Talk:Dev Tools: Difference between revisions
Revision as of 08:24, 30 September 2011
sputnik - Cell/SPU Pipeline viewer
http://www.ps3hax.net/2011/08/sputnik-build-3-cellspu-pipeline-viewer/
- Windows (will also need the Qt runtime files)
- Mac OS X
netrpc
git://gist.github.com/1041214.git
https://gist.github.com/1041214
Objdump
If you need to disassemble non-x86 binary files, you usually look for a disassembler. If nothing free is available for your platform (e.g. ARM), one of the few options may be buying something like IDA Pro.
But if you only need to analyze a small portion (a boot sector, a single routine, ...) and someone has already ported GNU's GCC and binutils to your platform, objdump may do the trick.
If "raw.bin" is your binary file, just typing
objdump -d raw.bin
objdump: raw.bin: File format not recognized
will not work: objdump expects an object file in a format it recognizes (ELF, for example), not a flat binary.
Just do it like this:
# create an empty file
touch empty.c
# compile this empty file
gcc -c -o empty.o empty.c
# add the binary as a raw section, flagged as code so that objdump -d disassembles it
objcopy --add-section raw=raw.bin --set-section-flags raw=alloc,code empty.o
# remove the ".comment" section to join
objcopy -R .comment empty.o
# now run objdump on it
objdump -d empty.o
Source: http://askrprojects.net/software/objdump.html
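The same trick written out by hand, as an added example rather than code from the page or from askrprojects: build a minimal ELF64 object around the raw bytes, choosing e_machine and byte order explicitly instead of inheriting the host's from empty.c, so a cross objdump for that target will disassemble it (ELF32-only targets would need a 32-bit header, which this does not emit). The constructed input is three PowerPC instructions that appear in the lv2 patch lists further down (li r3,0; nop; blr); read_section is a self-check helper, not part of the technique.

```python
import struct

# ELF e_machine values (from the ELF spec); EM_PPC64 is the Cell PPU's.
EM_PPC64, EM_X86_64, EM_AARCH64 = 0x15, 0x3E, 0xB7

def wrap_raw_as_elf64(raw: bytes, e_machine: int, little_endian: bool) -> bytes:
    """Minimal ELF64 relocatable: header, `raw` in an executable .raw section, .shstrtab,
    then three section headers. objdump -d for that target disassembles the .raw section."""
    end = "<" if little_endian else ">"
    shstrtab = b"\0.raw\0.shstrtab\0"                 # ".raw" at index 1, ".shstrtab" at 6
    raw_off = 64                                       # raw bytes follow the 64-byte header
    str_off = raw_off + len(raw)
    shoff = str_off + len(shstrtab)
    shoff += (-shoff) % 8                              # 8-byte align the section header table
    ehdr = struct.pack(end + "4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1 if little_endian else 2, 1, 0, 0,  # e_ident: class64, data, version, ABI
                       1, e_machine, 1,                # ET_REL, e_machine, EV_CURRENT
                       0, 0, shoff,                    # e_entry, e_phoff, e_shoff
                       0, 64, 0, 0, 64, 3, 2)          # e_flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    def shdr(name, typ, flags, off, size, align):      # Elf64_Shdr with addr/link/info/entsize zero
        return struct.pack(end + "IIQQQQIIQQ", name, typ, flags, 0, off, size, 0, 0, align, 0)
    blob = ehdr + raw + shstrtab
    blob += b"\0" * (shoff - len(blob))
    blob += shdr(0, 0, 0, 0, 0, 0)                     # SHT_NULL
    blob += shdr(1, 1, 0x6, raw_off, len(raw), 4)      # .raw: SHT_PROGBITS, SHF_ALLOC|SHF_EXECINSTR
    blob += shdr(6, 3, 0, str_off, len(shstrtab), 1)   # .shstrtab: SHT_STRTAB
    return blob

def read_section(blob: bytes, name: bytes) -> bytes:
    """Walk the section headers back out of `blob` and return the named section (self-check)."""
    end = "<" if blob[5] == 1 else ">"                 # EI_DATA byte
    (shoff,) = struct.unpack(end + "Q", blob[40:48])
    shentsize, shnum, shstrndx = struct.unpack(end + "HHH", blob[58:64])
    hdrs = [struct.unpack(end + "IIQQQQIIQQ", blob[shoff + i * shentsize:][:shentsize]) for i in range(shnum)]
    strtab = blob[hdrs[shstrndx][4]:][:hdrs[shstrndx][5]]
    for h in hdrs:
        if strtab[h[0]:].split(b"\0", 1)[0] == name:
            return blob[h[4]:][:h[5]]
    raise KeyError(name)

if __name__ == "__main__":
    # Constructed input: li r3,0 / nop / blr, big-endian PPC64 as on the Cell PPU.
    code = bytes.fromhex("38600000" "60000000" "4E800020")
    with open("raw_ppc64.o", "wb") as f:
        f.write(wrap_raw_as_elf64(code, EM_PPC64, little_endian=False))
    # then: powerpc64-linux-gnu-objdump -d raw_ppc64.o
```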
Several handy scripts
Most of the scripts use graf's ps3dm-utils, so make sure you have them in your /bin directory. Also make sure you are running graf's kernel (graf_chokolo kernel 2.6.39).
panic1.sh
This script will panic lv1 and get you back to petitboot, without exiting to GameOS.
ps3hvc_hvcall /dev/ps3hvc panic 1
usb_dongle_auth.sh
This script will get you into Factory/Service mode without a dongle:
echo Generating a challenge
ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_challenge
echo Generating a response '(0xAAAA)'
ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xAAAA
echo Verifying response '(0xAAAA)'
ps3dm_usb_dongle_auth /dev/ps3dmproxy verify_resp 0xAAAA
echo "Checking if Product Mode is enabled (the returned value shouldn't be 0xff)"
ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07
dump_EID0.sh
This script will dump your EID0.
echo Dumping EID0
ps3dm_iim /dev/ps3dmproxy get_data 0x0 > EID0.bin
dump_EID4.sh
This script will dump your EID4.
echo Dumping EID4
ps3dm_iim /dev/ps3dmproxy get_data 0x4 > EID4.bin
get_EID0_size.sh
This script will get the size of your EID0.
echo EID0 size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x0
get_EID4_size.sh
This script will get the size of your EID4.
echo EID4 size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x4
get_metldr_size.sh
This script will get the size of metldr.
echo metldr size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x1000
nor_dump.sh
echo Dumping nor
dd if=/dev/ps3nflasha of=nor.bin
dump_ram.sh
This script will dump your ram.
echo Dumping ram
dd if=/dev/ps3ram of=ps3ram.bin
dump_vram.sh
This script will dump your vram.
echo Dumping vram
dd if=/dev/ps3vram of=ps3vram.bin
Payloader3
- http://git.dashhacks.com/payloader3/payloader3/trees/master (down)
- 2011-06-22 backup: http://gotbrew.org/payloader3.tar.gz / payloader3.tar.gz (55.55 MB)
- Up to and including the last commit before dashhacks went down: payloader3.tar.bz2 (45.49 MB) (full git backup; also includes payloader3-src-only.rar (2.08 MB))
Howto
- Set firmware version in Makefile
- Compile with "./build.sh"
- Copy pkg file to usb stick
- Install pkg on PS3
Precompiles
Notes
- Loading ps3load after the payload will execute the appropriate ps3load.self; after your self exits you will be returned to the XMB.
- Loading 'ethdebug' will load ArielX's Kammy self; after it executes you will be returned to the XMB.
- Loading 'ethdebug/ps3load' will load ethdebug, then ps3load.
Limitations
- ps3load will not work on 3.50/3.55 ("sysProcessExitSpawn2" does not work properly there); use 3.41 instead.
- Note: the latest version seems to address the issues seen on 3.50/3.55.
lv2-v9.pkg
- lv2v9.pkg (111.33 KB): http://www.multiupload.com/WEVBQ1WAA0
- lv2-v9-pkg-content.rar (105.52 KB): http://www.multiupload.com/QBRZMCJ86V
patch1
# PL3 3.55
# Patches marked with (*1) seem to be unstable. Thanks to drizztbsd and RandomUse.
# PL3:
ef48: payload.bin
# Segment 0:
### 24e44: 38600000 # patch_func6 *1
55dc4: 38600000 # lv2open: patch_func8_offset1
55f28: 60000000 # lv2open: patch_func8_offset2
### 79d80: 3880000090830000 # patch_func4 + patch_func4_offset *1
### 79d88: 4E800020 # cont'd *1
### 7af7c: 60000000 # patch_func9_offset *1
### c1dd0: 38600000 # patch_func7 *1
2b3298: 4BD5C050 # hook_open (patch_func3 + patch_func3_offset)
# Segment 1:
346688: 800000000000f2dc # syscall_map_open_desc
# Spoof
# *f3b8: version.bin
# 2e8218: 800000000000f378 # syscall_versiontest
# 2e82f0: 800000000000f3c0 # syscall_process_sdkversion
# 16ad74: 3960000a44000002 # sha1 test
# f3e4: find 3437353136000000
# *fe34: 3436313335000000
patch2
# Waninkoko V2
# 3270: e8821030e87c0020 # load unsigned ELFs
# 3278: f8640000
# e7f0: 48000c50 # Some jump
ef48: payload2.bin
19360: 7c001fac4c00012c
1936c: 7c0018ac7c0004ac
24e44: 4bfea5c5 # patch_func6
55dc4: 38600000 # patch_func8_offset1
55f28: 60000000 # patch_func8_offset2
79d80: 38800000908300004e800020 # patch_func4 + patch_func4_offset *1
7af7c: 60000000 # patch_func9_offset
c1dd0: 4bf4d639 # patch_func7
2b3298: 4bd5bf40 # hook_open
3465b0: 80000000002e81e8 # sc8
346688: 8000000000324968 # sc35
patch3
# Syscall36
# by 2 anonymous people
55f14: 60000000
55f1c: 48000098
7af68: 60000000
7af7c: 60000000
2be4a0: payload3.bin
2b3274: 4800b32c2ba30420 # add a jump to payload2_start
55EA0: 63FF003D60000000 # fix 8001003D error
55F64: 3FE080013BE00000 # fix 8001003E error
346690: 80000000002be570 # syscall_map_open_desc
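Added example, not part of the wiki page: a parser for the "offset: value # comment" lists above that honours the ###-disabled and *1-unstable markers, plus an overlap check that reports where two patch sets write the same lv2 bytes, and whether they agree. That is the first thing to look at before mixing entries from patch1 and patch2, which both touch 2b3298 and 346688 with different values. The sample lists are constructed excerpts of the page's own patch1 and patch2; the Entry field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed excerpts of the patch1 and patch2 lists above, a few entries each.
PATCH1 = """\
### 24e44: 38600000 # patch_func6 *1
55dc4: 38600000 # lv2open: patch_func8_offset1
2b3298: 4BD5C050 # hook_open (patch_func3 + patch_func3_offset)
346688: 800000000000f2dc # syscall_map_open_desc
"""
PATCH2 = """\
# Waninkoko V2
ef48: payload2.bin
24e44: 4bfea5c5 # patch_func6
55dc4: 38600000 # patch_func8_offset1
2b3298: 4bd5bf40 # hook_open
346688: 8000000000324968 # sc35
"""

@dataclass
class Entry:
    offset: int
    data: Optional[bytes]    # None when the value names a payload file rather than hex bytes
    payload: Optional[str]
    comment: str
    unstable: bool           # marked "*1" on the page
    disabled: bool           # whole line commented out with leading '#'
# <leading #s> <hex offset>: <hex bytes | file name> [# comment]
LINE = re.compile(r"^(?P<dis>#*)\s*(?P<off>[0-9A-Fa-f]+):\s*(?P<val>\S+)\s*(?:#\s*(?P<cmt>.*))?$")

def parse_patchlist(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                         # blank line or free-form comment
        val, cmt = m["val"], (m["cmt"] or "").strip()
        is_hex = re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val) is not None
        entries.append(Entry(int(m["off"], 16), bytes.fromhex(val) if is_hex else None,
                             None if is_hex else val, cmt, "*1" in cmt, m["dis"] != ""))
    return entries

def find_conflicts(named_sets: dict) -> list:
    """Enabled byte writes from different sets whose ranges overlap: (set_a, set_b, off_a, off_b, verdict)."""
    spans = [(n, e) for n, es in named_sets.items() for e in es if not e.disabled and e.data]
    hits = []
    for i, (na, a) in enumerate(spans):
        for nb, b in spans[i + 1:]:
            if na != nb and a.offset < b.offset + len(b.data) and b.offset < a.offset + len(a.data):
                verdict = "identical" if (a.offset, a.data) == (b.offset, b.data) else "differs"
                hits.append((na, nb, a.offset, b.offset, verdict))
    return hits
```

Overlap is checked byte-wise, so a 12-byte write such as the one at 79d80 in patch2 would also collide with the separate 79d88 entry in patch1.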