(Help) How to add Icons to HDLoader/KERMIT Games on PS2 HDD-OSD

Discussion in 'Sony Programming and Development' started by vash32, Oct 20, 2012.

  1. krHACKen

    Here they are :
    HDDOSD100J_ATADPATCHES.zip

    Now I'm gonna try to patch the language selector.

    Oh, a bit unrelated question, sorry, but did Sony ever produce a DVD Player update CD for HK consoles?

    Lucky Japanese, they had fine tech support and could request update discs from $ony for free (Jap DVD Player update discs I saw are 2.01 PBPX-95206, 2.10 PBPX-95207, 2.12 PBPX-95221, 2.14 unknown serial, 2.16 PBPX-95224, 3.00 unknown serial and 3.04 unknown serial). Here in France we had 2.10 PBPX-95208 (bundled with the remote) and nothing else :( . As I'm a Utility Disc fetishist, I'm super disappointed. I saw a PAL 2.14 somewhere but don't know what its MG region is. Damn I love these discs, sexy print and recreative copy protections. So lovely.
     
  2. sp193

    We don't even have the Network Adaptor for the older FAT Playstation 2 consoles. D:

    Some of the shops here don't even know that they exist... or that older Playstation 2 consoles had a network adaptor.

    Maybe HK itself has got such a disc released there, but AFAIK most of all the accessories have never appeared here in Singapore (Or were simply just very rare).

    My SCPH-39006 is one of them (The 'A' probably becomes an 'H' after bootup if the EE is actually seeing the real content of the boot ROM chip). When a dump is made from the EE-side, it appears as an 'A'. When dumped from the IOP, rom0:ROMVER shows an 'H'.

    The system folder is "BAEXEC-SYSTEM" like you said.

    I don't know what we really use here. :/
    AFAIK our TVs here are PAL, but the Playstation 2 consoles use NTSC (Not PAL60).

    I believe that the video mode setting is determined from other settings obtained from the OSD configuration block from the EEPROM.

    I didn't see how the video mode is determined, but AFAIK the rom0:ROMVER check is there to only determine the 'supported' languages by the OSD and not the video mode directly.
     
    Last edited: Oct 31, 2012
  3. krHACKen

    Thanks for the info.


    Correct!
    Tested on my SCPH-39004 console:
    0x00 = PAL 60 Hz / Multi2 (Might be Jap LNG)
    0x01 = PAL 60 Hz / Multi7 (Might be US LNG)
    0x02 = PAL 50 Hz / Multi7 (Might be Euro LNG)
    0x03 = PAL 60 Hz / Crashes When Accessed (Not in BIOS? Out-of-bounds?)
    0x04 = PAL 60 Hz / Crashes When Accessed (Not in BIOS? Out-of-bounds?)
    0x05 = PAL 60 Hz / Crashes When Accessed (Not in BIOS? Out-of-bounds?)
    0x06 = PAL 60 Hz / Crashes When Accessed (Not in BIOS? Out-of-bounds?)
    0x07 = PAL 60 Hz / Crashes When Accessed (Not in BIOS? Out-of-bounds?)

    So that function changes the language selector with its associated refresh rate, but not the colour encoding system.

    EDIT: Mmmm, I launched my proggy 3 hours ago and it hasn't found the corruption point yet.
     
    Last edited: Oct 31, 2012
  4. sp193

    The only 4 returned values for that function are 0, 1, 2 and -1. -1 is returned if the console is out of the supported regions ('E', 'A', 'H' or 'J'). 0 is for (Japan) NTSC, 1 is for "Overseas" NTSC and 2 is for PAL.

    I believe that your TV might be seeing an NTSC signal with the PAL resolution (Hence why you get PAL60), as OSD itself is confused. There is no PAL60 mode in the Playstation 2 boot ROM.

    Perhaps the video mode is determined by other means...

    I don't know whether you know this, but the video mode is set with a call to the SetGsCrt() syscall. The resolution is set separately by the GS library.

    So far, the common video modes used by Sony software with SetGsCrt() are: 0x02 (NTSC), 0x03 (PAL) and 0x50 (480P). Mode 0 seems to be an "Autodetect" mode, where it'll cause the PS2 to use NTSC if it's an NTSC console, and PAL if it's a PAL console. I don't know what mode 1 is, but it may be the same as mode 0 (It is, however, not implemented in the Protokernel boot rom, so please do not use it if you want compatibility with all models!).
     
    Last edited: Oct 31, 2012
  5. krHACKen

    Thanks very much! I'm gonna try it out. Hope there's no need for an additional Horizontal/Vertical screen fix. The fewer code modifications there are, the better the hack.

