  1. #1
    MimmoD360 (Contributor, Join Date: Mar 2010, Posts: 16)

    Zadow28 PS3 Exploit / Hacking Discussion Thread

    We will use this ongoing thread to discuss the recent zadow28 PS3 exploit / hacking developments.

    Below is some information from zadow28 posted by tthousand via psx-scene.com/forums/content/doors-2088/:

    Got this info in a PM: the *.a files from the SDK are actually packed ELF files. You can rename all *.a files from the SDK to .elf, and then run readelf on them. You would see where all the ELF files write. I have been looking at libsecure and found out where all the crypto is reading/writing.

    These are the ELFs that Sony uses to encrypt/decrypt all their elf/bin/sprx. If you look at libsecure there are 2 kinds of *.a file: normal, and one with _d at the end. I think one encrypts, one decrypts. So I tried it and it worked from libsecure:

    [Register or Login to view code]

    Well, if you look at the thread, the *.a files are archives with multiple ELFs within them. eussNL got this thread right; that's why he found an extractor for *.a files (thx euss). So libsecure.a has as many as 6 ELFs inside, and that's where the good stuff is.

    By the way, I also got this from (he knows himself); haven't checked that yet, but you could.. the *.a files turned out legit.

    My first attempt at trying to decrypt the lv0 was with something so simple I knew it wouldn't work. However, here is the output I received (metadataInfo):

    [Register or Login to view code]

    If you looked closely at the pasties you would find the TOC and OPD where it is written:

    [Register or Login to view links]
    [Register or Login to view links]

    The last pastie is the guard for the Cell; I figured that out after the info.

    [Register or Login to view links]

    The one for the Cell is SPU based and the one from libsecure is PPC based. Here is one more thing I found out some time ago:

    [Register or Login to view links]

    Load IDA Pro, then load any self/bin, then File -> Load -> PDB file, then getheader.pdb. Then the header would turn up in any encrypted files.. both SPU and PPC; you can try and see.

    Of the libsecure.a files, one is where all the encryption is written; libsecure_d.a is where all the decryption is written. Then there are 100 *.a files in the SDK with a lot of ELF files inside, all saying where everything is written, and the *.a files are used as the base for making all software for the PS3; that's why they can't change it.

    And if you read the libsecure readelf output you would notice that you can see where md5/sha215/aes/blowfish and a lot more is encrypted/decrypted.

    Update: Here are the library files from libsecure, extracted and put in the right folder.

    Download: [Register or Login to view links]

    Remember, one is for decrypting, the other for encrypting.

    [Register or Login to view code]

    These are relocatable files, PPC based.

    Regards

    And just by chance, PsDev tweeted (twitter.com/#!/RealPsDev/status/185503134498557952) this earlier today:

    [Register or Login to view code]

    Got that from a lv0 output.

    The offsets from the readelf of libsecure are actually quite useful to get extra info out. The offsets have found 2000 more functions in the lv1.elf from 3.56, since I think the private keys should be in that, if I am not wrong. Here are the strings after I used some of the offsets: lv1elfstrings.rar. Notice there is something about master access, read idps, etc. I can upload the disassembled file also.

    Here, if anyone wants to look at the decrypted file for IDA Pro: [Register or Login to view links]

    Also another theory from devilangelari:

    Consider the possibility that the "TB dongle updates" update only the game libraries (sprx) on the firmware or on the dongle (maybe it's a dev_flash mounted like dev_blind)?

    In the TB eboot you can see that it requests updated libraries, like in this case 3.60, but they can be masked to appear like 3.60 libraries if "TB modified the libraries":

    These "libraries" are needed to run games or new games; that's why TB updates them!

    That part is not encrypted, as you can see, but if you modify anything there in a self it will ruin the encryption as a whole (maybe after all it will not ruin anything).

    In the PS3 Dev wiki page you can see that TB eboots are FSELF (fake signed elf), but someone (I can't mention his name until he gives me the permission to do so, RESPECT!) mentioned that they are recognized as FSELF (no encrypted metadata in fself when you run readself on it) and are not true fselfs by nature.

    FSELF keys are given to game developers to not compromise their "true keys" when they are creating games on the debug stage (debug eboots).

    When you run readself on a TB eboot you see the "DevKit" SDK used (on which I have no info), but we could assume that the devkit (FSELF) keys are used:

    And the unself tools that are available don't decrypt TB eboots; even if with some eboots they give no errors, when you look at them in a hex editor you see they are encrypted, in which case people should look to create new unself tools.

    With the theories until now you need 3 things: decrypted eboots, updated libraries and the correct payload to patch lv2. Only the decrypted eboots will not suffice, because they request updated libraries to run new games.
    Attached Thumbnails: 346548461c.jpg, f41223ea3b.jpg

  2. #2
    Bartholomy (Senior Member, Join Date: Jan 2011, Posts: 836)
    Erm.. I suppose I have to write "cool", but I'll wait for a dev's post about it..

  3. #3
    Tidusnake666 (Senior Member, Join Date: Sep 2008, Posts: 802)
    zadow is a member here too. I had a discussion with him about decrypting eboots with ps3gen/ps3sys tools; he said that he's managed to crack Portal 2 for 3.55, but it won't run somehow.

    As for his libsecure stuff, most of it was also posted here; I don't remember where exactly.

    Overall, I'm sceptical about it, as I didn't manage to duplicate what he was doing.

  4. #4
    NTA (Senior Member, Join Date: Dec 2009, Posts: 726)
    Interesting. Hoping to see more about this in the future.

  5. #5
    zadow30 (Junior Member, Join Date: Sep 2010, Posts: 18)
    I would mention that I have nothing to do with the fake CFW. So here's some news for you.

    There have always been problems debugging SPU ELF files, since there are almost no debuggers known to do this, except a really slow terminal and anergistic, which is almost impossible to use.. and it's in the SPU files that the goodie stuff is.

    Normally, for example in IDA Pro, you could open SPU files, but not debug them, so almost useless.

    You have to find the software yourself, but this little command in Linux or Cygwin:

    appldr.elf (SPU FILE)

    [Register or Login to view code]

    isoldr.elf (SPU FILE)

    [Register or Login to view code]

    It turns the appldr into PPC instead of SPU.

    [Register or Login to view code]

    Now we can debug into memory, and find those hidden goodies.

    This is some of the strings from the RAM from isoldr.elf in memory:

    [Register or Login to view code]

    Normally it looks like this:

    [Register or Login to view code]

    This would help those that hunt for keys. Now let's dump some stuff.

    I have unselfed and signed the eboot from two TB games with 3.55 keys.

    Batman: Arkham City [Register or Login to view links]

    and Ace Combat Assault_Horizon [Register or Login to view links] ([Register or Login to view links])

    I was then able to sign with 3.55 keys. One fellow in IRC tried on Rebug, but it didn't run.

    So check and try them out. The eboot.bin unselfs without errors and the hex is readable..

    eboot Ace Combat Assault_Horizon with TB and with my signed 3.55:

    [Register or Login to view code]

    The eboot.elf inside:

    [Register or Login to view code]

    Here is the decrypted eboot for Batman, Ace Combat and Skyrim, and my key folder.

    [Register or Login to view links]

    The Skyrim one gives an error but still decrypts. Don't mind the 4.11 keys; those are from nodex and are not why I can decrypt. I also could before putting those in.

    From KaKaRoToKS (twitter.com/#!/KaKaRoToKS/status/190266134887546882): zadow28 a PDB for lv0? ida decrypting lv0? hexray on PPC code? spu stuff on lv0 which is PPC, not SPU... it smells fake 10000%

    From zadow28: So why don't they just run the command that I posted and see if the SPU turns into PPU files? Quite easy, since the command is there, idiots.

    [Register or Login to view links]

    [Register or Login to view links]

    One of the commands:

    [Register or Login to view code]

    And I'll have to make a video, I guess, of the SPU IDA files with code.

    As for the morons, including kakaroto, before accusing: well, I think I know why he didn't release any crap.

    Below are some keys from Icy and zadow28, which could be either for the TB EBOOTs or for decrypting the CFW.

    [Register or Login to view code]

    From Twitter: twitter.com/#!/zadow28/status/202836460418772992

    uuhhh, been having fun. First I converted the new TrueBlue payload 2.61 and ran it through a simulator.

    Then I faked the cobraupdate and found where the upgrade communicated with the dongle.

    I know that the converted payload can be debugged in IDA Pro (Motorola hc8112); maybe some expert has a pro simulator.

    Jesus, it's not SDK 3.85 but loader keys 3.85: [Register or Login to view links], and that's only one of many:

    [Register or Login to view code]

    Also from Zadow via: [Register or Login to view links]

    [Register or Login to view code]

    From Twitter: Funny no one noticed the OFW 4.11 patch update yet. [Register or Login to view links] More interesting, inside there is a file patchdata.pkg [Register or Login to view links]

    And don't install the ps3updatepatch.PUP; the interesting one is the PKG inside.

    "Don't install the patch PUP", but the pkg should hold the info of how the OFW is patched; that's the name, patchdata.pkg.

  6. #6
    PS3 News (Forum Moderator, Join Date: Apr 2005, Posts: 27,849)

    Below is another update from zadow (twitter.com/#!/zadow28) for those following:

    The lost files of dev_flash: One day I was looking at the dev_flash and I noticed a pattern where SCE would turn up regularly. So I had a hunch: I searched for all SCE in the hex, then extracted that hex and saved it to some self files, and that worked. So after investigating some more, I found that many of the files from the dev_flash aren't just ELF PPC or SPU files; e.g. the lv1.self consists of 6 files, both PPC and SPU.

    And the best thing: normally in IDA Pro, when you load a PPC file, some areas are still "encrypted". When extracted they come to their right meaning, and all code is shown. Now, the dev_flash files can contain self files; that's why I search for SCE. That's the top of the header. But they can also contain just ELF files. The easiest way to locate them is ELF, or search for the hex string:

    [Register or Login to view code]

    Here are some that I extracted so far. All the download links have a password = zadow.

    lv1.self from the debug CFW 3.56: [Register or Login to view links]

    It's like the lv1 is fully decrypted. Got stuff like eid data decrypt/encrypt, guest OS.

    trueblue on 3.55: [Register or Login to view links]

    BDDVD.SELF: 7 files: [Register or Login to view links]

    emulator_drm.sprx.elf: [Register or Login to view links]

    There are two files, one elf, one self. Also I think a new key on the self; you have to unself it yourself.

    PSemuCORE.sprx.elf: [Register or Login to view links]

    5 files, ELF, SPU and PPC ones.

    Vsh.elf: [Register or Login to view links]

    Two files, one SPU, one PPC. And it looks mighty interesting too. I especially like this one, since 100 people were looking for QA over at psx but nobody noticed. This one took a while; 45 files is the:

    ps3swu.self.elf: [Register or Login to view links]

    Almost gonna triple the dev_flash; no wonder they didn't decrypt everything in the files, when there are selfs inside ELFs and SPU inside PPU.
    Regards, and try to work together on this one.

    Here is the video of the basics, 5 minutes; the quality is better. Used TB lv1.elf. Also some VMware stuff there:

    Some more via Twitter:

    Did the no-no and bought a Cobra dongle. Well, I'm not planning on playing games; let's see how FM is writing to Cobra:

    Maybe I should make an exception and release the database I debugged. Well, hopefully the Cobra is out of the way.

    Mmh, stage two tomorrow; gonna try different debugging techniques and leave all the junk behind.

    Well, I would just follow that lead [Register or Login to view links]; gonna look more tomorrow.

    [Register or Login to view code]

    Little feeling of dex, forum ready. Have fun [Register or Login to view links]

    Been playing around, as I always do.

    It's been bugging me that there aren't any disassemblers that can view any code, only disassembly.

    And some interesting stuff came up.

    First you should build all the samples and projects in the SDK.

    You would need to do a batch build with both debug and release.

    After the build you would have a debug and a release folder.

    Now open up the tuner software from the SDK.

    Choose open static analyze.

    Now if you open any ELF from the build, and open them in the tuner, it looks like this after
    using a sample from the libsecure release build:
    Aes.obj
    Right click it, then it shows disassembly.

    Now this is okay, since you can get some info in the tuner about what the functions are for.

    But now comes the neat part: if you do the same with the debug build's
    Aes.obj

    and right click it,

    it shows all the source code instead:

    [Register or Login to view code]

    This works on all the debug object files in the debug build.

    Could be of use when looking at big builds,
    and when building your own.

    And one more thing: the tuner can take a lot of the extracted files that I posted,
    and show their build too.
    Also, some of the files, if you used dev_blind to copy the entire dev_flash/2/3 from the PS3:
    some of the ELF files there are debug ones, and the pic files are also shown, and how they're built there.
    And it also works if you take all the *.a files and extract them with 7zip; you have a lot of *.o files, and they work there also.

    So for example libguard.a extracted: there are a lot of *.o inside.
    Just one in the tuner with sources:

    [Register or Login to view code]

    And that ain't in the wiki.
    Attached Thumbnails: AVEGX.png
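Two claims in this thread can be checked with a few lines of code rather than by renaming files and eyeballing hex: post #1 says the SDK's *.a files are archives of ELF objects (PPC relocatables in libsecure), and post #6 says the dev_flash images hold further ELF and SELF images that can be located by searching for "SCE" or the ELF magic. The script below is an added example, not code from the thread, from zadow28 or from any of the tools mentioned. It walks the standard ar archive format (the format `.a` files use), decodes each member's ELF ident, e_type and e_machine, and separately lists the offsets of every ELF and SCE magic in a flat byte blob. It assumes that the "SCE" at the top of a SELF header is the four bytes `SCE\0`; EM_PPC (20), EM_PPC64 (21) and EM_SPU (23) are the standard ELF machine numbers. The archive and the "dump" it runs on are constructed inline, so it runs offline and contains no SDK or firmware bytes.

```python
"""Added example: list ELF members of an ar archive and locate ELF/SCE headers in a dump."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

AR_MAGIC = b"!<arch>\n"      # global header of an ar archive (what .a files are)
ELF_MAGIC = b"\x7fELF"
SCE_MAGIC = b"SCE\x00"       # assumed: the "SCE" at the top of a SELF header, as post #6 describes

E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {20: "EM_PPC", 21: "EM_PPC64", 23: "EM_SPU"}   # standard ELF e_machine values


@dataclass
class ElfInfo:
    bits: int        # 32 or 64 (EI_CLASS)
    endian: str      # "LE" or "BE" (EI_DATA)
    e_type: str
    e_machine: str


def parse_elf_header(data: bytes) -> Optional[ElfInfo]:
    """Decode e_ident, e_type and e_machine; None if data is not an ELF image."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    fmt = ("<" if ei_data == 1 else ">") + "HH"      # e_type, e_machine follow e_ident[16]
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return ElfInfo(32 if ei_class == 1 else 64,
                   "LE" if ei_data == 1 else "BE",
                   E_TYPE.get(e_type, f"0x{e_type:04x}"),
                   E_MACHINE.get(e_machine, f"0x{e_machine:04x}"))


def iter_ar_members(archive: bytes) -> Iterator[Tuple[str, bytes]]:
    """Walk the 60-byte member headers of an ar archive and yield (name, body)."""
    if not archive.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(archive):
        hdr = archive[off:off + 60]
        if hdr[58:60] != b"`\n":                      # ar_fmag sanity check
            raise ValueError(f"bad member header at offset {off}")
        name = hdr[:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii").strip())
        body = archive[off + 60:off + 60 + size]
        if name not in ("/", "//"):                   # skip GNU symbol and long-name tables
            yield name.rstrip("/"), body              # GNU ar terminates names with '/'
        off += 60 + size + (size & 1)                 # members are padded to an even offset


def classify_archive(archive: bytes) -> List[Tuple[str, Optional[ElfInfo]]]:
    """(member name, ElfInfo or None) for every member of the archive."""
    return [(name, parse_elf_header(body)) for name, body in iter_ar_members(archive)]


def carve_headers(blob: bytes) -> List[Tuple[int, str]]:
    """Offsets of every ELF and SCE magic in a flat dump, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for magic, label in ((ELF_MAGIC, "ELF"), (SCE_MAGIC, "SCE")):
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


# --- constructed sample data (not real SDK or firmware bytes) ---------------

def make_elf(bits: int, big_endian: bool, e_type: int, e_machine: int) -> bytes:
    """Minimal 64-byte ELF header: ident plus e_type/e_machine, rest zeroed."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\0" * 9
    return ident + struct.pack((">" if big_endian else "<") + "HH", e_type, e_machine) + b"\0" * 44


def make_ar(members: List[Tuple[str, bytes]]) -> bytes:
    """Build a GNU-style ar archive from (name, body) pairs."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        fields = f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}"
        out += fields.encode("ascii") + b"`\n" + body
        if len(body) & 1:
            out += b"\n"
    return bytes(out)


SAMPLE_ARCHIVE = make_ar([
    ("aes.o", make_elf(64, True, 1, 21)),    # big-endian PPC64 relocatable object
    ("ldr.o", make_elf(32, True, 2, 23)),    # big-endian SPU executable
    ("notes.txt", b"not an object"),         # non-ELF member
])

SAMPLE_DUMP = (b"\x00" * 8 + SCE_MAGIC + b"\x00" * 16
               + make_elf(64, True, 2, 21) + b"\xff" * 5 + make_elf(32, True, 2, 23))


if __name__ == "__main__":
    for name, info in classify_archive(SAMPLE_ARCHIVE):
        print(f"{name:12} {info if info else 'not ELF'}")
    for pos, label in carve_headers(SAMPLE_DUMP):
        print(f"{label} header at 0x{pos:x}")
```

On a real `.a` file, `classify_archive(open(path, "rb").read())` tells you in one pass whether the members are `ET_REL` objects and for which machine, which is what `readelf -h` on each extracted member would show; `carve_headers` on a flash image only reports where candidate headers start, so a hit still has to be validated by parsing the header at that offset (the `parse_elf_header` result, or a full SCE header parser, which this example does not include) before anything is cut out.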

© 2014 PlayStation 3 News