Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: UnPKG GUI PS3 PKG Decompiler, Homebrew Stealthing Utility Out!

  1. #1
    Join Date
    Apr 2005

    UnPKG GUI PS3 PKG Decompiler, Homebrew Stealthing Utility Out!

    Over the weekend TeamSOS have released UnPKG GUI PS3 PKG Decompiler alongside a video of it in action below followed by PlayStation 3 Homebrew Stealthing Utility v1.3.5.

    Download: UnPKG GUI PS3 PKG Decompiler / UnPKG Commandline PS3 PKG Decompiler / UnPKG v1.2 GUI / Commandline PS3 PKG Decompiler / PS3 Homebrew Stealthing Utility v1.3.5 / Stealthed MultiMAN PS3 Backup Manager / UngPKG 2GB Fix by element

    To quote: First is Unpkg GUI (Windows Program requires .NET) and second is Allunpkg (Command Line version) both will decrypt and extract ALL pkg files with the exception of firmware PKG files. Instead of having to use different applications to deal with different pkg types, these applications will detect what's what and handle it accordingly. Major props goes to Blazie151 for making most of the app (I'm on TeamSOS too, just not as good as Blazie + he did most of it).

    Thanks goes out to Mathieulh for sharing some of the source code needed for this release, also thanks to nawhrwet for his program that handles the debug pkgs.

    If you would like to see it in action check out the video below:

    I'm releasing an application, called Homebrew Stealthing Utility v1.3.5, that I created that allows you to stealth a homebrew application or game as any PSN demo or full game that you want. Instead of having it possibly affect your future gaming needs, or having 10,000+ people all playing the same "game", YOU can choose what you stealth the homebrew as. Normally, this would just appear as game sharing; for double protection or the paranoid bunch, download the demo first and it'll be added to your purchase history.

    Ok, before anyone even asks - NO THIS NOT ALLOW YOU ACCESS TO PSN. It's an application that will make PSN safer once its restored. Trollers on this thread saying useless crap like "how does this help without PSN access" will not be appreciated.

    So here's the theory I cooked up from getting information from multiple sources and seeing the data and logs myself, cross-referencing things like what was being played and used, when, how long, log cleaning and safety measures used, and online habits. Needless to say it was a lot of data to sift through to fully formulate my thoughts. Some of this is known, some of it I haven't seen on the net at all, so here goes...

    Part 1 - Any homebrew you use puts a line in your log files. The log files are not normally wiped by going online. By wiping your own logs, you give reason for flags. The only time your logs would be erased normally is if you formatted your hard drive. When you log in 50 different times with blank logs, it would obviously be something noticeable on the server side, even if $ony is not monitoring it now. It takes more than 5 minutes to format your hard drive, pop it another game and get online. So when you log out, change your game with your boot manager, and log back in with clean logs again, it would look very fishy. All $ony would need to do is cache logs between log ins for a predetermined amount of time and wait for people to start triggering flags and warning that could turn into bans. For this reason, ALL HOMEBREW SHOULD BE STEALTHED!

    Part 2 - If you can see what your friends are playing online, don't you think $ony can too? The way "stealth" homebrew is currently stealthed is by having it look like a game. The downfall is that you can't play that game in future, because the homebrew files are using that folder. Also, and a big one here, if your online with that stealth homebrew, it shows that its being played from the hard drive. Now, to me, that looks like a huge red flag waving around with a jumping kid screaming "$ony come ban me." I mean, if your friends can see that don't you think $ony can? I would think that would be immensely easy to detect. No gameid starting in B (as in BLES00000) should be listed as being played from the hard drive. I would think detecting this would be more than easy for $ony to implement, especially since the average user can see that now.

    As for only releasing the homebrew stealthed as a single game, don't you thing it looks weird when 10,000+ people start using a game that's not popular? I know that question has been asked here before. Even if they can't ban someone directly for it, I would think $ony could at least monitor those consoles closer than the rest cause again, it just looks fishy.

    Now the solution. What's the best way to stealth homebrew, without losing ability to play certain games from disc if you wanted to, and have everything look kosher and perfect, even while online? I decided that using PSN demos would be the safest. They never really get played so its not interfering with your regular gaming or other homebrew, you don't have to ever clean your logs, and your friends and $ony can't see you playing a disc-based game from the hard drive.

