PS3 Modding/Editing EBOOT.BIN with Unlock FPS Patches

gmanarte

I was searching and learning about applying unlock fps patches for original hardware, following this thread: Game Patches from @LuanTeles

As I dug deeper I noticed the patches I applied would only work whenever they were based on the be32 data type (not all cases, but always be32). I asked a question on the topic and the answer helped me at the time as I was learning a bit from it. I remember I hit a wall and it took me some time to come back and learn more things around it.

Lately, I have been working on modifying EBOOT.BIN with unlock fps patches. And I hit that wall again when I tried to modify The Ico & Shadow of The Colossus Collection, whose patch is of the byte data type. As you can see here and on RPCS3wiki:

"60 FPS":
  Games: *sotc_101title
  Author: "Margen67"
  Notes: *sotc_60fps_notes
  Patch Version: 1.0
  Patch:
    - [ byte, 0x00332707, 0x01 ]

After decrypting it to .ELF I wasn't able to find the address 00332707 nor the original HEX values I retrieved using webMAN MOD's PS3MAPI. Once we find out how to deal with these other data type patches (byte, be16, bef32...) we will be able to get lots of patches to work on the original hardware. There's gotta be someone here who knows how, or at least knows these other data type patches won't work on the original console. Other than that, there is also another problem I have noticed. Not all games have EBOOT.BIN, at least not as easy to find as others (example: Batman Arkham City). Which may be even trickier.

Having said that I was able to successfully run GTA IV with an uncapped framerate. Nothing that you couldn't do on PS3MAPI or Artemis. The only benefit from it is never having to deal with anything again, other than just running the game with uncapped framerates. And it is still too soon to claim it is all good and that it does not affect the console, since I experienced two problems:

1- As I was using TrueAncestor SELF Resigner (found here on PSX-Place) to "reencrypt" the EBOOT.ELF to .BIN, I noticed the file was half the size compared to the original one. Although everything ran normally.
2- There was noticeable horizontal screen tearing over the top edge or on webMAN MOD's fps/temperature monitor when the game experienced 120+ fps during loading screens.

Have any experiences with modifying EBOOT.BIN? Which games? Which worked? Which one was the hardest? Have any knowledge over any of the topics? Please, share it with us.
 
Try looking through the decrypted ELF for a unique value that doesn't repeat, or repeats less than 10 times. Start with the longest code type first, 00000000-FFFFFFFF, then search for the same value in memory (obviously not 00000000, as that's mostly dummy data or the base value). Then it should give you an offset to work with between ELF & memory. You might need to check the endian type also.
 
@Kevstah2004 Last night, I kept going and found out a couple of other things. As I was trying to patch Uncharted 2: Among Thieves and TLOU, I found out some of the patches work with addresses that go beyond EBOOT.BIN. I tried patching TLOU with the 01571A6F address. But I encountered the same problem as I did with Uncharted 2. There are no 01571A6F and 00E9C1FB addresses in TLOU's EBOOT.BIN and Uncharted 2's EBOOT.BIN respectively. To find those addresses I believe we would have to run the game on RPCS3 and check the whole main memory of it while emulating the game we want to work on. This belief came as I was able to find some matching HEX values from Shadow of The Colossus (doing it) that I couldn't find through the EBOOT.BIN or .self.

PS: I was able to patch the TLOU EBOOT.BIN with another patch/address given by the community. Found on Game Patches thread.

Unlock FPS patch for TLOU (Although the person said it is for TLOU Left Behind DLC, it works on the original game):
[be32, 0x00039d1c, 0x38a00000]
 
Sorry I don't have that much experience with the ps3, all my knowledge is from the previous generation.
Is the memory map chunk static like scratch ram on rpcs3 or does it shift for every ps3 game?
I'm guessing all the emulators also have different memory maps?
 
@Kevstah2004 I don't have much knowledge about coding or patching either. So idk if I understood your question. You mean if the memory map is static on the emulator?

If that's your question, I guess not, because I was able to find matching hex values under different memory addresses like I said. I booted it on RPCS3 and checked the memory map for some hex values; they were, let's say, on memory address "X". When I went back to check on it, it was at a different address. (Need to confirm that since I did it only twice and the PC I was using struggled a bit with it)
 
I vaguely remember doing something in Cheat Engine with pcsx2 where it'd always return the same address, something to do with a pointer code that's in every single game like a hz, pad joker or mastercode. There's a setting you change so it doesn't give you a new address on the next session after you close pcsx2. Idk about rpcs3, never tried it on PC.
 
Having said that I was able to successfully run GTA IV with an uncapped framerate.

Could you explain in detail how you managed to do it? I'm trying to do this myself but it doesn't work for me and I can't figure out what I did wrong.
Btw I used this patch:
"Unlock FPS":
  Games:
    "Grand Theft Auto IV (Grand Theft Auto 4)":
      BLES00229: [ 01.08 ]
      NPEB00882: [ 01.09 ]
  Author: "Zolika1351, illusion"
  Notes: *gta4_fps_notes
  Patch Version: 1.0
  Patch:
    - [ be32, 0x00f18840, 0x00000000 ]
 
I was able to edit the GTA IV eboot.bin successfully as well, but the BLUS30127 version. I don't think the version will matter in this case. I would guess your problem is that you are not subtracting 10.000 from the HxD memory addresses column. I actually found out this 10k subtraction is not quite accurate.
What you will need to do is: run your version of GTA IV and check the PS3MAPI using webMAN MOD. You are able to patch the game through there in case you didn't know. If it works there, you will likely be able to modify the eboot.bin so the change stays permanently. To do so, you will need to write down the original hex values you would modify using PS3MAPI. Open the eboot.bin (decrypted to eboot.elf) using HxD and search for the original hex values you wrote down (MAKE SURE IT IS THE RIGHT ONE. There can be, and likely will be, more than one hex sequence with equal values, but the previous/next values will differ at some point). Edit them with the new hex values suggested by the patch, in this case: 00 00 00 00. After that, reencrypt your new EBOOT.BIN and replace the old one located at dev_hdd>GAMES>(game folder)(example GTA IV)>USRDIR with the new one.

If it is still a bit confusing I can always try another method. But I suggest you search on YouTube for the following keywords: PS3 EBOOT.BIN MOD/EDIT HxD

Good luck.

PS: decrypted using TrueAncestor Self Resigner as previously said.
 
Alright, so I tried what you told me to do, and yeah it turns out you were right, I managed to edit GTA IV eboot.bin successfully and now the game runs at uncapped framerate as intended.
Well thanks for your help man, I appreciate it.
 
From memory all the game patches you find here:
should work for pre-patching the eboot.bin

There are some patches running around that require the game initialization (meaning they are not suitable to pre-patch the eboot; in other words, their offset address falls outside the eboot). I've refrained from posting those patches on my table, but if I did please let me know.
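
The address-to-file-offset step discussed in this thread (the "10.000" subtraction that is "not quite accurate", and patch addresses that fall outside the eboot), as an added example that is not part of any post here. It assumes the decrypted EBOOT.ELF is a big-endian ELF64 and that a patch address is a virtual address inside one of its PT_LOAD segments; the sample image and all of its addresses are constructed.

```python
import struct

PT_LOAD = 1
SIZES = {"byte": 1, "be16": 2, "be32": 4}  # patch types named in the thread

def load_segments(elf):
    """Return (p_vaddr, p_offset, p_filesz) for every PT_LOAD program header."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 2:
        raise ValueError("not a decrypted big-endian ELF64 (still a SELF?)")
    (e_phoff,) = struct.unpack_from(">Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(">HH", elf, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            ">IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs

def vaddr_to_offset(segs, vaddr, size):
    """File offset backing [vaddr, vaddr+size), or None if the file has no such bytes."""
    for p_vaddr, p_offset, p_filesz in segs:
        if p_vaddr <= vaddr and vaddr + size <= p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    return None  # zero-filled (memsz > filesz) or memory allocated at run time

def apply_patch(elf, kind, vaddr, value):
    """Apply one [type, address, value] entry; returns (patched bytes, file offset)."""
    size = SIZES[kind]
    off = vaddr_to_offset(load_segments(elf), vaddr, size)
    if off is None:
        raise LookupError(f"{vaddr:#x} is not stored in the ELF file")
    out = bytearray(elf)
    out[off:off + size] = value.to_bytes(size, "big")
    return bytes(out), off

def build_sample():
    """Constructed two-segment ELF64 image; addresses and sizes are made up."""
    ident = b"\x7fELF\x02\x02\x01" + bytes(9)
    hdr = struct.pack(">16sHHIQQQIHHHHHH", ident, 2, 21, 1, 0x10000, 64, 0, 0,
                      64, 56, 2, 0, 0, 0)
    ph1 = struct.pack(">IIQQQQQQ", PT_LOAD, 5, 0x000, 0x10000, 0x10000, 0x200, 0x200, 0x10000)
    ph2 = struct.pack(">IIQQQQQQ", PT_LOAD, 6, 0x200, 0x30000, 0x30000, 0x100, 0x400, 0x10000)
    return (hdr + ph1 + ph2).ljust(0x300, b"\xAA")

if __name__ == "__main__":
    sample = build_sample()
    for addr in (0x10100, 0x30010, 0x30200):
        print(hex(addr), vaddr_to_offset(load_segments(sample), addr, 1))
```

In the constructed image the first segment has a constant difference of 0x10000 between address and file offset, the second segment has a different one, and an address past a segment's file size maps to nothing, which is the case where an edit to the file cannot express the patch.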
 