  1. #1 RexVF5 (Registered User)

    Update: tifozi1 has made available an updated PSGroove v1.1 (LV2 Peek and Poke SysCalls) USBTinymkii patched hex code now, tidusnake666 has shared PSGroove 1.1 for ATAVRXPLAIN users, farenheit has posted a hex code for ATAVRUSBRF01 hardware and an LED Fix, and evilsperm has made available a PSGroove v1.1 All Pack too!

    Yesterday it was reported that a PSGroove update was incoming, and today it has arrived for PlayStation 3 users.

    The PSGroove payload has now been updated with patches to add lv2 peek and poke syscalls along with an analysis of the payload.

    This is great news indeed, as it will allow for proper memory dumps, which in turn will enable much wider inspection of the inner workings of the PS3.

    Download: PSGroove v1.1

    To quote from the notes: "A programmed dongle won't enumerate properly on a PC, so don't worry about that.

    This branch has a modified payload that adds peek and poke syscalls to the lv2 kernel. A userspace application can use these syscalls to dump out the entire memory space of the kernel, or patch the kernel as it is running.

    Unfortunately, because the free toolchain/sdk is not ready, we can't distribute an application to do the dumping, so you will have to make your own.

    The lv2 kernel starts at 0x8000000000000000

    Peek
    -Syscall 6.
    -r3 is a 64 bit address to read
    -A 64 bit value will be returned in r3

    Poke
    -Syscall 7.
    -r4 is a 64 bit value
    -r3 is the address to write that value to"

    PSJailbreak Exploit Payload Reverse Engineering (ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Payload_Reverse_Engineering)

    Analysis of the payload

    Part one

    When the first shellcode is done it jumps to offset 0x20 in the payload where part one of the payload gets executed.
    Code:
    ROM:00000020             part_one:                               # fixup r3 to hold current address
    ROM:00000020 38 63 F0 00                 addi    %r3, %r3, -0x1000
    ROM:00000024 38 A0 10 00                 li      %r5, 0x1000     # r5 = 0x1000
    ROM:00000028 38 80 00 01                 li      %r4, 1
    ROM:0000002C 78 84 F8 06                 rldicr  %r4, %r4, 63,0  # r4 = 0x8000 0000 0000 0000
    ROM:00000030 64 84 00 70                 oris    %r4, %r4, 0x70  # r4 = 0x8000 0000 0070 0000
    ROM:00000034
    ROM:00000034             copy_loop:                              # CODE XREF: ROM:00000044↓j
    ROM:00000034 38 A5 FF F8                 addi    %r5, %r5, -8    # r5 -= 0x8
    ROM:00000038 7C C3 28 2A                 ldx     %r6, %r3, %r5   # r6 = *(r3 + r5)
    ROM:0000003C 7C C4 29 2A                 stdx    %r6, %r4, %r5   # *(r4 + r5) = r6
    ROM:00000040 28 25 00 00                 cmpldi  %r5, 0          # if r5 == 0
    ROM:00000044 40 82 FF F0                 bne     copy_loop       # if not then jump to copy_loop
    ROM:00000048 38 84 00 80                 addi    %r4, %r4, 0x80  # r4 += 0x80
    ROM:0000004C 7C 89 03 A6                 mtctr   %r4             # jump to r4
    ROM:00000050 4E 80 04 20                 bctr
    This loop will copy the remaining part of the payload to 0x8000000000700000 and so it will find itself in a known location. Then it will jump to the beginning of it.

    Part two

    This is where things are a little bit unclear, because I have no memory dump. First it will load r3 with 0x8000000000050B3C, r4 with 0x80000000007001AC and r5 with 0x4FA and do a bl to 0x7C01C. Then it will load r3 with 0x8000000000050B5C and do a bl to 0xD22D8.
    Code:
    ROM:80000000007000A0                 li      %r31, 1
    ROM:80000000007000A4                 rldicr  %r31, %r31, 63,0
    ROM:80000000007000A8                 mr      %r3, %r31
    ROM:80000000007000AC                 oris    %r3, %r3, 5
    ROM:80000000007000B0                 ori     %r3, %r3, 0xB3C
    ROM:80000000007000B4                 mr      %r4, %r31
    ROM:80000000007000B8                 oris    %r4, %r4, 0x70
    ROM:80000000007000BC                 ori     %r4, %r4, 0x1AC
    ROM:80000000007000C0                 li      %r5, 0x4FA
    ROM:80000000007000C4                 bl      0x7C01C
    ROM:80000000007000C8                 mr      %r3, %r31
    ROM:80000000007000CC                 oris    %r3, %r3, 5
    ROM:80000000007000D0                 ori     %r3, %r3, 0xB3C
    ROM:80000000007000D4                 addi    %r3, %r3, 0x20
    ROM:80000000007000D8                 bl      0xD22D8
    ROM:80000000007000DC                 mr      %r3, %r31
    ROM:80000000007000E0                 oris    %r3, %r3, 5
    ROM:80000000007000E4                 ori     %r3, %r3, 0xB3C
    ROM:80000000007000E8                 mr      %r4, %r31
    ROM:80000000007000EC                 oris    %r4, %r4, 0x2E
    ROM:80000000007000F0                 ori     %r4, %r4, -0x4ED8
    ROM:80000000007000F4                 addi    %r3, %r3, 0x10
    ROM:80000000007000F8                 std     %r3, 0x120(%r4)
    Then it will load r5 with the beginning of a patch structure. A patch consists of a 4 byte offset and a 4 byte patch value. The loop will load the offset, add 0x8000000000000000 to it and write the patch value to this address. If the offset is 0 it will jump to 0x7006B0.
    Code:
    ROM:80000000007000FC                 mr      %r5, %r31
    ROM:8000000000700100                 oris    %r5, %r5, 0x70
    ROM:8000000000700104                 ori     %r5, %r5, 0x150
    ROM:8000000000700108                 lwz     %r3, 0(%r5)
    ROM:800000000070010C                 cmplwi  %r3, 0
    ROM:8000000000700110                 beq     0x700128
    ROM:8000000000700114                 lwz     %r4, 4(%r5)
    ROM:8000000000700118                 add     %r3, %r3, %r31
    ROM:800000000070011C                 stw     %r4, 0(%r3)
    ROM:8000000000700120                 addi    %r5, %r5, 8
    ROM:8000000000700124                 b       0x700108
    ROM:8000000000700128                 b       0x7006B0
    Patch table:
    Code:
    ROM:8000000000700150                 patch <0x490E0, 0xE8820F08>
    ROM:8000000000700158                 patch <0x490E4, 0xE87C0020>
    ROM:8000000000700160                 patch <0x490E8, 0xF8640000>
    ROM:8000000000700168                 patch <0x4F0A8, 0x48001A9D>
    ROM:8000000000700170                 patch <0x2AAFC8, 0x4BDA5B80>
    ROM:8000000000700178                 patch <0x4ED18, 0x38800000>
    ROM:8000000000700180                 patch <0x4ED1C, 0x90830000>
    ROM:8000000000700188                 patch <0x4ED20, 0x4E800020>
    ROM:8000000000700190                 patch <0x3BA890, 0x1000000>
    ROM:8000000000700198                 patch <0x505D0, 0x38600001>
    ROM:80000000007001A0                 patch <0x505D4, 0x4E800020>
    Some of the patch values translate to ppc code:
    Code:
    0x490E0:  ld %r4, 0xF08(%rtoc)
    0x490E4:  ld %r3, 0x20(%r28)
    0x490E8:  std %r3, 0(%r4)
    0x4F0A8:  bl 0x1C08
    0x2AAFC8: b # 4B DA 5B 80
    0x4ED18:  li %r4, 0
    0x4ED1C:  stw %r4, 0(%r3)
    0x4ED20:  blr
    0x505D0:  li %r3, 1
    0x505D4:  blr
    There are some more patch tables later in the payload. One of them contains "_tool2.xml#root", which will be written at offset 0x22B888 (probably ORed with 0x8000000000000000). Another one contains the same string but the offset is 0xD68B8. It's hard to say what the other code does without a memory dump, so feel free to add more info to this article.

    The new version adds two new syscalls, peek (6) and poke (7). It's done with four new entries in the patch table.

    For peek syscall:
    Code:
    0x17CBC: E8 63 00 00 # ld %r3, 0(%r3)
    0x17CC0: 4E 80 00 20 # blr
    For poke syscall:
    Code:
    0x17CC8: F8 83 00 00 # std %r4, 0(%r3)
    0x17CCC: 4E 80 00 20 # blr
    PSGroove Payload Updated with PS3 LV2 Peek and Poke SysCalls

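    As an added example (not PSGroove's or the wiki's code), the following Python walks a patch table in the <4 byte offset, 4 byte value> format described in the first post, stops at the zero offset exactly as the payload's loop does, and decodes the handful of PowerPC forms the post's patch values use, including the v1.1 peek and poke words. The sample table is constructed from the values quoted above; the branch-target arithmetic (patch offset plus the signed 26-bit LI field) is added here and is not taken from the wiki.

```python
# Added example (not PSGroove's own code): walk a PSGroove-style lv2 patch table
# (<u32 offset, u32 value> pairs, big-endian, zero offset terminates) and decode the words it writes.
import struct

LV2_BASE = 0x8000000000000000  # lv2 kernel base; the payload's loop adds it to each offset

def parse_patch_table(blob: bytes) -> list:
    """Return [(absolute lv2 address, 32-bit value)] up to the zero terminator."""
    patches = []
    for pos in range(0, len(blob) - 7, 8):
        off, val = struct.unpack_from(">II", blob, pos)
        if off == 0:                     # cmplwi r3,0 / beq in the payload
            break
        patches.append((LV2_BASE + off, val))
    return patches

def _sext(v: int, bits: int) -> int:  # sign-extend a bits-wide field
    return v - (1 << bits) if v & (1 << (bits - 1)) else v

def decode(word: int, addr: int = 0) -> str:
    """Decode the few PowerPC forms the patches use; addr resolves branch targets."""
    opcd, rt, ra = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    d = _sext(word & 0xFFFF, 16)
    if opcd == 14:                                 # addi, written li when ra == 0
        return f"li %r{rt}, {d:#x}" if ra == 0 else f"addi %r{rt}, %r{ra}, {d:#x}"
    if opcd in (32, 36):                           # lwz / stw (D-form)
        return f"{'lwz' if opcd == 32 else 'stw'} %r{rt}, {d:#x}(%r{ra})"
    if opcd in (58, 62) and (word & 3) == 0:       # ld / std (DS-form)
        return f"{'ld' if opcd == 58 else 'std'} %r{rt}, {_sext(word & 0xFFFC, 16):#x}(%r{ra})"
    if opcd == 18:                                 # b / bl (I-form, 26-bit LI)
        li = _sext(word & 0x03FFFFFC, 26)
        target = li if word & 2 else addr + li     # AA bit: absolute or relative
        return f"{'bl' if word & 1 else 'b'} {target:#x}"
    if opcd == 19 and ((word >> 1) & 0x3FF) == 16 and rt == 20:
        return "blr"                               # bclr with BO=20 (branch always)
    return f".long {word:#010x}"                   # not code, e.g. the 0x1000000 word

def listing(blob: bytes) -> list:
    """Disassemble every patch relative to its lv2 offset."""
    return [(a, decode(v, a - LV2_BASE)) for a, v in parse_patch_table(blob)]

# Constructed from the v1.0 table and the v1.1 peek/poke entries quoted in the post.
PATCH_TABLE = b"".join(struct.pack(">II", o, v) for o, v in [
    (0x490E0, 0xE8820F08), (0x490E4, 0xE87C0020), (0x490E8, 0xF8640000),
    (0x4F0A8, 0x48001A9D), (0x2AAFC8, 0x4BDA5B80), (0x4ED18, 0x38800000),
    (0x4ED1C, 0x90830000), (0x4ED20, 0x4E800020), (0x3BA890, 0x1000000),
    (0x505D0, 0x38600001), (0x505D4, 0x4E800020),
    (0x17CBC, 0xE8630000), (0x17CC0, 0x4E800020),  # peek: ld r3,0(r3); blr
    (0x17CC8, 0xF8830000), (0x17CCC, 0x4E800020),  # poke: std r4,0(r3); blr
    (0, 0)])                                       # zero offset ends the table
```

    `listing(PATCH_TABLE)` returns the decoded table; the two branch patches resolve to targets a few bytes from the 0x50B3C/0x50B5C addresses part two of the analysis loads.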

  2. #2 Mbb (Senior Member)

    Does this work with firmware 3.42?

    I guess not...

  3. #3 GohanX (Registered User)
    This is awesome news for PS3 homebrew devs. Before anyone asks, no, there's no reason to update right now if you're just using the exploit for a backup manager.

    And to the poster above me, no, it doesn't work with 3.42. The exploit hole was closed, so that specific exploit probably won't ever work again on PS3s at 3.42 or higher. This new payload does allow people to inspect the PS3's memory more closely, and there's a chance it could lead to other exploits, however.
    Last edited by GohanX; 09-07-2010 at 11:43 AM

  4. #4 peshkohacka (Banned User)
    To stop the gazillion questions to come: this update won't make 3.42 work with the dongle/phone/calculator; however, it allows the devs/researchers to write a program that can dump the memory from lvl2, which until now was a pain in the rear.

  5. #5 jokr2k10 (Registered User)
    This update is only good for developers, not "end users" or "every day users", so unless you program or are a developer, there's no real purpose in updating unless you just want to have the latest... but you know, once devs do figure out if they can exploit 3.42... we'll be seeing updates like the PSP... I don't even know what the PSP firmware is at right now... all I know is mine is 5.50 GEN-D3 and anything beyond that is worthless LOL... *crosses fingers for PSP Port soon!*

  6. #6 Darkar (Registered User)

    This is definitely good news.

  7. #7 chrykel (Contributor)
    Is there a PSGroove for the myTouch 3G Slide? It has Android OS... if there is, do I need to root my phone?

  8. #8 PS3 News (Forum Moderator)

    For anyone seeking it, I have added the PSGroove v1.1 (LV2 Peek and Poke SysCalls) USBTinymkii patched hex code to the first post courtesy of tifozi1.

  9. #9 philjay (Registered User)
    Hi, can anyone compile the hex to work with the Olimex AVR USB 162 (with the LED function enabled)? Thanks

  10. #10 BlankCD01 (Registered User)
    Can someone compile this for blackcat?