    I've re-coded some parts of my brute force tool. It has found the corruption point for the ROMVER function, but messing with these bytes leads to a wide demolition of the unpacked ELF. I assume that the Multi2 fix can't be applied straight to the KELF, unlike my ATAD patches :( . Doh.
     
  6. krHACKen

    SetGsCrt took care of both mode and scanrate. By forcing 0x03 (PAL) like you mentioned, I had "true" PAL 50 Hz. I guess I have to tweak sceGsPutDispEnv to correct the screen position and stretch the picture.

    (decrypted ELF launched by a loader)

    I retried patching the original hosdsys KELF with no luck :( . If I build a patch, it will be for the decrypted ELF and perhaps for the KELF that comes out of SUDC2...
     
  7. Segment_Fault

    I bet you it's a European disc. http://cgi.ebay.fr/110700938617 "Remote + receiver + manual + DVD player (version 2.14), remote batteries not included." http://www.leboncoin.fr/consoles_jeux_video/385417024.htm zoom in on the picture. The last number appears to be 4 and the seller lives in Pont-de-l'Arche.
     
  8. sp193

    Just release the HDDOSD as an unencrypted ELF. We should try to allow users to break free from the Magicgate encryption, since it's not required for HDD booting anyway (Other than the HDD boot loader, but I can fix that for you and them).

    I'd like to work with you on patching the OSD, since I find it interesting. We'll communicate via PM and e-mail.

    PS: I'm sorry, but I've been busy with life recently. So I haven't been able to type a proper reply to your PM. :(
     
  9. Lum

    I guess having the HDDOSD in PAL 50 Hz is good to show it works. Just doesn't seem very useful.
     
  10. l_oliveira

    Region-freed original files (MG header patched and re-signed) were enough to make the OSD work fine on my Satin Silver SCPH-50003 (UK).
    Obviously I had to use an original SONY HDD.

    Meaning the files work fine on PAL consoles without any tampering after the regional restriction was removed.

    Edit: The files are on the internet. Richi902 has been playing with these files for a long while now ... :)
     
    Last edited: Nov 2, 2012
  11. krHACKen

    Holy s*it!

    Sweet Jesus!!! Thanks a MILLION dude! I've contacted the seller @ leboncoin, and oh là là the disc is v2.14. The lot is 1 remote with IR + DVD Player Version 2.14 + 1 3rd Party PS1 MC + Welcome Pack (2 DVDs). Please donate 5€ to my PayPal account. I spent 35€ in the French OPS2M demo disc preservation project last month, can't invest any more in PS2 shit. As a big thanks I'll give you the remote, the Welcome Pack and a couple of original OPS2M demos... along with the cracked DVD Player upgrade disc and the RPC-1 hacked DVDPFW of course hahaha. Thanks again Seg, you rock. Can't wait to mutilate that disc, I'm sooooo excited hehe.
     
  12. krHACKen

    @Segment_Fault:
    Tadaaaaa (kHn in supa jovial mode)!!!
    You da man bro! Thanks a lot for the alert and your donation.
    You rock! Come to my bunker to get your reward any time. The Remote controller is a SCPH-10150, the IR Receiver is SCPH-10160, Welcome Pack discs are unlabeled PBPX-95506 and "Bonus Demo 5" SCED-51940. I'll have to dump the SCED-51940 before I give it to ya.
    I was like WTF when I tested the unofficial PS1 Memory Card. That thing is recognized as a PocketStation by the PS2 browser. I didn't test it in a slim but I assume it will not be detected at all.
    The DVD Player is not dumped yet as I have tons of priority things to do.

    @Lum:
    Not very useful indeed. But older PAL TVs can't display PAL 60 Hz or NTSC. Such a patch is only useful to anticipate a "dude, I have no video signal/black and white picture, your hack isn't working".

    @l_oliveira:
    Region-free patches + ATAD patches = "all weak points attacked for massive damage".
    Pre-patched utility disc and raw HDD image have been on teh www for a while now. I'm just posting here things that are "clean" and "safe" to share (patches less the giant enemy crab's seed). Anyway, Google told me that "HDDUD###U_A4" (replace ### with 110) is good dope^^...

    @sp193:
    Got your PM ! Sorry for the delay, but I'm super busy with many PS2 things that are coming from everywhere. I promise to answer you as soon as I can, with a little piece of src attached.
     
  13. l_oliveira

    krHACKen, I'm in talk currently with doctorxyz (of GSM selector fame) about figuring out the IOP side writes that setup the DVE (Digital Video Encoder) chip to enable Macrovision and set the video mode as YcBPr. Once the writes are understood I'll forward you the information and we can see that the DVD players (all of them) are hacked with your "corruption point" technique, which is by far much better than repacking the KELFs.

    I think that "DISK" signed KELFs can be extracted from the utility discs. Is that correct? With these we can make them region free then apply your technique to make them region free, RGB compatible and macrovision-less.

