System 357 pkg decryption


    • System 357 pkg decryption

      Hi all,

      I got myself an update usb for a 357 title. Game update files are presented as pkg files, so I think there could be a way to decrypt the game contents directly.

      The header block appears to follow the same structure as used in regular PS3 consoles. According to the pkg header information documented here, the packages identify themselves as debug pkgs.

      Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

      00000000 7F 50 4B 47 00 00 00 01 00 00 00 C0 00 00 00 08  .PKG............
      00000010 00 00 00 C0 00 00 06 15 00 00 00 00 CB 2D E6 50  .............-.P
      00000020 00 00 00 00 00 00 01 80 00 00 00 00 CB 2D E4 70  .............-.p
      00000030 55 50 30 30 30 31 2D 53 43 45 45 58 45 30 30 30  UP0001-SCEEXE000
      00000040 5F 30 30 2D 46 55 4C 4C 50 41 43 4B 41 47 45 30  _00-FULLPACKAGE0
      00000050 30 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00  0001............
      00000060 87 0F 10 9B 63 92 AD 1E 7E 71 F1 0E A5 8B 3C F6  ....c...~q....<.
      00000070 1F 5B 3F 05 F0 03 25 BE 03 45 6C 84 D4 E4 2D 3E  .[?...%..El...->
      00000080 D0 0B 97 40 BB 74 09 5D 12 63 8D 7F 58 42 09 4C  ...@.t.].c..XB.L
      00000090 B6 E3 5A AD F9 05 E5 C6 60 33 D3 EF 7B AB 7D E6  ..Z.....`3..{.}.
      000000A0 BD 44 84 09 02 46 DA 8C A6 83 E0 84 71 3A 12 1F  .D...F......q:..
      000000B0 06 74 36 87 F9 E9 B9 4C 35 9C 37 74 56 F3 22 16  .t6....L5.7tV.".

      I tried to use tools that support debug pkgs to extract the data, but none of the tools I tried worked. ungpkg crashes after creating a new folder. psn_package_npdrm complains about the file being corrupted. pkgview says array out of bound...

      Anyone can give any pointers on what I could try next?

      Thanks in advance.

      EDIT: formatting
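
      An added example, not part of the original post or of any tool named in this thread: a parser for the fixed 0x60-byte header shown in the hex dump above. It reads the revision field (the "debug" marking the post mentions) and checks that the size and offset fields agree with each other. The field names and the 0x0000/0x8000 revision meanings follow the public PKG header documentation the post refers to and are assumptions here.

```python
import struct

# First 0x60 bytes of the header, transcribed from the hex dump in the post.
HEADER_HEX = """
7F 50 4B 47 00 00 00 01 00 00 00 C0 00 00 00 08
00 00 00 C0 00 00 06 15 00 00 00 00 CB 2D E6 50
00 00 00 00 00 00 01 80 00 00 00 00 CB 2D E4 70
55 50 30 30 30 31 2D 53 43 45 45 58 45 30 30 30
5F 30 30 2D 46 55 4C 4C 50 41 43 4B 41 47 45 30
30 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Assumed big-endian layout: magic, revision, type, metadata offset/count/size,
# item count, total size, data offset, data size, 36-byte content ID, 12 pad bytes.
FIXED = struct.Struct(">4sHHIIIIQQQ36s12x")
FIELDS = ("magic", "revision", "pkg_type", "meta_offset", "meta_count", "meta_size",
          "item_count", "total_size", "data_offset", "data_size", "content_id")
REVISIONS = {0x0000: "debug (non-finalized)", 0x8000: "retail (finalized)"}  # assumption


def parse_pkg_header(buf: bytes) -> dict:
    """Decode the fixed header; raise ValueError on short or non-PKG input."""
    if len(buf) < FIXED.size:
        raise ValueError(f"need {FIXED.size} bytes, got {len(buf)}")
    hdr = dict(zip(FIELDS, FIXED.unpack_from(buf)))
    if hdr["magic"] != b"\x7fPKG":
        raise ValueError("bad magic, not a PKG header")
    hdr["content_id"] = hdr["content_id"].rstrip(b"\0").decode("ascii", "replace")
    hdr["revision_name"] = REVISIONS.get(hdr["revision"], "unknown")
    return hdr


def layout_problems(hdr: dict, file_size=None) -> list:
    """Return inconsistencies between the size/offset fields (empty if none)."""
    problems = []
    if hdr["meta_offset"] + hdr["meta_size"] > hdr["data_offset"]:
        problems.append("metadata overlaps the data region")
    if hdr["data_offset"] + hdr["data_size"] > hdr["total_size"]:
        problems.append("data region runs past total_size")
    if file_size is not None and file_size != hdr["total_size"]:
        problems.append(f"file is {file_size} bytes, header says {hdr['total_size']}")
    return problems


if __name__ == "__main__":
    hdr = parse_pkg_header(bytes.fromhex(HEADER_HEX))
    print(hdr, layout_problems(hdr) or "no layout problems")
```

      Passing the real file size as `file_size` separates a truncated copy from a structurally intact package that a tool rejects for some other reason.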
    • nyannyan wrote:

      M4j0r wrote:

      Hello,

      did you try to use the official Sony tool for this? (make_package_npdrm -x)
      This tool also returns an error.
      That's weird. The official Sony tools support debug packages and most of the scene-based tools support retail packages. So either one of them should work except if the PKG type is somewhat special.
      The executable files (.self) inside the PKG are special, they're also marked as debug SELFs but are actually authorized by Sony. Handling these files was just recently added to the scetool (github.com/Sorvigolova/scetool) and isn't supported by any other tool.
      Can you please provide the output of:
      make_package_npdrm <pkg name here>
      make_package_npdrm -c <pkg name here>
      for further investigation?
    • M4j0r wrote:

      nyannyan wrote:

      M4j0r wrote:

      Hello,

      did you try to use the official Sony tool for this? (make_package_npdrm -x)
      This tool also returns an error.
      That's weird. The official Sony tools support debug packages and most of the scene-based tools support retail packages. So either one of them should work except if the PKG type is somewhat special. The executable files (.self) inside the PKG are special, they're also marked as debug SELFs but are actually authorized by Sony. Handling these files was just recently added to the scetool (github.com/Sorvigolova/scetool) and isn't supported by any other tool.
      Can you please provide the output of:
      make_package_npdrm <pkg name here>
      make_package_npdrm -c <pkg name here>
      for further investigation?

      Hey,

      I'm also having trouble with these packages. I tried the version of scetool you linked but nothing really happened, not even file information:

      Source Code

      > scetool.exe -i D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN
      scetool 0.3.2 beta 3 (C) 2011-2013 by naehrwert
      NP local license handling (C) 2012 by flatz
      [*] Warning: Could not load internal keys.

      Here are the outputs from make_package_npdrm:

      Source Code

      > make_package_npdrm.exe D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN
      This file was corrupted: "D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN"
      > make_package_npdrm.exe -c D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN
      This file was corrupted: "D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN"

      (For both tools, I also tried changing the filetype to .PKG but it did not change anything.)

      I'll send you a PM with one of the packages, hopefully it will be helpful to find what the problem is.
    • Hello,

      thanks for the files, I did some analysis on them.
      These files are "debug" pkgs which can be created using the make_package_npdrm tool and mostly comply with the standard.
      But there's one thing that's different: The key generation.

      The content of these pkgs is (like the retail counterpart) encrypted, but make_package_npdrm should be able to decrypt them, because the key can be easily generated from the values in the header (unlike retail pkgs). However, this fails.

      It's also not a retail pkg file, because the header hash doesn't match (and some other things too). If you try to install them on a (retail/debug) PS3 you'll get error 0x80029564 (the same one as for pkgs which are only compatible with the shop "IDU" consoles or simply corrupt/"damaged" pkgs).

      This means that Sony uses some custom key or key generation for the arcade (and maybe also shop) pkgs. This reminds me of the special PS2 memory cards.

      I do have some arcade firmwares and know where the key should be located.
      I'm going to take a look at this next week.
    • M4j0r wrote:

      Hello,

      thanks for the files, I did some analysis on them.
      These files are "debug" pkgs which can be created using the make_package_npdrm tool and mostly comply with the standard.
      But there's one thing that's different: The key generation.

      The content of these pkgs is (like the retail counterpart) encrypted, but make_package_npdrm should be able to decrypt them, because the key can be easily generated from the values in the header (unlike retail pkgs). However, this fails.

      It's also not a retail pkg file, because the header hash doesn't match (and some other things too). If you try to install them on a (retail/debug) PS3 you'll get error 0x80029564 (the same one as for pkgs which are only compatible with the shop "IDU" consoles or simply corrupt/"damaged" pkgs).

      This means that Sony uses some custom key or key generation for the arcade (and maybe also shop) pkgs. This reminds me of the special PS2 memory cards.

      I do have some arcade firmwares and know where the key should be located.
      I'm going to take a look at this next week.
      Interesting, I figured it was a different key being used. Thanks for looking into this, hopefully you can find the key!
    • M4j0r wrote:

      I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on an arcade PS3 by renaming them to *.PKG and using the XMB option?
      This would ensure that these PKG files are not specially made for that game.
      I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:

    • jonaut wrote:

      M4j0r wrote:

      I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on an arcade PS3 by renaming them to *.PKG and using the XMB option?
      This would ensure that these PKG files are not specially made for that game.
      I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:

      Thanks, that's interesting. The installation process is game specific.

      If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
      BOOT.SELF
      BOOT_XXX.SELF
      EBOOT.BIN
      GAME_XXX.SELF
      TEST_XXX.SELF
      TESTLIVE_XXX.SELF
      VERUD_XXX.SELF
      VERUDLIVE_XXX.SELF
      , where XXX is a number like 100?

      TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
    • M4j0r wrote:

      jonaut wrote:

      M4j0r wrote:

      I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on an arcade PS3 by renaming them to *.PKG and using the XMB option?
      This would ensure that these PKG files are not specially made for that game.
      I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
      Thanks, that's interesting. The installation process is game specific.
      If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
      BOOT.SELF
      BOOT_XXX.SELF
      EBOOT.BIN
      GAME_XXX.SELF
      TEST_XXX.SELF
      TESTLIVE_XXX.SELF
      VERUD_XXX.SELF
      VERUDLIVE_XXX.SELF
      , where XXX is a number like 100?

      TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
      The contents of the update dongle are all I have, I'm afraid. I'm only looking to extract the game data, running the game isn't of much interest to me currently.
    • jonaut wrote:

      M4j0r wrote:

      jonaut wrote:

      M4j0r wrote:

      I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on an arcade PS3 by renaming them to *.PKG and using the XMB option?
      This would ensure that these PKG files are not specially made for that game.
      I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
      Thanks, that's interesting. The installation process is game specific. If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
      BOOT.SELF
      BOOT_XXX.SELF
      EBOOT.BIN
      GAME_XXX.SELF
      TEST_XXX.SELF
      TESTLIVE_XXX.SELF
      VERUD_XXX.SELF
      VERUDLIVE_XXX.SELF
      , where XXX is a number like 100?

      TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
      The contents of the update dongle are all I have, I'm afraid. I'm only looking to extract the game data, running the game isn't of much interest to me currently.
      No problem, I've reversed how the update works:
      Either the game copies the game specific update data to /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALLX.PKG (variable X) and resets the PS3 into update mode or the PS3 copies the data from /dev_usb000/game/SCEEXE000/ARCDIR/INSTALLX.PKG and then installs it (similar to the system update (PUP)).

      This game and also Tekken 6 use the first option.

      To install the PKG, the VirtualShell (VSH) uses the nas_plugin (like for any other PKG). The good news: The VSH is different between ARCADE and other types of firmwares, but the nas_plugin stays the same.

      The nas_plugin does have different functions: psdevwiki.com/ps3/Nas_plugin . "Normal" PKGs use a different function compared to "Arcade" (or "Shop") PKGs - but I don't know which functions are used yet.
      I've to ask someone to solve this.
    • M4j0r wrote:

      jonaut wrote:

      M4j0r wrote:

      jonaut wrote:

      M4j0r wrote:

      I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on an arcade PS3 by renaming them to *.PKG and using the XMB option?
      This would ensure that these PKG files are not specially made for that game.
      I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
      Thanks, that's interesting. The installation process is game specific. If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
      BOOT.SELF
      BOOT_XXX.SELF
      EBOOT.BIN
      GAME_XXX.SELF
      TEST_XXX.SELF
      TESTLIVE_XXX.SELF
      VERUD_XXX.SELF
      VERUDLIVE_XXX.SELF
      , where XXX is a number like 100?

      TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
      The contents of the update dongle are all I have, I'm afraid. I'm only looking to extract the game data, running the game isn't of much interest to me currently.
      No problem, I've reversed how the update works: Either the game copies the game specific update data to /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALLX.PKG (variable X) and resets the PS3 into update mode or the PS3 copies the data from /dev_usb000/game/SCEEXE000/ARCDIR/INSTALLX.PKG and then installs it (similar to the system update (PUP)).

      This game and also Tekken 6 use the first option.

      To install the PKG, the VirtualShell (VSH) uses the nas_plugin (like for any other PKG). The good news: The VSH is different between ARCADE and other types of firmwares, but the nas_plugin stays the same.

      The nas_plugin does have different functions: psdevwiki.com/ps3/Nas_plugin . "Normal" PKGs use a different function compared to "Arcade" (or "Shop") PKGs - but I don't know which functions are used yet.
      I've to ask someone to solve this.
      Yes, I've heard Tekken 6 and some other Namco arcade games use this option. Thank you for your work so far, I hope something comes out of this.