PS3Hax Network - Playstation 3 Hacks and Mods - View Single Post - [Explain] Understanding PARAM.SFO structure

sandungas · 07-15-2012

Ohhh man, i think you have erased correct information, this structure is not easy at all, it needs some hours of investigation and to look at several examples to understand it

I suggest by now lest use the same names for the tables... at beggining i used "index table" (for the X table)... and "weird table" (for the Y table)... but later i thought "by now" while we dont know exactly his function is better to use something more generic ---> "X table" and "Y table" will work for now and cant be wrong because is something "generic"

I will need some time to understand what you changed, so i will edit this message several times, but by now... the most easy table:

Originally Posted by deroad

let's take this X table

Code:

00000060  00 00 00 00 00 00 00 39  00 00 00 00 00 00 00 72  |.......9.......r|
00000070  00 00 00 00 00 00 00 4c  00 00 00 00 00 00 00 1f  |.......L........|
00000080  00 00 00 00 00 00 00 25  00 00 00 00 00 00 00 32  |.......%.......2|
00000090  00 00 00 00 00 00 00 3a  00 00 00 00 00 00 00 46  |.......:.......F|
000000a0  00 00 00 00 00 00 00 1c  00 00 00 00 00 00 00 2a  |...............*|
000000b0  00 00 00 00 00 00 00 31  00 00 00 00 00 00 00 3e  |.......1.......>|
000000c0  00 00 00 00 00 00 00 48  00 00 00 00 00 00 00 22  |.......H......."|
000000d0  00 00 00 00 00 00 00 2b  00 00 00 00 00 00 00 36  |.......+.......6|
000000e0  00 00 00 00 00 00 00 40  00 00 00 00 00 00 00 1a  |.......@........|
000000f0  00 00 00 00 00 00 00 24  00 00 00 00 00 00 00 2e  |.......$........|
00000100  00 00 00 00 00 00 00 38  00 00 00 00 00 00 00 42  |.......8.......B|
00000110  00 00 00 00 00 00 00 1b  00 00 00 00 00 00 00 26  |...............&|
00000120  00 00 00 00 00 00 00 30  00 00 00 00 00 00 00 37  |.......0.......7|
00000130  00 00 00 00 00 00 00 44  00 00 00 00 00 00 00 72  |.......D.......r|
00000140  00 00 00 00 00 00 00 72  00 00 00 00 00 00 00 72  |.......r.......r|
00000150  00 00 00 00 00 00 00 72  00 00 00 00 00 00 00 72  |.......r.......r|
00000160  00 00 00 00 00 00 00 06  00 00 00 00 00 00 00 15  |................|
00000170  00 00 00 00 00 00 00 1e  00 00 00 00 00 00 00 28  |...............(|
00000180  00 00 00 00 00 00 00 33  00 00 00 00 00 00 00 3d  |.......3.......=|
00000190  00 00 00 00 00 00 00 47  00 00 00 00 00 00 00 4a  |.......G.......J|
000001a0  00 00 00 00 00 00 00 29  00 00 00 00 00 00 00 34  |.......).......4|
000001b0  00 00 00 00 00 00 00 3c  00 00 00 00 00 00 00 49  |.......<.......I|
000001c0  00 00 00 00 00 00 00 23  00 00 00 00 00 00 00 2d  |.......#.......-|
000001d0  00 00 00 00 00 00 00 35  00 00 00 00 00 00 00 41  |.......5.......A|
000001e0  00 00 00 00 00 00 00 17  00 00 00 00 00 00 00 20  |............... |
000001f0  00 00 00 00 00 00 00 4b  00 00 00 00 00 00 00 39  |.......K.......9|
00000200  00 00 00 00 00 00 00 43  00 00 00 00 00 00 00 3f  |.......C.......?|
00000210  00 00 00 00 00 00 00 27  00 00 00 00 00 00 00 2f  |.......'......./|
00000220  00 00 00 00 00 00 00 3b  00 00 00 00 00 00 00 45  |.......;.......E|
00000230  00 00 00 00 00 00 00 0a  00 00 00 00 00 00 00 13  |................|

Code:

Offset 	Size 	Value 	                          Description
0x60 	0x08 bytes 	0000000000000039 	Max Number of reserved entries in the X table & Hash table (57 in decimal)
0x68 	0x08 bytes 	0000000000000072 	Max Number of reserved entries in the Protected files table (114 in decimal)
0x70 	0x08 bytes 	000000000000004C       Number of files listed (76 in decimal)

Now compare if you have 76 files listed in the "Protected file table" and you will see im right
The "X table" starts after this (at 0x78) and has 57 entries

Originally Posted by deroad

that 0x1F is the ID of the file

Nops, this 0x1F is the "virtual number" assigned to this file
The position of the entry in the "X table" is nº1, and his assigned number is 0x1F (nº31 in decimal)
So.... file 1 is linked to position 31 (when i say "linked" is only speculation... it can be other thing like a parameter for his signature generation)

