Details and Payloads for Dumping PS3 Per Console Keys Surface

Category: PS3 Hacks & JailBreak By: Score12 - (ps3iso.com)
Tags: ps3 per console keys payloads dumping ps3 per console keys ps3 per console keys

82w ago - PlayStation 3 developers have been busy recently working on payloads for dumping the PS3 per console keys, as once the per_console_key_0 is obtained with full EID decryption dongles and burned BR-D's may be a thing of the past.

Below are details from sphinxkoma and the PS3 Wiki (ps3devwiki.com/index.php?title=Talk:Per_Console_Keys) on dumping the per_console_key_1 via Kaz... it's only a matter of time for per_console_key_0 which unlocks everything we need.

To quote: PS3 Per Console Keys

EID crypto is very complicated, it is done so on purpose. first of all EID0 isn't decrypted with one key, and one algorithm alone. it is decrypted in several parts which use different algos and keys. the keys are all derivations of a per console key (per_console_key_1) which is stored inside metldr and copied by it to sector 0 and never leaves isolation. that same key is a derivation of the per console key (per_console_key_0) used to encrypt metldr and the bl in the first place as well.

isoldr clears that key from sector 0 before jumping to the isolated module. but before doing so it encrypts it with another keyset and stores it in a buffer so that the isolated module can use the new crafted key. since the operation is AES, if you know that keyset you can decrypt the crafted key and get the eid root key without pwning a loader or metldr through an isolated module.

that is not like you really need it because you can already use the crafted key to decrypt some of eid0, but not all of it. and the crafted key also uses the first elf section to be built as in your isolated module will have a small section which only contains a key. and that key is used as another layer by isoldr to encrypt the buffer with it. so basically you have 2 encryption layers over the root key. the final key then decrypts a specific part of the EID.

eid crypto is actually done smart. that is because most of it originally comes from the cell bootrom, as in they reuse the same algo used for metldr binaries and bl in the eid crypto, including some of the keys and the steps. and you cannot decrypt all of the eid sections unless you gathered every single keys and steps. and there are a lot then you still have to figure out wtf it is you decrypted because eid is actually full of keys.

1. payloader3 create new possible source of or precompiled:

payloader3-341.pkg: http://www.multiupload.com/JKKZG58NOR
payloader3-315.pkg: http://www.multiupload.com/MB7NE5AJYC

2. Install payloader3 pkg on the ps3

3. export in the terminal set
a. export PS3LOAD = tcp: ipaddress.of.ps3
b. start socat (socat tcp-recv: 18194 stdout)

4. payloader3 pkg start on ps3

5. It is quite likely to see is not the picture (black screen) but you will hear a distinct sound (like C64) Now things are different feasible:

a. X 4eck then starts with ps3load ethdebug
b. then you will want to circle back to the xmb and invites ethdebug (for Debuging pkg files)

6. Use your ps3load the mode used to send your ps3 dump_eid_root_key.self (ps3load dump_eid_root_key.self) Now you should see debug Terminal in your debugging and then hopefully you'll find the PCK .. (theoretically)

The per console key is used to derive other keys, some of which Sony can't change as this appears to be the bottom of their encryption chain. It's also important to note that this method is intended for dumping per_console_key_1 and per_console_key_n while per_console_key_0 is currently still required.

However to speculate, in future PS3 CFW updates users may need to be on a Custom Firmware to begin with (or downgrade to one first) and then run a .PKG to get their per console encryption key, followed by using it in a PS3 MFW Builder and installing the resulting modified PS3 Firmware on their PlayStation 3 console.

