PS3 Hacking the Singstar DLC encryption for backup/custom songs?

[GDMorry]

Now to figure out how to add song files from the 20+ PS2 and PS3 Singstar disks to the digital Singstar app and make this more like a Jukebox of songs.

You and me both

Nice work by the way ... well done

Could You try decrypt those packages as *.edat? Maybe it is nothing extraordinary and all can be make easily "IDPS free".

The SingStar songs on the discs are (this ones PS3 ABBA )

disc:\
<DIR> PS3_GAME
<DIR> PS3_UPDATE
1,536 PS3_DISC.SFB

<DIR> PS3_GAME
34,196 ICON0.PNG
1,040 PARAM.SFO
178,607 PIC0.PNG
1,594,354 PIC1.PNG
31,211 PIC2.PNG
5,120 PS3LOGO.DAT
664,776 SND0.AT3

<DIR> USRDIR
42 DiscInfo
9,732,288 EBOOT.BIN
4,285,294,041 Pack0.pkd
2,978,391,498 Pack1.pkd
535,454,044 data.pkf
10,354,386 datamem.pkf

<DIR> Themes
​

Not sure of much but was thinking it's mostly in the PARAM.SFO and the Pack... pkd files ??

 

[Berion]

I have in mind those not on disc, but those which was bought on PSN and put into Singstar dir in "dev_hdd0/game/<Singstar ID>/". Content on disc is always console independent.

 

[mattwookie]

Could You try decrypt those packages as *.edat? Maybe it is nothing extraordinary and all can be make easily "IDPS free".

If you can point me in the right direction of how to do this I will try. I have never attempted anything like this so any help you can give me would be great.

 

[mattwookie]

I have found information from the Performous project in which they found the following information about the Singstar disks.

1. "Concerning the PKD, we found out that the encryption is vulnerable to watermark attack and thus were able to identify that it is actually a .pkf file with substitution cipher applied. The substitution table depends on byte offset but no other factors. This means that the algorithm is sufficiently weak to allow for known plain text attacks but so far we haven't been able to figure out exactly what kind of substitution is used or to extract the key."

2. "These seem to be encrypted in AES128-CTR mode but we haven't been able to extract the keys. Known plain text attacks have been successful but they don't get us very far because different SingStar releases use different keys."

3. They apparently had success and created a program to convert Singstar disks to Performous files. This means that they broke the encryption. There is conflicting information about whether they broke encryption on both PS2 and PS3 disks. The program they created is called Singstar Ripper found here manpages.ubuntu.com/manpages/trusty/man1/ss_extract.1.html . There is also a wiki on how to use it here github.com/performous/performous/wiki/SingStar-ripper .

I do not have Ubuntu on my computers so I will have to install Ubuntu sometime in the near future and try this out. I have about 300 Singstar songs on PS2 disks, another 300 on PS3 disks and 130 download files. If we can find a way to make all of these digital and add them to the Singstar app life would be grand ;-)

 

[mattwookie]

I have in mind those not on disc, but those which was bought on PSN and put into Singstar dir in "dev_hdd0/game/<Singstar ID>/". Content on disc is always console independent.

Here is the directory structure and some of the downloaded files -

 

[Aezaeo]

I have found information from the Performous project in which they found the following information about the Singstar disks.

1. "Concerning the PKD, we found out that the encryption is vulnerable to watermark attack and thus were able to identify that it is actually a .pkf file with substitution cipher applied. The substitution table depends on byte offset but no other factors. This means that the algorithm is sufficiently weak to allow for known plain text attacks but so far we haven't been able to figure out exactly what kind of substitution is used or to extract the key."

2. "These seem to be encrypted in AES128-CTR mode but we haven't been able to extract the keys. Known plain text attacks have been successful but they don't get us very far because different SingStar releases use different keys."

3. They apparently had success and created a program to convert Singstar disks to Performous files. This means that they broke the encryption. There is conflicting information about whether they broke encryption on both PS2 and PS3 disks. The program they created is called Singstar Ripper found here manpages.ubuntu.com/manpages/trusty/man1/ss_extract.1.html . There is also a wiki on how to use it here github.com/performous/performous/wiki/SingStar-ripper .

