Downloadable Content Checksums
Posted 07 August 2004 - 01:37 PM
A brief recap of PGR2 (and just about every other XBox Live game)'s DLC verification:
For each directory, PGR2 loads contentmeta.xbx, and checks its signature. The signature algorithm produces hashes unique to each XBox, by using a unique number in the EEPROM as a salt.
If the signature checks out, PGR2 goes through each file listed in contentmeta.xbx, and checks to see that the file hash matches the hash stored in contentmeta.xbx. If it does, it loads the file. If not, it ignores the content(?). Again, these file signatures are salted with data from the XBox's EEPROM, and thus are specific to each XBox.
Now the progress:
Disassembling PGR2's default.xbe, I think I've found the bit of the XBE that performs the verification of the DLC files (for those of you following along at home, I used IDA's pcf and sigmake to create a FLIRT file from xapilib.lib, and then traced backwards from XCalculateContentSignature to find the signature check). Changing the byte sequence f3 a6 74 2d 8b 44 24 10 50 e8 to f3 a6 /eb/ 2d 8b 44 24 10 50 e8 would appear to bypass this check, allowing one to modify files in DLC and still have gotham load it. This does not bypass the check of the contentmeta.xbx signature, and thus does not allow DLC to be transferred between XBoxes. This check may be much harder to find, as it is part of the statically-linked xdk library.
Now, the problem:
I don't have Xbox Live, and have no way to try this. It would be very nice if somebody with Xbox Live and some PGR2 content installed could try this hack, and let me know if I'm on the right track. It should allow for the modification of files in an already installed DLC (car ini files would seem like an easy choice). Make sure to back up your DLC before doing this, as modifying even a single byte will make it fail the signature, and thus be incompatible with Live.
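A simplified model of the two-stage check the recap describes, added here as an illustration and not code from the thread or from PGR2: the manifest signature is checked first, then each listed file's salted hash. The per-console secret, HMAC-SHA1 and the name=hash manifest format are constructed assumptions (the real algorithm is derived from EEPROM data in a way the thread does not spell out); the point it shows is why both a modified file and a pack copied from another console fail verification.

```python
import hashlib
import hmac

# Constructed stand-ins for two consoles. The real Xbox derives its key from
# EEPROM data; here each console simply carries a constructed 16-byte secret.
CONSOLE_A = {"name": "console-A", "eeprom_secret": b"A" * 16}
CONSOLE_B = {"name": "console-B", "eeprom_secret": b"B" * 16}

def sign(console, data):
    """HMAC-SHA1 keyed with the console secret (assumed; models the EEPROM salt)."""
    return hmac.new(console["eeprom_secret"], data, hashlib.sha1).digest()

def build_manifest(console, files):
    """files: dict of name -> bytes. Returns (manifest_bytes, manifest_signature).
    The manifest lists one 'name=salted_hash' line per file (constructed format)."""
    lines = []
    for name in sorted(files):
        lines.append(f"{name}={sign(console, files[name]).hex()}")
    body = "\n".join(lines).encode()
    return body, sign(console, body)

def verify_content(console, manifest, signature, files):
    """Return (ok, reason): manifest signature first, then every listed file hash."""
    if not hmac.compare_digest(sign(console, manifest), signature):
        return False, "manifest signature mismatch"   # foreign or edited manifest
    for line in manifest.decode().splitlines():
        name, expected = line.split("=", 1)
        data = files.get(name)
        if data is None:
            return False, f"missing file {name}"
        if not hmac.compare_digest(sign(console, data).hex(), expected):
            return False, f"hash mismatch for {name}"  # file edited after download
    return True, "ok"

def demo():
    """Constructed content pack: untouched, with an edited car.ini, and on another console."""
    files = {"paris.trk": b"track data", "car.ini": b"[car]\ntopspeed=200\n"}
    manifest, sig = build_manifest(CONSOLE_A, files)
    results = {"untouched": verify_content(CONSOLE_A, manifest, sig, files)[0]}
    tampered = dict(files, **{"car.ini": b"[car]\ntopspeed=999\n"})
    results["tampered_file"] = verify_content(CONSOLE_A, manifest, sig, tampered)[0]
    results["foreign_console"] = verify_content(CONSOLE_B, manifest, sig, files)[0]
    return results

if __name__ == "__main__":
    print(demo())
```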
Posted 07 August 2004 - 05:17 PM
The problem is rendering in the sky.
It doesn't skip anything, it loads everything.
Edited by DOS4GW, 07 August 2004 - 08:06 PM.
Posted 07 August 2004 - 05:45 PM
As I understand the XDK documentation, an XBox Live title must perform validation on downloadable content to be certified: if the user could modify the downloaded content on the hard disk, he could potentially cheat on Live. It doesn't have to perform validation on its own content, as it is impossible to modify it on an unmodified XBox (and, of course, modified XBoxen are banned from Live).
Some games, DOAX for example, perform validation on their data files anyway, in order to hinder modification even on a modded XBox. To my knowledge PGR2 does not do this, but it /does/ validate XBox Live Downloadable Content, which is why you can't simply copy the Paris pack from one XBox to another. Is my understanding of this incorrect?
Posted 07 August 2004 - 08:13 PM
The content has a new updated default.xbe. Every time you start the game from DVD it will look for a newer xbe on the HDD. But if you copy the content with the new default.xbe to its right location and start the game from the DVD, it will say the disc is dirty. If you start it without the updated xbe and launch a content track such as Paris or Long Beach, the game will freeze your Xbox the moment you hit A to start driving, due to a fubar render. The new xbe contains the update fixing this render issue, so all that is needed is making it able to load this new file, or changing the original.
Edited by DOS4GW, 07 August 2004 - 08:55 PM.
Posted 08 August 2004 - 12:55 AM
Changing the string c0 f3 a7 74 04 6a 05 eb af to c0 f3 a7 /eb/ 04 6a 05 eb af disables the header check on contentmeta.xbx. With this modification, PGR2 will attempt to verify downloadable content from another Xbox. (Without it, it ignores foreign content completely.)
On mine, however, even with both modifications (done to both XBEs), content verification fails, and gotham offers to delete the damaged content 'The auto-update is damaged - press a to delete the damaged content and restart your xbox'.
a) I've messed up, and there's yet another content verification check
b) I've messed up, and I haven't correctly disabled the content verification check
c) My copy of gotham / paris pack is messed up in some way
While it's most likely a or b, I'd appreciate it if someone else with (preferably a clean copy of) PGR2 and the Paris pack from another Xbox could try these two hex edits, and report their results.
I'd also appreciate it if someone with the Paris pack locked to their Xbox could try (having first made a backup!) applying this hex edit and modifying a contentmeta.xbx and/or applying the other hex edit and modifying a car.ini, and report if anything odd happens. Also, it would help a lot if you could try applying these patches to the default.xbe in the content pack as well.
My hypothesis is that once all the verification checks have been punched out, PGR2 will load another XBox's version of a content pack just as if it had downloaded it itself: no pink sky, no dirty disk. I hope :)
Posted 08 August 2004 - 02:25 AM
The content is right here, backed up before extracted; it's virgin, untouched. However, none of the hex strings you provided are to be found in either my new or old default.xbe. Double checked on two Xboxes.
If you're able, I would like to talk this over with you on irc, efnet. My nick is the same.
Edited by DOS4GW, 08 August 2004 - 02:32 AM.
Posted 22 August 2004 - 07:25 PM
Posted 23 August 2004 - 12:54 PM
Posted 23 August 2004 - 04:25 PM
I would be grateful if you started PGR2 and raced a Live car on a Paris track, then made an index of e:, f:, x: and y:.
Edited by DOS4GW, 23 August 2004 - 04:33 PM.
Posted 17 January 2005 - 06:45 AM
Posted 18 January 2005 - 11:57 AM
When he manages to remove these checks, the content will run.
And then of course you cannot cheat on xbl, because the default.xbe would not start any more when the modchip is off.
Posted 19 January 2005 - 12:19 AM
Games : Ultramix and Ultramix2
Patch : Enhanced version still in testing - thanks to the Fish.
Files : ...hold yer horses... Ultramix/2 Downloadable Content Song Pack 1. ...I'd need to test the others... but sadly I don't have them... :-(
First one works. Anyone got the others?
Posted 26 January 2005 - 01:40 AM
Posted 03 February 2005 - 01:43 PM