PS3 Hacking the Singstar DLC encryption for backup/custom songs?

[mattwookie]

Hi there,

I found this thread while looking for ways to do something similar to what you folks are talking about. In particular, I'd like to add more songs to the game (the ones from my PS2 discs and maybe others).

While I have reverse engineering experience I have zero experience with PS3 specifics, so I was hoping somebody can point me in the right direction.



I've checked what @Berion said about the files being EDAT and unless I'm mistaken I don't think they are. According to this page https://www.psdevwiki.com/ps3/EDAT_files said files have a header with a lot of information about the encrypted file, but those `pkg.drm` are encrypted from the very first byte (I ran a quick analysis of the entropy of the file and I'm mostly certain it's just encrypted/compressed from the beginning). MSELF files are executables as far as I can see, so they should also be ruled out because of the lack of header (again, no experience on this system, so please correct me if I'm wrong).

My suspicion is that they might be encrypted using some key unique to the game (and maybe even found inside the game itself) but one missing piece of information is: are those files "generic", unique to each user, to user + console or something else? I thought that one quick way of finding out is by getting the same file (or just a hash, should be enough) from different people that belong to the same song, so please let me know if anybody can help with that, unless somebody already knows this is useless . This will actually only tell us if files are unique or not (but not in what way) but it's a start .

After decription the PKG format itself is easy to parse, I'm not sure if it's the same as the PS2 but even if it's not, I doubt it will be that complicated.

Bolonni all of the work you have done on this is beyond my abilities but maybe I can help out some other way. I own many of the Singstar discs for PS2, PS3, PS4 and Singstar Song downloads from the Singstar Store (now offline). All that I was able to find in terms of encryption was listed in the previous pages of this topic. It does appear that the downloaded songs are secured using console ID as the only way that I was able to save my library was to spoof the CID after transferring from the old PS3 that was dying. I think the dream is to be able to take individual tracks from each disc and to copy them in the correct format to fool the system into thinking they were downloaded. Then you will never need to to change discs as the songs would already be in your download library. The Performous information listed in the previous pages details a program that can be used to bypass the encryption but I have not tried it. It seems that if the Performous software can be modified that maybe it can give you a look at the encryption key for the PS2 discs only. The Performous team gave up on trying to decrypt PS3 discs and they say that each PS3 Singstar disc had a different decryption key. I hope you have some success with this challenge.

 

[Berion]

they say that each PS3 Singstar disc had a different decryption key.

Rather impossible, because of economy (needs millions of unique master discs instead few as normally). Maybe You have not understand what they said. Each PS3 disc have special key used in encryption of some part of data on PS3 BD-ROM, and cannot be retrieved outside PS3 (but can be read by i.e GetKey R2 application or download from internet (look for "disc key" term), also they are written in *.ird made from original disc). But I doubt it have anything to do with songs encryption because digital versions of Signstar would needs in such case different encryption system than disc versions.

But oh well, who knows. Just my thee cents. ;p

 

[dittnamn]

I'm sorry for not getting back to this sooner, but I haven't had the time to look any more into this until now. What I said in the first post about the PSID being part of the encryption was that the songs work if the PSID is identical to the original console, and that it doesn't matter if I spoof the IDPS.

The .pkg.drm files look completely random, without any identifying headers, but I do suspect that they aren't completely encrypted. Some information (like the song title) might just be compressed, so it would be cool if two people had the same songs so that we could compare them as Bolonni suggested. However, I'm a bit unsure about how we could do that without breaking any rules. I have 47 full songs, but no demo songs.

 

[jcorrea]

I'm sorry for not getting back to this sooner, but I haven't had the time to look any more into this until now. What I said in the first post about the PSID being part of the encryption was that the songs work if the PSID is identical to the original console, and that it doesn't matter if I spoof the IDPS.

The .pkg.drm files look completely random, without any identifying headers, but I do suspect that they aren't completely encrypted. Some information (like the song title) might just be compressed, so it would be cool if two people had the same songs so that we could compare them as Bolonni suggested. However, I'm a bit unsure about how we could do that without breaking any rules. I have 47 full songs, but no demo songs.

I think you can supply a random range of bytes (a print of an HEX editor showing the offsets and bytes stored at that positions). No one will be able to rebuild the file only with a set of bytes, and I don't think it breaks any rule... @STLcardsWS is it ok?

If it's using the same key and data, the encrypted data should be the same.

 

[bucanero]

you could just hash the file, for example with SHA1 (or MD5)... if both parties hash the file and get the same output, then the files can be assumed as equal.

