PS3 Hacking the Singstar DLC encryption for backup/custom songs?

[Berion]

Just rename user number from 00000008 to 6 in home dir and do the same inside xRegistry.sys on PC then replace file this in PS3. You do not need to adding new users. If You want keep Your current user for ownership contents reason but using this Singstar shit, then create new user in XMB and do what I wrote earlier.

 

[dittnamn]

Not having much luck with the registry editor. I copy both xregistry.sys and the backup to my pc edit both for user/lastCreatedUserID and set them to 3 and save. then delete orig on ps3 and copy the new versions back over. Reboot PS3 and try creating a new user. The new user keeps on incrementing from the last value as before I'm now up to user 0000015 I've tried it so many times.

Sorry that I forgot about the simpler way to do this. It should be enough to just change the <User>x</User> tags inside /dev_hdd0/game/BCES00011SINGSTARFAMILY/SongCache/SongCache.xml to a user id that exists on your system.

For those who want to move their songs to a new console and don't need any old highscores, this means that only this needs to be done:

• Spoof your PSID to the one from your old console (IDPS is not needed for this).
• Start a PS3 Singstar game or the Singstar XMB once to create the folder structure.
  
• Copy the encrypted files in /dev_hdd0/game/BCES00011SINGSTARFAMILY/DownloadSong/
• Copy the entire /dev_hdd0/game/BCES00011SINGSTARFAMILY/SongCache/ directory*, editing the
  <User>x</User> tags to a user that exists on your new system. For a clean formatted drive, x would be 0.

* Technically, only the SongCache.xml file is needed here, but you won't get any song previews without the cache folders.

 

[Chris79page]

Haha yeah I re-read it and that's what it sounded like sorry.

Anyway -=- GOOD NEWS I DONE IT

I've got it all working. Long story short, I somehow lost the Console ID/IDPS & PSID, they reverted back to the consoles original - it must have been when I uninstalled the WebMan pkg??

Here's what I did

1. CFW (CFW 4.87.2 Evilnat Cobra [CEX]) on my Dodgy PS3 so I could ftp into it and get all the "dev_hdd0" files!

Especially the "dev_hdd0\game\BCES00011SINGSTARFAMILY" folder!
Only one file (/dev_hdd0/game/BCES00011SINGSTARFAMILY/USRDIR/DownloadSong/Pack0_100HR5.pkg.drm) refused to copy over and it seemed to have some sort of cyclic redundancy protection (it wouldn't ftp or copy to usb drive.... or even WebMan download? it kept restarting to the point of a 65Mb file being 1.5Gb?)

2. CFW on donor PS3 and a larger HDD installed.
3. WebMan (webMAN_MOD_1.47.33_Installer.pkg.706.v1.47.33_brewology_com.pkg) installed and used on both PS3's to copy and change IDPS & PSIDs.
4. FTP'd all of /dev_hdd0 onto Donor PS3
5. Created new User account and Deleted my original account (Donor PS3 made it user/00000009)
6. Deleted ALL files in donor PS3 "\dev_flash2" then FTP'd ALL original PS3's "\dev_flash2\" files over! I wanted to use the xRegistry.sys and it worked and changed my User ID and user/00000001 etc.
7. Rechecked and changed the Console ID/DPS & PSID's again to the original PS3's​

Hope this helps anyone else that feels ripped off with the SingStar store being taken down etc.
It is the one thing that made me go down this route I paid for 192 downloaded tracks and was at risk of losing them all if this dodgy PS3 dies.
I have cloned the original drive but that no use with a YLOD and it wouldn't work in any other console!

I now have a decent back up and a way of keeping my downloaded content alive! .... with the bonus of a backwards compatible PS3 and plenty of room to put my entire collection onto my PS3

So I have an original 60gb ps3 with ylod, and have the same issue as above, loads of lost singstar songs. I wanted to buy a later ps3 slim and transfer across, I have Absolutley no idea how to do the above, would anyone be willing to help? I can post both hard drives, I'm in the uk but don't mind us postage. Please, anybody?!

 

[Berion]

You need to fix Your old console to get IDPS (for IDPS spoofing on target console) and ERK (for getting data from HDD from dead console (it is encrypted by keys generated from ERK)).

 

[pcjones]

Thanks to everyone here!
I was able to save 500+ songs bought in the SingStore that were on a dying PS3 - thanks!
If I can help to break the DRM in any way please let me know - and if anyone manages to break it I'll happily provide the song files

 

[Coro]

I'll happily provide the song files

welcome to the forum! we are happy to have you here...but please remember that this site has a no piracy rule.

if you will read the whole thread, i think you can get the songs working by copying your old psn account.

