Quick PS3 CoreOS Image Tool Code Released by Naehrwert

[PS3 News]

As a follow-up to his PS3 SCETool v0.2.7 update, today PlayStation 3 homebrew developer Naehrwert has released the source code for a Quick PS3 CoreOS Image Tool via Twitter.

Files included below are the util.h, util.cpp, types.h and main.cpp released under the GPLv2.

Download: Quick PS3 CoreOS Image Tool Code / Quick PS3 CoreOS Image Tool (Compiled) / Quick PS3 CoreOS Image Tool Code (Mirror) / https://github.com/naehrwert

To quote: quick coreos image tool - http://pastie.org/4003488

Code:

## util.h
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/

#ifndef _UTIL_H_
#define _UTIL_H_

#include <stdio.h>

#include "types.h"

/*! Utility functions. */
u8 *_read_buffer(const s8 *file, u32 *length);
int _write_buffer(const s8 *file, u8 *buffer, u32 length);

#endif

Code:

## util.cpp
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/

#include <stdio.h>
#include <stdlib.h>

#include "types.h"
#include "util.h"

u8 *_read_buffer(const s8 *file, u32 *length)
{
	FILE *fp;
	u32 size;

	if((fp = fopen(file, "rb")) == NULL)
		return NULL;

	fseek(fp, 0, SEEK_END);
	size = ftell(fp);
	fseek(fp, 0, SEEK_SET);

	u8 *buffer = (u8 *)malloc(sizeof(u8) * size);
	fread(buffer, sizeof(u8), size, fp);

	if(length != NULL)
		*length = size;

	fclose(fp);

	return buffer;
}

int _write_buffer(const s8 *file, u8 *buffer, u32 length)
{
	FILE *fp;

	if((fp = fopen(file, "wb")) == NULL)
		return 0;

	/*while(length > 0)
	{
		u32 wrlen = 1024;
		if(length < 1024)
			wrlen = length;
		fwrite(buffer, sizeof(u8), wrlen, fp);
		length -= wrlen;
		buffer += 1024;
	}*/

	fwrite(buffer, sizeof(u8), length, fp);

	fclose(fp);

	return 1;
}

Code:

## types.h
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/

#ifndef _TYPES_H_
#define _TYPES_H_

typedef char s8;
typedef unsigned char u8;
typedef short s16;
typedef unsigned short u16;
typedef int s32;
typedef unsigned int u32;
#ifdef _WIN32
typedef __int64 s64;
typedef unsigned __int64 u64;
#else
typedef long long int s64;
typedef unsigned long long int u64;
#endif

#define BOOL int
#define TRUE 1
#define FALSE 0

//Align.
#define ALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

//Endian swap for u16.
#define _ES16(val) \
	((u16)(((((u16)val) & 0xff00) >> 8) | \
	       ((((u16)val) & 0x00ff) << 8)))

//Endian swap for u32.
#define _ES32(val) \
	((u32)(((((u32)val) & 0xff000000) >> 24) | \
	       ((((u32)val) & 0x00ff0000) >> 8 ) | \
	       ((((u32)val) & 0x0000ff00) << 8 ) | \
	       ((((u32)val) & 0x000000ff) << 24)))

//Endian swap for u64.
#define _ES64(val) \
	((u64)(((((u64)val) & 0xff00000000000000ull) >> 56) | \
	       ((((u64)val) & 0x00ff000000000000ull) >> 40) | \
	       ((((u64)val) & 0x0000ff0000000000ull) >> 24) | \
	       ((((u64)val) & 0x000000ff00000000ull) >> 8 ) | \
	       ((((u64)val) & 0x00000000ff000000ull) << 8 ) | \
	       ((((u64)val) & 0x0000000000ff0000ull) << 24) | \
	       ((((u64)val) & 0x000000000000ff00ull) << 40) | \
	       ((((u64)val) & 0x00000000000000ffull) << 56)))

#endif

Code:

