PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

October 6, 2012 // 9:36 pm - Following up on the PS3 BruteForce / SCETool Decrypter builds by aldostools and KLICS, this weekend PlayStation 3 homebrew developer MAGiC333X has released a KLicense Brute-force Tool for PlayStation 3 users complete with source code and updates below.

Download: KLicense Brute-force Tool v1.0 for PS3 / KLicense Brute-force Tool v1.1 for PS3 / KLicense Brute-force Tool v1.2 for PS3 / KLicense Brute-force Tool v1.3.1 for PS3 / MSVCR100.dll (Required)

To quote: I've created a new, ultra-fast tool for your KLicence brute-forcing needs! Compiled for Windows. Source code is included. Happy brute-forcing!

I've just released version 1.1 of my tool. Download link in first post.


Version 1.1 (October 7, 2012):

  • Keys stored as hex-strings in keydata file will now be found
  • Added option to select search mode (see USAGE for directions)
  • Flushing output of progress updates to allow for better integration
  • Performance increase (~40%)

I've implemented the hex-string search function. And I made sure all cases are covered, except for one: When searching for hex-strings there is one case where the key will not be found. It occurs when the KLicence hex-string is preceeded by an odd number of hex digits. I haven't covered this case, because I don't think this will ever occur. If you (or someone else) think this can occur, please tell me, because it's very easy to implement at this point.

Output is now being flushed (for progress updates). I will give you a example. EBOOT.ELF from BLES00330 contains string: "-drmKey=1fbadf00d726101632a11da1cafeacac", if this string was instead: "-drmKeyf1fbadf00d726101632a11da1cafeacac" there is an odd number of hex digits (1x 'f' here) preceeding the key, causing the key not to be found.

Version 1.2 (October 7, 2012):

  • Removed restriction on hex-string search mode
  • (BugFix) Found hex-string is now displayed, instead of data at address

Version 1.3 (October 10, 2012)

  • Added support for UTF-16/UTF-32 encoded hex-strings
  • Added search-range option

Btw, decided not to add separate options for UTF-16/UTF-32 as it has just a very minor impact on performance (like 1%). Also a note on using the search-range option (from README.txt): When using option search-range to process part of a file, please keep in mind that the last key tried is at offset: end position - 16 (size of KLicence).

Version 1.3.1 (October 10, 2012)

Sorry about the search-range bug, I was in a bit of a hurry and completely forgot to test if the option worked... Almost did work though What it did was it always tried to process fileSize amount of bytes starting at the given offset, instead of (end - start) amount of bytes. Had to change just one line to get it working. Anyways, everything should be working now in version 1.3.1


From the ReadMe File: KLicence Brute-force Tool v1.0 (2012/10/06)
Copyright (C) MAGiC333X


Initial release of the KLicence Brute-force Tool. Version 1.0, built on October 6, 2012 using Microsoft Visual C++ 2010 Express.

Use this program with caution. I will not be held responsible for any damage caused by (the use of) this program or it's source code.

Source code is included as a donation to other developers.

Files included in this release:

  • Compiled program (Win32): 'klicencebruteforce.exe'.
  • Example ps3keys file: 'keys'.
  • This README file: 'README.txt'.
  • Source code: 'klicencebruteforce-src-1.0.rar'.
  • GPL v3 for used libraries: 'gpl-3.0.txt'.

Special thanks to:

  • Asure (PS3Hax) - for the first steps in this subject and gaining my interrest.
  • PS3DevWiki - for the information on SELF files and NPDRM decryption algorithm.
  • naehrwert - if SCETool source code was available, i wouldn't have made this.


This program will try to decrypt the metadata info of a SELF file that's been encrypted using a developer KLicence, by trying all the possible keys in the user-specified input keydata file. If the input keydata file contains the key to decrypt the metadata info, then the key will be found. When a working key is found, it will be written to the console.

