PS3 [Research] MLT's RIF bypass patches in VSH

Joonie · Jan 16, 2015

[MENTION=89]aldostools[/MENTION] and [MENTION=872]sandungas[/MENTION] recently asked me if I could do some reversing of MLT's rif bypass patches.

If you are not familiar with this, you can check this article as a reference [Translated well in English]

MiralaTijera 4.40 CFW [Update#2] - ReActPSN RIF License Bypass - PSX-Scene

The original source is EOL, the link is below.

[UPDATE4][CFW 4.40 MiralaTijera] System manager 1.1 & Core 3.2.0 integrado +qaflag (1 de 298) @ ElOtroLado.net PlayStation 3 Modchips y Softmods

So I gave a shot, and there was positive result, basically I tried porting MLT's 4.40 VSH patched to REBUG's 4.41 vsh,

So far only tested on retail VSH. [4.41.3 REX]

If any of you interested in this research, would you guys like to give me some help?

I heard the report saying his rif bypass has some bugs and that was why he stopped porting to 4.5x+. [PS2Classic can be bypassed also according to his note, but patching in ps2netemu required.

I remember his teaser video of PS2 ISO loader, I think he was able to do it also.

I'm going to upload my sample files including original MLT's 4.40.

I'll also ask habib about this research, he may improve some asm codes of this patches.

http://www.mediafire.com/download/vdbkxb6dpdqvnsg/vsh_patches_RIF_bypass.rar

If you want to try this on REBUG 4.41.3

You need to do following

1. Install REBUG 4.41.3 REX Edition [don't do it via Recovery, this has the same bug as REX 4.53.1 , it fails to install at 52%]
2. Launch toolbox
3. replace vsh.self.cexsp located in dev_rebug/vsh/module/vsh.self.cexsp, with vsh_rbg_441.self from the package.
4. Activate REBUG mode, and then change XMB menu type to "Retail"
5. Close Toolbox [ it will reboot ]
6. Then try some PSN contents [old PSN games, PS1 Classics and etc]

I tried one c00 demo type game, it worked as unlocked [Tmnt series]
and tried another one Street Fighter HD , It gave me error 80010009.

I'm going to try porting this to 4.65.2 REX, see if that works.

Probably a lot harder than porting it from 4.40 to 4.41, because its asm code should have a lot of changes. [mostly bl]

I also included TXT file that has all that hex patterns of those patches. It was quite a lot.

Anyways, I think this is good founding

psykosis · Jan 16, 2015

Always down to help out joonie

Nicolas · Jan 16, 2015

wow how interesting the project you have started
I thought to find how to work when the CFW had released but at that time no one help me
really this is great feature that even rebug team could not add to rebug cfw yet!!
almost 1 year ago (when the CFW released,i cannot remember when was exactly) i told evilsperm: "hey dude,there is an awesome feature in MLT CFW,did you hear anything about that?sound like it is an amazing feature that really can help lazy cfw users like me that don't wanna waste their time for finding FUUking RAPS and create aa and ..."
Unfortunately the creator of MLT CFW is a selfish person that really cannot contact him and has a friendly relationship with him and all time has hated any other devs on ps3 scene
I am sure that the structure of this feature will be found and we will get it to him so that when we asked him for telling us how to work feature that you added to your CFW he said:"Get your nose out of my business"
Ok it is not a big deal and we will walk over you

evilsperm · Jan 16, 2015

good luck! I would love to see this patch bug free

Joonie · Jan 16, 2015

Nicolas said:
wow how interesting the project you have started
I thought to find how to work when the CFW had released but at that time no one help me
really this is great feature that even rebug team could not add to rebug cfw yet!!
almost 1 year ago (when the CFW released,i cannot remember when was exactly) i told evilsperm: "hey dude,there is an awesome feature in MLT CFW,did you hear anything about that?sound like it is an amazing feature that really can help lazy cfw users like me that don't wanna waste their time for finding FUUking RAPS and create aa and ..."
Unfortunately the creator of MLT CFW is a selfish person that really cannot contact him and has a friendly relationship with him and all time has hated any other devs on ps3 scene
I am sure that the structure of this feature will be found and we will get it to him so that when we asked him for telling us how to work feature that you added to your CFW he said:"Get your nose out of my business"
Ok it is not a big deal and we will walk over you

I heard about his reputation, what a shame after he did all that good work and vanished.

By the way, I just wanna know what game works with this patch and what doesn't and why so we can narrow down what's missing

Thanks for your support

Joonie · Jan 16, 2015

Progress report,

I also ported this patches to REBUG 4.46, and it seems working as the same as my first port [4.41],

so far, I have got the same result.

TMNT works, Street Fighter HD gives 80010009 error.

I'm going to try Virtua Fighter 5 soon

Again, I removed my act.dat, and there is no rif has been activated.

