IDA IDC Hypervisor Dump Script, PS3 Debug Firmware 3.41 Leaks

[humi]

Today Jack Chen aka anita999 has shared a PlayStation 3 IDA IDC hypervisor dump script on xorloser's blog (linked above) alongside a PS3 Debug / Test Firmware version 3.41 leak from Blackpen0 there as well!

For those curious, the IDA script is used to extract the protection page list of process obj in PS3 Hypervisor dumps.

Downloads: PS3 IDA IDC Hypervisor Dump Script / PS3 Debug Firmware v3.41 / PS3 Debug Firmware v3.41 (Mirror - Required UnRAR Password Below)

To quote: For those who are new to HV reversing like I am. Here I made a quick IDC script for those interested in tracing the process protection pages to realize the VA and RA address mapping being used by the process.

You must execute the HV_DUMP.IDC from xorloser first, then apply this IDC later because it requires a opd_table to be defined first. and it’s for 3.15 HV only because that’s the only HV dump I have. process 0 is not extractable. There seems some data missing in the process object of process 0.

I am working on a different IDC script to extract the pages to a new file in order to get a file which RA=VA so I can analyze the code more easily. Here is the output for process 6 extraction from the dump I have.

Code:

opd_addr = 003214d0
rtoc_addr = 00350470
process_table_addr = 0035e850
process_obj_addr = 00368cf0
process_protection_domain_addr = 0036a960
protection_page_addr = 0036ab00, RA=000f4000, VA=80000000, next page addr = 0036ab30
protection_page_addr = 0036ab30, RA=000f5000, VA=80001000, next page addr = 0036ab60
protection_page_addr = 0036ab60, RA=000f6000, VA=80002000, next page addr = 0036ab90
protection_page_addr = 0036ab90, RA=000f7000, VA=80003000, next page addr = 0036abc0
protection_page_addr = 0036abc0, RA=000f8000, VA=80004000, next page addr = 0036abf0
protection_page_addr = 0036abf0, RA=000f9000, VA=80005000, next page addr = 0036ac20
protection_page_addr = 0036ac20, RA=000fa000, VA=80006000, next page addr = 0036ac50
protection_page_addr = 0036ac50, RA=000fb000, VA=80007000, next page addr = 0036ac80
protection_page_addr = 0036ac80, RA=000fc000, VA=80008000, next page addr = 0036acb0
protection_page_addr = 0036acb0, RA=000fd000, VA=80009000, next page addr = 0036ace0
protection_page_addr = 0036ace0, RA=000fe000, VA=8000a000, next page addr = 0036ad10
protection_page_addr = 0036ad10, RA=000ff000, VA=8000b000, next page addr = 0036ad40
protection_page_addr = 0036ad40, RA=00700000, VA=8000c000, next page addr = 0036ad70
protection_page_addr = 0036ad70, RA=00701000, VA=8000d000, next page addr = 0036ada0
protection_page_addr = 0036ada0, RA=00702000, VA=8000e000, next page addr = 0036add0
protection_page_addr = 0036add0, RA=00703000, VA=8000f000, next page addr = 0036ae00
protection_page_addr = 0036ae00, RA=00704000, VA=80010000, next page addr = 0036ae30
protection_page_addr = 0036ae30, RA=00705000, VA=80011000, next page addr = 0036ae60
protection_page_addr = 0036ae60, RA=00706000, VA=80012000, next page addr = 0036ae90
protection_page_addr = 0036ae90, RA=00707000, VA=80013000, next page addr = 0036aec0
protection_page_addr = 0036aec0, RA=00708000, VA=80014000, next page addr = 0036aef0
protection_page_addr = 0036aef0, RA=00709000, VA=80015000, next page addr = 0036af20
protection_page_addr = 0036af20, RA=0070a000, VA=80016000, next page addr = 0036af50
protection_page_addr = 0036af50, RA=0070b000, VA=80017000, next page addr = 0036af80
protection_page_addr = 0036af80, RA=0070c000, VA=80018000, next page addr = 0036afb0
protection_page_addr = 0036afb0, RA=0070d000, VA=80019000, next page addr = 0036afe0
protection_page_addr = 0036afe0, RA=0070e000, VA=8001a000, next page addr = 0036b010
protection_page_addr = 0036b010, RA=0070f000, VA=8001b000, next page addr = 0036b040
protection_page_addr = 0036b040, RA=00710000, VA=8001c000, next page addr = 0036b070
protection_page_addr = 0036b070, RA=00711000, VA=8001d000, next page addr = 0036b0a0
protection_page_addr = 0036b0a0, RA=00712000, VA=8001e000, next page addr = 0036b0d0
protection_page_addr = 0036b0d0, RA=00713000, VA=8001f000, next page addr = 0036b100
protection_page_addr = 0036b100, RA=00714000, VA=80020000, next page addr = 0036b130
protection_page_addr = 0036b130, RA=00715000, VA=80021000, next page addr = 0036b160
protection_page_addr = 0036b160, RA=00716000, VA=80022000, next page addr = 0036b190
protection_page_addr = 0036b190, RA=00717000, VA=80023000, next page addr = 0036b1c0
protection_page_addr = 0036b1c0, RA=00718000, VA=80024000, next page addr = 0036b1f0
protection_page_addr = 0036b1f0, RA=00719000, VA=80025000, next page addr = 0036b220
protection_page_addr = 0036b220, RA=0071a000, VA=80026000, next page addr = 0036b250
protection_page_addr = 0036b250, RA=0071b000, VA=80027000, next page addr = 0036b280
protection_page_addr = 0036b280, RA=0071c000, VA=80028000, next page addr = 0036b2b0
protection_page_addr = 0036b2b0, RA=0071d000, VA=80029000, next page addr = 0036b2e0
protection_page_addr = 0036b2e0, RA=0071e000, VA=8002a000, next page addr = 0036b310
protection_page_addr = 0036b310, RA=0071f000, VA=8002b000, next page addr = 0036b340
protection_page_addr = 0036b340, RA=00720000, VA=8002c000, next page addr = 0036b370
protection_page_addr = 0036b370, RA=00721000, VA=8002d000, next page addr = 0036b3a0
protection_page_addr = 0036b3a0, RA=00722000, VA=8002e000, next page addr = 0036b3d0
