What's new

domaumaru

Beginner
Joined
Jul 13, 2018
Messages
1
Reaction score
0
Location
Canada
Hi all,

I got myself an update usb for a 357 title. Game update files are presented as pkg files, so I think there could be a way to decrypt the game contents directly.

The header block appears to follow the same structure as used in regular ps3 consoles. According to pkg header information documented here, the packages identified themselves as debug pkg.

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 7F 50 4B 47 00 00 00 01 00 00 00 C0 00 00 00 08 PKG À
00000010 00 00 00 C0 00 00 06 15 00 00 00 00 CB 2D E6 50 À Ë-æP
00000020 00 00 00 00 00 00 01 80 00 00 00 00 CB 2D E4 70 € Ë-äp
00000030 55 50 30 30 30 31 2D 53 43 45 45 58 45 30 30 30 UP0001-SCEEXE000
00000040 5F 30 30 2D 46 55 4C 4C 50 41 43 4B 41 47 45 30 _00-FULLPACKAGE0
00000050 30 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00 0001
00000060 87 0F 10 9B 63 92 AD 1E 7E 71 F1 0E A5 8B 3C F6 ‡ ›c’­ ~qñ ¥‹<ö
00000070 1F 5B 3F 05 F0 03 25 BE 03 45 6C 84 D4 E4 2D 3E [? ð %¾ El„Ôä->
00000080 D0 0B 97 40 BB 74 09 5D 12 63 8D 7F 58 42 09 4C Ð —@»t ] c XB L
00000090 B6 E3 5A AD F9 05 E5 C6 60 33 D3 EF 7B AB 7D E6 ¶ãZ­ù åÆ`3Óï{«}æ
000000A0 BD 44 84 09 02 46 DA 8C A6 83 E0 84 71 3A 12 1F ½D„ FÚŒ¦ƒà„q:

000000B0 06 74 36 87 F9 E9 B9 4C 35 9C 37 74 56 F3 22 16 t6‡ùé¹L5œ7tVó"

I tried to use tools that supports debug pkg to extract the data, but none of the tools I tried worked. ungpkg crashes after creating a new folder. psn_package_npdrm complains about file being corrupted. pkgview says array out of bound...

Anyone can give any pointers on what I could try next?

Thanks in advance.

EDIT: formatting
 
Hello,

did you try to use the official Sony tool for this? (make_package_npdrm -x)
 
Hello,

did you try to use the official Sony tool for this? (make_package_npdrm -x)
This tool also returns in error.
That's weird. The official Sony tools supports debug packages and most of the scene based tools support retail packages. So either one of them should work except if the PKG type is somewhat special.
The executable files (.self) inside the PKG are special, they're also marked as debug SELFs but are actually authorized by Sony. Handling these files was just recently added to the scetool (https://github.com/Sorvigolova/scetool) and isn't supported by any other tool.
Can you please provide the output of:
make_package_npdrm <pkg name here>
make_package_npdrm -c <pkg name here>
for further investigation?
 
Hello,

did you try to use the official Sony tool for this? (make_package_npdrm -x)
This tool also returns in error.
That's weird. The official Sony tools supports debug packages and most of the scene based tools support retail packages. So either one of them should work except if the PKG type is somewhat special.The executable files (.self) inside the PKG are special, they're also marked as debug SELFs but are actually authorized by Sony. Handling these files was just recently added to the scetool (https://github.com/Sorvigolova/scetool) and isn't supported by any other tool.
Can you please provide the output of:
make_package_npdrm <pkg name here>
make_package_npdrm -c <pkg name here>
for further investigation?
Hey,

I'm also having trouble with these packages. I tried the version of scetool you linked but nothing really happened, not even file information:

Code:
> scetool.exe -i D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN
scetool 0.3.2 beta 3 (C) 2011-2013 by naehrwert
NP local license handling (C) 2012 by flatz

[*] Warning: Could not load internal keys.
Here are the outputs from make_package_npdrm:

Code:
> make_package_npdrm.exe D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN
This file was corrupted: "D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN"

> make_package_npdrm.exe -c D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN
This file was corrupted: "D:\TNT_RED_ASIA_UPD_NEWPCBONLY\VERSIONUP\DATA00010.BIN"
(For both tools, I also tried changing the filetype to .PKG but it did not change anything.)

