Editing Talk:Graf's PSGroove Payload

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
This page needs proper cleanup before merge to mainpage...
<pre>
 
<Slynk> Hmm had a thought : / You know how the token and token seed are made at the same time? That means the token seed isn't passed into the processor... what is? It can't be just your idps right? Unless sony doesn't use the HV to make their tokens. There must be other info passed in that determines whether you receive a dummy token or the full one. ... Just a thought. ^^;
 
----
 
 
Initial import from the original text file still needs LOTS of formtting to look good in wiki...
 
==INTRODUCTION==
 
The following tutorial will outline the steps necessary to build, install, and successfully exploit a PS3 "slim" or "fat" (firmware 3.15) utilizing the psgroove "service-jig" exploit (psgroove), and the payload created by grafchokolo.  This tutorial was created and tested using Fedora 9, Fedora 14, and CentOS 5.4.  If you are utilizing a different linux distribution you will probably need to make minor adjustments, keep this in mind.  Despite the amount of effort expended to try and make this tutorial "easy", utilizing the grafchokolo tools is not exactly for the "novice", but you should still try, inevitably you will learn much! ":-)"
 
Because of the size of the grafchokolo exploit payload, the exploit itself is broken down into two different stages, a stage 1 bootstrap which is responsible for initializing the network interface, and a stage 2 payload that varies depending on what is being exploited (many of the  options are outlined in step 3). This stage 1 bootstrap is compiled into the psgroove exploit (the psgroove exploit is well documented already, see the Appendix for links) and then programmed onto an AVR-based USB dongle device. Once the psgroove exploit and the stage 1 bootstrap have loaded, the stage 2 payload is then sent via ethernet from a Linux/Mac workstation utilizing the sendfile tool provided.  It is this stage 2 payload that has been making the headlines on all of the PS3 news sites recently.  There is much to be written about this exploit, as it seems grafchokolo has just begun!
 
 
==INSTALLATION==
Please verify the necessary prerequisites are installed and working properly before attempting this tutorial, it will save you a lot of pain and grief.
 
  TESTED:
    Fedora 9 ()
    Fedora 14 ()
    CentOS 5.4 ()
    PS3 Fat ()
    PS3 Slim()
 
  PREREQUISITES:
    - linux / mac workstation (IBM SDK requires linux)
    - PS3 "slim" or "fat" with firmware 3.15
    - IDA Pro (linux or mac)
    - "tar" (linux or mac)
    - "git" (linux or mac)
    - libnet-1.1.5 (linux or mac)
    - libpcap-1.1.1 (linux or mac)
    - "Native GNU toolchain" (linux or mac)
    - "AVR GNU cross-toolchain" (linux or mac)
    - dfu-programmer (linux or mac)
    - "PS3 GNU cross-toolchain"
      - IBM Cell SDK (f9 verified working, rh5 needs testing)
      - oopo ps3toolchain (not working)
      - HACKERCHANNEL ps3chain (not working)
      - YNO$ SDK (not working)
 
 
===get the grafchokolo exploit git repo===
 
  TESTED:
    - Fedora 9 (working with tar / git from yum repo)
    - Fedora 14 (working with tar / git from yum repo)
    - CentOS 5.4 (working with tar / git from yum repo)
 
  PREREQUISITES:
    - linux / mac workstation
    - "tar" installed and working
    - "git" installed and working
    - psgroove_grafchokolo.tar.bz2 (this tutorial should have come in this file)
 
  - $ tar xvf psgroove_grafchokolo.tar.bz2
  - $ cd grafchokolo_exploit
  - grafchokolo_exploit$ git clone git://github.com/grafchokolo/psgroove.git
  - grafchokolo_exploit$ cp -R psgroove/. psgroove.grafchokolo
  - grafchokolo_exploit$ rm -rf psgroove
  - grafchokolo_exploit$ cd psgroove.grafchokolo
  - psgroove.grafchokolo$
 