protection_page_addr = 0036b3d0, RA=00723000, VA=8002f000, next page addr = 0036b400
protection_page_addr = 0036b400, RA=00724000, VA=80030000, next page addr = 0036b430
protection_page_addr = 0036b430, RA=00725000, VA=80031000, next page addr = 0036b460
protection_page_addr = 0036b460, RA=00726000, VA=80032000, next page addr = 0036b490
protection_page_addr = 0036b490, RA=00727000, VA=80033000, next page addr = 0036b4c0
protection_page_addr = 0036b4c0, RA=00728000, VA=80034000, next page addr = 0036b4f0
protection_page_addr = 0036b4f0, RA=00729000, VA=80035000, next page addr = 0036b520
protection_page_addr = 0036b520, RA=0072a000, VA=80036000, next page addr = 0036b550
protection_page_addr = 0036b550, RA=0072b000, VA=80037000, next page addr = 0036b580
protection_page_addr = 0036b580, RA=0072c000, VA=80038000, next page addr = 0036b5b0
protection_page_addr = 0036b5b0, RA=0072d000, VA=80039000, next page addr = 0036b5e0
protection_page_addr = 0036b5e0, RA=0072e000, VA=8003a000, next page addr = 0036b610
protection_page_addr = 0036b610, RA=0072f000, VA=8003b000, next page addr = 0036b640
protection_page_addr = 0036b640, RA=00730000, VA=8003c000, next page addr = 0036b670
protection_page_addr = 0036b670, RA=00731000, VA=8003d000, next page addr = 0036b6a0
protection_page_addr = 0036b6a0, RA=00732000, VA=8003e000, next page addr = 0036b6d0
protection_page_addr = 0036b6d0, RA=00733000, VA=8003f000, next page addr = 0036b700
protection_page_addr = 0036b700, RA=00734000, VA=80040000, next page addr = 0036b730
protection_page_addr = 0036b730, RA=00735000, VA=80041000, next page addr = 0036b760
protection_page_addr = 0036b760, RA=00736000, VA=80042000, next page addr = 0036b790
protection_page_addr = 0036b790, RA=00737000, VA=80043000, next page addr = 0036b7c0
protection_page_addr = 0036b7c0, RA=00738000, VA=80044000, next page addr = 0036b7f0
protection_page_addr = 0036b7f0, RA=00739000, VA=80045000, next page addr = 0036b820
protection_page_addr = 0036b820, RA=0073a000, VA=80046000, next page addr = 0036b850
protection_page_addr = 0036b850, RA=0073b000, VA=80047000, next page addr = 0036b880
protection_page_addr = 0036b880, RA=0073c000, VA=80048000, next page addr = 0036b8b0
protection_page_addr = 0036b8b0, RA=0073d000, VA=80049000, next page addr = 0036b8e0
protection_page_addr = 0036b8e0, RA=0073e000, VA=8004a000, next page addr = 0036b910
protection_page_addr = 0036b910, RA=0073f000, VA=8004b000, next page addr = 0036b940
protection_page_addr = 0036b940, RA=00740000, VA=8004c000, next page addr = 0036b970
protection_page_addr = 0036b970, RA=00741000, VA=8004d000, next page addr = 0036b9a0
protection_page_addr = 0036b9a0, RA=00742000, VA=8004e000, next page addr = 0036b9d0
protection_page_addr = 0036b9d0, RA=00743000, VA=8004f000, next page addr = 0036ba00
protection_page_addr = 0036ba00, RA=00744000, VA=80050000, next page addr = 0036ba30
protection_page_addr = 0036ba30, RA=00745000, VA=80051000, next page addr = 0036ba60
protection_page_addr = 0036ba60, RA=00746000, VA=80052000, next page addr = 0036ba90
protection_page_addr = 0036ba90, RA=00747000, VA=80053000, next page addr = 0036bac0
protection_page_addr = 0036bac0, RA=00748000, VA=80054000, next page addr = 0036baf0
protection_page_addr = 0036baf0, RA=00749000, VA=80055000, next page addr = 0036bb20
protection_page_addr = 0036bb20, RA=0074a000, VA=80056000, next page addr = 0036bb50
protection_page_addr = 0036bb50, RA=0074b000, VA=80057000, next page addr = 00127900
protection_page_addr = 00127900, RA=0075d000, VA=a0000000, next page addr = 00369e20
protection_page_addr = 00369e20, RA=0015d000, VA=a0002000, next page addr = 0036bb80
protection_page_addr = 0036bb80, RA=0074c000, VA=c0000000, next page addr = 0036bbd0
protection_page_addr = 0036bbd0, RA=0074d000, VA=c0001000, next page addr = 0036bc00
protection_page_addr = 0036bc00, RA=0074e000, VA=c0002000, next page addr = 0036bc30
protection_page_addr = 0036bc30, RA=0074f000, VA=c0003000, next page addr = 0036bc60
protection_page_addr = 0036bc60, RA=00750000, VA=c0004000, next page addr = 0036bc90
protection_page_addr = 0036bc90, RA=00751000, VA=c0005000, next page addr = 0036bcc0
protection_page_addr = 0036bcc0, RA=00752000, VA=c0006000, next page addr = 0036bcf0
protection_page_addr = 0036bcf0, RA=00753000, VA=c0007000, next page addr = 0036bd20
protection_page_addr = 0036bd20, RA=00754000, VA=c0008000, next page addr = 0036bd50
protection_page_addr = 0036bd50, RA=00755000, VA=c0009000, next page addr = 0036bd80
protection_page_addr = 0036bd80, RA=00756000, VA=c000a000, next page addr = 0036bdb0
protection_page_addr = 0036bdb0, RA=00757000, VA=c000b000, next page addr = 0036bde0
protection_page_addr = 0036bde0, RA=00758000, VA=c000c000, next page addr = 0036be10
protection_page_addr = 0036be10, RA=00759000, VA=c000d000, next page addr = 0036be40
protection_page_addr = 0036be40, RA=0075a000, VA=c000e000, next page addr = 0036be70
protection_page_addr = 0036be70, RA=0075b000, VA=c000f000, next page addr = 0036bea0
protection_page_addr = 0036bea0, RA=0075c000, VA=c0010000, next page addr = 0012fc40
protection_page_addr = 0012fc40, RA=00768000, VA=ffffd000, next page addr = 00169e90
protection_page_addr = 00169e90, RA=00769000, VA=ffffe000, next page addr = 00169ec0
protection_page_addr = 00169ec0, RA=0076a000, VA=fffff000, next page addr = 0036a988
protection_page_addr = 0036a988, RA=ffffffffffffffff, VA=ffffffff, next page addr = 0036ab00