    So why now, why not wait until PSN is back? Well, that's simple. PSN is coming back, it's inevitable. Why not already practice good stealthing so when PSN comes back your not scrambling to clean your logs and worrying that something slipped through the cracks?

    This application supports all pkg files that are not firmware pkg files. You can select an extra file to include in the USRDIR directory (mainly implemented that for MultiMan use, since that file is needed to play backups and not included in the MultiMan package). Also, it supports pkg file creation for 3.41 and 3.55, as well as a pause function for manual file manipulation prior to re-packaging. It also saves your output directory and firmware selection for future use, as well as run time arguments. Drag a pkg file on top of it or assign pkg files to open with it in windows, and it will load the first field with that data.

    The only applications I've seen have some problems with being stealthed are programs with callbacks to a static eboot.bin folder (like dev_blind), I'm working on a fix for that. Also, any program like MultiMan, that has an options ini file, needs that file modified with the new gameid in order for all the functions, such as covers, themes, etc, to work. All the other functions work fine though. If you'd like, check the pause option and modify the file manually. You also need to change the option to clear the logs when MultiMan boots. I'll work on a solution for this as well, but for now I'll also share my stealthed MultiMan with you all so you don't have to stealth that one if you don't want.

    Current Feature List:
    • Stealthed pkg file works on all firmware versions (3.15, 3.41, 3.55) including GH 3.55
    • Supports all pkg files
    • Supports run time arguments so you can open this program with a file or even automate it
    • Grabs the GameIDs and homebrew names automatically
    • Creates the -conf files automatically
    • Creates the stealth pkg automatically
    • Adds an additional user specified file if selected
    • Can sign the file automatically if selected (3.55GH mainly)
    • Pause checkbox allows manual modification of files before pkg'ing
    • Works on Virtual Machines, runs with .net 3.5

    Known Issues:
    • Some virus protection programs don't like it. This is because it creates all dependency files during run time, and some virus protection programs don't like exe files appearing from thin air. If this happens to you, please add the dir this utility is stored in to your excluded list in your virus scanner.

    Coming Soon:
    • Automatic modification of ini files (like the ones in MultiMan)
    • Automatically change MultiMan's log cleaning setting


    Update: PlayStation 3 developer element has now made available an UngPKG 2GB fix below, as follows:

    I am a great fan of the ps3tools ... but I have seen that the tools cannot support files which are larger than ~1.5 GB.

    The reason is fairly simple... there are no more continuous heap left to map the entire file.

    Therefore I have adapted the ungpkg tool, that this will read the file and make a decryption slice by slice. Hopefully somebody enjoy the release