## main.cpp
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "types.h"
#include "util.h"

/*! Header. */
typedef struct _cos_header
{
	/*! Version maybe. */
	u32 version;
	/*! Entry count. */
	u32 entcnt;
	/*! Image size. */
	u64 imgsize;
} cos_header_t;

static void _es_cos_header_t(cos_header_t *ch)
{
	ch->version = _ES32(ch->version);
	ch->entcnt = _ES32(ch->entcnt);
	ch->imgsize = _ES64(ch->imgsize);
}

static void _print_cos_header_t(FILE *fp, cos_header_t *ch)
{
	fprintf(fp, "CoreOS Header:\n");
	fprintf(fp, " Version     0x%08X\n", ch->version);
	fprintf(fp, " Entry Count 0x%08X\n", ch->entcnt);
	fprintf(fp, " Image Size  0x%016llX\n", ch->imgsize);
}

/*! Entry. */
typedef struct _cos_entry
{
	/*! Offset. */
	u64 offset;
	/*! Size. */
	u64 size;
	/*! Name (zero padded). */
	s8 name[0x20];
} cos_entry_t;

static void _es_cos_entry_t(cos_entry_t *ce)
{
	ce->offset = _ES64(ce->offset);
	ce->size = _ES64(ce->size);
}

static void _print_cos_entry_t(FILE *fp, cos_entry_t *ce, u32 idx)
{
	fprintf(fp, "CoreOS Entry %02d:\n", idx);
	fprintf(fp, " Offset 0x%016llX\n", ce->offset);
	fprintf(fp, " Size   0x%016llX\n", ce->size);
	fprintf(fp, " Name   %s\n", ce->name);
}

/*! Context. */
typedef struct _cos_ctxt
{
	/*! Buffer. */
	u8 *buffer;
	/*! Buffer length. */
	u32 length;
	/*! Pointer to header. */
	cos_header_t *header;
	/*! Pointer to entries. */
	cos_entry_t *entries;
} cos_ctxt_t;

cos_ctxt_t *cos_load(const s8 *file)
{
	u32 i;
	cos_ctxt_t *res;

	if((res = (cos_ctxt_t *)malloc(sizeof(cos_ctxt_t))) == NULL)
		return NULL;

	if((res->buffer = _read_buffer(file, &res->length)) == NULL)
	{
		free(res);
		return NULL;
	}

	//Fix header and entries.
	res->header = (cos_header_t *)res->buffer;
	res->entries = (cos_entry_t *)(res->buffer + sizeof(cos_header_t));

	_es_cos_header_t(res->header);
	for(i = 0; i < res->header->entcnt; i++)
		_es_cos_entry_t(&res->entries[i]);

	return res;
}

void cos_free(cos_ctxt_t *ctxt)
{
	free(ctxt->buffer);
	free(ctxt);
}

void cos_print(cos_ctxt_t *ctxt)
{
	u32 i;

	_print_cos_header_t(stdout, ctxt->header);
	for(i = 0; i < ctxt->header->entcnt; i++)
		_print_cos_entry_t(stdout, &ctxt->entries[i], i);
}

void cos_unpack(cos_ctxt_t *ctxt, const s8 *base_path)
{
	s8 path[256];
	u32 i;

	for(i = 0; i < ctxt->header->entcnt; i++)
	{
		sprintf(path, "%s/%s", base_path, ctxt->entries[i].name);
		_write_buffer(path, ctxt->buffer + ctxt->entries[i].offset, ctxt->entries[i].size);
	}
}

void _print_usage()
{
	printf("costool (c) 2012 by naehrwert\n");
	printf("Usage: costool [option] image\n");
	printf("Options:\n");
	printf(" -i ... Print infos.\n");
	printf(" -u ... Unpack.\n");
	exit(1);
}

int main(int argc, char **argv)
{
	cos_ctxt_t *ctxt;

	if(argc < 3)
		_print_usage();

	if(strcmp(argv[1], "-i") == 0) //Print infos.
	{
		ctxt = cos_load(argv[2]);
		cos_print(ctxt);
		cos_free(ctxt);
	}
	else if(strcmp(argv[1], "-u") == 0) //Unpack.
	{
		ctxt = cos_load(argv[2]);
		cos_unpack(ctxt, ".");
		cos_free(ctxt);
	}
	else
	{
		printf("Unknown option.\n");
		return 1;
	}

	return 0;
}

More PlayStation 3 News...