From ps3devwiki.com/index.php?title=Per_Console_Keys#per_console_root_key_0:

metldr is decrypted with this key
bootldr is decrypted with this key
might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)

Finally, from the PlayStation 3 Wiki (ps3devwiki.com/index.php?title=Per_Console_Keys and ps3devwiki.com/index.php?title=Boot_Order#Chain_of_Trust for the PS3 boot order) pages:

Per Console Keys

per_console_root_key_0

metldr is decrypted with this key
bootldr is decrypted with this key
might be obtained with per_console_root_key_1? (largely speculative, not nec. true - need more looked into, only based on the behavior of the other derivatives known to be obtained through AES)

per_console_root_key_1 / EID_root_key

derived from per_console_key_0
stored inside metldr
copied to sector 0 by metldr
cleared by isoldr
Used to decrypt part of the EID
Used to derive further keys
can be obtained with a modified isoldr that dumps it
can be obtained with a derivation of this key going backwards

obtaining it

launch the patched isoldr with your prefered method

Option 1 - dumper kernel module

modify glevands spp_verifier_direct to dump the mbox to wherever_you_want and then (use the payload below as an example)
the example code on how to dump the mbox can be found on the Option 2 - dumper payload below

insmod ./spp_verifier_direct.ko
cat metldr > /proc/spp_verifier_direct/metldr
cat isoldr_PATCHED > /proc/spp_verifier_direct/isoldr
echo 1 > /proc/spp_verifier_direct/run
cat /proc/spp_verifier_direct/debug
cat /proc/spp_verifier_direct/wherever_you_want

Option 2 - dumper payload

http://pastie.org/pastes/2101977

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include "types.h"
#include "netrpc.h"
#include "lv1.h"
#include "spu.h"
#include "mm.h"
#include "util.h"

#define PS3HOST "192.168.1.2"

u8 *_read_file(const char *name, u32 *size)
{
	u8 *buf;
	u32 len;
	FILE *fp;
	
	if((fp = fopen(name, "rb")) == NULL)
	{
		printf("could not open %s\n", name);
		return NULL;
	}
	
	//Read into buffer.
	fseek(fp, 0, SEEK_END);
	len = ftell(fp);
	fseek(fp, 0, SEEK_SET);
	buf = (u8 *)malloc(sizeof(u8) * len);
	fread(buf, sizeof(u8), len, fp);
	
	fclose(fp);
	
	//Set buffer size.
	if(size != NULL)
		*size = len;
	
	return buf;
}

u64 _vas_get_id(netrpc_ctxt_t *ctxt)
{
	u64 id;
	netrpc_hvcall(ctxt, _N_lv1_get_logical_ppe_id, NULL, 0, &id, 1);
	netrpc_hvcall(ctxt, _N_lv1_get_virtual_address_space_id_of_ppe, &id, 1, &id, 1);
	return id;
}

s64 _get_spe_intr_status(netrpc_ctxt_t *ctxt, u64 spe_id, u64 cls, u64 *stat)
{
	u64 args[] = {spe_id, cls};
	return netrpc_hvcall(ctxt, _N_lv1_get_spe_interrupt_status, args, 2, stat, 1);
}

s64 _clr_spe_intr_status(netrpc_ctxt_t *ctxt, u64 spe_id, u64 cls, u64 stat)
{
	u64 args[] = {spe_id, cls, stat, 0};
	return netrpc_hvcall(ctxt, _N_lv1_clear_spe_interrupt_status, args, 4, NULL, 0);
}

#define LDR_BASE 0x100000
#define LDR_SIZE 0x2300000
#define METLDR_SIZE 0x100000
#define ISOLDR_SIZE 0x100000

#define SPU_SHADOW_SIZE 0x1000
#define SPU_PROBLEM_SIZE 0x20000
#define SPU_PRIV2_SIZE 0x20000
#define SPU_LS_SIZE 0x40000

//static volatile u64 ldr_lpar_addr = 0x700020000000ULL + 0xE900000ULL - LDR_SIZE;

static u64 esid = 0x8000000018000000;
static u64 vsid = 0x0000000000001400;

int main(int argc, char **argv)
{
	netrpc_ctxt_t ctxt;
	s64 res;
	
