  1. #31 Brenza (Senior Member; Join Date: Sep 2010; Posts: 293)
    Sony can read pretty much anything they want. Every time you connect the PS3 to the internet (NB: internet, not PSN) it automatically uploads the log files.

    These files contain all the PS3 activity. Sony's FW is 175MB of code (compressed) and they could put some checks anywhere in the firmware; if one of these checks finds out that your PS3 is running a non-original firmware, Sony'll know it.

    The only thing we can do is locate these checks and find out a way to bypass all of them.

  2. #32 PS3 News (Forum Moderator; Join Date: Apr 2005; Posts: 26,871)

    PS3 IDPS Changer v1.1 Homebrew Application is Now Available

    Following up on the PS3 IDPS Proj3ct, today PlayStation 3 developer Joris (aka JorisD33) has made available PS3 IDPS Changer version 1.1 followed by v1.3 and IDPSet v0.6 with details below.

    Download: PS3 IDPS Changer v1.1 / PS3 IDPS Changer v1.1 (Mirror) / PS3 IDPS Changer v1.3 / IDPS_Changer.zip (Latest Version) / idpstool.pkg / IDPSet_v0.6.pkg (IDPSTool and IDPSet by Zar to change PS3 IDPS)

    From the ReadMe File:

    What does this application do?

    This application will change your IDPS and optionally your MAC address in your flash dump.

    How can I use it?

    Just put a VALID(!) NOR/NAND dump called dump.bin and your eEID Root Key called eid_root_key.bin into the same directory, run the program and enter your new IDPS.

    Your modified dump will be created as dump_patched.bin, you just have to flash it back to your console.

    How can I dump my eEID Root Key?

    http://www.ps3news.com/ps3-hacks-jai...now-available/

    How can I dump my flash?
    • Hardware flasher (E3, Teensy, Progskeet...)
    • Multiman
    • ...




    How can I byte-reverse my dump?

    Flowrebuilder: FlowRebuilder v.4.2.3.0.exe / FlowRebuilder v.4.2.3.0.exe (Mirror)

    4.2.3.0 Changelog:
    • added support to manage NAND preloader dumps
    • message user about the type of dump
    • message the user if bootloader are missing
    • auto-recognize if dump is normal or byte swapped and automanage them

    If you byte-reverse your dump before using this application, remember to byte-reverse it back after the procedure.

    CHANGELOG 1.0:
    • Initial release

    Finally, from haz367: proper eid0 section/part conversion so the new idps at least has correct values after it (cex2dex offsets 002F090-2F14F//omac hash)

    offset 2F077/2F07F (new idps)

    offsets/block: 2F090-2F14F - new values calculated/added to have a valid idps change? At least better than only changing the IDPS line

    offset 303D7/303DF (new idps)

    offset 3F040-3F045 (new mac)

    Tested offline and trashed with my own dumps. Not needed, but people deserve a second chance, right? Only need to brick another PS3 to get a new idps. Great share for that.

    Update: PS3 IDPS Changer v1.3 Changelog: Here is the latest version of this sweet little app. I had trouble using all versions prior and now I have permanently installed a new IDPS on over 30 systems. Make sure you have OpenSSL installed via Cygwin, enable XP SP2 compatibility on openssl.exe. Then grant admin access to openssl.exe as well as IDPS Changer, then drop these files in the Cygwin directory to ensure all the needed DLL files are present.

    Name your eEID Root Key - eid_root_key.bin (obtained via FW 3.55)
    Name your NOR/NAND dump - dump.bin

    Then place these in the cygwin folder as well with the other stuff we just installed/added

    Then simply run the IDPS Changer.exe and follow instructions, this also allows changing of your MAC address. After the app is done simply rename the dump_patched.bin to the following depending on your flash type NAND or NOR.

    Nor model = CEX-FLASH.FULL.EID0.NORBIN

    Nand model = CEX-FLASH.FULL.EID0.NANDBIN

    Once you have named the file copy on to a flash drive and open mM and go to mMOS then open the drive with the newly patched dump. Double click on it and wait for it to install. Once done reboot your system and go back to mM and the settings and look at your new MAC/IDPS on your freshly unbanned PS3.

    Update: IDPSTool, which has become IDPSet v0.6, is now available (linked above) by Zar from the PS3Gunz French site.

    With this new version, you can permanently change your console IDPS (NAND and NOR). You just have to run IDPSet on your CFW (with Eid Root Key and valid IDPS on your USB key).


  3. #33 s25s (Contributor; Join Date: Feb 2011; Posts: 8)
    Great work.

    We also need an update for changing the PSID, because some bans are on the PSID.

  4. #34 onik (Registered User; Join Date: May 2013; Posts: 3)
    Is there any possibility of a brick while reflashing?

  5. #35 mahidi (Contributor; Join Date: Jan 2011; Posts: 28)
    DLL files are missing. After downloading the DLL it's still asking me for ssleay32.dll. Why couldn't they make this program perfectly?

  6. #36 PS3 News (Forum Moderator; Join Date: Apr 2005; Posts: 26,871)

    PS3 IDPS / PSID Changer by Zecoxao, Permanently Change IDPS / PSID

    Following up on the previous PS3 IDPS Changer and ChangePSID, today PlayStation 3 developer zecoxao has released an updated PS3 IDPS / PSID Changer with details below.

    Download: idps_psid_changer.zip / http://www.dll-files.com/dllindex/dll-files.shtml?cygwin1 / idps_psid_changer.zip (Mirror) / idps_psid_changer.zip (Mirror #2)

    To quote: Ok guys, so here's something I have for you. This is an idps/psid changer.

    This changes the idps in section 0 or section 6 and the psid in section B (not A, sorry, I corrected that on the wiki) PERMANENTLY on flash. So, you know the drill: be VERY careful when using this tool and always take precautions with a flasher.

    You're going to need 5 things: root_key, a backup of your nor flash (only nor is supported at the moment but you can easily make it compatible for nand consoles by changing the offsets at merge_section as well as change the name to whatever you wish to call your flash), a back up of eid (you can obtain this with flow rebuilder or using memdump) and, obviously, the idps and the psid you want to use on your console.

    As for the final hash in each section, the libeeid creator was kind enough to take care of that, so don't worry about that but PLEASE use valid idps and psid files!!!

    Any questions, please ask. And yes, that handles cex2dex too.
    Code:
    hex 0 1 2 3 4 5 6 7 8 9 A B
    dec 1 2 3 4 5 6 7 8 9 10 11 12 <- 12 sections
    Anyway, I figured this might be easier to use than c2d, because you can take a look at the source yourself and see and do your own changes, in case there's anything wrong.

    WARNING. IF YOU USE THIS AND SOMETHING BAD HAPPENS. IT'S YOUR RESPONSIBILITY.

    Finally, in related news zecoxao has also made available a PPU Binary Backup Manager but it needs testing.

    To quote: I have a binary of a backup manager precompiled a long time ago. I'm not sure if it's even possible to boot it, but I'm convinced this binary is meant either for 3.41 or 3.55, but I need someone to test it.

    Here's the binary.. please report if it works signed as disc eboot/npdrm eboot on 3.55 or 3.41. Thanks.

    Download: test.elf

    To avoid creating unnecessary new threads I'll just post this here. I also need someone who can test this pkg.

    PLEASE be careful about this one and keep a flasher with a backup of your flash with you! this is dump_flash from gitbrew in psl1ght v1.

    This contains two changes. There's an additional poke in the memory for NAND flash dumping to allow the bootldr unmasking (as per a specific wiki section on the Hardware flashing page), and there are no debug outputs with udp_printf, so it should be faster to dump. This is ONLY for 3.55!

    You can see the code on wargio's repository (github.com/wargio/dump_flash), but it's adapted to v2. To use it on v1, simply change the file lv2_syscalls.h to the one on gitbrew on the common git, and the Makefile must have the respective include for ppu.mk in v1 (it differs in v2). If you just want to use the repository you can clone it or fork it. Careful with it though; it's not guaranteed it works!

    What remains...

    mc_iso and me_iso individuals seed (unknown what this does at the present time)

    EID1 and EID5 still uncovered
    EID0 sections 2,3,4,5,6,8,9,10 (marked as 1,2,...11) still uncovered. BD Drive Firmware (any kind) can't be decrypted yet through the computer. SYSCON Firmware (any kind) can't be decrypted yet through the computer.

    Private Keys can't be obtained (unless somehow someone had a quantum computer with >1000 qubits of processing power and Shor's Algorithm at hand...). AES can't be compromised (maybe in the near future).

    Per-console key 0 can't be obtained so far. What you see here is what remains. If anything happens that makes any of these things possible or understandable or achievable, I'll delete the respective part of them.

    Debunking the idps

    Here's my debunking of the idps or console id as you know.

    Combinations: pastie.org/private/61rdfam68ipwtmvrmgnixg#10
    Code:
    idps combinations

    00 00 00 01 00    00
    1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16

    c  c  c  c  c  17 c  14 5  49 r  r  r  r  r  r

    with known constants :                    16412805891998351360 possibilities
    knowing target id :                         965459170117550080 possibilities
    knowing target id and revision :             68961369294110720 possibilities
    discounting static dummy idps 9th byte :     55169095435288576 possibilities
    discounting static dummy idps 10th byte :    54043195528445952 possibilities
    knowing all first 10 bytes :                   281474976710656 possibilities

    c=constant
    r=random
    n=number of possibilities for byte
    9th byte list (from wiki): pastie.org/private/lqwgs1qzh1jd14kmbea8a
    Code:
    03
    
    00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81 SD System Debugger / DECR Reference Tool / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) Static Dummy IDPS  
    
    04
    
    00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0 ARC Arcade 0x04 GECR-1100 (COK-002) (COK-002 without Bluetooth/Wifi)  
    00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80  0xA0 ARC Arcade 0x08 GECR-1500 (VER-001) (VER-001 without Bluetooth/Wifi)  
    
    10
    
    00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  0x8A CEX Retail or Shop Kiosk - South Asia 0x01 CECHA (COK-001)  
    00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B  0x84 CEX Retail or Shop Kiosk - USA 0x02 CECHB (COK-001)  
    00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC  0x8C CEX Retail or Shop Kiosk - Russia 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001) (original label stated CECHC model!)  
    00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x07 CECHJ/CECHK (DIA-002)  
    00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)  
    00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)  
    00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF  0x84 CEX Retail or Shop Kiosk - USA 0x09 CECH20xx (DYN-001)  
    00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF  0x85 CEX Retail or Shop Kiosk - Europe 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban  
    00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban  
    00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001)  
    
    14
    
    00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)   
    00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)   
    00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17  0x85 CEX Retail or Shop Kiosk - Europe 0x0A CECH21xx (SUR-001)  
    00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F  0x8C CEX Retail or Shop Kiosk - Russia 0x0C CECH30xx (KTE-001)  
    00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0C CECH30xx (KTE-001)  
    00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65  0x8C CEX Retail or Shop Kiosk - Russia 0x0B CECH25xx (JTP-001/JSD-001) used by PS-Unban  
    00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0D CECH40xx (MPX-001/MSX-001)
    
    F4
    00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52  0x84 CEX Retail or Shop Kiosk - USA 0x05 CECHG (SEM-001) 
    00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
    10th byte list (from wiki): pastie.org/private/ftr9f5yw164jhndy3ieoa
    Code:
    0X
    
    00
    
    00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  0x8A CEX Retail or Shop Kiosk - South Asia 0x01 CECHA (COK-001)  
    00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0 ARC Arcade 0x04 GECR-1100 (COK-002) (COK-002 without Bluetooth/Wifi)
    00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)
    00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52  0x84 CEX Retail or Shop Kiosk - USA 0x05 CECHG (SEM-001)  
    00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC  0x8C CEX Retail or Shop Kiosk - Russia 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x07 CECHJ/CECHK (DIA-002)  
    00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80  0xA0 ARC Arcade 0x08 GECR-1500 (VER-001) (VER-001 without Bluetooth/Wifi)  
    00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)
    00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65  0x8C CEX Retail or Shop Kiosk - Russia 0x0B CECH25xx (JTP-001/JSD-001) used by PS-Unban 
    00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0D CECH40xx (MPX-001/MSX-001)
    
    01
    
    00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B  0x84 CEX Retail or Shop Kiosk - USA 0x02 CECHB (COK-001)  
    00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 
    00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)   
    
    02
    
    00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    
    05
    
    00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17  0x85 CEX Retail or Shop Kiosk - Europe 0x0A CECH21xx (SUR-001)  
    00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)  
    
    06
    
    00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0C CECH30xx (KTE-001)  
    
    0A
    
    00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001) (original label stated CECHC model!)  
    00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)  
    
    0B
    
    00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    
    
    0C
    
    00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    
    0E
    
    00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F  0x8C CEX Retail or Shop Kiosk - Russia 0x0C CECH30xx (KTE-001)  
    
    1X
    
    00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
    00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban 
    
    1B
      
    00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)
    00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001) 
    
    1C
      
    00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF  0x84 CEX Retail or Shop Kiosk - USA 0x09 CECH20xx (DYN-001)  
    
    18
    
    00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF  0x85 CEX Retail or Shop Kiosk - Europe 0x0B CECH25xx (JTP-001/JSD-001)  
    
    19
    
    00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban  
    00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    
    22
    
    00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) 
    
    FF
    00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81 SD System Debugger / DECR Reference Tool / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) Static Dummy IDPS
    Notes: if you notice, CECHGs appear in almost all possibilities of the 9th byte list, except in the static IDPS 9th byte.

    Banned idps list from "Free IDPS" thread: pastie.org/private/mk0ipzwuo9woejakc45sa
    Printing Things to the Screen

    As you all know, neither the SDK nor the PSL1GHT environment allow you to print things natively to the screen, at least not without using RSX. Fortunately, inside the Cobra sources of their USB, there is something that enables that, making debug output MUCH easier.

    The specified functions are debug_install and debug_printf. debug_install patches the necessary offsets and redirects TTY output to the screen, and then debug_printf simply prints the thing you want. This might not sound like much, but it's a VERY useful feature, especially when you want to debug code and you like to visually see what is happening. Also, this could make things such as memory patching and dumping much easier to look at.

    I'd like to compile it myself and test for results, but I don't have a working hackable console. So I'd like to ask any of you devs to test it and check if it works or not. As I was told it does seem to work, so I hope that this gets adapted to PSL1GHT very soon.

    U$er, I'd like you to be the first person to test this, since you have understood the plugin loading and adapted it for ourselves.

    Buffer Overflow on Save Games

    This comes back from the PSP era. Usually, you'd insert a disc, load a certain save and it'd load data that had a very long string. At the end or the middle of that string you'd see a binary loader (hbl.bin) that would load the main menu of HBL.

    In the case of the PS3, before the crypto fail was publicly announced, little to nothing was possible in regards to loading a binary from a savegame. Now, thanks to that and thanks to flatz's amazing tools, it might be a possibility in the near future.

    Since there isn't a tool that handles savegame crashes (yet), so far we can only manage with a DEX/Convert and eth debug to know what happens at the time of the crash/freeze.

    In my case, I don't have access to such tools, but there are people who do.

    So, you can try this for yourselves. This was made in FIFA 09. I turned auto-save off (so it didn't overwrite the crafted save I made), made a savegame profile, and loaded the disc.

    The result was that it crashed while loading the save. The only thing I changed was SYS-DATA. I opened it in HxD, and filled my name (zecoxao) with o's until it matched Ronaldo's string entry. That caused the game to crash.

    Theoretically, you can most likely load a disc-bind 3.55 and below signed self from a register that returns an address and it'll just load the self (I think), although I didn't try this myself yet, because I can't debug it properly on a Superslim. Anyone who wishes to give it a go is welcome to do so.

    From pastie.org/private/p1mxjrd6xbmv3hrphazxsw (the freeze):
    Code:
    # Lv-2 detected an interrupt(exception) in a user PPU Thread.
    #
    # Interrupt(exception) Info.
    #   Type : Trap
    #   SRR0 : 0x000000000006b40c
    #   SRR1 : 0x800000000002c032
    #   DSISR: 0x0000000000200000
    #   DAR  : 0x0000000010002b3c
    #   TB   : 0x0000000f5a4619f2
    #   HW Thread #: 1
    #
    # Backtrace
    #   0x00000000d0124dfc
    #   0x000000000006b67c
    #   0x00000000001a6434
    #   0x00000000001a6624
    #   0x000000000005c354
    #   0x000000000005c3f0
    #   0x0000000000329a18
    #   0x0000000000329b20
    #   0x0000000000329c28
    #   0x0000000000329d98
    #   0x0000000000329e28
    #   0x00000000003795b0
    #   0x0000000000396a34
    #   0x00000000003aa970
    #   0x000000000097ec78
    #   0x00000000009858c4
    #   0x0000000000995df8
    #   0x000000000098dd7c
    #   0x0000000000995df8
    #   0x000000000098c8a4
    #   0x00000000009896f8
    #   0x000000000097d034
    #   0x00000000003a5a98
    #   0x00000000003935cc
    #   0x00000000007ff880
    #   0x00000000007ff9d8
    #   0x0000000000805a64
    #   0x0000000000059f78
    #   0xbadadd0011300b5c
    #
    # User PPU Thread Info.
    #   ID        : 0x011300b6
    #   Name      : FEThread
    #   Stack addr: 0x00000000d0106000
    #   Stack size: 0x0000000000020000
    #   Priority  : 1002
    #   Proc name : /dev_hdd0/game/BLES00314/USRDIR/EBOOT.BIN
    #   Proc ID   : 0x10e0200
    #
    # Register Info.
    #      LR: 0x000000000006b408     CR:0x28000042
    #     CTR: 0x0000000000000000
    #
    #   GPR 0: 0x0000000000000000  GPR 1: 0x00000000d0124d70
    #   GPR 2: 0x0000000001843188  GPR 3: 0x0000000000000000
    #   GPR 4: 0x0000000000122800  GPR 5: 0x00000000014e07b8
    #   GPR 6: 0x00000000019052f0  GPR 7: 0x0000000000000010
    #   GPR 8: 0x0000000000000000  GPR 9: 0x0000000000000000
    #   GPR10: 0x0000000030e4049c  GPR11: 0x00000000d0124e60
    #   GPR12: 0x00000000310dba80  GPR13: 0x00000000100098a0
    #   GPR14: 0x0000000000000000  GPR15: 0x0000000000000000
    #   GPR16: 0x0000000000000000  GPR17: 0x0000000000000000
    #   GPR18: 0x00000000014e07b8  GPR19: 0x0000000000000000
    #   GPR20: 0x0000000000000000  GPR21: 0x0000000000122800
    #   GPR22: 0x0000000000000001  GPR23: 0x0000000000000010
    #   GPR24: 0x0000000000000001  GPR25: 0x0000000000122800
    #   GPR26: 0x0000000000000002  GPR27: 0x0000000001905150
    #   GPR28: 0x0000000001905138  GPR29: 0x0000000001905138
    #   GPR30: 0x0000000001725d18  GPR31: 0x0000000000000000
    #
    #     XER: 0x0000000020000000  FPSCR: 0x82002000
    #
    #   FPR 0: 0x41efffffffe00000  FPR 1: 0x3ff0000000000000
    #   FPR 2: 0x0000000000000000  FPR 3: 0x0000000000000000
    #   FPR 4: 0x0000000000000000  FPR 5: 0x0000000000000000
    #   FPR 6: 0x0000000000000000  FPR 7: 0x0000000000000000
    #   FPR 8: 0x407b300000000000  FPR 9: 0x0000000000000000
    #   FPR10: 0x0000000000000000  FPR11: 0x3ff0000000000000
    #   FPR12: 0x409f400000000000  FPR13: 0x4030000000000000
    #   FPR14: 0x00000011303b6000  FPR15: 0x00000011303b6000
    #   FPR16: 0x00000011303b6000  FPR17: 0x00000011303b6000
    #   FPR18: 0x00000011303b6000  FPR19: 0x00000011303b6000
    #   FPR20: 0x00000011303b6000  FPR21: 0x00000011303b6000
    #   FPR22: 0x00000011303b6000  FPR23: 0x00000011303b6000
    #   FPR24: 0x00000011303b6000  FPR25: 0x00000011303b6000
    #   FPR26: 0x00000011303b6000  FPR27: 0x00000011303b6000
    #   FPR28: 0x00000011303b6000  FPR29: 0x00000011303b6000
    #   FPR30: 0x00000011303b6000  FPR31: 0x00000011303b6000
    #
    # Continue... (Lv-2 is still running.)
    #
    LR is what matters to us. It's called the Link Register and returns the address of what we want to load.

    IT'S A TARP! (Thanks flatz for the debugging.)

    FIFA 08 (props to NiceShot for the logs) (via pastie.org/private/9iqksaxgxpo8kdqxc87g):
    Code:
    
    SDK v4.3.0
    [TM] Boot mode := System
    control_console: Server bound to port number 8080
    abort() is called from 0x0000000000151184
                      from 0x0000000000152b14
                      from 0x0000000000155268
                      from 0x0000000000147a3c
                      from 0x0000000000142fb8
                      from 0x000000000003fe98
                      from 0x00000000000ad5e0
                      from 0xbadadd0010200e50
    
    
    Continue... (Lv-2 is still running.)
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    [TM] Open connection failed (o)
    SDK v4.3.0
    [TM] Boot mode := System
    control_console: Server bound to port number 8080
    [TM] Open connection failed (o)
    SDK v4.3.0
    [TM] Boot mode := System
    control_console: Server bound to port number 8080
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    control_console: Server bound to port number 8080
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    control_console: Server bound to port number 8080
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): #
    lv2(2): #
    lv2(2): # SDK version: 181001
    lv2(2): # system software version: 4.30 (DEX)
    lv2(2): # revision: 49489
    lv2(2): #
    lv2(2): # Lv-2 detected an interrupt(exception) in a user PPU Thread.
    lv2(2): #
    lv2(2): # Interrupt(exception) Info.
    lv2(2): #   Type : Data Storage
    lv2(2): #   SRR0 : 0x000000000029ee98
    lv2(2): #   SRR1 : 0x800000000000c032
    lv2(2): #   DSISR: 0x0000000040000000
    lv2(2): #   DAR  : 0x0000000036860000
    lv2(2): #   TB   : 0x00000015d962d7f6
    lv2(2): #   HW Thread #: 1
    lv2(2): #
    lv2(2): # Backtrace
    lv2(2): #   0x000000000029eeb0
    lv2(2): #   0x00000000002a8434
    lv2(2): #   0x00000000002b47f0
    lv2(2): #   0x0000000000ac3e64
    lv2(2): #   0x0000000000aca6fc
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad31d0
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad1724
    lv2(2): #   0x0000000000acd924
    lv2(2): #   0x0000000000ac1f7c
    lv2(2): #   0x00000000002b2b40
    lv2(2): #   0x0000000000296f4c
    lv2(2): #   0x000000000001dd4c
    lv2(2): #   0x000000000001f280
    lv2(2): #   0x0000000000026e60
    lv2(2): #   0x000000000087de08
    lv2(2): #   0xbadadd00116008dc
    lv2(2): #
    lv2(2): # User PPU Thread Info.
    lv2(2): #   ID        : 0x0116008e
    lv2(2): #   Name      : FEThread
    lv2(2): #   Stack addr: 0x00000000d00ad000
    lv2(2): #   Stack size: 0x0000000000020000
    lv2(2): #   Priority  : 1002
    lv2(2): #   Proc name : /dev_bdvd/PS3_GAME/USRDIR/EBOOT.BIN
    lv2(2): #   Proc ID   : 0x10e0200
    lv2(2): #
    lv2(2): # Register Info.
    lv2(2): #      LR: 0x000000000029eeb4     CR:0x22000084
    lv2(2): #     CTR: 0x0000000000a3db94
    lv2(2): #
    lv2(2): #   GPR 0: 0x0000000031313131  GPR 1: 0x00000000d00cc4f0
    lv2(2): #   GPR 2: 0x0000000001094e20  GPR 3: 0x0000000030665994
    lv2(2): #   GPR 4: 0x00000000d00cc56c  GPR 5: 0x00000000d00cc4c0
    lv2(2): #   GPR 6: 0x00000000000000cd  GPR 7: 0x0000000000000000
    lv2(2): #   GPR 8: 0x0000000000000000  GPR 9: 0x00000000d00cc56c
    lv2(2): #   GPR10: 0x0000000036860002  GPR11: 0x0000000036860006
    lv2(2): #   GPR12: 0x000000003066ba40  GPR13: 0x00000000300095c0
    lv2(2): #   GPR14: 0x0000000000000000  GPR15: 0x0000000000000000
    lv2(2): #   GPR16: 0x0000000000000000  GPR17: 0x0000000000000000
    lv2(2): #   GPR18: 0x0000000000000000  GPR19: 0x0000000000000000
    lv2(2): #   GPR20: 0x0000000000000000  GPR21: 0x0000000000000000
    lv2(2): #   GPR22: 0x0000000000000000  GPR23: 0x0000000000000000
    lv2(2): #   GPR24: 0x0000000000000001  GPR25: 0x0000000000000000
    lv2(2): #   GPR26: 0x0000000010054a50  GPR27: 0x0000000000000dcc
    lv2(2): #   GPR28: 0x000000003685fffe  GPR29: 0x000000003685919e
    lv2(2): #   GPR30: 0x0000000036857f7e  GPR31: 0x0000000030664a54
    lv2(2): #
    lv2(2): #     XER: 0x0000000000000000  FPSCR: 0x82062000
    lv2(2): #
    lv2(2): #   FPR 0: 0x41efffffffe00000  FPR 1: 0x4131f0544e560419
    lv2(2): #   FPR 2: 0x402e000000000000  FPR 3: 0x4037555560000000
    lv2(2): #   FPR 4: 0x3fd5555560000000  FPR 5: 0x0000000000000000
    lv2(2): #   FPR 6: 0xc022000000000000  FPR 7: 0x4077980000000000
    lv2(2): #   FPR 8: 0x0000000000000000  FPR 9: 0x0000000000000000
    lv2(2): #   FPR10: 0x0000000000000000  FPR11: 0x3f89aa0660000000
    lv2(2): #   FPR12: 0x43e0000000000000  FPR13: 0x41efffffffe00000
    lv2(2): #   FPR14: 0x000000116038e000  FPR15: 0x000000116038e000
    lv2(2): #   FPR16: 0x000000116038e000  FPR17: 0x000000116038e000
    lv2(2): #   FPR18: 0x000000116038e000  FPR19: 0x000000116038e000
    lv2(2): #   FPR20: 0x000000116038e000  FPR21: 0x000000116038e000
    lv2(2): #   FPR22: 0x000000116038e000  FPR23: 0x000000116038e000
    lv2(2): #   FPR24: 0x000000116038e000  FPR25: 0x000000116038e000
    lv2(2): #   FPR26: 0x000000116038e000  FPR27: 0x000000116038e000
    lv2(2): #   FPR28: 0x000000116038e000  FPR29: 0x000000116038e000
    lv2(2): #   FPR30: 0x000000116038e000  FPR31: 0x000000116038e000
    lv2(2): #
    lv2(2): # PRX Info: 16 PRX in process
    lv2(2): #   --/--: id-------- path------------------------------ version segments---
    lv2(2): #    0/16: 0x23000000 [/dev_flash/sys/external/liblv2.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10480000+0x00013b68+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104a0000+0x00000d94+0x00000888 [0x00000001]
    lv2(2): #    1/16: 0x23000c00 [/dev_flash/sys/external/libsysmodule.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104b0000+0x00008a48+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104c0000+0x000014c8+0x00000034 [0x00000001]
    lv2(2): #    2/16: 0x23000e00 [/dev_flash/sys/external/libsysutil.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104d0000+0x0001ee10+0x000010f0 [0x00000001]
    lv2(2): #       1/  2: 0x104f0000+0x00000874+0x0000cf8c [0x00000001]
    lv2(2): #    3/16: 0x23002100 [/dev_flash/sys/external/libgcm_sys.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10500000+0x0000b760+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10510000+0x00000974+0x0000283c [0x00000001]
    lv2(2): #    4/16: 0x23002200 [/dev_flash/sys/external/libaudio.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10520000+0x000057e0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10530000+0x00000358+0x000006d0 [0x00000001]
    lv2(2): #    5/16: 0x23002300 [/dev_flash/sys/external/libio.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10540000+0x0000ccb0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10550000+0x00000f10+0x00000038 [0x00000001]
    lv2(2): #    6/16: 0x23002400 [/dev_flash/sys/external/libsre.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10560000+0x0002df00+0x00002100 [0x00000001]
    lv2(2): #       1/  2: 0x10590000+0x00003fe0+0x00000360 [0x00000001]
    lv2(2): #    7/16: 0x23002500 [/dev_flash/sys/external/liblv2coredump.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105a0000+0x0001d974+0x00000000 [0x00000001...
    Register control in GPR0 (0x31) (via pastie.org/private/hqi53jdrhltfvdaezn3png):
    Code:
    
    [14:51:46] NiceShot: # SDK version: 181001
    lv2(2): # system software version: 4.30 (DEX)
    lv2(2): # revision: 49489
    lv2(2): #
    lv2(2): # Lv-2 detected an interrupt(exception) in a user PPU Thread.
    lv2(2): #
    lv2(2): # Interrupt(exception) Info.
    lv2(2): #   Type : Data Storage
    lv2(2): #   SRR0 : 0x000000000029ee98
    lv2(2): #   SRR1 : 0x800000000000c032
    lv2(2): #   DSISR: 0x0000000040000000
    lv2(2): #   DAR  : 0x0000000036860000
    lv2(2): #   TB   : 0x00000015d962d7f6
    lv2(2): #   HW Thread #: 1
    lv2(2): #
    lv2(2): # Backtrace
    lv2(2): #   0x000000000029eeb0
    lv2(2): #   0x00000000002a8434
    lv2(2): #   0x00000000002b47f0
    lv2(2): #   0x0000000000ac3e64
    lv2(2): #   0x0000000000aca6fc
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad31d0
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad1724
    lv2(2): #   0x0000000000acd924
    lv2(2): #   0x0000000000ac1f7c
    lv2(2): #   0x00000000002b2b40
    lv2(2): #   0x0000000000296f4c
    lv2(2): #   0x000000000001dd4c
    lv2(2): #   0x000000000001f280
    lv2(2): #   0x0000000000026e60
    lv2(2): #   0x000000000087de08
    lv2(2): #   0xbadadd00116008dc
    lv2(2): #
    lv2(2): # User PPU Thread Info.
    lv2(2): #   ID        : 0x0116008e
    lv2(2): #   Name      : FEThread
    lv2(2): #   Stack addr: 0x00000000d00ad000
    lv2(2): #   Stack size: 0x0000000000020000
    lv2(2): #   Priority  : 1002
    lv2(2): #   Proc name : /dev_bdvd/PS3_GAME/USRDIR/EBOOT.BIN
    lv2(2): #   Proc ID   : 0x10e0200
    lv2(2): #
    lv2(2): # Register Info.
    lv2(2): #      LR: 0x000000000029eeb4     CR:0x22000084
    lv2(2): #     CTR: 0x0000000000a3db94
    lv2(2): #
    lv2(2): #   GPR 0: 0x0000000031313131  GPR 1: 0x00000000d00cc4f0
    lv2(2): #   GPR 2: 0x0000000001094e20  GPR 3: 0x0000000030665994
    lv2(2): #   GPR 4: 0x00000000d00cc56c  GPR 5: 0x00000000d00cc4c0
    lv2(2): #   GPR 6: 0x00000000000000cd  GPR 7: 0x0000000000000000
    lv2(2): #   GPR 8: 0x0000000000000000  GPR 9: 0x00000000d00cc56c
    lv2(2): #   GPR10: 0x0000000036860002  GPR11: 0x0000000036860006
    lv2(2): #   GPR12: 0x000000003066ba40  GPR13: 0x00000000300095c0
    lv2(2): #   GPR14: 0x0000000000000000  GPR15: 0x0000000000000000
    lv2(2): #   GPR16: 0x0000000000000000  GPR17: 0x0000000000000000
    lv2(2): #   GPR18: 0x0000000000000000  GPR19: 0x0000000000000000
    lv2(2): #   GPR20: 0x0000000000000000  GPR21: 0x0000000000000000
    lv2(2): #   GPR22: 0x0000000000000000  GPR23: 0x0000000000000000
    lv2(2): #   GPR24: 0x0000000000000001  GPR25: 0x0000000000000000
    lv2(2): #   GPR26: 0x0000000010054a50  GPR27: 0x0000000000000dcc
    lv2(2): #   GPR28: 0x000000003685fffe  GPR29: 0x000000003685919e
    lv2(2): #   GPR30: 0x0000000036857f7e  GPR31: 0x0000000030664a54
    lv2(2): #
    lv2(2): #     XER: 0x0000000000000000  FPSCR: 0x82062000
    lv2(2): #
    lv2(2): #   FPR 0: 0x41efffffffe00000  FPR 1: 0x4131f0544e560419
    lv2(2): #   FPR 2: 0x402e000000000000  FPR 3: 0x4037555560000000
    lv2(2): #   FPR 4: 0x3fd5555560000000  FPR 5: 0x0000000000000000
    lv2(2): #   FPR 6: 0xc022000000000000  FPR 7: 0x4077980000000000
    lv2(2): #   FPR 8: 0x0000000000000000  FPR 9: 0x0000000000000000
    lv2(2): #   FPR10: 0x0000000000000000  FPR11: 0x3f89aa0660000000
    lv2(2): #   FPR12: 0x43e0000000000000  FPR13: 0x41efffffffe00000
    lv2(2): #   FPR14: 0x000000116038e000  FPR15: 0x000000116038e000
    lv2(2): #   FPR16: 0x000000116038e000  FPR17: 0x000000116038e000
    lv2(2): #   FPR18: 0x000000116038e000  FPR19: 0x000000116038e000
    lv2(2): #   FPR20: 0x000000116038e000  FPR21: 0x000000116038e000
    lv2(2): #   FPR22: 0x000000116038e000  FPR23: 0x000000116038e000
    lv2(2): #   FPR24: 0x000000116038e000  FPR25: 0x000000116038e000
    lv2(2): #   FPR26: 0x000000116038e000  FPR27: 0x000000116038e000
    lv2(2): #   FPR28: 0x000000116038e000  FPR29: 0x000000116038e000
    lv2(2): #   FPR30: 0x000000116038e000  FPR31: 0x000000116038e000
    lv2(2): #
    lv2(2): # PRX Info: 16 PRX in process
    lv2(2): #   --/--: id-------- path------------------------------ version segments---
    lv2(2): #    0/16: 0x23000000 [/dev_flash/sys/external/liblv2.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10480000+0x00013b68+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104a0000+0x00000d94+0x00000888 [0x00000001]
    lv2(2): #    1/16: 0x23000c00 [/dev_flash/sys/external/libsysmodule.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104b0000+0x00008a48+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104c0000+0x000014c8+0x00000034 [0x00000001]
    lv2(2): #    2/16: 0x23000e00 [/dev_flash/sys/external/libsysutil.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104d0000+0x0001ee10+0x000010f0 [0x00000001]
    lv2(2): #       1/  2: 0x104f0000+0x00000874+0x0000cf8c [0x00000001]
    lv2(2): #    3/16: 0x23002100 [/dev_flash/sys/external/libgcm_sys.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10500000+0x0000b760+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10510000+0x00000974+0x0000283c [0x00000001]
    lv2(2): #    4/16: 0x23002200 [/dev_flash/sys/external/libaudio.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10520000+0x000057e0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10530000+0x00000358+0x000006d0 [0x00000001]
    lv2(2): #    5/16: 0x23002300 [/dev_flash/sys/external/libio.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10540000+0x0000ccb0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10550000+0x00000f10+0x00000038 [0x00000001]
    lv2(2): #    6/16: 0x23002400 [/dev_flash/sys/external/libsre.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10560000+0x0002df00+0x00002100 [0x00000001]
    lv2(2): #       1/  2: 0x10590000+0x00003fe0+0x00000360 [0x00000001]
    lv2(2): #    7/16: 0x23002500 [/dev_flash/sys/external/liblv2coredump.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105a0000+0x0001d974+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x105c0000+0x00002fac+0x00007448 [0x00000001]
    lv2(2): #    8/16: 0x23000b02 [/dev_flash/sys/external/libnetctl.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105d0000+0x00006bc8+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x105e0000+0x00000294+0x000000d4 [0x00000001]
    lv2(2): #    9/16: 0x23000c02 [/dev_flash/sys/external/libnet.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105f0000+0x00020ff8+0x0000f008 [0x00000001]
    lv2(2): #       1/  2: 0x10620000+0x00001580+0x000011b0 [0x00000001]
    lv2(2): #   10/16: 0x23000d02 [/dev_flash/sys/external/libusbd.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10630000+0x00009800+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10640000+0x00000380+0x00000008 [0x00000001]
    lv2(2): #   11/16: 0x23000e02 [/dev_flash/sys/external/libfs.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10650000+0x0000fe48+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10660000+0x0000172c+0x00008b14 [0x00000001]
    lv2(2): #   12/16: 0x23002402 [/dev_flash/sys/external/libresc.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10670000+0x0000ac20+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10680000+0x00001794+0x00000414 [0x00000001]
    lv2(2): #   13/16: 0x23002502 [/dev_flash/sys/external/libsysutil_np.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): ...
    Controlling r0 is pretty much the same as controlling the link register. If we control r1 we can control the ROP.

    Here are the core dumps for FIFA 08 and 09. r0 is controllable in both games (it's probably hitting the stack).

    Download: fifacoredumps.tar.7z

    It'll take some minutes to upload them, so please wait.
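The thread reads these lv2 dumps by eye. As an added example (not from the thread or any poster), here is a small parser for the lv2 exception-dump format quoted above that extracts the exception type, the register file and the backtrace, and flags the two things the posters noticed by hand: a register holding an ASCII fill pattern (GPR0 = 0x31313131) and registers sitting next to the faulting data address DAR. The sample dump is an excerpt constructed from the FIFA 08 lines above; the `window` threshold is an arbitrary choice.

```python
"""Parser and triage helper for the lv2 'detected an interrupt(exception)' dump format."""
import re

# Constructed excerpt of the FIFA 08 dump quoted in the thread (same prefix and layout as printed by lv2)
SAMPLE_DUMP = """\
lv2(2): # Lv-2 detected an interrupt(exception) in a user PPU Thread.
lv2(2): # Interrupt(exception) Info.
lv2(2): #   Type : Data Storage
lv2(2): #   SRR0 : 0x000000000029ee98
lv2(2): #   DSISR: 0x0000000040000000
lv2(2): #   DAR  : 0x0000000036860000
lv2(2): # Backtrace
lv2(2): #   0x000000000029eeb0
lv2(2): #   0x00000000002a8434
lv2(2): # User PPU Thread Info.
lv2(2): #   Name      : FEThread
lv2(2): #   Proc name : /dev_bdvd/PS3_GAME/USRDIR/EBOOT.BIN
lv2(2): # Register Info.
lv2(2): #      LR: 0x000000000029eeb4     CR:0x22000084
lv2(2): #     CTR: 0x0000000000a3db94
lv2(2): #   GPR 0: 0x0000000031313131  GPR 1: 0x00000000d00cc4f0
lv2(2): #   GPR10: 0x0000000036860002  GPR11: 0x0000000036860006
lv2(2): #   GPR28: 0x000000003685fffe  GPR29: 0x000000003685919e
"""

REG_RE = re.compile(r"\b(GPR ?\d+|LR|CTR|SRR0|SRR1|DSISR|DAR|CR)\s*:\s*0x([0-9a-fA-F]+)")
FIELD_RE = re.compile(r"^\s*(Type|Name|Proc name)\s*:\s*(.+?)\s*$")
ADDR_RE = re.compile(r"^\s*0x([0-9a-fA-F]{16})\s*$")


def parse_dump(text):
    """Return {'fields': {...}, 'regs': {name: int}, 'backtrace': [int]} from one lv2 dump."""
    out = {"fields": {}, "regs": {}, "backtrace": []}
    in_backtrace = False
    for line in text.splitlines():
        # Drop the 'lv2(2): #' prefix; everything after the first '#' is the dump body
        body = line.split("#", 1)[1] if "#" in line else line
        if body.strip() == "Backtrace":
            in_backtrace = True
            continue
        m = ADDR_RE.match(body)
        if in_backtrace and m:
            out["backtrace"].append(int(m.group(1), 16))
            continue
        in_backtrace = False  # first non-address line ends the backtrace section
        m = FIELD_RE.match(body)
        if m:
            out["fields"][m.group(1)] = m.group(2)
        for name, val in REG_RE.findall(body):
            out["regs"][name.replace(" ", "")] = int(val, 16)  # 'GPR 0' -> 'GPR0'
    return out


def ascii_fill(value):
    """Return the printable character if the low 32 bits are four copies of one byte, else None."""
    low = value & 0xFFFFFFFF
    b = low & 0xFF
    if low == b * 0x01010101 and 0x20 <= b < 0x7F:
        return chr(b)
    return None


def triage(dump, window=0x100):
    """Flag registers worth a closer look: ASCII fill patterns and values adjacent to DAR."""
    regs, findings = dump["regs"], []
    for name, val in regs.items():
        ch = ascii_fill(val)
        if ch is not None:
            findings.append(f"{name} = {val:#x}: ASCII fill pattern '{ch}', likely copied from input data")
    dar = regs.get("DAR")
    if dump["fields"].get("Type") == "Data Storage" and dar is not None:
        for name, val in regs.items():
            if name.startswith("GPR") and abs(val - dar) < window:
                findings.append(f"{name} = {val:#x}: within {window:#x} of faulting address DAR {dar:#x}")
    return findings


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print(parsed["fields"], [hex(a) for a in parsed["backtrace"]])
    for finding in triage(parsed):
        print(finding)
```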

    Lv2diag.self bricking consoles?

    I told myself I wasn't going to post any more about PS3s but this is really bugging me so... I was hanging out in Skype when suddenly vapour barges in and says a self he created with Objective Suites bricked his PS3.

    Naturally, for a person who bricked 7 consoles by flashing ways, I thought he was kidding, since nowhere in the world would Sony do such a thing. Then I asked hellsing9 to test it somewhere. He tested the self. It bricked. He tested again, bricked again. Then I asked greysmoke. He tested the self. It didn't brick.

    My question is this: in which consoles can the brick be caused, what causes the brick to be triggered, and most importantly, can we intercept the process of the command of bricking and replace it with something else?

    This is the self (3.42 appldr signed): https://dl.dropboxusercontent.com/u/...0/Lv2diag.self

    Needless to say flashers can and MUST be used before doing anything. They can unbrick. The E3 flasher can be used as any regular flasher. As for the pinouts, I believe they are available on the wiki (NiceShot has the picture).

    From NiceShot: Uhm... you should have the original dump before trying this. I'm not sure if dumping it, byte swapping and flashing it back will solve the problem, but it is worth trying. I had a broken E3 flasher clip so I had to map the whole points to use E3 linker, but if you have an E3 flasher with E3 clip you can do the job the same way. But there you have the pinout for MSX-001:

    https://www.dropbox.com/s/0y96aa8q8c...eaM_X_TudO.bmp

    Cheers

    PS3 IDA Stuff

    So, I was bored and I decided to open IDA Pro and take a look at things. Then, someone told me that I could open idb files in IDA. So I went to graf's bible and opened a few. Fun. Anyways, here are some scripts/updates of scripts.

    The HV dump script has "new" function names instead of the usual "undocumented_function" crap, and the export script prints all the function names to the screen (the ones that don't start with sub_). Consider this a release of sorts. I'll try to take care of syscall_names.idh tomorrow for the lv2 dump script.

    Download: stuff_for_ida.zip
    GIT: github.com/zecoxao/ps3ida

    GitHub contains precompiled loaders, plugins, signatures, and the new scripts. I've updated the zip. You should now have two additional export functions: one for the syscalls, and another for the hvcalls. Gonna see if I can take care of syscall_names.idh today.

    Edit: taken care of: github.com/zecoxao/ps3ida/blob/master/syscall_names.idh

    Kinda piggish but it does the trick

    Added some more signatures. Had to use a trick. They're on GitHub: github.com/zecoxao/ps3ida/tree/master/sig/ppc

    eEID5 Keyseed and Section Keys Found
    Code:
    u8 unk_keyseed[EID0_KEYSEED_SIZE] =
    {
    	0x33, 0x79, 0x3B, 0x9F, 0x79, 0xE2, 0xEB, 0xAE, 0x55, 0xD4, 0xD6, 0xBF, 0x0E, 0xD3, 0x76, 0xE6
    };
    Edit: some corrections: psdevwiki.com/ps3/Keys#KIRK (thanks euss)

    KIRK

    A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B

    location: in lv2_kernel.self

    More KIRK keys
    • github.com/uofw/upspd/wiki/KIRK-13---ECDSA-point-multiplication
    • code.google.com/p/kirk-engine/source/browse/trunk/libkirk/kirk_engine.c
    • wololo.net/talk/viewtopic.php?p=80302#p80302

    AES requires a message that is a multiple of 16 bytes. I have no idea what unk_keyseed is.
    Code:
    u8 kirk1_key[] =   {0x98, 0xC9, 0x40, 0x97, 0x5C, 0x1D, 0x10, 0xE8, 0x7F, 0xE6, 0x0E, 0xA3, 0xFD, 0x03, 0xA8, 0xBA};
    u8 kirk7_key02[] = {0xB8, 0x13, 0xC3, 0x5E, 0xC6, 0x44, 0x41, 0xE3, 0xDC, 0x3C, 0x16, 0xF5, 0xB4, 0x5E, 0x64, 0x84}; // New from PS3
    u8 kirk7_key03[] = {0x98, 0x02, 0xC4, 0xE6, 0xEC, 0x9E, 0x9E, 0x2F, 0xFC, 0x63, 0x4C, 0xE4, 0x2F, 0xBB, 0x46, 0x68};
    u8 kirk7_key04[] = {0x99, 0x24, 0x4C, 0xD2, 0x58, 0xF5, 0x1B, 0xCB, 0xB0, 0x61, 0x9C, 0xA7, 0x38, 0x30, 0x07, 0x5F};
    u8 kirk7_key05[] = {0x02, 0x25, 0xD7, 0xBA, 0x63, 0xEC, 0xB9, 0x4A, 0x9D, 0x23, 0x76, 0x01, 0xB3, 0xF6, 0xAC, 0x17};
    u8 kirk7_key07[] = {0x76, 0x36, 0x8B, 0x43, 0x8F, 0x77, 0xD8, 0x7E, 0xFE, 0x5F, 0xB6, 0x11, 0x59, 0x39, 0x88, 0x5C}; // New from PS3
    u8 kirk7_key0C[] = {0x84, 0x85, 0xC8, 0x48, 0x75, 0x08, 0x43, 0xBC, 0x9B, 0x9A, 0xEC, 0xA7, 0x9C, 0x7F, 0x60, 0x18};
    u8 kirk7_key0D[] = {0xB5, 0xB1, 0x6E, 0xDE, 0x23, 0xA9, 0x7B, 0x0E, 0xA1, 0x7C, 0xDB, 0xA2, 0xDC, 0xDE, 0xC4, 0x6E};
    u8 kirk7_key0E[] = {0xC8, 0x71, 0xFD, 0xB3, 0xBC, 0xC5, 0xD2, 0xF2, 0xE2, 0xD7, 0x72, 0x9D, 0xDF, 0x82, 0x68, 0x82};
    u8 kirk7_key0F[] = {0x0A, 0xBB, 0x33, 0x6C, 0x96, 0xD4, 0xCD, 0xD8, 0xCB, 0x5F, 0x4B, 0xE0, 0xBA, 0xDB, 0x9E, 0x03};
    u8 kirk7_key10[] = {0x32, 0x29, 0x5B, 0xD5, 0xEA, 0xF7, 0xA3, 0x42, 0x16, 0xC8, 0x8E, 0x48, 0xFF, 0x50, 0xD3, 0x71};
    u8 kirk7_key11[] = {0x46, 0xF2, 0x5E, 0x8E, 0x4D, 0x2A, 0xA5, 0x40, 0x73, 0x0B, 0xC4, 0x6E, 0x47, 0xEE, 0x6F, 0x0A};
    u8 kirk7_key12[] = {0x5D, 0xC7, 0x11, 0x39, 0xD0, 0x19, 0x38, 0xBC, 0x02, 0x7F, 0xDD, 0xDC, 0xB0, 0x83, 0x7D, 0x9D};
    u8 kirk7_key38[] = {0x12, 0x46, 0x8D, 0x7E, 0x1C, 0x42, 0x20, 0x9B, 0xBA, 0x54, 0x26, 0x83, 0x5E, 0xB0, 0x33, 0x03};
    u8 kirk7_key39[] = {0xC4, 0x3B, 0xB6, 0xD6, 0x53, 0xEE, 0x67, 0x49, 0x3E, 0xA9, 0x5F, 0xBC, 0x0C, 0xED, 0x6F, 0x8A};
    u8 kirk7_key3A[] = {0x2C, 0xC3, 0xCF, 0x8C, 0x28, 0x78, 0xA5, 0xA6, 0x63, 0xE2, 0xAF, 0x2D, 0x71, 0x5E, 0x86, 0xBA};
    u8 kirk7_key44[] = {0x7D, 0xF4, 0x92, 0x65, 0xE3, 0xFA, 0xD6, 0x78, 0xD6, 0xFE, 0x78, 0xAD, 0xBB, 0x3D, 0xFB, 0x63};  // New from PS3
    u8 kirk7_key4B[] = {0x0C, 0xFD, 0x67, 0x9A, 0xF9, 0xB4, 0x72, 0x4F, 0xD7, 0x8D, 0xD6, 0xE9, 0x96, 0x42, 0x28, 0x8B}; //1.xx game eboot.bin
    u8 kirk7_key53[] = {0xAF, 0xFE, 0x8E, 0xB1, 0x3D, 0xD1, 0x7E, 0xD8, 0x0A, 0x61, 0x24, 0x1C, 0x95, 0x92, 0x56, 0xB6};
    u8 kirk7_key57[] = {0x1C, 0x9B, 0xC4, 0x90, 0xE3, 0x06, 0x64, 0x81, 0xFA, 0x59, 0xFD, 0xB6, 0x00, 0xBB, 0x28, 0x70};
    u8 kirk7_key5D[] = {0x11, 0x5A, 0x5D, 0x20, 0xD5, 0x3A, 0x8D, 0xD3, 0x9C, 0xC5, 0xAF, 0x41, 0x0F, 0x0F, 0x18, 0x6F};
    u8 kirk7_key63[] = {0x9C, 0x9B, 0x13, 0x72, 0xF8, 0xC6, 0x40, 0xCF, 0x1C, 0x62, 0xF5, 0xD5, 0x92, 0xDD, 0xB5, 0x82};
    u8 kirk7_key64[] = {0x03, 0xB3, 0x02, 0xE8, 0x5F, 0xF3, 0x81, 0xB1, 0x3B, 0x8D, 0xAA, 0x2A, 0x90, 0xFF, 0x5E, 0x61}; 
    u8 kirk16_key[]  = {0x47, 0x5E, 0x09, 0xF4, 0xA2, 0x37, 0xDA, 0x9B, 0xEF, 0xFF, 0x3B, 0xC0, 0x77, 0x14, 0x3D, 0x8A};
    
    /* ECC Curves for Kirk 1 and Kirk 0x11 */
    // Common curve parameters p and a
    static u8 ec_p[20] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    static u8 ec_a[20] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC}; // mon
    
    // Kirk 0xC,0xD,0x10,0x11,(likely 0x12)- Unique curve parameters for b, N, and base point G for Kirk 0xC,0xD,0x10,0x11,(likely 0x12) service
    // Since public key is variable, it is not specified here
    static u8 ec_b2[20] = {0xA6, 0x8B, 0xED, 0xC3, 0x34, 0x18, 0x02, 0x9C, 0x1D, 0x3C, 0xE3, 0x3B, 0x9A, 0x32, 0x1F, 0xCC, 0xBB, 0x9E, 0x0F, 0x0B};// mon
    static u8 ec_N2[21] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xB5, 0xAE, 0x3C, 0x52, 0x3E, 0x63, 0x94, 0x4F, 0x21, 0x27};
    static u8 Gx2[20] = {0x12, 0x8E, 0xC4, 0x25, 0x64, 0x87, 0xFD, 0x8F, 0xDF, 0x64, 0xE2, 0x43, 0x7B, 0xC0, 0xA1, 0xF6, 0xD5, 0xAF, 0xDE, 0x2C };
    static u8 Gy2[20] = {0x59, 0x58, 0x55, 0x7E, 0xB1, 0xDB, 0x00, 0x12, 0x60, 0x42, 0x55, 0x24, 0xDB, 0xC3, 0x79, 0xD5, 0xAC, 0x5F, 0x4A, 0xDF };
    
    // KIRK 1 - Unique curve parameters for b, N, and base point G
    // Since public key is hard coded, it is also included
        
    static u8 ec_b1[20] = {0x65, 0xD1, 0x48, 0x8C, 0x03, 0x59, 0xE2, 0x34, 0xAD, 0xC9, 0x5B, 0xD3, 0x90, 0x80, 0x14, 0xBD, 0x91, 0xA5, 0x25, 0xF9};
    static u8 ec_N1[21] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x01, 0xB5, 0xC6, 0x17, 0xF2, 0x90, 0xEA, 0xE1, 0xDB, 0xAD, 0x8F};
    static u8 Gx1[20] = {0x22, 0x59, 0xAC, 0xEE, 0x15, 0x48, 0x9C, 0xB0, 0x96, 0xA8, 0x82, 0xF0, 0xAE, 0x1C, 0xF9, 0xFD, 0x8E, 0xE5, 0xF8, 0xFA };
    static u8 Gy1[20] = {0x60, 0x43, 0x58, 0x45, 0x6D, 0x0A, 0x1C, 0xB2, 0x90, 0x8D, 0xE9, 0x0F, 0x27, 0xD7, 0x5C, 0x82, 0xBE, 0xC1, 0x08, 0xC0 };
    static u8 Px1[20] = {0xED, 0x9C, 0xE5, 0x82, 0x34, 0xE6, 0x1A, 0x53, 0xC6, 0x85, 0xD6, 0x4D, 0x51, 0xD0, 0x23, 0x6B, 0xC3, 0xB5, 0xD4, 0xB9 };
    static u8 Py1[20] = {0x04, 0x9D, 0xF1, 0xA0, 0x75, 0xC0, 0xE0, 0x4F, 0xB3, 0x44, 0x85, 0x8B, 0x61, 0xB7, 0x9B, 0x69, 0xA6, 0x3D, 0x2C, 0x39 };
    Interesting info on KIRK 0xC, 0xD, 0x10, and 0x11 functions by Proxima
    Code:
    The curve used for KIRK functions 0xC, 0xD, 0x10, and 0x11 is y^2 = x^3 + ax + b mod p
    
    p = FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
    N= FFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127
    a= -3
    b= A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B
    Gx= 128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C
    Gy= 5958557EB1DB001260425524DBC379D5AC5F4ADF
    
    Kirk 0xC - Generate new private/public key set
    Invocation:
    u8 keypair[0x3c]
    sceUtilsBufferCopyWithRange(keypair,0x3c,0,0,0xC);
    
    This returns the following into the keypair buffer (each value is 0x14 bytes long):
    0x00 - randomly generated private key
    0x14 - Public Key point x value
    0x28 - Public Key point y value
    
    Basically function 0xC generates a random number < N and multiplies it to the base point G to get the new public key.
    
    Kirk 0xD - point multiplication
    Invocation:
    u8 buffer[0x3C]
    u8 newpoint[0x28]
    memcpy(buffer, multiplier, 0x14);
    memcpy(buffer+0x14, pointx, 0x14);
    memcpy(buffer+0x28, pointy, 0x14);
    sceUtilsBufferCopyWithRange(newpoint,0x28,buffer,0x3c,0xD);
    
    The result is a new point (x and y are each 0x14 bytes long).
    
    To test this, you can call 0xC service and copy the first 0x14 bytes to a new buffer, then copy the Gx and Gy values after that. Calling 0xD with the new buffer will return the values of x and y that were generated by the 0xC call.
    
    Kirk 0x10 - ECDSA Sign hash
    Invocation:
    u8 buffer[0x34]
    u8 encryptedprivatekey[0x20] - the private key returned by KIRK 0xC must be AES encrypted somehow
    u8 SHA1hashofmessagetosign[0x14]
    memcpy(buffer,encryptedprivatekey,0x20)
    memcpy(buffer+0x20,SHA1hashofmessagetosign,0x14)
    sceUtilsBufferCopyWithRange(newsig,0x28,buffer,0x34,0x10);
    
    newsig will have the r and s values for an ECDSA signature
    
    This isn't that useful since it is not clear how to encrypt the private key to sign the message. There are some examples in IDStorage where a pre-encrypted private key and public key pair can be used, but no general cases yet.
    
    Kirk 0x11 - ECDSA Verify Signature
    Invocation:
    u8 buffer[0x64]
    memcpy(buffer,publickey,0x28)
    memcpy(buffer+0x28,SHA1hashofmessagetosign,0x14)
    memcpy(buffer+0x3C,newsig,0x28)
    sceUtilsBufferCopyWithRange(0,0,buffer,0x64,0x11);
    
    This returns 0 (good) or not 0 (bad) based on whether the signature is successfully verified.
    
    These functions seem secure. The random number generation they use seems to be strong and they do not have any of the gaps that the PS3 or KIRK1 have around re-use of random numbers.
    Download: ps3_decrypt_tools-master.zip
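Proxima's description above is enough to model the four services in software. The Python below is an added example (not Proxima's, kirk-engine's or the project's code): it builds the curve from the parameters listed in the post, keeps Proxima's buffer layouts and offsets, checks that G lies on the curve and that N·G is the point at infinity, reproduces the 0xC/0xD test Proxima describes, and runs a 0x10/0x11 sign-and-verify round trip. The function names `kirk_0xC` etc. are stand-ins for the `sceUtilsBufferCopyWithRange` command codes, and 0x10 takes the plaintext private key; the key encryption the real service expects is not modelled.

```python
"""Software model of the KIRK 0xC/0xD/0x10/0x11 services, built from the curve parameters in the post."""
import hashlib
import secrets

# Curve y^2 = x^3 + a*x + b mod p with a = -3, and the order N of the base point G (values from the post)
P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
A = P - 3
B = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B
N = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127
G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
     0x5958557EB1DB001260425524DBC379D5AC5F4ADF)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition (doubling when p1 == p2)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def i2b(n):
    return n.to_bytes(0x14, "big")  # every field is 0x14 bytes, as in the post


def b2i(b):
    return int.from_bytes(b, "big")


def sha1(data):
    return hashlib.sha1(data).digest()


def kirk_0xC():
    """Keygen. Output 0x3c bytes: private d | public Qx | public Qy."""
    d = secrets.randbelow(N - 1) + 1
    qx, qy = mul(d, G)
    return i2b(d) + i2b(qx) + i2b(qy)


def kirk_0xD(buf):
    """Point multiplication. Input 0x3c bytes: k | x | y. Output 0x28 bytes: x | y of k*(x, y)."""
    k, pt = b2i(buf[:0x14]), (b2i(buf[0x14:0x28]), b2i(buf[0x28:0x3c]))
    if len(buf) != 0x3c or not on_curve(pt):
        raise ValueError("bad input buffer or point not on curve")
    rx, ry = mul(k, pt)
    return i2b(rx) + i2b(ry)


def kirk_0x10(private_key, digest):
    """ECDSA sign. Output 0x28 bytes: r | s. Takes plaintext d (the real service's key encryption is not modelled)."""
    d, z = b2i(private_key), b2i(digest)
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh nonce per signature; reuse would leak d
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return i2b(r) + i2b(s)


def kirk_0x11(buf):
    """ECDSA verify. Input 0x64 bytes: Qx | Qy | digest | r | s. Returns 0 (good) or 1 (bad)."""
    if len(buf) != 0x64:
        return 1
    q = (b2i(buf[:0x14]), b2i(buf[0x14:0x28]))
    z, r, s = b2i(buf[0x28:0x3c]), b2i(buf[0x3c:0x50]), b2i(buf[0x50:0x64])
    if not on_curve(q) or not (0 < r < N and 0 < s < N):
        return 1
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, q))
    return 0 if pt is not INF and pt[0] % N == r else 1


if __name__ == "__main__":
    print("G on curve:", on_curve(G), " N*G == INF:", mul(N, G) is INF)
    kp = kirk_0xC()
    # Proxima's test: feed 0xC's private key and G back into 0xD; it must return 0xC's public key
    print("0xD reproduces 0xC public key:", kirk_0xD(kp[:0x14] + i2b(G[0]) + i2b(G[1])) == kp[0x14:])
    h = sha1(b"constructed test message")
    print("0x11 on a good signature:", kirk_0x11(kp[0x14:] + h + kirk_0x10(kp[:0x14], h)))
```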

    To quote (from pastie.org/private/hzqhpgaxgdybq3zjudqpva):
    Code:
    LOAD:000146FC                 il             r2, 0x220
    LOAD:00014700                 ai             r3, sp, arg_20
    LOAD:00014704                 a              r2, r3, r2
    LOAD:00014708                 ila            r4, eid0_keyseed_6
    LOAD:0001470C                 ai             r5, sp, arg_150
    LOAD:00014710                 lr             r3, r2
    LOAD:00014714                 lqd            r2, arg_140(sp)
    LOAD:00014718                 lr             r6, r2
    LOAD:0001471C                 brsl           lr, sbox_stuff
    LOAD:00014720                 lr             r4, r3
    .......
    LOAD:00014744                 br             loc_148A8
    
    LOAD:00016FCC                 ai             r2, sp, arg_1F0
    LOAD:00016FD0                 ila            r4, eid0_keyseed_6
    LOAD:00016FD4                 ai             r5, sp, arg_100
    LOAD:00016FD8                 lr             r3, r2
    LOAD:00016FDC                 lqd            r2, arg_E0(sp)
    LOAD:00016FE0                 lr             r6, r2
    LOAD:00016FE4                 brsl           lr, sbox_stuff
    LOAD:00016FE8                 lr             r4, r3
    ....
    LOAD:00017018                 br             loc_17158
    
    LOAD:00016354                 il             r2, 0x360
    LOAD:00016358                 ai             r3, sp, arg_20
    LOAD:0001635C                 a              r2, r3, r2
    LOAD:00016360                 ila            r4, key_unknown
    LOAD:00016364                 ai             r5, sp, arg_1F0
    LOAD:00016368                 lr             r3, r2
    LOAD:0001636C                 lqd            r2, arg_1D0(sp)
    LOAD:00016370                 lr             r6, r2
    LOAD:00016374                 brsl           lr, sbox_func
    LOAD:00016378                 lr             r4, r3
    ........
    LOAD:000163A4                 stqd           r3, arg_1C0(sp)
    Finally, from LiquidManZero (via psx-scene.com/forums/f153/new-63886/index28.html#post992654):

    Welp. I'm just going to leave these here... Also Rand, I know you're watching.
    Code:
    me_iso_spu_module:
    
    0x6DB0: 51ED689419A83AD8
    0x6DD0: 65E88B1A9E3FD268
    0x6DE0: 7D16C46313C3711C
    0x6DF0: D56604A445781EC4
    0x6E00: E773089E35D26A1B
    0x6E10: 38C761029437CEE3
    0x6E20: 20CB60F58D24BE50
    0x6E30: 35C860019222BB60
    0x6E40: 8C2BD03EC245C56D
    0x6E50: 5001C87121F939C144D86B069224B247
    0x6E60: 77F38314B047D87C9B37D266049228C4
    
    mc_iso_spu_module:
    
    0x6680: 6C26D37F46EE9DA9
    0x6690: CE62F68420B65A81E459FA9A2BB3598A
    0x66A0: 2CD160FA8C2ED362
    0x66B0: 7014A32FCC5B1237AC1FBF4ED26D1CC1
    0x74A0: 2C5BF48D32749127
    From zecoxao: Euss, right next to this (psdevwiki.com/ps3/Seeds#sc_iso_key_seeds) there's a chunk of data, size 0x290, which is loaded twice in two separate functions. I'm guessing that this is some sort of eid1 in disguise? This is on the jig firmware btw.

    There is also a third value which I don't recognize (next to the be2sc and sc2be keys):
    Code:
    2E A2 67 09 3B 45 56 ED  9D 3B E6 2E 11 5D 6D 59

  7. #37
    Member JAYRIDER666's Avatar
    Join Date
    Dec 2012
    Posts
    68

    VTRM crypto and Blu-ray playback

    I have a working IDPS but I have no program to put this on my PS3 CFW Rogero 4.46. Can anyone help?

    Also below is some VTRM crypto and Blu-ray playback from zecoxao, as follows:

    This is already known info but I figured I'd make it into a nice post, so let's start.

    There are two VTRM blocks in the flash. Each block corresponds to a ros. Essentially one VTRM is a backup of the other.

    Inside the VTRM block there are encrypted blocks; there might be 4, 5, 6, etc. blocks. Why the number of blocks changes we don't know. The blocks have a size of 0x40 bytes.

    There are two ways to decrypt the blocks: using AES-XTS with sherwood_ss_seed and ss_seed_one_more, OR (recommended) using AES-CBC with keyseed_for_srk2.

    The method is the following:

    First, encrypt the root key with the sc_iso metadata seeds. The key is at 0x20, size 0x10; the IV is at 0x10. Then, encrypt (pick one) either sherwood_ss_seed (for data) and ss_seed_one_more (for tweak) or keyseed_for_srk2 (this is a string used as a seed) with AES-CBC-128 for the block key (the IV is 0).

    After obtaining the data and tweak keys (or the block key), use the keys and decrypt each block.

    Most of the blocks contain nothing inside, except for the very first one.

    The first block contains a hash of the DRL (0x14 bytes) followed by a hash of the CRL (0x14 bytes) in SHA-1 format. If you just remarried your console, you can fix Blu-ray playback by replacing the hashes there with the ones you currently have.

    There's another set of hashes in plain sight, and they're probably all SHA-1. The first hash is repeated in a set of patterns, the second hash is cleverly hidden among the patterns, and the third hash is at the VTRM header. Corruption of these hashes is very likely to cause RSOD. There has been a debate whether replacing a corrupted hash with another equal hash would be advisable (it fixes the RSOD error, but we don't know the direct consequences of this).

    Oh, forgot the link to glevand's mastery: psdevwiki.com/ps3/Fixing_DRL_and_CRL_Hashes

    I just had a word with flatz... Two of the 3 hashes can be calculated already:
    Code:
    hash_repeated: hmac_sha1(srk, empty data)
    hash_hidden:   hmac_sha1(srk, 0x58 bytes of empty sector)
    hash_header:   unknown.
    Empty sector:
    Code:
    10 70 00 00 02 00 00 01 10 70 00 00 39 00 00 01
    [0x40 encrypted empty section here]
    00 00 00 00 00 00 00 01
    u$er, I asked you about the method to dump srk and srh, but unfortunately, even with your help, I wasn't able to dump the data. Running the code with your pokes hangs at a black screen. If you're interested in sharing that package to dump srk and srh, that would be very cool of you.

    From u$er: the prx has been tested on 4.46 DEX in debug mode. It should work on CEX as well, but you won't see any result... Just connect to port 4546 and type "dumpsrk".

    Download: test.sprx (load with prx loader) / pastie.org/private/kfbm2w1dzjddczxvdonba (src)
    Code:
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    /* system_call_3 and return_to_user_prog are the lv2 syscall macros of the
       SDK the prx is built with; lv1_poke and print_hex are provided elsewhere
       in the prx. */
    
    /* asks lv2 (syscall 862) to fill data with the 0x60-byte encrypted backup */
    uint64_t backup_srk(uint8_t *data)
    {
    	system_call_3(862, 0x2014, 0x60, (uint64_t)data);
    	return_to_user_prog(uint64_t);
    }
    
    /* lv1 pokes for the 4.46 DEX the prx was tested on */
    void patch_proc_checks(void)
    {
    	//disable product mode check
    	lv1_poke(0x720670, 0x2F3E000060000000ULL);
    	lv1_poke(0x720680, 0x7FA3EB7860000000ULL);
    	//disable auth check
    	lv1_poke(0x16fb64, 0x2f80000048000050ULL);
    }
    
    int dump_srk(void)
    {
    	patch_proc_checks();
    
    	uint8_t data[0x60];
    	uint64_t res;
    
    	memset(data, 0, 0x60);
    	res = backup_srk(data);
    	printf("backup srk: %llx\n", (unsigned long long)res);
    	print_hex(data, 0x60);  /* header, encrypted srk, omac (see below) */
    	return 0;
    }
    It should look like this:
    Code:
    0x00: 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 60
    0x10: encrypted srk (0x40 bytes)
    0x50: omac of header and encrypted data
    From zecoxao: Thanks u$er. I got the encrypted srk, srh, and something else.

    Alright, here's the structure of the decrypted data (I'm going to upload the algorithm to generate the backup key and IV to decrypt the data using AES-CBC to my decrypt_tools).

    The first 0x10 bytes of data are unknown; we don't know what they are, basically. Then comes srh, then srk and finally a padding of 8 zeroes. I've verified this myself.

    Now what's left to analyze are those 0x10 bytes. flatz wondered if they could be some master key, but I highly doubt it. Either way, it's worth checking out.

    Edit: srh is the hash of the signature table (the giant table with the repeated hashes and the hidden one) hashed with the srk key.

    Edit2: the header hash is just an HMAC-SHA1 of an HMAC-SHA1 of the VTRM section without header (0x28 bytes) and the signature table (again, with the srk key, hashed twice).

    More info from flatz:

    syscon data (total size: 0x400 bytes) includes:

    management block:
    0x00 - syscon state/status (0x10 bytes with padding)

    root info block:
    0x10 - key (0x10 bytes)
    0x20-0x34 - srh (0x14 bytes)
    0x34-0x48 - srk (0x14 bytes)
    0x48-0x50 - padding

    ???:
    0x50-0x80: encrypted stuff (???)

    updater block/region data block:
    0x80-0x380 - system version, coreos hashes (?), etc.
    each block has a size of 0x30 bytes (?)
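    As an added example (not code from zecoxao, flatz, u$er or the thread), the Python below ties the two descriptions above together: it splits the decrypted 0x40-byte backup blob into its fields as described (0x10 unknown, srh, srk, 8 bytes of zero padding) and recomputes hash_repeated, hash_hidden and srh with HMAC-SHA1 over the quoted empty-sector layout and the signature table, so a table read from flash can be checked for the hash corruption said to cause RSOD. The srk, the encrypted empty section and the signature table are constructed placeholders; the header hash is left out because the thread gives it only in outline.

```python
import hashlib
import hmac

# Layout of the decrypted 0x40-byte backup blob as described in the thread:
# 0x10 unknown bytes, srh (0x14), srk (0x14), 8 zero bytes of padding.
# "Empty sector" as quoted in the thread: 0x10-byte header, 0x40-byte
# encrypted empty section, 8-byte trailer, 0x58 bytes in total.
EMPTY_SECTOR_HEADER = bytes.fromhex("10700000020000011070000039000001")
EMPTY_SECTOR_TRAILER = bytes.fromhex("0000000000000001")

def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def parse_root_info(block: bytes) -> dict:
    """Split the decrypted root info block into unknown, srh and srk."""
    if len(block) != 0x40:
        raise ValueError("root info block must be 0x40 bytes")
    if block[0x38:0x40] != bytes(8):
        raise ValueError("trailing padding is not eight zero bytes")
    return {"unknown": block[:0x10], "srh": block[0x10:0x24], "srk": block[0x24:0x38]}

def build_empty_sector(encrypted_section: bytes) -> bytes:
    """Assemble the 0x58-byte empty sector that hash_hidden is computed over."""
    if len(encrypted_section) != 0x40:
        raise ValueError("encrypted empty section must be 0x40 bytes")
    return EMPTY_SECTOR_HEADER + encrypted_section + EMPTY_SECTOR_TRAILER

def expected_hashes(srk: bytes, empty_sector: bytes, sig_table: bytes) -> dict:
    """hash_repeated, hash_hidden and srh, computed as the thread describes."""
    return {
        "hash_repeated": hmac_sha1(srk, b""),
        "hash_hidden": hmac_sha1(srk, empty_sector),
        "srh": hmac_sha1(srk, sig_table),
    }

def check_hashes(srk: bytes, empty_sector: bytes, sig_table: bytes,
                 observed: dict) -> list:
    """Names of the hashes whose observed value does not match the expected one.
    An empty list means the signature table is consistent with this srk."""
    want = expected_hashes(srk, empty_sector, sig_table)
    return [name for name, value in want.items() if observed.get(name) != value]

if __name__ == "__main__":
    # Constructed placeholder values, not data read from a real console.
    root = parse_root_info(bytes(0x10) + b"\x11" * 0x14 + bytes(range(0x14)) + bytes(8))
    sector = build_empty_sector(b"\xaa" * 0x40)
    table = bytes(0x100)  # stands in for the signature table read from flash
    observed = expected_hashes(root["srk"], sector, table)
    observed["hash_hidden"] = bytes(0x14)  # simulate one corrupted hash
    print("mismatching hashes:", check_hashes(root["srk"], sector, table, observed))
```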

  8. #38
    Senior Member dyceast's Avatar
    Join Date
    Oct 2006
    Posts
    308
    PSNope 1.05 is all you need.

  9. #39
    Member JAYRIDER666's Avatar
    Join Date
    Dec 2012
    Posts
    68
    I tried but PSNope 1.05 doesn't work on my Rogero 4.46.

  10. #40
    Junior Member zant's Avatar
    Join Date
    Sep 2010
    Posts
    92
    Can somebody make a working NAND version, please? I have been waiting to use something like this for a while now since Joris' didn't work.
