PS3 [Research] MLT's RIF bypass patches in VSH

Does this patched VSH work with your 4.46 Rebug REX build?

And when I asked what differences you noticed when adding these patches, I thought you meant you noticed differences performance-wise, not just the fact that some PSN content worked without activating.

I do not see any performance difference either; that is not the focus of this research anyway.

I'm trying to minimize the patches and see if I can add this to the Cobra payload, just like the old Cobra team added reactPSN in stage2's modulespatch.

Looks like this patch can be ported to all CFW up to version 4.66. So far it has worked on REBUG 4.41/4.46.

I just don't like these broken, heavy patches, so it's either add perfection or minimize; that's my research goal.
 
From my testing:
1- Some games only test whether they can successfully decrypt an EDAT using a RIF. These cases will pose no issue when bypassing the RIF check.
2- Others have info stored in the encrypted files and will (obviously) fail.
3- Others have their EBOOT.BIN encrypted with the RIF and DEVKlicensee key, and unless previously patched (with a free license) they will simply not run.


There are at least these 3 LV2 syscalls that could be intercepted to return the expected values and "fool" the PS3?

int syscall 470 (uint32_t type?, void* npd? [0x60])
int syscall_471(uint32_t type, char* titleID, void* klicensee, uint8_t* actdat, uint8_t* rif, int32_t licenseType, uint8_t* magicVersion);
int syscall_475(uint32_t type, void* npd?, void* klicensee, uint8_t* actdat, uint8_t* rif, uint8_t magicVersion)


I've also found some nice info here:
NPDRM Self algorithm


Unfortunately I don't have enough time nowadays to study this further.
(A very nice add-on to a running plugin would be to automatically generate RIFs based on the installed content, similar to the ps2classics launcher RIF generator that KW added to psnpatch: if the ps2classics launcher RIF doesn't exist, the RAP is automatically generated and the RIF is signed to a valid user account, one that has a valid ACT.DAT.)
 
Just took the time and searched for the bypass patches I applied on 4.21. I still cannot determine which ones are the necessary ones, and I also do not remember anymore how I searched for them.

I have no exdata folder nor any act.dat, and I am not using any cracks for C00 games.

Note: these are file offsets for the 4.21 debug VSH!


As you can see, these are a lot fewer patches than I used to apply, and C00 games still work without a problem. Those other games only need their EBOOT resigned and they also work fine without RIF/EDAT.

I will take more time to find the routine @Skiller was talking about and maybe try to circumvent that error code.

By the way, using these patches and going online is not recommended, since JuanNadie himself has said so.
 


Wow, any chance of figuring this out and making it work for 4.80/4.81 like your fself patch for MFW Builder? I would love to try this on my system. Do you by chance happen to have one of your 4.21 REX Cobra FWs already made?
 
I can take a look at the 4.81 VSH, no problem. I have just posted the patterns for 4.21 for now. I thought myself there would have been many more, but luckily only those few.

@atreyu187 sorry, but somehow I cannot quote anymore, or I am too stupid :(
Can you upload vsh.self for me? I only have the OFW one, so I can determine which are the react patches.

edit
OK, the retail VSH has a few more, such a mess... it will take me a bit longer.

Seems the retail VSH with system software mode is a no-go. The PS3 shuts down when running games because of too little system memory.

edit
I have now made patches for the 4.81 retail VSH if someone is interested. I now have many more than MLT, but I cannot tell which ones are important. I think I have added a few more, dunno.

 
Wow... way to go haxxxen!! :)
Also, awesome work to joonie, kokotonix, zar, skiller, atreyu, pinky, etc.
Keep up the good work!
 
Oh my, sorry, I forgot to give credit to @Joonie, who started the research and gave me the hints.

Nah, I did nothing but dig into what MLT did with his 4.30 CFW. By the way, does ps2classic still work with this patch applied?

If I remember correctly, it broke ps2classic. Not so sure about the current status with your optimized/minimized patches.

Thanks for taking over where I left off :)
 
Hah, quoting works now.
TBH, I have not tried any classics since Cobra came along. I have to look at this as well. Thanks for reminding me.
 
You can add a free klicense for PS2 Classics to LV2. I've never done it, but I know it's doable. It doesn't involve removing RIF keys though; it's just in general. It allows "fixing" a PS2 game to the free klicense. You can even add keys from higher firmware to lower. There's a buffer for that.
 
Wonderful.. For once I won't complain about bumping an old thread!

Except I'm one of the bumpers. I do post WTF to let people's guards down. You can always be yourself and we won't bite. I sent @atreyu187 several texts due to humor. It's hilarious how he's going to explain the texts to his daughter since she uses his phone. I sent him some truly disturbing ones due to that. lol
 
@haxxxen @bguerville @psykosis @atreyu187

I ported MLT's RIF/EDAT bypass patches to COBRA as its dynamic module patches. So if you disable COBRA, you will lose your patches and see the difference immediately.

Patches will be applied to both DEBUG and RETAIL VSHs. @haxxxen's debug patches don't seem complete, so I just used his retail patches ported to 4.81 for both DEBUG and RETAIL, and they seem to work fine on REBUG 4.81.1.

Here's the link to the payload binaries and source.

http://www.mediafire.com/file/5h12ichl225m0r6/COBRA_7.32.zip

Code:
if you're on CEX mode, please rename stage2.cex release to stage2.cex and overwrite stage2.cex inside dev_blind/rebug/cobra/

if you're on DEX mode, please rename stage2.dex release to stage2.dex and overwrite stage2.cex inside dev_blind/rebug/cobra/

for Developers

The debug payload can be used for checking debug logs; socat is required though.

WARNING!!!!!!!!!!!!!!!!!!

DO NOT USE THE DEX PAYLOAD ON CEX and vice versa. It will cause a semi-brick on NOR models and a hard brick on NAND models.

P.S.

PS2 Classic works without hanging! (PS2 Classics isn't C00, don't expect miracles here xD)
 
I ported MLT rif/edat bypass patches to COBRA as its dynamic module patches. So if you disable COBRA then you will lose your patches to see the difference immediately.

Patches will be applied to both DEBUG and RETAIL VSHs. @haxxxen's debug patches don't seem complete so I just used his retail pataches ported to 4.81 for both DEBUG and RETAIL and seem to work fine on REBUG 4.81.1

P.S.

Please test whether this payload breaks PS2Classic pkgs or not. If my memory serves right, ps2classic will hang on boot due to its static key issue.
Good work, but TBH I do not like to apply all these patches with Cobra. This makes it too heavy, I think.
And thanks for reminding me about the debug VSH. Maybe I really compared the unspoofed VSH, which I have not patched, I guess.

About the ps2classic compatibility, I had no time to try it and I am busy with other stuff. I am making trainer PRX files for games at the moment, which is a lot of fun to me, but very time consuming.

So would this work on some of my games that I did not grab the RIF/RAP for? Or does it just bypass it completely?
Unluckily, this does not completely circumvent klic games and you cannot run them encrypted, but if you decrypt them and sign them free or fself, you do not need any klic/RIF/EDAT.

C00 games you can run without any problem though.
 