[LKJHGFDSA]

What's the purpose of this?

[kavechick1]

I wonder

[Ezio]

It's only the source code of an unpacker for coreos, so you need to compile it. Anyway, it's not big news since there is already a similar tool between fail0verflow tools.

[PS3 News]

Following up on his Quick PS3 CoreOS Image Tool code release and recent hints, today PlayStation 3 developer Naehrwert has made available PS3 Dump_Rootkey code and a brief guide below so users can dump their own PlayStation 3 root key without Linux.

Download: PS3 Dump_Rootkey Code / http://disk.karelia.pro/fast/7WzfCmJ/dump_rootkey%20modifie%20par%20Attila.zip (Modified and compiled by Attila for Windows using Cygwin - just provide the IP as parameter after dump_rootkey like this: dump_rootkey.exe 192.168.0.1) / PS3 Resigning Tools by Attila

Naehrwert has also confirmed that Asbestos PKG only works in 3.41. He has posted the AsbestOS and Source Code to change the offset for people to adapt it to other PS3 Firmware versions and tul compiled the ELF to an AsbestOS 3.55 PKG file.

Additionally, jrtux compiled the AsbestOS stage2 for 3.55 with the Toolchain as naehrwert commented on Twitter, stating: "this is the modified stage2 I'm using (I guess you can change the entry and compile this yourself)"

Build resulted in:

• stage2_raw.bin
• stage2_raw.elf
• stage2_raw.lzma

Shortly following, he also compiled the stage1 and stage2 from the original AsbestOS source and the Naehrwert AsbestOS Stage2 source resulting in:

• stage1.elf
• stage2_native.elf
• stage2_raw.elf
• stage2_raw.lzma

Danixleet has also compiled the PS3 Dump_Rootkey and notes use includes bat file to run the dump_key and just replace with your IP followed by another compilation that assumes the user has everything ready (3.41 lv2 peek/poke) then simply drop "metldr" from console into "data".

If not.. check your connection between PS3/router, make sure nothing is blocked or add the trusted IP's to dump_rootkey in firewall and ping must be allowed, each setup is diff.. if it fails check your firewall/router settings, it worked out of the box for me connected to the wired router.

From voldemar_u2: Upload release build, try this one:

• UP0001-ASBLDR000_00-0000111122223333.7z
• Dump_Rootkey.7z
• Repack PKG (Installs fine via PKG Toolkit GUI)

From the included ReadMe file, to quote: dump_rootkey - 2012 by naehrwert

How-to:

[1] Install asbestos_ldr.g.pkg on your PS3 (a firmware with lv2 peek/poke is required to run it).
[2] Compile the client (make sure PS3HOST in main.cpp points to your PS3).
[3] Make sure you got your metldr in './data' as 'metldr'.
[4] A prebuilt 'dumper' is included in './data' (dumper.elf and build.bat is
included too if you want to change parameters).
[5] Start asbestos_ldr on your PS3.
[6] Start the client on your PC.
[7] Unicorns!

