
  1. #1
    Contributor RexVF5's Avatar
    Join Date
    Dec 2007
    Posts
    185
    Update: tifozi1 has made available an updated PSGroove v1.1 (LV2 Peek and Poke SysCalls) USBTinymkii patched hex code now, tidusnake666 has shared PSGroove 1.1 for ATAVRXPLAIN users, farenheit has posted a hex code for ATAVRUSBRF01 hardware and an LED Fix, and evilsperm has made available a PSGroove v1.1 All Pack too!

    Yesterday it was reported that a PSGroove update was incoming, and today it has arrived for PlayStation 3 users.

    The PSGroove payload has now been updated with patches to add lv2 peek and poke syscalls along with an analysis of the payload.

    This is great news indeed, as it will allow for proper memory dumps, which in turn will enable much wider inspection of the inner workings of the PS3.

    Download: PSGroove v1.1

    To quote from the notes: "A programmed dongle won't enumerate properly on a PC, so don't worry about that.

    This branch has a modified payload that adds peek and poke syscalls to the lv2 kernel. A userspace application can use these syscalls to dump out the entire memory space of the kernel, or patch the kernel as it is running.

    Unfortunately, because the free toolchain/sdk is not ready, we can't distribute an application to do the dumping, so you will have to make your own.

    The lv2 kernel starts at 0x8000000000000000

    Peek
    - Syscall 6.
    - r3 is a 64 bit address to read
    - A 64 bit value will be returned in r3

    Poke
    - Syscall 7.
    - r4 is a 64 bit value
    - r3 is the address to write that value to"

    PSJailbreak Exploit Payload Reverse Engineering (ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Payload_Reverse_Engineering)

    Analysis of the payload

    Part one

    When the first shellcode is done it jumps to offset 0x20 in the payload where part one of the payload gets executed.


    This loop will copy the remaining part of the payload to 0x8000000000700000 and so it will find itself in a known location. Then it will jump to the beginning of it.

    Part two

    This is where things are a little bit unclear, because I have no memory dump. First it will load r3 with 0x8000000000050B3C, r4 with 0x80000000007001AC and r5 with 0x4FA and do a bl to 0x7C01C. Then it will load r3 with 0x8000000000050B5C and do a bl to 0xD22D8.


    Then it will load r5 with the beginning of a patch structure. A patch consists of a 4 byte offset and a 4 byte patch value. The loop will load the offset, add 0x8000000000000000 to it and write the patch value to this address. If the offset is 0 it will jump to 0x7006B0.


    Patch table:


    Some of the patch values translate to ppc code:


    There are some more patch tables later in the payload. One of them contains "_tool2.xml#root" which will be written at offset 0x22B888 (probably ORed with 0x8000000000000000). Another one contains the same string but the offset is 0xD68B8. It's hard to say what the other code does without a memory dump, so feel free to add more info to this article.

    The new version adds two new syscalls, peek (6) and poke (7). It's done with four new entries in the patch table.

    For peek syscall:


    For poke syscall:


    PSGroove Payload Updated with PS3 LV2 Peek and Poke SysCalls

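As an added illustration (not PSGroove's code and not the payload itself), here is a Python model of the interface the notes above describe: a simulated lv2 address space with syscall 6/7 (peek/poke) semantics, a parser for the 4-byte offset / 4-byte value patch table that ends at a zero offset, and the 8-bytes-per-call dumper a userspace tool would build on peek. The sample table is constructed, and the real PPC64 syscall wrappers the notes leave to the reader are assumed, not shown.

```python
import struct

LV2_BASE = 0x8000000000000000  # "The lv2 kernel starts at 0x8000000000000000"

class SimulatedLv2:
    """Stand-in for the lv2 address space reached via syscall 6 (peek) and 7 (poke); plain bytearray, no hardware."""
    def __init__(self, size):
        self.mem = bytearray(size)

    def offset_of(self, addr, width):
        # Reject anything outside the simulated window so a bad table fails loudly.
        if addr < LV2_BASE or addr - LV2_BASE + width > len(self.mem):
            raise ValueError(f"address {addr:#x} outside simulated lv2 range")
        return addr - LV2_BASE

    def peek(self, addr):
        """Syscall 6: r3 = 64-bit address; the 64-bit value comes back in r3."""
        off = self.offset_of(addr, 8)
        return struct.unpack(">Q", self.mem[off:off + 8])[0]

    def poke(self, addr, value):
        """Syscall 7: r3 = address, r4 = 64-bit value to write there."""
        off = self.offset_of(addr, 8)
        self.mem[off:off + 8] = struct.pack(">Q", value)

    def write32(self, addr, value):
        """The payload's own patch loop stores a 4-byte patch value, not 8."""
        off = self.offset_of(addr, 4)
        self.mem[off:off + 4] = struct.pack(">I", value)

def parse_patch_table(blob):
    """Walk 4-byte offset / 4-byte value pairs; a zero offset ends the table. Returns (LV2_BASE + offset, value) pairs."""
    patches = []
    for pos in range(0, len(blob) - 7, 8):
        offset, value = struct.unpack(">II", blob[pos:pos + 8])
        if offset == 0:
            return patches
        patches.append((LV2_BASE + offset, value))
    raise ValueError("patch table lacks the zero-offset terminator")

def apply_patches(kernel, patches):
    """Replay the table the way the payload's loop does: one 4-byte store per entry."""
    for addr, value in patches:
        kernel.write32(addr, value)

def dump_range(kernel, start, length):
    """Peek-based dumper: one 8-byte read per syscall, as a userspace tool would do."""
    return b"".join(struct.pack(">Q", kernel.peek(a)) for a in range(start, start + length, 8))

# Constructed sample table (not the payload's): two ppc words at 0x1000, then the zero terminator.
SAMPLE_TABLE = struct.pack(">IIIIII", 0x1000, 0x38600000, 0x1004, 0x4E800020, 0, 0)
```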

  2. #2
    Senior Member Mbb's Avatar
    Join Date
    Jan 2010
    Posts
    323
    Does this work with firmware 3.42?

    I guess not...

  3. #3
    Contributor GohanX's Avatar
    Join Date
    Apr 2005
    Posts
    18
    This is awesome news for ps3 homebrew devs. Before anyone asks, no there's no reason to update right now if you're just using the exploit for backup manager.

    And to the poster above me, no it doesn't work with 3.42. The exploit hole was closed so that specific exploit probably won't ever work again on PS3s at 3.42 or higher. This new payload does allow people to inspect the PS3's memory more closely and there's a chance it could lead to other exploits however.
    Last edited by GohanX; 09-07-2010 at 11:43 AM

  4. #4
    Banned User peshkohacka's Avatar
    Join Date
    Sep 2010
    Posts
    25
    To stop the gazillion questions to come: This update won't make the 3.42 work with the dongle/phone/calculator, however it allows the devs/researchers to write a program that can dump the memory from lvl2, which till now was a pain in the rear.

  5. #5
    Contributor jokr2k10's Avatar
    Join Date
    Sep 2010
    Posts
    55
    This update is only good for developers, not "end users" or "every day users", so unless you program or are a developer, no real purpose in updating unless you just want to have the latest... but you know, once devs do figure out if they can exploit 3.42... we'll be seeing updates like the PSP... I don't even know what the PSP firmware is at right now... all i know is mine is 5.50 GEN-D3 and anything beyond that is worthless LOL... *crosses fingers for PSP Port soon!*

  6. #6
    Contributor Darkar's Avatar
    Join Date
    Apr 2010
    Posts
    10

    This is definitely good news.

  7. #7
    Contributor chrykel's Avatar
    Join Date
    Jul 2008
    Posts
    88
    Is there a psgroove for mytouch 3g slide? It has android os... if there is do I need to root my phone?

  8. #8
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,106

    For anyone seeking it, I have added the PSGroove v1.1 (LV2 Peek and Poke SysCalls) USBTinymkii patched hex code to the first post courtesy of tifozi1.

  9. #9
    Contributor philjay's Avatar
    Join Date
    Jun 2005
    Posts
    15
    Hi, can anyone compile the hex to work with olimex avr usb 162 (with led function opened)? Thanx

  10. #10
    Contributor BlankCD01's Avatar
    Join Date
    Sep 2010
    Posts
    9
    Can someone compile this for blackcat?
