Editing Talk:Graf's PSGroove Payload

This page needs proper cleanup before merge to mainpage...


----


Initial import from the original text file still needs LOTS of formtting to look good in wiki...

==INTRODUCTION==

The following tutorial will outline the steps necessary to build, install, and successfully exploit a PS3 "slim" or "fat" (firmware 3.15) utilizing the psgroove "service-jig" exploit (psgroove), and the payload created by grafchokolo.  This tutorial was created and tested using Fedora 9, Fedora 14, and CentOS 5.4.  If you are utilizing a different linux distribution you will probably need to make minor adjustments, keep this in mind.  Despite the amount of effort expended to try and make this tutorial "easy", utilizing the grafchokolo tools is not exactly for the "novice", but you should still try, inevitably you will learn much! ":-)"

Because of the size of the grafchokolo exploit payload, the exploit itself is broken down into two different stages, a stage 1 bootstrap which is responsible for initializing the network interface, and a stage 2 payload that varies depending on what is being exploited (many of the  options are outlined in step 3).  This stage 1 bootstrap is compiled into the psgroove exploit (the psgroove exploit is well documented already, see the Appendix for links) and then programmed onto an AVR-based USB dongle device.  Once the psgroove exploit and the stage 1 bootstrap have loaded, the stage 2 payload is then sent via ethernet from a Linux/Mac workstation utilizing the sendfile tool provided.  It is this stage 2 payload that has been making the headlines on all of the PS3 news sites recently.  There is much to be written about this exploit, as it seems grafchokolo has just begun!


==INSTALLATION==
Please verify the necessary prerequisites are installed and working properly before attempting this tutorial, it will save you a lot of pain and grief.

  TESTED:
    Fedora 9 ()
    Fedora 14 ()
    CentOS 5.4 ()
    PS3 Fat ()
    PS3 Slim()

  PREREQUISITES:
    - linux / mac workstation (IBM SDK requires linux)
    - PS3 "slim" or "fat" with firmware 3.15
    - IDA Pro (linux or mac)
    - "tar" (linux or mac)
    - "git" (linux or mac)
    - libnet-1.1.5 (linux or mac)
    - libpcap-1.1.1 (linux or mac)
    - "Native GNU toolchain" (linux or mac)
    - "AVR GNU cross-toolchain" (linux or mac)
    - dfu-programmer (linux or mac)
    - "PS3 GNU cross-toolchain"
      - IBM Cell SDK (f9 verified working, rh5 needs testing)
      - oopo ps3toolchain (not working)
      - HACKERCHANNEL ps3chain (not working)
      - YNO$ SDK (not working)


===get the grafchokolo exploit git repo===

  TESTED:
    - Fedora 9 (working with tar / git from yum repo)
    - Fedora 14 (working with tar / git from yum repo)
    - CentOS 5.4 (working with tar / git from yum repo)

  PREREQUISITES:
    - linux / mac workstation
    - "tar" installed and working
    - "git" installed and working
    - psgroove_grafchokolo.tar.bz2 (this tutorial should have come in this file)

  - $ tar xvf psgroove_grafchokolo.tar.bz2
  - $ cd grafchokolo_exploit
  - grafchokolo_exploit$ git clone git://github.com/grafchokolo/psgroove.git
  - grafchokolo_exploit$ cp -R psgroove/. psgroove.grafchokolo
  - grafchokolo_exploit$ rm -rf psgroove
  - grafchokolo_exploit$ cd psgroove.grafchokolo
  - psgroove.grafchokolo$


===prepare and compile psgroove with the grafchokolo exploit stage1 bootstrap and stage2 payload gelic (network) test===

  TESTED:
    - Fedora 9 (working with IBM Cell SDK, native GNU tools, and avr utils from yum repo)
    - Fedora 14 (native GNU tools, avr utils from yum repo)
    - CentOS 5.4

  PREREQUISITES:
    - linux / mac workstation
    - AVR-based USB dongle device
    - "git" installed and working
    - "Native GNU toolchain" installed and working
    - "AVR GNU cross-toolchain" installed and working
    - "PS3 GNU cross-toolchain" installed and working
      - IBM Cell SDK (f9 verified, rh5 needs testing)
      - or oopo ps3toolchain (may not work)
      - HACKERCHANNEL ps3chain (may not work)

