PS2 KELFBinder 2 v1.1.1

[El_isra]

KELFBinder 2 allows users to install system updates and DVDPlayer updates into a memory card. it can also test the update binding capabilities of a card without even writing a single byte to the card.
as well as installing a bootloader to the HDD.

this program is easily adaptable to other projects.
The stock update will be PS2BBL.

More information will be added soon!

 

[El_isra]

El_isra updated KELFBinder 2 with a new update entry:

magicgate test

• remotion of unneeded stuff from release package
• updated PS2BBL
• add exfat usb device support
• NEW FEATURE: magicgate test. (test if your card supports updates without writing data to it)

Read the rest of this update entry...

 

[El_isra]

El_isra updated KELFBinder 2 with a new update entry:

Dynamic install tables and HDD support

• Dynamic install tables: extra files to be installed are calculated on the fly by reading the specified folders (now you can update the files to be installed or add new ones like you did on FreeMcBoot installer)
• HDD support, added 3 new operations

1. HDD bootloader installation
2. HDD formatting (not ready)
3. HDD boot EEPROM configuration (enable HDD booting without installing anything)

Read the rest of this update entry...

 

[El_isra]

El_isra updated KELFBinder 2 with a new update entry:

Minor changes and updated PS2BBL

• Updated default update (PS2BBL) to latest version
• Fixed the functionality of the nohdd.opt option file (for more info on the option files please peek the documentation)
• Fixed the boot device waiting (program waits untill the device from where it's booting is accessible before starting up the menu) quite useful for users wich have USB external HDDs

Read the rest of this update entry...

 

[Rallye89]

I have some questions about installing DVD Player Update. Starting from a folder called BEEXEC-DVDPLAYER containing dvdplayer.elf and other files related to the update i was able to transform dvdplayer.elf into dvdplayer.xlf with kelftool dnasload with keys and cmd. Putting the file dvdplayer.xlf in folder KelfBinder\INSTALL\KELF probably is not enough to make the dvd update working, bacause it probably requires the other files that are located in folder BEEXEC-DVDPLAYER. Looking at KelfBinder.lua i found function DVDPlayerRegionPicker() and function DVDPlayerINST(port, slot, target_region) so i assume that kelfbinder detects the correct region looking at console rom, or system options or scanning inside dvdplayer.xlf somehow, so that it will create a correct folder B?EXEC-DVDPLAYER on target device. How can I inject these files in EXTINST.lua? Can i modify the script to make it universally working for every region DVDPlayer update, both on MC USB and HDD? So that i only have to add dvdplayer.xlf and files in folder KelfBinder\INSTALL\ASSETS\DVDPLAYER?

 

[El_isra]

I have some questions about installing DVD Player Update. Starting from a folder called BEEXEC-DVDPLAYER containing dvdplayer.elf and other files related to the update i was able to transform dvdplayer.elf into dvdplayer.xlf with kelftool dnasload with keys and cmd. Putting the file dvdplayer.xlf in folder KelfBinder\INSTALL\KELF probably is not enough to make the dvd update working, bacause it probably requires the other files that are located in folder BEEXEC-DVDPLAYER. Looking at KelfBinder.lua i found function DVDPlayerRegionPicker() and function DVDPlayerINST(port, slot, target_region) so i assume that kelfbinder detects the correct region looking at console rom, or system options or scanning inside dvdplayer.xlf somehow, so that it will create a correct folder B?EXEC-DVDPLAYER on target device. How can I inject these files in EXTINST.lua? Can i modify the script to make it universally working for every region DVDPlayer update, both on MC USB and HDD? So that i only have to add dvdplayer.xlf and files in folder KelfBinder\INSTALL\ASSETS\DVDPLAYER?

In progress....

The region thing is something user chooses before installing. so no automated assumptions are made

 

[Rallye89]

I've done some research on DVD Player package by krHACKen and i found that PS2 DVD Player updates for Memory Card install have this characteristics in all versions, languages and revisions depending of dvdplayer.id content:

- if dvdplayer.id 5th byte is A the CRC32 of this file is 436898CD
- if dvdplayer.id 5th byte is M the CRC32 of this file is EFDDD7C1
- if dvdplayer.id 5th byte is U the CRC32 of this file is 6DC64F98
...and in this case the folder where additional files have to be copied is BAEXEC-DVDPLAYER

- if dvdplayer.id 5th byte is C the CRC32 of this file is 715EFA4F
...and in this case the folder where additional files have to be copied is BCEXEC-DVDPLAYER

