PS3 Building all updates into a CFW2OFW PKG and avoiding game data installation

DeViL303

Random bit of information, I wanted to convert my Wipeout HD Fury ISO to a CFW2OFW style pkg for archiving. I wanted to build all updates into the one pkg, and also avoid having to install game data. Took a little bit of figuring out but eventually got there. This method will probably work for other CFW2OFW rips too but I have only done it with this game so far.

So normally the disc version of Wipeout HD Fury has these files in the USRDIR folder.

[screenshot: upload_2021-3-26_0-43-4.png]



What I did was the usual CFW2OFW process:
  • Download all the updates
  • Extract them all into the same folder from oldest to newest, overwriting files as required.
  • Edit the PARAM.SFO to category HG
When this was done I discovered it still required gamedata to install before I could play it. During this process it copied all the psarc files from BCES00664 to BCES00664DATA.


This has a couple of extra psarc files included that were in the update pkgs.
[screenshot: upload_2021-3-26_1-7-1.png]


So I created a pkg using lmn7's special pkg creator that allows us to create pkgs with folders included that can install to different locations. I removed all of the psarcs from the original location BCES00664 and put them into a newly created folder dev_hdd0/game/BCES00664DATA/USRDIR/, and it worked: the original BCES00664 folder is only 16MB, with everything else in BCES00664DATA.

The top level of my pkg looks like this:
[screenshot: upload_2021-3-26_1-26-0.png]


So basically now I have a single PKG that installs a fully up-to-date version of Wipeout HD Fury with gamedata already installed. No licenses required as it's CFW2OFW converted, and this package has no files duplicated so it still comes in at 1.85GB.
 

This is how the package creator works: if you want the pkg to install stuff to different locations than the usual game/CONTENTID/, you add the extra folders there. Any extra folder included at the root level that starts with "dev_" will be installed to the other location.

So you could include a dev_hdd0/exdata/ folder there if you wanted, this way you can have the rap file included in the pkg. You can also have a package that installs an application like normal but also patches dev_blind. Lots of potential uses.
 
Why do you have a dev_hdd0 folder in the root of the package?

The pkg_custom (make_package_custom) uses a directory traversal attack (../../..) to install files outside of the game folder.

The installation path is: /dev_hdd0/game/XXXX00000

The directory traversal adds ../../.. to the path, so it installs in /dev_hdd0/game/XXXX00000/../../../; the effective path is /

Therefore the folder dev_hdd0 installs in /dev_hdd0 (dev_blind would install in /dev_blind)
 
This directory traversal attack works in other places on PS3 too. Like basically everywhere I have tried it. You can use it on paths within sprx files and vsh.self, so you can do funny stuff like have xai_plugin.sprx read from dev_hdd0/plugins/ for example.

I had an idea before to use in my CFW: basically have all the usual stuff people like to change, like qrc files, coldboot.raf, imagefont.bin, and ac3 files, maybe even category xmls too, all read from dev_flash2 instead. This way all that stuff would survive firmware updates and HDD formats.

A lot of this can be done with direct path changes, but if the full path is not used, for example if the path has a "%s" or whatever, then the directory traversal attack works to get back up to root.
 
A variation of the path attack is the use of /. or // to make a path look different.
e.g. /dev_hdd0/file, //dev_hdd0/file, /./dev_hdd0/file, /dev_hdd0/./file, //dev_hdd0//file, ///dev_hdd0/file are the same path.

I use this trick to make webMAN copy the files in hdd0, instead of linking the files when source and target are in /dev_hdd0. Example:
/copy.ps3//dev_hdd0/boot_plugins.txt&/dev_hdd0/backup.txt
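As an added example (not code from this thread, webMAN, or any PS3 packaging tool), a small Python normaliser covering both the ../../.. install behaviour explained above and the //, /./ spellings just listed: it computes where a package entry actually lands, flags entries that leave the install folder, and tests whether two spellings name the same file. The install root string and the entry list are assumptions constructed for the demo.

```python
import posixpath

# Constructed values: the thread's placeholder content id and a hand-made entry list.
INSTALL_ROOT = "/dev_hdd0/game/XXXX00000"

def canonical(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so equivalent spellings compare equal.

    posixpath.normpath keeps a leading '//' (POSIX leaves it implementation
    defined), so the leading run of slashes is reduced to one by hand.
    """
    return "/" + posixpath.normpath(path).lstrip("/")

def effective_path(entry: str, root: str = INSTALL_ROOT) -> str:
    """Where a package entry lands when unpacked under root.

    An entry starting with '../../..' (as the custom package tool described in
    the thread writes them) climbs out of root; posixpath.join also discards
    root entirely if the entry is absolute, which is treated the same way.
    """
    return canonical(posixpath.join(root, entry))

def escapes_root(entry: str, root: str = INSTALL_ROOT) -> bool:
    """True when the entry's effective path is outside root.

    Comparison is done on canonical paths, so an entry that climbs out and
    straight back into root is correctly reported as staying inside.
    """
    root_c = canonical(root)
    target = effective_path(entry, root)
    return not (target == root_c or target.startswith(root_c + "/"))

def same_path(a: str, b: str) -> bool:
    """True when two spellings ('//dev_hdd0//file', '/dev_hdd0/./file') name one file."""
    return canonical(a) == canonical(b)

def audit(entries, root: str = INSTALL_ROOT):
    """Map each entry to (entry, effective path, escapes) for review before installing."""
    return [(e, effective_path(e, root), escapes_root(e, root)) for e in entries]

if __name__ == "__main__":
    # Constructed entries modelled on the thread: a normal file, the two relocated
    # folders from the first posts, and the webMAN double-slash spelling.
    sample = [
        "USRDIR/EBOOT.BIN",
        "../../../dev_hdd0/game/BCES00664DATA/USRDIR/data.psarc",
        "../../../dev_hdd0/exdata/license.rap",
        "//dev_hdd0//boot_plugins.txt",
    ]
    for entry, where, out in audit(sample):
        print(f"{'OUTSIDE' if out else 'inside '}  {entry} -> {where}")
```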
 
That too. The double // works great for avoiding bricks if added to system flash paths too.

For example, category_game_tool2.xml uses paths like these to link back to category_game.xml:
Code:
src="xmb://localhost/%flash/xmb/category_game.xml#seg_psp2appdata"

If then that xml does not exist for any reason you have a soft brick.

Simply changing it to this completely avoids that soft brick should there be any issue with the linked xml:
Code:
src="xmb://localhost//dev_flash/vsh/resource/explore/xmb/category_game.xml#seg_psp2appdata"

Another example: this path will cause a soft brick if the qrc file is missing.
[screenshot: upload_2021-3-26_17-37-49.png]


This will just ignore the missing qrc and load the XMB with no icons.
[screenshot: upload_2021-3-26_17-39-9.png]

^^ not the best example as there is not room in the sprx.

Ideally all CFW would use these modified paths for extra brick resistance.
 
Actually I remember and I know, but what I didn't understand was why this folder is in use while there is nothing outside "dev_hdd0/game/<GameID>/" in the case of game+patches. But I didn't know that disc to digital conversion needs the license, so all is clear now. ^^ Thanks for the explanation.
 
Actually I remember and I know, but what I didn't understand was why this folder is in use while there is nothing outside "dev_hdd0/game/<GameID>/" in the case of game+patches.
There is lots of stuff outside of dev_hdd0/game/<GameID>; 95%+ of the game's files are in dev_hdd0/game/<GameID>DATA
But I didn't know that disc to digital conversion needs the license

No, disc to digital conversions do not need any license, I was just saying for games that do need a license those can be built into the pkg too.
 
AFAIK a "standard package" unpacks games to "dev_hdd0/game/<GameID>/", not to "dev_hdd0/game/<GameID>/DATA/" (or USRDIR), so for content contained only in the GameID dir we don't need any special tricks (because none of the games store data outside this folder, except some DLC which uses its own "GameID<suffix>"). At least this is how I understand it.

If "digital conversions" don't need a license, I still don't see a reason to utilise the traversal attack. ^^"

edit:
Oh, I get it. It is for games which use "dev_hdd0/game/<GameID<suffix i.e DATA>>/" for DLC. :)
But 95%? ;) Personally I saw only a few which use an additional dir for DLC; the rest use the cache+patches dir.
 
No, it's because this is a disc convert; if it were a normal pkg it would not need to install gamedata. The disc version of Wipeout HD Fury normally installs gamedata to dev_hdd0/game/<GameID>DATA/ before you can play it.

See my screenshot above. This is where it installs the game data to:

[screenshot: upload_2021-3-26_1-7-1.png]


I would have tried making it all be in a normal PKG that installed to BCES00664DATA, but PARAM.SFO editor does not allow using CONTENTIDs over 9 characters long.
 
Interesting... but in this way uninstalling the package will not uninstall the additional content, because I've tested it just now and the additional content needs to be deleted manually. Or am I missing some step?
 