Update: An English update of JaicraB's KeyFindPuP application is now available HERE courtesy of kakashigr.
Just over a month ago JaicraB attempted to dump the PS3 Hypervisor LV2 (GameOS) and revealed how it was done, and today he has released a KeyFindPuP application alongside details on their PS3 LV2 dump progress.
To quote, roughly translated: Good! For business reasons I have not had occasion to pursue my hobby. Although we have less time to devote some time still.
We stayed with the method of Dump LV2, but will not be entirely useful without appropriate software, which is why I open the door in case anyone wants to help do not hesitate.
Contact firstname.lastname@example.org. HadesTeam? A small nonprofit group, we just like to learn. This group consists mainly of the following persons: JaicraB, DemonHades, Calimba, DanteHades and Druid. That said, do not hesitate to help.
Mainly we want to Lv2? As you know the PUP has a number of checks with Hmac_Sha1. If we make a clean dump of the process of installation of the Key PUP Hmac_sha1 achieve in this struggle to unpack a PUP to carry out changes and re-create the Hash.
We need a otheros.bld as simple as cash. A BLD with built the exploit and a stand to dump the memory. If someone offers volunteer program, contact. Once we have the dump is necessary to search for the Key. I have designed a program which facilitates the task: jaic_Hmac_sha1_file.zip Provide us find the Key.
The installation of the PUP has three phases:
1. Checking the hash described in PUPHeader.bin
2. UPDATE to unpack the hard disk cache area Fat32.
3. Verification and update of hardware modules.
Having a second hard drive formatted with the PS3 and have the BLD (see above). Enter the first drive and enter the recovery with the PUP in a USB.
The first process to run the PUP from the recovery checks described in the file hashes PUPHeader.bin. If everything is correct UPDATE unpacks the hard disk. At that time makes a reset and return to continue the installation.
At that time you restart and have lost the KEY, as it would be replaced by other data. Solution? Motherboard Keep constantly fed and cause instant shutdown.
"The next day the board will explain how to keep the system fed without being noticed. (Is curious to see the fan on the hard drive and other peripherals and the red light on.) Also explain how to cause instant off with a small bug on the BIOS controlled."
With these two methods can turn off the PS3 at any time hold the RAM and make a Dump.
Getting the key to restructuring a Hmac_Sha1 and PUP. The advantage of being able to change modules update. If you want to help email@example.com.
Today, not having the special BLD we are investigating the BD player with good results. Greetings!
PD: ItSuGa has volunteered to translate this page into English. Still under construction, but you can see it in http://jaicrab-en.blogspot.com/. Thanks ItSuGa.
Definitely, I'm also waiting to see what surfaces from their BD player investigation (mentioned at the end of his update) as well... props to JaicraB and crew for keeping the PS3 scene spirit alive and sharing.
So this program searches for HMAC SHA1 keys in the dump of the LV2?
It took me five times to re-read to understand it actually. From what I understood, the PUP files are checked for validity by SHA1 checksums in PUPHeader, than it begins unpacking. Once unpacked, the system restarts and if we'll dump the memory now, they key will be gone, so the solution is:
1) Run PUP update
2) Simulate reboot (cause instant shutdown while keeping motherboard on to keep the update process log as well as SHA1 signatures)
3) Run custom-built Otheros.BLD which will dump the LV2
4) search for keys and interesting stuff
Correct me if I'm wrong..
Last edited by Tidusnake666; 05-08-2010 at 09:08 AMReason: Automerged Doublepost