- if dvdplayer.id 5th byte is E the CRC32 of this file is 27045DC9
- if dvdplayer.id 5th byte is O the CRC32 of this file is DDEBB543
- if dvdplayer.id 5th byte is R the CRC32 of this file is 2287D95F
...and in this case the folder where additional files have to be copied is BEEXEC-DVDPLAYER

- if dvdplayer.id 5th byte is J the CRC32 of this file is A09C4106
...and in this case the folder where additional files have to be copied is BIEXEC-DVDPLAYER

We can provide dvdplayer.xlf in KelfBinder\INSTALL\KELF and additional files in KelfBinder\INSTALL\ASSETS\DVDPLAYER if we have a script that scans the content of dvdplayer.id or calculate the hash of dvdplayer.id contained in attached files and selects the correct destination folder for these ones. However if i remeber correctly the language of dvd player update must match the current language on system setup and also the region of the console to be working. This choice along with progressive/nonprogressive and 3.04J/3.04M/3.11J should be done manually by the user considering language and console region, just because the whole folder for memory card install is 170MB. There could be also a method to let the user choose a combination of progressive/version/region/language and mantain the portability on memory card for the whole package since the compressed folder containing the memory card update is full or redundant files in folder structures for every combination of progressive/version/region/language, maybe the user data is about 10MB and can be fitted to a Memor32 for example.

 

[Rallye89]

Tried binding dvdplayer in both modes via kelftool dnasload (dnasload or fmcb commands), kelfbinder generates two different files of different size (from the one created with kelftwinsigner), both larger of 128bytes than dvdplayer.elf. They have also different hash among them, both don't work as dvdplayer updates, while the one from kelftwinsigner does. Attached files copied with wLaunchELF in all three cases. KelfBinder also seems faulty because it assigns BAEXEC-DVDPLAYER for European Install, it should be BEEXEC-DVDPLAYER, however i moved the file to correct folder with wLE in post-install. In case of Chinese Install the app hangs indefinitely. Correct folder instead for American and Asian install. Thank you for your work even if the dvdplayer update section is still wip, this app is really powerful.

@El_isra FYI seems that kelftool adds an header that kelfbinder won't remove after binding with magicgate card, the final size is also bigger than the original elf, the kelftwinsigner one has the same size of the original krackhen elf.

 

[El_isra]

Tried binding dvdplayer in both modes via kelftool dnasload (dnasload or fmcb commands), kelfbinder generates two different files of different size (from the one created with kelftwinsigner), both larger of 128bytes than dvdplayer.elf. They have also different hash among them, both don't work as dvdplayer updates, while the one from kelftwinsigner does. Attached files copied with wLaunchELF in all three cases. KelfBinder also seems faulty because it assigns BAEXEC-DVDPLAYER for European Install, it should be BEEXEC-DVDPLAYER, however i moved the file to correct folder with wLE in post-install. In case of Chinese Install the app hangs indefinitely. Correct folder instead for American and Asian install. Thank you for your work even if the dvdplayer update section is still wip, this app is really powerful.

@El_isra FYI seems that kelftool adds an header that kelfbinder won't remove after binding with magicgate card, the final size is also bigger than the original elf, the kelftwinsigner one has the same size of the original krackhen elf.

I dont understand why you did that with KELFtool
DVDPlayer updates from krHACKen are already KELF. and the proof of that is that KELFTwinSigner works..

So, basically you added another KELF Header on top of the older one....

 

[El_isra]

Tried binding dvdplayer in both modes via kelftool dnasload (dnasload or fmcb commands), kelfbinder generates two different files of different size (from the one created with kelftwinsigner), both larger of 128bytes than dvdplayer.elf. They have also different hash among them, both don't work as dvdplayer updates, while the one from kelftwinsigner does. Attached files copied with wLaunchELF in all three cases. KelfBinder also seems faulty because it assigns BAEXEC-DVDPLAYER for European Install, it should be BEEXEC-DVDPLAYER, however i moved the file to correct folder with wLE in post-install. In case of Chinese Install the app hangs indefinitely. Correct folder instead for American and Asian install. Thank you for your work even if the dvdplayer update section is still wip, this app is really powerful.

