Graf's PSGroove Payload: Difference between revisions
Latest revision as of 14:14, 2 January 2021
graf_chokolo's Payload
These payloads have been around for months, and not many people have played with them; they do amazing stuff.
Source Code for a git bootstrap and the payload from coolstuff.rar:
git http://git-hacks.com/graf_payloads/graf_payloads/
zip http://www.mirrorcreator.com/files/N0XNBWWI/grafchokolo-psgroove-8a5898f.zip_links (grafchokolo-psgroove-8a5898f.zip)
other variant: http://dl.dropbox.com/u/9694818/grafchokolo.zip 17-1-2011 9:44
Requirements:
- Working ppc64 toolchain
- libpcap (sudo apt-get install libpcap-dev)
- libnet (sudo apt-get install libnet1-dev)
Instructions:
- cd bootstrap-8a5898f
- make
- cd ../payload-coolstuff/tools
- make
- Set the options you want in the payload's main.c
- cd ..
- make
Graf's Tutorial (Cut IRC Log):
On decrypter payload https://github.com/grafchokolo/psgroove
<iLLNESS> graf, is your payload to be used with psgroove?
<graf_chokolo> yeah, psgroove, it uses 2 stages
<graf_chokolo> bootstrap is programmed into psgroove
<graf_chokolo> payload is sent to ps3 via ethernet
<graf_chokolo> payload is what does the real job :-)
<graf_chokolo> i did it that way because you cannot program psgroove with large piece of code
<graf_chokolo> bootstrap.bin has to be converted to C hex and inserted into psgroove descriptor
<graf_chokolo> i can upload my psgroove descriptor, it's no problem
<graf_chokolo> ok, here is my psgroove desc
<graf_chokolo> http://pastie.org/1368027
<graf_chokolo> just convert bootstrap.bin to payload.h with bin2hex tool i provided
<graf_chokolo> the bytes after payload.h doesn't matter, they are just dummies
<graf_chokolo> program your psgroove with this bootstrap
<graf_chokolo> bootstrap has one purpose, it receives payload.bin from me via ethernet and runs it :-)
<graf_chokolo> this way i can run huge piece of code :-)
<graf_chokolo> and do not need to reprogram my psgroove everytime, have just to change payload and it does something different
<graf_chokolo> i'm using tcpdump to capture everything that comes back from ps3 and extract it then with pcap2bin
<graf_chokolo> you can also use wireshark if you want to
<graf_chokolo> payload.bin is sent to ps3 with sendfile tool i provided
<graf_chokolo> and a self to decrypt e.g. is also sent with sendfile via ethernet
<graf_chokolo> all data sent to ps3 is acked by ps3, to make sure that file transferred to ps3 is ok
<graf_chokolo> because sometimes a ethernet frame can get lost
<graf_chokolo> to be able to decrypt selfs you have first to edit main.c file and uncomment it, make sure only self decrypter will be called in main except mm and gelic
<graf_chokolo> to decrypt selfs, first run psgroove with programmed bootstrap
<graf_chokolo> wait some time till it runs
<graf_chokolo> then send payload.bin
<graf_chokolo> data sent to ps3 should be acked, sendfile will give you feedback
<graf_chokolo> if it doesn't see any acks then there is a problem
<graf_chokolo> i think here it would be best to test it with your ps3
<graf_chokolo> when payload.bin is uploaded to ps3 it will be executed immediately
<graf_chokolo> if the payload.bin does self decryption then it waits now for you to send it some SELF file to decrypt :-)
<graf_chokolo> so send a SELF to ps3 with sendfile
<graf_chokolo> but before that make sure you start tcpdump to capture the data coming back from ps3 :-)
<graf_chokolo> because the data will contain the decrypted SELF segments :-)
<graf_chokolo> every decrypted self segment is sent using different Ethernet protocol field values
<graf_chokolo> i do it for one purpose, to make extracting decrypted segments easier
<graf_chokolo> here an example
<graf_chokolo> if a SELF has 2 encrypted segments, i send 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send with protocol (0xBEEF+1)
<graf_chokolo> so to extract the 1st segment from tcpdump pcap file i just use "pcap2bin -p 0xBEEF <pcap filename> <segment filename>"
<graf_chokolo> so to extract the 2nd segment from tcpdump pcap file i just use "pcap2bin -p 0xBEF0 <pcap filename> <segment filename>"
<graf_chokolo> and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
<graf_chokolo> forgot to say. when self decrypter is done, ps3 should make 2 beeps :-)
<graf_chokolo> you need also the right load addresses for those segments in order to be able to reverse it
<graf_chokolo> self decrypter sends not only decrypted segments to you, it sends more data :-)
<graf_chokolo> one of the packets sent to PC by self decrypter contains load address of segment, take a look at decrypt_self.c and you will understand what i mean
<graf_chokolo> this packet is sent just before the decrypted data is sent
<graf_chokolo> so now you have everything to do reversing with IDA
<graf_chokolo> just load these segments into IDA at right addresses
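The segment extraction step described in the tutorial above (pcap2bin -p 0xBEEF for the first segment, 0xBEF0 for the second, and so on), as an added example rather than graf's own pcap2bin or dump_segs_from_pcap.sh: it parses a classic pcap file, keeps the frames whose EtherType matches, joins their payloads in capture order, and extract_segments walks the consecutive tags until one yields nothing. build_pcap and SAMPLE_PCAP are constructed input; the layout inside each tagged frame (14-byte Ethernet header followed by raw segment bytes, no padding) is an assumption, since the real tool's source is not on this page.

```python
"""Pull the payloads of raw Ethernet frames with a chosen EtherType out of a
classic pcap capture, the job pcap2bin -p <proto> does in the tutorial above.
Added example, not graf_chokolo's pcap2bin: assumes every tagged frame is a
plain 14-byte Ethernet header followed by segment bytes, and that the sender
emits a segment's frames in order with no padding to strip."""
import struct

ETH_HDR_LEN = 14           # dst MAC (6) + src MAC (6) + EtherType (2)
PCAP_GLOBAL_HDR_LEN = 24
PCAP_RECORD_HDR_LEN = 16
DLT_EN10MB = 1             # pcap link type for Ethernet


def _pcap_byteorder(data):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":   # 0xa1b2c3d4 written little-endian
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":   # 0xa1b2c3d4 written big-endian
        return ">"
    raise ValueError("not a classic pcap file (magic %r)" % magic)


def iter_frames(data):
    """Yield (ethertype, payload) for each Ethernet frame in a pcap blob."""
    order = _pcap_byteorder(data)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(order + "IHHiIII", data[:PCAP_GLOBAL_HDR_LEN])[6]
    if linktype != DLT_EN10MB:
        raise ValueError("capture is not Ethernet (linktype %d)" % linktype)
    off = PCAP_GLOBAL_HDR_LEN
    while off + PCAP_RECORD_HDR_LEN <= len(data):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
        incl_len = struct.unpack(order + "IIII",
                                 data[off:off + PCAP_RECORD_HDR_LEN])[2]
        off += PCAP_RECORD_HDR_LEN
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < ETH_HDR_LEN:
            continue                   # truncated frame, nothing usable
        ethertype = struct.unpack("!H", frame[12:14])[0]   # network byte order
        yield ethertype, frame[ETH_HDR_LEN:]


def pcap2bin(data, proto):
    """Concatenate, in capture order, the payloads of frames tagged proto."""
    return b"".join(p for t, p in iter_frames(data) if t == proto)


def extract_segments(data, base=0xBEEF):
    """Collect segments tagged base, base+1, ... until a tag yields no data,
    which is what running pcap2bin once per segment does by hand."""
    segments = []
    proto = base
    while True:
        seg = pcap2bin(data, proto)
        if not seg:
            break
        segments.append(seg)
        proto += 1
    return segments


def build_pcap(frames, order="<"):
    """Write a classic Ethernet pcap from (ethertype, payload) tuples.
    Only used to construct sample input here; MAC addresses are placeholders."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, (ethertype, payload) in enumerate(frames):
        frame = (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
                 + struct.pack("!H", ethertype) + payload)
        out += struct.pack(order + "IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: two "decrypted segments", each split over
# frames, with an unrelated ARP frame mixed in as a real capture would have.
SAMPLE_PCAP = build_pcap([
    (0xBEEF, b"\x7fELF\x02\x02\x01"),  # segment 1, first chunk
    (0x0806, b"\x00\x01\x08\x00"),     # unrelated frame (ARP), ignored
    (0xBEEF, b"\x00" * 9),             # segment 1, second chunk
    (0xBEF0, b"data-seg"),             # segment 2 (0xBEEF + 1)
    (0xBEF0, b"ment-2"),
])

if __name__ == "__main__":
    for n, seg in enumerate(extract_segments(SAMPLE_PCAP)):
        print("segment %d (proto 0x%04X): %d bytes" % (n + 1, 0xBEEF + n, len(seg)))
```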
Graf's Tutorial (Full IRC Log):
[23:06] <@graf_chokolo> so guys should i start ?
[23:06] <Heden_DLT> Hi all
[23:06] <thomas> ok what is my first step here?
[23:06] <thomas> psgroove modification?
[23:06] <@arunningp> graf_chokolo everyone is here now...please start
[23:06] <@theruler_> ^ this.
[23:06] <@graf_chokolo> ok
[23:07] <@arunningp> everyone else...let him talk
[23:07] <@graf_chokolo> i use 2 stages to run my code
[23:07] <@graf_chokolo> 1st stage is kinda bootloader for 2nd stage because psgroove allows only small piece of code
[23:08] <@graf_chokolo> so first i program psgroove with my 1st stage
[23:08] <@graf_chokolo> it's always the same
[23:08] <@iLLNESS> yo
[23:09] <@graf_chokolo> it creates a memory region of 64kb for 2nd stage and receives 2nd stage binary from PC via Ethernet, stores received binary in this memory and executes it
[23:09] <@graf_chokolo> so far clear ?
[23:09] <Heden_DLT> yep
[23:09] <@iLLNESS> yes..
[23:09] <@frank> prove it ^
[23:09] <@iLLNESS> i got a quick question
[23:09] <Heden_DLT> lol
[23:09] <@graf_chokolo> ok
[23:09] <@iLLNESS> your payload is slightly different from psgroove
[23:09] <@frank> is that kilobits or bytes?
[23:10] <@graf_chokolo> completely different :-)
[23:10] <@iLLNESS> i mean, the layout of it
[23:10] <@iLLNESS> http://pastie.org/1368027
[23:10] <@iLLNESS> payload.h is the bootstrap header?
[23:10] <@graf_chokolo> first i compile bootloader and convert it to C hex and store it in payload.h
[23:11] <@graf_chokolo> then i include it into psgroove desc
[23:11] <Heden_DLT> does your memory region
[23:11] <@iLLNESS> okay. the pastie link i just provided is the port1 config descriptor in full? aka no extra padding?
[23:11] <Heden_DLT> protected against overwriting
[23:12] <@frank> original psgroove?
[23:12] <@graf_chokolo> iLLNESS: it's complete psgroove desc i use, copied from my code, so you can just use it
[23:12] <@graf_chokolo> there are more psgrooves ?
[23:13] <@iLLNESS> what commands are you using for the bin2hex?
[23:13] <@iLLNESS> oh nm
[23:13] <@iLLNESS> i see the makefile
[23:13] <@graf_chokolo> ./bin2hex bootstrap.bin > payload.h
[23:13] <@frank> PL3 is in the new one, and iirc the FACEBOOK doesn't exist in it
[23:14] <@graf_chokolo> i use an old psgroove version
[23:14] <@graf_chokolo> and compile everything with IBM's ppu cross compiler
[23:14] <@frank> i know :), just wanted to make sure + let them know
[23:15] <@graf_chokolo> more questions ?
[23:15] <Heden_DLT> memory region
[23:15] <Heden_DLT> ?
[23:15] <@graf_chokolo> ah, ok, sorry
[23:15] <Heden_DLT> no prob :)
[23:15] <@graf_chokolo> i allocate the memory direct by using HV call so, gameos doesn't even see it :-)
[23:16] <Heden_DLT> ok
[23:16] <@graf_chokolo> it's hidden from gameos
[23:16] <Heden_DLT> This is what i thought
[23:16] <Heden_DLT> no worry about overwritten
[23:16] <@graf_chokolo> yeah
[23:17] <@graf_chokolo> something unclear maybe ? don't hesitate to ask
[23:17] <Heden_DLT> it's ok
[23:18] <@graf_chokolo> when 1st stage runs, it expects you to send the 2nd stage via Ethernet
[23:18] <@graf_chokolo> i use sendfile for this
[23:19] <@graf_chokolo> you will find it payload/tools
[23:19] <@graf_chokolo> in*
[23:19] <@iLLNESS> what are the symptoms of a successful boot with the bootstrap?
[23:20] <@iLLNESS> ps3 is black screened with light on
[23:20] <@iLLNESS> power light that is
[23:20] <@graf_chokolo> ps3 hangs :-) gameos shouldn't boot, but i could put a beep into bootstrap :-) then you will hear it when it's ready
[23:21] <@iLLNESS> yeah that would be good
[23:21] <@iLLNESS> :)
[23:22] <@graf_chokolo> ps3 should send ACKs for every received packet, sendfile will give you feedback about this
[23:22] <@iLLNESS> i get 'nothing to be done for 'all' when compiling your sendfile
[23:22] <@graf_chokolo> maybe it's already compiled ?
[23:23] <@iLLNESS> :o a new error :o
[23:23] <@iLLNESS> sendfile.c:20: fatal error: libnet.h: No such file or directory
[23:23] <@iLLNESS> what are the requisites for compiling this?
[23:23] <@iLLNESS> pre-requisites that is
[23:23] <@graf_chokolo> you need libnet library, libpcap also
[23:24] <@graf_chokolo> so, after the last packet of 2nd stage is received, 1st stage is done and jumps to 2nd stage and executes it
[23:25] <Heden_DLT> ok
[23:25] <@iLLNESS> which distro are you using this on?
[23:25] <@graf_chokolo> arch linux x86
[23:25] <@frank> ill, probably port to win32
[23:25] <@iLLNESS> your porting to win32?
[23:25] <@graf_chokolo> i quit :-)
[23:25] <@theruler_> lol
[23:26] <Heden_DLT> lol
[23:26] <@frank> lol, why so soon? :p
[23:26] <Heden_DLT> win32 !
[23:26] <@frank> guys use ubuntu
[23:26] <@arunningp> ill keep a tally for how many times graf quits :P
[23:27] <@frank> i just prefer VS
[23:27] <@graf_chokolo> it doesn't matter which linux are you using :-) arch linux is just my favorite and dwm manager :-)
[23:27] <Heden_DLT> Then 2nd stage :p
[23:28] <@iLLNESS> ack.
[23:28] <@iLLNESS> core/config.c:111: error: ignoring return value of 'fgets', declared with attribute warn_unused_result
[23:28] <@iLLNESS> make [1]: *** [core/config.o] Error 1
[23:29] <thomas> "bootloader" == "bootstrap" == "stage 1" ? just want to keep the terms clear
[23:29] <thomas> you need LATEST libpcap
[23:29] <@iLLNESS> im trying to install libnet :o
[23:29] <@graf_chokolo> thomas, correct
[23:29] <thomas> cool.
[23:29] <thomas> this is being logged to make into a nice tutorial ;)
[23:30] <@graf_chokolo> no problem with that, everything is public anyways, just in code
[23:31] <@graf_chokolo> so, in main.c of 2nd stage you will find many function calls, most of them are disabled, mm_init, gelic_init and param_init should never be disabled
[23:31] <Heden_DLT> mm_init returns 0 :)
[23:31] <@graf_chokolo> to make self decrypter payload e.g. activate decrypt_self call
[23:31] <@graf_chokolo> 0 means success
[23:32] <Heden_DLT> yeah this is the only line
[23:32] <Heden_DLT> if i remember
[23:32] <@graf_chokolo> to make lv2 decrypter activate decrypt_lv2_direct call and so on
[23:32] <@graf_chokolo> after that compile 2nd stage
[23:33] <@graf_chokolo> you will get payload.bin which you have to send to 1st stage with sendfile
[23:33] <@graf_chokolo> questions ?
[23:33] * thomas is using fedora 14 ... fwiw
[23:33] <@graf_chokolo> i quit :-)
[23:33] <@arunningp> thats 3 so far...
[23:33] <Heden_DLT> I did tell you that I had a problem of linker
[23:34] <Heden_DLT> for this one :(
[23:34] <@frank> graf_chokolo, never give up
[23:34] <@arunningp> never surrender
[23:34] <Heden_DLT> toilets ?
[23:34] <@graf_chokolo> Heden_DLT, with IBM's ppu compiler ?
[23:35] <Heden_DLT> coffee ?
[23:35] <Heden_DLT> no choko
[23:35] <Heden_DLT> I don't use this one
[23:35] <Heden_DLT> I should ?
[23:35] <@graf_chokolo> hm, i only tested with IBM's ppu compiler, not sure about others
[23:35] <Heden_DLT> Once lv1 functions compiled
[23:35] <@graf_chokolo> with IBM's compiler i have no problems at all
[23:36] <Heden_DLT> the linker cannot find them
[23:36] <Heden_DLT> but continue
[23:36] <Heden_DLT> I will look deeper
[23:37] <@graf_chokolo> ok, we can discuss your problems with compiler another day
[23:37] <Heden_DLT> yep
[23:37] <@graf_chokolo> ok, now you send payload.bin to bootloader, it receives it and executes
[23:37] <@iLLNESS> would libpcap-dev be okay to use?
[23:37] <@graf_chokolo> yeah
[23:38] <@iLLNESS> :)
[23:38] <@graf_chokolo> i assume now that we want to decrypt selfs
[23:38] <@graf_chokolo> should i go deeper into details or just user manual ?
[23:39] <Heden_DLT> lol
[23:39] <Heden_DLT> I just see
[23:39] <@frank> when will women stop bitching
[23:39] <@theruler_> never.
[23:39] <Heden_DLT> that you isolated a SPU
[23:40] <@frank> when all men are dead
[23:40] <@theruler_> :P
[23:40] <@iLLNESS> damnit
[23:40] <@iLLNESS> still get libnet errors
[23:41] <Heden_DLT> put your self in memory
[23:41] <Heden_DLT> and ask the spu to decrypt it using a mailbox
[23:41] <@theruler_> @Rich: You following along or how are you making out?
[23:41] <@graf_chokolo> you are looking at decrypt_self.c or decrypt_self_direct.c ?
[23:42] <Heden_DLT> me ?
[23:42] <@iLLNESS> inflate.c:20: fatal error: zlib.h: No such file or directory
[23:42] <@graf_chokolo> yeah
[23:42] <@iLLNESS> :o
[23:42] <@graf_chokolo> install zlib
[23:42] <Heden_DLT> choko : decrypt_self.x
[23:42] <Heden_DLT> choko : decrypt_self.c
[23:42] <@graf_chokolo> you need inflate for decrypting update packages
[23:43] <@graf_chokolo> i do not load isolated module (appldr) manually, HV call 99 does it, in decrypt_self_direct.c i do it manually
[23:44] <Heden_DLT> inflate or deflate ?
[23:44] <thomas> sorry graf, one question ... what is the difference between the config_descriptor [] you provided in the pastie, and the stage1 bootstrap? I ask because the bootstrap I compile is MUCH larger
[23:44] <@graf_chokolo> zlib calls it inflate
[23:44] <Heden_DLT> ok
[23:44] <@frank> like a balloon :)
[23:45] <Heden_DLT> :)
[23:45] <@graf_chokolo> bootstrap.bin ?
[23:45] <thomas> right, now bootstrap.hex via bin2hex
[23:46] <@graf_chokolo> compile bootstrap.bin, convert it to payload.h with ./bin2hex bootstrap.bin > payload.h and place payload.h into psgroove dir
[23:46] <thomas> are they the same? I compiled from latest git
[23:46] <thomas> ok
[23:47] <@graf_chokolo> then compile psgroove and flash it
[23:47] <@graf_chokolo> but use my config desc and not the one from psgroove
[23:47] <@iLLNESS> i have the bootstrap compiled if you guys want it
[23:47] <@iLLNESS> just give me board info
[23:48] <@iLLNESS> i cant compile the payload tools though :(
[23:48] <thomas> when you say you use an old version of psgroove, do you suspect latest git (with PL3) to be incompatible?
[23:49] <@frank> grab the one that added peek/poke
[23:49] <@iLLNESS> :o
[23:49] <@iLLNESS> i got it :)
[23:49] <@theruler_> sweet
[23:49] <@graf_chokolo> hm, really don't know, because i compiled bootstrap once, flashed psgroove and have not changed it since ages
[23:49] <@iLLNESS> thomas, i used evilsperms psgroove fork for this
[23:49] <@iLLNESS> just remove the #ifdef before port1 config descriptor
[23:49] <Heden_DLT> a stupid question choco
[23:49] <@iLLNESS> as well as the #endif
[23:49] <@frank> ya, peek/poke was my last update, so i haven't changed it, heh
[23:50] <Heden_DLT> all packets received and sent
[23:50] <@graf_chokolo> waiting for question
[23:51] <Heden_DLT> are done with a "simple" ETH link between PC and PS3 ?
[23:51] <@graf_chokolo> i have a router and ps3 and pc are connected to it
[23:52] <@graf_chokolo> ps3 sends packets with broadcast dest mac addr
[23:52] <Heden_DLT> Gelic gives the opportunity then to a direct link ?
[23:53] <@graf_chokolo> gelic is just a low level device driver which sends raw ethernet frames
[23:53] <@graf_chokolo> i do not use IPv4 :-)
[23:53] <Heden_DLT> lol
[23:53] <@frank> no layer 3? :O
[23:53] <@graf_chokolo> so to use sendfile you need root rights
[23:54] <@graf_chokolo> no, i wanted first to use UDP but i thought then what for ?
[23:54] <@frank> i know, just pulling ur leg :p
[23:54] <@graf_chokolo> :-)
[23:55] <@graf_chokolo> no more questions ?
[23:55] <thomas> I have done this to the descriptor.h file... http://pastie.org/1374542
[23:56] <@graf_chokolo> looks fine i would say
[23:56] <@graf_chokolo> so about self decrypter
[23:56] <@graf_chokolo> it expects you to send a SELF which it will decrypt
[23:57] <Heden_DLT> :)
[23:57] <@graf_chokolo> so grab some SELF and again use sendfile to send it to ps3
[23:57] <@graf_chokolo> you should see ACKS coming from ps3
[23:58] <@graf_chokolo> sendfile will give you feedback about that
[23:58] <@graf_chokolo> it is also ok if some packets get lost, sendfile will retransmit it
[23:58] <Heden_DLT> great!
[23:59] <@graf_chokolo> but before sending a SELF start tcpdump to capture the decrypted segments sent by ps3
[23:59] <@graf_chokolo> or else you could miss them if you are not fast enough :-)
[00:00] <@graf_chokolo> after self decrypter is done it should make 2 beeps :-)
[00:00] <Heden_DLT> double beep ;)
[00:00] <@graf_chokolo> yeah, and now you can terminate tcpdump
[00:01] <@graf_chokolo> it should contain decrypted segments now
[00:01] <@graf_chokolo> which are impatient to be reversed by you :-)
[00:01] <@arunningp> lulz
[00:01] <Heden_DLT> yet the problem
[00:02] <Heden_DLT> to separate payload
[00:02] <Heden_DLT> from "header"
[00:02] <@graf_chokolo> no problem :-)
[00:02] <@graf_chokolo> i send decrypted segments with Ethernet protocol field starting with 0xBEEF :-)
[00:03] <@frank> yum
[00:03] <Heden_DLT> 0xBEEF...payload....0xBEEF..payload
[00:03] <Heden_DLT> right ?
[00:03] <@graf_chokolo> so data from 1st decrypted segment has protocol 0xBEEF, data from 2nd decrypted segment has protocol 0xBEEF+1 and so on
[00:03] <@graf_chokolo> yeah, right
[00:03] <Heden_DLT> nice !
[00:04] <Heden_DLT> 0xCAFE is better
[00:04] <Heden_DLT> :p
[00:04] <@graf_chokolo> now use pcap2bin and dump_segs_from_pcap.sh to extract those segments
[00:04] <@graf_chokolo> segments are pure ppc asm :-)
[00:05] <@graf_chokolo> no, in case of executable files the 1st segment contains also ELF header
[00:05] <Heden_DLT> ah..
[00:05] <Heden_DLT> a true ELF ?
[00:05] <@graf_chokolo> and strings of course
[00:05] <@graf_chokolo> no, not true ELF ready to run
[00:06] <Heden_DLT> I saw a tutorial
[00:06] <Heden_DLT> using zlib to reconstruct
[00:06] <@graf_chokolo> just segments of ELF, but you can make an ELF, for reversing you don't need true ELFs
[00:06] <Heden_DLT> sure
[00:06] <@graf_chokolo> zlib ?
[00:07] <Heden_DLT> zpipe
[00:07] <Heden_DLT> sorry
[00:07] <@graf_chokolo> segments are not compressed, appldr already decompressed them
[00:08] <Heden_DLT> look : http://netkas.org/?p=573
[00:08] <@graf_chokolo> yeah, but why compressing them ?
[00:09] <Heden_DLT> well good question
[00:09] <@graf_chokolo> that's not all guys
[00:09] <@graf_chokolo> you have got now segments, but to reverse it you also need load addresses of these segments
[00:10] <@theruler_> @thomas/@iLLNESS: you guys still following along?
[00:10] <@graf_chokolo> ask questions if you have any, i will help
[00:11] <@graf_chokolo> no questions ?
[00:11] <Heden_DLT> i will have
[00:11] <Heden_DLT> concerning LV2..
[00:11] <Heden_DLT> But I let the others
[00:11] <@graf_chokolo> yeah
[00:11] <Heden_DLT> finish with this step
[00:12] <@graf_chokolo> guys, ask me anything, don't hesitate, i won't laugh you out
[00:12] <@arunningp> although he might quit :P
[00:12] <Heden_DLT> :p
[00:13] <Heden_DLT> choko ?
[00:13] <@graf_chokolo> so no questions then ? :-)
[00:13] <@theruler_> not sure if thomas/ill are AFK or what
[00:13] <@theruler_> but if heden is good you can keep going
[00:13] <Heden_DLT> okay
[00:13] <thomas> ok, got it compiled and my minimus flashed ... first boot looks successful! \o/ ps3 is at black screen and minimus blue light is off
[00:13] <@theruler_> great job thomas
[00:13] <@theruler_> :D
[00:14] <@graf_chokolo> try to send something with sendfile, you should see acks
[00:14] * thomas is up-reading ...
[00:14] <Heden_DLT> the way you described is simply amazing :)
[00:15] <Heden_DLT> Now..let's talk if you want
[00:15] <thomas> ok, as far as tcpdump goes, *what* should I be looking for, udp? port?
[00:15] <@graf_chokolo> you know tcpdump a bit ?
[00:15] <thomas> sure
[00:16] <@graf_chokolo> you could e.g. filter only traffic coming from ps3's mac address
[00:16] <thomas> ok, I should be using a cross-over cable?
[00:16] <thomas> or was I supposed to set an IP address somewhere?
[00:16] <thomas> ie destination
[00:16] <@graf_chokolo> hm, i used router, didn't try cross over
[00:17] <@graf_chokolo> i don't use IP, just Ethernet
[00:17] <thomas> my sniffer(tcpdump) and the ps3 are on the same switch, but its a switch not a hub
[00:17] <Heden_DLT> thomas : try a direct link ?
[00:17] <@graf_chokolo> ps3 use broadcast dst addr so it should be no problem
[00:17] <thomas> kk
[00:18] <thomas> that I think answers my question
[00:18] <@graf_chokolo> i mean filter for eth src addr of ps3
[00:18] <thomas> right
[00:18] <@graf_chokolo> not dst
[00:19] <@graf_chokolo> more questions ?
[00:19] <Heden_DLT> does all work on old fat PS3 ?
[00:19] <Heden_DLT> thomas : slim or fat ?
[00:19] <thomas> is it by chance sending anything periodically?
[00:19] <thomas> fat 3.15
[00:19] <thomas> CECHG01
[00:20] <Heden_DLT> ok
[00:20] <@graf_chokolo> i have not tried it yet, but intend to do it, someone reported that it has problems with FATs
[00:20] <@graf_chokolo> i use slim
[00:20] <Heden_DLT> thomas seems to success on a fat
[00:20] <@graf_chokolo> but i will test it in the next days with a fat
[00:21] <thomas> I have a minor chicken/egg problem atm ... it is booted with payload, but arp -a gives me an incomplete address ... let me read up this tcpdump that has been running for 2 days watching the ps3 to see if mac is in there
[00:21] <@graf_chokolo> you need the filter for tcpdump, just capture everything, no problem with that
[00:21] <@graf_chokolo> don't need*
[00:22] <@graf_chokolo> you can use it but it's not required
[00:22] <Heden_DLT> may i continue thomas or you need details from choco ?
[00:22] <thomas> go on ;)
[00:23] <Heden_DLT> sure ?
[00:23] <Heden_DLT> choko ?
[00:23] <@graf_chokolo> yeah
[00:39] <Heden_DLT> a big thank to theruler
[00:39] <Heden_DLT> and choko
[00:39] <@graf_chokolo> yeah
[00:40] <@theruler_> @graf: thanks for all your help
[00:40] <Heden_DLT> bye bye
Features
Feature/Payload list
Communication
- gelic_xmit_test
- gelic_recv_test
Dump
- dump_lv2
- dump_slb
- dump_sprg0
- dump_htab
- dump_stor
- dump_flash
- dump_repo_nodes
- dump_repo_nodes_spu
- dump_profile
- dump_sysrom
- dump_dev_flash
- dump_hvcall99_param
- dump_lpar_ra
- dump_lv1
Decrypt
- decrypt_profile
- decrypt_usb_dongle_master_key
- decrypt_pkg
- decrypt_self
- decrypt_npdrm
- decrypt_game
- decrypt_lv2_direct
- decrypt_lv2_direct_355
- decrypt_self_direct
- decrypt_self_direct_355
- decrypt_profile_direct
QA flag and token
- update_mgr_qa_flag
- update_mgr_get_token_seed
- update_mgr_set_token
- update_mgr_calc_token
- update_mgr_verify_token
PKGs
- update_mgr_inspect_pkg
Hooks
- self_decrypter_hook
- vuart_hook
- stor_hook
- hvcall209_hook
Dongle/Product Mode (recovery mode)
- usb_dongle_auth
- product_mode_off
Exploits
- hv_mmap_exploit
- exploit_isoldr_mbox
- exploit_lv2ldr_mbox
- exploit_lv2ldr_ls
- exploit_appldr_mbox
System Controller (SC) manager
- sc_mgr_read_eprom
- sc_mgr_get_region_data
- sc_mgr_get_sc_status
- sc_mgr_get_srh
aim - aim_spu_module.self
- aim_get_device_type
- aim_get_device_id
- aim_get_ps_code
- aim_get_open_ps_id
SC - sc_iso.self
- sc_iso_sc_binary_patch
- sc_iso_get_sc_status
- sc_iso_get_property
- sb_iso_get_rnd
- sb_iso_encdec_key
MFW/CFW/Patch Testing
- store_file_on_flash
- replace_lv2
vflash/flash/hdd
- patch_vflash_region
- create_vflash_region
- store_file_on_vflash
- create_hdd_region
Patches
- patch_region_access
- patch_sll_load_lv2
- disable_hdd_crypto
MISC
- vuart_sysmgr
- vuart_dispmgr
- query_lpar_address
- encdec_cmd_0x85
- edec_kgen1
Dumping Flash
Uncomment dump_dev_flash(), then compile and run the payload.
Setting QA Mode
This section is in development; anyone feel free to share and edit this section.
First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them in eid.c
- To do this you can use Hardware_flashing, Linux with graf_chokolo's kernel with access to /dev/ps3nflasha (Links_to_precompiled_stuff), or this payload with dump_dev_flash() uncommented
- More info in Flash
Once you are set, use the payloads in the following order, uncommenting the required function:
- Set the QA flag
  - update_mgr_qa_flag()
- Calculate the token
  - update_mgr_calc_token()
- Verify the token
  - update_mgr_verify_token()
- Set the calculated and verified token in update_mgr_set_token.c
  - update_mgr_set_token()
You should use wireshark or tcpdump to capture the responses.