 

[jcorrea]

you could just hash the file, for example with SHA1 (or MD5)... if both parties hash the file and get the same output, then the files can be assumed as equal.

I don't believe I totally forgot about it... Yeah, hash is the best option

 

[dittnamn]

I don't think the hashes would tell us anything that we don't already know. The files are encrypted in some way, but what would be interesting to know is if the entire files are encrypted or not. To see that we would need to compare the contents.

 

[dittnamn]

I now have access to another PS3 with some Singstar DLC, so I've been able to do some more experiments. Unfortunately I still don't have any duplicate songs, so I can't yet compare the .pkg.drm files. What I now know though, is that it's just the PSID that matters for the encryption, that the User ID doesn't matter and that there are no other files that are involved in the encryption.

What I did was to transfer the .pkg.drm files to /dev_hdd0/game/BCES00011SINGSTARFAMILY/DownloadSong/ and the unpacked files from /dev_hdd0/game/BCES00011SINGSTARFAMILY/SongCache/ to the new PS3. I then edited the /dev_hdd0/game/BCES00011SINGSTARFAMILY/SongCache/SongCache.xml file with entries from my old PS3. In this file, I also changed the User ID to a user that exists on the new PS3.

After this, I spoofed only the PSID and loaded up Singstar. The newly added songs work, but not the old ones that relies on the system's own PSID. If I revert this, the old songs work, but not the new ones (as expected).

What I hope now is that the .pkg.drm files are simply encrypted with the full PSID and that there's no salt added. I think the next step would be to identify which form of encryption it is. What's usually used in other files on the PS3?

 

[dittnamn]

Here is the directory structure and some of the downloaded files -

View attachment 30454

Seeing this post, I made an interesting discovery with my new PS3. I now have one of the same songs as @mattwookie has. Pack0_10000J.pkg.drm is a-ha - Take On Me and the filesizes are different. The filesize in this screenshot is 61369583, my filesize is 61369536 and in my SongCache.xml, the filesize is listed as 61369280.

Does this say anything to the encryption specialists in here? As I understand it, probably can't be AES-128, because some of the filesizes aren't divisible by 16 (the size of the PSID).

I also have a small meta package that links to some Queen songs, Pack0_2000NU.pkg.drm. My file is 5510 bytes (5254 bytes in SongCache.xml), if this could help me in some way.

 

[dasinking]

I tried to research the topic of SingStore downloads and I was shocked to find out that no archive for the SingStore songs exists or anything close to it! Reading up on those posts here gave me some hope, I hope you guys will figure it out eventually. Sadly, I do not have my downloads anymore and it seems like we are unable to redownload them, which is a real shame.

 

[Bigmega]

I have been recently interessed in Singstar but the lack of the store its really a shame for me. So i came up with an idea to use "Singstar Creator" to import some songs and try to use the disk swap feature in the Ps3. I went to try on my ps2 and it worked great, it seemed to use the same interface the normal singstar uses so i though it would work as well as an original singstar works. Tried on the ps3 with the disc swap feature, and after it checks a bit for the disc, its just does not work. But would it be possible too? Does singstar creator creates somethings that could actually work for a way to import songs to the ps3? I wanted to know if that question was already been answered here.

 

[dittnamn]

I have been recently interessed in Singstar but the lack of the store its really a shame for me. So i came up with an idea to use "Singstar Creator" to import some songs and try to use the disk swap feature in the Ps3. I went to try on my ps2 and it worked great, it seemed to use the same interface the normal singstar uses so i though it would work as well as an original singstar works. Tried on the ps3 with the disc swap feature, and after it checks a bit for the disc, its just does not work. But would it be possible too? Does singstar creator creates somethings that could actually work for a way to import songs to the ps3? I wanted to know if that question was already been answered here.

The PS2 discs are most likely linked from the Singstar app through the /dev_hdd0/game/NPEA00374/USRDIR/Data/PS3/LegacyPS2Discs.pkd file. To get your custom songs working that way you would need to edit that file, but how to do this is another thing we don't know. According to a previous post, this is probably a PKF file with a substitution cipher so it might be easier to break than the .pkg.drm files.

 

[Bigmega]

The PS2 discs are most likely linked from the Singstar app through the /dev_hdd0/game/NPEA00374/USRDIR/Data/PS3/LegacyPS2Discs.pkd file. To get your custom songs working that way you would need to edit that file, but how to do this is another thing we don't know. According to a previous post, this is probably a PKF file with a substitution cipher so it might be easier to break than the .pkg.drm files.

