Downloadable Content Checksums
MrFish
I think I've made some progress with PGR2's verification of downloaded content:


A brief recap of PGR2 (and just about every other XBox Live game)'s DLC verification:

For each directory, PGR2 loads contentmeta.xbx, and checks its signature. The signature algorithm produces hashes unique to each XBox, by using a unique number in the EEPROM as a salt.

If the signature checks out, PGR2 goes through each file listed in contentmeta.xbx, and checks to see that the file hash matches the hash stored in contentmeta.xbx. If it does, it loads the file. If not, it ignores the content(?). Again, these file signatures are salted with data from the XBox's EEPROM, and thus are specific to each XBox.


Now the progress:

Disassembling PGR2's default.xbe, I think I've found the bit of the XBE that performs the verification of the DLC files (For those of you following along at home, I used IDA's pcf and sigmake to create a FLIRT file from xapilib.lib , and then traced backwards from XCalculateContentSignature to find the signature check.). Changing the byte sequence f3 a6 74 2d 8b 44 24 10 50 e8 to f3 a6 /eb/ 2d 8b 44 24 10 50 e8 would appear to bypass this check, allowing one to modify files in DLC and still have gotham load it. This does not bypass the check of the contentmeta.xbx signature, and thus does not allow DLC to be transferred between XBoxes. This check may be much harder to find, as it is part of the statically-linked xdk library.


Now, the problem:

I don't have Xbox Live, and have no way to try this. It would be very nice if somebody with Xbox Live and some PGR2 content installed could try this hack, and let me know if I'm on the right track. It should allow for the modification of files in an already installed DLC (car ini files would seem like an easy choice). Make sure to back up your DLC before doing this, as modifying even a single byte will make it fail the signature, and thus be incompatible with Live.
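
The two-stage check recapped in the post above (manifest signature first, then per-file hashes, both bound to one console), as an added example that is not part of the original post or of any Xbox code. It is a simplified model: HMAC-SHA1, the manifest layout, the key values and all function names are assumptions chosen for illustration, not the algorithm behind XCalculateContentSignature.

```python
import hashlib
import hmac

def sign(console_key: bytes, data: bytes) -> bytes:
    # Keyed digest: identical data yields a different value on every console.
    return hmac.new(console_key, data, hashlib.sha1).digest()

def build_manifest(console_key: bytes, files: dict) -> tuple:
    # One "name:hexdigest" line per file, then a signature over the manifest.
    lines = [f"{name}:{sign(console_key, body).hex()}"
             for name, body in sorted(files.items())]
    manifest = "\n".join(lines).encode()
    return manifest, sign(console_key, manifest)

def verify_content(console_key: bytes, manifest: bytes, manifest_sig: bytes,
                   files: dict) -> str:
    # Stage 1: the manifest must carry this console's signature.
    if not hmac.compare_digest(sign(console_key, manifest), manifest_sig):
        return "manifest-rejected"
    # Stage 2: every listed file must match its recorded keyed digest.
    for line in manifest.decode().splitlines():
        name, hexdigest = line.rsplit(":", 1)
        body = files.get(name)
        if body is None or not hmac.compare_digest(
                sign(console_key, body), bytes.fromhex(hexdigest)):
            return f"file-rejected:{name}"
    return "ok"

# Constructed sample data: two console keys and a two-file content pack.
KEY_A = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
PACK = {"car5.ini": b"[car]\ntopspeed=240\n", "track.dat": b"\x00\x01\x02\x03"}

def demo() -> dict:
    manifest, sig = build_manifest(KEY_A, PACK)
    edited = dict(PACK, **{"car5.ini": b"[car]\ntopspeed=999\n"})
    return {
        "same_console": verify_content(KEY_A, manifest, sig, PACK),
        "other_console": verify_content(KEY_B, manifest, sig, PACK),
        "edited_file": verify_content(KEY_A, manifest, sig, edited),
        "missing_file": verify_content(KEY_A, manifest, sig,
                                       {"car5.ini": PACK["car5.ini"]}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In this model the decision rests on a comparison made by the client itself, which is why the thread treats the title's own executable as the thing that decides whether content loads.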
DOS4GW
It already allows changes in installed files, it has always done that. And the thing about ini files doesn't make any sense, pgr2 reads the plain text from them, it never calculated the checksum.

The problem is rendering in the sky.

It doesn't skip anything, it loads everything.
MrFish
You're saying that if you edit an ini file in e:\tdata , for instance E:/TDATA/4d53004b/$u/dcontentcar5.ini , an unpatched gotham will still load the paris pack correctly? It won't complain that the pack is damaged, or absent?

As I understand the XDK documentation, an XBox Live title must perform validation on downloadable content to be certified : if the user could modify the downloaded content on the hard disk, he could potentially cheat on Live. It doesn't have to perform validation on its own content, as it is impossible to modify it on an unmodified XBox (and, of course, modified XBoxen are banned from Live).

Some games, DOAX for example, perform validation on their data files anyway, in order to hinder modification even on a modded XBox. To my knowledge PGR2 does not do this, but it /does/ validate XBox Live Downloadable Content, which is why you can't simply copy the Paris pack from one XBox to another. Is my understanding of this incorrect?
DOS4GW
Loading from tdata I'm not sure about, but anyway the problem about the pgr2 content is not to get the files to their right location.

The content has a new updated default.xbe. Every time you start the game from dvd it will look for a newer xbe on the hdd. But if you copy the content with the new default.xbe to their right locations and start the game from the dvd it will say the disc is dirty. If you start it without the updated xbe and launch a content track as paris or long beach, the game will freeze your xbox the moment you hit A to start driving, due to fubar render. The new xbe contains the update fixing this render issue, so all needed is making it able to load this new file, or change the original.
MrFish
More progress:

changing the string c0 f3 a7 74 04 6a 05 eb af to c0 f3 a7 /eb/ 04 6a 05 eb af disables the header check on contentmeta.xbx . With this modification, PGR2 will attempt to verify downloadable content from another xbox. (Without it, it ignores foreign content completely).

On mine, however, even with both modifications (done to both XBEs), content verification fails, and gotham offers to delete the damaged content 'The auto-update is damaged - press a to delete the damaged content and restart your xbox'.

Either :

a) I've messed up, and there's yet another content verification check
b) I've messed up, and I haven't correctly disabled the content verification check
c) My copy of gotham / paris pack is messed up in some way

While it's most-likely a or b, I'd appreciate it if someone else with (preferably a clean copy of) PGR2 and the paris pack from another Xbox could try these two hex edits, and report their results.

I'd also appreciate it if someone with the paris pack locked to their xbox could try (having first made a backup!) applying this hexedit and modifying a contentmeta.xbx and/or applying the other hexedit and modifying a car.ini , and report if anything odd happens. Also, it would help a lot if you could try applying these patches to the default.xbe in the content pack as well.

My hypothesis is that once all the verification checks have been punched out, PGR2 will load another XBox's version of a content pack just as if it had downloaded it itself: no pink sky, no dirty disk. I hope :)
DOS4GW
Did you make that eeprom?

The content is right here, backed up before extracted, it's virgin, untouched. However none of the hexstrings you provided are to be found in either my new or old default.xbe. Double checked on two xboxes.

If you're able, I would like to talk this over with you on irc, efnet. My nick is the same.
CompuTerror
I've tried to patch the default.xbe both ways, but no way works
SniperKilla
lets get this hash cracked.. so i can use a silver radical on live
DOS4GW
You have Live sniper, can you provide a file location index, detailed one? With size, date, etc..

I would be grateful if you started pgr2, and raced a live car on a paris track, then made an index of e: f: and x: and y:
NarutoKun
THX MrFish it works great for Halo 2!
Rooble
Ok, this all sounds great and all, but i guess im missing something? If you have to edit the default.xbe (which i think you do) then obviously this cant be used on live? correct? but then saying that, this is completely useless because you can already edit the cars if you dont intend to go on live? so what exactly am i missing? do you edit some .xbe on the TDATA section? Ive not thoroughly scanned through the DLC content in TDATA, but i dont really remember seeing a .xbe... any input from now would be cool...
knatsch
MrFish is trying to get content running on a box with no live account. When starting such a game it checks by several signatures if the content was originally installed on this xbox. If this is not the case, the content does not start.
When he manages to remove these checks, the content would run.

And then of course you cannot cheat on xbl, because the default.xbe would not start any more when the modchip is off.
jsrlepage
Success Report

Games : Ultramix and Ultramix2

Patch : Enhanced version still in testing - thanks to the Fish.

Files : ...hold yer horses... Ultramix/2 Downloadable Content Song Pack 1. ...i'd need to test the others... but sadly i don't have them... :-(

first one works. anyone got the others?
Ichijoe
You must be doing something right MrFish! I found and replaced the HEX in my F:\PG2 and the one in E:\TDATA too. Although the Render Bug is still there and causes PG2 to crash. It now takes about a minute instead of the second one presses the 'A' button as before!!!
Agret
Hey guys how do you apply this to games other than PGR2? I want to use it on the Ninja Gaiden Hurricane pack
AmyGrrl
I can't wait till I get my 2nd XBOX so I can Download XBOX Live Content. I wish there was a place to download XBOX Live Content. Would love to check out the extra Halo 2 stuff, but I shall wait. If you guys get this going, then other games patches may follow for other games. Then we can have lots of System Link Fun.
Someone should make a list of what data can be transferred from one XBOX to Another. Whether it requires a patch or not...etc.
barranger
Works for Ghost Recon 2 with a small issue. If you try it with the default.xbe that comes with the disk, it won't even load. If you use the default.xbe from the first patch however and overwrite the original, it works like a charm
DOS4GW
Which files to transfer is posted in the sticky topic.
barranger
huh? do you mean the sticky in this forum? I just read through all 10 pages and there is no mention of changing a hex value in default.xbe nor any mention of Ghost Recon 2 or, for that matter, using the patch downloaded from Xbox Live instead of the default.xbe off the disk.

Sorry if I've misunderstood.
DOS4GW
You don't have to edit the xbe unless you want to play the tracks. The car file can just be transferred, and that's posted in the sticky thread here.

No one here has succeeded in cracking the xbe for pgr2, we've been 3 or 4 looking at it.

Edit. I have no thoughts on gr2 editing and I can't recall seeing any posts about it inside this pgr2 thread.
barranger
I just posted here cause this is where the info was and there were posts here about the same bit working with other games, sorry
DOS4GW
No need to excuse yourself for me, friendly tone here mate.
barranger
Cool, and I'd like to thank MrFish again for this great info.
c-2
ya sweet!! i just did the second patch to Links2004 and it works great, i transferred the content to my modded xbox .. i only have the update and the one free course .. had to patch both default.xbe files .. thanx MrFish :]

Anthonyp122
I may sound like a total idiot here...
but What exactly does this do? I have read all the posts constantly and I have no idea what is going on? Somebody said something about halo 2 and downloadable content. so whats this do?
mrjkwik
allow you to play xbox live downloadable content without having xbox live
nifebender
im not sure if i can talk about this using it for halo 2, but how do you get it working with halo 2? i downloaded the dlc on my nonmodded xbox, used a game save to get all the stuff. but if i apply it to the original it doesnt do anything for me and if i apply it to the 1.1 patch i cant get the game to even start.
mrjkwik
sorry. dont know if it works for h2 or not. but even if it did, no h2 talk at all from reg forum members. "news" only from the site admins.
Juniorman030790
So how would I sign this so I could share my content onto another one of my xboxes &/or have diff color cars on live?
mrjkwik
To pass the content along to your friends, all you have to do is give them whatever files you change as was instructed here.

As far as live is concerned, let's just say you "can't". Although technically I believe it can and has been done on live, but the info was never openly released. Which means no one will tell you, even if they know. And no, I don't know.
jangarznya
could someone make like a tutorial on how to do this?
i really want to add more songs to my copy of ddr ultramix 2 but i dont want to pay for xbox live.

if there was a tutorial on how to do it for pgr2 i could probably figure out how to do it since apparently someone else did at the bottom of page one.

another thing is that someone was asking for DLC and some said something about the usual place"S"
i only know of the one where u use irc and then ftp a certain site.

any help is totally appreciated.

but i guess ill just keep on surfing.
thnx
Harcroft
This problem has been solved a long time ago. Some people actually got this old content signing properly:)
xboxdelisi
I may sound like a total idiot here..