
  1. #1
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,638

    PS3 SCETool, Friday Isolated SPU POC and EIDTool WIP Updates

    This weekend Sony PlayStation 3 hacker naehrwert has released a PS3 SCETool based on the fail0verflow tools, an Isolated SPU binary POC dubbed Friday and some EIDTool work in progress updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc via [Register or Login to view links].

    Download: [Register or Login to view links] / [Register or Login to view links] / PS3 SCETool v0.0.3 and VSH.Self Output / [Register or Login to view links]

    Below are the details from the ReadMe files and Tweets, as follows:

    SCETool (C) 2011 by naehrwert - This tool will see more features in the future.

    Notice: THIS CAN DO NOTHING NEW, IT'S CURRENTLY JUST A REWRITE OF f0f TOOLS.

    Keyfile format:

    [Register or Login to view code]

    A sample keyfile is included.

    Shout-outs: I think they know who I mean

    Friday (C) 2011 by naehrwert - This is a POC for an isolated SPU binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S block from it, that is used to pair the BD drive to the specific console. You can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.

    Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is sent from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.

    Note: this is UNTESTED but should just work

    POC [Register or Login to view links]

    note: self part is only for spu yet!

    scetool [Register or Login to view links]

    veeeery nice [Register or Login to view links]

    which I can generate and yes my eid4 passes the hash check

    but one would need to get the aes_omac1 key to be able to check it

    hmm eid4 digest is stored unencrypted

    seems like there are some hardcoded eid4 fallback bytes - [Register or Login to view links]

    [Register or Login to view code]

    scetool/eidtool progress is great

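The mailbox exchange described in the Friday ReadMe above, as a host-side C simulation of both sides. This is an added example, not code from Friday or friday.h: the message values, LS offsets and sizes, the `session` struct, the function names and the stand-in SPU transform are all assumptions made for illustration.

```c
/* Host-side simulation of the Friday mailbox handshake. Message values, LS
 * offsets and sizes are constructed; the real ones are in friday.h (not shown). */
#include <stdint.h>
#include <string.h>
enum { MSG_OUT_READY = 1, MSG_OUT_GEN_DONE = 2 };  /* SPU -> out_mbox (assumed) */
enum { MSG_IN_READY = 1, MSG_IN_DIE = 2 };         /* PPU -> in_mbox (assumed) */
enum { EID2_START = 0x100, EID2_SIZE = 0x40, BLOCKS_START = 0x200,
       BLOCKS_SIZE = 0x20, LS_SIZE = 0x400 };      /* assumed LS layout */
typedef enum { WAIT_READY, WAIT_GEN_DONE, FINISHED, PROTO_ERROR } ppu_state;
typedef struct { uint8_t ls[LS_SIZE]; uint32_t in_mbox; ppu_state state; } session;

/* PPU side: handle one word read from out_mbox and return the new state. */
ppu_state ppu_on_message(session *s, uint32_t msg, const uint8_t *eid2, uint8_t *out) {
    if (s->state == WAIT_READY && msg == MSG_OUT_READY) {
        memcpy(s->ls + EID2_START, eid2, EID2_SIZE);    /* "DMA" EID2 into LS */
        s->in_mbox = MSG_IN_READY;
        s->state = WAIT_GEN_DONE;
    } else if (s->state == WAIT_GEN_DONE && msg == MSG_OUT_GEN_DONE) {
        memcpy(out, s->ls + BLOCKS_START, BLOCKS_SIZE); /* "DMA" blocks out */
        s->in_mbox = MSG_IN_DIE;
        s->state = FINISHED;
    } else {
        s->state = PROTO_ERROR;  /* out-of-order or unknown word: copy nothing */
    }
    return s->state;
}

/* Stand-in SPU: placeholder transform, not the real P/S block generation. */
uint32_t fake_spu_step(session *s) {
    if (s->in_mbox == 0) return MSG_OUT_READY;
    if (s->in_mbox != MSG_IN_READY) return 0;           /* MSG_IN_DIE: stop */
    for (int i = 0; i < BLOCKS_SIZE; i++)
        s->ls[BLOCKS_START + i] = (uint8_t)(s->ls[EID2_START + i] ^ 0xFF);
    return MSG_OUT_GEN_DONE;
}

/* Drive the whole exchange and return the PPU's final state. */
ppu_state run_exchange(const uint8_t *eid2, uint8_t *out) {
    session s = { .in_mbox = 0, .state = WAIT_READY };
    uint32_t msg;
    while (s.state != PROTO_ERROR && (msg = fake_spu_step(&s)) != 0)
        ppu_on_message(&s, msg, eid2, out);
    return s.state;
}

int main(void) {
    uint8_t eid2[EID2_SIZE] = { 0xAA }, blocks[BLOCKS_SIZE] = { 0 };  /* constructed */
    return run_exchange(eid2, blocks) == FINISHED ? 0 : 1;
}
```

The `PROTO_ERROR` branch is the part worth keeping in a real PPU application: a word that arrives in the wrong state must not trigger either DMA.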

  2. #2
    Member HAVOK7's Avatar
    Join Date
    Feb 2011
    Posts
    66
    wow i am first lol, ok so what can be actually done with this?

  3. #3
    Senior Member Bartholomy's Avatar
    Join Date
    Jan 2011
    Posts
    836
    Yep. WE mortals don't do nothing with this stuff. But i suppose it's an advancement about a free solution...

    Oh, some news: And no, I won't release eidtool. If you want the algorithms, you'll have to start reversing

    Cool, we can close this chapter too
    Last edited by Bartholomy; 11-28-2011 at 03:17 PM Reason: Automerged Doublepost

  4. #4
    Member tulla2010's Avatar
    Join Date
    Sep 2010
    Posts
    67
    shame he will never release the eid tool

  5. #5
    Senior Member Ezio's Avatar
    Join Date
    Aug 2011
    Posts
    355
    Friday is a new legal application developed by naehrwert to remarry bd drive.

    Originally Posted by tulla2010:
    shame he will never release the eid tool
    Yeah, unfortunately he decided to not share his eid tool when it will be ready.

  6. #6
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,638

    Here is a follow-up from his blog today as well for those following: nwert.wordpress.com/2011/11/29/about-spu-channels-64-72-and-73/

    About SPU channels 64, 72 and 73

    If you are reversing the PS3's isolated SPU modules, you will eventually notice channels 64, 72 and 73. Here are some C functions, that roughly describe how they work:


    [Register or Login to view code]

    It seems that lv1ldr is storing its version into a special storage area.

    [Register or Login to view code]

    And e.g. isoldr reads the version from the storage area and compares it to its own version. If the check fails, isoldr will just stop execution.

    [Register or Login to view code]

    I wonder what else is stored in the area and how long the data in it persists, so my next idea is to code an isolated elf, that allows me to specify the value written to channel 64 and then dumps the data from channel 73.

  7. #7
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,638

    PS3 SCETool v0.0.3 and VSH.Self Output

    Below are some more updates from naehrwert for those following..

    scetool 0.0.3 [Register or Login to view links]

    output for vsh.self pastie.org/2958961

    [Register or Login to view code]

    Added ELF64 support to scetool!

    but I extended eidtool by some new functions

  8. #8
    Senior Member Bartholomy's Avatar
    Join Date
    Jan 2011
    Posts
    836
    Eidtool is what we need, rest is useless I think

  9. #9
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,638

    PS3 SCETool v0.0.4

    Today Naehrwert has released PS3 SCETool v0.0.4 for those interested.

    Download: [Register or Login to view links]

    From his Tweet (twitter.com/#!/naehrwert/status/145481343411830784) the changes are as follows:

    scetool 0.0.4 [Register or Login to view links]

    (added 32 bit ELF "unselfing")

    isoldr_emulate [Register or Login to view links]

    [Register or Login to view code]


  10. #10
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,638

    Here are a few quick updates from naehrwert (twitter.com/naehrwert) for those following:
    • haha just figured the eid3 algo, nice!
    • KaKaRoToKS and I added basic NPDRM support to scetool
    • SELF generation works now for SPU and PPU, except for compressing the data and NPDRM
    • added SPU SELF generation to scetool

    Also from his site: nwert.wordpress.com/2011/12/24/individual-infos/

    Individual Infos

    One of the PS3's console specific cryptography works as follows:

    At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that’s the key used for encrypting bootldr and metldr. Fact is, that metldr stores another console specific keyset (key/iv) to LS offset 000000. That keyset is probably calculated from the first one. At factory time the isolated root keyset (how I call it) is used to encrypt the console’s “Individual Infos”, like eEID.

    But not the whole eEID is encrypted the same way, special seeds are used to calculate key/iv pairs for the different sections. And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an “Individual Info” has a special section that isoldr uses to generate the derived key(set)s.

    But the generation works in a way, that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn’t allow a known plaintext attack. So far I can decrypt some of EID0's sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0's but I lack the generation keys for that one.

 