Following up on his PS3Tools GUI Edition v3.1 release, PlayStation 3 homebrew developer PsDev has today updated the homebrew application to version 3.2, which adds a PS3 EBOOT re-signer; version 3.3, and then v3.5 / v3.6 / v3.7 by Ac1DMoDz, followed, as detailed below.
To quote: It's about time for another update to my program. This time around I added a scetool section. It has 3 new options, with one favorite thanks to andreus for a script that I use. I also updated the SFO Reader tool and fixed some bugs. See the official changelog below.
PS3Tools GUI Edition v3.2 Changes:
Added scetool section
Show current keylist
Decrypt EBOOT.BIN up to 3.60
Decrypt and resign EBOOT.BIN automatically
Fixed SFOREADER bug
Whenever you get an output it auto-copies to the clipboard
Minor bug fixes throughout the program to make it run a little more fluently.
Just to elaborate a little on the auto EBOOT.BIN re-signer: put the 3.60 EBOOT.BIN in the root of the folder and run the tool; it will decrypt it and re-sign it for use on lower firmware.
Note: Dropping an SPRX file and clicking decrypt will not decrypt it, nor error out, but will report success and magically delete the SPRX file from the folder it was in.
Soon after the 3.2 release, he released 3.3 (via psx-scene.com/forums/content/releases-2479/), but says it will be his final update, and that the source code will also be released in the near future. To quote:
It has been fun making this program; it has gone through 12 awesome updates. I'm sad to stop working on it, but I'm happy to see what you guys can continue to make it into. I will release the source code, but not today.
Let's leave that for another time and focus on this release. This is also the most stable version: all features have been tested not only by me but by other people too (Dcnigma, Industerialcode), and all features work properly.
v3.3 Final Changes:
SCETool v0.28 added
New keys added to keyset
New script for EBOOT resigning
New file system layout
Removed do it button
Now every time you select an option from one of the drop-down menus it runs that option right away
Removed SELF tool
Every option has its own message box on completion of the operation
There is a new way that the file system works. There is an individual folder for each of the tools (PUP Tools, scetool, Core_os Tool etc.), and when you want to use a tool just place the file in the correct folder and use the GUI. This system is cleaner and means I don't need as much code.
There is a script in the scetool folder called fix. This script can be edited to your needs for the EBOOT resigning. I did this so that if you want to sign for 3.41 etc., or change compression or anything, you just edit the script and run the GUI; no need for a new update, much more efficient.
REM Read the ContentID line from the original EBOOT.BIN so it can be reused when re-signing.
FOR /F "tokens=1,2 delims= " %%A IN ('scetool.exe -i EBOOT.BIN') DO (
    if [%%A]==[ContentID] set CID=%%B
)
REM Decrypt the 3.60 EBOOT.BIN to a plain ELF and keep the original under a new name.
scetool.exe --decrypt EBOOT.BIN EBOOT.ELF
rename EBOOT.BIN ORIGINAL_EBOOT.BIN > NUL
REM Re-encrypt and sign the ELF as a 3.55 NPDRM SELF (edit --self-fw-version or --compress-data here).
scetool.exe --sce-type=SELF --compress-data=FALSE --skip-sections=TRUE --key-revision=0A --self-auth-id=1010000001000003 --self-add-shdrs=TRUE --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003005500000000 --np-license-type=FREE --np-content-id=%CID% --np-app-type=EXEC --np-real-fname=EBOOT.BIN --encrypt EBOOT.ELF EBOOT.BIN
del /Q EBOOT.ELF > NUL
REM Print the header of the new EBOOT.BIN to confirm the result.
scetool -i EBOOT.BIN
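To see what those scetool switches actually end up in the file as, here is an added example (mine, not PsDev's tool or scetool's own code) that parses the SCE header, SELF header and app-info block of a SELF image, assuming the field layout from scetool's sce.h; the sample image is constructed in memory from the values in the fix script above.

```python
import struct

# Field layout of the SCE header, SELF header and app-info block, as in scetool's
# sce.h; every field is big-endian. (Added example, not code from PS3Tools.)
SCE_MAGIC = b"SCE\x00"
SELF_TYPES = {1: "lv0", 2: "lv1", 3: "lv2", 4: "app", 5: "isoldr", 6: "ldr", 8: "NPDRM"}


def fw_version_str(version):
    """Render the app-info version word: 0x0003005500000000 -> '3.55'.
    The hex digits are read as decimal digits, as readself/scetool print them."""
    return "%x.%02x" % (version >> 48, (version >> 32) & 0xFFFF)


def parse_self_header(blob):
    """Parse the SCE header (32 bytes), SELF header (80 bytes) and the app-info
    block the SELF header points to; returns the fields the fix script sets."""
    magic, _ver, key_rev, hdr_type, _meta, hdr_len, data_len = struct.unpack(
        ">4sIHHIQQ", blob[:32])
    if magic != SCE_MAGIC:
        raise ValueError("not an SCE container")
    if hdr_type != 1:  # 1 = SELF, 2 = RVK, 3 = PKG, 4 = SPP
        raise ValueError("SCE header type %d is not a SELF" % hdr_type)
    app_info_off = struct.unpack(">10Q", blob[32:112])[1]
    auth_id, vendor_id, self_type, version = struct.unpack(
        ">QIIQ", blob[app_info_off:app_info_off + 24])
    return {
        "key_revision": key_rev,
        "header_len": hdr_len,
        "data_len": data_len,
        "auth_id": auth_id,
        "vendor_id": vendor_id,
        "self_type": SELF_TYPES.get(self_type, "unknown(%d)" % self_type),
        "fw_version": fw_version_str(version),
    }


def build_sample_self():
    """Constructed sample: a header-only SELF carrying exactly the values that the
    fix script passes to scetool (key revision 0A, NPDRM, FW 3.55)."""
    app_info = struct.pack(">QIIQQ", 0x1010000001000003, 0x01000002, 8,
                           0x0003005500000000, 0)
    self_hdr = struct.pack(">10Q", 3, 112, 0, 0, 0, 0, 0, 0, 0, 0)  # app info at 0x70
    hdr_len = 32 + len(self_hdr) + len(app_info)
    sce_hdr = struct.pack(">4sIHHIQQ", SCE_MAGIC, 2, 0x0A, 1, hdr_len, hdr_len, 0)
    return sce_hdr + self_hdr + app_info


if __name__ == "__main__":
    for name, value in parse_self_header(build_sample_self()).items():
        print("%-12s %s" % (name, hex(value) if isinstance(value, int) else value))
```

Pointing parse_self_header at the bytes of a real EBOOT.BIN before and after running the fix script shows the key revision, SELF type and firmware version changing to the values the script requests.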
There is no more "Do It" button; since I changed the way the files are modified, I thought I would just make every option a button itself, so when you click the option you like from the drop-down menu it will do the operation. Note: after clicking it may take a second for the operation to start, so be patient.
About PS3Tools GUI Edition v3.5 Ac1DMoDz Version, to quote (via psx-scene.com/forums/content/exclusive-2499/):
PS3Tools 3.5 GUI Edition is finally here! Ac1DMoDz has released a new sleek version of PS3Tools GUI Edition. This update includes a new layout and design. He plans on adding more tools and a theme in version 3.6.
Thanks to PsDev, Snowydew, Geohot, Fail0verFlow and everyone else who made this possible.
How to use:
Put the PS3UPDAT file into the PUP Tools folder and select PUP unpack in the GUI; the same goes for all the other files.
PS3Tools 3.6 GUI Edition: Some improvements were to add an SFO Editor under the SFO Tools category. I also added a Package Viewer to the tools, along with a new category named Package Tools. The Core_os HexDump was removed because this feature was disabled in version 3.3 anyway, and along with all of those improvements I added a very nice looking theme!
PS3Tools 3.7 GUI Edition Changelog:
PS3 HDD Studio Added!
Added HDD Section (I plan on adding more tools to this once Naehrwert releases his HDD Decryption tools?)
Updated the SCETool
The appldr from firmware 3.60+ has been encapsulated in lv0, so we must first access lv0 (not yet decrypted). In firmware 3.60- (below 3.60), by contrast, appldr is independent of the other processes. If you change the system so that the package installer installs games using the appldr of firmware 3.55 (whose keys we know), then a backup manager, which mounts the boot path of the games, can then use the appldr of firmware 4.00.
That system uses 2 appldr processes: the 3.55 one, which installs the homebrew, and the appldr (that of the Sony OFW) which starts the 4.00 game.
A CFW obtained by mixing the various SELFs of the core_os (4.00 and 3.55), but with a bit of reprogramming so that it uses two processes, depending on the function.
Can unpack any "PS3" Firmware up to date. Gets really fast after first or second use.
A console is built into the program showing you the exact log a cmd would.
Can Decrypt PS3/PSP retail PKG files (Signed by sony installable via OFW).
Can readself Appldr, lv0, lv1ldr, lv2ldr, isoldr, EBOOT.BIN, or, if any of the things you want to read are not listed on a button, you can run a custom command to do it; for example, for aim_spu_module.self just type that in where it says input and it will read it. So any file that can be used with readself can be done in a fast manner, 1-2 sec.
A full-featured .Conf editor: view .Conf files, edit them, then hit the save button when finished.
An awesome Core_os_package tool that can decrypt, extract and encrypt the Core_os_package.pkg, all in about 1-2 sec.
Sign pkg for 3.55 or 3.41
UnSELF a file.
Build a SELF file.
Whenever a tar file is modified, its permissions need to be set; this tool can do that for you. Fix the tar file for the following FW: retail FW up to 3.72, debug FW up to 3.72, and retail and debug FW 4.0.
Let's use an example: if you want to unpack a PS3 update just get the PS3UPDAT.PUP (don't change the name of any file in the PS3 FW; keep the original), put it in the tool folder, run my program, click unpack and it will unpack it.
So, for example, if you want to fix a tar, make sure the update_files.tar keeps the same name and put it in the main folder where the program is located. The same goes for any file: keep the original name. So it's pretty simple: just drag in the file that you want the tool to do something with and keep the original name.
Here is a video I made (I am pretty bad at videos) to help; it's a tutorial that covers everything. If someone else could make a better one that would be awesome.
Notes: PS3Tools GUI Edition will create two new files for the Core_os_package, "decrypted_core_os" and "CORE_OS_PACKAGE_ENCRYPTED.pkg". Don't change the name of the decrypted one or else you won't be able to encrypt it.
BETA Tester Thoughts: Tested by jhax78
All those command line tools that take loads of time, and sometimes commands that you need to understand, will be replaced by this 1-click tool; even a trained monkey could extract, repack and sign with this now. It's taking literally 3 seconds to extract a PUP, resign, or whatever you need to do.
I'm no dev, but I like to poke around in stuff, and I think more people think like this; with this tool all that is just peanuts now.
Developer PsDev is back again today with another article (psx-scene.com/forums/content/possible-1885/) for everyone to read and enjoy. This time the topic is a possible PS3 4.0 exploit and the theory behind it. This is information he would like to share with the scene, in the hope of overcoming the current barriers to jailbreaking the PS3 console. Feedback is welcome, as PsDev has put a lot of thought and time into this theory.
OK, so let's get right to it. This is a theory, nothing more.
There has been information available for quite some time, and I took it, thought about it, researched and experimented, and I came out with my theory below to exploit 4.00 part of the way. This is not a random theory either; this is logical stuff and true facts. I'm providing this info for other devs to look at, and let's see if this can work. I don't keep my work to myself; I like to share and give other people chances at discovering stuff. It always makes me happy when someone finds something out using my work; it just tells me I did a good job in describing and helping, and they did a good job in listening and learning the material in order to trigger the exploit or whatever it might be.
So the lv2ldr verifies and decrypts the lv2_kernel.self. We can get the address of this happening. Inside the Parameters Layout there are arguments; they are used as commands, basically, to load a function you want to use. They start in the lv2 @ 0x3E800 (seems to be the same for the other ldrs). There are arguments called lv2_in and lv2_out (we have known about these); basically we can use lv2_in to map out the address and lv2_out to map out the address for where the lv2ldr decrypts the self file.
We can make a program like readself, basically, and get the offset; u8* means read one byte from the address. Use that and we can actually get the exact offset where it all happens. Once we have the location, grabbing this decrypted self should be the easy task. Like I said, some info we had and some we did not know about can be obtained like this and used to get keys.
Exploiting 4.00 with this method would most likely work because I doubt Sony changed all the locations where the loaders do their thing; sure, they're encapsulated in the bootloader, but they still pass over into the RAM at one point before being fed over to the metldr, which loads the ldrs, and if all that is still happening then Sony didn't change anything. Somewhere along these lines:
void *buf; //