@El_isra FYI seems that kelftool adds an header that kelfbinder won't remove after binding with magicgate card, the final size is also bigger than the original elf, the kelftwinsigner one has the same size of the original krackhen elf.

found the two issues

• 1) KELFBinder function that calculates DVDPlayer folder was missing the European case
• 2) the lua DVDPlayer region function considers American and Asian regions as one (technically acurate), but KELFBinder C++ code considered them as two separate regions that just share the same folders... this caused the european DVDPlayer request to be considered as an asian dvdplayer request, and chinese dvdplayer request caused an out of bounds array index?

the issue is fixed now

 

[Rallye89]

I dont understand what you did with KELFtool
DVDPlayer updates from krHACKen are already KELF. and the proof of that is that KELFTwinSigner works..

So, basically you added another KELF Header on top of the older one....

So you're saying me that I have only to rename krhacken dvdplayer.elf in DVDPLAYER.XLF?
Where are supposed to be attached files? Or it is not yet included function? The whole package includes:

BTNB
dvdplayer.elf
dvdplayer.ico
dvdplayer.id
dvdplayer-e.ver
dvdplayer-j.ver
HLPB
icon.sys
LGBB
MSGB
NUMB

Thank you!

 

[El_isra]

So you're saying me that I have only to rename krhacken dvdplayer.elf in DVDPLAYER.XLF?
Where are supposed to be attached files? Or it is not yet included function? The whole package includes:

BTNB
dvdplayer.elf
dvdplayer.ico
dvdplayer.id
dvdplayer-e.ver
dvdplayer-j.ver
HLPB
icon.sys
LGBB
MSGB
NUMB

Thank you!

I don't have time to add DVDPlayer extra files installation for now

But you should bind the DVDPlayer KELF, then paste the other files via wLaunchELF.

 

[Rallye89]

Seems that there is a bug in decrypting process with kelfbinder. if I encypt an elf into a kelf (dnasload, fmcb, fhdb or mbr) the xlf output is larger of 128bytes as said above, this happens also with other branches of kelftool. When I decrypt this files via kelftool on windows the result is a valid elf smaller of 128bytes, just the same size of the starting file included in the krhacken archive. This is not happening if I sign an xlf via kelfbinder, the resulting elf placed in B?EXEC-DVDPLAYER has the same size of the xlf, such as the header is not removed. Obviously i can sign the elf with kelftwinsigner but if kelfbinder will be working the process could be made only on console side (it can be done even without attached files automatization because they can be copied via System Browser or uLaunchELF). Have you rewritten the code included in kelfbinder from scratch? It doesn't behave like kelftool. Every effort from your side is very appreciated, and if you have a little time and you're working at other projects I don't want to force you, I just want to share the anomalies that i've found doing some tries as simple user (advanced).

 

[El_isra]

Seems that there is a bug in decrypting process with kelfbinder. if I encypt an elf into a kelf (dnasload, fmcb, fhdb or mbr) the xlf output is larger of 128bytes as said above, this happens also with other branches of kelftool. When I decrypt this files via kelftool on windows the result is a valid elf smaller of 128bytes, just the same size of the starting file included in the krhacken archive. This is not happening if I sign an xlf via kelfbinder, the resulting elf placed in B?EXEC-DVDPLAYER has the same size of the xlf, such as the header is not removed. Obviously i can sign the elf with kelftwinsigner but if kelfbinder will be working the process could be made only on console side (it can be done even without attached files automatization because they can be copied via System Browser or uLaunchELF). Have you rewritten the code included in kelfbinder from scratch? It doesn't behave like kelftool. Every effort from your side is very appreciated, and if you have a little time and you're working at other projects I don't want to force you, I just want to share the anomalies that i've found doing some tries as simple user (advanced).

seems like youre confusing two different things

KELFTool: encrypt ELF or decrypt KELF. hence the 128 bytes gain/loss is the adition/removal of the KELF header, and kbit/kc fields
KELFTwinSigner: REPLICATES binding from one KELF to another. nothing else... does not add or remove KELF header because its not part of it's purpose

You must be doing something wrong...

KELFBinder KELF binding process is performed with the special version of the security manager taken from the FreeMcBoot 1.9xx installer series. Which was reverse engineered from the security manager of the 2.14 DVDPlayer Sony official update disc by sp193

 

[Rallye89]

KELFBinder KELF binding process is performed with the special version of the security manager taken from the FreeMcBoot 1.9xx installer series. Which was reverse engineered from the security manager of the 2.14 DVDPlayer Sony official update disc by sp193

So which file do I have to put in KELFBinder\INSTALL\KELF to install a DVDPlayer update? It's specified in KelfBinder documentation that i have to add to the aforementioned folder a file called DVDPLAYER.XLF, but how do I create that file considering that the file in dvdplayer update from krhacken is dvdplayer.elf (obviously not already binded to a random magicgate memory card)?