  - grafchokolo_exploit$ cd psgroove.grafchokolo
  - psgroove.grafchokolo$ less README.md
  - psgroove.grafchokolo$ git clone git://github.com/psgroove/lufa-lib.git
  - psgroove.grafchokolo$ vi Makefile
      - Modify MCU / BOARD / F_CPU
        - uncomment the values to reflect the chip/board/frequency of the AVR-based USB dongle device being used
        - verify all other MCU/BOARD/F_CPU values are commented with "#"
  - psgroove.grafchokolo$ vi bootstrap/main.c
    - Uncomment the following options to perform the gelic (network) test
      - main.c
        - mm_init()
        - param_init()
        - gelic_init()
        - gelic_xmit_test()
        - gelic_recv_test()
  - psgroove.grafchokolo$ vi payload/main.c
    - Uncomment the following options to perform the gelic (network) test
      - main.c
        - mm_init()
        - param_init()
        - gelic_init()
        - gelic_xmit_test()
        - gelic_recv_test()
    - Verify that all other options are commented out with /* ... */
  - psgroove.grafchokolo$ make clean && make 1> ../make.out 2>&1
    - compiles with some warnings
    - bin2hex tool is installed in grafchokolo_exploit/bin in case you need it later (you will not with these instructions)
    - AVR-based USB dongle .hex file is located in grafchokolo_exploit/stage1/stage1_bootstrap_MCU_BOARD.hex (for flashing)
    - stage2 payload gelic (network) test is located in grafchokolo_exploit/stage2/payload-gelic_test.bin (sent to stage1 bootstrap code i
n steps 2+)
  - psgroove.grafchokolo/bootstrap$ less ../make.out
    - review output from build


===flash the .hex file onto an AVR-based USB dongle device===

  TESTED:
    - Fedora 9 (working with dfu-programmer from yum repo)
    - Fedora 14 (working with dfu-programmer from yum repo)
    - CentOS 5.4

  PREREQUISITES:
    - linux / mac workstation
    - dfu-programmer installed and working

  - psgroove.grafchokolo$ make dfu
     - program hex onto AVR-based USB dongle device using dfu-programmer


===compile the grafchokolo exploit stage2 payload tools===

  TESTED:
    - Fedora 9 (payload compiles fine with ps3toolchain / IBM Cell SDK, tools require updated libnet / libpcap)
    - Fedora 14 (payload compiles fine with ps3toolchain / IBM Cell SDK, tools working with yum repo tools / libnet / libpcap)
    - CentOS 5.4

  PREREQUISITES:
    - linux / mac workstation
    - "Native GNU toolchain" installed and working
    - libnet-1.1.5+
    - libpcap-1.1.1+

  - grafchokolo_exploit$ cd psgroove.grafchokolo/payload/tools
  - psgroove.grafchokolo/payload/tools$ make clean && make 1> ../../make.payload.tools.out 2>&1
  - psgroove.grafchokolo/payload$ less ../../make.payload.tools.out
    - review output from build
  - psgroove.grafchokolo/payload/tools$ cp dump_region_from_file.sh  dump_segs_from_pcap.sh  inflate  pcap2bin  sendfile ../../../bin
  - psgroove.grafchokolo/payload$ cd ../../..
  - grafchokolo_exploit$



==USAGE==
With psgroove and the grafchokolo exploit stage 1 bootstrap compiled and programmed onto an AVR-based USB dongle device, and the stage 2 payload gelic (network) test compiled, you are now ready to exploit the PS3 with the grafchokolo exploit!

  TESTED:
    - Fedora 9 ()
    - Fedora 14 ()
    - CentOS 5.4
    - MacOS 10.5 ()
    - MacOS 10.6 ()

  PREREQUISITES:
    - linux / mac workstation
    - PS3 Slim (fat not supported at this time)
      - MAC ADDRESS
    - AVR-based USB dongle device with stage 1 bootstrap programmed
    - stage 2 payload and tools compiled

===setup tcpdump on your linux / mac workstation to receive data from the PS3===
  - filter for ps3 mac address as the ps3 uses broadcast address to send packets, keep this window visible for step 2.3 below
  - LINUX: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -X -s 2048 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:13'
    - listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
  - MACOS: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -X -s 2048 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:13'
    - listening on en0, link-type EN10MB (Ethernet), capture size 2048 bytes

===boot ps3 with psgroove / stage1 bootstrap===
  - remove power from the ps3 completely
  - attach the AVR-based USB dongle  device programmed earlier
  - apply power to the ps3
  - power on / disc eject
  - ps3 should not boot to XMB, stays at black screen
    - if your ps3 boots to XMB review steps 1 - 1.4 above