    Something like SP193's FMCB installer could be used as a basis for an installer for these DVD players instead of the original utility discs (well these could be done too, since you like to make things complete, right?) and a lightweight installer is a good deal I believe.

    Any opinions ?
     
    Last edited: Nov 8, 2012
  14. krHACKen

    Nice to see you are investigating the Macrovision thing. A couple of days ago I hacked (RPC-1 patched and repacked) the DVD Player 2.14. I also tried to patch the original KELF with the "corruption point" technique; it didn't work. Corrupting the target point leads to an extreme corruption of the whole unpacked data (makes the executable totally unusable). That corruption method is a dirty trick, not raw science.
    Yep, all DVD Player firmwares can be ripped out of utility discs, and they're DISK signed. It involves loads of unscrambling, unpacking and MG decryption to get final DISK signed dvdplayer.elf and dvdplayer.irx files. I'm currently writing a PC app to decrypt wobbles.
    Another technique is to install the DVD Player to a MC, copy the KELF and the KIRX to a PC and brute force the header with a dictionary of decrypted DISK keypairs.
    Most hacked DVD Players I released came from consoles' rom1/erom.
    Yep, some kind of stand alone installer, like a "lite" version of FMCB. Would be better than burning craploads of discs, but might break the FMCB licence if that piece of w@rez (the DVD Player) is embedded in the installer ELF.
    Regarding the original utility disc, it would be extremely difficult to make it install a modified/custom DVD Player FW, because of the way installers read, MG decrypt and uncompress the firmware package. Some Japanese Utility Discs have 2 scrambled wobbles (one is the kernel fix package, the other is the DVD Player package). I'll send you my gutted Utility Discs as soon as I have finished coding my PC tool.
    I believe there are 3 possibilities to exploit Utility Discs:
    1) Disable the first SecrDiskBoot# call and the unpacker of the sub-program, so it can handle and CARD sign KELF/KIRX in their "normal" form (a TOC + DISK signed KELF + DISK signed KIRX + resources + icon + dummy).
    2) Compress and sign your own package exactly how $ony did; the installer will act like a "Hacked Build A2" if your package is a compressed KELF or like a "Hacked Build A1" if you also applied the reverse obfuscation scheme.
    3) Code your own sub-program and get rid of Sony's one; it must run as a thread and return some value to the main program.

    I made no progress on the HDDOSD and the DVD Player since the last time I posted. Both DVD Player 2.14E disc and ELF are cracked but I delay the release a little. Got to code that Utility Disc unscrambler first.
     
  15. sp193

    That is good, plus it is not bound to the CD/DVD hardware.

    In the future, we may even be able to release totally legal region-free fixes with such an installer - just scan for the regions to patch and launch the patched DVD player.

    Using the Sony DVD Player Installer is good for only making it feel... "Sony" (Which I also unfortunately, happen to like).

    Are you talking about ripping and repacking the files in those PAK archives? I have a tool for that, but I didn't test whether the PAK files can be rebuilt properly. (The repacked PAK files are accepted by my PAKer tool, but I don't know whether the Sony installer will accept it)

    The tool (PAKer) was released here, but I think that nobody (Other than Segment_fault) took much interest with it.

    If you are talking about determining where Sony hides some of the other files at a LBA that is derived from the disc's ID, I don't have any way to do that yet as I don't know how the MECHACON derives the LBA from the disc ID. :/

    It won't happen, as my installer has nothing to do with the original developers of the FMCB. As the author of it, I have every right to decide the fate of its codebase.

    #2 will be best.
     
    Last edited: Nov 8, 2012
  16. krHACKen

    Same here. Someone sent me a PM and asked me why it was so important for me to acquire the DVD Player 2.14 disc (didn't have the time to answer your PM, sorry bro). Then it's a good opportunity to answer this question. I definitely LOVE $ony Utility Discs. Their design, their purpose, and somehow their copy protections. It's a duty to preserve them. And when you know how much $ony spent neurons, sweat and blood for hiding their MagicGrave stuff and to prevent backups from being run... still a damn great satisfaction after you got a Utility Disc cracked and in another term "preserved".

    I was talking about wobbles, data of "hidden" sectors. PAK files only contain installer resource files and DISK signed KELFs that are not CARD signed by the installer (like the HDDOSD). KELFs/KIRXes to-be-CARD-signed (like DVD Players and Kernel fixes) are obfuscated on wobbles.
    Nice ! I'll try it out.
    Mine is an old unfinished tool. I have to use my hex editor each time I want to insert a file because I didn't implement the ability to add files/replace with larger file when I wrote it. It was initially created to disable the DVD Player installation option of PSBBN discs, re-encrypt modified bytes of the PAK and re-sum the TOC entry. The quick and dirty way.