    ungpkg.c 2GB fix
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <fcntl.h>
    #include <string.h>
    #include <assert.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include "tools.h"
    #include "types.h"
    #include "common.h"
    #ifdef WIN32
    #define MKDIR(x,y) mkdir(x)
    #define MKDIR(x,y) mkdir(x,y)
    typedef void (*decrypt_callback) (u8*, u64, u64);
    static FILE *pkg;
    static u64 size;
    static u64 offset;
    static PKG_HEADER *header = NULL;
    static u8 key[0x10];
    static decrypt_callback decrypt;
    void decrypt_debug_block(u8 *data, u64 size, u64 register_offset) {
    	u64 i;
    	u8 key[0x40];
    	u8 bfr[0x1c];
    	memset(key, 0, sizeof key);
    	memcpy(key, header->digest, 8);
    	memcpy(key + 0x08, header->digest, 8);
    	memcpy(key + 0x10, header->digest + 0x08, 8);
    	memcpy(key + 0x18, header->digest + 0x08, 8);
    	wbe64(key + 0x38, be64(key + 0x38) + register_offset);
    	sha1(key, sizeof key, bfr);
    	for(i=0; i<size;i++) {
    		if(i != 0 && (i % 16) == 0) {
    			wbe64(key + 0x38, be64(key + 0x38) + 1);
    			sha1(key, sizeof key, bfr);
    		data[i] ^= bfr[i & 0xf];
    void decrypt_retail_block(u8 *data, u64 size, u64 register_offset) {
    	u64 tmp;
    	u8 iv[0x10];
    	memcpy(iv, header->k_licensee, 0x10);
    	tmp = be64(iv + 8) + register_offset /*1*/;
    	wbe64(iv + 8, tmp);
    	if (tmp == 0)
    		wbe64(iv, be64(iv) + register_offset /*1*/);
    	aes128ctr(key, iv,data, size ,data);
    static void unpack_pkg(void) {
    	PKG_FILE_HEADER *file;
    	u64 i;
    	u64 n_files;
    	u32 fname_len;
    	u64 file_offset;
    	u32 flags;
    	u32 fname_off;
    	u8 *data_block;
    	u8 *file_block;
    	char fname[255];
    	n_files = be32( (u8*) &header->item_count);	
    	file = malloc(sizeof(PKG_FILE_HEADER));
    	for ( i = 0; i <  n_files; i++ ) {
    		fseek(pkg, offset + (i * 0x20), SEEK_SET);
    		fread(file, 0x20, 1, pkg);
    		decrypt((u8*)file , 0x20,  (offset + (i * 0x20) - offset) / 16);
    		fname_off = be32((u8*)&file->filename_offset);
    		fname_len = be32((u8*)&file->filename_size);
    		file_offset = be64((u8*)&file->data_offset);
    		size = be64((u8*)&file->data_size);
    		flags = be32((u8*)&file->flags);
    		fseek(pkg, fname_off + offset, SEEK_SET);
    		file_block = malloc( fname_len );		
    		fread( file_block, fname_len, 1, pkg );
    		decrypt(file_block, fname_len,  fname_off / 16);
    		memset(fname, 0, sizeof fname);
    		strncpy(fname,(const char*) file_block, fname_len);
    		printf("%10x %s\n",flags, fname);
    		fseek( pkg, file_offset + offset, SEEK_SET);				
    		data_block = malloc ( size );
    		fread( data_block, size, 1, pkg);
    		decrypt(data_block, size, file_offset / 16);
    		flags &= 0xff;
    		if(flags == 4) {
    			MKDIR(fname, 0777);
    		} else if (flags == 1 || flags == 3 || flags == 2) {
    			memcpy_to_file( fname, data_block, size);
    		} else {
    			fail("unknown flags: %08x", flags);
    int main(int argc, char *argv[]) {
    	char *dir;
    	if (argc != 2 && argc != 3)
    		fail("usage: ungpkg filename.pkg [target]");
    	pkg = fopen( (const char*) argv[1], "rb");
    	header = malloc(sizeof(PKG_HEADER));
    	fread( header, sizeof(PKG_HEADER), 1, pkg);
    	if (argc == 2) {
    		dir = malloc(0x31);
    		memset(dir, 0, 0x31);
    		memset(dir, 0, 0x30);
    		memcpy(dir, header->contentid, 0x30);
    	} else {
    		dir = argv[2];
    	offset = be64((u8*)&header->data_offset);
    	size = be64((u8*)&header->data_size);	
    	u32 type = be32((u8*)&header->pkg_type);
    	if( type & 0x80000000 ) {
    		if ((type & 0x0000000F) != 1)
    			fail("invalid pkg type: %x", type);
    		if (key_get_simple("gpkg-key", key, 0x10) < 0)
    			fail("failed to load the package key.");
