Editing Communication Processor

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 23: Line 23:
The update packages are just tar.gz packages encrypted using AES256CBC Here is the syntax to decrypt them :
The update packages are just tar.gz packages encrypted using AES256CBC Here is the syntax to decrypt them :


* The first 16 bytes of the package is the IV, the Second 16 bytes is the MD5 hash of the decrypted package without padding. If the padding is 1 byte after tgz the binary will be padded with a single 01 byte at the end (0x10) if the padding is 2 bytes it'll be two 02 bytes, and so on until 16 (WTF Sony!) 0x10 bytes.
* The first 16 bytes of the package is the IV, the Second 16 bytes is the MD5 hash of the decrypted package.


So use this Syntax after skipping the first 32 bytes of the file:  
So use this Syntax after skipping the first 32 bytes of the file:  


{{keyboard|content=<syntaxhighlight lang="bash">openssl aes-256-cbc -in reftool_cp_xxx.bin -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv the_first_16_bytes_of_the_file -d > dec.tgz
{{keyboard|content=openssl aes-256-cbc -in reftool_cp_xxx.bin -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv the_first_16_bytes_of_the_file -d > dec.tgz
</syntaxhighlight>}}
}}


PSP Hardware Tool Updates use the very same encryption but a different key inside the toolupdatedec binary.
PSP Hardware Tool Updates use the very same encryption but a different key inside the toolupdatedec binary.
Line 34: Line 34:
The key to these units has also been dumped, here is the syntax to decrypt psp Hardware Tool Update for DTP-T1000
The key to these units has also been dumped, here is the syntax to decrypt psp Hardware Tool Update for DTP-T1000


{{keyboard|content=<syntaxhighlight lang="bash">openssl aes-256-cbc -in psptoolupdate.bin -K A400C48628A7A5294D11AE3BB2587AEA32E501C63E49D1DCAA19B5AEB092F3DB -iv the_first_16_bytes_of_the_file -d > dec.tgz
{{keyboard|content=openssl aes-256-cbc -in psptoolupdate.bin -K A400C48628A7A5294D11AE3BB2587AEA32E501C63E49D1DCAA19B5AEB092F3DB -iv the_first_16_bytes_of_the_file -d > dec.tgz
</syntaxhighlight>}}
}}


P.S. If you have any trouble extracting the tarballs, try using Linux.
P.S. If you have any trouble extracting the tarballs, try using Linux.
Line 281: Line 281:


Add a line to start telnet in inetd.conf (on DECR-1000 the line already exists in the original file but is commented; on DTP-T1000 telnet is enabled by default so this command is not required.)
Add a line to start telnet in inetd.conf (on DECR-1000 the line already exists in the original file but is commented; on DTP-T1000 telnet is enabled by default so this command is not required.)
{{keyboard|content=<syntaxhighlight lang="bash">echo >>/etc/inetd.conf telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd</syntaxhighlight>}}  
{{keyboard|content=; echo >>/etc/inetd.conf telnet stream tcp     nowait root   /usr/sbin/tcpd in.telnetd }}  
Add a line to start ftpd in inetd.conf
Add a line to start ftpd in inetd.conf
{{keyboard|content=<syntaxhighlight lang="bash">echo >>/etc/inetd.conf ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd</syntaxhighlight>}}
{{keyboard|content=; echo >>/etc/inetd.conf ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd }}
Restart inetd to apply the above changes
Restart inetd to apply the above changes
{{keyboard|content=<syntaxhighlight lang="bash">/etc/init.d/inetd restart</syntaxhighlight>}}
{{keyboard|content=; /etc/init.d/inetd restart }}
Add an account called rt with root privileges and no password to the passwd file (alternatively on the DECR-1000 Communication Processor you may ignore this step and log in with the root account and the password cytology on the DTP-T1000 the password to the root account is tAchyOn )
Add an account called rt with root privileges and no password to the passwd file (alternatively on the DECR-1000 Communication Processor you may ignore this step and log in with the root account and the password cytology on the DTP-T1000 the password to the root account is tAchyOn )
{{keyboard|content=<syntaxhighlight lang="bash">echo >>/etc/passwd rt::0:0:root:/root:/bin/bash</syntaxhighlight>}}
{{keyboard|content=; echo >>/etc/passwd rt::0:0:root:/root:/bin/bash }}


You may also output files given the right path (if you don't want to mess with ftp) the below example creates a ls.txt file containing a listing of all files on the CP at the Development panel's root
You may also output files given the right path (if you don't want to mess with ftp) the below example creates a ls.txt file containing a listing of all files on the CP at the Development panel's root
{{keyboard|content=<syntaxhighlight lang="bash">ls -alR /* > /usr/local/sony/www/html/ls.txt</syntaxhighlight>}}
{{keyboard|content=; ls -alR /* > /usr/local/sony/www/html/ls.txt }}


While sending all these commands (by clicking on the "Setting" button), the Development Tool's panel will send you an error message, this is normal (given the nature of the exploit) and can be ignored, just follow with the next commands until you have achieved your expected goal.
While sending all these commands (by clicking on the "Setting" button), the Development Tool's panel will send you an error message, this is normal (given the nature of the exploit) and can be ignored, just follow with the next commands until you have achieved your expected goal.
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)