Asbestos License
Copyright (C) 2010-2011 Hector Martin "marcan" hector AT marcansoft.com

From cory1492: OK, I had to repackage it a couple different ways but once I got it to install it worked great. The ps3 is a slim running 3.41 hermes cfw, when the app starts the PS3 black screened, I then ran the client after editing in my PS3's IP and copying a metldr extracted from my NOR dump over to the folder as instructed), compiled under cygwin using the supplied .sh script which is really just a gcc command (I added the ULL to those two vars to fix any problems that 'int is not a long' causes under windows) and got:

Code:

C:\cygwin\home\Cory\PS3test\dump_rootkey>dump_rootkey.exe
[INFO] Connecting to '192.168.2.110'...ok.
[INFO] Ping...ok.
[INFO] VAS ID = 0x000000000000000B
[INFO] map_lpar_memory_region(data): res = 0
[INFO] Copying files out...done.
[INFO] Constructing SPE...done. (res = 0)
[INFO] priv2   0x00004C00013E0000
[INFO] problem 0x00004C00013C0000
[INFO] LS      0x00004C0001380000
[INFO] shadow  0x0000300000028000
[INFO] ID      0x0000000000000002
[INFO] Setting up SPE...done.
[INFO] map_lpar_memory_region(shadow) : res = 0
[INFO] map_lpar_memory_region(problem) : res = 0
[INFO] map_lpar_memory_region(priv2) : res = 0
[INFO] map_lpar_memory_region(ls) : res = 0
[INFO] set_spe_privilege_state_area_1_register : res = 0
[INFO] Starting SPE in isolation mode...done.
[INFO] Interrupt status (2, application) = 0x0000000000000010
[INFO] -> SPU mailbox threshold interrupt
[INFO] Interrupt status (2, application) = 0x0000000000000011
[INFO] -> SPU mailbox threshold interrupt
[INFO] -> mailbox interrupt
[INFO] Mailbox value = 1
[INFO] -> Dumper loaded.
[INFO] Transferring eid_root_key to buffer...finished.
[INFO] Dumping eid_root_key...done.
[INFO] SPU status = 0x00000081
[INFO] Requesting SPE isolation exit and stop.
[INFO] Destructing SPE...done.
[INFO] Press any key to exit...

I reflashed from 4.11 dex back to hermes to test this easy way to get the RPC server going that doesn't involve installing asbestos and not only does the RPC server work a treat, I can also confirm this release dumped the same EID root key that I had obtained previously via a metldr dump.

I'm a happy camper now, with a RPC server I can just run like an app. Sure beats going back to those old graf dongle payloads thanks naehrwert or marcan, whoever made that pkg!

Tut: follow the info deank posted to use multiman to take a dump of your console flash, and use one of the existing tools to extract the crypted metdlr - that is all you need to do to get metldr for this.

• Create a dump of your NOR/NAND (use multiMAN to create a .NORBIN/.NANDBIN file - USB connected as /dev_usb000 required)
• To dump flash: mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)
• Transfer to your PC and unpack it with norunpack.exe or cex2dex to a folder and grab "metldr" from the "asecure_loader" folder
• Put "metldr" into the "metldrpwn" folder on your USB

From aldostools: To get the "metldr", just dump your flash with the latest build of multiMAN: mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)

Transfer the dumped file of the NOR or NAND flash (copied to the USB) to your PC, and use norunpack.exe:
norunpack.exe flash.BIN extract_folder. In the extract_folder you will find the "metldr" (59KB) inside the folder "asecure_loader".

An alternative method to extract "metldr" is using the CEX2DEX application by Gunner54. You first have to downgrade to 3.55 (DEX or CEX), to apply any flash patch using multiMAN.

Btw, this is the fix for line 243:

Code:

	
spu_slb_set_entry(&ctxt, priv2_addr, 0, 0x8000000018000000ULL, 0x0000800000001400ULL);

Tt was missing ULL and many (well mostly just windows/32bit ones really) compilers will treat it as a 32bit value instead of a 64bit value when you forget that.

