Sponsored Links

Sponsored Links

Graf Chokolo Shares PS3 LV2 Kernel Decrypter PSGroove Payload


Sponsored Links
189w ago - Scene release group blackb0x have returned today with a PS3 homebrew application that will come in handy for PlayStation 3 developers and JailBreak users called the b0xloader SELF Loader.

Download: b0xloader SELF Loader 1.0 for PS3

The PS3 SELF loader will load the files directly without the need to package them. Just FTP them over to your PS3 or place them on a USB stick and load them.

From the NFO File: b0xloader - SELF Loader 1.0

A Simple SELF launcher for the Playstation 3.

Changelog:

1.0)
Initial release

Instructions:

  • Install the package to PS3
  • Select a Fake signed SELF from the menu and press X to launch.
  • Enjoy.

Limitations:
The SELF you are launching must be "fake signed" for it to launch, if not it will bring you back to XMB, This is good for quick testing your development/test builds without repacking to a PKG every time. Future support will be added for non-signed SELF/ELF's

"The age of miracles is past."

Greetz to DeLiGhT

Releases:

12/9/10 - b0xloader 1.0
10/2/10 - FTP Server 1.2
9/25/10 - FTP Server 1.1b
9/23/10 - FTP Server 1.0b
9/12/10 - LV2Dump 0.7a

-blackb0x





Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 22 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

silencephaze's Avatar
#2 - silencephaze - 189w ago
great awesome news!!

PS3 News's Avatar
#1 - PS3 News - 189w ago
As a follow-up to his recent PS3 SELF Decrypter PSGroove Payload and PS3 3.50 Firmware Decryption work, today PlayStation 3 developer graf_chokolo has released a PS3 LV2 Kernel Decrypter payload for PSGroove.

Download: PS3 LV2 Kernel Decrypter PSGroove Payload / [Register or Login to view links]

To quote from his comment on xorloser's blog, linked above:

graf_chokolo says:

I just release my lv2 kernel decrypter You need metldr, lv2ldr, RL_FOR_PROGRAM.img and lv2_kernel.self. You have first to dump your metldr from FLASH memory. lv2ldr you will find also in your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg from PUP files.

RL_FOR_PROGRAM.img is a revoke list for programs and can be also found in PUP files. lv2_kernel.self is on your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg.

First i send all files to PS3 and store them in memory. After that i load metldr in isolation mode and pass it the addr e ss of lv2ldr. The code is very low level and many things are done by directly manipulating SPU registers

If you have any questions or problems then feel free to contact me or ask here. I will try to help you. I will try to document my findings on my homepage

I also uploaded a code which can communicate with USB Dongle AUthenticator by using Dispatcher Manager without using any GameOS functions It’s exactly what GameOS does, just low level

Have fun guys

lv2_kernel.self from 1.10 firmware decrypted

[Register or Login to view links]

Guys, just to make sure that you know LV2 decrypter is also PS2 emu decrypter, just change LPAR auth id in code PS2 emu is like GameOS, it’s LV2 and is decrypted by lv2ldr

Just decrypted vsh.self from 1.10 firmware Just like old good days

I decrypted software_update_plugin.sprx but didn’t have time to reverse it yet

metldr

Loading metldr

  • Physical/Virtual memory address of an isolation module that should be loaded by metldr is written into SPU register SPU_In_Mbox. The SPU register SPU_In_Mbox is 32bit, so 64bit memory address is written in 2 steps.
  • MFC relocation is turned off by clearing R-bit in SPU register MFC_SR1. By doing this, HV enables real address mode for MFC of SPU.
  • On GameOS, it also works with relocation on. You just have to initialize SLB of SPU and insert valid SLB entries.
  • Physical/Virtual memory address of metldr is written to SPU registers Sig_Notify1 and Sig_Notify2
  • Isolation load request is enabled by writing SPU register SPU_PrivCntl
  • Isolation load request is made by writing value 0x3 into SPU register SPU_RunCntl

Methods

SPE_load_request_metldr - 0x002B00A4 (3.15)

lv2ldr

  • lv2ldr is used to decrypt lv2_kernel.self
  • syscalls 0x10042 and 0x1004A use lv2ldr
  • syscall 0x10042 is used by HV Process 3 during LV2 LPAR construction
  • syscall 0x1004A uses different parameters as syscall 0x10042

Methods

SPE_load_request_lv2ldr_1 - 0x002AE82C (3.15)

SPE_load_request_lv2ldr_2 - 0x002AE8D8 (3.15)

Loading lv2ldr

  • 64 bit memory address of lv2ldr is written into 32 bit SPU register SPU_In_Mbox
  • metldr is loaded

Decrypting SELFs with appldr and lv1_undocumented_function_99

  • lv1_undocumented_function_99 loads and prepares appldr for SELF decryption.
  • When appldr is ready to decrypt data, it sends a message via mailbox.
  • The address and the size of the encrypted data is passed to appldr via a shared memory.


More PlayStation 3 News...

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News