Thats a shame, i was really looking foward to try and import some custom songs, my country does have some exclusive singstar games with some of our most popular songs, but i was looking foward to more. Well, thanks for awsnering and good luck!

 

[Richard Goforth]

I've come across this post searching for
"This song cannot be played because its owner has been deleted. To play the song, first delete it via Delete Songs in Settings, and then download it again from the SingStar™."
which I'm getting because I've accidentally deleted the account I used to download my singstar songs with. I think I've set up the same account again which I used to download the the songs with but it still comes up with the same message. Can any body help I've read the full post but most of the comments have gone straight over my head..

 

[dittnamn]

I've come across this post searching for
"This song cannot be played because its owner has been deleted. To play the song, first delete it via Delete Songs in Settings, and then download it again from the SingStar™."
which I'm getting because I've accidentally deleted the account I used to download my singstar songs with. I think I've set up the same account again which I used to download the the songs with but it still comes up with the same message. Can any body help I've read the full post but most of the comments have gone straight over my head..

This has to do with that the Singstar DLC is attached to the PS3 User ID instead of the username. If your removed Singstar user had the ID 2, the new account would be ID 3 or something higher. Without editing the system files, this User ID for the next user will just keep increasing. What you need to do is to edit the xRegistry.sys file to add a user with the previously removed ID (ID 2 in this example) and it should probably work again unless the actual downloaded files have been removed. Remember to get a full system backup before attempting to change anything.

 

[Richard Goforth]

I've cloned my orginal 40GB to a 300GB and installed Hen and Multiman. Then I used filezilla to FTP and copy the xRegistry.sys onto my PC . I've then used stoker25's editor to view it. See Pic. Looks like my current user is 0000008 so how do I make it 0000001 the editor doesn't allow me to change any of these entries for this bit. Also if 00000001 doesn't work do i just have to keep incrementing 0000002-0000007 until i get the right one. The PS3 was second hand when I got it so I recon I was probably user 5 or 6 when I created the account i downloaded the content on. https://drive.google.com/file/d/15avuDP6Ngrx0CFdM4R-6Tga1voc8i20v/preview"

 

[dittnamn]

I've cloned my orginal 40GB to a 300GB and installed Hen and Multiman. Then I used filezilla to FTP and copy the xRegistry.sys onto my PC . I've then used stoker25's editor to view it. See Pic. Looks like my current user is 0000008 so how do I make it 0000001 the editor doesn't allow me to change any of these entries for this bit. Also if 00000001 doesn't work do i just have to keep incrementing 0000002-0000007 until i get the right one. The PS3 was second hand when I got it so I recon I was probably user 5 or 6 when I created the account i downloaded the content on. https://drive.google.com/file/d/15avuDP6Ngrx0CFdM4R-6Tga1voc8i20v/preview"

Well, it was a while ago I did this, so I'm unsure how I changed it. The easiest solution should be to format the drive in a PC to get a clean xRegistry.sys and then just copy the game folders back to it.

However, I do think I managed to change /setting/user/lastCreatedUserId in xRegistry.sys to a lower number and just created a new user. Backups are always good, and someone else might have a better solution for this.

To find out which user ID you need, you don't need to guess the number as you could just check in /dev_hdd0/game/BCES00011SINGSTARFAMILY/USRDIR/ and see which numbered folders you have there. If you have a folder named 4, that means that the user ID 00000004 has been using Singstar and if you go further by looking in the /game/BCES00011SINGSTARFAMILY/SongCache/SongCache.xml file you can see which user who added the songs.

 

[Richard Goforth]

So I was user 4. so how do i go back from 8 to 4.

 

[dittnamn]

So I was user 4. so how do i go back from 8 to 4.

Try to remove all users over 4 and then change /setting/user/lastCreatedUserId in xRegistry.sys to 3 and then create a new user. If that doesn't work, look for the guides about resetting the counter by formatting the disk in a PC, add 4 new users and then copy back all the game folders to the disk.

 

[Richard Goforth]

Try to remove all users over 4 and then change /setting/user/lastCreatedUserId in xRegistry.sys to 3 and then create a new user. If that doesn't work, look for the guides about resetting the counter by formatting the disk in a PC, add 4 new users and then copy back all the game folders to the disk.

Not having much luck with the registry editor. I copy both xregistry.sys and the backup to my pc edit both for user/lastCreatedUserID and set them to 3 and save. then delete orig on ps3 and copy the new versions back over. Reboot PS3 and try creating a new user. The new user keeps on incrementing from the last value as before I'm now up to user 0000015 I've tried it so many times.