This is legit test results.

The reason why I chose REBUG REX for testing, is because it's easy to swap VSH, since all REBUG REX include 3 VSH files.

I can easily see the immediate differences between normal VSH and patched VSH with MLT's patches

Zar · Jan 17, 2015

Well done
the 0x8....9 error cannot be solved by patching the eboot to a lower version ? (fw at offset 0x400 or 0x40C)
also did you patch the lv2 to avoid this error ? ( for 4.41 : poke ( 0x059AF8 , 0x60000000) )

atreyu187 · Jan 17, 2015

What differences do you see? Is it performance wise?

Skiller · Jan 17, 2015

the Bypass stuff is it not just based of Forcing the Static Keys for say C00,PS1 and so on ..
it will not work on games that don't follow static key (if im correct).
the other format would be to take this one step past the RAP process and allow to load RAW keys from the exdata section
this would take out the need for Act.dat.

its nice to see people looking into this area and as always Nice work [MENTION=29]Joonie[/MENTION]

Joonie · Jan 17, 2015

atreyu187 said:
What differences do you see? Is it performance wise?

What difference? Normal VSH [Not working due to missing patches ] Patched VSH with MLT's patches [ Working ]..

Skiller said:
the Bypass stuff is it not just based of Forcing the Static Keys for say C00,PS1 and so on ..
it will not work on games that don't follow static key (if im correct).
the other format would be to take this one step past the RAP process and allow to load RAW keys from the exdata section
this would take out the need for Act.dat.

its nice to see people looking into this area and as always Nice work [MENTION=29]Joonie[/MENTION]

Thanks for your clarification.

Well then MLT's statement is FALSE, He said "ALL GAMES" should work lol.

Let me verify if RE : Revelations working or not, some claimed this was working before its RAP [rif key] was found.

Skiller · Jan 17, 2015

my guess is he just did what Duplex/Zhuge did back in the day just Via the VSH
Modding the call to tell
sceNpDrmVerifyUpgradeLicense2
sceNpDrmVerifyUpgradeLicense
it is "Ok"
so that it instead of going down "need to purchase" side it goes down Purchased side of the code..

can tell this also from your test .

TMNT: Turtles in time Re-shelled = Goma
Super Puzzle Fighter 2 Turbo HD remix = Non-Goma

you can try it on other games like
PAC-MAN Championship Edition DX
Marvel vs Capcom 2
Earth worm Jim HD
Tank Battles

or any games that store there edat into the Exdata section (so same games that HDD OFW can load)

Every game can say you bought it its the Decrypting Part that becomes the need of the RIF..

STLcardsWS · Jan 17, 2015

This thread will not turn into a piracy thread guys.

There is legitimate uses for this as people who purchase PSN Games and content should not be subject to Re-activate games and agree to ever changing Terms of Service and log into PSN to just play what they bought. So for informational purposes this discussion is allowed but do not mistake as a discussion for piracy (just giving that warning so it doesn't go that way).

Skiller · Jan 17, 2015

STLcardsWS said:
This thread will not turn into a piracy thread guys.

There is legitimate uses for this as people who purchase PSN Games and content should not be subject to Re-activate games and agree to ever changing Terms of Service and log into PSN to just play what they bought. So for informational purposes this discussion is allowed but do not mistake as a discussion for piracy (just giving that warning so it doesn't go that way)..

Not meant to turn that way just meant to Signify what format this patch is using most likely.
and i agree this is not meant to push this in the direction of Piracy .. and agree the hoops people have to jump through when u own a game is a pain. but like anything that comes to activation it always on the Edge of this kinda talk just like game hacking and so on

Makes our life hard and hard it is normally why stuff like this is discussed in private

everyone as this thread grows remember that this is completely educational. referral to similar stuff is just meant to be that. not to say we agree with there function they used..

STLcardsWS · Jan 17, 2015

Skiller said:
Not meant to turn that way just meant to Signify what format this patch is using most likely.
and i agree this is not meant to push this in the direction of Piracy .. and agree the hoops people have to jump through when u own a game is a pain. but like anything that comes to activation it always on the Edge of this kinda talk just like game hacking and so on Makes our life hard and hard it is normally why stuff like this is discussed in private

everyone as this thread grows remember that this is completely educational. referral to similar stuff is just meant to be that. not to say we agree with there function they used..

Was not so much directed towards you or anyone in the thread at all. just giving the fair warning is all

because i do not want it to go that route but i do like the feature and research

sandungas · Jan 17, 2015

STLcardsWS said:
...There is legitimate uses for this as people who purchase PSN Games and content should not be subject to Re-activate games and agree to ever changing Terms of Service and log into PSN to just play what they bought. So for informational purposes this discussion is allowed but do not mistake as a discussion for piracy (just giving that warning so it doesn't go that way).

