Graf Chokolo Shares PS3 LV2 Kernel Decrypter PSGroove Payload

Category: PS3 Hacks & JailBreak  By: PS3 News - (xorloser.com)
Tags: graf chokolo ps3 lv2 kernel decrypter ps3 decrypter ps3 hacks psgroove payloads

128w ago - Scene release group blackb0x have returned today with a PS3 homebrew application that will come in handy for PlayStation 3 developers and JailBreak users called the b0xloader SELF Loader.

Download: b0xloader SELF Loader 1.0 for PS3

The PS3 SELF loader will load the files directly without the need to package them. Just FTP them over to your PS3 or place them on a USB stick and load them.

From the NFO File: b0xloader - SELF Loader 1.0

A Simple SELF launcher for the Playstation 3.

Changelog:

1.0)
Initial release

Instructions:

  • Install the package to PS3
  • Select a Fake signed SELF from the menu and press X to launch.
  • Enjoy.

Limitations:
The SELF you are launching must be "fake signed" for it to launch; if not, it will bring you back to XMB. This is good for quickly testing your development/test builds without repacking to a PKG every time. Future support will be added for non-signed SELF/ELFs.

"The age of miracles is past."

Greetz to DeLiGhT

Releases:

12/9/10 - b0xloader 1.0
10/2/10 - FTP Server 1.2
9/25/10 - FTP Server 1.1b
9/23/10 - FTP Server 1.0b
9/12/10 - LV2Dump 0.7a

-blackb0x





#22 - datalogger - 126w ago
So far, I don't think anyone except Graf Chokolo has been able to boot their PS3 successfully with this payload.

I think there are plenty of people that know what to do with it, if they can get it to boot.

So far I've tried:
Fedora 9 and Ubuntu 10 with both ps3toolchain and IBM SDK 3.0

I can get it to compile cleanly, but I can't get any response from the payload on either my 3.41 or my 3.15 CECHA-01/BC PS3s.

It would be nice if Graf Chokolo would chime in with the exact setup he is using to make this work, as in what Linux distro is he using, what toolchain etc.

Also-
Hint for Ubuntu users: You must update your libpcap to version 1.1.1 or else sendfile will pump out an error on PCAP_NETMASK_UNKNOWN because the version Ubuntu 10 thinks is current is old.

#21 - deank - 127w ago
I wish there was someone with enough knowledge to implement these awesome discoveries.

Just as a concept my question is: Is there a chance to redirect or alter in any way the authentication requests/responses from the Storage manager? For example returning an O.K. (genuine) for optical media when the user uses recordable discs (obviously not genuine).

Dean

#20 - PS3 News - 127w ago
More updates: http://xorloser.com/?p=297&cpage=19#comment-3027
Quote graf_chokolo says:

You can decrypt lv2_kernel.self from Service JIG by using lv2ldr. No need to install it in order to be able to dump it.

I uploaded my VUART hook. While your GameOS runs, it communicates with VUARTs 0 (A/V Manager), 2 (System Manager) and 10 (Dispatcher Manager). The VUART hook sends all data written to or read from these VUARTs via Ethernet. In this data you will find e.g. communication with Update Manager, Storage Manager (Disc Authentication etc), Virtual TRM Manager or USB Dongle Authenticator and lots of other very interesting stuff.

Aha, GameOS uses service 0x200D (Decrypt with Portability) of Virtual TRM Manager to decrypt something.

I just tested my code on PS3 FAT with 3.15 and managed to make it work with the latest PSGroove version. You don't have to change anything in my code, it's independent of firmware or PSGroove version. I uploaded new sendfile version which doesn't use VLAN per default, use it with 3.15, if you want to use VLAN just add -v option.

Here is my descriptor for the latest PSGroove version:
http://pastie.org/1389868

12 - CONTROL_LED

• I have tested this service with PSGroove and GameOS is allowed to use it.
• GameOS syscall 386 uses this service.

Packet Body


struct sysmgr_ctrl_led
{
    u8 field0;
    u8 field1;
    u8 field2;
    u8 res1;
    u8 field4;
    u8 field5;
    u8 res2[10];
};

Parameters
I have tested the following parameters with this service:
[quote]
field0  field1  field2  field4  field5  Description
0x1     0x0     0xFF    0xFF    0xFF    Turns off the power button LED
0x1     0x1     0xFF    0xFF    0xFF    Turns on the power button LED

21 - RING_BUZZER

• I have tested this service with PSGroove and GameOS is allowed to use it

Packet Body


struct sysmgr_ring_buzzer
{
    u8 res1;
    u8 field1;
    u8 field2;
    u8 res2;
    u32 field4;
};

Parameters

• I have tested the following parameters with this service:

Quote
field1  field2  field4  Description
0x29    0x4     0x6     Makes a short single beep
0x29    0xA     0x1B6   Makes a double beep
0x29    0x7     0x36    -
0x29    0xA     0xFFF   Makes a continuous beep

HV call

• The address of HV table is stored at -0x6FC8(HSPRG0).
• The address of HV table size is stored at -0x6FD0(HSPRG0).

HV call
Quote
Id   Name                              Description
62   lv1_undocumented_function_62      SPE (isolation, it updates a SLB entry, writes to SLB_Index, SLB_VSID, SLB_ESID and SLB_Invalidate_Entry registers)
89   lv1_undocumented_function_89      SPE (writes to MFC_TLB_Invalidate_Entry register)
99   lv1_authenticate_program_segment  SPE (isolation, syscall 0x10043, syscall 0x10042, syscall 0x1004A)
102  lv1_undocumented_function_102     Returns current TB ticks
137  lv1_undocumented_function_137     SPE
138  lv1_undocumented_function_138     SPE
167  lv1_undocumented_function_167     SPE (isolation, reads from SPU_Out_Intr_Mbox and MFC_CNTL registers)
168  lv1_undocumented_function_168     SPE (isolation, writes to MFC_CNTL register)
195  lv1_undocumented_function_195     WLAN Gelic device
196  lv1_undocumented_function_196     WLAN Gelic device
200  lv1_undocumented_function_200     SPE (isolation)
201  lv1_undocumented_function_201     SPE (isolation)
209  lv1_undocumented_function_209     SPE (isolation)
250  lv1_undocumented_function_250     Storage device
251  lv1_undocumented_function_251     Storage device
252  lv1_undocumented_function_252     Storage device
253  lv1_undocumented_function_253     Storage device

Memory HV call

• All memory HV calls branch to lv1_mm_call
• lv1_mm_call has its own function table
• Memory HV call number = HV call number

Memory HV call table

• Each entry is a pointer to a function TOC entry.
• table size = 256
• 0x00364208 (3.15)

Memory HV calls
Quote
lv1_map_htab - 0x002D595C (3.15)
lv1_unmap_htab - 0x002D56B8 (3.15)
lv1_allocate_memory - 0x002D72F0 (3.15)
lv1_release_memory - 0x002D66A4 (3.15)
lv1_query_logical_partition_address_region_info - 0x002C9B24 (3.15)
lv1_create_repository_node - 0x002DD014 (3.15)
lv1_get_repository_node_value - 0x002DD260 (3.15)
lv1_undocumented_function_231 - 0x0030B560 (3.15)

[/quote]
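
For anyone reading VUART captures against the CONTROL_LED and RING_BUZZER layouts quoted above, here is a small decoder. It is an added example, not code from graf_chokolo or from this site. The function names and return strings are hypothetical, the sample bytes are constructed, and it assumes the u32 field is big-endian in the capture (the PS3's PPU is big-endian) and that the body has already been split out of the surrounding packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;
typedef uint32_t u32;

/* Packet bodies as listed in the post. */
struct sysmgr_ctrl_led { u8 field0, field1, field2, res1, field4, field5, res2[10]; };
struct sysmgr_ring_buzzer { u8 res1, field1, field2, res2; u32 field4; };
_Static_assert(sizeof(struct sysmgr_ctrl_led) == 16, "CONTROL_LED body size");
_Static_assert(offsetof(struct sysmgr_ring_buzzer, field4) == 4, "field4 offset");

/* Assumption: u32 fields are big-endian in the capture. */
static u32 be32(const u8 *p) {
    return ((u32)p[0] << 24) | ((u32)p[1] << 16) | ((u32)p[2] << 8) | p[3];
}

/* NULL = wrong length; "unlisted" = well-formed but not a combination from the table.
   Reserved bytes (res1, res2) are ignored. */
const char *describe_ctrl_led(const u8 *buf, size_t len) {
    struct sysmgr_ctrl_led p;
    if (!buf || len != sizeof p) return NULL;
    memcpy(&p, buf, sizeof p);
    if (p.field0 != 0x1 || p.field2 != 0xFF || p.field4 != 0xFF || p.field5 != 0xFF)
        return "unlisted";
    if (p.field1 == 0x0) return "power button LED off";
    if (p.field1 == 0x1) return "power button LED on";
    return "unlisted";
}

const char *describe_ring_buzzer(const u8 *buf, size_t len) {
    if (!buf || len != sizeof(struct sysmgr_ring_buzzer)) return NULL;
    u8 f1 = buf[offsetof(struct sysmgr_ring_buzzer, field1)];
    u8 f2 = buf[offsetof(struct sysmgr_ring_buzzer, field2)];
    u32 f4 = be32(buf + offsetof(struct sysmgr_ring_buzzer, field4));
    if (f1 != 0x29) return "unlisted";
    if (f2 == 0x4 && f4 == 0x6)   return "short single beep";
    if (f2 == 0xA && f4 == 0x1B6) return "double beep";
    if (f2 == 0x7 && f4 == 0x36)  return "listed, effect not described";
    if (f2 == 0xA && f4 == 0xFFF) return "continuous beep";
    return "unlisted";
}

int main(void) {
    /* Constructed sample bodies, not captured traffic. */
    const u8 led[16] = {0x01, 0x01, 0xFF, 0x00, 0xFF, 0xFF};
    const u8 buzz[8] = {0x00, 0x29, 0x0A, 0x00, 0x00, 0x00, 0x01, 0xB6};
    printf("%s\n%s\n", describe_ctrl_led(led, sizeof led), describe_ring_buzzer(buzz, sizeof buzz));
    return 0;
}
```

A body that decodes as "unlisted" is not necessarily invalid; it only means the combination is not one of the tested rows quoted above.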

#19 - cfwprophet - 127w ago
That's really great.

I knew it. The debug strings for debug system settings, debug update settings along with some more are in the kernel. Also I'm pretty sure that otheros is patched out of the kernel. So dumping and decrypting some debug and retail kernels from different versions will be the main goal to enable the missing options.

#18 - PS3 News - 127w ago
More updates: http://xorloser.com/?p=297&cpage=19#comment-2909
Quote
graf_chokolo says: Holy crap, guys. Did you know that LV2 kernel from service JIG is very different from retail version? It contains e.g. LPM (Logical Performance Monitor) and other stuff which LV2 3.41 doesn't contain. I want to install it on my FAT PS3 and dump HV kernel. Maybe then I will find out how to use those isolated SPU modules contained in service JIG PUP.

WOW LV2 kernel from service JIG contains a lot more debug strings

Here is an example:

http://pastie.org/1381942

Guys, you know how $ONY calls HVCALL99 ?

They call it: lv1_authenticate_program_segment

I released several days ago my SELF decrypter. With that you will be able to decrypt all SELFs up to 3.41 firmware. The payload is in file decrypt_self_direct.c. It uses metldr and appldr directly to decrypt SELFs.

Furthermore, you will need a revoke list for programs which can be extracted from PUP files. Have fun guys