	//Ohai.
	printf("connecting...");
	if(netrpc_connect(&ctxt, inet_addr(PS3HOST), NETRPC_PORT) < 0)
	{
		printf("error\n");
		return 1;
	}
	printf("ok\n");
	
	printf("ping...");
	if(netrpc_ping(&ctxt) < 0)
	{
		printf("error\n");
		return 1;
	}
	printf("ok\n");
	
	//Get vas id.
	u64 vas_id = _vas_get_id(&ctxt);
	
	//File adresses.
	u64 metldr_addr, isoldr_addr;
	metldr_addr = LDR_BASE;
	isoldr_addr = metldr_addr + METLDR_SIZE;
	
	//Map region.
	//res = mm_map_lpar_memory_region(&ctxt, vas_id, MM_EA2VA(metldr_addr), LDR_BASE /*ldr_lpar_addr*/, LDR_SIZE, 0xC, 0, 0);
	//printf("map_lpar_memory_region : %lld\n", res);
	
	netrpc_addmmio(&ctxt, LDR_BASE, LDR_SIZE);
	
	printf("copy files out...");
	
	//Read files.
	u32 metldr_size;
	u8 *metldr = _read_file("./data/metldr", &metldr_size);
	u32 isoldr_size;
	u8 *isoldr = _read_file("./data/isoldr", &isoldr_size);
	//u8 *isoldr = _read_file("./data/isoldr_patched", &isoldr_size);
	
	//Copy files out.
	netrpc_memcpy_out(&ctxt, metldr_addr, metldr, metldr_size);
	netrpc_memcpy_out(&ctxt, isoldr_addr, isoldr, isoldr_size);
	
	//Cleanup.
	free(metldr);
	free(isoldr);
	
	printf("done\n");
	
	printf("construct spe...");
	
	//Construct SPE.
	u64 cspe_args[] = {0xc, 0xc, 0xc, 0xc, 0xc, vas_id, 0};
	u64 cspe_res[] = {0, 0, 0, 0, 0, 0};
	netrpc_hvcall(&ctxt, _N_lv1_construct_logical_spe, cspe_args, 7, cspe_res, 6);
	
	//SPE info.
	u64 priv2_addr, problem_addr, ls_addr, shadow_addr, spe_id;
	priv2_addr = cspe_res[0];
	problem_addr = cspe_res[1];
	ls_addr = cspe_res[2];
	shadow_addr = cspe_res[4];
	spe_id = cspe_res[5];
	
	netrpc_addmmio(&ctxt, priv2_addr, SPU_PRIV2_SIZE);
	netrpc_addmmio(&ctxt, problem_addr, SPU_PROBLEM_SIZE);
	netrpc_addmmio(&ctxt, shadow_addr, SPU_SHADOW_SIZE);
	netrpc_addmmio(&ctxt, ls_addr, SPU_LS_SIZE);
	
	printf("done\n  priv2 @ 0x%016llx\n  problem @ 0x%016llx\n  ls @ 0x%016llx\n  shadow @ 0x%016llx\n  id : 0x%016llx\n",
		priv2_addr, problem_addr, ls_addr, shadow_addr, spe_id);
	
	printf("setup spe...");
	
	//Setup SPE.
	u64 setup_spe_args[] = {spe_id, 0, 0};
	
	setup_spe_args[1] = 6;
	netrpc_hvcall(&ctxt, _N_lv1_enable_logical_spe, setup_spe_args, 2, NULL, 0);
	
	setup_spe_args[1] = 0;
	setup_spe_args[2] = 0x7;
	netrpc_hvcall(&ctxt, _N_lv1_set_spe_interrupt_mask, setup_spe_args, 3, NULL, 0);
	
	setup_spe_args[1] = 1;
	setup_spe_args[2] = 0xf;
	netrpc_hvcall(&ctxt, _N_lv1_set_spe_interrupt_mask, setup_spe_args, 3, NULL, 0);
	
	setup_spe_args[1] = 2;
	setup_spe_args[2] = 0xf;
	netrpc_hvcall(&ctxt, _N_lv1_set_spe_interrupt_mask, setup_spe_args, 3, NULL, 0);
	