    		decrypt = decrypt_retail_block;
    	} else {
    		decrypt = decrypt_debug_block;
    	MKDIR(dir, 0777);
    	if (chdir(dir) != 0)
    		fail("chdir(%s)", dir);
    	return 0;
    new types.h
    // Copyright 2010       Sven Peter <[email protected]>
    // Licensed under the terms of the GNU GPL, version 2
    #ifndef TYPES_H__
    #define TYPES_H__
    #include <stdint.h>
    typedef uint64_t u64;
    typedef uint32_t u32;
    typedef uint16_t u16;
    typedef uint8_t u8;
    struct elf_phdr {
    	u32 p_type;
    	u64 p_off;
    	u64 p_vaddr;
    	u64 p_paddr;
    	u64 p_filesz;
    	u64 p_memsz;
    	u32 p_flags;
    	u64 p_align;
    	void *ptr;
    struct elf_shdr {
    	u32 sh_name;
    	u32 sh_type;
    	u32 sh_flags;
    	u64 sh_addr;
    	u64 sh_offset;
    	u32 sh_size;
    	u32 sh_link;
    	u32 sh_info;
    	u32 sh_addralign;
    	u32 sh_entsize;
    #define	ET_NONE		0
    #define ET_REL		1
    #define	ET_EXEC		2
    #define	ET_DYN		3
    #define	ET_CORE		4
    #define	ET_LOOS		0xfe00
    #define	ET_HIOS		0xfeff
    #define ET_LOPROC	0xff00
    #define	ET_HIPROC	0xffff
    struct elf_hdr {
    	char e_ident[16];
    	u16 e_type;
    	u16 e_machine;
    	u32 e_version;
    	u64 e_entry;
    	u64 e_phoff;
    	u64 e_shoff;
    	u32 e_flags;
    	u16 e_ehsize;
    	u16 e_phentsize;
    	u16 e_phnum;
    	u16 e_shentsize;
    	u16 e_shnum;
    	u16 e_shtrndx;
    typedef struct {
       u32 magic;
       u32 pkg_type;
       u32 pkg_info_offset;
       u32 pkg_info_size;
       u32 header_size;
       u32 item_count;
       u64 total_size;
       u64 data_offset;
       u64 data_size;
       char contentid[0x30];
       u8 digest[0x10];
       u8 k_licensee[0x10];
    typedef struct {
       u32 filename_offset;
       u32 filename_size;
       u64 data_offset;
       u64 data_size;
       u32 flags;
       u32 padding;
    struct id2name_tbl {
    	u32 id;
    	const char *name;
    struct key {
    	u8 key[32];
    	u8 iv[16];
    	int pub_avail;
    	int priv_avail;
    	u8 pub[40];
    	u8 priv[21];
    	u32 ctype;
    struct keylist {
    	u32 n;
    	struct key *keys;
        struct key *idps;
        struct key *klic;
        struct key *rif;
        struct key *npdrm_const;
        struct key *free_klicensee;
    struct rif {
        u8 unk1[0x10]; //version, license type and user number
        u8 titleid[0x30]; //Content ID
        u8 padding[0xC]; //Padding for randomness
        u32 actDatIndex; //Key index on act.dat between 0x00 and 0x7F
        u8 key[0x10]; //encrypted klicensee
        u64 unk2; //timestamp??
        u64 unk3; //Always 0
        u8 rs[0x28];
    } __attribute__ ((packed));
    struct actdat {
        u8 unk1[0x10]; //Version, User number
        u8 keyTable[0x800]; //Key Table
        u8 unk2[0x800];
        u8 signature[0x28];
    } __attribute__ ((packed));
    static inline u8 be8(u8 *p)
    	return *p;
    static inline u16 be16(u8 *p)
    	u16 a;
    	a  = p[0] << 8;
    	a |= p[1];
    	return a;
    static inline u32 be32(u8 *p)
    	u32 a;
    	a  = p[0] << 24;
    	a |= p[1] << 16;
    	a |= p[2] <<  8;
    	a |= p[3] <<  0;
    	return a;
    static inline u64 be64(u8 *p)
    	u32 a, b;
    	a = be32(p);
    	b = be32(p + 4);
    	return ((u64)a<<32) | b;
    static inline void wbe16(u8 *p, u16 v)
    	p[0] = v >>  8;
    	p[1] = v;
    static inline void wbe32(u8 *p, u32 v)
    	p[0] = v >> 24;
    	p[1] = v >> 16;
    	p[2] = v >>  8;
    	p[3] = v;
    static inline void wbe64(u8 *p, u64 v)
    	wbe32(p + 4, v);
    	v >>= 32;
    	wbe32(p, v);
    [imglink=|UnPKG GUI PS3 PKG Decompiler, Homebrew Stealthing Utility Out!][/imglink]
    [imglink=|UnPKG GUI PS3 PKG Decompiler, Homebrew Stealthing Utility Out!][/imglink]
    More PlayStation 3 News...

