Scene release group blackb0x have returned today with a PS3 homebrew application that will come in handy for PlayStation 3 developers and JailBreak users called the b0xloader SELF Loader.
Download:
b0xloader SELF Loader 1.0 for PS3
The PS3 SELF loader will load the files directly without the need to package them. Just FTP them over to your PS3 or place them on a USB stick and load them.
From the NFO File: b0xloader - SELF Loader 1.0
A Simple SELF launcher for the Playstation 3.
Changelog:
1.0)
Initial release
Instructions:
- Install the package to PS3
- Select a Fake signed SELF from the menu and press X to launch.
- Enjoy.
Limitations:
The SELF you are launching must be "fake signed" for it to launch; if not, it will bring you back to the XMB. This is good for quickly testing your development/test builds without repacking to a PKG every time. Future support will be added for non-signed SELF/ELFs.
"The age of miracles is past."
Greetz to DeLiGhT
Releases:
12/9/10 - b0xloader 1.0
10/2/10 - FTP Server 1.2
9/25/10 - FTP Server 1.1b
9/23/10 - FTP Server 1.0b
9/12/10 - LV2Dump 0.7a
-blackb0x
graf_chokolo says:
I just released my lv2 kernel decrypter.
RL_FOR_PROGRAM.img is a revoke list for programs and can also be found in PUP files. lv2_kernel.self is on your FLASH memory or in the decrypted CORE_OS_PACKAGE.pkg.
First I send all files to the PS3 and store them in memory. After that I load metldr in isolation mode and pass it the address of lv2ldr. The code is very low level and many things are done by directly manipulating SPU registers.
If you have any questions or problems then feel free to contact me or ask here. I will try to help you. I will try to document my findings on my homepage.
I also uploaded code which can communicate with the USB Dongle Authenticator by using the Dispatcher Manager without using any GameOS functions.
Have fun guys
lv2_kernel.self from 1.10 firmware decrypted
http://pastie.org/1360067
Guys, just to make sure that you know
Just decrypted vsh.self from 1.10 firmware
I decrypted software_update_plugin.sprx but didn't have time to reverse it yet.
metldr
Loading metldr
The physical/virtual memory address of the isolation module that metldr should load is written into the SPU register SPU_In_Mbox. SPU_In_Mbox is 32-bit, so the 64-bit memory address is written in two steps.
MFC relocation is turned off by clearing the R bit in the SPU register MFC_SR1. By doing this, the HV enables real-address mode for the SPU's MFC.
On GameOS, it also works with relocation on. You just have to initialize the SPU's SLB and insert valid SLB entries.
The physical/virtual memory address of metldr is written to the SPU registers Sig_Notify1 and Sig_Notify2.
An isolation load request is enabled by writing the SPU register SPU_PrivCntl.
The isolation load request is made by writing the value 0x3 into the SPU register SPU_RunCntl.
Methods
SPE_load_request_metldr - 0x002B00A4 (3.15)
lv2ldr
lv2ldr is used to decrypt lv2_kernel.self.
Syscalls 0x10042 and 0x1004A use lv2ldr.
Syscall 0x10042 is used by HV Process 3 during LV2 LPAR construction.
Syscall 0x1004A uses different parameters from syscall 0x10042.
Methods
SPE_load_request_lv2ldr_1 - 0x002AE82C (3.15)
SPE_load_request_lv2ldr_2 - 0x002AE8D8 (3.15)
Loading lv2ldr
The 64-bit memory address of lv2ldr is written into the 32-bit SPU register SPU_In_Mbox.
metldr is loaded.
Decrypting SELFs with appldr and lv1_undocumented_function_99
lv1_undocumented_function_99 loads and prepares appldr for SELF decryption.
When appldr is ready to decrypt data, it sends a message via mailbox.
The address and the size of the encrypted data is passed to appldr via a shared memory.