It is VERY fast! On my Core2Quad Q6600 at 3.2 GHz it does ~770.000 keys/second, utilizing only a single thread/core. Moreover, it scales perfectly when running multiple instances concurrently. So, if you have a quad-core processor and you split your input keydata file into four equally sized parts and run four instances of this program, each using one part of the input keydata file, it will give you a nice x4 speedup!

This program is built for speed, not compatibility. This means that there is a great chance that some SELF files won't be processed correctly. If this is the case, try processing it with option '--minimize-validation' enabled. If it still doesn't work, use option '--npdrm' together with '--metadata-info'. This will result in the SELF file not being used or validated (the argument is still mandatory though). This way you can force the program into brute-forcing the metadata info of any SELF file.

Input ps3keys file must use format as used by SCETool. A sample ps3keys file is provided: 'keys'. The program will try all keys in the ps3keys file with name prefix 'NP_' as possible KLicence keys before starting the brute-force attack. This has the advantage that previously found keys can be added to the keys file. For an example, see the included keys file: it has the InfinityWardKey added to it as 'NP_infinitywardkey'. Also, you can use comments in the keys file by starting a line with '#' (just like an INI file).

Input keydata file is a binary file. This is the file that is used for the brute-force attack. If the KLicence key is in this file, it will be found.

For more help on how to use this program, see the USAGE section below.


Version 1.0 (October 6, 2012)

- Initial release


Source will build using Microsoft Visual C++ 2010 Express.

I've tried to keep the code portable, so making it compile on Linux shouldn't cause too many problems. This is untested, however.

There is some room for improvement:

  • Thorough testing for bugs/flaws.
  • Don't read input keydata file fully to memory.
  • Make brute forcing multi-threaded (it will scale perfectly!).
  • Use another (faster) AES library to improve performance.
  • Refactor: make coding style consistent.

Libraries used:

  • aes.h/aes.c - AES library from PolarSSL, GPL v2+.
  • common.h - Endianness swapping library by Youness Alaoui (KaKaRoTo), GPL v3.
  • Code may contain some parts from euss's ps3tools/fail0verlow tools, any licence that came with these 'borrowed' source parts remain in effect.
  • A copy of the GPL v3 licence is included.

My source code is not protected by any licence, feel free to use it any way you want. If improvements are made to the source code, I would be very pleased if those improvements are made public.


[Register or Login to view code]

KLicense Brute-force Tool By MAGiC333X for PS3 is Now Available

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew.

#23 - gesib99 - August 21, 2015 // 8:31 pm
gesib99's Avatar
will this work on ps3 ofw?

#22 - qwe123123 - September 5, 2013 // 1:55 am
qwe123123's Avatar
can it work with a gui?

#21 - evil99019 - July 10, 2013 // 8:46 am
evil99019's Avatar
I have heard of several games only editable by Hyperkin's commercial game genie because Flat_z's program can't dump the Secure File ID. That's why there are still many old games not supported by Bruteforce Save data.

I am going around many place trying to find willing people with CFW and soul calibur 5 to test secure file ID dumper on soul calibur 5, but if someone already knows that it's futile, please let me know so I can stop them before they dive deep only to get disappointed in the end.

#20 - JeoWay - July 9, 2013 // 6:22 pm
JeoWay's Avatar
I've never had a problem with it. Bruteforce save data (aldostools) is what i use.

#19 - evil99019 - July 9, 2013 // 12:47 pm
evil99019's Avatar
so it's been half a year since Flat_z's Secure File ID Dumper came out, from search I learned there are some games that this program doesn't work, like dark souls or some games that use double encryption and stuff.

problem is I can't find a concrete list of games that this program can't work on. it's hard to decide whether it's worth running personal test on the games not in the database yet if someone else already knows that it'd be a waste of time.