	printf("done\n");
	
	u64 set_reg_args[] = {spe_id, _OFFSET_MFC_SR1, 0x10};
	res = netrpc_hvcall(&ctxt, _N_lv1_set_spe_privilege_state_area_1_register, set_reg_args, 3, NULL, 0);
	printf("set_spe_privilege_state_area_1_register : %lld\n", res);
	
	printf("start spe in isolation mode...");
	
	spu_slb_invalidate_all(&ctxt, priv2_addr);
	spu_slb_set_entry(&ctxt, priv2_addr, 0, esid, vsid);
	write_u64(&ctxt, SPU_RADDR(priv2_addr, _OFFSET_SPU_Cfg), 0);
	netrpc_eieio(&ctxt);
	spu_in_mbox_write_64(&ctxt, problem_addr, isoldr_addr);
	spu_sig_notify_1_2_write_64(&ctxt, problem_addr, metldr_addr);
	spu_isolation_req_enable(&ctxt, priv2_addr);
	spu_isolation_req(&ctxt, problem_addr);
	
	printf("done\n");
	
	FILE *fp = fopen("ls.bin", "wb");
	
	u32 spu_status, size = 0;
	u64 intr_status;
	while(1)
	{
		res = _get_spe_intr_status(&ctxt, spe_id, 0, &intr_status);
		if(intr_status)
		{
			printf("intr_status (0) : %016llx\n", intr_status);
			printf("clear_intr_status : %lld\n", _clr_spe_intr_status(&ctxt, spe_id, 0, intr_status));
		}
		
		res = _get_spe_intr_status(&ctxt, spe_id, 1, &intr_status);
		if(intr_status)
		{
			printf("intr_status (1) : %016llx\n", intr_status);
			printf("clear_intr_status : %lld\n", _clr_spe_intr_status(&ctxt, spe_id, 1, intr_status));
		}
		
		res = _get_spe_intr_status(&ctxt, spe_id, 2, &intr_status);
		if(intr_status & 0x1)
		{
			printf("mailbox interrupt\n");
			printf("intr_status (2) : %016llx\n", intr_status);
			printf("clear_intr_status : %lld\n", _clr_spe_intr_status(&ctxt, spe_id, 2, intr_status));
		}
		
		/*
		while(size <= 0x40000)
		{
			netrpc_eieio(&ctxt);
			
			//Wait for mbox value to be written.
			while(spu_mbox_stat_out_mbox_count(&ctxt, problem_addr) == 0);
			
			//Read mbox value.
			u32 mbox_value;
			read_u32(&ctxt, SPU_RADDR(problem_addr, _OFFSET_SPU_Out_Mbox), &mbox_value);
			
			netrpc_eieio(&ctxt);
			
			//Write to file.
			fwrite(&mbox_value, sizeof(u32), 1, fp);
			size += 4;
			
			printf("\rdumped 0x%08x of 0x40000", size);
			
			usleep(10);
		}
		*/
		
		read_u32(&ctxt, SPU_RADDR(problem_addr, _OFFSET_SPU_Status), &spu_status);
		if((spu_status & 0x1) == 0)
			break;
		
		usleep(1000);
	}
	
	fclose(fp);
	
	printf("\ndone\n");
	printf("spu_status: 0x%08x\n", spu_status);
		
	//Bye.
	netrpc_close(&ctxt);
	
	return 0;
}

patched isoldr to dump it
DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
patched isoldr: http://www.multiupload.com/2MP5KY28EZ
this can be loaded as the payload stage2 in the payload marcan used to load linux
http://marcansoft.com/blog/2010/10/asbestos-running-linux-as-gameos/
http://git.marcansoft.com/?p=asbestos.git
this can also be loaded as with lv2patcher and payloader3
https://github.com/euss/payloader3.git