I do not have Ubuntu on my computers so I will have to install Ubuntu sometime in the near future and try this out. I have about 300 Singstar songs on PS2 disks, another 300 on PS3 disks and 130 download files. If we can find a way to make all of these digital and add them to the Singstar app life would be grand ;-)

I read the same threads, and correct me if I'm wrong, but it seems to only decrypt the PS2 files from DVD, Performous. I do not own this game but I found it interesting so I read some info last night and everything you mentioned is what I also read. And also this:
https://zenhax.com/viewtopic.php?t=4170

It seems to be a bit harder to tackle. Unless this actually works:
https://github.com/performous/performous/wiki/SingStar-ripper

That's all I could gather from the minimal time I spent researching this. As I said I don't own this game so all my efforts were for educational purposes to help you guys out lol.

 

[GDMorry]

Using the performous-tools package in Ubuntu I've successfully ripped the "SingStar Party Starters" PS2 disc (30 tracks).

I've ripped and converted to:

song name dir

cover.png
music.ogg
notes.xml
video.m4v
vocals.ogg
​

I've got to try to find a way to rip (and not convert?) to the original structure of the ".pkg.drm" files eg. Pack0_**blahblah**.pkg.drm
and then save into /dev_hdd0/game/BCES00011SINGSTARFAMILY/USRDIR/DownloadSong

I'm yet to attempt a PS3 disc.

I'll do some more reading as there are command line switches for output files etc.

How do you use it
Synopsis
  ss_extract [-h|--help]  [--dvd  arg] [-l|--list] [--song arg] [--video arg] [--audio arg]
  ss_adpcm_decode [-h|--help] [archive.pak] input.mib output.wav
  ss_cover_conv [-h|--help] [pak_file] [track_id] [output_image]
  ss_ipu_conv [-h|--help] infile.ipu outfile.m2v
  ss_ipu_decode [-h|--help] input output
  ss_pak_extract [-h|--help] file.pak --extract [files]
  ss_pak_extract file.pak --dump file
  ss_pak_extract file.pak --list itg_pck file.pck
(source)

Example
Assuming you have the DVD mounted to path /media/dvd0, the following command will rip & convert all songs to a directory created under the current working directory.

  $ ss_extract --dvd /media/dvd0

 

[GDMorry]

Using:

ss_pak_extract /mnt/SINGSTAR/pak_iop0.pak --extract

I get folders by track number with two files in each

movie.ipu
music.mib
​

PS3 Discs don't work "ss_extract" keeps looking for "pak_ee.pak" which does not appear on the PS3 disc!

Two programs keep getting a mention in my searches "Singstar Creator v3" & "SS2USConv"

SingStar Creator converts the common Ultrastar format into Singstar DVDs (will also burn then in ESR format as well).

SS2USConv is a tool which enables you to convert Singstar-DVDs from the PS2 into the Ultrastar-Format. (Still seems to have possibly broken the encryption??)

I managed to do 12 PS2 discs and got the "Performous" format working in both Windows and Ubuntu.

I've also done an extract of the .pak files to get the .ipu and .mib files (for later maybe?)

After inserting the PS2 disc (in Ubuntu Terminal I use the following commands)

  sudo umount /mnt/dvd
  sudo mount -t iso9660 /dev/cdrom /mnt/dvd
  ss_extract --dvd /mnt/dvd
  ss_pak_extract /mnt/dvd/pak_iop0.pak --extract
  ss_pak_extract /mnt/dvd/pak_iop1.pak --extract

 

[mattwookie]

GDMorry thank you for all the work you have posted. When I get some time I will try to replicate your work. I have been very busy and not able to work on this quest but I am wondering if it will maybe be easier to find a way to decrypt the pak file from all the Singstar PS2 disks and then merge all of them into a giant pak file and then add the encryption back. I have seen other games that have pak decrypter tools that enable modification of the contents and then it re-encrypts the file using the original encryption code. In theory you take Singstar Pop PS2 disc and find the encryption code and crack open PAK files. Then insert every other decrypted Singstar PAK file into this Singstar Pop PAK file. Then use webMAN MOD mount_ps2 feature tutorial found here [TUT]Mounting PS2 SingStar on PS3 using webMAN MOD mount_ps2 feature | Page 2 | PSX-Place (psx-place.com) . Then I would have all of my downloaded songs and my PS2 Singstar discs available on Singstar digital.

 

[croage]

Going to need some help trying to get my DLC songs working again.
Have a slim CEX. Have had to format HD and transfered "BCES00011SINGSTARFAMILY" back over to the PS3 and I'm getting the "This song cannot be played because its owner has been deleted. To play the song, first delete it via Delete Songs in Settings, and then download it again from the SingStar™." message.

Looking at the save data in Apollo Save Tool it seems that the User ID: is 00000002 and account ID:xxxxxxxxxx(owner)

Due to having to format the drive I am now User 00000001.