 

[dittnamn]

As an update, I've found that the game itself has a few functions inside called "sceeDRMPackageOpen/Close/Read/Seek", which are probably exactly what we want. The original code seems to have been C++ and as a result following the disassembly is really annoying, so I'm not entirely sure but I think it uses a file from the installation called "keys.edat", which makes sense. However, I'm not sure I'm having any luck decrypting said EDAT. I'm using a very old tool called "make_npdata" and this is the output, in case somebody finds anything useful or can tell me what to use instead:

> make_npdata keys.edat outputKey 4

NPD HEADER
NPD version: 2
NPD license: 3
NPD type: 0

EDAT HEADER
EDAT flags: 0x0000000C
EDAT block size: 0x00004000
EDAT file size: 0x00000600

WARNING: NPD title hash is invalid!
WARNING: NPD dev hash is invalid!
DEVKLIC: F2FBCA7A75B04EDC1390638CCDFDD1EE
RIF KEY: 00000000000000000000000000000000
DECRYPTION KEY: F2FBCA7A75B04EDC1390638CCDFDD1EE

Parsing data...
WARNING: Header hash is invalid!
WARNING: Metadata section hash is invalid!
File successfully parsed!

Decrypting data...
WARNING: Block at offset 0x00000110 has invalid hash!
File successfully decrypted!

I've managed to decrypt the keys.edat file using TrueAncestor EDAT Rebuilder, but the content of the output doesn't make any sense to me. The first bytes are "12 EC D9 0B 2E F9 56 3F" and I can't seem to find any similar file format. There's also some repeating information in the file, so I guess that the key might just be a part of the file without any other compression etc., but it's still a lot to go through blindly. I still haven't figured out what kind of encryption method is being used for the files.

I've also noticed that there seems to be two different file formats for the DLC. The file sizes in SongCache.xml are all 256 bytes smaller than the actual size for songs released up until around September 2009. After that, the file sizes in SongCache.xml are the same as the actual size, and they also have the tag <IsNew>True</IsNew> instead of False for the older ones. The later files aren't possible to play using old Singstar versions without updating.

The pkg.drm files are fully encrypted but I do suspect that there still might be a 256 byte header that is encrypted by a common key in keys.edat and that the rest of the file is encrypted by the PSID + possibly something from keys.edat. There could also be some kind of two pass encryption, but if I remember correctly the Singstar app was able to read the artist and song title even with the wrong PSID on the console. To get further with this I think we need someone who can analyze the disassembled program code to see how to recreate the encryption method. @Bolonni: Did you notice anything more in the disassembled code that could help us here?

 

[dittnamn]

I have some potentially helpful updates about this now. I've been able to compare my song files to ones from another PS3. We have 49 songs in common, 19 of them have the exact same file size. Out of these, 4 of them have almost identical contents, except for the last 256 bytes of the files.

Overall, there aren't enough different file combinations files for a certain conclusion, but I have a few takeaways:

• Some songs have a 256 byte difference in the file sizes in the SongCache.xml file and the actual size. However, it wasn't as I thought before that it had to do with the IsNew tag, so I think we could just ignore this. It's probably just depending on which Singstar version that was used for the download.
• Some songs we have in common have slightly different file sizes. I suspect this is due to changes made in the content and that it has nothing to do with the encryption. I think the input files has been the exact same size as the output files.
• The four songs that have the exact same file size and are almost identical are all marked as <IsNew>True</IsNew> in SongCache.xml.
• There's a <PCL>x</PCL> tag in the SongCache.xml file, where x can have a number from 0 to 5. Songs with <IsNew>False</IsNew> and different PCL number have entirely different contents, even when the file sizes are identical. We didn't have any "old" files with the same PCL number, so I'm not sure what this means. It could mean that it's connected to the encryption for the old files only, or it's just not relevant.
• One of the four mostly identical songs had <IsNew>True</IsNew> and different PCL numbers. This could mean that the PCL number is only relevant for the old songs, but I suspect it's not relevant at all.
• I think I've been wrong from the start that the PSID is part of the encryption. I now believe that the PSID is part of the contents of the encrypted file and that the app just checks if it matches. The key is most likely in keys.edat and from the layout of the extracted file, I think there are at least three different keys (disc, old, new?). They might just be part of the extracted file and we would just need to figure out where they start and end, plus to find out which encryption method is being used.
• My guess is that the old encryption method means that the entire file is encrypted as one part, and that the new method is encrypted using two parts.