    I already made such a tool, for my personal use, to determine the cdvdKey and positions of wobbles from disc dumps.
    It's a scanner that complies with the following rules:
    Fourth byte of the sector is always 0x00;
    Third byte of the sector is never 0x00 or 0xFF;
    First byte of the sector is always a multiple of 2;
    Wobbles are never located within sectors referenced by the TOC (not in a file);
    Wobble/sector start is never duplicated on the rest of the dump.

    What I'm trying to do now is to add decryption functionalities.
    Decryption is performed in 3 steps:
    1) Unscrambling with a DecSet Write command, and the BitSet (part of the cdvdKey) as argument + cdRead. Fully implemented. The PCSX2 src helped me a lot (mechaDecryptBytes fnc in cdvd.c).
    2) BitWise against a few bytes of the unscrambled data. The algo differs from one Utility Disc to another, although I think there are only 2. The algo for PBPX-95201 (UD v1.00) is implemented. I didn't mutilate your PBPX-95202 yet but I'm sure it is the same thing. So my BitWise function lacks the newer DVD Player upgrade disc algo.
    3) MagicGate decryption. Implemented...

    Once these 3 steps are fully implemented in both CoDec directions, maybe I'll go deeper and put a firmware package unpacker (DVD Player files are packed in one file with a TOC and compressed)... and why not, an automated function to patch things like DVDV zones routines.

    The harder too. If I succeed at making my unscrambler proggy, I'll send you the source code and maybe make it public (less the MG decryption feature of course).
    I may also have to publish a complete documentation about how Utility Discs work, so people can kill the infamous sceReadKey shit and force the sub-program to report a static cdvdKey (for the wobble to be read at the correct sector location).

    Not to give false hope. I quickly run out of time as I jump from projects to derivative projects anarchically. Most of my projects started out as hypothetical ideas and none have been planned or timed.


    EDIT: Oh, I'll for sure send you my collection of descrambled/decrypted/unpacked wobbles in a PM when I find the time, but here's an LBA table that might interest y'all haxors around:
    http://pastie.org/pastes/5349481/text?key=xtuvnt2cathc9jjdvosscg
     
    Last edited: Nov 8, 2012
  17. krHACKen

    Ahahah, that MC is a joke.
    I did test it with Ridge Racer Type 4 (cuz it's PocketStation compatible). On a PS1 (SCPH-7502), the game just freezes while trying to access the MC.
    On a Fat PS2 (SCPH-39004), it fails but doesn't crash the console.
    All my other third party MCs (not PocketStation faked) work properly with that game.

    Oh, and it's detected by my slim PS2s... always as an unformatted PocketStation... and they fail to format it. Utter crap.

    EDIT : Oops, sorry for the full sized screencaps.
     
    Last edited: Nov 9, 2012
  18. fresh

    Hi!

    Never saw such a thing before.
    Maybe the 1mbit firmware could be interesting...

    Anyway, this, hmm, workshop is really cool.
    It completes the big picture.


    Rgds.
     
  19. sp193

    The card is just malfunctioning. It's supposed to be a regular Playstation memory card, but is somehow being misdetected as a Pocketstation. And it doesn't work.

    It's amusing how it's getting detected as a Pocketstation though (Don't usually see hardware break down like that). :D
     
  20. krHACKen

    I guess gamesaves are saved to the Atmel 1M EEPROM, and the black poo IC on its right provides the I/O interface.
    Perhaps the manufacturer of this MC faked both the PocketStation Device ID & Manufacturer ID, or just cloned the PocketStation FW.


    A contributor sent me his dump of the MC based DVD Player 2.01J. And surprisingly, the firmware does not match the one that was previously provided by another dumper. Why the hell?

    Previous dump:
    dvdplayer.elf:
    Size = 591 072 bytes
    Nbr of MG blocks = 33
    Content start = Offset 0x270
    DISK KELF CRC32 = 844C943F
    dvdplayer.irx:
    Size = 99 741 bytes
    Nbr of MG blocks = 21
    Content start = Offset 0x1B0
    DISK KIRX CRC32 = 4733DED0

    His dump:
    dvdplayer.elf:
    Size = 567 584 bytes
    Nbr of MG blocks = 31
    Content start = Offset 0x250
    DISK KELF CRC32 = 9EDC4A90
    dvdplayer.irx:
    Size = 99 917 bytes
    Nbr of MG blocks = 21
    Content start = Offset 0x1B0
    DISK KIRX CRC32 = F99DC1EE

    ... I don't get it... As far as I know, PBPX-95206 is the only source of MC installable DVDP 2.01J. Anyway, I'll unpack these newly dumped files and examine them. Must know what differs between the dump I've cracked/released and the dump that actually took place in ancient Japan.
     