scetool's Keys into .ps3 keys binary format. Click on the big blue icon for the menu... I know that the menu is not intuitive but I love to hide features.

    PS3 Keys 1.3
    • Version 1.3 adds a report of keys in HTML and 'next' button to find the bad keys.

    PS3 Keys 1.5
    • Bruteforce + Testklic not working key set problem fixed

    PS3 Keys 1.5.1 / 1.5.2
    • Updated keys again

    I just discovered that unself2 also can decrypt with klic. A little nasty, but it can.

    1. Go to github.com/granberro/ps3tools, download and compile the tools with Cygwin.

    [Register or Login to view code]

    2. Add the keys (ps3devwiki.com/files/devtools/ps3keys/) to your /home/xxxx/.ps3 folder
    3. Add the missing npdrm keys (app-iv-102f, app-key-102f, app-pub-102f, app-priv-356, free_klicensee-key, klic-key, npdrm-const and rif-key) to .ps3 folder
    4. Hex edit /.ps3/free_klicensee-key and put the klic there
    5. Then "unself2 xxxx.self xxxx.elf" (it will give a warning, but compare the elfs with this and scetool, you will see they are the same)

    So it does the same scetool does. Don't know if this is faster, but it works.

    Finally of note, HoNo posted (via ps3club.ru/forum/showpost.php?&p=721795&postcount=1) what he claims were 3.70 keys (below) but they were quickly deemed fake as pictured HERE.

    [Register or Login to view code]

  5. #5
    pandulce1 Guest
    Outstanding! I'll have to learn how to mess with this stuff.

  6. #6
    Foo Guest
    I went ahead and put all the keys into a folder. This includes about all of them... app, lv1, lv2, spp, rvk, iso... http://www.sendspace.com/file/t74f6n

  7. #7
    muny21 Guest
    Nice. Is there a proper English guide to doing this? Just would like to know how to decrypt and encrypt these EBOOTS myself just to know. Already have all the tools and can make psn packages but never tried to mess with EBOOTs before. Thanks.

  8. #8
    elser1 Guest
    how kool is this eh. thanks for this awesome news!! i hope a new rebug can come out of this.

    also does this mean all keys can now be gotten for all the newer firmwares?

  9. #9
    alvarito8910 Guest

  10. #10
    ezzitdus Guest
    does this mean that soon a cfw 3.60 comes out?... i hope so because i some how update to 3.60 of a wrong install...