Another interesting thing I've noticed is that Singstar Ultimate Party and some versions of the Singstar app has an external library file called libSceSecure.sprx. If this is what controls the DRM, it might be easier to decompile than the full app.

The early Singstar versions also doesn't seem to have the keys.edat file, so the old key might be included in the binaries instead if someone looks into the decompilation process.

 

[Elm0]

Had to register for this post. First of all thanks for everyone sharing related information, its really helpful when you don't have to replicate every step from the beginning by yourselves.

I have a DEX PS3 on which I've been able to debug the game. The main goal would be to allow custom songs one way or another. I haven't looked at all into any of the online content / downloaded songs, so skip this post if its your only interest.

However, I have quite a PS2 collection which I've been playing through the disc swap feature. As you probably know, some of the latest PS2 versions include an encrypted PAK_W.PAK file. This file is read during the disc swap on PS3 game, with disassembly showing some hints to "PS2_DISC_TRUST". Information on various forums mentions also that the melodies files (.chc) are encrypted on the latest versions of PS2 using "standard" Tiny Encryption Algorithm (TEA) with 32 rounds. I don't have any experience on those as I don't own a disc with these. However it might be possible the PAK_W.PAK is encrypted using a similar algorithm and I think a method to find .chc keys exists, though not public. If anyone has information on this, please PM or better yet publish the method if legally allowed.

Now the interesting part: PS3 checks the whole PS2 disc for any changes. Changing one byte in any file will result in "Not a SingStar disc" error. I've disassembled and debugged this somewhat: the check data is included in PS3 itself, probably in LegacyPS2Discs.pkd. It seems like this file includes all previous releases of PS2 discs in archived format, probably similar to .pkf files (ZLIB?). Of course it is also encrypted as well. However I've been able to dump some of the content related to this check by pausing the game at start of the check routine with a debugger (using breakpoints), then dumping the RAM through webMAN MOD. There is probably a folder structure with folder names being title ids ("SCESxxxx") containing probably a file named "trustdata.xml". The same information can also be found by disassembling the game ELF. The RAM dump revealed some of the contents of this trust check as well, it is probably a file in the following format (Could someone confirm if it is ok to post this? I've removed any critical information for now)

<?xml version="1.0" encoding="UTF-8"?>
<PS2_DISC_TRUST xmlns="http://www.singstargame.com" xmlns:ss="http://www.singstargame.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.singstargame.com http://lon01-singsql/xml_schema/PS2DiscTrust.xsd">
<TRUST_DB_VER=x>
    <DISC PRODUCT_CODE="xxxxxxxxx" SYS_VER="x.xx">
    <FILES>
        <FILE>
            <FILEPATH>PACK_EE.PAK</FILEPATH>
            <SIZE>xxx</SIZE>
            <POSITION>0</POSITION>
            <HASH POS="0" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
            <HASH POS="0" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
        </FILE>
   </FILE>
      <FILE>
        <FILEPATH>songid\movie.ipu</FILEPATH>
        <SIZE>xxx</SIZE>
        <POSITION>xxx</POSITION>
        <HASH POS="0" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
        <HASH POS="xxx" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
      </FILE>
      ...

The original file hashes match with what I can calculate from the offsets and lengths given in the file for a specific file using Whirlpool algorithm so we can quite reliably assume this is the method used to check the disc. I've tested this by loading a PS2 game with single byte modification to PACK_EE.PAK and the hashes found at RAM dump were the same as before, meaning they come from the PS3 game and are not the ones calculated for the files. However I manually poked the ram to insert my new modified file hashes in place of the loaded ones and BOOM, THE GAME LOADS THE DISC WITHOUT ERRORS.

I also suspect that PAK_W.PAK contains similar file which is used instead of the built-in trustdata if found on the disc.

Another interesting thing is that the game checks manually for the SingStar Bollywood, you can find the SC-code related to it in the disassembly. This is a PS2 disc that wouldn't load using the disc swap feature, at least that is all I could find from the forums. I don't have the game so I can't find what the ID is used in the PS3 for, but it is interesting to find it in the disassembly. Perhaps this is a feature to block the disc or a fix included by Sony in some update to allow for it to load?

Anyway the next step would be to find the encryption method and keys to PAK_W.PAK or LegacyPS2Discs.pkd, unless someone can create an automatic patch for the RAM during the disc loading phase. Any ideas, anyone?

