Bruteforce KLicense Tools Discussion

Discussion in 'PS3 Technical Only Topics' started by PatrickBatman, Aug 5, 2012.

  1. PatrickBatman SCENE MOD Loyal Member

    Joined:
    Oct 24, 2011
    Location:
    Pangea
    1.11 fixed update: I uploaded it to ps3scenefiles: http://ps3scenefiles.com/file.php?id=904

    You have to install ALL updates from 1.05 to 1.11 before that.
    1.12 doesn't seem to work, for unknown reasons. 1.13 does not have an EBOOT.BIN, so once 1.12 is fixed we will have 1.13.
     
    Jock O'Strap likes this.
  2. corsasri Loyal Member

    Joined:
    Jan 9, 2012
    Where can I get all the updates for GT5?
     
  3. gDrive Not Your Mommas Tranny Clean-Up Crew

    Joined:
    Jul 9, 2011
    Home Page:
    http://techbliss.org
    The PS3 Game Updater application: all you need to do is search for the update using the game ID and Bob's your uncle! :p
     
    Jock O'Strap likes this.
  4. cerebr_al Loyal Member

    Joined:
    Jul 7, 2011
    1.11 installed fine, but I started the Formula GT Championship and went to stop midway via the Quick Menu, and there was no interrupt button. Maybe you can only do it between races. Will try later and post.
     
  5. tonybologna Loyal Member

    Joined:
    Jul 1, 2006
    Occupation:
    construction business owner, affiliate marketing,
    Location:
    USA- Tennessee
    There seems to be a lot of weird crap happening with this scetool fixing. I believe ghosts have decided to reside in some PS3s. This is crazy, reading all of these weird reports/posts coming from using scetool. :confusion:
     
  6. xPreatorianx Loyal Member

    Joined:
    Jul 7, 2011
    Home Page:
    http://deviant-generation.com/
    Cheers bud, I'll definitely look into it. Yeah, I already know I have an autoimmune deficiency disease like my mom. She has plagued me with her damn junk genes. (And no, I don't mean the real AIDS. Yes, autoimmune deficiency does share the same basic acronym, but they are fundamentally different. The real AIDS is a virus that attacks your body. Autoimmune is a disease where your body attacks itself because it perceives itself as a virus.)
     
  7. FinalFight Loyal Member

    Joined:
    Nov 19, 2011
    Hello everyone, I have fixed some game EBOOTs until now, but now I want to fix one that has an .sprx file. Can someone tell me what tools I have to use and how to use them?

    Thanks ;)
     
  8. opoisso893 Our Official MaxConsole PS3 Eboot Fixer Loyal Member

    Joined:
    Aug 2, 2012
    To correct the 8001003C error, try this:
    1- Decrypt EBOOT.BIN with scetool v0.2.8: scetool -d EBOOT.BIN EBOOT.ELF
    2- Rename EBOOT.BIN to EBOOT_ORIGINAL.BIN
    3- Edit EBOOT.ELF in hexadecimal (I'm using Hex Editor Neo): search for 24 13 BC C5 F6, and just after it you should get 00 33 00 00 00 36; change 36 to 34 and save
    4- Encrypt EBOOT.ELF with scetool: scetool.exe --sce-type=SELF --compress-data=FALSE --skip-sections=FALSE --key-revision=000A --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003005500000000 --np-license-type=FREE --np-content-id=xxxxxxxxx --np-app-type=EXEC --np-real-fname=EBOOT.BIN --encrypt EBOOT.ELF EBOOT.BIN

    Replace xxxxxxxxx with the Content ID. In my example I encrypt the EBOOT.BIN for FW 3.55.
     
  9. FinalFight Loyal Member

    Joined:
    Nov 19, 2011
    How can I find 24 13 BC C5 F6? Thanks
     
  10. opoisso893 Our Official MaxConsole PS3 Eboot Fixer Loyal Member

    Joined:
    Aug 2, 2012
    Open the EBOOT.ELF with a hex editor and click Find in the Edit menu.
     
  11. FinalFight Loyal Member

    Joined:
    Nov 19, 2011
    OK ;), I did that and I resolved that error :D :D... BCES00865 EyePet and Friends is now working :D.

    Thanks
     
  12. JLM Guest

    Sniper Ghost Warrior BLES01286 PATCH000001
    01DB75F0 0000 0000 0000 0000 0000 0000 0000 0000 ................
    01DB7600 0000 0024 13BC C5F6 0033 0000 0035 0001 ...$.....3...5..

    __________________

    For typing long commands (with lots of options at the command line), the up arrow key is very handy. If you made a mistake typing and scetool says error, just push the up arrow key; the last command you typed will appear. Then use the left arrow key to go to the mistake and fix it. Sometimes easier than re-typing the whole line.
     
  13. PatrickBatman SCENE MOD Loyal Member

    Joined:
    Oct 24, 2011
    Location:
    Pangea
    So it's the same as when I manually modded EBOOTs: that's the sys_proc_param, yeah, and that 35 hex is the SDK version 3.50, same old shit. You just change that to whatever the hell firmware you want, usually 34 for the lowest jailbreak, 3.41. With every EBOOT, at least back when I did it, you'd find that same string of bytes every time, 13 BC C5 F6 (but it has to be the .elf obviously; the .self is encrypted, so those bytes don't exist there).

    You can use readself in Cygwin on EBOOT.BIN (encrypted) to get this info. Here's Deus Ex for example:
    Code:
    Section header
        offset             size              compressed unk1     unk2     encrypted
        00000000_00000a80  00000000_00f667e8 [NO ]      00000000 00000000 [YES]
        00000000_00f70a80  00000000_000bf6d4 [NO ]      00000000 00000000 [YES]
        00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
        00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
        00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
        00000000_01000734  00000000_00000008 [NO ]      00000000 00000000 [N/A]
        00000000_00f67200  00000000_00000028 [NO ]      00000000 00000000 [N/A]
        00000000_00f67228  00000000_00000040 [NO ]      00000000 00000000 [N/A]
    
    If you copy the offsets, say the first one, 00000000_00000a80 00000000_00f667e8, then take out the underscores and spaces to make 0000000000000a800000000000f667e8. You then search for this hex value in a hex editor; the line directly below will be all zeros except for 2 bytes that are not zero, and those toggle the compression and encryption flags. The first non-zero byte is the compression flag and the one at the end is the encryption flag. Change the number from 01 to 02 or vice versa to toggle yes and no on compression and encryption. Then save, check readself, and you will get (I just toggled the first 2 offsets, but back then I'd have to do all of them; compression didn't matter, that just changed the size of the EBOOT):

    Code:
    Section header
        offset             size              compressed unk1     unk2     encrypted
        00000000_00000a80  00000000_00f667e8 [YES]      00000000 00000000 [NO ]
        00000000_00f70a80  00000000_000bf6d4 [YES]      00000000 00000000 [NO ]
        00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
        00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
        00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
        00000000_01000734  00000000_00000008 [NO ]      00000000 00000000 [N/A]
        00000000_00f67200  00000000_00000028 [NO ]      00000000 00000000 [N/A]
        00000000_00f67228  00000000_00000040 [NO ]      00000000 00000000 [N/A]
    
    and I had to do some other shit. Once I got good I could "crack" an EBOOT in 5 minutes or so.
     
    Jock O'Strap likes this.
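    Added example, not from this thread or from readself itself: a small Python parser for the readself "Section header" table quoted above, plus a diff that reports which flags changed between two dumps of the same file. This is the "check readself" step done mechanically: it confirms that only the compressed/encrypted columns moved and that every offset and size is still what it was, which is how you would catch an edit that landed on the wrong bytes. The two tables are constructed from the post's output; the names Section, parse_section_header and diff_flags are this example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input: readself's Section header table for the Deus Ex
# EBOOT.BIN as quoted in the post, before and after the edit. Only the text
# is parsed here; readself itself is not run.
BEFORE = """\
Section header
    offset             size              compressed unk1     unk2     encrypted
    00000000_00000a80  00000000_00f667e8 [NO ]      00000000 00000000 [YES]
    00000000_00f70a80  00000000_000bf6d4 [NO ]      00000000 00000000 [YES]
    00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
    00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
    00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
    00000000_01000734  00000000_00000008 [NO ]      00000000 00000000 [N/A]
    00000000_00f67200  00000000_00000028 [NO ]      00000000 00000000 [N/A]
    00000000_00f67228  00000000_00000040 [NO ]      00000000 00000000 [N/A]
"""

AFTER = """\
Section header
    offset             size              compressed unk1     unk2     encrypted
    00000000_00000a80  00000000_00f667e8 [YES]      00000000 00000000 [NO ]
    00000000_00f70a80  00000000_000bf6d4 [YES]      00000000 00000000 [NO ]
    00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
    00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
    00000000_01030154  00000000_00000000 [NO ]      00000000 00000000 [YES]
    00000000_01000734  00000000_00000008 [NO ]      00000000 00000000 [N/A]
    00000000_00f67200  00000000_00000028 [NO ]      00000000 00000000 [N/A]
    00000000_00f67228  00000000_00000040 [NO ]      00000000 00000000 [N/A]
"""


class Section(NamedTuple):
    offset: int                 # file offset of the section data
    size: int                   # section size in bytes
    compressed: bool            # the [YES]/[NO ] "compressed" column
    encrypted: Optional[bool]   # None where readself prints [N/A]


# One data row: two 64-bit values printed as hi_lo, a flag, two unk words, a flag.
ROW = re.compile(
    r"^\s*([0-9a-f]{8})_([0-9a-f]{8})\s+"   # offset hi_lo
    r"([0-9a-f]{8})_([0-9a-f]{8})\s+"       # size hi_lo
    r"\[(YES|NO |N/A)\]\s+"                 # compressed
    r"[0-9a-f]{8}\s+[0-9a-f]{8}\s+"         # unk1 unk2 (ignored)
    r"\[(YES|NO |N/A)\]\s*$",               # encrypted
    re.IGNORECASE,
)


def _flag(text: str) -> Optional[bool]:
    text = text.strip()
    return None if text == "N/A" else text == "YES"


def parse_section_header(dump: str) -> List[Section]:
    """Parse readself's Section header table; title and column-heading lines are skipped."""
    sections = []
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        off_hi, off_lo, sz_hi, sz_lo, comp, enc = m.groups()
        sections.append(Section(int(off_hi + off_lo, 16), int(sz_hi + sz_lo, 16),
                                _flag(comp), _flag(enc)))
    return sections


def diff_flags(before: List[Section],
               after: List[Section]) -> List[Tuple[int, str, Optional[bool], Optional[bool]]]:
    """List every flag that differs between two dumps of the same file.

    Raises if the section count or any offset/size differs: that means the two
    dumps are not of the same binary, or the edit damaged the header layout.
    """
    if len(before) != len(after):
        raise ValueError("section count differs: %d vs %d" % (len(before), len(after)))
    changes = []
    for idx, (a, b) in enumerate(zip(before, after)):
        if (a.offset, a.size) != (b.offset, b.size):
            raise ValueError("section %d offset/size changed; header layout damaged?" % idx)
        for field in ("compressed", "encrypted"):
            old, new = getattr(a, field), getattr(b, field)
            if old != new:
                changes.append((idx, field, old, new))
    return changes


if __name__ == "__main__":
    for idx, field, old, new in diff_flags(parse_section_header(BEFORE),
                                           parse_section_header(AFTER)):
        print("section %d: %s %s -> %s" % (idx, field, old, new))
```

    Run stand-alone it prints the four flag changes on sections 0 and 1 and nothing else; a ValueError instead of a list is the signal that the wrong line was edited.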
  14. andreus Loyal Member

    Joined:
    Jul 4, 2011
    I think you can do hex search and replace on the command line. And if you can do it on the command line, as you know, you can add it to a batch script.

    So you can download binmay (text/hex/binary replacer) to your fix folder and, for instance, add these lines to the batch file after the ELF is created.
     
  15. aldostools Developer

    Joined:
    Feb 21, 2007
    removed post
     
  16. Asure Loyal Member

    Joined:
    Jul 7, 2011
    With some help from devs I made a small .bat file that can bruteforce the klic key from EBOOTs that use/load self/sprx files.

    Code:
    @Echo off
    SET OFFSET=0
    :START
    FOR /F "tokens=*" %%i in ('"od -j%OFFSET% -N16 -w16 -t x1 eboot.elf | cut -c 8- |sed 's/ //g'"') do SET KEY=%%i
    if %KEY% == 00000000000000000000000000000000 (
    echo Skipped 10 bytes of blank/useless key at %OFFSET%
    set /a OFFSET+=10
    ) else (
    ECHO Trying Key: %KEY% from decimal offset: %OFFSET%
    scetool.exe -l %KEY% -d default.self selfout.elf >nul
    set /a OFFSET+=1
    )
    IF EXIST selfout.elf GOTO END
    goto START
    :end
    echo Done! Key used was: %KEY%
    
    You need to put this into a folder with scetool, data/keys etc. working.
    Then drop in an eboot.bin and decrypt it with scetool into eboot.elf.
    Then drop in an encrypted self or sprx, and modify the bat file a little, perhaps.

    The needed Linux tools like od.exe and sed.exe can all be found in this package: http://www.sendspace.com/file/g9syfd
    If you want to test with, say, Portal 2 sprx files, you can try starting at offset 608600. MW3 around offset 54272.

    The batch file is not perfect. On large files, the cut command starts to malfunction, as I don't take this into account with the sed/cut combo.

    Note: This is just a proof of concept; I wanted to know how the whole self/sprx stuff worked. It doesn't contain keys or any proprietary tools from Sony, and as far as I know, it's not doing anything illegal.
     
  17. andreus Loyal Member

    Joined:
    Jul 4, 2011
    So you have uncovered the final piece of the puzzle! Nice work.
     
  18. Asure Loyal Member

    Joined:
    Jul 7, 2011
    I didn't uncover it all by myself; I got a few hints and suggestions from devs, and made the batch file.
    Lost a day because of my own stupidity, when I had -l %KEY% at the end of the scetool command; otherwise it would have found a key much sooner.

    A user on hax posted the MW3 key. I found it in a hex editor and figured out I must be doing something wrong in the bat file. Corrected the bat file => bingo!

    It would be better if someone coded a proper C app to do this, which would be lots faster. We're looking at 20 hours for the Portal 2 EBOOT, unless you cheat and start at a higher offset, where the game has its strings located.

    The bat file also can't handle big files >9.9 MB, unless someone mods it and changes the od/cut/sed command once %OFFSET% > 9.9 MB, etc.
    Try it for fun with MW3 and Portal :)
     
  19. JLM Guest

    I think you are saying it takes 20 hours for the batch file to find the key in one EBOOT?
    Nice find.
     
  20. andreus Loyal Member

    Joined:
    Jul 4, 2011
    From what you're saying, normally you found them at the end of the ELF, so the batch would be more efficient if it ran in reverse, i.e. started looking from the end towards the beginning, don't you think?

    I think you can get the last decimal offset.

    Also, I think ELF files must have a structure of some kind, and with that you can know the offset to start looking from.
     
