Graf's PSGroove Payload: Difference between revisions

From PS3 Developer wiki
(cleanup)
 
(13 intermediate revisions by 5 users not shown)
Line 1: Line 1:
=graf_chokolo's Payload=
=graf_chokolo's Payload=


This payloads have been around for months, and not many people have played with them.. they do amazing stuff
This payloads have been around for months, and not many people have played with them.. they do amazing stuff <br />


==Source Code for a git bootstrap and the payload from coolstuff.rar:<br>==
==Source Code for a git bootstrap and the payload from coolstuff.rar:<br>==
Line 8: Line 8:
http://git-hacks.com/graf_payloads/graf_payloads/
http://git-hacks.com/graf_payloads/graf_payloads/


drar
zip
http://www.megaupload.com/?d=9BGFIXJD
http://www.mirrorcreator.com/files/N0XNBWWI/grafchokolo-psgroove-8a5898f.zip_links (grafchokolo-psgroove-8a5898f.zip)
other variant: http://dl.dropbox.com/u/9694818/grafchokolo.zip  17-1-2011 9:44


==Requirements:==
==Requirements:==
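Review bot: the download lines in this hunk swap the megaupload rar for zips on third-party file hosts (mirrorcreator, dropbox) with no checksum next to them. The zip name carries what looks like a short revision id (grafchokolo-psgroove-8a5898f.zip), so state which revision of the git link above it corresponds to and publish a hash, so readers can verify the archive before building it. The "other variant" entry should also say how it differs.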
Line 474: Line 476:
**product_mode_off
**product_mode_off


===Expoits===
===Exploits===
**hv_mmap_exploit
**hv_mmap_exploit
**exploit_isoldr_mbox
**exploit_isoldr_mbox
Line 507: Line 509:
**store_file_on_flash
**store_file_on_flash
**replace_lv2
**replace_lv2


===vflash/flash/hdd===
===vflash/flash/hdd===
Line 526: Line 527:
**encdec_cmd_0x85
**encdec_cmd_0x85
**edec_kgen1
**edec_kgen1
==Dumping Flash==
Uncomment '''dump_dev_flash()''' compile and run the payload


==Setting QA Mode==
==Setting QA Mode==
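Review bot: the added "Dumping Flash" section is a single line ("Uncomment '''dump_dev_flash()''' compile and run the payload") and does not say where the dump ends up or how to retrieve it. Add the missing comma before "compile" and point to the capture step the page already gives at the end of "Setting QA Mode" (wireshark or tcpdump), since a reader following only this section has no way to collect the output.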
Line 532: Line 536:
</pre>
</pre>


First you have tu dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c
First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c


*To do this you can use [[Hardware_flashing]] or Linux with graf_chokolo kernel with acces to '''/dev/ps3nflasha''' [[Links_to_precompiled_stuff]]
*To do this you can use [[Hardware_flashing]], Linux with graf_chokolo kernel with acces to '''/dev/ps3nflasha''' [[Links_to_precompiled_stuff]] or using this payload uncommenting '''dump_dev_flash()'''


*More info in [[Flash]]
*More info in [[Flash]]


Once you are set
Once you are set


----
----


Use the payloads in the following order uncommenting the required function
Use the payloads in the following order uncommenting the required function
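Review bot: in the rewritten "To do this you can use" bullet, "acces" is still misspelled and the new third option ("or using this payload uncommenting '''dump_dev_flash()'''") is not parallel with the first two. Suggest "or this payload with '''dump_dev_flash()''' uncommented", with a link to the new "Dumping Flash" section instead of repeating the instruction.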
Line 554: Line 556:
*Set the calculated and verified token in '''update_mgr_set_token.c'''
*Set the calculated and verified token in '''update_mgr_set_token.c'''
**update_mgr_set_token()
**update_mgr_set_token()
'''You should use wireshark to capture the responses'''
'''You should use wireshark or tcpdump to capture the responses'''
 
 
{{Custom Firmware}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 14:14, 2 January 2021

graf_chokolo's Payload

These payloads have been around for months, and not many people have played with them. They do amazing stuff.

Source Code for a git bootstrap and the payload from coolstuff.rar:

git http://git-hacks.com/graf_payloads/graf_payloads/

zip http://www.mirrorcreator.com/files/N0XNBWWI/grafchokolo-psgroove-8a5898f.zip_links (grafchokolo-psgroove-8a5898f.zip)

other variant: http://dl.dropbox.com/u/9694818/grafchokolo.zip 17-1-2011 9:44

Requirements:

- Working ppc64 toolchain
- libpcap (sudo apt-get install libpcap-dev)
- libnet (sudo apt-get install libnet1-dev)

Instructions:

- cd bootstrap-8a5898f
- make
- cd ../payload-coolstuff/tools
- make
- Set the options you want in the payload's main.c
- cd ..
- make

Graf's Tutorial (Cut IRC Log):

On decrypter payload https://github.com/grafchokolo/psgroove

<iLLNESS> graf, is your payload to be used with psgroove?

<graf_chokolo> yeah, psgroove, it uses 2 stages

<graf_chokolo> bootstrap is programmed into psgroove
<graf_chokolo> payload is sent to ps3 via ethernet
<graf_chokolo> payload is what does the real job :-)

<graf_chokolo> i did it that way because you cannot program psgroove with large piece of code
<graf_chokolo> bootstrap.bin have to be converted to C hex and inserted into psgroove descriptor

<graf_chokolo> i can upload my psgroove descriptor, it's no problem
<graf_chokolo> ok, here is my psgroove desc
<graf_chokolo> http://pastie.org/1368027
<graf_chokolo> just convert bootstrap.bin to payload.h with bin2hex tool i provided
<graf_chokolo> the bytes after payload.h doesn't matter, they are just dummies

<graf_chokolo> program your psgroove with this bootstrap
<graf_chokolo> bootstrap has one purpose, it received payload.bin from me via ethernet and runs it :-)

<graf_chokolo> this way i can run huge piece of code :-)
<graf_chokolo> and do not need to reprogram my psgroove everytime, have just to change payload and it does something different

<graf_chokolo> i'm using tcpdump to capture everything that comes back from ps3 and extract it then with pcap2bin

<graf_chokolo> you can also use wireshark if you want to
<graf_chokolo> payload.bin is sent to ps3 with sendfile tool i provided
<graf_chokolo> and a self to decrypt e.g. is also sent with sendfile via ethernet
<graf_chokolo> all data sent to ps3 is acked by ps3, to make sure that file transferred to ps3 is ok

<graf_chokolo> because sometimes a ethernet frame can get lost

<graf_chokolo> to be able to decrypt selfs you have first to edit main.c file and uncomment it, make sure only self decrypter will be called in main except mm and gelic

<graf_chokolo> to decrypt selfs, first run psgroove with programmed bootstrap
<graf_chokolo> wait some time till it runs
<graf_chokolo> then send payload.bin

<graf_chokolo> data sent to ps3 should be acked, sendfile will give you feedback
<graf_chokolo> if it doesn't see any acks then there is a problem
<graf_chokolo> i think here it would be best to test it with your ps3
<graf_chokolo> when payload.bin is uploaded to ps3 it will be executed immediately
<graf_chokolo> if the payload.bin does self decryption then it waits now for you to send it some SELF file to decrypt :-)

<graf_chokolo> so send  a SELF to ps3 with sendfile
<graf_chokolo> but before that make sure you start tcpdump to capture the data coming back from ps3 :-)

<graf_chokolo> because the data will contain the decrypted SELF segments :-)
<graf_chokolo> every decrypted self segment is sent using different Ethernet protocol field values

<graf_chokolo> i do it for one purpose, to make extracting decrypted segments easier
<graf_chokolo> here an example
<graf_chokolo> if a SELF has 2 encrypted segments, i send 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send with protocol (0xBEEF+1)

<graf_chokolo> so to extract the 1st segment from tcpdump pcap file i just use "pcap2bin -p 0xBEEF  <pcap filename>  <segment filename>"

<graf_chokolo> so to extract the 2nd segment from tcpdump pcap file i just use "pcap2bin -p 0xBEF0  <pcap filename>  <segment filename>"

<graf_chokolo> and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
<graf_chokolo> forgot to say. when self decrypter is done, ps3 should make 2 beeps :-)
<graf_chokolo> you need also the right load addresses for those segments in order to be able to reverse it
<graf_chokolo> self decrypter sends not only decrypted segments to you, it sends more data :-)
<graf_chokolo> one of the packets sent to PC by self decrypter contains load address of segment, take a look at decrypt_self.c and you will understand what i mean

<graf_chokolo> this packet is sent just before the decrypted data is sent
<graf_chokolo> so now you have everything to do reversing with IDA
<graf_chokolo> just load these segments into IDA at right addresses
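
The one-EtherType-per-segment scheme described in the log above can be checked against a capture without the original tools. The following is an added example, not graf_chokolo's pcap2bin and not part of the original page: it splits a classic pcap by EtherType starting at 0xBEEF and can keep only frames from one source MAC, as graf suggests for tcpdump. It assumes the whole frame payload is segment data (the real payload layout is defined in the payload source, not on this page); the MAC addresses and frame contents are constructed.

```python
import struct

ETH_HDR_LEN = 14
LINKTYPE_ETHERNET = 1
# Classic pcap magic numbers (microsecond and nanosecond timestamps).
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def split_segments(pcap, base=0xBEEF, max_segments=16, src_mac=None):
    """Return {segment_index: bytes} for frames with EtherType base+index.

    pcap is the raw content of a classic (not pcapng) capture file.
    src_mac, 6 raw bytes, optionally keeps only frames from that sender.
    Assumption: the whole frame payload is segment data.
    """
    if len(pcap) < 24:
        raise ValueError("global header too short, not a pcap file")
    # The magic number tells us which byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", pcap, 0)[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("unknown magic (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("linktype %d is not Ethernet" % linktype)

    segments = {}
    off = 24
    while off + 16 <= len(pcap):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            raise ValueError("file ends in the middle of a frame")
        if len(frame) < ETH_HDR_LEN:
            continue
        # EtherType is always big-endian on the wire.
        index = struct.unpack_from(">H", frame, 12)[0] - base
        if not 0 <= index < max_segments:
            continue  # ARP, IP and anything else on the LAN
        if src_mac is not None and frame[6:12] != src_mac:
            continue
        if incl_len < orig_len:
            # The capture ran with a small snaplen: bytes are missing and
            # the rebuilt segment would silently be wrong.
            raise ValueError("frame truncated by snaplen; recapture with -s 0")
        segments.setdefault(index, bytearray()).extend(frame[ETH_HDR_LEN:])
    return {i: bytes(data) for i, data in segments.items()}


# Constructed sample data: locally administered MACs, filler payloads.
PS3_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6


def build_sample_pcap(snaplen=65535):
    """Build a small little-endian pcap in memory (constructed, not real data)."""
    frames = [
        (PS3_MAC, 0xBEEF, b"A" * 64),    # segment 0, first frame
        (PC_MAC, 0x0806, b"\x00" * 46),  # unrelated ARP-sized frame
        (PS3_MAC, 0xBEF0, b"B" * 64),    # segment 1
        (PC_MAC, 0xBEEF, b"X" * 64),     # same EtherType, different sender
        (PS3_MAC, 0xBEEF, b"C" * 48),    # segment 0, second frame
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen,
                      LINKTYPE_ETHERNET)
    for src, ethertype, payload in frames:
        frame = BROADCAST + src + struct.pack(">H", ethertype) + payload
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(kept), len(frame)) + kept
    return out


if __name__ == "__main__":
    result = split_segments(build_sample_pcap(), src_mac=PS3_MAC)
    for index, data in sorted(result.items()):
        print("segment %d: EtherType 0x%04X, %d bytes"
              % (index, 0xBEEF + index, len(data)))
```

Frames shorter than the Ethernet minimum are padded on the wire, so the last frame of a segment can carry trailing padding bytes unless the sender's payload format records a length.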

Graf's Tutorial (Full IRC Log):

[23:06] <@graf_chokolo> so guys should i start ?
[23:06] <Heden_DLT> Hi all
[23:06] <thomas> ok what is my first step here?
[23:06] <thomas> psgroove modification?
[23:06] <@arunningp> graf_chokolo everyone is here now...please start
[23:06] <@theruler_> ^ this.
[23:06] <@graf_chokolo> ok
[23:07] <@arunningp> everyone else...let him talk
[23:07] <@graf_chokolo> i use 2 stages to run my code
[23:07] <@graf_chokolo> 1st stage is kinda bootloader for 2nd stage because psgroove allows only small piece of code
[23:08] <@graf_chokolo> so first i program psgroove with my 1st stage 
[23:08] <@graf_chokolo> it's always the same
[23:08] <@iLLNESS> yo
[23:09] <@graf_chokolo> it creates a memory region of 64kb for 2nd stage and receives 2nd stage binary from PC via Ethernet, stores received binary in this memory and executes it
[23:09] <@graf_chokolo> so far clear ?
[23:09] <Heden_DLT> yep
[23:09] <@iLLNESS> yes..
[23:09] <@frank> prove it ^
[23:09] <@iLLNESS> i got a quick question
[23:09] <Heden_DLT> lol
[23:09] <@graf_chokolo> ok
[23:09] <@iLLNESS> your payload is slightly different from psgroove
[23:09] <@frank> is that kilobits or bytes?
[23:10] <@graf_chokolo> completely different :-)
[23:10] <@iLLNESS> i mean, the layout of it
[23:10] <@iLLNESS> http://pastie.org/1368027
[23:10] <@iLLNESS> payload.h is the bootstrap header?
[23:10] <@graf_chokolo> first i compile bootloader and convert it to C hex and store it in payload.h
[23:11] <@graf_chokolo> then i include it into psgroove desc
[23:11] <Heden_DLT> does your memory region
[23:11] <@iLLNESS> okay. the pastie link i just provided is the port1 config descriptor in full? aka no extra padding?
[23:11] <Heden_DLT> protected against overwriting
[23:12] <@frank> original psgroove?
[23:12] <@graf_chokolo> iLLNESS: it's complete psgroove desc i use, copied from my code, so you can just use it
[23:12] <@graf_chokolo> there are more psgrooves ?
[23:13] <@iLLNESS> what commands are you using for the bin2hex?
[23:13] <@iLLNESS> oh nm
[23:13] <@iLLNESS> i see the makefile
[23:13] <@graf_chokolo> ./bin2hex bootstrap.bin > payload.h
[23:13] <@frank> PL3 is in the new one, and iirc the FACEBOOK doesn't exist in it
[23:14] <@graf_chokolo> i use an old psgroove version
[23:14] <@graf_chokolo> and compile everything with IBM's ppu cross compiler
[23:14] <@frank> i know :), just wanted to make sure + let them know
[23:15] <@graf_chokolo> more questions ?
[23:15] <Heden_DLT> memory region
[23:15] <Heden_DLT> ?
[23:15] <@graf_chokolo> ah, ok, sorry
[23:15] <Heden_DLT> no prob :)
[23:15] <@graf_chokolo> i allocate the memory direct by using HV call so, gameos doesn't even see it :-)
[23:16] <Heden_DLT> ok
[23:16] <@graf_chokolo> it's hidden from gameos
[23:16] <Heden_DLT> This is what i thought
[23:16] <Heden_DLT> no worry about overwritten
[23:16] <@graf_chokolo> yeah
[23:17] <@graf_chokolo> something unclear maybe ? don't hesitate to ask
[23:17] <Heden_DLT> it's ok
[23:18] <@graf_chokolo> when 1st stage runs, it expects you to send the 2nd stage via Ethernet
[23:18] <@graf_chokolo> i use sendfile for this
[23:19] <@graf_chokolo> you will find it payload/tools
[23:19] <@graf_chokolo> in*
[23:19] <@iLLNESS> what are the symptoms of a successful boot with the bootstrap?
[23:20] <@iLLNESS> ps3 is black screened with light on
[23:20] <@iLLNESS> power light that is
[23:20] <@graf_chokolo> ps3 hangs :-) gameos shouldn't boot, but i could put a beep into bootstrap :-) then you will hear it when it's ready
[23:21] <@iLLNESS> yeah that would be good
[23:21] <@iLLNESS> :)
[23:22] <@graf_chokolo> ps3 should send ACKs for every received packet, sendfile will give you feedback about this
[23:22] <@iLLNESS> i get 'nothing to be done for 'all' when compiling your sendfile
[23:22] <@graf_chokolo> maybe it's already compiled ?
[23:23] <@iLLNESS> :o a new error :o
[23:23] <@iLLNESS> sendfile.c:20: fatal error: libnet.h: No such file or directory
[23:23] <@iLLNESS> what are the requisites for compiling this?
[23:23] <@iLLNESS> pre-requisites that is
[23:23] <@graf_chokolo> you need libnet library, libpcap also
[23:24] <@graf_chokolo> so, after the last packet of 2nd stage is received, 1st stage is done and jumps to 2nd stage and executes it
[23:25] <Heden_DLT> ok
[23:25] <@iLLNESS> which distro are you using this on?
[23:25] <@graf_chokolo> arch linux x86
[23:25] <@frank> ill, probably port to win32
[23:25] <@iLLNESS> your porting to win32?
[23:25] <@graf_chokolo> i quit :-)
[23:25] <@theruler_> lol
[23:26] <Heden_DLT> lol
[23:26] <@frank> lol, why so soon? :p
[23:26] <Heden_DLT> win32 !
[23:26] <@frank> guys use ubuntu
[23:26] <@arunningp> ill keep a tally for how many times graf quits :P
[23:27] <@frank> i just prefer VS
[23:27] <@graf_chokolo> it doesn't matter which linux are you using :-) arch linux is just my favorite and dwm manager :-)
[23:27] <Heden_DLT> Then 2nd stage :p
[23:28] <@iLLNESS> ack.
[23:28] <@iLLNESS> core/config.c:111: error: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
[23:28] <@iLLNESS> make [1]: ***  [core/config.o] Error 1
[23:29] <thomas> "bootloader" == "bootstrap" == "stage 1" ?  just want to keep the terms clear
[23:29] <thomas> you need LATEST libpcap
[23:29] <@iLLNESS> im trying to install libnet :o
[23:29] <@graf_chokolo> thomas, correct
[23:29] <thomas> cool.
[23:29] <thomas> this is being logged to make into a nice tutorial ;)
[23:30] <@graf_chokolo> no problem with that, everything is public anyways, just in code
[23:31] <@graf_chokolo> so, in main.c of 2nd stage you will find many function calls, most of them are disabled, mm_init, gelic_init and param_init should never be disabled
[23:31] <Heden_DLT> mm_init returns 0 :)
[23:31] <@graf_chokolo> to make self decrypter payload e.g. activate decrypt_self call
[23:31] <@graf_chokolo> 0 means success
[23:32] <Heden_DLT> yeah this is the only line 
[23:32] <Heden_DLT> if i remember
[23:32] <@graf_chokolo> to make lv2 decrypter activate decrypt_lv2_direct call and so on
[23:32] <@graf_chokolo> after that compile 2nd stage
[23:33] <@graf_chokolo> you will get payload.bin which you have to send to 1st stage with sendfile
[23:33] <@graf_chokolo> questions ?
[23:33] * thomas is using fedora 14 ... fwiw
[23:33] <@graf_chokolo> i quit :-)
[23:33] <@arunningp> thats 3 so far...
[23:33] <Heden_DLT> I did tell you that I had a problem of linker
[23:34] <Heden_DLT> for this one :(
[23:34] <@frank> graf_chokolo, never give up
[23:34] <@arunningp> never surrender
[23:34] <Heden_DLT> toilets ?
[23:34] <@graf_chokolo> Heden_DLT, with IBM's ppu compiler ?
[23:35] <Heden_DLT> coffee ?
[23:35] <Heden_DLT> no choko
[23:35] <Heden_DLT> I don't use this one
[23:35] <Heden_DLT> I should ?
[23:35] <@graf_chokolo> hm, i only tested with IBM's ppu compiler, not sure about others
[23:35] <Heden_DLT> Once lv1 functions compiled
[23:35] <@graf_chokolo> with IBM's compiler i have no problems at all
[23:36] <Heden_DLT> the linker cannot find them
[23:36] <Heden_DLT> but continue
[23:36] <Heden_DLT> I'll look deeper
[23:37] <@graf_chokolo> ok, we can discuss your problems with compiler another day
[23:37] <Heden_DLT> yep
[23:37] <@graf_chokolo> ok, now you send payload.bin to bootloader, it receives it and executes
[23:37] <@iLLNESS> would libpcap-dev be okay to use?
[23:37] <@graf_chokolo> yeah
[23:38] <@iLLNESS> :)
[23:38] <@graf_chokolo> i assume now that we want to decrypt selfs
[23:38] <@graf_chokolo> should i go deeper into details or just user manual ?
[23:39] <Heden_DLT> lol
[23:39] <Heden_DLT> I just see
[23:39] <@frank> when will women stop bitching
[23:39] <@theruler_> never.
[23:39] <Heden_DLT> that you isolated a SPU
[23:40] <@frank> when all men are dead
[23:40] <@theruler_> :P
[23:40] <@iLLNESS> damnit
[23:40] <@iLLNESS> still get libnet errors
[23:41] <Heden_DLT> put your self in memory
[23:41] <Heden_DLT> and ask the spu to decrypt it using a mailbox
[23:41] <@theruler_> @Rich: You following along or how are you making out?
[23:41] <@graf_chokolo> you are looking at decrypt_self.c or decrypt_self_direct.c ?
[23:42] <Heden_DLT> me ?
[23:42] <@iLLNESS> inflate.c:20: fatal error: zlib.h: No such file or directory 
[23:42] <@graf_chokolo> yeah
[23:42] <@iLLNESS> :o
[23:42] <@graf_chokolo> install zlib
[23:42] <Heden_DLT> choko : decrypt_self.x
[23:42] <Heden_DLT> choko : decrypt_self.c
[23:42] <@graf_chokolo> you need inflate for decrypting update packages
[23:43] <@graf_chokolo> i do not load isolated module (appldr) manually, HV call 99 does it, in decrypt_self_direct.c i do it manually
[23:44] <Heden_DLT> inflate or deflate ?
[23:44] <thomas> sorry graf, one question ... what is the difference between the config_descriptor [] you provided in the pastie, and the stage1 bootstrap?  I ask because the bootstrap I compile is MUCH larger
[23:44] <@graf_chokolo> zlib calls it inflate
[23:44] <Heden_DLT> ok
[23:44] <@frank> like a balloon :)
[23:45] <Heden_DLT> :)
[23:45] <@graf_chokolo> bootstrap.bin ?
[23:45] <thomas> right, now bootstrap.hex via bin2hex
[23:46] <@graf_chokolo> compile bootstrap.bin, convert it to payload.h with ./bin2hex bootstrap.bin > payload.h and place payload.h into psgroove dir
[23:46] <thomas> are they the same?  I compiled from latest git
[23:46] <thomas> ok
[23:47] <@graf_chokolo> then compile psgroove and flash it
[23:47] <@graf_chokolo> but use my config desc and not the one from psgroove
[23:47] <@iLLNESS> i have the bootstrap compiled if you guys want it
[23:47] <@iLLNESS> just give me board info
[23:48] <@iLLNESS> i cant compile the payload tools though :(
[23:48] <thomas> when you say you use an old version of psgroove, do you suspect latest git (with PL3) to be incompatible?
[23:49] <@frank> grab the one that added peek/poke
[23:49] <@iLLNESS> :o
[23:49] <@iLLNESS> i got it :)
[23:49] <@theruler_> sweet
[23:49] <@graf_chokolo> hm, really don't know, because i compiled bootstrap once, flashed psgroove and have not changed it since ages
[23:49] <@iLLNESS> thomas, i used evilsperms psgroove fork for this
[23:49] <@iLLNESS> just remove the #ifdef before port1 config descriptor
[23:49] <Heden_DLT> a stupid question choco
[23:49] <@iLLNESS> as well as the #endif
[23:49] <@frank> ya, peek/poke was my last update, so i haven't changed it, heh
[23:50] <Heden_DLT> all packets received and sent
[23:50] <@graf_chokolo> waiting for question
[23:51] <Heden_DLT> are done with a "simple" ETH link between PC and PS3 ?
[23:51] <@graf_chokolo> i have a router and ps3 and pc are connected to it
[23:52] <@graf_chokolo> ps3 sends packets with broadcast dest mac addr
[23:52] <Heden_DLT> Gelic gives the opportunity then to a direct link ?
[23:53] <@graf_chokolo> gelic is just a low level device driver which sends raw ethernet frames
[23:53] <@graf_chokolo> i do not use IPv4 :-)
[23:53] <Heden_DLT> lol
[23:53] <@frank> no layer 3? :O
[23:53] <@graf_chokolo> so to use sendfile you need root rights
[23:54] <@graf_chokolo> no, i wanted first to use UDP but i thought then what for ?
[23:54] <@frank> i know, just pulling ur leg :p
[23:54] <@graf_chokolo> :-)
[23:55] <@graf_chokolo> no more questions ?
[23:55] <thomas> I have done this to the descriptor.h file... http://pastie.org/1374542
[23:56] <@graf_chokolo> looks fine i would say
[23:56] <@graf_chokolo> so about self decrypter
[23:56] <@graf_chokolo> it expects you to send a SELF which it will decrypt
[23:57] <Heden_DLT> :)
[23:57] <@graf_chokolo> so grab some SELF and again use sendfile to send it to ps3
[23:57] <@graf_chokolo> you should see ACKS coming from ps3
[23:58] <@graf_chokolo> sendfile will give you feedback about that
[23:58] <@graf_chokolo> it is also ok if some packets get lost, sendfile will retransmit it
[23:58] <Heden_DLT> great!
[23:59] <@graf_chokolo> but before sending a SELF start tcpdump to capture the decrypted segments sent by ps3
[23:59] <@graf_chokolo> or else you could miss them if you are not fast enough :-)
[00:00] <@graf_chokolo> after self decrypter is done it should make 2 beeps :-)
[00:00] <Heden_DLT> double beep ;)
[00:00] <@graf_chokolo> yeah, and now you can terminate tcpdump
[00:01] <@graf_chokolo> it should contains decrypted segments now
[00:01] <@graf_chokolo> which are impatient to be reversed by you :-)
[00:01] <@arunningp> lulz
[00:01] <Heden_DLT> yet the problem
[00:02] <Heden_DLT> to separate payload
[00:02] <Heden_DLT> from "header"
[00:02] <@graf_chokolo> no problem :-)
[00:02] <@graf_chokolo> i send decrypted segments with Ethernet protocol field starting with 0xBEEF :-)
[00:03] <@frank> yum
[00:03] <Heden_DLT> 0xBEEF...payload....0xBEEF..payload
[00:03] <Heden_DLT> right ?
[00:03] <@graf_chokolo> so data from 1st decrypted segment has protocol 0xBEEF, data from 2nd decrypted segment has protocol 0xBEEF+1 and so on
[00:03] <@graf_chokolo> yeah, right
[00:03] <Heden_DLT> nice !
[00:04] <Heden_DLT> 0xCAFE is better
[00:04] <Heden_DLT> :p
[00:04] <@graf_chokolo> now use pcap2bin and dump_segs_from_pcap.sh to extract those segments
[00:04] <@graf_chokolo> segments are pure ppc asm :-)
[00:05] <@graf_chokolo> no, in case of executable files the 1st segment contains also ELF header
[00:05] <Heden_DLT> ah..
[00:05] <Heden_DLT> a true ELF ?
[00:05] <@graf_chokolo> and strings of course
[00:05] <@graf_chokolo> no, not true ELF ready to run
[00:06] <Heden_DLT> I saw a tutorial
[00:06] <Heden_DLT> using zlib to reconstruct
[00:06] <@graf_chokolo> just segments of ELF, but you can make an ELF, for reversing you don't need true ELFs
[00:06] <Heden_DLT> sure
[00:06] <@graf_chokolo> zlib ?
[00:07] <Heden_DLT> zpipe
[00:07] <Heden_DLT> sorry
[00:07] <@graf_chokolo> segments are not compressed, appldr already decompressed them
[00:08] <Heden_DLT> look : http://netkas.org/?p=573
[00:08] <@graf_chokolo> yeah, but why compressing them ?
[00:09] <Heden_DLT> well good question
[00:09] <@graf_chokolo> that's not all guys
[00:09] <@graf_chokolo> you have got now segments, but to reverse it you also need load addresses of these segments
[00:10] <@theruler_> @thomas/@iLLNESS: you guys still following along?
[00:10] <@graf_chokolo> ask questions if you have any, i will help
[00:11] <@graf_chokolo> no questions ?
[00:11] <Heden_DLT> i will have
[00:11] <Heden_DLT> concerning LV2..
[00:11] <Heden_DLT> But I let the others
[00:11] <@graf_chokolo> yeah
[00:11] <Heden_DLT> finish with this step
[00:12] <@graf_chokolo> guys, ask me anything, don't hesitate, i won't laugh you out
[00:12] <@arunningp> although he might quit :P
[00:12] <Heden_DLT> :p
[00:13] <Heden_DLT> choko ?
[00:13] <@graf_chokolo> so no questions then ? :-)
[00:13] <@theruler_> not sure if thomas/ill are AFK or what
[00:13] <@theruler_> but if heden is good you can keep going
[00:13] <Heden_DLT> okay
[00:13] <thomas> ok, got it compiled and my minimus flashed ... first boot looks successful! \o/ ps3 is at black screen and minimus blue light is off
[00:13] <@theruler_> great job thomas
[00:13] <@theruler_> :D
[00:14] <@graf_chokolo> try to send something with sendfile, you should see acks
[00:14] * thomas is up-reading ... 
[00:14] <Heden_DLT> the way you described is simply amazing :)
[00:15] <Heden_DLT> Now..let's talk if you want
[00:15] <thomas> ok, as far as tcpdump goes, *what* should I be looking for, udp? port?
[00:15] <@graf_chokolo> you know tcpdump a bit ?
[00:15] <thomas> sure
[00:16] <@graf_chokolo> you could e.g. filter only traffic coming from ps3's mac address
[00:16] <thomas> ok, I should be using a cross-over cable?
[00:16] <thomas> or was I supposed to set an IP address somewhere?
[00:16] <thomas> ie destination
[00:16] <@graf_chokolo> hm, i used router, didn't try cross over
[00:17] <@graf_chokolo> i don't use IP, just Ethernet
[00:17] <thomas> my sniffer(tcpdump) and the ps3 are on the same switch, but its a switch not a hub
[00:17] <Heden_DLT> thomas : try a direct link ?
[00:17] <@graf_chokolo> ps3 use broadcast dst addr so it should be no problem
[00:17] <thomas> kk
[00:18] <thomas> that I think answers my question
[00:18] <@graf_chokolo> i mean filter for eth src addr of ps3
[00:18] <thomas> right
[00:18] <@graf_chokolo> not dst
[00:19] <@graf_chokolo> more questions ?
[00:19] <Heden_DLT> does all work on old fat PS3 ?
[00:19] <Heden_DLT> thomas : slim or fat ?
[00:19] <thomas> is it by chance sending anything periodically?
[00:19] <thomas> fat 3.15
[00:19] <thomas> CECHG01
[00:20] <Heden_DLT> ok
[00:20] <@graf_chokolo> i have not tried it yet, but intend to do it, someone reported that it has problems with FATs
[00:20] <@graf_chokolo> i use slim
[00:20] <Heden_DLT> thomas seems to success on a fat
[00:20] <@graf_chokolo> but i will test it in the next days with a fat
[00:21] <thomas> I have a minor chicken/egg problem atm ... it is booted with payload, but arp -a gives me an incomplete address ... let me read up this tcpdump that has been running for 2 days watching the ps3 to see if mac is in there
[00:21] <@graf_chokolo> you need the filter for tcpdump, just capture everything, no problem with that
[00:21] <@graf_chokolo> don't need*
[00:22] <@graf_chokolo> you can use it but it's not required
[00:22] <Heden_DLT> may i continue thomas or you need details from choco ?
[00:22] <thomas> go on ;)
[00:23] <Heden_DLT> sure ?
[00:23] <Heden_DLT> choko ?
[00:23] <@graf_chokolo> yeah
[00:39] <Heden_DLT> a big thank to theruler
[00:39] <Heden_DLT> and choko
[00:39] <@graf_chokolo> yeah
[00:40] <@theruler_> @graf: thanks for all your help
[00:40] <Heden_DLT> bye bye

Features

Feature/Payload list

Communication

    • gelic_xmit_test
    • gelic_recv_test

Dump

    • dump_lv2
    • dump_slb
    • dump_sprg0
    • dump_htab
    • dump_stor
    • dump_flash
    • dump_repo_nodes
    • dump_repo_nodes_spu
    • dump_profile
    • dump_sysrom
    • dump_dev_flash
    • dump_hvcall99_param
    • dump_lpar_ra
    • dump_lv1

Decrypt

    • decrypt_profile
    • decrypt_usb_dongle_master_key
    • decrypt_pkg
    • decrypt_self
    • decrypt_npdrm
    • decrypt_game
    • decrypt_lv2_direct
    • decrypt_lv2_direct_355
    • decrypt_self_direct
    • decrypt_self_direct_355
    • decrypt_profile_direct

QA flag and token

    • update_mgr_qa_flag
    • update_mgr_get_token_seed
    • update_mgr_set_token
    • update_mgr_calc_token
    • update_mgr_verify_token

PKG's

    • update_mgr_inspect_pkg

Hooks

    • self_decrypter_hook
    • vuart_hook
    • stor_hook
    • hvcall209_hook


Dongle/Product Mode (recovery mode)

    • usb_dongle_auth
    • product_mode_off

Exploits

    • hv_mmap_exploit
    • exploit_isoldr_mbox
    • exploit_lv2ldr_mbox
    • exploit_lv2ldr_ls
    • exploit_appldr_mbox

System Controller (SC) manager

    • sc_mgr_read_eprom
    • sc_mgr_get_region_data
    • sc_mgr_get_sc_status
    • sc_mgr_get_srh

aim - aim_spu_module.self

    • aim_get_device_type
    • aim_get_device_id
    • aim_get_ps_code
    • aim_get_open_ps_id

SC - sc_iso.self

    • sc_iso_sc_binary_patch
    • sc_iso_get_sc_status
    • sc_iso_get_property
    • sb_iso_get_rnd
    • sb_iso_encdec_key


MFW/CFW/Patch Testing

    • store_file_on_flash
    • replace_lv2

vflash/flash/hdd

    • patch_vflash_region
    • create_vflash_region
    • store_file_on_vflash
    • create_hdd_region

Patches

    • patch_region_access
    • patch_sll_load_lv2
    • disable_hdd_crypto

MISC

    • vuart_sysmgr
    • vuart_dispmgr
    • query_lpar_address
    • encdec_cmd_0x85
    • edec_kgen1

Dumping Flash

Uncomment dump_dev_flash(), then compile and run the payload.

Setting QA Mode

This section is in development; anyone should feel free to share and edit it.

First you have to dump your flash -> extract EID -> extract EID0 and EID4 -> put them in eid.c

Once you are set, use the payloads in the following order, uncommenting the required function:

  • Set the QA flag
    • update_mgr_qa_flag()
  • Calculate the token
    • update_mgr_calc_token()
  • Verify token
    • update_mgr_verify_token()
  • Set the calculated and verified token in update_mgr_set_token.c
    • update_mgr_set_token()

Use Wireshark or tcpdump to capture the responses.