 
===prepare and compile psgroove with the grafchokolo exploit stage1 bootstrap and stage2 payload gelic (network) test===
 
  TESTED:
    - Fedora 9 (working with IBM Cell SDK, native GNU tools, and avr utils from yum repo)
    - Fedora 14 (native GNU tools, avr utils from yum repo)
    - CentOS 5.4
 
  PREREQUISITES:
    - linux / mac workstation
    - AVR-based USB dongle device
    - "git" installed and working
    - "Native GNU toolchain" installed and working
    - "AVR GNU cross-toolchain" installed and working
    - "PS3 GNU cross-toolchain" installed and working
      - IBM Cell SDK (f9 verified, rh5 needs testing)
      - or oopo ps3toolchain (may not work)
      - HACKERCHANNEL ps3chain (may not work)
 
  - grafchokolo_exploit$ cd psgroove.grafchokolo
  - psgroove.grafchokolo$ less README.md
  - psgroove.grafchokolo$ git clone git://github.com/psgroove/lufa-lib.git
  - psgroove.grafchokolo$ vi Makefile
      - Modify MCU / BOARD / F_CPU
        - uncomment the values to reflect the chip/board/frequency of the AVR-based USB dongle device being used
        - verify all other MCU/BOARD/F_CPU values are commented with "#"
  - psgroove.grafchokolo$ vi bootstrap/main.c
    - Uncomment the following options to perform the gelic (network) test
      - main.c
        - mm_init()
        - param_init()
        - gelic_init()
        - gelic_xmit_test()
        - gelic_recv_test()
  - psgroove.grafchokolo$ vi payload/main.c
    - Uncomment the following options to perform the gelic (network) test
      - main.c
        - mm_init()
        - param_init()
        - gelic_init()
        - gelic_xmit_test()
        - gelic_recv_test()
    - Verify that all other options are commented out with /* ... */
  - psgroove.grafchokolo$ make clean && make 1> ../make.out 2>&1
    - compiles with some warnings
    - bin2hex tool is installed in grafchokolo_exploit/bin in case you need it later (you will not with these instructions)
    - AVR-based USB dongle .hex file is located in grafchokolo_exploit/stage1/stage1_bootstrap_MCU_BOARD.hex (for flashing)
    - stage2 payload gelic (network) test is located in grafchokolo_exploit/stage2/payload-gelic_test.bin (sent to stage1 bootstrap code i
n steps 2+)
  - psgroove.grafchokolo/bootstrap$ less ../make.out
    - review output from build
 
 
===flash the .hex file onto an AVR-based USB dongle device===
 
  TESTED:
    - Fedora 9 (working with dfu-programmer from yum repo)
    - Fedora 14 (working with dfu-programmer from yum repo)
    - CentOS 5.4
 
  PREREQUISITES:
    - linux / mac workstation
    - dfu-programmer installed and working
 
  - psgroove.grafchokolo$ make dfu
    - program hex onto AVR-based USB dongle device using dfu-programmer
 
 
===compile the grafchokolo exploit stage2 payload tools===
 
  TESTED:
    - Fedora 9 (payload compiles fine with ps3toolchain / IBM Cell SDK, tools require updated libnet / libpcap)
    - Fedora 14 (payload compiles fine with ps3toolchain / IBM Cell SDK, tools working with yum repo tools / libnet / libpcap)
    - CentOS 5.4
 
  PREREQUISITES:
    - linux / mac workstation
    - "Native GNU toolchain" installed and working
    - libnet-1.1.5+
    - libpcap-1.1.1+
 
  - grafchokolo_exploit$ cd psgroove.grafchokolo/payload/tools
  - psgroove.grafchokolo/payload/tools$ make clean && make 1> ../../make.payload.tools.out 2>&1
  - psgroove.grafchokolo/payload$ less ../../make.payload.tools.out
    - review output from build
  - psgroove.grafchokolo/payload/tools$ cp dump_region_from_file.sh  dump_segs_from_pcap.sh  inflate  pcap2bin  sendfile ../../../bin
  - psgroove.grafchokolo/payload$ cd ../../..
  - grafchokolo_exploit$
 
 
 
==USAGE==
With psgroove and the grafchokolo exploit stage 1 bootstrap compiled and programmed onto an AVR-based USB dongle device, and the stage 2 payload gelic (network) test compiled, you are now ready to exploit the PS3 with the grafchokolo exploit!
 
