Project: POC of PS3 RAM Dump and Decrypting 3.6+ Games

[Brenza]

You can't run BM on unmodified firmware as they use some function that sony obvioulsy doesn't provide! moreover retail payload will never work on a debug ofw\cfw\mfw

Debug ps3 can run backup, you just have to use ps3gen to "burn them on a hdd" and then mount them from settings\debug options\bd emulator

ps3hen sure you can run retail games on a debug console. The debug fw and retail fw have the exact same keys. Who have told you that you can't run retail games on a debug console ?

brenza How you want to dump a game on the fly with a debug ?

I don't know how to do this but some "friend" told me it's possible because some flaws in ps3 firmware that still exist in 4.11 debug and she also think that it how to get your hands on the eboot... i know this may seem to be the story of "a friend of my cousin told me that one of his friend..." but i'm quite confident she is telling the truth!

Anyway i don't know anything more than what i've already said so if you wanna try you're free, if you don't just ignore my post! =)

Is it possible dump ram while starting a game? I don't know that but i think it shoud be possible make make partial reboot after decript the eboot.bin so you can dump the decrypted file directly from ram before it has to be erased it get erased!

[PSNBRICK]

Well the option "Core Dump" on "Debug Settings" just don't dump the user area where are the EBOOTS but it can dump some good things more like a debugging tool.

[ps3hen]

ps3hen sure you can run retail games on a debug console. The debug fw and retail fw have the exact same keys. Who have told you that you can't run retail games on a debug console ?

Well then I'm wrong, I'm sure I read it somewhere. Maybe I'm thinking of the NPDRM, can debug PS3s understand retail NPDRM?

So if I'm understanding this right, Debug FWs can load fselfs and proper selfs?

[Transient]

It seems to me that you could easily verify the method works by simply self-signing a known decrypted eboot and then using your process to extract it from RAM. If the extracted copy is a binary match, then you have success.

I sort of figured this is how they manage to get their eboots. The trick of course would be knowing when and where to look in RAM as things aren't likely to be simply lying around for long or in a linear format.

Anyway, hats off to you and your team for this accomplishment. And don't pay any attention to the haters, they probably work for Sony.

[ps3hen]

Well considering that you can run retail games on a debug PS3, there should be many ways to obtain the decrypted eboot.bin

[Brenza]

It seems to me that you could easily verify the method works by simply self-signing a known decrypted eboot and then using your process to extract it from RAM. If the extracted copy is a binary match, then you have success.

I sort of figured this is how they manage to get their eboots. The trick of course would be knowing when and where to look in RAM as things aren't likely to be simply lying around for long or in a linear format.

Anyway, hats off to you and your team for this accomplishment. And don't pay any attention to the haters, they probably work for Sony.

I think it use a random location, you can both trying dump the entire ram and then search in the dump or find a way to make ps3 use a custom memory location

Anyway you should be able to get the decrypted file, this won't be useful for those who are not using a 3.55 cfw but we may say goodbye to all drm dongles

[cfwprophet]

PSNBRICK WRONG! What you think the core dump option is made for ? It's to do a core dump from user space where the game elf run if a exception is recognized. So then the dev's get a core dump file and a txt file. With thoes both files they can exactly see where the code stop to work and start to debug it.

Transient Nearly correct but much more simplier. You don't need to know the correct timing or such stuff. Well...read on the end of my post

ps3hen Yep a Debug just run everything Fake self's and Retail self's and even retail npdrm. The beast just don't let you install a retail signed pkg but there are ways around that. Get a retail update, extract it, gen a debug pkg with a fake fself_npdrm in it, install it to get it registrated on your console, start Target Manager and transfare your retail signed npdrm eboot.bin into that folder.
Start the game/app and be surprized that the PS3 with debug fw will not spit out any error message

Brenza Also nice suggestion but also wrong. It's more simplier. Anyway...

I finished my app just for a few and it is working. Now let us see if we get some retail game self's decrypted out of RAM I will, like every time, inform you in this thread and also release my app and the source for it even if we can't get retail self's decrypted into the ram. Also i will then finally tell you exactly what we have done and how to do it by yourself.

But keep in mind IF it works and we get some decrypted retail games out that i first want to release a few games and cleaning the scene before i release the source and the app and make everything open and free for all.

[ipheyzatsuke]

nice information... useful for me..

[Tepoo]

so that means we will be able to install a debug fw on our retail systems, and with your tools we can unpack and resign the games with a fake key that the debug console accept it.

if this would work, wouldnt sony just change the debug fw? like "only a specific key can be used on the debug firmwares"?

[maxiosuna]

love your work, thx