You can do the same with all the others... the list of numbers is complete (from 0x00 to 0x71 max)... most of the smaller numbers are in the "X table"... the others are in the "protected files table"

************* [ - Post Merged - ] *************

Originally Posted by deroad

before each file name there is a value that say that there is something every each 0x110.

an example (from RESISTANCE)

Code:

00000240  00 00 00 00 00 00 00 72  50 41 52 41 4d 2e 53 46  |.......rPARAM.SF|

From (GT5)

Code:

00000350  00 00 00 00 00 00 00 72  50 52 4f 46 49 4c 45 2e  |.......rPROFILE.|

From Heavy Rain

Code:

00000680  00 00 00 00 00 00 00 72  33 00 00 00 00 00 00 00  |.......r3.......|

as you can see there is always a 0x72 before it starts. this means that that 0x72 before the PARAM.SFO file name is the same 0x72 for every each file listed on that PFD

as you can also see, there is a 0x39 in the "index table" (as i call it) because it always has a SFO listed in it. what change is the ID.

anyway at the and of each 0x100 section you can see the file size.
an example

Code:

00000240  00 00 00 00 00 00 00 72  50 41 52 41 4d 2e 53 46  |.......rPARAM.SF| <- file name. (max name lenght 0x16)
00000250  4f 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |O...............|
00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000280  00 00 00 00 00 00 00 00  00 00 00 00 ef 39 b2 aa  |.............9..|
00000290  57 ff fd 20 5a 47 d8 92  bb ac 26 dd df 9f 48 ec  |W.. ZG....&...H.| <--- 0x14 sha1-hmac hashes
000002a0  ef ae 66 1e 97 ee 73 8d  02 56 fd 01 92 3c a0 b9  |..f...s..V...<..|
000002b0  75 26 c3 09 3d 92 95 f6  4a fb 2e 9e 7c ee f3 72  |u&..=...J...|..r|
000002c0  2e b0 a0 91 bf 37 2d d5  51 fd 26 8f 11 8d 8b a9  |.....7-.Q.&.....|
000002d0  83 c3 af d6 09 3f 81 61  27 00 ea 08 ae 5e 7c b9  |.....?.a'....^|.|
000002e0  58 5e 4d 5a 6d f5 aa 7d  fa e1 ac bd 73 1c e4 9d  |X^MZm..}....s...|
000002f0  c4 25 e4 e6 31 91 84 97  29 f7 bd 30 52 a0 b0 30  |.%..1...)..0R..0|
00000300  8a 22 f3 4c ea b3 5e c7  35 f8 17 b7 0d 96 50 1b  |.".L..^.5.....P.|
00000310  ab 71 99 4a ce 2d 28 26  b8 38 ed b8 4b 60 d3 69  |.q.J.-(&.8..K`.i|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 0a b0  |................| <--- filesize (0x0ab0 = 2736, exactly the byte size of the SFO)

Partially correct, all this was documented in the page before, this is refered to the "Protected files table", each entry in this table is composed by:

Code:

Size 	Value 	Description
0x8 	00000000000000** 	File index
0x16 	EXAMPLE.WTF 	Name of the file included the point and the extension in ASCII (Null-terminated)
0xBC 	 ????????... 	Certificate for the file. When the file is PARAM.SFO then the certificate is bigger in size and uses imput data from the attribute "PARAMS" and/or "ACCOUNT_ID" inside PARAM.SFO. Method unknown (Null-terminated)
0x4 	1A2B3C4D 	Size of the file in bytes

"""as you can see there is always a 0x72 before it starts""" <--- this is not correct, you need to look at more example files

The way are "marked" is the same than the "X table"..... if you found a 0x72... it means that is "not used" (it points out of the table)
But you will find that sometimes is used... ( this depends of the number of files are listed in the "protected files table"
The "problem" is the "X table" can only store 57 "indexed files"... but the format is able to store 114 signatures for files.... so if you need to "index" more than 57 files.... the "X table" is not big enought... and the rest of this index are "spreaded" in the "Protected files table"

And when i say the word "spreaded" is because there is no relationship in the positions of this "index" between tables (look at this very carefully, because this is the real nonsense of all the structure)
It seems completly random (im sure is not)... but is not so easy
This is what i called a "virtual index"

This is hard to explain... but e.g:
Imagine you are a game developer and you need to secure 80 files... so you need to include the signatures for this 80 files in the "protected files table", ok ?... well...
The problem is you need to "index" this files... and in the "X table" you can only "index" 57 files... in other words... you need to "index" the other 23 in the "protected files table" ifself

If you make a list with all this "indexed files" (the ones spreaded in "X table" + the ones spreaded in "protected file table")... you will see you have a complete list with ALL the files ordered by number

----------
Edit:
Great, i think i was able to explain all this "virtual index"

This is the "big secret" of this format, im glad now we are in the same road and we are crashed with the same concrete wall