Profile/Burnout Paradise: Difference between revisions
Revision as of 08:34, 16 May 2022
This page is a work in progress. Please leave any thoughts on the talk page or on Discord.
Enumerations: Enumerations used in the profile.
Structures: Structures used throughout the profile.
Development: Information on the known iterations of the profile.
The profile for Burnout Paradise contains all saved progression, including event completion, collectible discovery, records, and unlocked vehicles, among other things. It also contains user-selected data such as vehicle colors, options, and custom online race routes.
The only major content not saved in the profile is mugshot data, which is stored independently. Its location is platform-specific.
Overview
TODO: Describe some common stuff here. High-level overviews of components saved: vehicles, records, progression, etc.
Known issues and exploits
Buffer overread via color indices
Colors and color types may be modified by changing the selected index on a given vehicle. As there is no bounds checking in place, it is possible to read data beyond the selected color type and the PlayerCarColours resource altogether. What's read in is interpreted as floating-point data representing percentages of 255, leading to values less than 0% and greater than 100%. The resulting colors often glow and have been dubbed "neon" colors. The exact process by which these colors are formed is currently unknown and likely requires shader research to understand.
Replacement of selected liveries with other vehicles
The selected livery of a given vehicle is stored as a vehicle ID. As there are no checks in place to ensure the selected vehicle is a child of the given vehicle, this can be replaced with any other vehicle, including undrivable vehicles such as traffic. Liveries set this way cannot be selected normally in the junkyard but can be used by other means, such as waiting for the countdown to end in an online race or having the host of an online room start a Marked Man game.
Time and distance limitations
Time played, measured in seconds, was originally stored as a float. Because a float has a fixed number of significant bits, the smallest increment it can represent grows as the value itself grows. In this case, time stopped increasing once the value was large enough that adding the frametime (16.6 ms) no longer changed it, which limited the value to just 262144 seconds (72.8 hours).
Distance travelled suffers the same imprecision woes but at a later point. While it is still added to every frame, the increase changes based on speed, so the limit changes based on speed as well: 10425 mi at 67-134 mph, 20850 mi at 134-268 mph, and 41700 mi at 268-537 mph, to name some common ones. These limits apply to both total and per-car mileage.
In version 1.3, time played was fixed by using a structure created specifically to address the issue:
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x4 | int32_t | miSeconds | Seconds | |
0x4 | 0x4 | float32_t | mfFraction | Milliseconds | |
Unfortunately, this fix was only applied to time, meaning distance remains limited even in the latest versions of the game.
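As an added illustration (not from the wiki or the game's own code) of why the float counters stall where they do and why the version 1.3 split structure avoids it: the mileage limits quoted above fall on powers of two if distance is held in metres, which this example assumes, and it also assumes mfFraction carries the sub-second remainder in seconds. The helpers f32, accumulate_f32, stall_value, distance_limit_miles and split_time_add are this example's own names.

```python
import math
import struct

FRAME_DT = 1.0 / 60.0        # the ~16.6 ms frametime the page cites
METRES_PER_MILE = 1609.344   # assumption: the game keeps distance in metres

def f32(x: float) -> float:
    """Round to the nearest IEEE-754 single, emulating a C float."""
    return struct.unpack("<f", struct.pack("<f", x))[0]

def accumulate_f32(start: float, step: float, frames: int) -> float:
    """Per-frame `value += step` in single precision, as the old counters did."""
    value, step = f32(start), f32(step)
    for _ in range(frames):
        value = f32(value + step)
    return value

def stall_value(step: float) -> float:
    """First power of two at which adding `step` leaves a float32 unchanged.
    At 2**k the spacing is 2**(k-23); an addend of at most half that rounds
    back to 2**k (a tie goes to the even significand, which is 2**k itself)."""
    return 2.0 ** math.ceil(math.log2(step) + 24)

def distance_limit_miles(speed_mph: float) -> float:
    """Mileage at which a float32 metre counter stalls at a steady speed."""
    metres_per_frame = speed_mph * METRES_PER_MILE / 3600 * FRAME_DT
    return stall_value(metres_per_frame) / METRES_PER_MILE

def split_time_add(seconds: int, fraction: float, step: float, frames: int):
    """The version 1.3 shape: whole seconds in an int32 (miSeconds), the
    remainder in a float (mfFraction). Carrying keeps the float small, so its
    spacing never grows past the frametime. Assumes the remainder is in seconds."""
    step = f32(step)
    for _ in range(frames):
        fraction = f32(fraction + step)
        while fraction >= 1.0:
            seconds += 1
            fraction = f32(fraction - 1.0)
    return seconds, fraction

if __name__ == "__main__":
    near_limit = 2**24 - 64  # 64 metres short of the 10425 mi limit
    per_frame = 100 * METRES_PER_MILE / 3600 * FRAME_DT  # 100 mph, in metres
    print(accumulate_f32(near_limit, per_frame, 1000) / METRES_PER_MILE)
    for mph in (100, 200, 300):
        print(mph, "mph ->", round(distance_limit_miles(mph)), "mi")
    print(split_time_add(262144, 0.0, FRAME_DT, 600))
```

The three speeds reproduce the 10425, 20850 and 41700 mi figures, while the split counter keeps advancing past 262144 seconds.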
Layout
Headers and protection
Each platform has its own container and/or file header. The profile itself has no header and nothing in place to prevent modification; however, per-platform protections are in place. This section will give a rough overview of these protections but is not intended to be a guide to defeating them.
PlayStation 3
The profile has no header on the PS3, making it the most straightforward to edit in its decrypted form. Saves on PS3 are encrypted, but tools such as Bruteforce Save Data render that irrelevant.
Xbox 360
Xbox 360 profiles use EA's proprietary MC02 header to protect the data. Following any edits, the profile must be rehashed using a program such as MC02 Package Tool. It is also contained in the standard format used on Xbox 360 and can be accessed with a tool such as Velocity.
PC
The PC profile uses the Rich Game Header (RGMH), which affords no protection from modding. The profile is located at %LOCALAPPDATA%/Criterion Games/Burnout Paradise/Save/Profile.BurnoutParadiseSave.
PlayStation 4
The PS4 profile is similar to the PS3 profile in that it has no header. Per-platform protection, on the other hand, is greatly improved; it is not possible to modify saves without the use of a jailbroken PS4 except through the paid software Save Wizard, which only allows all events to be found and all vehicles to be unlocked. Any PS4 running firmware 9.00 or below can be jailbroken, meaning any saves from that firmware or below can be decrypted. Jailbroken PS4s may access the profile via Apollo Save Tool. Alternatively, one could use PS4 Save Mounter and an FTP connection, assuming the account is PSN activated.
Xbox One
The Xbox One is the only console on this list to not have been exploited; thus, its saves cannot be modified and the structure of the profile is unknown.
PC (Remastered)
Like with the PC version of the original game, the Remastered profile uses the Rich Game Header and has no protection from modding. It is located at %LOCALAPPDATA%/Criterion Games/Burnout Paradise Remastered/Save/Profile.BurnoutParadiseSave.
Switch
TODO: I'm not familiar with Switch saves, someone else might have to do this section. Burninrubber0 (talk) 23:13, 18 February 2022 (UTC)
ProfileStoredData
This is the primary profile structure which holds all data.
TODO: Create structures for development builds. (Perhaps make a dedicated subpage for each profile iteration?) Burninrubber0 (talk) 00:58, 19 February 2022 (UTC)
PlayStation 3
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x1DA30 | Profile | mProgressionProfile | Profile 1.0 | |
0x1DA30 | 0x7540 | LiveRevengeProfile | mLiveRevengeProfile | Live Revenge Profile | |
0x24F70 | 0x7370 | OptionsDataProfile | mOptionsDataProfile | Options Data Profile 1.0 | |
0x2C2E0 | 0xAC0 | ? | ? | Profile 1.3 | |
0x2CDA0 | 0x18 | ? | ? | Options Data Profile 1.3 | |
0x2CDB8 | 0x19C8 | ? | ? | Profile 1.4 | |
0x2E780 | 0x1C60 | ? | ? | Profile 1.7 | |
0x303E0 | 0x268 | ? | ? | Profile 1.8 | |
0x30648 | 0x10A8 | ? | ? | Profile 1.9 | |
0x316F0 | 0xE910 | char[59664] | macPadData | Padding | |
Xbox 360
Offsets are relative to 0x1C, the end of the MC02 header (start of the Profile structure).
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x1CD30 | Profile | mProgressionProfile | Profile 1.0 | |
0x1CD30 | 0x7540 | LiveRevengeProfile | mLiveRevengeProfile | Live Revenge Profile | |
0x24270 | 0x7370 | OptionsDataProfile | mOptionsDataProfile | Options Data Profile 1.0 | |
0x2B5E0 | 0xAC0 | ? | ? | Profile 1.3 | |
0x2C0A0 | 0x18 | ? | ? | Options Data Profile 1.3 | |
0x2C0B8 | 0x17C8 | ? | ? | Profile 1.4 | |
0x2D880 | 0x1C60 | ? | ? | Profile 1.7 | |
0x2F4E0 | 0x268 | ? | ? | Profile 1.8 | |
0x2F748 | 0xFE0 | ? | ? | Profile 1.9 | |
0x30728 | 0xF8D8 | char[63704] | macPadData | Padding | |
PC
Offsets are relative to 0x1D246, the end of the RGMH header (start of the Profile structure).
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x1CC00 | Profile | mProgressionProfile | Profile 1.0 | |
0x1CC00 | 0x6D68 | LiveRevengeProfile | mLiveRevengeProfile | Live Revenge Profile | |
0x23968 | 0x7780 | OptionsDataProfile | mOptionsDataProfile | Options Data Profile 1.0 | |
0x2B0E8 | 0xAC0 | ? | ? | Profile 1.3 | |
0x2BBA8 | 0x18 | ? | ? | Options Data Profile 1.3 | |
0x2BBC0 | 0x19C8 | ? | ? | Profile 1.4 | |
0x2D588 | 0xC88 | ? | ? | Recent Players | |
0x2E210 | 0x1C68 | ? | ? | Profile 1.7 | |
0x2FE78 | 0x10188 | char[65928] | macPadData | Padding | |
PlayStation 4
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x66100 | Profile | mProgressionProfile | Profile 1.0 | |
0x66100 | 0x7D10 | LiveRevengeProfile | mLiveRevengeProfile | Live Revenge Profile | |
0x6DE10 | 0x7778 | OptionsDataProfile | mOptionsDataProfile | Options Data Profile 1.0 | |
0x75588 | 0xAC0 | ? | ? | Profile 1.3 | |
0x76048 | 0x18 | ? | ? | Options Data Profile 1.3 | |
0x76060 | 0x1C48 | ? | ? | Profile 1.4 | |
0x77CA8 | 0x1C68 | ? | ? | Profile 1.7 | |
0x79910 | 0x268 | ? | ? | Profile 1.8 | |
0x79B78 | 0x11E0 | ? | ? | Profile 1.9 | |
0x7AD58 | 0x52A9 | char[21161] | macPadData | Padding | |
PC (Remastered)
Offsets are relative to 0x1D246, the end of the RGMH header (start of the Profile structure).
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x65DA0 | Profile | mProgressionProfile | Profile 1.0 | |
0x65DA0 | 0x7538 | LiveRevengeProfile | mLiveRevengeProfile | Live Revenge Profile | |
0x6D2D8 | 0x7778 | OptionsDataProfile | mOptionsDataProfile | Options Data Profile 1.0 | |
0x74A50 | 0xAC0 | ? | ? | Profile 1.3 | |
0x75510 | 0x18 | ? | ? | Options Data Profile 1.3 | |
0x75528 | 0x1C48 | ? | ? | Profile 1.4 | |
0x77170 | 0x1C68 | ? | ? | Profile 1.7 | |
0x78DD8 | 0x268 | ? | ? | Profile 1.8 | |
0x79040 | 0x11D8 | ? | ? | Profile 1.9 | |
0x7A218 | 0x5DE8 | char[24040] | macPadData | Padding | |
Switch
Offset | Length | Type | Name | Description | Comments |
---|---|---|---|---|---|
0x0 | 0x66820 | Profile | mProgressionProfile | Profile 1.0 | |
0x66820 | 0x84E0 | LiveRevengeProfile | mLiveRevengeProfile | Live Revenge Profile | |
0x6ED00 | 0x7778 | OptionsDataProfile | mOptionsDataProfile | Options Data Profile 1.0 | |
0x76478 | 0xAC0 | ? | ? | Profile 1.3 | |
0x76F38 | 0x18 | ? | ? | Options Data Profile 1.3 | |
0x76F50 | 0x2048 | ? | ? | Profile 1.4 | |
0x78F98 | 0x1C68 | ? | ? | Profile 1.7 | |
0x7AC00 | 0x268 | ? | ? | Profile 1.8 | |
0x7AE68 | 0x1360 | ? | ? | Profile 1.9 | |
0x7C1C8 | 0x3E38 | char[15928] | macPadData | Padding | |
Profile 1.0
Progression Profile: Information on the Progression Profile and the layout of the Profile structure.
Live Revenge Profile
Live Revenge Profile: Information on the Live Revenge Profile and the layout of the LiveRevengeProfile structure.
Options Data Profile 1.0
Options Data Profile: Information on the Options Data Profile and the layout of the OptionsDataProfile structure.
Profile 1.3
Profile 1.3: Information on the layout of the Profile 1.3 structure.
Options Data Profile 1.3
Options Data Profile 1.3: Information on the layout of the Options Data Profile 1.3 structure.
Profile 1.4
Profile 1.4: Information on the layout of the Profile 1.4 structure.
Recent Players
Recent Players: Information on the layout of the Recent Players structure.
Profile 1.7
Profile 1.7: Information on the layout of the Profile 1.7 structure.
Profile 1.8
Profile 1.8: Information on the layout of the Profile 1.8 structure.
Profile 1.9
Profile 1.9: Information on the layout of the Profile 1.9 structure.