This weekend PlayStation 3 developer PsDev released a homebrew application called PS3 CFW Folder Checker, along with its source code.
Download:
PS3 CFW Folder Checker Homebrew App and Source Code
From the included ReadMe file: Just place the .exe file in your flash drive where you have your folders and CFW setup, run it, and it will tell you if there is a typo, if the folder name is correct and if the PUP name is correct, and if so it tells you you're ready to go.
Took me 5 min.
Follow me on twitter at RealPsDev
Source Code:
#include <Windows.h>
#include <cstdlib>
#include <iostream>
#include <string>
using namespace std;

/*******************************************************************************
* Check if a file or a folder exists
******************************************************************************/
bool Exists(const string& Path)
{
    // ANSI variant, so the std::string path works whether or not UNICODE is defined
    return GetFileAttributesA(Path.c_str()) != INVALID_FILE_ATTRIBUTES;
}

/*******************************************************************************
* Quit the application with a message
******************************************************************************/
void Quit(const string& Message)
{
    cout << Message << "\r\nPress any key to continue...";
    cin.get();
    exit(0);
}

/*******************************************************************************
* Entry Point
******************************************************************************/
int main(int argc, char* argv[])
{
    // - Show banner
    cout << "*****************************************************\r\n";
    cout << "**\r\n";
    cout << "** \tCFW Checker\r\n";
    cout << "**\tFollow me on twitter @ RealPsDev\r\n";
    cout << "**\tI was bored made in 5min\r\n";
    cout << "**\r\n";
    cout << "*****************************************************\r\n\r\n";

    // - Get CFW Path: the folder this .exe sits in (the root of the flash drive)
    char ExePath[MAX_PATH];
    DWORD Len = GetModuleFileNameA(NULL, ExePath, MAX_PATH);
    if (Len == 0 || Len >= MAX_PATH)
        Quit("Error: could not determine the executable's path\r\n");
    string SourcePath(ExePath, Len);
    size_t Slash = SourcePath.rfind('\\');
    if (Slash != string::npos)
        SourcePath.erase(Slash);

    // - Verify the CFW folder layout: <drive>\PS3\UPDATE\PS3UPDAT.PUP
    SourcePath += "\\PS3\\UPDATE\\PS3UPDAT.PUP";
    cout << "- Checking to see if the folders for CFW are correct" << endl;
    if (!Exists(SourcePath))
        Quit("Error: Folders are not correct (" + SourcePath + ")\r\n");
    Quit("\r\nYou are now ready to put the USB into the PS3!\r\n");
    return 0;
}
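The checker above only answers "exists or not". As an added example (my code, not part of PsDev's release), here is a portable version of the same check that walks the expected PS3\UPDATE\PS3UPDAT.PUP layout one component at a time, compares directory entries by exact name (so a wrong-case folder is flagged even on a filesystem where a plain exists() call would accept it), and reports a near-miss name as a typo rather than a bare "not found". The edit-distance threshold of 2 and the makeTestLayout helper, which builds a constructed layout under the system temp directory with a placeholder text file rather than real firmware, are my assumptions; it needs C++17 for std::filesystem.

```cpp
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

enum class Status { Ok, Missing, Typo, WrongType };

struct CheckResult {
    Status status;
    std::string message;
};

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Levenshtein distance, used to tell "PS3UPDATE.PUP" apart from a file that is simply absent.
static size_t editDistance(const std::string& a, const std::string& b) {
    std::vector<size_t> prev(b.size() + 1), cur(b.size() + 1);
    for (size_t j = 0; j <= b.size(); ++j) prev[j] = j;
    for (size_t i = 1; i <= a.size(); ++i) {
        cur[0] = i;
        for (size_t j = 1; j <= b.size(); ++j) {
            const size_t subst = prev[j - 1] + (a[i - 1] == b[j - 1] ? 0 : 1);
            cur[j] = std::min({prev[j] + 1, cur[j - 1] + 1, subst});
        }
        std::swap(prev, cur);
    }
    return prev[b.size()];
}

// Walk root/PS3/UPDATE/PS3UPDAT.PUP one component at a time. Directory entries are
// compared by exact name, so a wrong-case folder is reported as a typo even on a
// filesystem where exists() would silently accept it.
CheckResult checkCfwLayout(const fs::path& root) {
    static const char* const kExpected[] = {"PS3", "UPDATE", "PS3UPDAT.PUP"};
    std::error_code ec;
    if (!fs::is_directory(root, ec))
        return {Status::Missing, "root is not a directory: " + root.string()};
    fs::path cur = root;
    for (size_t i = 0; i < 3; ++i) {
        const std::string want = kExpected[i];
        const bool wantFile = (i == 2);
        bool found = false;
        std::string nearMiss;
        for (const fs::directory_entry& entry : fs::directory_iterator(cur, ec)) {
            const std::string name = entry.path().filename().string();
            if (name == want) { found = true; break; }
            if (nearMiss.empty() && editDistance(lower(name), lower(want)) <= 2) nearMiss = name;
        }
        if (!found) {
            if (!nearMiss.empty())
                return {Status::Typo, "in " + cur.string() + ": found '" + nearMiss + "', expected '" + want + "'"};
            return {Status::Missing, "in " + cur.string() + ": '" + want + "' not found"};
        }
        cur /= want;
        const bool rightKind = wantFile ? fs::is_regular_file(cur, ec) : fs::is_directory(cur, ec);
        if (!rightKind)
            return {Status::WrongType, cur.string() + (wantFile ? " is not a file" : " is not a folder")};
    }
    return {Status::Ok, "layout correct: " + cur.string()};
}

// Builds a constructed layout under the system temp directory for demonstration.
// The "PUP" written here is a placeholder text file, not real firmware.
fs::path makeTestLayout(const std::string& name, const std::vector<std::string>& dirs, const std::string& file) {
    std::error_code ec;
    const fs::path root = fs::temp_directory_path() / ("cfwcheck_" + name);
    fs::remove_all(root, ec);
    fs::path d = root;
    for (const std::string& x : dirs) d /= x;
    fs::create_directories(d, ec);
    if (!file.empty()) {
        std::ofstream f((d / file).string());
        f << "constructed placeholder, not a real PUP\n";
    }
    return root;
}

int main(int argc, char* argv[]) {
    // Check the directory given on the command line, or the current one (the drive root).
    const fs::path root = argc > 1 ? fs::path(argv[1]) : fs::current_path();
    const CheckResult r = checkCfwLayout(root);
    std::cout << (r.status == Status::Ok ? "OK: " : "FAIL: ") << r.message << '\n';
    return r.status == Status::Ok ? 0 : 1;
}
```

Run it from the drive root, or pass the drive as the first argument; the exit code is 0 only when the full layout is present, which makes it usable from a script as well as interactively.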
Finally, from PsDev on PS3 lv0: http://pastie.org/2967339
From PsDev: Nothing important, just some lv0 stuff /whistle
SELF header
elf #1 offset: 00000000_00000090
header len: 00000000_00000500
meta offset: 00000000_000001e0
phdr offset: 00000000_00000040
shdr offset: 00000000_000e7830
file size: 00000000_000e7640
auth id: 1ff00000_01000001 (Unknown)
vendor id: ff000000
info offset: 00000000_00000070
sinfo offset: 00000000_00000140
version offset: 00000000_00000180
control info: 00000000_00000190 (00000000_00000070 bytes)
app version: 4.0.0
SDK type: Retail (Type 0)
app type: level 0
Control info
control flags:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
file digest:
6e bc 16 e2 38 12 18 df d0 02 18 e1 66 2b fe 5b 65 50 f7 5a
Section header
offset size compressed unk1 unk2 encrypted
00000000_00010500 00000000_00000c70 [NO ] 00000000 00000000 [YES]
00000000_00020500 00000000_000c7380 [NO ] 00000000 00000000 [YES]
Encrypted Metadata
unable to decrypt metadata
ELF header
type: Executable file
machine: PowerPC64
version: 1
phdr offset: 00000000_00000040
shdr offset: 00000000_000e73c0
entry: 00000000_00000c60
flags: 00000000
header size: 00000040
program header size: 00000038
program headers: 2
section header size: 00000040
section headers: 10
section header string table index: 9
Program headers
type offset vaddr paddr
memsize filesize PPU SPE RSX align
LOAD 00000000_00010000 00000000_00000000 00000000_00000000
00000000_00000c70 00000000_00000c70 rwx --- --- 00000000_00010000
LOAD 00000000_00020000 00000000_08000000 00000000_08000000
00000000_000cc250 00000000_000c7380 rwx --- --- 00000000_00010000
Section headers
[Nr] Name Type Addr ES Flg Lk Inf Al
Off Size
[00] <no-name> NULL 00000000_00000000 00 00 000 00
00000000_00000000 00000000_00000000
[01] <no-name> PROGBITS 00000000_00000000 00 wae 00 000 08
00000000_00010000 00000000_00000c70
[02] <no-name> PROGBITS 00000000_08000000 00 wa 00 000 04
00000000_00020000 00000000_00017358
[03] <no-name> PROGBITS 00000000_08017360 00 a 00 000 16
00000000_00037360 00000000_0002c748
[04] <no-name> PROGBITS 00000000_08043ab0 00 ae 00 000 16
00000000_00063ab0 00000000_0007e5f8
[05] <no-name> PROGBITS 00000000_080c20b0 00 ae 00 000 08
00000000_000e20b0 00000000_00004200
[06] <no-name> PROGBITS 00000000_080c62b0 00 ae 00 000 08
00000000_000e62b0 00000000_00000080
[07] <no-name> PROGBITS 00000000_080c6330 00 ae 00 000 08
00000000_000e6330 00000000_00001050
[08] <no-name> NOBITS 00000000_080c7380 00 ae 00 000 128
00000000_000e7380 00000000_00004ed0
[09] <no-name> STRTAB 00000000_00000000 00 00 000 01
00000000_000e7380 00000000_0000003d
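The dump above is what a readself-style tool prints after walking the SCE container header, the SELF header and the app-info block. As an added example (my code, not from PsDev or any existing tool), the parser below reads those same fields from a byte buffer with every offset bounds-checked before use, so a truncated or deliberately malformed file yields a parse failure instead of an out-of-bounds read. The byte layout (a 0x20-byte big-endian SCE header, a 0x50-byte SELF header at 0x20, a 0x20-byte app-info block at the offset the SELF header names) is assumed from the publicly documented SCE/SELF structures, the header-type and self-type encodings are assumed, and buildSampleHeader constructs a header-only buffer carrying the offsets shown in the dump rather than any real firmware bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Read an n-byte big-endian unsigned integer at `off`, refusing any read that would
// leave the buffer (overflow-safe: n is compared against the space that is left).
static bool readBE(const std::vector<uint8_t>& b, size_t off, size_t n, uint64_t& out) {
    if (n == 0 || n > 8 || off > b.size() || n > b.size() - off) return false;
    out = 0;
    for (size_t i = 0; i < n; ++i) out = (out << 8) | b[off + i];
    return true;
}

static void writeBE(std::vector<uint8_t>& b, size_t off, size_t n, uint64_t v) {
    for (size_t i = 0; i < n; ++i) b[off + i] = static_cast<uint8_t>(v >> (8 * (n - 1 - i)));
}

// Fields of the SCE header, the SELF header and the app-info block; the names
// follow the readself dump above.
struct SelfHeader {
    uint32_t version = 0; uint16_t keyRevision = 0; uint16_t headerType = 0;
    uint32_t metaOffset = 0; uint64_t headerLen = 0, elfFileSize = 0;
    uint64_t appInfoOffset = 0, elfOffset = 0, phdrOffset = 0, shdrOffset = 0;
    uint64_t sectionInfoOffset = 0, versionOffset = 0, controlInfoOffset = 0, controlInfoSize = 0;
    uint64_t authId = 0; uint32_t vendorId = 0, selfType = 0; uint64_t rawAppVersion = 0;
};

// Assumed layout: 0x20-byte SCE header, 0x50-byte SELF header at 0x20, 0x20-byte
// app-info block at appInfoOffset. Every offset is validated before it is dereferenced.
std::optional<SelfHeader> parseSelfHeader(const std::vector<uint8_t>& b) {
    static const struct { size_t off, len; } layout[] = {
        {0x00, 4}, {0x04, 4}, {0x08, 2}, {0x0a, 2}, {0x0c, 4}, {0x10, 8}, {0x18, 8},   // SCE header
        {0x20, 8}, {0x28, 8}, {0x30, 8}, {0x38, 8}, {0x40, 8}, {0x48, 8},             // SELF header
        {0x50, 8}, {0x58, 8}, {0x60, 8},
    };
    uint64_t f[16];
    for (size_t i = 0; i < 16; ++i)
        if (!readBE(b, layout[i].off, layout[i].len, f[i])) return std::nullopt;   // truncated header
    if (f[0] != 0x53434500u) return std::nullopt;   // magic "SCE\0"
    if (f[3] != 1) return std::nullopt;             // SCE header type 1 = SELF (assumed encoding)

    SelfHeader h;
    h.version = uint32_t(f[1]); h.keyRevision = uint16_t(f[2]); h.headerType = uint16_t(f[3]);
    h.metaOffset = uint32_t(f[4]); h.headerLen = f[5]; h.elfFileSize = f[6];
    // f[7] is the SELF header's own type word; f[8..15] are the offsets and the control-info size
    h.appInfoOffset = f[8]; h.elfOffset = f[9]; h.phdrOffset = f[10]; h.shdrOffset = f[11];
    h.sectionInfoOffset = f[12]; h.versionOffset = f[13]; h.controlInfoOffset = f[14]; h.controlInfoSize = f[15];

    // The header region must be present in the buffer, and every in-header offset must land inside it.
    if (h.headerLen < 0x70 || h.headerLen > b.size()) return std::nullopt;
    for (uint64_t off : {h.appInfoOffset, h.elfOffset, h.sectionInfoOffset, h.versionOffset, h.controlInfoOffset})
        if (off >= h.headerLen) return std::nullopt;
    if (h.controlInfoSize > h.headerLen - h.controlInfoOffset) return std::nullopt;  // overflow-safe bound
    if (h.appInfoOffset > h.headerLen - 0x20) return std::nullopt;                   // app-info block must fit

    const size_t a = static_cast<size_t>(h.appInfoOffset);
    uint64_t v;
    if (!readBE(b, a + 0x00, 8, v)) return std::nullopt; h.authId = v;
    if (!readBE(b, a + 0x08, 4, v)) return std::nullopt; h.vendorId = uint32_t(v);
    if (!readBE(b, a + 0x0c, 4, v)) return std::nullopt; h.selfType = uint32_t(v);
    if (!readBE(b, a + 0x10, 8, v)) return std::nullopt; h.rawAppVersion = v;
    return h;
}

// Constructed sample: a header-only buffer carrying the offsets from the dump above.
std::vector<uint8_t> buildSampleHeader() {
    std::vector<uint8_t> b(0x500, 0);
    writeBE(b, 0x00, 4, 0x53434500u); writeBE(b, 0x04, 4, 2); writeBE(b, 0x08, 2, 0); writeBE(b, 0x0a, 2, 1);
    writeBE(b, 0x0c, 4, 0x1e0); writeBE(b, 0x10, 8, 0x500); writeBE(b, 0x18, 8, 0xe7640);
    const uint64_t self[] = {3, 0x70, 0x90, 0x40, 0xe7830, 0x140, 0x180, 0x190, 0x70};
    for (size_t i = 0; i < 9; ++i) writeBE(b, 0x20 + 8 * i, 8, self[i]);
    writeBE(b, 0x70, 8, 0x1ff0000001000001ull); writeBE(b, 0x78, 4, 0xff000000u);
    writeBE(b, 0x7c, 4, 1); writeBE(b, 0x80, 8, 0x0004000000000000ull);  // type and version encodings assumed
    return b;
}
```

The point of the bound checks is that offsets inside a file are attacker-controlled input to whatever tool opens it: a control-info size of 0xffffffffffffffff or an app-info offset near the end of the header is rejected by the size-minus-offset comparisons rather than wrapping around.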
Download: http://www.mediafire.com/?ct93xuobw87zfnz
Below are the changes, to quote:
Changes
GUI has been changed a lot:
added some cleaner selection of tools
not as many screens
faster
less memory
Bug Fixes
Only one, but it was a big one: fixed the bug that would duplicate the process and not allow you to delete, move or do anything to the program.
That system uses two appldr processes: the 3.55 one, which installs the homebrew, and the appldr from the Sony OFW, which starts 4.00 games.
It is a CFW obtained by combining the various SELFs of the core_os (4.00 and 3.55), but with a bit of reprogramming so that it uses two processes, depending on the function.
Download: http://www.mediafire.com/?5kpbnpb4bujs3rz
To quote: Features:
Can unpack any PS3 firmware up to date. Gets really fast after the first or second use.
A console is built into the program showing you the exact log a cmd would.
Can decrypt PS3/PSP retail PKG files (signed by Sony, installable via OFW).
Can readself Appldr, lv0, lv1ldr, lv2ldr, isoldr, EBOOT.BIN, or if any of the things you want to read are not listed on a button you can run a custom command to do it; for example, for aim_spu_module.self just type that in where it says input and it will read it. So any file that is possible to use via readself can be done in a fast manner, 1-2 sec.
A full featured .Conf editor: view .Conf files, edit them, then hit the save button when finished.
An awesome Core_os_package tool that can decrypt, extract and encrypt the Core_os_package.pkg, all in about 1-2 sec.
Sign pkg for 3.55 or 3.41.
UnSELF a file.
Build a SELF from a file.
Whenever a tar file is modified, its permissions need to be set; this tool can do that for you. It fixes the tar file for the following FW: retail FW up to 3.72, debug FW up to 3.72, and retail and debug FW 4.0.
Usage:
Let's use an example: if you want to unpack a PS3 update, just get the PS3UPDAT.PUP (don't change the name of any file in PS3 FW; keep the original), put it in the tool folder, run my program, click unpack and it will unpack it.
So, like, if you want to fix a tar, make sure update_files.tar keeps the same name and put it in the main folder where the program is located. Same for any file: keep the original name. So it's pretty simple; just drag in the file that you want the tool to do something with and keep the original name.
Here is a video I made (I am pretty bad at videos) to help; it's a tutorial that covers everything. If someone else could make a better one, that would be awesome.
Notes: PS3Tools GUI Edition will create two new files for the Core_os_package: "decrypted_core_os" and "CORE_OS_PACKAGE_ENCRYPTED.pkg". Don't change the name of the decrypted one or else you won't be able to encrypt it.
BETA Tester Thoughts: Tested by jhax78
All those command line tools that take loads of time, and sometimes commands that you need to understand, will be replaced by this 1-click tool; even a trained monkey could extract, repack and sign with this now. It's taking literally 3 seconds to extract a PUP, resign, or whatever you need to do.
I'm no dev but I like to poke around in stuff, and I think more people think like this; with this tool all that is just peanuts now.
OK, so let's get right to it. This is a theory, nothing more.
There has been information available for quite some time, and I took it, thought about it, researched and experimented, and I came out with my theory below to exploit 4.00 part of the way. This is not a random theory either; this is logical stuff and true facts. I'm providing this info for other devs to look at, and let's see if this can work. I don't keep my work to myself; I like to share and give other people chances at discovering stuff. It always makes me happy when someone finds something out using my work; it just tells me I did a good job in describing and helping, and they did a good job in listening and learning the material in order to trigger the exploit or whatever it might be.
So the lv2ldr verifies and decrypts lv2_kernel.self. We can get the address of this happening. Inside Parameters Layout there are arguments; they are used as commands, basically, to load a function you want to use. They start in the lv2 @ 0x3E800 (seems to be the same for other ldrs), that address. There is an argument called lv2_in and lv2_out (we have known about these); basically we can use lv2_in to map out the address and lv2_out to map out the address for where the lv2ldr decrypts the self file.
We can make a program like readself, basically, and get the offset; u8* means read one byte from the address. Use that and we can actually get the exact offset where it all happens. Once we have the location, grabbing this decrypted self should be the easy task. Like I said, some info we had and some we did not know about can be obtained like this and used to get keys.
Exploiting 4.00 with this method would most likely work, because I doubt Sony changed all the locations where the loaders do their thing; sure, they're encapsulated in the bootloader, but they still pass over into the RAM at one point before being fed over to the metldr, which loads the ldrs, and if all that is still happening then Sony didn't change anything... somewhere along these lines:
[code]
void *buf; //