Update: tifozi1 has made available an updated PSGroove v1.1 (LV2 Peek and Poke SysCalls) USBTinymkii patched hex code now, tidusnake666 has shared PSGroove 1.1 for ATAVRXPLAIN users, farenheit has posted a hex code for ATAVRUSBRF01 hardware and an LED Fix, and evilsperm has made available a PSGroove v1.1 All Pack too!
Yesterday it was reported that a PSGroove update was incoming, and today it has arrived for PlayStation 3 users.
The PSGroove payload has now been updated with patches to add lv2 peek and poke syscalls along with an analysis of the payload.
This is great news indeed, as it will allow proper memory dumps, which in turn will enable much wider inspection of the PS3's inner workings.
Download: PSGroove v1.1
To quote from the notes: "A programmed dongle won't enumerate properly on a PC, so don't worry about that.
This branch has a modified payload that adds peek and poke syscalls to the lv2 kernel. A userspace application can use these syscalls to dump out the entire memory space of the kernel, or patch the kernel as it is running.
Unfortunately, because the free toolchain/sdk is not ready, we can't distribute an application to do the dumping, so you will have to make your own.
The lv2 kernel starts at 0x8000000000000000
Peek
- Syscall 6.
- r3 is a 64 bit address to read
- A 64 bit value will be returned in r3
Poke
- Syscall 7.
- r4 is a 64 bit value
- r3 is the address to write that value to"
PSJailbreak Exploit Payload Reverse Engineering (ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Payload_Reverse_Engineering)
Analysis of the payload
Part one
When the first shellcode is done, it jumps to offset 0x20 in the payload, where part one of the payload gets executed.
This loop copies the remaining part of the payload to 0x8000000000700000, so that the payload ends up at a known location, and then jumps into the copy (r4 + 0x80 in the listing).
Code:
ROM:00000020 part_one:                                  # fixup r3 to hold current address
ROM:00000020 38 63 F0 00     addi    %r3, %r3, -0x1000
ROM:00000024 38 A0 10 00     li      %r5, 0x1000         # r5 = 0x1000
ROM:00000028 38 80 00 01     li      %r4, 1
ROM:0000002C 78 84 F8 06     rldicr  %r4, %r4, 63,0      # r4 = 0x8000 0000 0000 0000
ROM:00000030 64 84 00 70     oris    %r4, %r4, 0x70      # r4 = 0x8000 0000 0070 0000
ROM:00000034
ROM:00000034 copy_loop:                                  # CODE XREF: ROM:00000044
ROM:00000034 38 A5 FF F8     addi    %r5, %r5, -8        # r5 -= 0x8
ROM:00000038 7C C3 28 2A     ldx     %r6, %r3, %r5       # r6 = *(r3 + r5)
ROM:0000003C 7C C4 29 2A     stdx    %r6, %r4, %r5       # *(r4 + r5) = r6
ROM:00000040 28 25 00 00     cmpldi  %r5, 0              # if r5 == 0
ROM:00000044 40 82 FF F0     bne     copy_loop           # if not, then jump to copy_loop
ROM:00000048 38 84 00 80     addi    %r4, %r4, 0x80      # r4 += 0x80
ROM:0000004C 7C 89 03 A6     mtctr   %r4                 # jump to r4
ROM:00000050 4E 80 04 20     bctr
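The comments in the listing give the value r4 holds after each instruction. The following is an added example, not code from the article or from the PSGroove project: a small Python evaluator for the few PowerPC integer instructions the payload uses to build 64-bit kernel addresses (li, addi, oris, ori, mr, rldicr). It replays the instruction strings copied from this listing and from the part-two listing further down, so the commented values and the constants passed in part two can be checked mechanically. The function names and the selection of instructions are my own.

```python
# Added example: not code from the article or from the PSGroove project. A minimal
# evaluator for the PowerPC integer instructions the payload uses to build 64-bit
# kernel addresses, so the "# r4 = ..." comments in the listings can be checked.
import re

MASK64 = (1 << 64) - 1


def _imm(tok):
    # IDA prints immediates in hex; a negative like -0x4ED8 is the 16-bit field 0xB128.
    return int(tok, 0)


def _rotl64(value, n):
    n %= 64
    return ((value << n) | (value >> (64 - n))) & MASK64


def eval_ppc(lines, regs=None):
    """Evaluate IDA-style lines such as 'oris %r4, %r4, 0x70' and return the register file.
    Unset registers read as 0. Only the mnemonics used in the payload are supported."""
    regs = dict(regs or {})
    for line in lines:
        line = line.split('#', 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        mnem, *ops = re.split(r'[\s,]+', line)
        ops = [o.lstrip('%') for o in ops]
        if mnem == 'li':                              # li rD, SIMM
            regs[ops[0]] = _imm(ops[1]) & MASK64
        elif mnem == 'addi':                          # rD = rA + SIMM (sign-extended)
            regs[ops[0]] = (regs.get(ops[1], 0) + _imm(ops[2])) & MASK64
        elif mnem == 'oris':                          # rA = rS | (UIMM << 16)
            regs[ops[0]] = regs.get(ops[1], 0) | ((_imm(ops[2]) & 0xFFFF) << 16)
        elif mnem == 'ori':                           # rA = rS | UIMM
            regs[ops[0]] = regs.get(ops[1], 0) | (_imm(ops[2]) & 0xFFFF)
        elif mnem == 'mr':                            # rA = rS
            regs[ops[0]] = regs.get(ops[1], 0)
        elif mnem == 'rldicr':                        # rA = rotl64(rS, SH) & mask(bits 0..ME, MSB first)
            sh, me = _imm(ops[2]), _imm(ops[3])
            mask = MASK64 ^ ((1 << (63 - me)) - 1)
            regs[ops[0]] = _rotl64(regs.get(ops[1], 0), sh) & mask
        else:
            raise ValueError(f'unsupported mnemonic: {mnem}')
    return regs


# Instruction text copied from the part-one listing (address-building instructions only).
PART_ONE_SETUP = [
    'li %r5, 0x1000',
    'li %r4, 1',
    'rldicr %r4, %r4, 63,0',
    'oris %r4, %r4, 0x70',
]

# Instruction text copied from the start of the part-two listing.
PART_TWO_ARGS = [
    'li %r31, 1',
    'rldicr %r31, %r31, 63,0',
    'mr %r3, %r31',
    'oris %r3, %r3, 5',
    'ori %r3, %r3, 0xB3C',
    'mr %r4, %r31',
    'oris %r4, %r4, 0x70',
    'ori %r4, %r4, 0x1AC',
    'li %r5, 0x4FA',
]


def part_one_copy_dest():
    """Where copy_loop writes the payload: r4 after the setup instructions."""
    return eval_ppc(PART_ONE_SETUP)['r4']


def part_one_jump_target():
    """Where part one branches after the copy: r4 + 0x80 (addi, mtctr, bctr)."""
    return eval_ppc(PART_ONE_SETUP + ['addi %r4, %r4, 0x80'])['r4']


def part_two_call_args():
    """(r3, r4, r5) at the first bl in the part-two listing."""
    regs = eval_ppc(PART_TWO_ARGS)
    return regs['r3'], regs['r4'], regs['r5']


def part_two_store_address():
    """Effective address of 'std %r3, 0x120(%r4)' at the end of the part-two listing."""
    regs = eval_ppc(['li %r31, 1', 'rldicr %r31, %r31, 63,0', 'mr %r4, %r31',
                     'oris %r4, %r4, 0x2E', 'ori %r4, %r4, -0x4ED8'])
    return (regs['r4'] + 0x120) & MASK64


if __name__ == '__main__':
    print(f'copy destination   : {part_one_copy_dest():#018x}')
    print(f'jump target        : {part_one_jump_target():#018x}')
    print('first bl arguments :', ', '.join(f'{v:#x}' for v in part_two_call_args()))
    print(f'std target address : {part_two_store_address():#018x}')
```

The rldicr handling is the part worth reading: with SH = 63 and ME = 0 it rotates the 1 in the low bit up to bit 63 and masks everything else, which is how the payload materialises 0x8000000000000000 in two instructions without a 64-bit immediate.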
Part two
This is where things are a little bit unclear, because I have no memory dump. First it loads r3 with 0x8000000000050B3C, r4 with 0x80000000007001AC and r5 with 0x4FA and does a bl to 0x7C01C. Then it loads r3 with 0x8000000000050B5C and does a bl to 0xD22D8.
Code:
ROM:80000000007000A0     li      %r31, 1
ROM:80000000007000A4     rldicr  %r31, %r31, 63,0
ROM:80000000007000A8     mr      %r3, %r31
ROM:80000000007000AC     oris    %r3, %r3, 5
ROM:80000000007000B0     ori     %r3, %r3, 0xB3C
ROM:80000000007000B4     mr      %r4, %r31
ROM:80000000007000B8     oris    %r4, %r4, 0x70
ROM:80000000007000BC     ori     %r4, %r4, 0x1AC
ROM:80000000007000C0     li      %r5, 0x4FA
ROM:80000000007000C4     bl      0x7C01C
ROM:80000000007000C8     mr      %r3, %r31
ROM:80000000007000CC     oris    %r3, %r3, 5
ROM:80000000007000D0     ori     %r3, %r3, 0xB3C
ROM:80000000007000D4     addi    %r3, %r3, 0x20
ROM:80000000007000D8     bl      0xD22D8
ROM:80000000007000DC     mr      %r3, %r31
ROM:80000000007000E0     oris    %r3, %r3, 5
ROM:80000000007000E4     ori     %r3, %r3, 0xB3C
ROM:80000000007000E8     mr      %r4, %r31
ROM:80000000007000EC     oris    %r4, %r4, 0x2E
ROM:80000000007000F0     ori     %r4, %r4, -0x4ED8
ROM:80000000007000F4     addi    %r3, %r3, 0x10
ROM:80000000007000F8     std     %r3, 0x120(%r4)
Then it loads r5 with the beginning of a patch structure. A patch consists of a 4-byte offset and a 4-byte patch value. The loop loads the offset, adds 0x8000000000000000 to it and writes the patch value to that address. If the offset is 0, it jumps to 0x7006B0.
Code:
ROM:80000000007000FC     mr      %r5, %r31
ROM:8000000000700100     oris    %r5, %r5, 0x70
ROM:8000000000700104     ori     %r5, %r5, 0x150
ROM:8000000000700108     lwz     %r3, 0(%r5)
ROM:800000000070010C     cmplwi  %r3, 0
ROM:8000000000700110     beq     0x700128
ROM:8000000000700114     lwz     %r4, 4(%r5)
ROM:8000000000700118     add     %r3, %r3, %r31
ROM:800000000070011C     stw     %r4, 0(%r3)
ROM:8000000000700120     addi    %r5, %r5, 8
ROM:8000000000700124     b       0x700108
ROM:8000000000700128     b       0x7006B0
Patch table:
Code:
ROM:8000000000700150     patch <0x490E0, 0xE8820F08>
ROM:8000000000700158     patch <0x490E4, 0xE87C0020>
ROM:8000000000700160     patch <0x490E8, 0xF8640000>
ROM:8000000000700168     patch <0x4F0A8, 0x48001A9D>
ROM:8000000000700170     patch <0x2AAFC8, 0x4BDA5B80>
ROM:8000000000700178     patch <0x4ED18, 0x38800000>
ROM:8000000000700180     patch <0x4ED1C, 0x90830000>
ROM:8000000000700188     patch <0x4ED20, 0x4E800020>
ROM:8000000000700190     patch <0x3BA890, 0x1000000>
ROM:8000000000700198     patch <0x505D0, 0x38600001>
ROM:80000000007001A0     patch <0x505D4, 0x4E800020>
Some of the patch values translate to PPC code:
Code:
0x490E0:  ld   %r4, 0xF08(%rtoc)
0x490E4:  ld   %r3, 0x20(%r28)
0x490E8:  std  %r3, 0(%r4)
0x4F0A8:  bl   0x1C08
0x2AAFC8: b    # 4B DA 5B 80
0x4ED18:  li   %r4, 0
0x4ED1C:  stw  %r4, 0(%r3)
0x4ED20:  blr
0x505D0:  li   %r3, 1
0x505D4:  blr
There are some more patch tables later in the payload. One of them contains "_tool2.xml#root", which will be written at offset 0x22B888 (probably ORed with 0x8000000000000000). Another one contains the same string, but the offset is 0xD68B8. It's hard to say what the other code does without a memory dump, so feel free to add more info to this article.
The new version adds two new syscalls, peek (6) and poke (7). It's done with four new entries in the patch table.
For peek syscall:
Code:
0x17CBC: E8 63 00 00    # ld %r3, 0(%r3)
0x17CC0: 4E 80 00 20    # blr
For poke syscall:
Code:
0x17CC8: F8 83 00 00    # std %r4, 0(%r3)
0x17CCC: 4E 80 00 20    # blr
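The article says only "some" patch values translate to PPC code and leaves the translation to the reader. The following is an added example, not code from the article or from the PSGroove project: it parses a patch table with the layout described above (4-byte offset, 4-byte value, big-endian, terminated by an offset of 0, each offset added to the lv2 base) and decodes the handful of PowerPC encodings the quoted values use (addi/li, b/bl, stw, ld/std, blr), reporting anything else as data. The sample table is constructed from the pairs quoted in the article plus the four peek/poke entries; the function names are my own, and the decoder only covers the encodings that actually appear here.

```python
# Added example: not code from the article or from the PSGroove project. Parses a
# patch table of the layout the article describes and decodes the few PowerPC
# encodings the quoted patch values use, so code and data entries can be told apart.
import struct

LV2_BASE = 0x8000000000000000        # the patch loop adds this to every offset

# Constructed sample table: the <offset, value> pairs quoted in the article, followed by
# the four peek/poke entries, serialised the way the loop reads them (lwz at +0 and +4).
SAMPLE_TABLE = b''.join(struct.pack('>II', off, val) for off, val in [
    (0x490E0, 0xE8820F08), (0x490E4, 0xE87C0020), (0x490E8, 0xF8640000),
    (0x4F0A8, 0x48001A9D), (0x2AAFC8, 0x4BDA5B80), (0x4ED18, 0x38800000),
    (0x4ED1C, 0x90830000), (0x4ED20, 0x4E800020), (0x3BA890, 0x01000000),
    (0x505D0, 0x38600001), (0x505D4, 0x4E800020),
    (0x17CBC, 0xE8630000), (0x17CC0, 0x4E800020),   # peek: ld %r3, 0(%r3); blr
    (0x17CC8, 0xF8830000), (0x17CCC, 0x4E800020),   # poke: std %r4, 0(%r3); blr
]) + struct.pack('>II', 0, 0)                        # terminator: offset 0


def parse_patch_table(blob):
    """Walk 8-byte entries until an offset of 0; return [(kernel address, value), ...]."""
    entries = []
    for pos in range(0, len(blob) - 7, 8):
        off, val = struct.unpack_from('>II', blob, pos)
        if off == 0:
            break
        entries.append((LV2_BASE + off, val))
    return entries


def _signed(value, bits):
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(word):
    """Decode the PowerPC encodings that occur in the table; anything else is reported as data."""
    opcd = word >> 26
    rt, ra = (word >> 21) & 0x1F, (word >> 16) & 0x1F
    if word == 0x4E800020:                          # bclr 20,0,0
        return 'blr'
    if opcd == 14:                                  # addi; rA = 0 is printed as li
        simm = _signed(word & 0xFFFF, 16)
        return f'li %r{rt}, {simm:#x}' if ra == 0 else f'addi %r{rt}, %r{ra}, {simm:#x}'
    if opcd == 18:                                  # b/bl: 26-bit signed offset, LK in bit 0
        offset = _signed(word & 0x03FFFFFC, 26)
        return f"{'bl' if word & 1 else 'b'} {offset:+#x}"
    if opcd == 36:                                  # stw rS, D(rA)
        return f'stw %r{rt}, {_signed(word & 0xFFFF, 16):#x}(%r{ra})'
    if opcd in (58, 62) and (word & 3) == 0:        # DS-form ld (58) / std (62)
        ds = _signed(word & 0xFFFC, 16)
        return f"{'ld' if opcd == 58 else 'std'} %r{rt}, {ds:#x}(%r{ra})"
    return f'.long {word:#010x}   # data, not an instruction'


def branch_target(address, word):
    """Absolute (base-relative) target of a relative b/bl patched in at `address`."""
    return address + _signed(word & 0x03FFFFFC, 26)


def disassemble_table(blob):
    return [(addr, val, decode(val)) for addr, val in parse_patch_table(blob)]


if __name__ == '__main__':
    for addr, val, text in disassemble_table(SAMPLE_TABLE):
        print(f'{addr:#018x}: {val:08x}  {text}')
```

Running it shows the 0x1000000 entry reported as data and everything else as code, and branch_target resolves the two relative branches to their base-relative destinations, which is the check you want before trusting a listing that was produced without a memory dump.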