===send stage2 payload gelic test to ps3 from linux/mac workstation, verify network communication===
  - usage: bin/sendfile [-p <proto>] [-s <packet size>] [-w <pause us>] [-r <max retransmits>] <interface> <dest mac address> <filename>
    - LINUX: grafchokolo_exploit$ sudo bin/sendfile eth0 009A0A005D13 stage2/payload-gelic_test.bin
    - MACOS: grafchokolo_exploit$ sudo bin/sendfile eth0 009A0A005D13 stage2/payload-gelic_test.bin

 - SUCCESS looks like this:
pcap filter: ether proto 0xcafe and ether src 00:9A:0A:00:5D:13
file size #7272
sending packet #1 of #5
received ack for packet #1
...
sending packet #5 of #5
received ack for packet #5

 - SUCCESS in tcpdump looks like this:
13:07:34.349760 00:9A:0A:00:5D:13 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 82: 
	0x0000:  0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
	0x0010:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
	0x0020:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f  .!"#$%&'()*+,-./
	0x0030:  3031 3233 3435 3637 3839 3a3b 3c3d 3e3f  0123456789:;<=>?
	0x0040:  f458 1ff7                                .X..
13:07:34.357064 00:9A:0A:00:5D:13 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 80: 
	0x0000:  0122 ffff ffff ffff 000d 9379 4efe 0806  .".........yN...
	0x0010:  0001 0800 0604 0001 000d 9379 4efe c0a8  ...........yN...
	0x0020:  0115 0000 0000 0000 c0a8 011a 5555 5555  ............UUUU
	0x0030:  5555 5555 5555 5555 5555 5555 5555 d93b  UUUUUUUUUUUUUU.;
	0x0040:  711c                                     q.

 - FAILURE looks like this:
pcap filter: ether proto 0xcafe and ether src 00:9A:0A:00:5D:13
file size #7272
sending packet #1 of #5
timeout ack for packet #1
...
no ack received for packet #1

  - FAILURE in tcpdump is empty

 - grafchokolo_exploit$
 - If you have received successful ACKs back from sendfile / stage1 bootstrap and proper output from tcpdump (step 2.1), you are ready to 
proceed to section 3.  If however, either stage1 bootstrap or tcpdump does not look proper please review the tips below.
   - Try the test with the PS3 connected directly via ethernet to the workstation (no router or switch in-between)
   - Review sections 1 and 2 again to make sure no steps were missed
   - Look at the issues section on github for graf's code



==stage2 payload options==
  - The following options were utilized from the grafchokolo payload, to perform the network test
    - main.c
      - mm_init()........................:: just returns
      - param_init().....................:: initializes parameters
      - gelic_init().....................:: initializes gelic (network) device
      - gelic_xmit_test()................:: transmit test
      - gelic_recv_test()................:: receive test

  - The following are available after successfully verifying network communication
    - main.c
      - mm_init()........................:: this should ALWAYS be uncommented
      - param_init().....................:: this should ALWAYS be uncommented
      - gelic_init().....................:: this should ALWAYS be uncommented
      - dump_lv2().......................:: this option dumps LV2 memory back across the network
      - dump_flash().....................:: this option dumps flash back across the network
      - dump_profile()...................:: this option dumps profile back across the network
      - dump_slb().......................:: this option dumps slb back across the network
      - dump_sprg0().....................:: this option dumps sprg0 back across the network
      - dump_htab()......................:: this option dumps htab back across the network
      - dump_stor()......................:: this option dumps stor back across the network
      - dump_repo_nodes()................:: this option dumps repo nodes back across the network
      - dump_repo_nodes_spu()............:: this option dumps SPU repo nodes back across the network
      - dump_hvcall99_param()............:: this option dumps hvcall99 parametersback across the network
      - decrypt_self()...................::
      - decrypt_self_direct()............::
      - decrypt_lv2_direct().............::
      - decrypt_profile()................::
      - decrypt_pkg()....................::
      - decrypt_game()...................::
      - decrypt_usb_dongle_master_key()..::
      - decrypt_self()...................::
      - decrypt_self_direct()............::
      - self_decrypter_hook()............::
      - usb_dongle_auth()................::
      - vuart_sysmgr()...................::
      - vuart_dispmgr()..................::
      - update_mgr_inspect_pkg().........::
      - query_lpar_address().............::
      - product_mode_off()...............::