From KitsunePaws: To get this to compile is VS 2010 alter the header of main.cpp

Code:

#define _ERROR(...) printf("[ERROR] " __VA_ARGS__)
#define _INFO(...) printf("[INFO] " __VA_ARGS__)
#pragma comment(lib, "ws2_32.lib")

Using Dump_Rootkey on Ubuntu 12.04 Guide by jrtux:

1- Extracting :

Code:

sudo apt-get install p7zip
p7zip -d dump_rootkey.7z

2- Edit PS3HOST in main.cpp with the IP of your ps3 :

Code:

cd dump_rootkey/

gedit main.cpp
edit :

Code:

#define PS3HOST "169.254.0.2" <- your PS3 ip

save

3- Compile :

Code:

sudo apt-get --reinstall install build-essential
chmod +x build.sh
sudo ./build.sh

4- Extract the metldr from your flash dump and copy your metldr in 'data' dir as 'metldr' : (Get your flash dump with mmOs or memdump_0.01-FINAL and extract METLDR with CEX2DEX Application)

5- Run :

Code:

./dump_rootkey

Enjoy!

From his Twitter (linked above) some recent related Tweets:

hint: pastie.org/4301209

Code:

[INFO] Connecting...ok.
[INFO] Ping...ok.
[INFO] VAS ID = 0x000000000000000b
[INFO] map_lpar_memory_region(data): res = 0
[INFO] Copying files out...done.
[INFO] Constructing SPE...done. (res = 0)
[INFO] priv2   0x00004c00016e0000
[INFO] problem 0x00004c00016c0000
[INFO] LS      0x00004c0001680000
[INFO] shadow  0x000030000002e000
[INFO] ID      0x0000000000000002
[INFO] Setting up SPE...done.
[INFO] map_lpar_memory_region(shadow) : res = 0
[INFO] map_lpar_memory_region(problem) : res = 0
[INFO] map_lpar_memory_region(priv2) : res = 0
[INFO] map_lpar_memory_region(ls) : res = 0
[INFO] set_spe_privilege_state_area_1_register: res = 0
[INFO] Starting SPE in isolation mode...done.
[INFO] Interrupt status (2, application) = 0000000000000010
[INFO] -> SPU mailbox threshold interrupt
[INFO] Interrupt status (2, application) = 0000000000000011
[INFO] -> SPU mailbox threshold interrupt
[INFO] -> mailbox interrupt
[INFO] Mailbox value = 1
[INFO] -> Dumper loaded.
[INFO] Transferring eid_root_key to buffer...finished.
[INFO] Dumping eid_root_key...done.
[INFO] SPU status = 0x00000081
[INFO] Destructing spe...done.
[INFO] Press any key to exit...

look ma, no linux

Thanks to mrlowalowa for the news tip!

From JayDee78: This is the MFW 3.41 PUP I myself used, with the patches added, use if you trust me.. Get OFW and do it yourself otherwise. Download Mirrors:

• http://www.multiupload.nl/8STDLOS3V4
• http://www.putlocker.com/file/FF3BA90203DC4798
• http://freakshare.com/files/bz4m49s4...x2dex.rar.html
• http://turbobit.net/5o8n0rnpjzzx.html
• http://www.filefactory.com/file/6j4d...dr_cex2dex.rar
• http://oron.com/8wg6sczi569c
• http://bayfiles.com/file/i0TB/9OVdY9...dr_cex2dex.rar

Finally, below is a brief guide on how to do it from him as follows:

On PC:

• Extract the dump_rootkey.7z (or the precompiled dump_rootkey modified by Attila) to c:
• Put the metldr in the c:\dump_rootkey\data folder (read below on how you get this file)

PS3:

• Get your flash dump with Memdump v0.01 Final, and extract the metldr with cex2dex etc, and put it in the data folder on the pc
• Install the asbestos_ldr.g.pkg from Naehrwert's original download (dump_rootkey.7z)
• As I was on 3.55 kmeaw and could downgrade I just got the 3.41 OFW and ran it through MFW Builder v0.2

The settings I used:

• Patch LV1 hypervisor
• Patch LV2 kernel
• Patch package installer
• Patch application launcher

Went into recovery on the ps3 and flashed the mfw 3.41

Started the asbestos loader after boot up and then started dump_rootkey on my pc with the right IP and as promised: UNICORNS!