I'll send you a PM with one of the packages, hopefully it will be helpful to find what the problem is.
 
Hello,

thanks for the files, I did some analysis on them.
These files are "debug" pkgs which can be created using the make_package_npdrm tool and mostly comply with the standard.
But there's one thing that's different: The key generation.

The content of these pkgs is (like the retail counterpart) encrypted, but make_package_npdrm should be able to decrypt them, because the key can be easily generated from the values in the header (unlike retail pkgs). However, this fails.

It's also no retail pkg file, because the header hash doesn't match (and some other things too). If you try to install them on a (retail/debug) PS3 you'll get error 0x80029564 (the same one like for pkgs which are only compatible with the shop "IDU" consoles or simply corrupt/"damaged" pkgs).

This means that Sony uses some custom key or key generation for the arcade (and maybe also shop) pkgs. This reminds me of the special PS2 memory cards.

I do have some arcade firmwares and know where the key should be located.
I'm going to take a look at this next week.
 
Hello,

thanks for the files, I did some analysis on them.
These files are "debug" pkgs which can be created using the make_package_npdrm tool and mostly comply with the standard.
But there's one thing that's different: The key generation.

The content of these pkgs is (like the retail counterpart) encrypted, but make_package_npdrm should be able to decrypt them, because the key can be easily generated from the values in the header (unlike retail pkgs). However, this fails.

It's also no retail pkg file, because the header hash doesn't match (and some other things too). If you try to install them on a (retail/debug) PS3 you'll get error 0x80029564 (the same one like for pkgs which are only compatible with the shop "IDU" consoles or simply corrupt/"damaged" pkgs).

This means that Sony uses some custom key or key generation for the arcade (and maybe also shop) pkgs. This reminds me of the special PS2 memory cards.

I do have some arcade firmwares and know where the key should be located.
I'm going to take a look at this next week.
Interesting, I figured it was a different key being used. Thanks for looking into this, hopefully you can find the key!
 
I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on a arcade PS3 by renaming them to *.PKG and using the XMB option?
This would ensure that these PKG files are not specially made for that game.
 
I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on a arcade PS3 by renaming them to *.PKG and using the XMB option?
This would ensure that these PKG files are not specially made for that game.
I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:

 
I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on a arcade PS3 by renaming them to *.PKG and using the XMB option?
This would ensure that these PKG files are not specially made for that game.
I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
Thanks, that's interesting. The installation process is game specific.

If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
BOOT.SELF
BOOT_XXX.SELF
EBOOT.BIN
GAME_XXX.SELF
TEST_XXX.SELF
TESTLIVE_XXX.SELF
VERUD_XXX.SELF
VERUDLIVE_XXX.SELF
, where XXX is a number like 100?

TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
 
I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on a arcade PS3 by renaming them to *.PKG and using the XMB option?
This would ensure that these PKG files are not specially made for that game.
I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
Thanks, that's interesting. The installation process is game specific.
If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
BOOT.SELF
BOOT_XXX.SELF
EBOOT.BIN
GAME_XXX.SELF
TEST_XXX.SELF
TESTLIVE_XXX.SELF
VERUD_XXX.SELF
VERUDLIVE_XXX.SELF
, where XXX is a number like 100?

TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
The contents of the update dongle are all I have, I'm afraid. I'm only looking to extract the game data, running the game isn't of much interest to me currently.
 
I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on a arcade PS3 by renaming them to *.PKG and using the XMB option?
This would ensure that these PKG files are not specially made for that game.
I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
Thanks, that's interesting. The installation process is game specific.If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:
BOOT.SELF
BOOT_XXX.SELF
EBOOT.BIN
GAME_XXX.SELF
TEST_XXX.SELF
TESTLIVE_XXX.SELF
VERUD_XXX.SELF
VERUDLIVE_XXX.SELF
, where XXX is a number like 100?

TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
The contents of the update dongle are all I have, I'm afraid. I'm only looking to extract the game data, running the game isn't of much interest to me currently.
No problem, I've reversed how the update works:
Either the game copies the game specific update data to /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALLX.PKG (variable X) and resets the PS3 into update mode or the PS3 copies the data from /dev_usb000/game/SCEEXE000/ARCDIR/INSTALLX.PKG and then installs it (similar with the system update (PUP)).

This game and also Tekken 6 use the first option.

To install the PKG, the VirtualShell (VSH) uses the nas_plugin (like for any other PKG). The good news: The VSH is different between ARCADE and other types of firmwares, but the nas_plugin stays the same.

The nas_plugin does have different functions: https://www.psdevwiki.com/ps3/Nas_plugin . "Normal" PKGs use a different function compared to "Arcade" (or "Shop") PKGs - but I don't know hich functions are used yet.
I've to ask someone to solve this.
 
I didn't have time to check my assumptions yet, but did you try to install these *.BIN files on a arcade PS3 by renaming them to *.PKG and using the XMB option?
This would ensure that these PKG files are not specially made for that game.
I don't have access to an arcade PS3 to test that, sadly. But I did find footage of the installation process, if that matters:
Thanks, that's interesting. The installation process is game specific.If you have the game, can you confirm if it follows the same naming convention for executable files like earlier titles:BOOT.SELF
BOOT_XXX.SELF
EBOOT.BIN
GAME_XXX.SELF
TEST_XXX.SELF
TESTLIVE_XXX.SELF
VERUD_XXX.SELF
VERUDLIVE_XXX.SELF
, where XXX is a number like 100?

TEKKEN6 uses /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG and/or /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALL0.PKG for the software update.
The contents of the update dongle are all I have, I'm afraid. I'm only looking to extract the game data, running the game isn't of much interest to me currently.
No problem, I've reversed how the update works:Either the game copies the game specific update data to /dev_hdd0/game/SCEEXE000/ARCDIR/INSTALLX.PKG (variable X) and resets the PS3 into update mode or the PS3 copies the data from /dev_usb000/game/SCEEXE000/ARCDIR/INSTALLX.PKG and then installs it (similar with the system update (PUP)).

This game and also Tekken 6 use the first option.

To install the PKG, the VirtualShell (VSH) uses the nas_plugin (like for any other PKG). The good news: The VSH is different between ARCADE and other types of firmwares, but the nas_plugin stays the same.

The nas_plugin does have different functions: https://www.psdevwiki.com/ps3/Nas_plugin . "Normal" PKGs use a different function compared to "Arcade" (or "Shop") PKGs - but I don't know hich functions are used yet.
I've to ask someone to solve this.
Yes, I've heard Tekken 6 and some other Namco arcade games use this option. Thank you for your work so far, I hope something comes out of this.
 
the Reverse Engineering was made by SSL in explore_plugin.sprx (the algo is universal and exists in all firmwares, even non arcade ones)
i decided to grep for SCEEXE000 in the 4.70 GEX PUP and found a couple of matches. SSL found the respective code and modified ungpkg to accept arcade pkgs (we only have 3 to test but they all worked properly)
 
M4j0r said:
The arcade pkgs can now be decrypted, thanks to SSL and zecoxao.
For this to work, you'll need to compile the fail0verflow tools (github.com/darkuncle/fail0verflow) with the provided patch.
When I use this tool on the Taiko Red version update data, I am getting a "filename too long" error for the DATA00010.pkg and DATA00011.pkg files, and for the DATA00012.pkg I am getting a "Segmentation fault (core dumped)" error. Has anyone experienced these errors/have a solution for these errors?

Edit: Disregard the above, I figured it out.. I'm new to this
 
Last edited:
Back
Top