===in order to decrypt self files, the first step is to dump lv2 memory===
  - dump_lv2 system memory, so uncomment
    - mm_init() leave uncommented (this is ?? initialization)
    - param_init() leave uncommented (this is parameter initialization)
    - gelic_init() leave uncommented (this is network initialization)
    - dump_lv2() leave uncommented (this is lv2 memory dump)
  - Make sure tcpdump is capturing the network traffic from the PS3, filter for ps3 mac address as the ps3 uses broadcast address to send 
packets
    - LINUX: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_lv2.pcap 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:
13'
      - listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
    - MACOS: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_lv2.pcap 'vlan and ether proto 0xcafe and ether src 00:9A:0A:00:5D:
13'
      - listening on en0, link-type EN10MB (Ethernet), capture size 2048 bytes
  - process the network traffic
    - pcap2bin dump_lv2.pcap




===setup tcpdump to receive decrypted .self===
  - Make sure tcpdump is capturing the network traffic from the PS3, filter for ps3 mac address as the ps3 uses broadcast address to send 
packets
    - LINUX: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_self-<filename>.self.pcap 'vlan and ether proto 0xcafe and ether sr
c 00:9A:0A:00:5D:13'
      - listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
    - MACOS: grafchokolo_exploit$ sudo tcpdump -vv -i en0 -w pcap/dump_self-<filename>.self.pcap 'vlan and ether proto 0xcafe and ether sr
c 00:9A:0A:00:5D:13'
      - listening on en0, link-type EN10MB (Ethernet), capture size 2048 bytes


===send .self file===
  - using the same sendfile tool used to send the stage2 payload, send an encrypted .self file to the PS3
    - sendfile <filename>.self
    - when the PS3 is done decrypting and sending the .self, you will hear 2 beeps


===process decrypted .self===
  - Each segment of the decrypted .self file just receive back from the PS3 was sent with a different ethernet protocol value, the first i
s 0xBEEF, the second is 0xBEEF+1 (0xBEF0), the third is 0xBEEF+2 (0xBEF1) and so on
  - Use the following to extract the segments from the dump_self-<filename>.self.pcap file manually
    - segment 0
      - grafchokolo_exploit$ pcap2bin -p 0xBEEF pcap/dump_self-<filename>.self.pcap <filename>-segment0.bin
    - segment 1
      - grafchokolo_exploit$ pcap2bin -p 0xBEF0 pcap/dump_self-<filename>.self.pcap <filename>-segment1.bin
    - segment 2
      - grafchokolo_exploit$ pcap2bin -p 0xBEF1 pcap/dump_self-<filename>.self.pcap <filename>-segment2.bin
  - Use the following to extract the segments from the dump_self-<filename>.self.pcap file automatically with the handy dump_segs_from_pca
p.sh script
    - dump_segs_from_pcap.sh dump_self-<filename>.self.pcap
  - The segment load addresses are extracted with the following:
    - investigate decrypt_self.c for this information



==ANALYSIS==

===Almost at the finish line!  You are now ready to load the decrypted .self segments into IDA Pro===
  - Load each segment into IDA Pro using the proper load address for each segment
    -
  - 


==PROFIT!==
  Now that you have successfully exploited the PS3 "slim" utilizing the grafchokolo expoit, only your imagination limits the potential discoveries that await!  The inner-workings of the PS3 system console have always been shrouded in mystery, but that is no more. ":-)"


==APPENDIX==
  - IRC session transcript with grafchokolo outlining some of the steps necessary, http://pastebin.com/iEFeVwHX
  - IRC class transcript with grafchokolo outlining the steps necessary, 
  - http://pastie.org/1389868
  - Linux
    - 

  - MacOS
    - CrossPack for AVR Development (http://www.obdev.at/products/crosspack/download.html)
    - dfu-programmer ()

  -  File Tree
    - grafchokolo_exploit
      +-- INSTALL
      +-- docs
      |   +-- README_FIRST
      |   +-- fedora9_cell3.1_install.txt
      |   +-- irc_log1.txt
      |   `-- irc_log2.txt
      +-- psgroove.grafchokolo
      │   +-- README.md
      │   +-- COPYING
      │   +-- Makefile
      │   +-- psgroove.c
      │   +-- descriptor.h
      │   +-- lufa-lib
      │   +-- bootstrap
      │   |   `-- tools
      │   +-- payload
      │   |   `-- tools
      │   `-- originals
      +-- bin
      +-- hex
      +-- stage1
      +-- stage2
      `-- wishlist.txt