Comments

What this selfs do is dump your ISOLATED SPU LS through your mbox, so you only need a way to cach this info with PPU code in lv2 enviroment aka a dongle payload or linux kernel
This has been tested and proven to work on 3.55 MFW
In the dump the remaining dump is the metldr clear code. metldr clears itself and all the registers an jumps to isoldr.
Overwriting that code lets you dump your key + metldr
Consider that per_console_key_1 and per_console_key_n are in fact still in need decryption.
per_console_key_0 particularly needs to be dumped once revived from per_console_key_1.

per_console_root_key_2 / EID0_key

this key can be obtained through AES from EID_root_key
EID can be partially decrypted by setting this key in anergistics and fireing aim_spu_module.self
Load aim_spu_module.self + EID0 + EID0_key in anegistics = decrypted EID0

This code is to decrypt your EID0 on your PC http://pastie.org/2000330

## channel.h
//Add this defines.

//SPU channels.
#define SPU_RdEventStat 0
#define SPU_WrEventMask 1
#define SPU_WrEventAck 2
#define SPU_RdSigNotify1 3
#define SPU_RdSigNotify2 4
#define SPU_WrDec 7
#define SPU_RdDec 8
#define SPU_RdEventMask 11
#define SPU_RdMachStat 13
#define SPU_WrSRR0 14
#define SPU_RdSRR0 15
#define SPU_WrOutMbox 28
#define SPU_RdInMbox 29
#define SPU_WrOutIntrMbox 30

//MFC channels.
#define MFC_WrMSSyncReq 9
#define MFC_RdTagMask 12
#define MFC_LSA 16
#define MFC_EAH 17
#define MFC_EAL 18
#define MFC_Size 19
#define MFC_TagID 20
#define MFC_Cmd 21
#define MFC_WrTagMask 22
#define MFC_WrTagUpdate 23
#define MFC_RdTagStat 24
#define MFC_RdListStallStat 25
#define MFC_WrListStallAck 26
#define MFC_RdAtomicStat 27

//MFC DMA commands.
#define MFC_PUT_CMD 0x20
#define MFC_GET_CMD 0x40

//MFC tag update commands.
#define MFC_TAG_UPDATE_IMMEDIATE 0
#define MFC_TAG_UPDATE_ANY 1
#define MFC_TAG_UPDATE_ALL 2

## channel.c
// Copyright 2010 fail0verflow <master@fail0verflow.com>
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <unistd.h>

#include "types.h"
#include "main.h"
#include "config.h"
#include "channel.h"

//Channel names.
static char *ch_names[] = 
{
	"SPU_RdEventStat", //0
	"SPU_WrEventMask", //1
	"SPU_WrEventAck", //2
	"SPU_RdSigNotify1", //3
	"SPU_RdSigNotify2", //4
	"UNKNOWN", //5
	"UNKNOWN", //6
	"SPU_WrDec", //7
	"SPU_RdDec", //8
	"MFC_WrMSSyncReq", //9
	"UNKNOWN", //10
	"SPU_RdEventMask", //11
	"MFC_RdTagMask", //12
	"SPU_RdMachStat", //13
	"SPU_WrSRR0", //14
	"SPU_RdSRR0", //15
	"MFC_LSA", //16
	"MFC_EAH", //17
	"MFC_EAL", //18
	"MFC_Size ", //19
	"MFC_TagID", //20
	"MFC_Cmd", //21
	"MFC_WrTagMask", //22
	"MFC_WrTagUpdate", //23
	"MFC_RdTagStat", //24
	"MFC_RdListStallStat", //25
	"MFC_WrListStallAck", //26
	"MFC_RdAtomicStat", //27
	"SPU_WrOutMbox", //28
	"SPU_RdInMbox", //29
	"SPU_WrOutIntrMbox" //30
};

//MFC channel values.
static u32 _MFC_LSA;
static u32 _MFC_EAH;
static u32 _MFC_EAL;
static u32 _MFC_Size;
static u32 _MFC_TagID;
static u32 _MFC_TagMask;
static u32 _MFC_TagStat;

