Downloadable Content Checksums, Possible progress?

MrFish
Aug 7 2004, 01:37 PM

X-S X-perience
Group: Members
Posts: 369
Joined: 5-June 03
Member No.: 42288
Xbox Version: v1.1
360 version: v1 (xenon)

I think I've made some progress with PGR2's verification of downloaded content:
A brief recap of PGR2 (and just about every other XBox Live game)'s DLC verification:
For each directory, PGR2 loads contentmeta.xbx, and checks its signature. The signature algorithm produces hashes unique to each XBox, by using a unique number in the EEPROM as a salt.
If the signature checks out, PGR2 goes through each file listed in contentmeta.xbx, and checks to see that the file hash matches the hash stored in contentmeta.xbx. If it does, it loads the file. If not, it ignores the content(?). Again, these file signatures are salted with data from the XBox's EEPROM, and thus are specific to each XBox.
Now the progress:
Disassembling PGR2's default.xbe, I think I've found the bit of the XBE that performs the verification of the DLC files (for those of you following along at home, I used IDA's pcf and sigmake to create a FLIRT file from xapilib.lib, and then traced backwards from XCalculateContentSignature to find the signature check). Changing the byte sequence f3 a6 74 2d 8b 44 24 10 50 e8 to f3 a6 /eb/ 2d 8b 44 24 10 50 e8 would appear to bypass this check, allowing one to modify files in DLC and still have gotham load it. This does not bypass the check of the contentmeta.xbx signature, and thus does not allow DLC to be transferred between XBoxes. This check may be much harder to find, as it is part of the statically-linked XDK library.
Now, the problem:
I don't have Xbox Live, and have no way to try this. It would be very nice if somebody with Xbox Live and some PGR2 content installed could try this hack, and let me know if I'm on the right track. It should allow for the modification of files in an already installed DLC (car ini files would seem like an easy choice). Make sure to back up your DLC before doing this, as modifying even a single byte will make it fail the signature, and thus be incompatible with Live.
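Added example (not code from this post or from the XDK): a toy model of the two-stage check described above, a per-console keyed signature over contentmeta.xbx followed by per-file keyed hashes. HMAC-SHA1, the console secrets and the file names are assumptions standing in for the real EEPROM-salted algorithm, which the thread does not detail; the model shows why content copied from another console fails at the manifest stage and why a one-byte edit to a car ini fails at the file stage.

```python
import hashlib
import hmac

# Constructed stand-ins for the EEPROM-derived per-console secret (assumption).
CONSOLE_A_SECRET = b"console-A-eeprom-unique-id"
CONSOLE_B_SECRET = b"console-B-eeprom-unique-id"


def console_mac(secret: bytes, data: bytes) -> bytes:
    """Keyed hash unique to one console; HMAC-SHA1 is assumed, not the real XDK algorithm."""
    return hmac.new(secret, data, hashlib.sha1).digest()


def manifest_body(entries: dict) -> bytes:
    """Canonical byte layout of the manifest so the signature covers every file entry."""
    return b"".join(name.encode() + entries[name] for name in sorted(entries))


def build_contentmeta(secret: bytes, files: dict) -> dict:
    """Model of contentmeta.xbx: per-file keyed hashes plus a signature over the whole manifest."""
    entries = {name: console_mac(secret, data) for name, data in files.items()}
    return {"entries": entries, "signature": console_mac(secret, manifest_body(entries))}


def verify_content(secret: bytes, meta: dict, files: dict) -> tuple:
    """Stage 1: manifest signature (rejects foreign/tampered manifests).
    Stage 2: each listed file's hash (rejects modified files)."""
    expected_sig = console_mac(secret, manifest_body(meta["entries"]))
    if not hmac.compare_digest(meta["signature"], expected_sig):
        return False, "contentmeta signature mismatch (foreign or tampered manifest)"
    for name, expected in meta["entries"].items():
        data = files.get(name)
        if data is None:
            return False, f"{name} missing"
        if not hmac.compare_digest(expected, console_mac(secret, data)):
            return False, f"{name} hash mismatch (file modified)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample content pack (file names are illustrative only).
    files = {"dcontentcar5.ini": b"[car]\ntopspeed=200\n", "paris.trk": b"\x00\x01"}
    meta = build_contentmeta(CONSOLE_A_SECRET, files)
    print("same console:", verify_content(CONSOLE_A_SECRET, meta, files))
    print("copied to other console:", verify_content(CONSOLE_B_SECRET, meta, files))
    edited = dict(files, **{"dcontentcar5.ini": b"[car]\ntopspeed=999\n"})
    print("one file edited:", verify_content(CONSOLE_A_SECRET, meta, edited))
```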

MrFish
Aug 7 2004, 05:45 PM

You're saying that if you edit an ini file in e:\tdata, for instance E:/TDATA/4d53004b/$u/dcontentcar5.ini, an unpatched gotham will still load the paris pack correctly? It won't complain that the pack is damaged, or absent?
As I understand the XDK documentation, an XBox Live title must perform validation on downloadable content to be certified: if the user could modify the downloaded content on the hard disk, he could potentially cheat on Live. It doesn't have to perform validation on its own content, as it is impossible to modify it on an unmodified XBox (and, of course, modified XBoxen are banned from Live).
Some games, DOAX for example, perform validation on their data files anyway, in order to hinder modification even on a modded XBox. To my knowledge PGR2 does not do this, but it /does/ validate XBox Live Downloadable Content, which is why you can't simply copy the Paris pack from one XBox to another. Is my understanding of this incorrect?

MrFish
Aug 8 2004, 12:55 AM

More progress:
Changing the string c0 f3 a7 74 04 6a 05 eb af to c0 f3 a7 /eb/ 04 6a 05 eb af disables the header check on contentmeta.xbx. With this modification, PGR2 will attempt to verify downloadable content from another xbox. (Without it, it ignores foreign content completely.)
On mine, however, even with both modifications (done to both XBEs), content verification fails, and gotham offers to delete the damaged content: 'The auto-update is damaged - press a to delete the damaged content and restart your xbox'.
Either:
a) I've messed up, and there's yet another content verification check
b) I've messed up, and I haven't correctly disabled the content verification check
c) My copy of gotham / paris pack is messed up in some way
While it's most likely a or b, I'd appreciate it if someone else with (preferably a clean copy of) PGR2 and the paris pack from another Xbox could try these two hex edits, and report their results.
I'd also appreciate it if someone with the paris pack locked to their xbox could try (having first made a backup!) applying this hexedit and modifying a contentmeta.xbx and/or applying the other hexedit and modifying a car.ini, and report if anything odd happens. Also, it would help a lot if you could try applying these patches to the default.xbe in the content pack as well.
My hypothesis is that once all the verification checks have been punched out, PGR2 will load another XBox's version of a content pack just as if it had downloaded it itself: no pink sky, no dirty disk. I hope :)

CompuTerror
Aug 22 2004, 07:25 PM

X-S Enthusiast
Group: Members
Posts: 6
Joined: 21-February 04
Member No.: 101564

I've tried to patch the default.xbe both ways, but no way works.

knatsch
Jan 18 2005, 11:57 AM

X-S Enthusiast
Group: Members
Posts: 16
Joined: 25-April 04
Member No.: 116383

MrFish is trying to get content running on a box with no Live account. When starting such a game, it checks via several signatures whether the content was originally installed on this xbox. If this is not the case, the content does not start. When he manages to remove these checks, the content would run.
And then of course you cannot cheat on XBL, because the default.xbe would not start any more when the modchip is off.