Dev Tools: Difference between revisions

Tools

hexkey2bin.c

readselfoffsets.c

PS3UPDAT.PUP::license.xml

downgrade

downgrade

Git

git docs

fail0VERFLOW

ps3tools

cospkg

usage: cospkg cos.pkg dir

cosunpkg

usage: cosunpkg filename.pkg target

pkg

usage: pkg [key suffix] [contents] [filename.pkg]

unpkg

usage: unpkg [-s] filename.pkg target

readself

usage: readself file.self

readselfoffsets

usage: readselfoffsets file.self

unself

usage: unself in.self out.elf

makeself

usage: makeself [-c] [type] [version suffix] [version] [vendor id] [auth id] [sdk type] [elf] [self]

makeself keytype keysuffix sdkversion vendorid authid sdktype file.elf file.self

keytype=lv0|lv1|lv2|iso|app|ldr

keysuffix=315|331|341|355

sdkversion=3.15.0|3.41.0|3.55.0

vendorid=01000002

authid=1070000039000001

sdktype=0000:retail0, 0001:retail, 0002:retail1, 8000 devkit

puppack

usage: puppack filename.pup directory [build number]

pupunpack

usage: pupunpack filename.pup directory

norunpack

usage: norunpack dump.b directory

sceverify

usage: sceverify filename

SCEkrit

usage: scesekrit filename1 filename2

unself_gnpdrm.c source & unself_gnpdrm.exe Win32 compile : unself_gnpdrm.rar (60.16 KB)

unself_gnpdrm

usage: unself_gnpdrm in.self out.elf

Geohot Signing Tools

ps3publictools ([1]

make_self

usage: make_self input.elf output.self

make_self_npdrm

usage: make_self_npdrm input.elf output.self <content_id>

warning NPDRM cares about the output file name, do not rename

package_finalize

usage: package_finalize my.pkg

Graf Chokolo Tools

graftools Graftools

sendfile

pcap2bin

sputnik - Cell/SPU Pipeline viewer

http://www.ps3hax.net/2011/08/sputnik-build-3-cellspu-pipeline-viewer/

• Windows (will also need QT runtime files)
• MAC OSX

netrpc

git://gist.github.com/1041214.git
https://gist.github.com/1041214

Objdump

If you, for whatever reason, need to disassemble non-x86 binary files, you usually look out for a disassembler. If there's nothing free available for your platform (e.g.: ARM) one of the few solutions may be buying something like IDA Pro.

But wait, if you only need to "analyze" a small portion (boot-sector, single routine, ...) and someone already ported GNUs GCC and bintools to your platform, using OBJDUMP may do the trick...

If "raw.bin" is your binary file, just typing

  objdump -d raw.bin
  objdump: raw.bin: File format not recognized

will not work. Objdump needs a file system object or file.

Just do it like this:

  # create an empty file
  touch empty.c

  # compile this empty file
  gcc -c -o empty.o empty.c

  # add binary as a raw section
  objcopy --add-section raw=raw.bin empty.o
	
  # remove ".comment" section to join
  objcopy -R .comment empty.o

  # now run objdump on it
  objdump -d empty.o

Source: http://askrprojects.net/software/objdump.html

Several handy scripts

Most of the scripts are using graf's ps3dm-utils, so make sure you have them in your /bin directory. Also make sure you are using graf's kernel (graf_chokolo kernel 2.6.39).

panic1.sh

This script will panic lv1 and get you back to petitboot, without exiting to GameOS.

ps3hvc_hvcall /dev/ps3hvc panic 1

usb_dongle_auth.sh

This script will get you into Factory/Service mode, without using dongle:

echo Generating a challenge
ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_challenge
echo Generating a response '(0xAAAA)'
ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xAAAA
echo Verifying response '(0xAAAA)'
ps3dm_usb_dongle_auth /dev/ps3dmproxy verify_resp 0xAAAA
echo Checking if 'Product Mode is enabled
The returned value shouldn't be 0xff
ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07

dump_EID0.sh

This script will dump your EID0.

echo Dumping EID0
ps3dm_iim /dev/ps3dmproxy get_data 0x0 > EID0.bin

dump_EID4.sh

This script will dump your EID4.

echo Dumping EID4
ps3dm_iim /dev/ps3dmproxy get_data 0x4 > EID4.bin

get_EID0_size.sh

This script will get the size of your EID0.

echo EID0 size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x0

get_EID4_size.sh

This script will get the size of your EID4.

echo EID4 size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x4

get_metldr_size.sh

This script will get the size of metldr.

echo metldr size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x1000

nor_dump.sh

echo Dumping nor
dd if=/dev/ps3nflasha of=nor.bin

dump_ram.sh

This script will dump your ram.

echo Dumping ram
dd if=/dev/ps3ram of=ps3ram.bin

dump_vram.sh

This script will dump your vram.

echo Dumping vram
dd if=/dev/ps3vram of=ps3vram.bin

Payloader3

• http://git.dashhacks.com/payloader3/payloader3/trees/master (down)
• 2011-06-22 backup: http://gotbrew.org/payloader3.tar.gz / payloader3.tar.gz (55.55 MB)
• Up including last commit before dashhacks went down : payloader3.tar.bz2 (45.49 MB) (full git backup, also includes : payloader3-src-only.rar (2.08 MB))

Howto

1. Set firmware version in Makefile
2. Compile with "./build.sh"
3. Copy pkg file to usb stick
4. Install pkg on PS3

Precompiles

• payloader3-315.pkg (3.53 MB)
• payloader3-341.pkg (3.53 MB)

Notes

1. Loading ps3load after the payload will execute the appropriate ps3load.self, after your self exits you will be returned to the XMB.
2. Loading 'ethdebug' will load ArielX's Kammy self, after it executes you will be returned to the XMB.
3. Loading 'ethdebug/ps3load' will load ethdebug, then ps3load.

ps3load 3.55 make_self fixed

• older versions of ps3load would not work on 3.50/3.55 (¨sysProcessExitSpawn2¨ won't work proper), and you had to use 3.41 instead. This is no longer an issue with the recent version ps3load which fixed the (make_self) issue for 3.55
  • standalone precompiled version to try: PS3LOAD.gnpdrm.pkg (580.47 KB)

Using ps3load

1. make your app, produce at least an ELF
2. sprxlinker yourapp.elf (this should be done for you if you use any of the samples)
3. make_self yourapp.elf yourapp.self
4. load ps3load on the PS3
5. define the PS3LOAD environment variable in your favorite shell with tcp:ip_addr (where ip_addr is your the ip address of your PS3)
6. ps3load yourapp.self

lv2-v9.pkg

• lv2v9.pkg (111.33 KB)
• lv2-v9-pkg-content.rar (105.52 KB)

patch1

  # PL3 3.55
  # Patches marked with (*1) seem to be unstable. Thanks to drizztbsd and
  # RandomUse.
  # PL3:
  ef48: payload.bin
  # Segment 0:
  ### 24e44: 38600000 # patch_func6 *1
  55dc4: 38600000 # lv2open: patch_func8_offset1
  55f28: 60000000 # lv2open: patch_func8_offset2
  ### 79d80: 3880000090830000 # patch_func4 + patch_func4_offset *1
  ### 79d88: 4E800020 # cont'd *1
  ### 7af7c: 60000000 # patch_func9_offset *1 
  ### c1dd0: 38600000 # patch_func7 *1
  2b3298: 4BD5C050 # hook_open (patch_func3 + patch_func3_offset)
  # Segment 1:
  346688: 800000000000f2dc # syscall_map_open_desc
  # Spoof
  # *f3b8: version.bin
  # 2e8218: 800000000000f378 # syscall_versiontest
  # 2e82f0: 800000000000f3c0 # syscall_process_sdkversion
  # 16ad74: 3960000a44000002 # sha1 test
  # f3e4: find 3437353136000000
  # *fe34: 3436313335000000

patch2

  # Waninkoko V2
  # 3270: e8821030e87c0020 # load unsigned ELFs
  # 3278: f8640000
  # e7f0: 48000c50 # Some jump
  ef48: payload2.bin
  19360: 7c001fac4c00012c
  1936c: 7c0018ac7c0004ac
  24e44: 4bfea5c5 # patch_func6
  55dc4: 38600000 # patch_func8_offset1
  55f28: 60000000 # patch_func8_offset2
  79d80: 38800000908300004e800020 # patch_func4 + patch_func4_offset *1
  7af7c: 60000000 # patch_func9_offset
  c1dd0: 4bf4d639 # patch_func7
  2b3298: 4bd5bf40 # hook_open
  
  3465b0: 80000000002e81e8 # sc8
  346688: 8000000000324968 # sc35

patch3

  # Syscall36
  # by 2 anonymous people
  55f14: 60000000
  55f1c: 48000098
  7af68: 60000000
  7af7c: 60000000
  
  2be4a0: payload3.bin
  2b3274: 4800b32c2ba30420 # add a jump to payload2_start
  
  55EA0: 63FF003D60000000  # fix 8001003D error
  55F64: 3FE080013BE00000  # fix 8001003E error
  
  346690: 80000000002be570 # syscall_map_open_desc