  1. #1
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,389

    PS3 SCETool, Friday Isolated SPU POC and EIDTool WIP Updates

    This weekend Sony PlayStation 3 hacker naehrwert has released a PS3 SCETool based on the fail0verflow tools, an Isolated SPU binary POC dubbed Friday and some EIDTool work in progress updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc.

    Download: PS3 SCETool v0.0.3 and VSH.Self Output

    Below are the details from the ReadMe files and Tweets, as follows:

    SCETool (C) 2011 by naehrwert - This tool will see more features in the future.

    Notice: THIS CAN DO NOTHING NEW, IT'S CURRENTLY JUST A REWRITE OF f0f TOOLS.

    Keyfile format:
    Code:
     [keyname]
     type={SELF, PKG, SPP}
     sdk_type={00, ..., 18, 8000}
     version={..., 0001000000000000, ...}
     self_type={LV0, LV1, LV2, APP, ISO, LDR, NPDRM}
     erk=...
     riv=...
    A sample keyfile is included.

    Shout-outs: I think they know who I mean

    Friday (C) 2011 by naehrwert - This is a POC for an isolated spu binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S block from it, that is used to pair the BD drive to the specific console. You can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.

    Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is sent from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.

    Note: this is UNTESTED but should just work

    POC

    note: self part is only for spu yet!

    scetool

    veeeery nice
    Code:
    ## scetool
    scetool 0.0.1 (C) 2011 by naehrwert
    [*] Keys loaded.
    [*] Loaded keys:
     Name        Type SDK-Type Version
     isoldr 3.50 SELF 0x0000   0x0003005000000000
     isoldr 3.41 SELF 0x0000   0x0003004100000000
     isoldr 1.00 SELF 0x0000   0x0001000000000000
     metldr      SELF 0x0000   0x0000000000000000
     spp 0x00    SPP  0x0000   0x0000000000000000
     pkg 0x00    PKG  0x0000   0x0000000000000000
    [*] File decrypted.
    [*] SCE Header:
     Magic           0x53434500 [OK]
     Version         0x00000002
     SDK Type        [Type 0]
     Header Type     [SELF]
     Metadata Offset 0x000001B0
     Header Length   0x0000000000000480
     Data Length     0x0000000000012BF4
    [*] Metadata Info:
     Key 00000000: AC 0E 35 E4 A9 22 07 C7 09 2C 38 66 69 45 34 31 
     IV  00000000: 1C 7D C8 A3 EB B9 C8 9C BB E4 B6 A6 A6 49 61 C2 
    [*] Metadata Header:
     Signature Input Length 0x0000000000000450
     unknown_0              0x00000001
     Section Count          0x00000003
     Key Count              0x00000016
     Signature Info Size    0x00000030
     unknown_1              0x00000000
     unknown_2              0x00000000
    [*] Metadata section headers:
     Idx Offset   Size     Type Index unk_1 SHA1 Encrypted Key IV Compressed
     000 00000500 00011C20 02   00    02    00   [YES]     06  07 [NO ]
     001 00012120 000000A0 02   01    02    08   [YES]     0E  0F [NO ]
     002 00012EE4 00000190 01   03    02    10   [NO ]            [NO ]
    [*] SCE File Keys:
    [*] SELF Header:
     unknown_0           0x0000000000000003
     App Info Offset     0x0000000000000070
     ELF Offset          0x0000000000000090
     PH Offset           0x00000000000000D0
     SH Offset           0x0000000000012EE4
     Section Info Offset 0x0000000000000110
     SCE Version Offset  0x0000000000000150
     Control Info Offset 0x0000000000000160
     Control Info Size   0x0000000000000070
    [*] Application info:
     Auth ID   [isoldr]
     Vendor ID 0xFF000000
     SELF Type [Secure loader]
     Version   0x0003004100000000
    [*] Elf32 Header:
     Type      [EXEC]
     Machine   [SPU]
     Version   0x00000001
     Entry     0x000259E0
     PH Offset 0x00000034
     SH Offset 0x00012A64
     Flags     0x00000000
     PH Count  0x0002
     SH Count  0x000A
     SHStr Idx 0x0009
    [*] Elf32 Section Headers:
     Idx Name     Type         Flags Address Offset Size  ES Align LK
     000 00000000 NULL         ...   00000   00000  00000 00 00000 00
     001 0000000B PROGBITS     .AE   25800   00080  001DC 00 00001 00
     002 00000022 PROGBITS     .AE   259E0   00260  0F1D0 00 00008 00
     003 00000028 PROGBITS     .A.   34BB0   0F430  02870 00 00010 00
     004 00000030 PROGBITS     WA.   374A0   11CA0  00070 00 00010 00
     005 00000036 PROGBITS     WA.   37510   11D10  0001C 00 00004 00
     006 0000003D PROGBITS     WA.   3752C   11D2C  00014 00 00004 00
     007 00000044 NOBITS       WA.   37540   11D40  039B0 00 00010 00
     008 00000049 PROGBITS     ...   00000   11D40  00CD2 00 00001 00
     009 00000001 STRTAB       ...   00000   12A12  00052 00 00001 00
    [*] Elf32 Program Headers:
     Idx Type    Offset VAddr PAddr FileSize MemSize Flags Align
     000 LOAD    00080  25800 25800 11C20    11C20   W.E   00080
     001 LOAD    11CA0  374A0 374A0 000A0    03A50   .AE   00080
    Code:
    eidtool (C) 2011 by naehrwert
    Loading iso_root_keyset: done.
    EID2: p_len=0x0080, s_len=0x0690
    Generated blocks from EID2:
    which I can generate and yes my eid4 passes the hash check

    but one would need to get the aes_omac1 key to be able to check it

    hmm eid4 digest is stored unencrypted

    seems like there are some hardcoded eid4 fallback bytes
    Code:
    ## sv_iso
    eid4_fallback_0x00 FF1471C135E4593D0D27F9CAA3795BD9
    eid4_fallback_0x10 DD38369F0175173CE32BEED051FD4EF3
    scetool/eidtool progress is great
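
A strict parser for the keyfile format quoted from the SCETool ReadMe in the post above, added here as an example (it is not naehrwert's code and not part of scetool). The sample section name and key bytes are constructed dummies, and the rule that hex fields are even-length hex strings is an assumption, since the ReadMe elides the erk and riv values.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One [keyname] section of a keyfile in the README's format. */
typedef struct {
    char name[32], type[8], self_type[8];
    uint32_t sdk_type;          /* hex: 00 ... 18, 8000 */
    uint64_t version;           /* 16 hex digits */
    char erk[129], riv[65];     /* kept as hex text */
} keyset_t;

static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

static int in_set(const char *v, const char *const *set) {
    for (; *set; set++)
        if (strcmp(v, *set) == 0) return 1;
    return 0;
}

/* Assumption: hex fields hold an even number of hex digits, min..max long. */
static int is_hex(const char *s, size_t min, size_t max) {
    size_t n = strlen(s);
    if (n < min || n > max || n % 2) return 0;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Returns the number of keysets parsed, or -(line number) of the first line
 * that is malformed, has an unknown key or value, or precedes any section. */
int parse_keyfile(const char *text, keyset_t *out, int max) {
    static const char *const TYPES[] = {"SELF", "PKG", "SPP", NULL};
    static const char *const SELF_TYPES[] =
        {"LV0", "LV1", "LV2", "APP", "ISO", "LDR", "NPDRM", NULL};
    keyset_t *cur = NULL;
    int count = 0, lineno = 0;
    while (*text) {
        char line[256];
        size_t len = strcspn(text, "\n");
        lineno++;
        if (len >= sizeof line) return -lineno;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');
        char *s = trim(line);
        if (*s == '\0') continue;
        if (*s == '[') {                        /* section header */
            char *end = strchr(s, ']');
            if (!end || end[1] || end == s + 1 || count == max ||
                (size_t)(end - s) > sizeof out->name)
                return -lineno;
            *end = '\0';
            cur = &out[count++];
            memset(cur, 0, sizeof *cur);
            strcpy(cur->name, s + 1);
            continue;
        }
        char *eq = strchr(s, '=');
        if (!cur || !eq) return -lineno;
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (!strcmp(key, "type") && in_set(val, TYPES))
            strcpy(cur->type, val);
        else if (!strcmp(key, "self_type") && in_set(val, SELF_TYPES))
            strcpy(cur->self_type, val);
        else if (!strcmp(key, "sdk_type") && is_hex(val, 2, 4))
            cur->sdk_type = (uint32_t)strtoul(val, NULL, 16);
        else if (!strcmp(key, "version") && is_hex(val, 16, 16))
            cur->version = strtoull(val, NULL, 16);
        else if (!strcmp(key, "erk") && is_hex(val, 2, sizeof cur->erk - 1))
            strcpy(cur->erk, val);
        else if (!strcmp(key, "riv") && is_hex(val, 2, sizeof cur->riv - 1))
            strcpy(cur->riv, val);
        else return -lineno;                    /* unknown key or bad value */
    }
    return count;
}

/* Constructed sample: the section name and key bytes are dummies. */
static const char SAMPLE_KEYFILE[] =
    "[example isoldr]\ntype=SELF\nsdk_type=00\n"
    "version=0003004100000000\nself_type=ISO\n"
    "erk=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF\n"
    "riv=00112233445566778899AABBCCDDEEFF\n";

int main(void) {
    keyset_t ks[4];
    int n = parse_keyfile(SAMPLE_KEYFILE, ks, 4);
    printf("parsed %d keyset(s), first is [%s]\n", n, n > 0 ? ks[0].name : "");
    return n < 0;
}
```

Rejecting unknown keys and out-of-set values with a line number, rather than skipping them, keeps a mistyped keyfile from silently loading a partial keyset.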


  2. #2
    Member HAVOK7's Avatar
    Join Date
    Feb 2011
    Posts
    66
    wow i am first lol, ok so what can be actually done with this?

  3. #3
    Senior Member Bartholomy's Avatar
    Join Date
    Jan 2011
    Posts
    836
    Yep. WE mortals don't do nothing with this stuff. But i suppose it's an advancement about a free solution...

    Oh, some news: And no, I won't release eidtool. If you want the algorithms, you'll have to start reversing

    Cool, we can close this chapter too
    Last edited by Bartholomy; 11-28-2011 at 02:17 PM Reason: Automerged Doublepost

  4. #4
    Junior Member tulla2010's Avatar
    Join Date
    Sep 2010
    Posts
    63
    shame he will never release the eid tool

  5. #5
    Senior Member Ezio's Avatar
    Join Date
    Aug 2011
    Posts
    355
    Friday is a new legal application developed by naehrwert to remarry bd drive.

    Quote Originally Posted by tulla2010 View Post
    shame he will never release the eid tool
    Yeah, unfortunately he decided to not share his eid tool when it will be ready.

  6. #6
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,389


    Here is a follow-up from his blog today as well for those following: nwert.wordpress.com/2011/11/29/about-spu-channels-64-72-and-73/

    If you are reversing the PS3's isolated SPU modules, you will eventually notice channels 64, 72 and 73. Here are some C functions, that roughly describe how they work:

    About SPU channels 64, 72 and 73

    Code:
    void read_ch73(u32 skip, u32 *buf, u32 len)
    {
    	u32 i;
    	spu_wrch(64, 0x10000);
    	// Discard the first `skip` words read from channel 73.
    	for(i = 0; i < skip; i++)
    		spu_rdch(73);
    	// Read `len` 32-bit words into buf.
    	for(i = 0; i < len; i++)
    		buf[i] = spu_rdch(73);
    }
    
    void write_ch72(u32 skip, u32 *buf, u32 len)
    {
    	u32 i;
    	spu_wrch(64, 0x10000);
    	// Each skipped word is read from channel 73 and written back through channel 72.
    	for(i = 0; i < skip; i++)
    		spu_wrch(72, spu_rdch(73));
    	// Then write `len` 32-bit words from buf.
    	for(i = 0; i < len; i++)
    		spu_wrch(72, buf[i]);
    }
    It seems that lv1ldr is storing its version into a special storage area.
    Code:
    s64 lv1ldr_main(...)
    {
    	//...
    	u64 ldr_ver = 0x0003004100000000;
    	// The 64-bit version is written as two 32-bit words.
    	write_ch72(0, (u32 *)&ldr_ver, 2);
    	//...
    }
    And e.g. isoldr reads the version from the storage area and compares it to its own version. If the check fails, isoldr will just stop execution.
    Code:
    s64 check_version(u64 ldr_ver)
    {
    	u64 stored_ver;
    	// Read the two 32-bit words that lv1ldr stored.
    	read_ch73(0, (u32 *)&stored_ver, 2);
    	//...
    }
    
    s64 load_isoself(...)
    {
    	u64 ldr_ver = 0x0003004100000000;
    	if(check_version(ldr_ver) != 0)
    		return 0x30;
    	//...
    }
    I wonder what else is stored in the area and how long the data in it persists, so my next idea is to code an isolated elf, that allows me to specify the value written to channel 64 and then dumps the data from channel 73.
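
A host-side model of the version check described in the blog excerpt above, added here as an illustration (it is not code from naehrwert or from the console firmware). The storage model (16 words, separate read and write positions that a write of 0x10000 to channel 64 rewinds), the equality comparison and the helper names `store_version`, `load_version`, `boot` and `skip_preserves_version` are assumptions; the two version values and the 0x30 return code come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;
typedef uint64_t u64;

#define V341 0x0003004100000000ULL  /* isoldr 3.41, as listed on the page */
#define V350 0x0003005000000000ULL  /* isoldr 3.50, as listed on the page */

/* Assumed model of the storage area: 16 words, with separate read and
 * write positions that a write of 0x10000 to channel 64 rewinds. */
#define AREA_WORDS 16
static u32 area[AREA_WORDS], rd_pos, wr_pos;

static void spu_wrch(u32 ch, u32 val) {
    if (ch == 64 && val == 0x10000) rd_pos = wr_pos = 0;
    else if (ch == 72 && wr_pos < AREA_WORDS) area[wr_pos++] = val;
}

static u32 spu_rdch(u32 ch) {
    return (ch == 73 && rd_pos < AREA_WORDS) ? area[rd_pos++] : 0;
}

/* The two accessors as given in the blog excerpt. */
static void read_ch73(u32 skip, u32 *buf, u32 len) {
    u32 i;
    spu_wrch(64, 0x10000);
    for (i = 0; i < skip; i++) spu_rdch(73);
    for (i = 0; i < len; i++) buf[i] = spu_rdch(73);
}

static void write_ch72(u32 skip, const u32 *buf, u32 len) {
    u32 i;
    spu_wrch(64, 0x10000);
    for (i = 0; i < skip; i++) spu_wrch(72, spu_rdch(73));
    for (i = 0; i < len; i++) spu_wrch(72, buf[i]);
}

/* Split and join explicitly (high word first) instead of casting a u64
 * pointer to u32 *, so the result does not depend on host byte order. */
static void store_version(u64 ver) {
    u32 w[2] = { (u32)(ver >> 32), (u32)ver };
    write_ch72(0, w, 2);
}

static u64 load_version(void) {
    u32 w[2];
    read_ch73(0, w, 2);
    return ((u64)w[0] << 32) | w[1];
}

/* Assumption: the elided comparison is a plain equality test. */
static int check_version(u64 ldr_ver) {
    return load_version() == ldr_ver ? 0 : -1;
}

/* 0x30 is what load_isoself returns in the excerpt when the check fails. */
int load_isoself(u64 ldr_ver) {
    return check_version(ldr_ver) != 0 ? 0x30 : 0;
}

/* Boot model: lv1ldr records its version, then an isoldr build is started. */
int boot(u64 lv1ldr_ver, u64 isoldr_ver) {
    memset(area, 0, sizeof area);
    store_version(lv1ldr_ver);
    return load_isoself(isoldr_ver);
}

/* Writing with skip=2 must leave the two version words untouched. */
int skip_preserves_version(void) {
    const u32 extra[2] = { 0xAAAAAAAA, 0xBBBBBBBB };  /* constructed values */
    memset(area, 0, sizeof area);
    store_version(V341);
    write_ch72(2, extra, 2);
    return load_version() == V341 && area[2] == extra[0] && area[3] == extra[1];
}

int main(void) {
    printf("lv1ldr 3.41 + isoldr 3.41 -> 0x%X\n", (unsigned)boot(V341, V341));
    printf("lv1ldr 3.41 + isoldr 3.50 -> 0x%X\n", (unsigned)boot(V341, V350));
    printf("skip=2 keeps version words: %d\n", skip_preserves_version());
    return 0;
}
```

Under these assumptions a loader only runs when its version matches the one the earlier boot stage recorded, which is how the check ties the isolated modules to a single firmware version.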

  7. #7
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,389

    PS3 SCETool v0.0.3 and VSH.Self Output

    Below are some more updates from naehrwert for those following..

    scetool 0.0.3

    output for vsh.self pastie.org/2958961
    Code:
    scetool 0.0.3 (C) 2011 by naehrwert
    [*] Loaded keysets:
     Name   Type SDK-Type Version            SELF-Type
     pkg    PKG  0x0000   0x0000000000000000 
     spp    SPP  0x0000   0x0000000000000000 
     metldr SELF 0x0000   0x0000000000000000 [Secure Loader]
     isoldr SELF 0x0000   0x0001000000000000 [Isolated SPU Module]
     appldr SELF 0x0000   0x0003001500000000 [Application]
     isoldr SELF 0x0000   0x0003004100000000 [Isolated SPU Module]
     appldr SELF 0x0004   0x0003004100000000 [Application]
     isoldr SELF 0x0000   0x0003005000000000 [Isolated SPU Module]
     rvk    RVK  0x0000   0x0003005500000000
    [*] Header decrypted.
    [*] Data decrypted.
    [*] SCE Header:
     Magic           0x53434500 [OK]
     Version         0x00000002
     SDK Type        [3.40 - 3.42]
     Header Type     [SELF]
     Metadata Offset 0x000003F0
     Header Length   0x0000000000000900
     Data Length     0x00000000007033E0
    [*] Metadata Info:
     Key F9 F8 37 BB D6 B4 90 75 AF 8F D5 8C 36 8A 0C CE 
     IV  18 27 0D 71 1E 37 1D 0A 95 D3 28 BB CB 95 04 B8 
    [*] Metadata Header:
     Signature Input Length 0x00000000000008A0
     unknown_0              0x00000001
     Section Count          0x00000006
     Key Count              0x0000002E
     Signature Info Size    0x00000030
     unknown_1              0x00000000
     unknown_2              0x00000000
    [*] Metadata Section Headers:
     Idx Offset   Size     Type Index Hashed SHA1 Encrypted Key IV Compressed
     000 00000900 002CB8FD 02   00    [YES]  00   [YES]     06  07 [YES]
     001 002DAFE0 000208EC 02   01    [YES]  08   [YES]     0E  0F [YES]
     002 002FB8D0 00000000 02   02    [YES]  10   [YES]     16  17 [NO ]
     003 002FB8D0 00000000 02   03    [YES]  18   [YES]     1E  1F [NO ]
     004 002FB8D0 00000000 02   04    [YES]  20   [YES]     26  27 [NO ]
     005 002FB9E0 00000740 01   03    [YES]  28   [NO ]     --  -- [NO ]
    [*] SCE File Keys:
    [*] SELF Header:
     unknown_0           0x0000000000000003
     App Info Offset     0x0000000000000070
     ELF Offset          0x0000000000000090
     PH Offset           0x00000000000000D0
     SH Offset           0x00000000002FB9E0
     Section Info Offset 0x0000000000000290
     SCE Version Offset  0x0000000000000390
     Control Info Offset 0x00000000000003A0
     Control Info Size   0x0000000000000070
    [*] Application Info:
     Authentication ID   [vsh]
     Vendor ID           [SCEx]
     SELF Type           [Application]
     Version             0x0003004100000000
    [*] ELF64 Header:
     Type                   [EXEC]
     Machine                [PPC64]
     Version                0x00000001
     Entry                  0x00000000006D7918
     Program Headers Offset 0x0000000000000040
     Section Headers Offset 0x0000000000702CA0
     Flags                  0x00000000
     Program Headers Count  0x0008
     Section Headers Count  0x001D
     SH String Index        0x001C
    [*] ELF64 Program Headers:
     Idx Type     Offset   VAddr    PAddr    FileSize MemSize  PPU SPU RSX Align
     000 LOAD     00000000 00010000 00010000 006A1228 006A1228 X-R --R --- 00010000
     001 LOAD     006B0000 006C0000 006C0000 00052B90 000A8DE8 -WR -WR --- 00010000
     002 LOAD     00702B90 00000000 00000000 00000000 00000000 --R --- --- 00010000
     003 LOAD     00702B90 00000000 00000000 00000000 00000000 -WR --- --- 00010000
     004 LOAD     00702B90 00000000 00000000 00000000 00000000 -WR -WR -WR 00010000
     005 TLS      006EC37C 006FC37C 006FC37C 00000008 0000018C --R --- --- 00000008
     006 60000001 006A1200 006B1200 006B1200 00000028 00000028 --- --- --- 00000008
     007 60000002 00000000 00000000 006B1228 00000000 00000000 --- --- --- 00000008
    [*] ELF64 Section Headers:
     Idx Name Type          Flags Address    Offset    Size     ES   Align    LK
     000 0000 NULL          ---   00000000   00000000  00000000 0000 00000000 00
     001 000B PROGBITS      -AE   00010200   00000200  0000002C 0000 00000004 00
     002 001F PROGBITS      -AE   00010230   00000230  00623054 0000 00000008 00
     003 0011 PROGBITS      -AE   00633284   00623284  00000024 0000 00000004 00
     004 0017 PROGBITS      -AE   006332A8   006232A8  00001440 0000 00000004 00
     005 0025 PROGBITS      -A-   006346E8   006246E8  00009960 0000 00000004 00
     006 0039 PROGBITS      -A-   0063E048   0062E048  00000288 0000 00000004 00
     007 0049 PROGBITS      -A-   0063E2D0   0062E2D0  00000004 0000 00000004 00
     008 0056 PROGBITS      -A-   0063E2D4   0062E2D4  000002D8 0000 00000004 00
     009 005F PROGBITS      -A-   0063E5AC   0062E5AC  00000004 0000 00000004 00
     010 006C PROGBITS      -A-   0063E5B0   0062E5B0  00000004 0000 00000004 00
     011 007A PROGBITS      -A-   0063E5B4   0062E5B4  000003F4 0000 00000004 00
     012 0084 PROGBITS      -A-   0063E9A8   0062E9A8  00000004 0000 00000004 00
     013 0092 PROGBITS      -A-   0063E9B0   0062E9B0  00070308 0000 00000010 00
     014 009A PROGBITS      -A-   006AED00   0069ED00  00002500 0000 00000080 00
     015 00A5 PROGBITS      WA-   006B1200   006A1200  00000028 0000 00000008 00
     016 00B5 PROGBITS      WA-   006C0000   006B0000  0000029C 0000 00000004 00
     017 00BC PROGBITS      WA-   006C029C   006B029C  00000230 0000 00000004 00
     018 00C3 PROGBITS      WA-   006C04CC   006B04CC  00000004 0000 00000004 00
     019 00C8 PROGBITS      WA-   006C04D0   006B04D0  00014AF8 0000 00000008 00
     020 00D5 PROGBITS      WA-   006D4FC8   006C4FC8  00000288 0000 00000004 00
     021 00E4 PROGBITS      WA-   006D5250   006C5250  000026B8 0000 00000008 00
     022 00EA PROGBITS      WA-   006D7908   006C7908  000171F8 0000 00000008 00
     023 00EF PROGBITS      WA-   006EEB00   006DEB00  0000D87C 0000 00000008 00
     024 00F4 PROGBITS      WA-   006FC37C   006EC37C  00000008 0000 00000004 00
     025 00FB NOBITS        WA-   006FC388   006EC384  00000180 0000 00000008 00
     026 0101 PROGBITS      WA-   006FC508   006EC508  00016688 0000 00000008 00
     027 0107 NOBITS        WA-   00712B90   00702B90  00056258 0000 00000010 00
     028 0001 STRTAB        ---   00000000   00702B90  0000010C 0000 00000001 00
    Added ELF64 support to scetool!

    but I extended eidtool by some new functions

  8. #8
    Senior Member Bartholomy's Avatar
    Join Date
    Jan 2011
    Posts
    836
    Eidtool is what we need, rest is useless I think

  9. #9
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,389

    PS3 SCETool v0.0.4

    Today Naehrwert has released PS3 SCETool v0.0.4 for those interested.


    From his Tweet (twitter.com/#!/naehrwert/status/145481343411830784) the changes are as follows:

    scetool 0.0.4

    (added 32 bit ELF "unselfing")

    isoldr_emulate
    Code:
    ## fun with anergistic2
    get pscode
     result: 00 01 00 84 00 0B 00 04
    get psid
     result: 77 19 BD ** ** ** ** ** ** ** ** ** ** ** ** **

  10. #10
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,389


    Here are a few quick updates from naehrwert (twitter.com/naehrwert) for those following:
    • haha just figured the eid3 algo, nice!
    • KaKaRoToKS and I added basic NPDRM support to scetool
    • SELF generation works now for SPU and PPU, except for compressing the data and NPDRM
    • added SPU SELF generation to scetool

    Also from his site: nwert.wordpress.com/2011/12/24/individual-infos/

    Individual Infos

    One of the PS3's console specific cryptography works as follows:

    At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that’s the key used for encrypting bootldr and metldr. Fact is, that metldr stores another console specific keyset (key/iv) to LS offset 000000. That keyset is probably calculated from the first one. At factory time the isolated root keyset (how I call it) is used to encrypt the console’s “Individual Infos”, like eEID.

    But not the whole eEID is encrypted the same way, special seeds are used to calculate key/iv pairs for the different sections. And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an “Individual Info” has a special section that isoldr uses to generate the derived key(set)s.

    But the generation works in a way, that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn’t allow a known plaintext attack. So far I can decrypt some of EID0's sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0's but I lack the generation keys for that one.

 
