Re-encryptor for disc game eboots

Rip Cord

Administrator
Staff member
Developer
a couple simple tools to re encrypt/ re sign disc game eboots for lower firmware.
instead of extracting the elf portion, it saves the entire decrypted self file.
any values in the decrypted self file can be edited in a hex editor or with the included utilities.
uses the original self meta data for re - encryption

adapted from fail0verflow tools
place your key files in a subfolder named "ps3keys"
file name format for keys: app type - key type - key revision; app-key-0004, app-iv-0004,...
 

Attachments

  • eboot_recryptor.zip
    283.8 KB · Views: 6
Last edited by a moderator:

Rip Cord

Administrator
Staff member
Developer
usage for eboots with sdk version in an uncompressed section

1. use readself or scetool to find out the elf section that contains the sdk version.
on all the eboots I have it's in section 0.

Code:
ELF64 Program Headers:
 
Idx Type	 Offset   VAddr	PAddr	FileSize MemSize  PPU SPU RSX Align
 
...
 
006 PARAMS   01062280 01072280 01072280 00000020 00000020 --- --- --- 00000008
params section is at offset 01062280
Code:
[*] Metadata Section Headers:
Idx Offset   Size	 Type Index Hashed SHA1 Encrypted Key IV Compressed
000 00000980 010622C8 02   00	[YES]  00   [YES]	 06  07 [NO ]
001 01070980 0008D244 02   01	[YES]  08   [YES]	 0E  0F [NO ]
section 0 starts at offset 980 and is 10622C8 long. params is in section 0

2.use de_eboot to decrypt the eboot header and section 0
de_eboot EBOOT.BIN EBOOT_decrypted.self 0

3. use edit_firmware_version to edit the firmware version and key revision
edit_firmware_version EBOOT_decrypted.self EBOOT_decrypted_edited1.self 04 341

4. use edit_sdk_param to edit the sdk version
edit_sdk_param EBOOT_decrypted_edited1.self EBOOT_decrypted_edited2.self 34

5. use re_eboot to re-encrypt the edited eboot
re_eboot EBOOT_decrypted_edited2.self EBOOT_reenrypted.BIN 0

included with the tools is a batch file that has all these commands. just double click it to fix an eboot with the sdk version in an uncompressed section 0.
 
Last edited by a moderator:

Rip Cord

Administrator
Staff member
Developer
for eboots with compressed section de_eboot will save the compressed section to a separate file named
decrypted_section_X.bin ( x for the section number)
use section_decompress to uncompress the section
edit the sdk version
use section_compression to compress the section
specify a compression level that results in a section that is equal to or smaller than the original section (level 6 or 7)
use insert_section to insert the section
edit the firmware version and key revision
use a hex editor to edit the size of the section in the section table of the self
use re_eboot to encrypt the self file.

I only tested one eboot with a compressed section 0. after editing the sdk version and recompressing with level 6, it was one byte larger than the original. I noticed that the offset for the next section, section 1, was farther away than the increase in size of one byte. So I inserted section 0 even though it's one byte too big. used a hex editor to find the section size; it was 2 places in the decrypted self. I edited the size to equal the new size. finished re-encrypting the self. Copied the eboot to the usrdir folder on the ps3 hdd and the game played ok.
 

Rip Cord

Administrator
Staff member
Developer
apps to fix a compressed section, no need to edit section size manually

edit_compressed_section.exe will uncompress the section, edit the sdk version in sys_proc_param, and re-compress the section.
Usage:
edit_compressed_section <input.bin> <output.bin> <sdk version> <compression level>

<input.bin> compressed section from decrypted self
<output.bin> recompressed section to be inserted back into decrypted self
sdk version in sys_proc_param for the self; 34, 35,...
optional: compression level, valid values 0-9, default is 6

insert_section.exe this version edits the section size in the self section info table and in the meta data section table
Usage: insert_section <input.self> <input_section.bin> <index> <output.self>

input.self is the self in which the section is inserted.
input_section.bin is the section to be inserted.
index is the index number given to inserted section.
possible values 0,1,...index of last section

includes sample batch files to resign for 341 or 355
 

Attachments

  • compressed_section.zip
    95 KB · Views: 6
Last edited by a moderator:

Rip Cord

Administrator
Staff member
Developer
small update to edit_compressed_section.exe

change_log:
edit_compressed_section.exe version 0.2.2
fixed printed output displaying offset of sdk version
added: uncompressed section saved to file if sdk version not found
added: more error control
added: version information

thanks for the suggestions
 

Attachments

  • edit_compressed_section.zip
    58.8 KB · Views: 2
Top