  TESTED:
    - Fedora 9 ()
    - Fedora 14 ()
    - CentOS 5.4
    - MacOS 10.5 ()
    - MacOS 10.6 ()


  PREREQUISITES:
<rms> i can make my own tokens from a nor/nand dump. just like hypervisor
    - linux / mac workstation
    - PS3 Slim (fat not supported at this time)
      - MAC ADDRESS
    - AVR-based USB dongle device with stage 1 bootstrap programmed
    - stage 2 payload and tools compiled


===setup tcpdump on your linux / mac workstation to receive data from the PS3===
<kevin6548> so what does that mean when a sedd is created it passes something to proccessor . nit the whole seed but a by product of creating it . is that theroy
  - filter for ps3 mac address as the ps3 uses broadcast address to send packets, keep this window visible for step 2.3 below
  - LINUX: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -X -s 2048 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:13'
    - listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
  - MACOS: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -X -s 2048 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:13'
    - listening on en0, link-type EN10MB (Ethernet), capture size 2048 bytes


===boot ps3 with psgroove / stage1 bootstrap===
<rms> seed is calculated from eid which allows token to be calculated. its more of a byproduct/intermediate product. if you do the math, its simple: v+s+f+h=t
  - remove power from the ps3 completely
  - attach the AVR-based USB dongle  device programmed earlier
  - apply power to the ps3
  - power on / disc eject
  - ps3 should not boot to XMB, stays at black screen
    - if your ps3 boots to XMB review steps 1 - 1.4 above
 
 
===send stage2 payload gelic test to ps3 from linux/mac workstation, verify network communication===
<pre>- usage: bin/sendfile [-p <proto>] [-s <packet size>] [-w <pause us>] [-r <max retransmits>] <interface> <dest mac address> <filename>
    - LINUX: grafchokolo_exploit$ sudo bin/sendfile eth0 009A0A005D13 stage2/payload-gelic_test.bin
    - MACOS: grafchokolo_exploit$ sudo bin/sendfile eth0 009A0A005D13 stage2/payload-gelic_test.bin
</pre>
</pre>
----
*the seed value is made from your EID (from a NAND/NOR dump, either software with payload, or hardware)
*updater manager calls spu_token_processor
*sent out of spu_token_processor
*IBM Cell Simulator with SE Linux (not the ancient Sony SPU Simulator from old pre 0.9x SDKs)
*seed : 80 bytes, only the first 20 are populated
*combo &gt; 3 &lt; 10 buttons


- SUCCESS looks like this:
there are two algorithms used (one's an alternative of a hashing algorithm / one's a block cipher):
<pre>
* HMAC-SHA1
pcap filter: ether proto 0xcafe and ether src 00:9A:0A:00:5D:13
* AES 256 CBC - Advanced Encryption Standard Cipher-block chaining; fixed block size 128 bit, key size 256 bit - with 4x4 byte matrices
file size #7272
sending packet #1 of #5
received ack for packet #1
...
sending packet #5 of #5
received ack for packet #5
</pre>
 