#18 - BerserkLeon - December 28, 2012 // 12:16 am
BerserkLeon's Avatar
The Disc Key dumper dumps the disc hash key (of the disc in your BD drive, pretty sure they're not stored in backups) , which is something that could be used for save decryption but the ps3 doesn't utilize/check it.

The Secure File ID Dumper dumps the Secure File ID key which is the main thing you need for save decrypt/encrypting. It doesn't seem to work with some games (dark souls is still being a pain)

Klicensee dumper, of course, dumps the klicensee. It's mostly only used for decrypting the EBOOT.BIN or SELFs or SPRXs.

Basically though if you don't already know those terms, you don't need to worry about it.

#17 - Ferchenko - December 27, 2012 // 1:46 pm
Ferchenko's Avatar
Sorry, but I'm still a noob on this things. What is this supposed to be for?

#16 - BerserkLeon - December 27, 2012 // 7:48 am
BerserkLeon's Avatar
Make sure when you try to use the secure file ID loader that you only replace the ps3*.sprxs, not the libsys_np.sprx.

only use the libsys one when doing the klic one. And make sure to back up your originals or you wont be able to switch between what you want to use at all, as far as these dumpers go.

#15 - PS4 News - December 27, 2012 // 5:14 am
PS4 News's Avatar
Following his initial releases, today PlayStation 3 developer Flat_z has updated his PS3 Disc Key Dumper, Klicensee Dumper and Secure File ID Dumper for 4.21 CFW with details below.

Download: PS3 Disc Key Dumper, Klicensee Dumper and Secure File ID Dumper Updates / PS3 Disc Key Dumper, Klicensee Dumper and Secure File ID Dumper Updates (Mirror)

To quote: Finally I was able to find the time to port my dumpers on 4.21 CFW. There were some problems while porting from 3.55 to 4.xx and hopefully all of them were fixed.

These dumpers are not required to work with previous tool called Data Ddumper because they just write all data directly to the corresponding file on /dev_hdd0/tmp. All dumpers were tested on 4.21 REX and should works fine if you do the process correctly.

Example from KDSBest in REX 4.21:

[Register or Login to view code]

Dishonored Save Game Hack by KDSBest:

I ported XB36Harzard's XBox 360 Dishonored Save Game Editor to PS3 and modified it. His was detected as virus and I know why. Mine shouldn't get detected.

Download: XBox 360 Dishonored Save Game Editor For PS3

  • You have to use pfdtool to decrypt PAYLOAD of your Dishonored Save.
  • Enter the Stuff the SaveGame wants to know.
  • Play till you got at least 1 rune to be save.
  • Backup the savegame it uses a heuristic method since the positions of coins and runes are not fixed. It will warn you if it came to trouble and it backups your old PAYLOAD file.
  • If no warning comes (even sometimes if one comes) you should have more coins, runes and 65000 of most of the bullet types.
  • At the end you have to encrypt the PAYLOAD file with pfdtool again.
  • To the SaveGame it uses some strange modified zip algorithm to zip and unzip the save.

XB36Harzard uses offzip and packzip to manage the zip algo for him. So do I! I just ported his stuff and modified it and wrote it in C#... VB really sucks. Have fun, KDSBest

PS: If autosaves save failing press circle to cancel and normal. That works for me!

From whitezombie:

Here is FFXIII-2. I resigned a save, successfully copied, and loaded it. I don't know if it works on the US version but someone can test it. Add the following to your games.conf. I used the 3.55 version and keam to dump it from memory. Loaded it on another console with the latest Rogero.

[Register or Login to view code]


  • I recommend to use the FTP client from multiMAN to patch sprx files.
  • Don't forget to make backups of sprx files before patching them.
  • Don't use two or more dumpers at once - this will definitely not work).

More PlayStation 3 News...

#14 - crackle - October 22, 2012 // 10:45 pm
crackle's Avatar
Exciting if the disc key dumper works. Has anyone been able to verify that the keys correctly decrypt the software cryptographic layer?