Since we have SDK docs related to DRM,
why doesn't someone produce a CFW with patched DRM check functions?
According to NP_DRM-Reference_e (htm or pdf), there are candidate functions such as the following.
Patch so that it always returns a zero value for the function below:
Code:
sceNpDrmVerifyUpgradeLicense
Functions: Verify license
Definition
#include <np/drm.h>
int sceNpDrmVerifyUpgradeLicense (
const char *content_id
);
Calling Conditions:
Multithread safe
Arguments:
content_id : Content ID of the license package
Return Values:
Value 0 = Normal termination
Negative = Error (see the document "NP DRM Error Code Reference")
Description:
This function is provided under the premise that it will be called from
an application that supports the NP game purchase utility. It verifies
the license purchased and downloaded by the user. When the
verification succeeds, in other words, if the game has been purchased,
the function returns 0 for normal termination. If a value other than 0 is
returned, consider the game to be one that has not been purchased yet
and handle accordingly.
This function includes processing that takes a relatively long time.
Call it from a thread separate from the one on which screen rendering is processed.
Notes
-------------------------------------------------------------
This function calls cellSysutilCheckCallback() in an internal loop and
waits for a callback function to be called. It is possible that a different
callback function that is registered to a system utility may be called as a side-effect.
If you want to manage the call timing of callback functions, use
sceNpDrmVerifyUpgradeLicense2() instead of this function.
See Also: sceNpDrmVerifyUpgradeLicense2()
Patch so that it always returns zero and sets a fixed remaining time for the function below:
Code:
sceNpDrmGetTimelimit
Functions: Get remaining time of the validity period
Definition
#include <np/drm.h>
int sceNpDrmGetTimelimit (
const char *path,
uint64_t *time_remain
);
Calling Conditions:
Multithread safe
Arguments:
path : NPDRM file path
time_remain : Remaining time (microseconds)
Return Values:
Value 0 = Normal termination
Negative = Error (see the document "NP DRM Error Code Reference")
-------------------------------------------------------------
This function obtains the remaining time of an NPDRM content's set
validity period. If the validity has not yet started or already expired,
the corresponding error will return.
time_remain only takes on meaning when the return value is 0 and
the function reaches normal termination. The remaining time is
given in microseconds. For a content to which a validity period
has not been set (one with no expiration date/time set),
SCE_NP_DRM_TIME_INFO_ENDLESS(0x7FFFFFFFFFFFFFFFULL)
will return to time_remain.
This function must be called from a different thread, while the call of
the callback is being checked with cellSysutilCheckCallback() and
processing completion is waited for in the main thread loop.
It is necessary to confirm the call of the callback function;
otherwise processing cannot end (a version in which the callback
is automatically waited for is not provided).
Notes
-----------------------------------------------------------------------
The NPDRM file to be specified can be NPDRM EDATA, NPDRM PPU SELF,
NPDRM SPU SELF, or NPDRM SPRX.
This function can also obtain the remaining time of validity for the
EBOOT.BIN file of an HDD boot game; the EBOOT.BIN is exclusively
for starting up the HDD boot game from the system software.
The comments below are from the file NP_DRM-Overview_e (htm or pdf):
(2) Verify License
Call sceNpDrmVerifyUpgradeLicense() on a thread separate from the one processing screen rendering, and perform a license verification. In other words, check if the user has already purchased the game or not. As an argument, specify the content ID specified upon creating the license package.
The following is an excerpt taken from a sample program.
// Ensure the call of the following code in the game boot sequence
int ret = 0;
bool purchase_status = false;
ret = sceNpDrmVerifyUpgradeLicense("IV0002-NPXS00021_00-GAMEPURCHASE0002");
if (ret == 0) {
    // This game has been purchased -> run as a full version
    purchase_status = true;
} else {
    // This game has not been purchased -> run as a trial version
    purchase_status = false;
}
sceNpDrmVerifyUpgradeLicense() returns 0 if the game has already been purchased, and returns a "license cannot be found" error if the game has not been purchased yet. Make sure the game only operates as the full version when 0 is returned.
Perform this verification every time the application starts up. It is recommended that the verification process be carried out immediately after application startup.
Note
sceNpDrmVerifyUpgradeLicense() internally calls cellSysutilCheckCallback(), and the timing at which a callback that is registered to another system utility is called may be affected. If this is a problem, perform the license verification with sceNpDrmVerifyUpgradeLicense2().
I think one can let a 3.55 CFW execute an npdrm'd eboot.bin and fake it as if the application is purchased.
Even a new CFW may not be needed if the above-mentioned functions can be patched on lv2_v9.pkg installed PS3s.
I'm not an expert and haven't decrypted or patched any firmware, but it looks promising.
If someone created a tool that decrypts npdrm eboot.bin's, then we need crackers to analyse the decrypted eboot.bin and patch the above-mentioned function calls in the executable. By modifying firmware, I think a lot of executables can be faked. I'm not sure about the condition of consoles that have never connected to PSN and lack some identification files that npdrm loaders need.
************* [ - Post Merged - ] *************
I think it is possible to compare DUPLEX's released decrypted npdrm ELFs and cracked SELFs and learn something about the npdrm checks performed by eboot.bin's.
DUPLEX released decrypted SELFs to prove npdrm decryption. If their cracked eboot.bin's could be converted to ELFs, we would see what they changed.