- SUCCESS in tcpdump looks like this:
<pre>
13:07:34.349760 00:9A:0A:00:5D:13 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 82:
0x0000:  0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
0x0010:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
0x0020:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f  .!"#$%&'()*+,-./
0x0030:  3031 3233 3435 3637 3839 3a3b 3c3d 3e3f  0123456789:;<=>?
0x0040:  f458 1ff7                                .X..
13:07:34.357064 00:9A:0A:00:5D:13 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 80:
0x0000:  0122 ffff ffff ffff 000d 9379 4efe 0806  .".........yN...
0x0010:  0001 0800 0604 0001 000d 9379 4efe c0a8  ...........yN...
0x0020:  0115 0000 0000 0000 c0a8 011a 5555 5555  ............UUUU
0x0030:  5555 5555 5555 5555 5555 5555 5555 d93b  UUUUUUUUUUUUUU.;
0x0040:  711c                                    q.
</pre>
 
- FAILURE looks like this:
<pre>
pcap filter: ether proto 0xcafe and ether src 00:9A:0A:00:5D:13
file size #7272
sending packet #1 of #5
timeout ack for packet #1
...
no ack received for packet #1
</pre>
 
- FAILURE in tcpdump is empty
 
- grafchokolo_exploit$
- If you have received successful ACKs back from sendfile / stage1 bootstrap and proper output from tcpdump (step 2.1), you are ready to
proceed to section 3.  If however, either stage1 bootstrap or tcpdump does not look proper please review the tips below.
  - Try the test with the PS3 connected directly via ethernet to the workstation (no router or switch in-between)
  - Review sections 1 and 2 again to make sure no steps were missed
  - Look at the issues section on github for graf's code
 
==stage2 payload options==
  - The following options were utilized from the grafchokolo payload, to perform the network test
    - main.c
      - mm_init()........................:: just returns
      - param_init().....................:: initializes parameters
      - gelic_init().....................:: initializes gelic (network) device
      - gelic_xmit_test()................:: transmit test
      - gelic_recv_test()................:: receive test
 
  - The following are available after successfully verifying network communication
    - main.c
      - mm_init()........................:: this should ALWAYS be uncommented
      - param_init().....................:: this should ALWAYS be uncommented
      - gelic_init().....................:: this should ALWAYS be uncommented
      - dump_lv2().......................:: this option dumps LV2 memory back across the network
      - dump_flash().....................:: this option dumps flash back across the network
      - dump_profile()...................:: this option dumps profile back across the network
      - dump_slb().......................:: this option dumps slb back across the network
      - dump_sprg0().....................:: this option dumps sprg0 back across the network
      - dump_htab()......................:: this option dumps htab back across the network
      - dump_stor()......................:: this option dumps stor back across the network
      - dump_repo_nodes()................:: this option dumps repo nodes back across the network
      - dump_repo_nodes_spu()............:: this option dumps SPU repo nodes back across the network
      - dump_hvcall99_param()............:: this option dumps hvcall99 parametersback across the network
      - decrypt_self()...................::
      - decrypt_self_direct()............::
      - decrypt_lv2_direct().............::
      - decrypt_profile()................::
      - decrypt_pkg()....................::
      - decrypt_game()...................::
      - decrypt_usb_dongle_master_key()..::
      - decrypt_self()...................::
      - decrypt_self_direct()............::
      - self_decrypter_hook()............::
      - usb_dongle_auth()................::
      - vuart_sysmgr()...................::
      - vuart_dispmgr()..................::
      - update_mgr_inspect_pkg().........::
      - query_lpar_address().............::
      - product_mode_off()...............::
 
 
===in order to decrypt self files, the first step is to dump lv2 memory===
  - dump_lv2 system memory, so uncomment
    - mm_init() leave uncommented (this is ?? initialization)
    - param_init() leave uncommented (this is parameter initialization)
    - gelic_init() leave uncommented (this is network initialization)
    - dump_lv2() leave uncommented (this is lv2 memory dump)
  - Make sure tcpdump is capturing the network traffic from the PS3, filter for ps3 mac address as the ps3 uses broadcast address to send
packets
    - LINUX: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_lv2.pcap 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:
13'
      - listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
    - MACOS: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_lv2.pcap 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:
13'
      - listening on en0, link-type EN10MB (Ethernet), capture size 2048 bytes
  - process the network traffic
    - pcap2bin dump_lv2.pcap
 