Here is the UnRAR Password for the PS3 Debug Firmware 3.41 leak:

Code:

ds4zadf5g4,g4,4j4a9ra6z4te4tru4f14n4h;m4hljhd4g4ezet7zqe4t4gfbbw44b21dgh1s4hrqy4ery;,;jhku

More PlayStation 3 News...

[PS3 News]

Thanks humi and +Rep, I will move this to the main page later tonight also!

[CJPC]

Actually, it seems the correct password is:

Code:

ds4zadf5g4,g4,4j4a9ra6z4te4tru4f14n4h;m4hljhd4g4ezet7zqe4t4gfbbw44b21dgh1s4hrqy4ery;,;jhku

There was a space in there, perhaps due to a copy and paste error!

[barbnjason]

I'm confused.

Both the passwords have spaces in them between the ez et part.

So it is with the space or no?

[cfwprophet]

Damn thats reall great

Im allready on with testing debug files with acid cfw but couldnt get hands on 3.41 debug fw for better compatibility.

This will maybe the missing key.But first i hope that we can get a full dump of dev_flash.The dump of 3.15 was only partial one and missed a lot of files.

ps. remove the space and it will work

[CJPC]

I'm confused.

Both the passwords have spaces in them between the ez et part.

So it is with the space or no?

Yeah, whoops, no space. Added code tags, should be OK now!

[PS3 News]

I will remember to use code tags in the first post... it appears vBulletin automatically adds a space to words containing more than xx characters.

[itwong]

really cool stuff. Finally my debug can keep up with all the goodies with its retail counterpart.

CJPC, mind sharing how to get a full dump of /dev_flash, /dev_flash2, /dev_flash3 on a debug unit?

[CJPC]

Alas, I do not have a Debug unit anymore, but the simplest way to do it is to just port the JB exploit, it isn't the hardest thing to do, and then dump it right out

[cfwprophet]

Yea its still partial. So we will need to do with jb on debug con. But i don't have all files to compile a hex for pic 16f2550. Missing assambler code for that chip.

Now i need to compile for at90usb126 and send one chip to my buddy.