Actually... it can be one of the steps needed to make ps2 .iso to boot directly (without the need of placeholders tricks)
I dont know much about how all this works, but well... the purpose of the ps2 placeholder is to add a "dummy" edat to be used later for all ps2 games... and MLT patches seems to bypass the need of edats so is related, right ?

I remember to read about MLT vsh patches (but dont remember who or where was wrote, maybe was himself) commenting some of them are not related with the rif bypass
[MENTION=29]Joonie[/MENTION] iniciative is great as the first step to identify them... by now you have the list of patches and has been proved working in newer firms... so should be correct
Next step is to try to make sense of them to identify wich ones are critical and wich ones not related (in worst scenrario in "blind mode" without reversing... just remove one by one and test)

atreyu187 · Jan 17, 2015

Yea I agree with that statemem . I lost a lot of money when I got banned as Sony felt it OK to take back all my LEGALLY purchased content from PSN when I got banned. Over $400 just gone and all I used online was the PS Store and a paid for digital strwaming video service. Had it not been for ReActPSN I would have been really sore. So this has many uses that does not pertain to piracy.

Joonie · Jan 18, 2015

Zar said:
Well done
the 0x8....9 error cannot be solved by patching the eboot to a lower version ? (fw at offset 0x400 or 0x40C)
also did you patch the lv2 to avoid this error ? ( for 4.41 : poke ( 0x059AF8 , 0x60000000) )

Patching EBOOT is impossible without RIF key, so that's not the case.
I'll see what I can do with LV2

sandungas said:
Actually... it can be one of the steps needed to make ps2 .iso to boot directly (without the need of placeholders tricks)
I dont know much about how all this works, but well... the purpose of the ps2 placeholder is to add a "dummy" edat to be used later for all ps2 games... and MLT patches seems to bypass the need of edats so is related, right ?

I remember to read about MLT vsh patches (but dont remember who or where was wrote, maybe was himself) commenting some of them are not related with the rif bypass
[MENTION=29]Joonie[/MENTION] iniciative is great as the first step to identify them... by now you have the list of patches and has been proved working in newer firms... so should be correct
Next step is to try to make sense of them to identify wich ones are critical and wich ones not related (in worst scenrario in "blind mode" without reversing... just remove one by one and test)

I identified MLT's 24 patches, it looks like 4 of them are reactPSN related[un-signed ACT.DAT and rif activation ], I'll go thru Jumptables on IDA and find out what patches.

It is going to be fun research.

Zar · Jan 18, 2015

[MENTION=29]Joonie[/MENTION]
you don't need to decrypt the eboot/self/sprx, so you don't need the key. You just have to change the value of fw version at the offset 0x40C or at 0x400. That's exactly what multiman do to fix the game.

but this error can be called for a lot of issue... according to devwiki : "Operation not permitted. An error occurred during the start operation (e.g.: debug self on retail)" . So, i'm not sure that what i told you will solve it :p

Joonie · Jan 18, 2015

Zar said:
[MENTION=29]Joonie[/MENTION]
you don't need to decrypt the eboot/self/sprx, so you don't need the key. You just have to change the value of fw version at the offset 0x40C or at 0x400. That's exactly what multiman do to fix the game.

but this error can be called for a lot of issue... according to devwiki : "Operation not permitted. An error occurred during the start operation (e.g.: debug self on retail)" . So, i'm not sure that what i told you will solve it :p

The game I tried running was already lower than 3.00, [it was like 2.xx], So that trick won't do any good on 4.40/4.41/4.46, I'm just going to get some debug log from cobra and see what fails, probably will do some public testing also

atreyu187 · Jan 18, 2015

Joonie said:
Progress report,

I also ported this patches to REBUG 4.46, and it seems working as the same as my first port [4.41],

so far, I have got the same result.

TMNT works, Street Fighter HD gives 80010009 error.

I'm going to try Virtua Fighter 5 soon

Again, I removed my act.dat, and there is no rif has been activated.

This is legit test results.

The reason why I chose REBUG REX for testing, is because it's easy to swap VSH, since all REBUG REX include 3 VSH files.

I can easily see the immediate differences between normal VSH and patched VSH with MLT's patches

Does this patched vsh work with your 4.46 Rebug REX build?

And when I asked what differences you noticed when adding these patches I thought you meant performance wise you noticed differences not just the fact some PSN content worked without activating.

PS3 [Research] MLT's RIF bypass patches in VSH

Joonie

psykosis

Developer

Nicolas

Member

evilsperm

Forum Noob

Joonie

Joonie

Zar

atreyu187

Loathsome Dung Eater

Skiller

Joonie

Skiller

STLcardsWS

Skiller

STLcardsWS

sandungas

atreyu187

Loathsome Dung Eater

Joonie

Zar

Joonie

atreyu187

Loathsome Dung Eater

Similar threads