  1. #1
    Registered User humi's Avatar
    Join Date
    Feb 2010
    Posts
    42

    IDA IDC Hypervisor Dump Script, PS3 Debug Firmware 3.41 Leaks

    Today Jack Chen aka anita999 has shared a PlayStation 3 IDA IDC hypervisor dump script on xorloser's blog (linked above) alongside a PS3 Debug / Test Firmware version 3.41 leak from Blackpen0 there as well!

    For those curious, the IDA script is used to extract the protection page list of process obj in PS3 Hypervisor dumps.

    Downloads: PS3 IDA IDC Hypervisor Dump Script / PS3 Debug Firmware v3.41 / [Register or Login to view links] (Mirror - Required UnRAR Password Below)

    To quote: For those who are new to HV reversing like I am, here I made a quick IDC script for those interested in tracing the process protection pages to realize the VA and RA address mapping being used by the process.

    You must execute the HV_DUMP.IDC from xorloser first, then apply this IDC later because it requires an opd_table to be defined first, and it's for 3.15 HV only because that's the only HV dump I have. Process 0 is not extractable. There seems to be some data missing in the process object of process 0.

    I am working on a different IDC script to extract the pages to a new file in order to get a file in which RA=VA so I can analyze the code more easily. Here is the output for process 6 extraction from the dump I have.
    Code:
    opd_addr = 003214d0
    rtoc_addr = 00350470
    process_table_addr = 0035e850
    process_obj_addr = 00368cf0
    process_protection_domain_addr = 0036a960
    protection_page_addr = 0036ab00, RA=000f4000, VA=80000000, next page addr = 0036ab30
    protection_page_addr = 0036ab30, RA=000f5000, VA=80001000, next page addr = 0036ab60
    protection_page_addr = 0036ab60, RA=000f6000, VA=80002000, next page addr = 0036ab90
    protection_page_addr = 0036ab90, RA=000f7000, VA=80003000, next page addr = 0036abc0
    protection_page_addr = 0036abc0, RA=000f8000, VA=80004000, next page addr = 0036abf0
    protection_page_addr = 0036abf0, RA=000f9000, VA=80005000, next page addr = 0036ac20
    protection_page_addr = 0036ac20, RA=000fa000, VA=80006000, next page addr = 0036ac50
    protection_page_addr = 0036ac50, RA=000fb000, VA=80007000, next page addr = 0036ac80
    protection_page_addr = 0036ac80, RA=000fc000, VA=80008000, next page addr = 0036acb0
    protection_page_addr = 0036acb0, RA=000fd000, VA=80009000, next page addr = 0036ace0
    protection_page_addr = 0036ace0, RA=000fe000, VA=8000a000, next page addr = 0036ad10
    protection_page_addr = 0036ad10, RA=000ff000, VA=8000b000, next page addr = 0036ad40
    protection_page_addr = 0036ad40, RA=00700000, VA=8000c000, next page addr = 0036ad70
    protection_page_addr = 0036ad70, RA=00701000, VA=8000d000, next page addr = 0036ada0
    protection_page_addr = 0036ada0, RA=00702000, VA=8000e000, next page addr = 0036add0
    protection_page_addr = 0036add0, RA=00703000, VA=8000f000, next page addr = 0036ae00
    protection_page_addr = 0036ae00, RA=00704000, VA=80010000, next page addr = 0036ae30
    protection_page_addr = 0036ae30, RA=00705000, VA=80011000, next page addr = 0036ae60
    protection_page_addr = 0036ae60, RA=00706000, VA=80012000, next page addr = 0036ae90
    protection_page_addr = 0036ae90, RA=00707000, VA=80013000, next page addr = 0036aec0
    protection_page_addr = 0036aec0, RA=00708000, VA=80014000, next page addr = 0036aef0
    protection_page_addr = 0036aef0, RA=00709000, VA=80015000, next page addr = 0036af20
    protection_page_addr = 0036af20, RA=0070a000, VA=80016000, next page addr = 0036af50
    protection_page_addr = 0036af50, RA=0070b000, VA=80017000, next page addr = 0036af80
    protection_page_addr = 0036af80, RA=0070c000, VA=80018000, next page addr = 0036afb0
    protection_page_addr = 0036afb0, RA=0070d000, VA=80019000, next page addr = 0036afe0
    protection_page_addr = 0036afe0, RA=0070e000, VA=8001a000, next page addr = 0036b010
    protection_page_addr = 0036b010, RA=0070f000, VA=8001b000, next page addr = 0036b040
    protection_page_addr = 0036b040, RA=00710000, VA=8001c000, next page addr = 0036b070
    protection_page_addr = 0036b070, RA=00711000, VA=8001d000, next page addr = 0036b0a0
    protection_page_addr = 0036b0a0, RA=00712000, VA=8001e000, next page addr = 0036b0d0
    protection_page_addr = 0036b0d0, RA=00713000, VA=8001f000, next page addr = 0036b100
    protection_page_addr = 0036b100, RA=00714000, VA=80020000, next page addr = 0036b130
    protection_page_addr = 0036b130, RA=00715000, VA=80021000, next page addr = 0036b160
    protection_page_addr = 0036b160, RA=00716000, VA=80022000, next page addr = 0036b190
    protection_page_addr = 0036b190, RA=00717000, VA=80023000, next page addr = 0036b1c0
    protection_page_addr = 0036b1c0, RA=00718000, VA=80024000, next page addr = 0036b1f0
    protection_page_addr = 0036b1f0, RA=00719000, VA=80025000, next page addr = 0036b220
    protection_page_addr = 0036b220, RA=0071a000, VA=80026000, next page addr = 0036b250
    protection_page_addr = 0036b250, RA=0071b000, VA=80027000, next page addr = 0036b280
    protection_page_addr = 0036b280, RA=0071c000, VA=80028000, next page addr = 0036b2b0
    protection_page_addr = 0036b2b0, RA=0071d000, VA=80029000, next page addr = 0036b2e0
    protection_page_addr = 0036b2e0, RA=0071e000, VA=8002a000, next page addr = 0036b310
    protection_page_addr = 0036b310, RA=0071f000, VA=8002b000, next page addr = 0036b340
    protection_page_addr = 0036b340, RA=00720000, VA=8002c000, next page addr = 0036b370
    protection_page_addr = 0036b370, RA=00721000, VA=8002d000, next page addr = 0036b3a0
    protection_page_addr = 0036b3a0, RA=00722000, VA=8002e000, next page addr = 0036b3d0
    protection_page_addr = 0036b3d0, RA=00723000, VA=8002f000, next page addr = 0036b400
    protection_page_addr = 0036b400, RA=00724000, VA=80030000, next page addr = 0036b430
    protection_page_addr = 0036b430, RA=00725000, VA=80031000, next page addr = 0036b460
    protection_page_addr = 0036b460, RA=00726000, VA=80032000, next page addr = 0036b490
    protection_page_addr = 0036b490, RA=00727000, VA=80033000, next page addr = 0036b4c0
    protection_page_addr = 0036b4c0, RA=00728000, VA=80034000, next page addr = 0036b4f0
    protection_page_addr = 0036b4f0, RA=00729000, VA=80035000, next page addr = 0036b520
    protection_page_addr = 0036b520, RA=0072a000, VA=80036000, next page addr = 0036b550
    protection_page_addr = 0036b550, RA=0072b000, VA=80037000, next page addr = 0036b580
    protection_page_addr = 0036b580, RA=0072c000, VA=80038000, next page addr = 0036b5b0
    protection_page_addr = 0036b5b0, RA=0072d000, VA=80039000, next page addr = 0036b5e0
    protection_page_addr = 0036b5e0, RA=0072e000, VA=8003a000, next page addr = 0036b610
    protection_page_addr = 0036b610, RA=0072f000, VA=8003b000, next page addr = 0036b640
    protection_page_addr = 0036b640, RA=00730000, VA=8003c000, next page addr = 0036b670
    protection_page_addr = 0036b670, RA=00731000, VA=8003d000, next page addr = 0036b6a0
    protection_page_addr = 0036b6a0, RA=00732000, VA=8003e000, next page addr = 0036b6d0
    protection_page_addr = 0036b6d0, RA=00733000, VA=8003f000, next page addr = 0036b700
    protection_page_addr = 0036b700, RA=00734000, VA=80040000, next page addr = 0036b730
    protection_page_addr = 0036b730, RA=00735000, VA=80041000, next page addr = 0036b760
    protection_page_addr = 0036b760, RA=00736000, VA=80042000, next page addr = 0036b790
    protection_page_addr = 0036b790, RA=00737000, VA=80043000, next page addr = 0036b7c0
    protection_page_addr = 0036b7c0, RA=00738000, VA=80044000, next page addr = 0036b7f0
    protection_page_addr = 0036b7f0, RA=00739000, VA=80045000, next page addr = 0036b820
    protection_page_addr = 0036b820, RA=0073a000, VA=80046000, next page addr = 0036b850
    protection_page_addr = 0036b850, RA=0073b000, VA=80047000, next page addr = 0036b880
    protection_page_addr = 0036b880, RA=0073c000, VA=80048000, next page addr = 0036b8b0
    protection_page_addr = 0036b8b0, RA=0073d000, VA=80049000, next page addr = 0036b8e0
    protection_page_addr = 0036b8e0, RA=0073e000, VA=8004a000, next page addr = 0036b910
    protection_page_addr = 0036b910, RA=0073f000, VA=8004b000, next page addr = 0036b940
    protection_page_addr = 0036b940, RA=00740000, VA=8004c000, next page addr = 0036b970
    protection_page_addr = 0036b970, RA=00741000, VA=8004d000, next page addr = 0036b9a0
    protection_page_addr = 0036b9a0, RA=00742000, VA=8004e000, next page addr = 0036b9d0
    protection_page_addr = 0036b9d0, RA=00743000, VA=8004f000, next page addr = 0036ba00
    protection_page_addr = 0036ba00, RA=00744000, VA=80050000, next page addr = 0036ba30
    protection_page_addr = 0036ba30, RA=00745000, VA=80051000, next page addr = 0036ba60
    protection_page_addr = 0036ba60, RA=00746000, VA=80052000, next page addr = 0036ba90
    protection_page_addr = 0036ba90, RA=00747000, VA=80053000, next page addr = 0036bac0
    protection_page_addr = 0036bac0, RA=00748000, VA=80054000, next page addr = 0036baf0
    protection_page_addr = 0036baf0, RA=00749000, VA=80055000, next page addr = 0036bb20
    protection_page_addr = 0036bb20, RA=0074a000, VA=80056000, next page addr = 0036bb50
    protection_page_addr = 0036bb50, RA=0074b000, VA=80057000, next page addr = 00127900
    protection_page_addr = 00127900, RA=0075d000, VA=a0000000, next page addr = 00369e20
    protection_page_addr = 00369e20, RA=0015d000, VA=a0002000, next page addr = 0036bb80
    protection_page_addr = 0036bb80, RA=0074c000, VA=c0000000, next page addr = 0036bbd0
    protection_page_addr = 0036bbd0, RA=0074d000, VA=c0001000, next page addr = 0036bc00
    protection_page_addr = 0036bc00, RA=0074e000, VA=c0002000, next page addr = 0036bc30
    protection_page_addr = 0036bc30, RA=0074f000, VA=c0003000, next page addr = 0036bc60
    protection_page_addr = 0036bc60, RA=00750000, VA=c0004000, next page addr = 0036bc90
    protection_page_addr = 0036bc90, RA=00751000, VA=c0005000, next page addr = 0036bcc0
    protection_page_addr = 0036bcc0, RA=00752000, VA=c0006000, next page addr = 0036bcf0
    protection_page_addr = 0036bcf0, RA=00753000, VA=c0007000, next page addr = 0036bd20
    protection_page_addr = 0036bd20, RA=00754000, VA=c0008000, next page addr = 0036bd50
    protection_page_addr = 0036bd50, RA=00755000, VA=c0009000, next page addr = 0036bd80
    protection_page_addr = 0036bd80, RA=00756000, VA=c000a000, next page addr = 0036bdb0
    protection_page_addr = 0036bdb0, RA=00757000, VA=c000b000, next page addr = 0036bde0
    protection_page_addr = 0036bde0, RA=00758000, VA=c000c000, next page addr = 0036be10
    protection_page_addr = 0036be10, RA=00759000, VA=c000d000, next page addr = 0036be40
    protection_page_addr = 0036be40, RA=0075a000, VA=c000e000, next page addr = 0036be70
    protection_page_addr = 0036be70, RA=0075b000, VA=c000f000, next page addr = 0036bea0
    protection_page_addr = 0036bea0, RA=0075c000, VA=c0010000, next page addr = 0012fc40
    protection_page_addr = 0012fc40, RA=00768000, VA=ffffd000, next page addr = 00169e90
    protection_page_addr = 00169e90, RA=00769000, VA=ffffe000, next page addr = 00169ec0
    protection_page_addr = 00169ec0, RA=0076a000, VA=fffff000, next page addr = 0036a988
    protection_page_addr = 0036a988, RA=ffffffffffffffff, VA=ffffffff, next page addr = 0036ab00
    Here is the UnRAR Password for the PS3 Debug Firmware 3.41 leak:
    Code:
    ds4zadf5g4,g4,4j4a9ra6z4te4tru4f14n4h;m4hljhd4g4ezet7zqe4t4gfbbw44b21dgh1s4hrqy4ery;,;jhku
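
The VA-to-RA mapping shown in the quoted script output, as an added Python example (not part of the original post or of the IDC script): it parses lines in that format, merges pages into contiguous runs, and translates a VA to its RA. The 0x1000 page size and the reading of the `RA=ffffffffffffffff` line as the end of the list are assumptions.

```python
import re

PAGE = 0x1000                 # assumption: page size inferred from the VA stride in the listing
END_RA = 0xFFFFFFFFFFFFFFFF   # assumption: RA on the listing's last line marks the end of the list

# Subset of lines copied from the process 6 listing above, in printed order.
SAMPLE = """\
protection_page_addr = 0036ace0, RA=000fe000, VA=8000a000, next page addr = 0036ad10
protection_page_addr = 0036ad10, RA=000ff000, VA=8000b000, next page addr = 0036ad40
protection_page_addr = 0036ad40, RA=00700000, VA=8000c000, next page addr = 0036ad70
protection_page_addr = 0036ad70, RA=00701000, VA=8000d000, next page addr = 0036ada0
protection_page_addr = 00127900, RA=0075d000, VA=a0000000, next page addr = 00369e20
protection_page_addr = 00369e20, RA=0015d000, VA=a0002000, next page addr = 0036bb80
protection_page_addr = 0036a988, RA=ffffffffffffffff, VA=ffffffff, next page addr = 0036ab00
"""

LINE = re.compile(r"protection_page_addr = ([0-9a-f]+), RA=([0-9a-f]+), "
                  r"VA=([0-9a-f]+), next page addr = ([0-9a-f]+)")

def parse(text):
    """Return [(va, ra)] in listing order, stopping at the end marker."""
    pages = []
    for m in LINE.finditer(text):
        ra, va = int(m.group(2), 16), int(m.group(3), 16)
        if ra == END_RA:
            break
        pages.append((va, ra))
    return pages

def coalesce(pages):
    """Merge pages into [va_start, ra_start, length] runs contiguous in both VA and RA."""
    runs = []
    for va, ra in sorted(pages):
        last = runs[-1] if runs else None
        if last and last[0] + last[2] == va and last[1] + last[2] == ra:
            last[2] += PAGE
        else:
            runs.append([va, ra, PAGE])
    return runs

def translate(runs, va):
    """Map a virtual address to its real address, or None if the VA is unmapped."""
    for va0, ra0, size in runs:
        if va0 <= va < va0 + size:
            return ra0 + (va - va0)
    return None

if __name__ == "__main__":
    for va0, ra0, size in coalesce(parse(SAMPLE)):
        print(f"VA {va0:08x}-{va0 + size - 1:08x} -> RA {ra0:08x} ({size // PAGE} pages)")
```

On this subset the run starting at VA 8000a000 breaks at 8000c000: the virtual range continues, but the RA jumps from 000ff000 to 00700000.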



  2. #2
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,459
    Thanks humi and +Rep, I will move this to the main page later tonight also!

  3. #3
    Toucan Sam CJPC's Avatar
    Join Date
    Apr 2005
    Posts
    2,174
    Actually, it seems the correct password is:

    Code:
    ds4zadf5g4,g4,4j4a9ra6z4te4tru4f14n4h;m4hljhd4g4ezet7zqe4t4gfbbw44b21dgh1s4hrqy4ery;,;jhku
    There was a space in there, perhaps due to a copy and paste error!

  4. #4
    Contributor barbnjason's Avatar
    Join Date
    Apr 2005
    Posts
    173
    I'm confused.

    Both the passwords have spaces in them between the ez et part.

    So it is with the space or no?

  5. #5
    Senior Member cfwprophet's Avatar
    Join Date
    Jul 2008
    Posts
    1,815
    Damn, that's really great.

    I'm already on with testing debug files with acid cfw but couldn't get hands on 3.41 debug fw for better compatibility.

    This will maybe be the missing key. But first I hope that we can get a full dump of dev_flash. The dump of 3.15 was only a partial one and missed a lot of files.

    ps. remove the space and it will work
    Last edited by cfwprophet; 12-01-2010 at 10:56 PM

  6. #6
    Toucan Sam CJPC's Avatar
    Join Date
    Apr 2005
    Posts
    2,174
    Quote: Originally Posted by barbnjason
    I'm confused.

    Both the passwords have spaces in them between the ez et part.

    So it is with the space or no?
    Yeah, whoops, no space. Added code tags, should be OK now!

  7. #7
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,459
    I will remember to use code tags in the first post... it appears vBulletin automatically adds a space to words containing more than xx characters.

  8. #8
    Senior Member itwong's Avatar
    Join Date
    Mar 2006
    Posts
    93


    Really cool stuff. Finally my debug can keep up with all the goodies with its retail counterpart.

    CJPC, mind sharing how to get a full dump of /dev_flash, /dev_flash2, /dev_flash3 on a debug unit?

  9. #9
    Toucan Sam CJPC's Avatar
    Join Date
    Apr 2005
    Posts
    2,174
    Alas, I do not have a Debug unit anymore, but the simplest way to do it is to just port the JB exploit, it isn't the hardest thing to do, and then dump it right out

  10. #10
    Senior Member cfwprophet's Avatar
    Join Date
    Jul 2008
    Posts
    1,815
    Yea, it's still partial. So we will need to do it with jb on debug con. But I don't have all files to compile a hex for pic 16f2550. Missing assembler code for that chip.

    Now i need to compile for at90usb126 and send one chip to my buddy.

 