 

[theorist]

When you bought product to activate on from PSStore in exdata folder are license files *.rap. maybe similar files are with downloadable singstar songs?

 

[aldostools]

When you bought product to activate on from PSStore in exdata folder are license files *.rap. maybe similar files are with downloadable singstar songs?

The content bought from PSStore are activated as .rif in exdata folder of user's home directory.

.rap files only come from unofficial homebrew "stores" that provide pirated content or when the users convert their own .rif to .rap.

Here is a reminder of the forum rules.
https://www.psx-place.com/threads/site-forum-rules-guidelines.79/

 

[Elm0]

Information on various forums mentions also that the melodies files (.chc) are encrypted on the latest versions of PS2 using "standard" Tiny Encryption Algorithm (TEA) with 32 rounds. I don't have any experience on those as I don't own a disc with these. However it might be possible the PAK_W.PAK is encrypted using a similar algorithm and I think a method to find .chc keys exists, though not public. If anyone has information on this, please PM or better yet publish the method if legally allowed.

New info, the CHC files are indeed encrypted with TEA cipher (the most common "default" implementation, 32 rounds with sum 0xC6EF3720 and delta 0x9E3779B9). The keys are disc specific as they're really just CRC-32 checksums of the following null-padded strings found on the disc (in PACK_EE.PAK/export/config.xml):

Key 1: PRODUCT_NAME
Key 2: PRODUCT_CODE
Key 3: TERRITORY
Key 4: DEFAULT_LANG

Note you'll need to add 0x00 byte at the end of each of these. Then get the standard CRC-32 of each string and append them together to get the 128-bit key for TEA.

No progress on PAK_W however. Well, I noticed it is not 8-byte padded so the TEA isn't suitable for it (atleast for the plain file without added padding).

 

[Pebbles]

Im surprised there still isnt a way for customs or a method to combine all singstar games on the ps3 yet. Its sad to see that so much content is basically lost now. I dont know much about coding but somebody could try using AI to find out how to the encryption works on the singstar games. I see that theres many AI coding plug ins that could help.

 

[GuilloteTesla]

Im surprised there still isnt a way for customs or a method to combine all singstar games on the ps3 yet. Its sad to see that so much content is basically lost now. I dont know much about coding but somebody could try using AI to find out how to the encryption works on the singstar games. I see that theres many AI coding plug ins that could help.

That's not how AI works.

 

[Shadow_Zero]

Had to register for this post. First of all thanks for everyone sharing related information, its really helpful when you don't have to replicate every step from the beginning by yourselves.

I have a DEX PS3 on which I've been able to debug the game. The main goal would be to allow custom songs one way or another. I haven't looked at all into any of the online content / downloaded songs, so skip this post if its your only interest.

However, I have quite a PS2 collection which I've been playing through the disc swap feature. As you probably know, some of the latest PS2 versions include an encrypted PAK_W.PAK file. This file is read during the disc swap on PS3 game, with disassembly showing some hints to "PS2_DISC_TRUST". Information on various forums mentions also that the melodies files (.chc) are encrypted on the latest versions of PS2 using "standard" Tiny Encryption Algorithm (TEA) with 32 rounds. I don't have any experience on those as I don't own a disc with these. However it might be possible the PAK_W.PAK is encrypted using a similar algorithm and I think a method to find .chc keys exists, though not public. If anyone has information on this, please PM or better yet publish the method if legally allowed.

Now the interesting part: PS3 checks the whole PS2 disc for any changes. Changing one byte in any file will result in "Not a SingStar disc" error. I've disassembled and debugged this somewhat: the check data is included in PS3 itself, probably in LegacyPS2Discs.pkd. It seems like this file includes all previous releases of PS2 discs in archived format, probably similar to .pkf files (ZLIB?). Of course it is also encrypted as well. However I've been able to dump some of the content related to this check by pausing the game at start of the check routine with a debugger (using breakpoints), then dumping the RAM through webMAN MOD. There is probably a folder structure with folder names being title ids ("SCESxxxx") containing probably a file named "trustdata.xml". The same information can also be found by disassembling the game ELF. The RAM dump revealed some of the contents of this trust check as well, it is probably a file in the following format (Could someone confirm if it is ok to post this? I've removed any critical information for now)