 

[El_isra]

So which file do I have to put in KELFBinder\INSTALL\KELF to install a DVDPlayer update? It's specified in KelfBinder documentation that i have to add to the aforementioned folder a file called DVDPLAYER.XLF, but how do I create that file considering that the file in dvdplayer update from krhacken is dvdplayer.elf (obviously not already binded to a random magicgate memory card)?

You should rename and paste into proper path and that's it...
No tweaking, no nothing

 

[Rallye89]

No, KelfBinder gives a red screen and an error that way. I've found a way to make the binding process work and the dvdplayer works attaching the required files in B?EXEC-DVDPLAYER folder of mc, now i'm in a hurry, i'll post the solution as soon as possible! thank you for your tips!

 

[El_isra]

No, KelfBinder gives a red screen and an error that way. I've found a way to make the binding process work and the dvdplayer works attaching the required files in B?EXEC-DVDPLAYER folder of mc, now i'm in a hurry, i'll post the solution as soon as possible! thank you for your tips!

It's possible that the KELF headers have some data that makes SECRMAN binding to fail...

Maybe you could take my kelftool, decrypt it, and re-encrypt the generated ELF as fmcb or dnasload KELF...

In addition, create inside the KELFBinder folder

INSTALL/CORE

A file called

txtlog.opt

It will dump all debugging messages to a file, that way we can get a bit more of info (most probably useless, but should help a bit)

 

[El_isra]

i think I found some issues...

original cracked DVDPlayer KELF:

header.UserDefined     = 01 00 00 04 00 06 00 4A 00 0E 01 00 00 00 00 02
header.ContentSize     = 0
header.HeaderSize      = 0X80
header.SystemType      = 0 (SYSTEM_TYPE_PS2)
header.ApplicationType = 0 (disc wobble ?)
header.Flags           = 0X21C - kirx:HDR_FLAG2|HDR_FLAG3|HDR_FLAG4_1DES|HDR_FLAG9|
header.BitCount        = 0
header.MGZones         = 0XFF |All regions allowed|
header.gap             = 00 00 00
HeaderSignature        = 90 F3 19 06 C6 E4 60 1B

Kbit                   = 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39
Kc                     = 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39
BitTableSize           = 0X28
bitTable.HeaderSize    = 0X80
bitTable.BlockCount    = 2
bitTable.gap           = 00 00 00
                         Size        Signature           Flags
    bitTable.Blocks[0] = 000699FC    FC99060000000000    0 (not encrypted, not signed)
    bitTable.Blocks[1] = 00000008    003BEB0B63B32769    2 (signed only)
BitTableSignature      = E0 0B 44 DE 5A 0C EF 97
signature =  00 3B EB 0B 63 B3 27 69

VS Dnasload KELF

header.UserDefined     = 01 00 00 04 00 06 00 4A 00 0E 01 00 00 00 00 02
header.ContentSize     = 0X69A04
header.HeaderSize      = 0X80
header.SystemType      = 0 (SYSTEM_TYPE_PS2)
header.ApplicationType = 1 (xosdmain)
header.Flags           = 0X22C - kelf:HDR_FLAG2|HDR_FLAG3|HDR_FLAG4_3DES|HDR_FLAG9|
header.BitCount        = 0
header.MGZones         = 0XFF |All regions allowed|
header.gap             = 00 00 00
HeaderSignature        = 88 09 04 6C E0 E2 70 B3

Kbit                   = D9 4A 2E 56 01 6E A7 31 00 00 00 00 00 00 00 00
Kc                     = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
BitTableSize           = 0X28
bitTable.HeaderSize    = 0X80
bitTable.BlockCount    = 2
bitTable.gap           = 00 00 00
                         Size        Signature           Flags
    bitTable.Blocks[0] = 000699F4    0000000000000000    0 (not encrypted, not signed)
    bitTable.Blocks[1] = 00000010    44E39D1E31993959    3 (encrypted and signed)     
BitTableSignature      = 9D 7C 8B A5 1F 68 72 21

git diff for more visual view:

the most serious issue I see is that original krHACKen KELF is flagged for single DES encryption, that is used for KIRX, not for KELF...

But I think that the issue could be somehwere else amongst the other diffs too.

 

[TnA]

Which was reverse engineered from the security manager of the 2.14 DVDPlayer Sony official update disc by sp193

Based on previous work, knowledge and RE'ing by Jimmikaelkael.