
  1. #1 PS3 News (Forum Moderator), Join Date: Apr 2005, Posts: 27,739

    Graf Chokolo Shares PS3 LV2 Kernel Decrypter PSGroove Payload

    As a follow-up to his recent PS3 SELF Decrypter PSGroove Payload and PS3 3.50 Firmware Decryption work, today PlayStation 3 developer graf_chokolo has released a PS3 LV2 Kernel Decrypter payload for PSGroove.

    Download: PS3 LV2 Kernel Decrypter PSGroove Payload

    To quote from his comment on xorloser's blog, linked above:
    graf_chokolo says:

    I just released my lv2 kernel decrypter. You need metldr, lv2ldr, RL_FOR_PROGRAM.img and lv2_kernel.self. You first have to dump your metldr from FLASH memory. lv2ldr you will also find in your FLASH memory or in the decrypted CORE_OS_PACKAGE.pkg from PUP files.

    RL_FOR_PROGRAM.img is a revoke list for programs and can also be found in PUP files. lv2_kernel.self is in your FLASH memory or in the decrypted CORE_OS_PACKAGE.pkg.

    First I send all files to the PS3 and store them in memory. After that I load metldr in isolation mode and pass it the address of lv2ldr. The code is very low level and many things are done by directly manipulating SPU registers.

    If you have any questions or problems, feel free to contact me or ask here. I will try to help you. I will try to document my findings on my homepage.

    I also uploaded code which can communicate with the USB Dongle Authenticator by using the Dispatcher Manager without using any GameOS functions. It's exactly what GameOS does, just low level.

    Have fun guys.

    lv2_kernel.self from 1.10 firmware decrypted.


    Guys, just to make sure that you know: the LV2 decrypter is also a PS2 emu decrypter, just change the LPAR auth id in the code. PS2 emu is like GameOS, it's LV2 and is decrypted by lv2ldr.

    Just decrypted vsh.self from 1.10 firmware. Just like the good old days.

    I decrypted software_update_plugin.sprx but didn't have time to reverse it yet.

    metldr

    Loading metldr
    • The physical/virtual memory address of an isolation module that should be loaded by metldr is written into the SPU register SPU_In_Mbox. The SPU register SPU_In_Mbox is 32-bit, so the 64-bit memory address is written in 2 steps.
    • MFC relocation is turned off by clearing the R-bit in the SPU register MFC_SR1. By doing this, the HV enables real address mode for the MFC of the SPU.
    • On GameOS, it also works with relocation on. You just have to initialize the SLB of the SPU and insert valid SLB entries.
    • The physical/virtual memory address of metldr is written to the SPU registers Sig_Notify1 and Sig_Notify2.
    • The isolation load request is enabled by writing the SPU register SPU_PrivCntl.
    • The isolation load request is made by writing the value 0x3 into the SPU register SPU_RunCntl.

    Methods

    SPE_load_request_metldr - 0x002B00A4 (3.15)

    lv2ldr
    • lv2ldr is used to decrypt lv2_kernel.self.
    • Syscalls 0x10042 and 0x1004A use lv2ldr.
    • Syscall 0x10042 is used by HV Process 3 during LV2 LPAR construction.
    • Syscall 0x1004A uses different parameters than syscall 0x10042.

    Methods

    SPE_load_request_lv2ldr_1 - 0x002AE82C (3.15)

    SPE_load_request_lv2ldr_2 - 0x002AE8D8 (3.15)

    Loading lv2ldr
    • The 64-bit memory address of lv2ldr is written into the 32-bit SPU register SPU_In_Mbox.
    • metldr is loaded.

    Decrypting SELFs with appldr and lv1_undocumented_function_99
    • lv1_undocumented_function_99 loads and prepares appldr for SELF decryption.
    • When appldr is ready to decrypt data, it sends a message via mailbox.
    • The address and the size of the encrypted data are passed to appldr via shared memory.

  2. #2 silencephaze (Junior Member), Join Date: Feb 2008, Posts: 128
    Great, awesome news!!

  3. #3 Banned User, Join Date: Mar 2008, Posts: 303
    I hope some guy like Dark Alex will use this great information and create a nice custom firmware so that we don't need the jailbreak solution anymore. I'm sick of the procedure.

    turn off - turn on - push start - push eject... *sick of it >.< *

  4. #4 qiuhuahui1 (Banned User), Join Date: Jan 2009, Posts: 1
    I see it will work eventually, and somebody will turn out to be revolutionary.

    I wonder how this payload can be used? Burn this to PS3YES Pro?
    Last edited by qiuhuahui1; 12-10-2010 at 12:41 AM. Reason: Automerged Doublepost

  5. #5 silencephaze (Junior Member), Join Date: Feb 2008, Posts: 128
    Can't wait to see where this goes, more news like this.

  6. #6 hunterrr (Registered User), Join Date: Jan 2010, Posts: 175
    Quote Originally Posted by Warrorar:
    I hope some guy like Dark Alex will use this great information and create a nice custom firmware so that we don't need the jailbreak solution anymore. I'm sick of the procedure.

    turn off - turn on - push start - push eject... *sick of it >.< *
    You should be happy it's that easy to run unsigned code on the PS3.

  7. #7 Haksam (Registered User), Join Date: Jan 2010, Posts: 81
    Quote Originally Posted by hunterrr:
    You should be happy it's that easy to run unsigned code on the PS3.
    It's barely a year and there's whinging already.

    Here's a tip: don't bother switching off your PS3 if you're gonna game day and night.

  8. #8 Preceptor (Senior Member), Join Date: Apr 2008, Posts: 146
    Quote Originally Posted by qiuhuahui1:
    I see it will work eventually, and somebody will turn out to be revolutionary.
    No offense mate, but graf IS revolutionary... In my opinion he is the one who has done the most for the scene since geohot. (Of course there was the PSJailbreak, but nobody knows who made it or how, probably using geohot's exploit.)

  9. #9 cfwprophet (Senior Member), Join Date: Jul 2008, Posts: 1,815
    OK, to everyone: forget the FULL installable CFW for the time being and be happy with a USB-loaded one.

    As xorloser has taught us, they are signed and at the moment we cannot make such a CFW. Only via firmware loaders can we have such a FW.

    A BIG THX to grafchokolo for sharing his research. Now we can go to the next step and get our hands on the lv2 kernel, which is the key for some nice support for our CFW, like OtherOS or PS2 support in FW without the need for tricks or additional special payloads.

    If we can do something, we will try to do it with our own CFW payload that will be used with our or another CFW (like Rebug) to boot directly into a customized OS or enable things like the above.

  10. #10 suwan116 (Registered User), Join Date: Dec 2010, Posts: 6
    What does this mean in regards to GT5? Will we ever see GT5 on jailbreak?

© 2014 PlayStation 3 News