bucanero / apollo-psp

Apollo Save Tool (PSP)
http://www.bucanero.com.ar/
GNU General Public License v3.0

A way to override games with a save protection #14

Open Double-0-seven7 opened 1 year ago

Double-0-seven7 commented 1 year ago

Some games, like the Monster Hunter games and Gran Turismo, use a save protection so you can't move saves from one device to another easily. Have a way to disable or override it with Apollo if it's possible.

bucanero commented 1 year ago

do you have any details about this "save protection" ?

any documentation or information would be helpful to review how this can be solved or patched.

euan-forrester commented 1 year ago

For Gran Turismo at least, it looks like there's a plugin that can disable this check: https://www.youtube.com/watch?v=MOaPEuKSdVs

And it seems that if you give your system the same nickname as the system the save came from, the check passes: https://gamefaqs.gamespot.com/boards/920775-gran-turismo-the-real-driving-simulator/51961135

bucanero commented 1 year ago

For the record, here's another example

in this case, Socom is using the MAC address to enforce that the save is not copied to another PSP.

So it seems that each game did their own "security method", some using the wifi MAC, or GT using the system nickname. I assume there could be other weird tricks floating around too.

Anyways, since it's a "game-by-game" basis, a universal unlocker won't be possible at all, but Apollo save patches could be created for each game, once the security method is found and fixed.

Back to the GT or Socom examples, a patch could be created to modify the save and update the save-data with the current MAC or system nickname.

euan-forrester commented 1 year ago

Nice digging, especially with the Invizimals one! I'm looking forward to seeing what you come up with here. I'm interested in either incorporating it into https://github.com/euan-forrester/save-file-converter or linking from there to your work.

bucanero commented 1 year ago

note: GT saves are double encrypted with custom encryption, so it won't be possible to hack/edit unless that encryption layer is reversed. So probably the only option for now is to use that plugin or rename the psp nickname.

bucanero commented 1 year ago

after some research, Invizimals saves are saving the wlan MAC at 0x34.

Edit: actually the PSP wlan MAC is stored many times in the GAMEDATA save-file. For example, in a Shadow Zone (UCES01411) save it can be found many times, like one per each animal. Patching everything can be a pain, and it might have additional checks. Probably the quickest way to load the save in an emulator like PPSSPP is to change the emu MAC address to the value found at 0x34. Then it will match the save.

euan-forrester commented 1 year ago

On the savefileconverter site, I have a few places where I ask users to supply an example save file that I use to copy this sort of info from. Users seem quite willing and able to make an example save and then upload it to the site.

I wonder if a similar idea might be helpful here? Since you're running on the PSP itself, you could load in some info about the device (nickname, wlan mac, etc) and then look for those in the example save and then patch those locations in the desired save.

I guess in this case, where it's once per animal, you'd have to be a bit smarter. But it seems like you could algorithmically find all the places to change: find the first place to patch by looking for the device wlan mac in the example save. Then look for the data to replace in the same location in the desired save, then find however many places that data occurs in the desired save and replace all of them.

I wonder how successful that approach would be across multiple titles? It doesn't seem like there's many titles with this issue, so this approach might work out better than one would expect?

On a different note, regarding Gran Turismo's double encryption, it seems like it was broken: https://hzzustqy.typepad.com/blog/2011/09/gran-turismo-psp-savegame-editor.html

bucanero commented 1 year ago

I was doing a bit more research, and sadly Invizimals save-data also has a custom hash checksum stored at offset 0x0C. I think they're using a custom CRC algorithm (I couldn't match the result to any regular CRC algo) so that would need dedicated code reversing before any save-game editing can be done.

So right now, the only way to load such saves is to change the MAC address to match the value that you can find at offset 0x34, because even if you edit the save-data and replace all the mac address you find with another value, the CRC checksum will fail and the game will not start.

Double-0-seven7 commented 1 year ago

> On a different note, regarding Gran Turismo's double encryption, it seems like it was broken: https://hzzustqy.typepad.com/blog/2011/09/gran-turismo-psp-savegame-editor.html

Can't find any info or a download about that "P-SPatchator" thing there or anywhere else and I am not sure how could I get that plugin that is being talked about in that video.

BTW, if you need another game that has a save protection, you have Patapon 3 (and maybe 2 too, not sure); it's just MAC address based protection it seems (or just an anti-cheat one). It seems there is a theme with games that connect via PSN for either online play or DLC having some protection on them.

euan-forrester commented 1 year ago

Nice work digging this all up! It's a shame that it seems that it's not possible to share these saves without more extensive per-game work, but it does make sense that they were all PSN-capable games. It's also too bad that the tools mentioned in those places that others seem to have made in the past seem to be lost to the mists of time.

As a former gamedev, I find it interesting how something simple like a custom CRC can make things significantly harder to crack! I'm from the same era as the PSP, and at the time all our library code was custom -- more just because that's how things were done back then than for security reasons.

bucanero commented 1 year ago

I was doing some additional reversing of the original EBOOT to solve the Invizimals save-game checksum, and by luck I also found that developers left a flag at save-data offset 0x30. If it's 1 (default), it will check "wlan ownership", if it's 0, it will skip the "save owner" check.

Since I already reversed the custom checksum, I made a .savepatch script for Apollo that:

  • patches the GAMEDATA file, setting flag at offset 0x30 = 0
  • calculates the new checksum
  • updates the new hash at offset 0x0C
  • result: save is fully unlocked to be used on any PSP system 🎉

Btw, I checked Invizimals titles UCES01411, UCES01525, UCES01581, UCUS98760 and all use the same save-data header structure, wlan mac address at offset 0x34, "psp check flag" at 0x30, custom checksum at 0x0C. So I made similar savepatch scripts for those titles. Note: All titles use a custom adler32 checksum, except UCES01581 that uses a custom murmur3 hash. (weird that they changed the algorithm for only 1 title)

On a side note about Apollo and locked saves: I also created a savepatch file for "SOCOM Fireteam Bravo 2", since it uses the wlan mac owner check. It has no checksum or any hash, so the patch just updates the wlan MAC value.
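The unlock flow described in the comment above (clear the flag at 0x30, recompute the checksum, store it at 0x0C), as an added example that is not Apollo's .savepatch script nor code from this thread. The thread says the real checksum is a custom Adler-32 (custom Murmur3 for UCES01581) and does not give the variant, so the standard `zlib.adler32` stands in for it here; the covered range (every byte after the checksum field), little-endian storage, the magic bytes and the sample file itself are assumptions made for the example, not facts about the game:

```python
# Added example (not Apollo's .savepatch format and not code from this thread):
# the Invizimals unlock flow, applied to a decrypted GAMEDATA image: clear the
# "psp check flag" at 0x30, recompute the checksum, store it at 0x0C.
# ASSUMPTIONS: zlib.adler32 stands in for the game's custom Adler-32 variant
# (not given in the thread); the checksum is assumed to cover everything after
# the checksum field and to be stored little-endian; the sample save below is
# constructed, not real game data.
import struct
import zlib

CHECKSUM_OFF = 0x0C   # custom hash lives here (offset from the thread)
FLAG_OFF = 0x30       # 1 = check wlan ownership, 0 = skip (from the thread)
MAC_OFF = 0x34        # owner wlan MAC (from the thread)


def compute_checksum(save) -> int:
    """Stand-in for the custom Adler-32: standard Adler-32 over every byte
    after the checksum field (assumed range)."""
    return zlib.adler32(bytes(save[CHECKSUM_OFF + 4:])) & 0xFFFFFFFF


def stored_checksum(save) -> int:
    return struct.unpack_from("<I", save, CHECKSUM_OFF)[0]


def verify(save) -> bool:
    return stored_checksum(save) == compute_checksum(save)


def owner_check_enabled(save) -> bool:
    return save[FLAG_OFF] == 1


def unlock(save: bytes) -> bytes:
    """Clear the owner-check flag and re-seal the checksum. Refuses to touch a
    save whose checksum already fails: that usually means the layout or the
    algorithm assumed here does not match the title at hand."""
    if not verify(save):
        raise ValueError("checksum mismatch before patching; wrong layout or algorithm")
    out = bytearray(save)
    out[FLAG_OFF] = 0
    struct.pack_into("<I", out, CHECKSUM_OFF, compute_checksum(out))
    return bytes(out)


def naive_flag_clear(save: bytes) -> bytes:
    """What a plain hex edit does: flips the flag but leaves the checksum stale,
    which is why the game then refuses the save."""
    out = bytearray(save)
    out[FLAG_OFF] = 0
    return bytes(out)


def build_sample_save(mac: bytes) -> bytes:
    """Constructed 512-byte save: magic, flag = 1, owner MAC at 0x34 repeated in
    four per-animal records (the thread notes one copy per animal), then a
    checksum that validates under compute_checksum()."""
    buf = bytearray(0x200)
    buf[0:4] = b"INVZ"                          # constructed magic, not the real one
    buf[FLAG_OFF] = 1
    buf[MAC_OFF:MAC_OFF + 6] = mac
    for rec in range(0x80, 0x180, 0x40):        # records at 0x80, 0xC0, 0x100, 0x140
        buf[rec:rec + 6] = mac
    struct.pack_into("<I", buf, CHECKSUM_OFF, compute_checksum(buf))
    return bytes(buf)


SAMPLE_MAC = bytes.fromhex("001fa7112233")      # constructed owner MAC
LOCKED_SAVE = build_sample_save(SAMPLE_MAC)

if __name__ == "__main__":
    print("locked save verifies:", verify(LOCKED_SAVE))                       # True
    print("hex-edited flag verifies:", verify(naive_flag_clear(LOCKED_SAVE)))  # False
    unlocked = unlock(LOCKED_SAVE)
    print("unlocked verifies:", verify(unlocked), "flag:", unlocked[FLAG_OFF])  # True 0
```

To use it against a real title, replace `compute_checksum` with the reversed algorithm for that title and confirm `verify()` returns True on an untouched save before patching anything; the refusal in `unlock()` exists so that a wrong guess fails loudly instead of producing a corrupt save.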

euan-forrester commented 1 year ago

Wow, fantastic work!

bucanero commented 1 year ago

> Can't find any info or a download about that "P-SPatchator" thing there or anywhere else and I am not sure how could I get that plugin that is being talked about in that video.

yes, I also tried to find some info or files about that "pspatchator" tool but nothing showed up. All dead links and no reference to such plugin for GT.

> BTW, if you need another game that has a save protection, you have Patapon 3 (and maybe 2 too, not sure); it's just MAC address based protection it seems (or just an anti-cheat one). It seems there is a theme with games that connect via PSN for either online play or DLC having some protection on them.

About patapon 3, I did some research and the save-data has custom encryption plus a save hash check. So nothing can be done unless those things are solved. About the save encryption, I found some references to a tool called "P3Hash" that can decrypt patapon 3 saves, but the links are gone, and only a reference to a Discord server remains: https://discord.gg/ZsZmgA7 If you have a chance, you might want to ask in that Discord server if they have a copy and can share that decrypter "P3Hash". If you can get the tool and share it here, at least I can take a look at the save data.

Also about the save hash, I found this in-memory cheat code that would disable the check (I assume you'd need to use CWCheat or TempAR cheat plugins):

_C1 # Disable HCheck
_L 0xD0235CB0 0x00000018
_L 0x20235CB0 0x8E050000
_L 0xD0235FA4 0x00000018
_L 0x20235FA4 0x8E050000

# Original code by Owocek
# Adapted to USA by Madwig
# The code works on EUR / USA
# After saving once code is not needed, unless save is modified again

Double-0-seven7 commented 1 year ago

I looked over that Discord server and the most I found about P3Hash is this repo here: https://github.com/efonte/libP3Hash May be useful.

bucanero commented 1 year ago

> I looked over that Discord server and the most I found about P3Hash is this repo here: https://github.com/efonte/libP3Hash May be useful.

thanks for diving into discord and finding this repository. I'll test out and confirm if this code can decrypt Patapon 3 save-data files. If it works, at least we'll be a step closer to unlock these saves.

bucanero commented 12 months ago

> I looked over that Discord server and the most I found about P3Hash is this repo here: https://github.com/efonte/libP3Hash May be useful.

I can confirm that the code from libP3Hash can decrypt Patapon 3 saves correctly. The checksum hash remains unknown.

Double-0-seven7 commented 10 months ago

> I was doing some additional reversing of the original EBOOT to solve the Invizimals save-game checksum, and by luck I also found that developers left a flag at save-data offset 0x30. If it's 1 (default), it will check "wlan ownership", if it's 0, it will skip the "save owner" check.
>
> Since I already reversed the custom checksum, I made a .savepatch script for Apollo that:
>
>   • patches the GAMEDATA file, setting flag at offset 0x30 = 0
>   • calculates the new checksum
>   • updates the new hash at offset 0x0C
>   • result: save is fully unlocked to be used on any PSP system 🎉
>
> Btw, I checked Invizimals titles UCES01411, UCES01525, UCES01581, UCUS98760 and all use the same save-data header structure, wlan mac address at offset 0x34, "psp check flag" at 0x30, custom checksum at 0x0C. So I made similar savepatch scripts for those titles. Note: All titles use a custom adler32 checksum, except UCES01581 that uses a custom murmur3 hash. (weird that they changed the algorithm for only 1 title)
>
> On a side note about Apollo and locked saves: I also created a savepatch file for "SOCOM Fireteam Bravo 2", since it uses the wlan mac owner check. It has no checksum or any hash, so the patch just updates the wlan MAC value.

There may need to be some general solution to games that use the MAC address for locking the save because I just got reminded that Valkyria Chronicles 2 does it as well (and maybe more games?). I don't know if the recent PR about it is part of this but I guess it could be nice.

bucanero commented 8 months ago

As discussed in #23 , Gran Turismo saves (and probably some other games) used a special hash flag from the PSP system to detect if the save was created by another PSP console.

Now the correct hashing algorithm and keys have been added to Apollo, allowing users to resign and swap Gran Turismo saves across different PSP devices. (This hash fix could also solve issues with other games too)

euan-forrester commented 8 months ago

That's awesome work! Congrats on figuring it out!

KoLiPSe commented 7 months ago

Is there a way to override protection on the Tekken 5: DR save file? The Apollo patch doesn't seem to work and there isn't much info online. From my testing it is bound to the system's MAC address - the PPSSPP emulator loads the save just fine when the MAC is changed to that of the system the save was made on.

bucanero commented 7 months ago

> Is there a way to override protection on the Tekken 5: DR save file? The Apollo patch doesn't seem to work and there isn't much info online. From my testing it is bound to the system's MAC address - the PPSSPP emulator loads the save just fine when the MAC is changed to that of the system the save was made on.

if changing the MAC address allows the game to load the save, then it's most probably a mac-addr protection. Yet the specific area where the game stores such data, how it's encoded or if it's protected by some additional security is unknown.

Creating blank saves on different systems and then comparing the data might give some clues.

bucanero commented 7 months ago

@KoLiPSe if you can provide 2 Tekken saves from different systems, I can take a look. Just start the game, create a new save on PSP-"A", then do the same on another PSP-"B", and I'll compare to see if some pattern shows up.

Also providing mac-addr of "PSP-A" and "PSP-B" can be helpful to confirm findings.
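The two-save comparison suggested here, and the "find the MAC in the example save, then replace every copy in the desired save" procedure euan-forrester sketched earlier in the thread, as one added example that is not Apollo code and not from this thread. It assumes the MAC is stored as 6 raw bytes in the decrypted GAMEDATA and that the file carries no checksum or hash over it (the SOCOM Fireteam Bravo 2 case above, not Invizimals or GT, whose checksums and encryption would also have to be fixed up); the sample saves, their layout and the MAC values are constructed for the example:

```python
# Added example (not Apollo code and not from this thread): locate where a
# save stores the console WLAN MAC by comparing two blank saves made on
# different PSPs, then rebind a save to another console by patching every
# confirmed occurrence.
# ASSUMPTIONS: the MAC is stored as 6 raw bytes, unencrypted, and the save has
# no checksum or hash over it. Sample saves below are constructed, not real
# game data; 0x34 is the owner-MAC offset the thread reports for Invizimals.


def parse_mac(text: str) -> bytes:
    """'00:1f:a7:11:22:33' -> six raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six octets")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def locate_mac_offsets(save_a: bytes, mac_a: bytes, save_b: bytes, mac_b: bytes) -> list:
    """Offsets where save A holds MAC A *and* save B holds MAC B at the same
    place. An offset that matches in only one save is a coincidence or an
    unrelated field and is dropped."""
    if len(save_a) != len(save_b):
        raise ValueError("saves differ in size; compare saves with the same layout")
    return [off for off in find_all(save_a, mac_a)
            if save_b[off:off + 6] == mac_b]


def rebind_save(save: bytes, old_mac: bytes, new_mac: bytes, offsets: list) -> bytes:
    """Copy of save with new_mac written at every confirmed offset. Refuses to
    touch an offset that does not currently hold old_mac."""
    out = bytearray(save)
    for off in offsets:
        if out[off:off + 6] != old_mac:
            raise ValueError(f"offset {off:#x} does not hold the expected MAC")
        out[off:off + 6] = new_mac
    return bytes(out)


def mac_at(save: bytes, offset: int = 0x34) -> str:
    """The MAC a save claims as owner, e.g. to set PPSSPP's MAC to match it."""
    return format_mac(save[offset:offset + 6])


def build_sample_save(mac: bytes, filler: bytes) -> bytes:
    """Constructed 256-byte GAMEDATA-like blob: owner MAC at 0x34, repeated in
    two per-record copies at 0x80 and 0xC0, plus an unrelated 6-byte field at
    0xE0 that differs per console."""
    buf = bytearray(0x100)
    buf[0:4] = b"SAVE"                      # constructed magic
    for off in (0x34, 0x80, 0xC0):
        buf[off:off + 6] = mac
    buf[0xE0:0xE6] = filler
    return bytes(buf)


MAC_A = parse_mac("00:1f:a7:11:22:33")   # PSP "A", the console that made the save
MAC_B = parse_mac("00:1f:a7:aa:bb:cc")   # PSP "B", reference blank save
MAC_C = parse_mac("00:0c:29:de:ad:00")   # target console to rebind to

# Decoy: save A happens to contain its own MAC bytes in the unrelated field at
# 0xE0 while save B does not; the cross-check must not report that offset.
SAVE_A = build_sample_save(MAC_A, filler=MAC_A)
SAVE_B = build_sample_save(MAC_B, filler=bytes(6))

if __name__ == "__main__":
    offsets = locate_mac_offsets(SAVE_A, MAC_A, SAVE_B, MAC_B)
    print("MAC offsets:", [hex(o) for o in offsets])   # ['0x34', '0x80', '0xc0']
    print("save A owner:", mac_at(SAVE_A))               # 00:1f:a7:11:22:33
    patched = rebind_save(SAVE_A, MAC_A, MAC_C, offsets)
    print("patched owner:", mac_at(patched))             # 00:0c:29:de:ad:00
```

The cross-check against the second save is what makes this usable on a real dump: a 6-byte pattern that only appears in one of the two saves is not treated as the owner field, and `rebind_save` stops if any confirmed offset no longer holds the expected bytes, so a wrong guess does not silently corrupt the file.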

bucanero commented 7 months ago

> There may need to be some general solution to games that use the MAC address for locking the save because I just got reminded that Valkyria Chronicles 2 does it as well (and maybe more games?). I don't know if the recent PR about it is part of this but I guess it could be nice.

@Double-0-seven7 a generic solution for PSP saves protected with mac-addr is not really possible; the saves can have additional security like checksums, encryption or hashing that, unless it is also custom-fixed for each game, would render the save corrupt.

So it needs to be solved on a game-by-game basis. Apollo has the low-level support to get the mac-addr from the system, and then write the value to a save file, but that still needs to be customized for each game.

Users are free to review such saves with a hex editor, and try to find patterns. (use Apollo to decrypt data files and then use your PC, or you can use the hex editor on Apollo itself)

Double-0-seven7 commented 2 months ago

Has anyone ever considered making a full list of games with similar protections?

I also remember:

* the DJ Max series (not sure if Portable 1-2 have this problem though)

* Super Stardust Portable

* Pro Cycling Manager (not sure which version though, probably 2009 or 2010)

You also mentioned:

* Gran Turismo (which is already covered anyway)

* Tekken 5 Dark Resurrection

* Valkyria Chronicles II (i didn't remember that)

* the Monster Hunter series (same as above... but which ones? just Freedom Unite?)

* SOCOM Fireteam Bravo 2 (what about 3?)

* Patapon 3

* the Invizimals series

The list should probably be longer, though.

If it's MAC address related and you want to use a save you got from PPSSPP, I found out you can fake/change your PSP MAC address with homebrew.

Double-0-seven7 commented 1 week ago

@bucanero Are there any ways to get the DLC for the games Taiko Portable 1 and 2 to work? They are stored in the SAVEDATA folder and are tied to the PSP that downloaded them (no MAC address involved). I tried to re-sign them but it still doesn't work and they don't show up in-game...