<?xml version="1.0" encoding="UTF-8"?>
<PS2_DISC_TRUST xmlns="http://www.singstargame.com" xmlns:ss="http://www.singstargame.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.singstargame.com http://lon01-singsql/xml_schema/PS2DiscTrust.xsd">
<TRUST_DB_VER=x>
    <DISC PRODUCT_CODE="xxxxxxxxx" SYS_VER="x.xx">
    <FILES>
        <FILE>
            <FILEPATH>PACK_EE.PAK</FILEPATH>
            <SIZE>xxx</SIZE>
            <POSITION>0</POSITION>
            <HASH POS="0" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
            <HASH POS="0" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
        </FILE>
   </FILE>
      <FILE>
        <FILEPATH>songid\movie.ipu</FILEPATH>
        <SIZE>xxx</SIZE>
        <POSITION>xxx</POSITION>
        <HASH POS="0" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
        <HASH POS="xxx" LEN="xxx" TYPE="Whirlpool">hash_here</HASH>
      </FILE>
      ...

The original file hashes match with what I can calculate from the offsets and lengths given in the file for a specific file using Whirlpool algorithm so we can quite reliably assume this is the method used to check the disc. I've tested this by loading a PS2 game with single byte modification to PACK_EE.PAK and the hashes found at RAM dump were the same as before, meaning they come from the PS3 game and are not the ones calculated for the files. However I manually poked the ram to insert my new modified file hashes in place of the loaded ones and BOOM, THE GAME LOADS THE DISC WITHOUT ERRORS.

I also suspect that PAK_W.PAK contains similar file which is used instead of the built-in trustdata if found on the disc.

Another interesting thing is that the game checks manually for the SingStar Bollywood, you can find the SC-code related to it in the disassembly. This is a PS2 disc that wouldn't load using the disc swap feature, at least that is all I could find from the forums. I don't have the game so I can't find what the ID is used in the PS3 for, but it is interesting to find it in the disassembly. Perhaps this is a feature to block the disc or a fix included by Sony in some update to allow for it to load?

Anyway the next step would be to find the encryption method and keys to PAK_W.PAK or LegacyPS2Discs.pkd, unless someone can create an automatic patch for the RAM during the disc loading phase. Any ideas, anyone?

As a sidequestion, since you have a PS2 SingStar collection, did you ever come across the custom SingStar's "Linkin Park" and "Beatles + 60's"? Saw some hints of those back in the day, but never came across those or saw any footage unfortunately.

 

[Edness]

Hi! Back in July I reversed the encryption algorithm used by SCEE London Studio PS3 games because I needed to for other research/projects, and later on I released it to the public (currently just on ResHax). It supports extracting all of their known PS3 PACKAGE variants.
https://reshax.com/files/file/79-ps3-scee-london-studio-package-extract/

 

[DeViL303]

Hi! Back in July I reversed the encryption algorithm used by SCEE London Studio PS3 games because I needed to for other research/projects, and later on I released it to the public (currently just on ResHax). It supports extracting all of their known PS3 PACKAGE variants.
reshax.com/files/file/79-ps3-scee-london-studio-package-extract/
(Can't seem to post attachments or direct links yet though)

Oh.. Nice work. Very interesting. By any chance do you have plans to open source it or detail how the encryption works.

 

[Edness]

Oh.. Nice work. Very interesting. By any chance do you have plans to open source it or detail how the encryption works.

Yep, I do plan on open sourcing it eventually. They used a somewhat custom/non-standard implementation of XTEA encryption. There's one more thing I also wanted to test but have been unable to currently, and that is the support for SingStore distributed DLC, and possibly recrypting them for use on other systems, because I don't have any. (I'm aware it's against forums rules to share them here, so I'm not implying anything :P) I've only been able to extract DLC distributed via PSN for DanceStar instead, which just uses .EDAT encryption.

 

[MunkeySpoon]

Hi! Back in July I reversed the encryption algorithm used by SCEE London Studio PS3 games because I needed to for other research/projects, and later on I released it to the public (currently just on ResHax). It supports extracting all of their known PS3 PACKAGE variants.
reshax.com/files/file/79-ps3-scee-london-studio-package-extract/
(Can't seem to post attachments or direct links yet though)

Hello, @Edness, question; can this work on ps2 singstar games too?

 

[Edness]

Hello, @Edness, question; can this work on ps2 singstar games too?

I don't think PS2 .PAK files are encrypted? They use SceeWhId/SceeWhPk/SceeWhPC archives anyway, which are a different format, and I believe other extractors already exist for it. Only exception is PAK_W.PAK found in later PS2 games, which is just the PS3 PACKAGE .PKD format, and is supported by my tool already.