 
 
 
===setup tcpdump to receive decrypted .self===
  - Make sure tcpdump is capturing the network traffic from the PS3, filter for ps3 mac address as the ps3 uses broadcast address to send
packets
    - LINUX: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_self-<filename>.self.pcap 'vlan and ether proto 0xcafe and ether sr
c 00:9A:0A:00:5D:13'
      - listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
    - MACOS: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_self-<filename>.self.pcap 'vlan and ether proto 0xcafe and ether sr
c 00:9A:0A:00:5D:13'
      - listening on en0, link-type EN10MB (Ethernet), capture size 2048 bytes
 
 
===send .self file===
  - using the same sendfile tool used to send the stage2 payload, send an encrypted .self file to the PS3
    - sendfile <filename>.self
    - when the PS3 is done decrypting and sending the .self, you will hear 2 beeps
 
 
===process decrypted .self===
  - Each segment of the decrypted .self file just receive back from the PS3 was sent with a different ethernet protocol value, the first i
s 0xBEEF, the second is 0xBEEF+1 (0xBEF0), the third is 0xBEEF+2 (0xBEF1) and so on
  - Use the following to extract the segments from the dump_self-<filename>.self.pcap file manually
    - segment 0
      - grafchokolo_exploit$ pcap2bin -p 0xBEEF pcap/dump_self-<filename>.self.pcap <filename>-segment0.bin
    - segment 1
      - grafchokolo_exploit$ pcap2bin -p 0xBEF0 pcap/dump_self-<filename>.self.pcap <filename>-segment1.bin
    - segment 2
      - grafchokolo_exploit$ pcap2bin -p 0xBEF1 pcap/dump_self-<filename>.self.pcap <filename>-segment2.bin
  - Use the following to extract the segments from the dump_self-<filename>.self.pcap file automatically with the handy dump_segs_from_pca
p.sh script
    - dump_segs_from_pcap.sh dump_self-<filename>.self.pcap
  - The segment load addresses are extracted with the following:
    - investigate decrypt_self.c for this information
 
 
 
==ANALYSIS==
 
===Almost at the finish line!  You are now ready to load the decrypted .self segments into IDA Pro===
  - Load each segment into IDA Pro using the proper load address for each segment
    -
  -
 
 
==PROFIT!==
  Now that you have successfully exploited the PS3 "slim" utilizing the grafchokolo expoit, only your imagination limits the potential discoveries that await!  The inner-workings of the PS3 system console have always been shrouded in mystery, but that is no more. ":-)"
 
 
==APPENDIX==
  - IRC session transcript with grafchokolo outlining some of the steps necessary, http://pastebin.com/iEFeVwHX
  - IRC class transcript with grafchokolo outlining the steps necessary,
  - http://pastie.org/1389868
  - Linux
    -
 
  - MacOS
    - CrossPack for AVR Development (http://www.obdev.at/products/crosspack/download.html)
    - dfu-programmer ()
 
  -  File Tree
    - grafchokolo_exploit
      +-- INSTALL
      +-- docs
      |  +-- README_FIRST
      |  +-- fedora9_cell3.1_install.txt
      |  +-- irc_log1.txt
      |  `-- irc_log2.txt
      +-- psgroove.grafchokolo
      │  +-- README.md
      │  +-- COPYING
      │  +-- Makefile
      │  +-- psgroove.c
      │  +-- descriptor.h
      │  +-- lufa-lib
      │  +-- bootstrap
      │  |  `-- tools
      │  +-- payload
      │  |  `-- tools
      │  `-- originals
      +-- bin
      +-- hex
      +-- stage1
      +-- stage2
      `-- wishlist.txt
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)