The account ID from the save file is the same as my current user.
Last created user in the xRegistry.sys 5.

Is there a way to change user 00000001 to 0000002? I've tried editing the Param.sfo of the save file with Apollo but when I copy it over data is corrupted.
Could I use the xSystem.sys backup and change the lasted create to 1, create a new user oooooo2? I've been banned from the PSN due to CFW so I cant re-download the songs from the store if they are still there(banned for putting the CFW to try to backup the Songs). I'm assuming just creating a 00000002 with the same details wouldn't generate the same Account ID so I'd have to delete the 0000001 and change the account ID in the registry.

Any help would be appreciated.

 

[GDMorry]

Is there a way to change user 00000001 to 0000002?
Could I use the xSystem.sys backup

firstly read this entire thread to get the gist of it all and how it played out

NOW as I pretty much summed up

Here's what I did

1. CFW (CFW 4.87.2 Evilnat Cobra [CEX]) on my Dodgy PS3 so I could ftp into it and get all the "dev_hdd0"files!

Especially the "dev_hdd0\game\BCES00011SINGSTARFAMILY" folder!
Only one file (/dev_hdd0/game/BCES00011SINGSTARFAMILY/USRDIR/DownloadSong/Pack0_100HR5.pkg.drm) refused to copy over and it seemed to have some sort of cyclic redundancy protection (it wouldn't ftp or copyto usb drive.... or even WebMan download? it kept restarting to the point of a 65Mb file being 1.5Gb?)

2. CFW on donor PS3 and a larger HDD installed.
3. WebMan (webMAN_MOD_1.47.33_Installer.pkg.706.v1.47.33_brewology_com.pkg) installed and used on both PS3's to copy and change IDPS & PSIDs.
4. FTP'd all of /dev_hdd0 onto Donor PS3
5. Created new User account and Deleted my original account (Donor PS3 made it user/00000009)
6. Deleted ALL files in donor PS3 "\dev_flash2" then FTP'd ALL original PS3's "\dev_flash2\" files over! I wanted to use the xRegistry.sys and it worked and changed my User ID and user/00000001 etc.
7. Rechecked and changed the Console ID/DPS & PSID's again to the original PS3's
​

Now the only problem you have to consider is user number ... you NEED to delete the original user AND create one (even better two or more FAKE users) AFTER you have created fake users and deleted the original user you need to log in with a fake user and the UPLOAD or FTP the backup that you have of the "xRegistry.sys" (SEE parts 5 & 6) over to your PS.... then restart you now should be all good

Deleted ALL files in donor (NEW) PS3 from "\dev_flash2" then FTP'd ALL original PS3's (Backup) "\dev_flash2\" files over to donor (NEW) PS3 "\dev_flash2" !!

 

[Berion]

it wouldn't ftp or copyto usb drive.... or even WebMan download? it kept restarting to the point of a 65Mb file being 1.5Gb?

Could You try Linux? I'm pretty sure You can copy it by connecting drive to PC. Of course You need EID Root Key to deal with encryption (currently not possible to get on HAN and HEN but only on CFW).

 

[croage]

Can you confirm that if i use xRegistryEditor075 to change the xRegistry.sys and change Last created user to 1 and ftp it over its not going to brick the ps3? I'm not copying anything to another ps3 so my situation is kind of different. Just need to create user 0000002 on the same console and don't want to have to format the HD and FTP everything over again. In the xRegistry.sys backup I'm still the wrong user number and the counter number is up to 6.

I'm only proficient enough to put CFW on the console and not much more so apologies. Is there a way with I could change /setting/user/00000001/ to 00000002? With xRegistryEditor075 I can only change the VALUE of the setting not the /user/00000001 setting itself. If I could do that and it works that would be the shortest possible way to solve my problem.

 

[croage]

and modifying the xRegistry.sys to get the same user ID (0000000X) as on the old console.

Would you mind telling me how you did this?

 

[GDMorry]

Could You try Linux? I'm pretty sure You can copy it by connecting drive to PC. Of course You need EID Root Key to deal with encryption (currently not possible to get on HAN and HEN but only on CFW).

Yeah, thanks heaps ... I managed to do this when you first suggested this And I was successful!

Can you confirm that if i use xRegistryEditor075 to change the xRegistry.sys and change Last created user to 1 and ftp it over its not going to brick the ps3?

Attempted to use xRegistry with no success at all.