  2. #2
    GrandpaHomer Guest
    Yeah - it would be not suspicious AT ALL if I'll be playing the "Demo of Barbie horse riding" 20 hours a day for several months ... IMO - this all reasoning behind "stealth" mode is pointless unless you'll be using multiply game IDs at random and even then it would be still easily detectable by Sony - all they need to do is some stast on games and demo usage overall and it will point out most of the unusual activities. Also - I'm not sure Sony is currently seeing if the game is played grom hard drive or BD ...

    The much esier way than fiddling with the HB ids is simply to fake the list rather then vipe it or just back it up prior runing HB and then restore it to it's original content etc. Still - best solution - simply don't go online with such PS3.

  3. #3
    Brenza Guest
    I remind you that backup managers erase the log file when you run them, no need to worry about this!

  4. #4
    Xalies Guest
    I remind you that not everyone uses them, this would mostly be aimed at people that install PSN-like.

  5. #5
    Join Date
    Apr 2005

    PS3 Homebrew Stealthing Utility 1.4 Released by TeamSOS

    Today blazie151 of TeamSOS has released Homebrew Stealthing Utility version 1.4 for the PS3 console.

    Download: PS3 Homebrew Stealthing Utility 1.4

    To quote: Today, I'm releasing version 1.4 of the Homebrew Stealthing Utility. I have changed around some functions on it to make it more compatible with homebrew without losing features.

    It now automatically looks recursively in sub directories to find any and all ini files, reads them into memory, and changes all references to the original homebrew gameid to the one its being stealthed as.

    I have also added some extra features specific to MultiMan, such as removing log cleaning and turning of FTP, both user choice. Just as the last release was, this one was tested thoroughly on multiple machines and even a couple virtual machines.

    Added Features Include:
    • Automatic ini (options) file modification, processes all ini files
    • Turn off auto log cleaning in MultiMan
    • Disable FTP on startup in MultiMan
    • Some rarely occurring bug fixes

    Known Issues:
    • Some homebrew has a static call back to a specific folder, still working on that. Dev_Blind is an example of this.
    • Some computers don't have their .net installations done right. If you get an error message saying that MSVCR100.dll is missing, please download this: - Thanks xim2
    • Some virus protection programs don't like this application. It's because all required dependencies are built into this application. I did this so that an installation was not required and it could be a stand-alone exe file. If your virus protection program doesn't like this application, simply add it's folder to your anti-virus exclusions list, or dis-able it while running this app. The only culprit I have confirmed so far has been Kaspersky Anti-Virus.

    [imglink=|PS3 Homebrew Stealthing Utility 1.4 Released by TeamSOS][/imglink]
    More PlayStation 3 News...

  6. #6
    pjmiller435 Guest
    has some nice additional features other than stealthing, always welcome them.

  7. #7
    m00dy Guest
    has anybody stealthed the rebug selecter? i tried but get errors

    share plz!

  8. #8
    Join Date
    Apr 2005

    Arrow UngPKG 2GB Fix

    Here is another update to UngPKG from element which includes a 2GB fix, as follows:

    Fixes below are for fail0verflow’s ungpkg.c ps3 dev tool. Ungpkg supports now files larger than ~1.5 GB and PSP packages.

    Hello, I am a great fan of the ps3tools ... but I have seen that the tools cannot support files which are larger than ~1.5 GB.

    The reason is fairly simple ... there are no more continous heap left to map the entire file.

    Therfore I have adapted the ungpkg tool, that this will read the file and make a decryption slice by slice.

    Hopefully somebody enjoy the release:

    Finally, from element comes an EDAT Tool - PS3Tools style, who states the following:

    Download: edat_beta_1_0.7z

    Hello ... it is me again, with a small release. I "partially" ported the edat tool from snowydev to plain c in ps3tool style... Currently it is only possible to encrypt ISO.BIN and MINIS.BIN (what I have tested so far).

    Thanks to all which have developed the base versions of all the tools.

    Just to say again: I have just decompiled the base tools and make a "new" one out of it, SO ... BIG THANKS TO flatz, snowydev

  9. #9
    nam678910 Guest

  10. #10
    DoBa NiBlGr Guest
    very nice

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts