Talk:Graf's PSGroove Payload: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 1: Line 1:
----
=QA-Flag Token Combo=
==HowTo==
===Install Linux===
===Install BootOS===
===LV2===
===How to dump the Dummy Token===
===Decrypt the Token and Edit it===
===How to make a Real Token===
===How to install the Real Token===
===Combo===
----
==old scratchpad==
''(marked for deletion after above text is filled in)''
<pre>
<pre>
<Slynk> Hmm had a thought : / You know how the token and token seed are made at the same time? That means the token seed isn't passed into the processor... what is? It can't be just your idps right? Unless sony doesn't use the HV to make their tokens. There must be other info passed in that determines whether you receive a dummy token or the full one. ... Just a thought. ^^;
<Slynk> Hmm had a thought : / You know how the token and token seed are made at the same time? That means the token seed isn't passed into the processor... what is? It can't be just your idps right? Unless sony doesn't use the HV to make their tokens. There must be other info passed in that determines whether you receive a dummy token or the full one. ... Just a thought. ^^;
Line 8: Line 26:
<rms> seed is calculated from eid which allows token to be calculated. its more of a byproduct/intermediate product. if you do the math, its simple: v+s+f+h=t
<rms> seed is calculated from eid which allows token to be calculated. its more of a byproduct/intermediate product. if you do the math, its simple: v+s+f+h=t
</pre>
</pre>
----
 
 
*the seed value is made from your EID (from a NAND/NOR dump, either software with payload, or hardware)
*the seed value is made from your EID (from a NAND/NOR dump, either software with payload, or hardware)
*updater manager calls spu_token_processor
*updater manager calls spu_token_processor
Line 26: Line 45:
<!--// erk: 0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED  //  iv: 0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E  //  hmac: 0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A  //-->
<!--// erk: 0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED  //  iv: 0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E  //  hmac: 0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A  //-->


----


*combo is in vsh
*combo is in vsh
Line 35: Line 53:
then use the left joystick, and press: down, right, right, down, right, right, down, right, right, down, right, right, start.
then use the left joystick, and press: down, right, right, down, right, right, down, right, right, down, right, right, start.
</pre>^above combo is 13+2 buttons (too long)...
</pre>^above combo is 13+2 buttons (too long)...
----

Revision as of 02:10, 29 May 2011


QA-Flag Token Combo

HowTo

Install Linux

Install BootOS

LV2

How to dump the Dummy Token

Decrypt the Token and Edit it

How to make a Real Token

How to install the Real Token

Combo


old scratchpad

(marked for deletion after above text is filled in)

<Slynk> Hmm had a thought : / You know how the token and token seed are made at the same time? That means the token seed isn't passed into the processor... what is? It can't be just your idps right? Unless sony doesn't use the HV to make their tokens. There must be other info passed in that determines whether you receive a dummy token or the full one. ... Just a thought. ^^;

<rms> i can make my own tokens from a nor/nand dump. just like hypervisor

<kevin6548> so what does that mean when a sedd is created it passes something to proccessor . nit the whole seed but a by product of creating it . is that theroy

<rms> seed is calculated from eid which allows token to be calculated. its more of a byproduct/intermediate product. if you do the math, its simple: v+s+f+h=t


  • the seed value is made from your EID (from a NAND/NOR dump, either software with payload, or hardware)
  • updater manager calls spu_token_processor
  • sent out of spu_token_processor
  • IBM Cell Simulator with SE Linux (not the ancient Sony SPU Simulator from old pre 0.9x SDKs)
  • seed : 80 bytes, only the first 20 are populated

there are two algorithms used (one's an alternative of a hashing algorithm / one's a block cipher):

  • HMAC-SHA1
  • AES 256 CBC - Advanced Encryption Standard Cipher-block chaining; fixed block size 128 bit, key size 256 bit - with 4x4 byte matrices
erk: 0x341812376291371C8BC756FFFC611525403F95A8EF9D0C996482EEC216B562ED
iv: 0xE8663A69CD1A5C454A761E728C7C254E
hmac: 0xCC30C4229113DB25733553AFD06E8762B3729D9EFAA6D5F35A6F58BF38FF8B5F58A25BD9C9B50B01D1AB4028676968EAC7F88833B662935D7506A6B5E0F9D97A


  • combo is in vsh
  • combo > 3 < 10 buttons
Goto Network Settings
Hold on L1 and R1
then use the left joystick, and press: down, right, right, down, right, right, down, right, right, down, right, right, start.

^above combo is 13+2 buttons (too long)...