IF you do not have a back up of your /dev_hdd0 then FTP it over to a PC after this completes then I would format the PS3 HDD in a PC then reinstall it into your PS3 and let it set it up! (You will have lost EVERYTHING!)
Create a dud account = should now be user 1
Now recreate your original account it should now be user 2 - FTP your dev_hdd0 backup back to your PS3

 

[Noodle]

Any updates on this? I'm trying to find a specific DLC and extract the vocals/stems if possible.

 

[croage]

Attempted to use xRegistry with no success at all.

IF you do not have a back up of your /dev_hdd0 then FTP it over to a PC after this completes then I would format the PS3 HDD in a PC then reinstall it into your PS3 and let it set it up! (You will have lost EVERYTHING!)
Create a dud account = should now be user 1
Now recreate your original account it should now be user 2 - FTP your dev_hdd0 backup back to your PS3

Found a better solution.
Did not need to reformat and copy everything back.
Changed the last created user with xRegistry editor to 1 in the xRegistry.sys and Backup/xregistry.sys and that did the trick.

For the DRM downloaded content to work again didn't need to copy user ID and everything else to the newly created user 2 just needed to create user 2. Name didn't even have to be the same either.

 

[Bolonni]

Hi there,

I found this thread while looking for ways to do something similar to what you folks are talking about. In particular, I'd like to add more songs to the game (the ones from my PS2 discs and maybe others).

While I have reverse engineering experience I have zero experience with PS3 specifics, so I was hoping somebody can point me in the right direction.

@dittnamn Why do You think that "obviously PSID is part of encryption"? What experiment You have made proofs that?

Maybe those *.pkg.drm are just ordinary *.edat or *.mself files? Have You tried unpack/decrypt them?

I've checked what @Berion said about the files being EDAT and unless I'm mistaken I don't think they are. According to this page https://www.psdevwiki.com/ps3/EDAT_files said files have a header with a lot of information about the encrypted file, but those `pkg.drm` are encrypted from the very first byte (I ran a quick analysis of the entropy of the file and I'm mostly certain it's just encrypted/compressed from the beginning). MSELF files are executables as far as I can see, so they should also be ruled out because of the lack of header (again, no experience on this system, so please correct me if I'm wrong).

My suspicion is that they might be encrypted using some key unique to the game (and maybe even found inside the game itself) but one missing piece of information is: are those files "generic", unique to each user, to user + console or something else? I thought that one quick way of finding out is by getting the same file (or just a hash, should be enough) from different people that belong to the same song, so please let me know if anybody can help with that, unless somebody already knows this is useless . This will actually only tell us if files are unique or not (but not in what way) but it's a start .

After decription the PKG format itself is easy to parse, I'm not sure if it's the same as the PS2 but even if it's not, I doubt it will be that complicated.

 

[Bolonni]

As an update, I've found that the game itself has a few functions inside called "sceeDRMPackageOpen/Close/Read/Seek", which are probably exactly what we want. The original code seems to have been C++ and as a result following the disassembly is really annoying, so I'm not entirely sure but I think it uses a file from the installation called "keys.edat", which makes sense. However, I'm not sure I'm having any luck decrypting said EDAT. I'm using a very old tool called "make_npdata" and this is the output, in case somebody finds anything useful or can tell me what to use instead:

> make_npdata keys.edat outputKey 4

NPD HEADER
NPD version: 2
NPD license: 3
NPD type: 0

EDAT HEADER
EDAT flags: 0x0000000C
EDAT block size: 0x00004000
EDAT file size: 0x00000600

WARNING: NPD title hash is invalid!
WARNING: NPD dev hash is invalid!
DEVKLIC: F2FBCA7A75B04EDC1390638CCDFDD1EE
RIF KEY: 00000000000000000000000000000000
DECRYPTION KEY: F2FBCA7A75B04EDC1390638CCDFDD1EE

Parsing data...
WARNING: Header hash is invalid!
WARNING: Metadata section hash is invalid!
File successfully parsed!

Decrypting data...
WARNING: Block at offset 0x00000110 has invalid hash!
File successfully decrypted!

 

[Berion]

Thanks for the informations. Personally I don't have any Singstar so I couldn't check myself. That's why I just throw some of ideas to the guy who asking assistance in decryption process. So also I cannot check if this game using per console DRM form (i.e by moving the same game to another PS3 with the same account user number and NP Account ID which should proves that content is signed somehow or not to the console).

Normally, bought stuff on PS3 is secured just by act.dat + *.rif/*.edat in users exdata dir. So to be honest it is surprising me that some data in USRDIR can be encrypted by per user and/or per console IDs. I hope You will figure this out. I'm not a fan of Singstar but fan of user data control. ^^