Code:

[INFO] Connecting to '192.168.2.186'...ok.
[INFO] Ping...ok.
[INFO] VAS ID = 0x000000000000000B
[INFO] map_lpar_memory_region(data): res = 0
[INFO] Copying files out...done.
[INFO] Constructing SPE...done. (res = 0)
[INFO] priv2 0x00004C0001260000
[INFO] problem 0x00004C0001240000
[INFO] LS 0x00004C0001200000
[INFO] shadow 0x0000300000025000
[INFO] ID 0x0000000000000002
[INFO] Setting up SPE...done.
[INFO] map_lpar_memory_region(shadow) : res = 0
[INFO] map_lpar_memory_region(problem) : res = 0
[INFO] map_lpar_memory_region(priv2) : res = 0
[INFO] map_lpar_memory_region(ls) : res = 0
[INFO] set_spe_privilege_state_area_1_register : res = 0
[INFO] Starting SPE in isolation mode...done.
[INFO] Interrupt status (2, application) = 0x0000000000000011
[INFO] -> SPU mailbox threshold interrupt
[INFO] -> mailbox interrupt
[INFO] Mailbox value = 1
[INFO] -> Dumper loaded.
[INFO] Transferring eid_root_key to buffer...finished.
[INFO] Dumping eid_root_key...done.
[INFO] SPU status = 0x00000081
[INFO] Requesting SPE isolation exit and stop.
[INFO] Destructing SPE...done.
[INFO] Press any key to exit...

Hope this helps some of you (at least you that CAN downgrade). From IRC:

Code:

[naehrwert] reversing challenge: http://www.sendspace.com/file/asd7fp
[naehrwert] anyone who succeeds to unpack this, get's some unicorn rainbow poop!
[antikhris] unpack the elf?
[naehrwert] nah the hidden payload ;)
[sandungas] unicorns \o/
[antikhris] ah santa wont b much help then
[antikhris] whats it for anyway?
[sandungas] hidden where ? o0
[naehrwert] custom spu elf protector
[naehrwert] need to see if it's a good one or not haha

[kamel] naehrwert did anyone ever succesfully reverse your challenge?
[naehrwert] dunno, noone contacted me at least
[kamel] :/
[naehrwert] kamel need one protected with an updated version? :D
[kamel] ?
[naehrwert] challenge
[kamel] i have no idea how to reverse
[kamel]
[naehrwert] in case the first one was too easy
[naehrwert] objdump
[naehrwert] ida
[naehrwert] spud
[kamel] i dont even know what any of that is
[naehrwert] objdump is like the name tell an object dumper, thus it will print infos about the binary object and one use is to disassemble it
[naehrwert] ida is THE interactive disasm
[naehrwert] and spud is spu-decompiler (sort of)
[naehrwert] *tells
[kamel] oh
[naehrwert] the more people are willing to try reversing stuff the more progress

More PlayStation 3 News...

[niwakun]

abestos provided on this tool only works on 3.41 Hermes, so expect that it wont work above firmware requirements.

But hey, at least you're not going to install linux and demand for command for it. I just do hope that the abestos also works on 3.55 firmware.

[romantizma]

We need an easy method for CEX/DEX conversion on NOR consoles please..

[henno]

This one is not working for me. I have 3.55 CFW and built dump_rootkey.exe and started it while running the 3.41 version of the included tool on the ps3 - the 3.55 version will just exit when starting.

I get the Info "Connecting to 192.168.254.2 ..." when connecting to 192.168.0.2... i tried forcing 192.168.0.2 but it won't work.

What did i do wrong? Do i need AsbestOS running for that?

[Luckystar]

not working on 3.55 CFW

I need AsbestOS 3.55 PKG

[Tidusnake666]

naehrwert's asbestos loader is for 3.41 only, tul's 3.55 port doesn't work, voldemar_u2's asbestos is also for 3.41.

There's no point for me to downgrade to 3.41 to use it, it's simplier to install linux and wipe out data.