Graf Chokolo Shares PS3 LV2 Kernel Decrypter PSGroove Payload


207w ago - Scene release group blackb0x has returned today with a PS3 homebrew application, called b0xloader SELF Loader, that will come in handy for PlayStation 3 developers and JailBreak users.

Download: b0xloader SELF Loader 1.0 for PS3

The PS3 SELF loader will load the files directly without the need to package them. Just FTP them over to your PS3 or place them on a USB stick and load them.

From the NFO File: b0xloader - SELF Loader 1.0

A Simple SELF launcher for the Playstation 3.

Changelog:

1.0)
Initial release

Instructions:

  • Install the package to PS3
  • Select a Fake signed SELF from the menu and press X to launch.
  • Enjoy.

Limitations:
The SELF you are launching must be "fake signed" for it to launch; if not, it will bring you back to the XMB. This is good for quickly testing your development/test builds without repacking to a PKG every time. Future support will be added for non-signed SELF/ELFs.

"The age of miracles is past."

Greetz to DeLiGhT

Releases:

12/9/10 - b0xloader 1.0
10/2/10 - FTP Server 1.2
9/25/10 - FTP Server 1.1b
9/23/10 - FTP Server 1.0b
9/12/10 - LV2Dump 0.7a

-blackb0x


Comments (22)

#22 - datalogger - 205w ago
So far, I don't think anyone except Graf Chokolo has been able to boot their PS3 successfully with this payload.

I think there are plenty of people that know what to do with it, if they can get it to boot..

So far I've tried:
Fedora 9 and Ubuntu 10 with both ps3toolchain and IBM SDK 3.0

I can get it to compile cleanly, but I can't get any response from the payload on either my 3.41 or my 3.15 CECHA-01/BC PS3s.

It would be nice if Graf Chokolo would chime in with the exact setup he is using to make this work, as in what Linux distro he is using, what toolchain, etc.

Also:
Hint for Ubuntu users: you must update your libpcap to version 1.1.1, or else sendfile will pump out an error on PCAP_NETMASK_UNKNOWN, because the version Ubuntu 10 thinks is current is old.

#21 - deank - 206w ago
I wish there was someone with enough knowledge to implement these awesome discoveries.

Just as a concept, my question is: is there a chance to redirect or alter in any way the authentication requests/responses from the Storage Manager? For example, returning an O.K. (genuine) for optical media when the user uses recordable discs (obviously not genuine).

Dean

#20 - PS3 News - 206w ago
More updates: [Register or Login to view links]
graf_chokolo says:

You can decrypt lv2_kernel.self from the Service JIG by using lv2ldr. No need to install it in order to be able to dump it.

I uploaded my VUART hook. While your GameOS runs, it communicates with VUARTs 0 (A/V Manager), 2 (System Manager) and 10 (Dispatcher Manager). The VUART hook sends all data written to or read from these VUARTs via Ethernet. In this data you will find e.g. communication with Update Manager, Storage Manager (Disc Authentication etc.), Virtual TRM Manager or USB Dongle Authenticator and lots of other very interesting stuff.

Aha, GameOS uses service 0x200D (Decrypt with Portability) of Virtual TRM Manager to decrypt something.

I just tested my code on a PS3 FAT with 3.15 and managed to make it work with the latest PSGroove version. You don't have to change anything in my code; it's independent of firmware or PSGroove version. I uploaded a new sendfile version which doesn't use VLAN by default; use it with 3.15. If you want to use VLAN, just add the -v option.

Here is my descriptor for the latest PSGroove version:

12 - CONTROL_LED

  • I have tested this service with PSGroove and GameOS is allowed to use it.
  • GameOS syscall 386 uses this service.

Packet Body



Parameters
I have tested the following parameters with this service:
[quote]
field0  field1  field2  field4  field5  Description
0x1     0x0     0xFF    0xFF    0xFF    Turns off the power button LED
0x1     0x1     0xFF    0xFF    0xFF    Turns on the power button LED

21 - RING_BUZZER

  • I have tested this service with PSGroove and GameOS is allowed to use it.

Packet Body



Parameters

  • I have tested the following parameters with this service:


field1  field2  field4  Description
0x29    0x4     0x6     Makes a short single beep
0x29    0xA     0x1B6   Makes a double beep
0x29    0x7     0x36    -
0x29    0xA     0xFFF   Makes a continuous beep

HV call

  • The address of HV table is stored at -0x6FC8(HSPRG0).
  • The address of HV table size is stored at -0x6FD0(HSPRG0).

HV call
Id   Name                                  Description
62   lv1_undocumented_function_62          SPE (isolation, it updates a SLB entry, writes to SLB_Index, SLB_VSID, SLB_ESID and SLB_Invalidate_Entry registers)
89   lv1_undocumented_function_89          SPE (writes to MFC_TLB_Invalidate_Entry register)
99   lv1_authenticate_program_segment      SPE (isolation, syscall 0x10043, syscall 0x10042, syscall 0x1004A)
102  lv1_undocumented_function_102         Returns current TB ticks
137  lv1_undocumented_function_137         SPE
138  lv1_undocumented_function_138         SPE
167  lv1_undocumented_function_167         SPE (isolation, reads from SPU_Out_Intr_Mbox and MFC_CNTL registers)
168  lv1_undocumented_function_168         SPE (isolation, writes to MFC_CNTL register)
195  lv1_undocumented_function_195         WLAN Gelic device
196  lv1_undocumented_function_196         WLAN Gelic device
200  lv1_undocumented_function_200         SPE (isolation)
201  lv1_undocumented_function_201         SPE (isolation)
209  lv1_undocumented_function_209         SPE (isolation)
250  lv1_undocumented_function_250         Storage device
251  lv1_undocumented_function_251         Storage device
252  lv1_undocumented_function_252         Storage device
253  lv1_undocumented_function_253         Storage device

Memory HV call

  • All memory HV calls branch to lv1_mm_call.
  • lv1_mm_call has its own function table.
  • Memory HV call number = HV call number.

Memory HV call table

  • Each entry is a pointer to a function TOC entry.
  • table size = 256
  • 0x00364208 (3.15)

Memory HV calls

lv1_map_htab - 0x002D595C (3.15)
lv1_unmap_htab - 0x002D56B8 (3.15)
lv1_allocate_memory - 0x002D72F0 (3.15)
lv1_release_memory - 0x002D66A4 (3.15)
lv1_query_logical_partition_address_region_info - 0x002C9B24 (3.15)
lv1_create_repository_node - 0x002DD014 (3.15)
lv1_get_repository_node_value - 0x002DD260 (3.15)
lv1_undocumented_function_231 - 0x0030B560 (3.15)

[/quote]
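As an added illustration of the table layout described above (not code from graf_chokolo or the post), a small Python decoder that walks a 256-entry call table whose slots point at PPC64 function descriptors (first doubleword = code address) and labels the code addresses it finds using the 3.15 function addresses listed in the post. The dump, the descriptor area and the slot numbers are constructed for the example and are not the real lv1 call numbers.

```python
import struct

TABLE_SIZE = 256              # entries in the memory HV call table, per the post
TABLE_BASE_315 = 0x00364208   # table address on firmware 3.15, from the post

# Memory HV call function addresses listed in the post for firmware 3.15.
KNOWN_FUNCS_315 = {
    0x002D595C: "lv1_map_htab",
    0x002D56B8: "lv1_unmap_htab",
    0x002D72F0: "lv1_allocate_memory",
    0x002D66A4: "lv1_release_memory",
    0x002C9B24: "lv1_query_logical_partition_address_region_info",
    0x002DD014: "lv1_create_repository_node",
    0x002DD260: "lv1_get_repository_node_value",
    0x0030B560: "lv1_undocumented_function_231",
}

def resolve_hv_table(table_bytes, read_u64, known=KNOWN_FUNCS_315):
    """Walk the table: each non-zero slot is a pointer to a function descriptor,
    and the descriptor's first doubleword is the code address. read_u64(addr)
    is a caller-supplied big-endian doubleword reader over the dump.
    Returns {call_number: (code_address, name_or_None)}."""
    entries = struct.unpack(">%dQ" % TABLE_SIZE, table_bytes[:TABLE_SIZE * 8])
    resolved = {}
    for call_no, desc_ptr in enumerate(entries):
        if desc_ptr == 0:                 # unused slot
            continue
        code_addr = read_u64(desc_ptr)    # descriptor word 0: entry point
        resolved[call_no] = (code_addr, known.get(code_addr))
    return resolved

def build_sample_dump():
    """Constructed sample, not a real dump: slot numbers and descriptor
    addresses are made up; only the code addresses come from the post."""
    desc_base = 0x00380000                # constructed descriptor area
    slots = {0: 0x002D72F0, 13: 0x002D66A4, 20: 0x002D595C, 21: 0xDEAD0000}
    mem = {}                              # address -> doubleword value
    table = [0] * TABLE_SIZE
    for i, (slot, code_addr) in enumerate(slots.items()):
        desc = desc_base + i * 24         # descriptor = code addr, TOC ptr, env
        mem[desc], mem[desc + 8], mem[desc + 16] = code_addr, 0x00400000, 0
        table[slot] = desc
    return struct.pack(">%dQ" % TABLE_SIZE, *table), mem.__getitem__

if __name__ == "__main__":
    table_bytes, read_u64 = build_sample_dump()
    for call_no, (addr, name) in sorted(resolve_hv_table(table_bytes, read_u64).items()):
        print("call %3d -> 0x%08X %s" % (call_no, addr, name or "<unknown>"))
```

An address absent from the known list (the 0xDEAD0000 slot) is reported with no name rather than guessed, which is the case a practitioner hits on any firmware other than 3.15.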

#19 - cfwprophet - 206w ago
That's really great.

I knew it. The debug strings for debug system settings, debug update settings and some more are in the kernel. Also, I'm pretty sure that OtherOS is patched out of the kernel. So dumping and decrypting some debug and retail kernels from different versions will be the main goal to enable the missing options.

#18 - PS3 News - 206w ago
More updates: [Register or Login to view links]

graf_chokolo says: Holy crap, guys. Did you know that the LV2 kernel from the service JIG is very different from the retail version? It contains e.g. LPM (Logical Performance Monitor) and other stuff which LV2 3.41 doesn't contain. I want to install it on my FAT PS3 and dump the HV kernel. Maybe then I will find out how to use those isolated SPU modules contained in the service JIG PUP.

WOW, the LV2 kernel from the service JIG contains a lot more debug strings.

Here is an example:

Guys, you know how $ONY calls HVCALL99?

They call it: lv1_authenticate_program_segment

I released my SELF decrypter several days ago. With it you will be able to decrypt all SELFs up to 3.41 firmware. The payload is in the file decrypt_self_direct.c. It uses metldr and appldr directly to decrypt SELFs.

Furthermore, you will need a revoke list for programs, which can be extracted from PUP files. Have fun, guys.
