A way to override games with a save protection #14
Comments
Do you have any details about this "save protection"? Any documentation or information would be helpful to review how this can be solved or patched. |
For Gran Turismo at least, it looks like there's a plugin that can disable this check: https://www.youtube.com/watch?v=MOaPEuKSdVs And it seems that if you give your system the same nickname as the system the save came from, the check passes: https://gamefaqs.gamespot.com/boards/920775-gran-turismo-the-real-driving-simulator/51961135 |
For the record, here's another example
in this case, Socom is using the MAC address to enforce that the save is not copied to another PSP. So it seems that each game did their own "security method", some using the wifi MAC, or GT using the system nickname. I assume there could be other weird tricks floating around too. Anyways, since it's a "game-by-game" basis, a universal unlocker won't be possible at all, but Apollo save patches could be created for each game, once the security method is found and fixed. Back to the GT or Socom examples, a patch could be created to modify the save and update the save-data with the current MAC or system nickname. |
Nice digging, especially with the Invizimals one! I'm looking forward to seeing what you come up with here. I'm interested in either incorporating it into https://github.com/euan-forrester/save-file-converter or linking from there to your work. |
Note: GT saves are double encrypted with custom encryption, so it won't be possible to hack/edit unless that encryption layer is reversed. So probably the only option for now is to use that plugin or rename the PSP nickname. |
after some research, Invizimals saves are saving the wlan MAC at Edit: actually the PSP wlan mac is stored many times in the |
On the savefileconverter site, I have a few places where I ask users to supply an example save file that I use to copy this sort of info from. Users seem quite willing and able to make an example save and then upload it to the site. I wonder if a similar idea might be helpful here? Since you're running on the PSP itself, you could load in some info about the device (nickname, wlan mac, etc) and then look for those in the example save and then patch those locations in the desired save. I guess in this case, where it's once per animal, you'd have to be a bit smarter. But it seems like you could algorithmically find all the places to change: find the first place to patch by looking for the device wlan mac in the example save. Then look for the data to replace in the same location in the desired save, then find however many places that data occurs in the desired save and replace all of them. I wonder how successful that approach would be across multiple titles? It doesn't seem like there's many titles with this issue, so this approach might work out better than one would expect? On a different note, regarding Gran Turismo's double encryption, it seems like it was broken: https://hzzustqy.typepad.com/blog/2011/09/gran-turismo-psp-savegame-editor.html |
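The search-and-replace approach proposed in the comment above, written out as an added example (not code from Apollo or save-file-converter). The function names, the save layout and the MAC values are assumptions constructed for illustration; it does not recompute any checksum or hash a game may keep over the save.

```python
# Added example (not Apollo or save-file-converter code). The save layout and
# MAC values below are constructed for illustration, not any game's real format.

def find_all(data: bytes, needle: bytes) -> list[int]:
    """Offsets of every non-overlapping occurrence of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + len(needle))
    return offsets

def retarget_save(example_save: bytes, target_save: bytes, local_id: bytes):
    """Return (patched_target, patched_offsets) for a save made on another device."""
    # Step 1: find where this device's identifier sits in a save it created.
    anchors = find_all(example_save, local_id)
    if not anchors:
        raise LookupError("identifier not found: save may be encrypted or encoded")
    first, size = anchors[0], len(local_id)
    # Step 2: the bytes at that location in the target are the other device's value.
    foreign_id = target_save[first:first + size]
    if len(foreign_id) != size or len(set(foreign_id)) < 3:
        # Too short, or padding-like bytes that would match all over the file.
        raise LookupError("no usable identifier at the same offset in target save")
    # Step 3: replace every occurrence of that value in the target save.
    offsets = find_all(target_save, foreign_id)
    patched = bytearray(target_save)
    for off in offsets:
        patched[off:off + size] = local_id
    # Any per-game checksum or hash over this data is NOT recomputed here.
    return bytes(patched), offsets

def build_save(mac: bytes, records: list[bytes]) -> bytes:
    """Constructed layout: 16-byte header, MAC, then 8-byte name + MAC per record."""
    body = b"SAVE" + bytes(12) + mac
    for name in records:
        body += name.ljust(8, b"\0") + mac
    return body

LOCAL_MAC = bytes.fromhex("020000aabb01")    # constructed, this device
FOREIGN_MAC = bytes.fromhex("020000ccdd02")  # constructed, device the save came from

if __name__ == "__main__":
    example = build_save(LOCAL_MAC, [b"rec0"])
    target = build_save(FOREIGN_MAC, [b"recA", b"recB", b"recC"])
    patched, offsets = retarget_save(example, target, LOCAL_MAC)
    print([hex(o) for o in offsets], FOREIGN_MAC in patched)
```
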
I was doing a bit more research, and sadly Invizimals save-data also has a custom hash checksum stored at offset So right now, the only way to load such saves is to change the MAC address to match the value that you can find at offset |
Can't find any info or a download about that "P-SPatchator" thing there or anywhere else, and I am not sure how I could get that plugin that is being talked about in that video. BTW if you need another game that got a save protection you have Patapon 3 (and maybe 2 too, not sure); it's just MAC-address-based protection, it seems (or it's just an anti-cheat one). |
Nice work digging this all up! It's a shame that it seems that it's not possible to share these saves without more extensive per-game work, but it does make sense that they were all PSN-capable games. It's also too bad that the tools mentioned in those places that others seem to have made in the past seem to be lost to the mists of time. As a former gamedev, I find it interesting how something simple like a custom CRC can make things significantly harder to crack! I'm from the same era as the PSP, and at the time all our library code was custom -- more just because that's how things were done back then than for security reasons. |
I was doing some additional reversing of the original EBOOT to solve the Invizimals save-game checksum, and by luck I also found that developers left a flag at save-data offset Since I already reversed the custom checksum, I made a
Btw, I checked invizimals titles UCES01411, UCES01525, UCES01581, UCUS98760 and all use the same save-data header structure, wlan mac address at offset On a side note about Apollo and locked saves: I also created a |
Wow, fantastic work! |
Yes, I also tried to find some info or files about that "pspatchator" tool but nothing showed up. All dead links and no reference to such a plugin for GT.
About Patapon 3, I did some research and the save-data has custom encryption plus a save hash check. So nothing can be done unless those things are solved. About the save encryption, I found some references to a tool called "P3Hash" that can decrypt Patapon 3 saves, but the links are gone, and only a reference to a Discord server remains: https://discord.gg/ZsZmgA7 Also about the save hash, I found this in-memory cheat code that would disable the check (I assume you'd need to use CWCheat or TempAR cheat plugins):
|
I looked over that discord server and the most I found about P3Hash is this repo here : |
Thanks for diving into Discord and finding this repository. I'll test it out and confirm if this code can decrypt Patapon 3 save-data files. If it works, at least we'll be a step closer to unlocking these saves. |
I can confirm that the code from |
There may need to be some general solution to games that use the MAC address for locking the save because I just got reminded that Valkyria Chronicles 2 does it as well (and maybe more games?). |
As discussed in #23 , Gran Turismo saves (and probably some other games) used a special hash flag from the PSP system to detect if the save was created by another PSP console. Now the correct hashing algorithm and keys have been added to Apollo, allowing users to resign and swap Gran Turismo saves across different PSP devices. (This hash fix could also solve issues with other games too) |
That's awesome work! Congrats on figuring it out! |
Is there a way to override protection on Tekken5:DR save file? Apollo patch doesn't seem to work and there isn't much info online. |
if changing the MAC address allows the game to load the save, then it's most probably a mac-addr protection. Creating blank saves on different systems and then comparing the data might give some clues. |
@KoLiPSe if you can provide 2 Tekken saves from different systems, I can take a look. Also providing mac-addr of "PSP-A" and "PSP-B" can be helpful to confirm findings. |
@Double-0-seven7 a generic solution for PSP saves protected with mac-addr is not really possible; the saves can have additional security like checksums, encryption or hashing that, unless it is also custom-fixed for each game, would render the save corrupt. So it needs to be solved on a game-by-game basis. Apollo has the low-level support to get the mac-addr from the system, and then write the value to a save file, but that still needs to be customized for each game. Users are free to review such saves with a hex editor, and try to find patterns. (Use Apollo to decrypt data files and then use your PC, or you can use the hex editor on Apollo itself.) |
If it's MAC address related and you wanna use a save you got from PPSSPP, I found out you can fake/change your PSP MAC address with homebrew. |
@bucanero Are there any ways to get the DLC for the games Taiko Portable 1 and 2 to work? |
Some games, like the Monster Hunter games and Gran Turismo, use a save protection, so you can't move saves from one device to another easily.
Have a way to disable or override it with Apollo, if it's possible.