//Endian swap.
#define _BE(val) ((((val) & 0xff00000000000000ull) >> 56) | \
                  (((val) & 0x00ff000000000000ull) >> 40) | \
                  (((val) & 0x0000ff0000000000ull) >> 24) | \
                  (((val) & 0x000000ff00000000ull) >> 8 ) | \
                  (((val) & 0x00000000ff000000ull) << 8 ) | \
                  (((val) & 0x0000000000ff0000ull) << 24) | \
                  (((val) & 0x000000000000ff00ull) << 40) | \
                  (((val) & 0x00000000000000ffull) << 56))

void handle_mfc_command(u32 cmd)
{
	printf("Local address %08x, EA = %08x:%08x, Size=%08x, TagID=%08x, Cmd=%08x\n",
		_MFC_LSA, _MFC_EAH, _MFC_EAL, _MFC_Size, _MFC_TagID, cmd);
#ifdef DEBUG_CHANNEL
	getchar();
#endif
	
	switch (cmd)
	{
	case MFC_PUT_CMD:
		printf("MFC_PUT (DMA out of LS)\n");
		{
			FILE *fp = fopen("out.bin", "a+");
			fwrite(ctx->ls + _MFC_LSA, sizeof(u8), _MFC_Size, fp);
			fclose(fp);
		}
		break;
	case MFC_GET_CMD:
		printf("MFC_GET (DMA into LS)\n");
		{
			static int round = 0;
			                         //module debug output address, set both to 0x0 for none
			static u64 data0[2] = {_BE(0xbeef0110dead0000), _BE(0xbeef0220dead0000)};
			static u64 data1[4] = {_BE(0xbeef0110dead0000), _BE(0xbeef0220dead0000), 
			                       _BE(0x0000000200000000), _BE(0x0000000000000000)};
			                                  //^-- 1,2,3,4 (device type/id, pscode, psid)
			if(round == 0)
				memcpy(ctx->ls + _MFC_LSA, &data0, _MFC_Size);
			else if(round == 1)
				memcpy(ctx->ls + _MFC_LSA, &data1, _MFC_Size);
			else if(round == 2)
			{
				//Load EID0.
				printf("loading eid...");
				FILE *fp = fopen("EID0", "rb");
				fread(ctx->ls + _MFC_LSA, sizeof(u8), _MFC_Size, fp);
				fclose(fp);
				printf("done\n");
			}
			round++;
		}
		break;
	default:
		printf("unknown command\n");
	}
}

void handle_mfc_tag_update(u32 tag)
{
	switch (tag)
	{
	case MFC_TAG_UPDATE_IMMEDIATE:
		printf("-> MFC_TAG_UPDATE_IMMEDIATE\n");
		_MFC_TagStat = _MFC_TagMask;
		break;
	case MFC_TAG_UPDATE_ANY:
		printf("-> MFC_TAG_UPDATE_ANY\n");
		break;
	case MFC_TAG_UPDATE_ALL:
		printf("-> MFC_TAG_UPDATE_ALL\n");
		break;
	default:
		printf("-> UNKNOWN\n");
		break;
	}
	
	_MFC_TagStat = _MFC_TagMask;
}

void channel_wrch(int ch, int reg)
{
	u32 r = ctx->reg[reg][0];
	
	printf("CHANNEL: wrch ch%d(= %s) r%d(= 0x%08x)\n", ch, (ch <= 30 ? ch_names[ch] : "UNKNOWN"), reg, r);
#ifdef DEBUG_CHANNEL
	getchar();
#endif
	
	switch(ch)
	{
	case MFC_LSA:
		_MFC_LSA = r;
		break;
	case MFC_EAH:
		_MFC_EAH = r;
		break;
	case MFC_EAL:
		_MFC_EAL = r;
		break;
	case MFC_Size:
		_MFC_Size = r;
		break;
	case MFC_TagID:
		_MFC_TagID = r;
		break;
	case MFC_Cmd:
		handle_mfc_command(r);
		break;
	case MFC_WrTagMask:
		_MFC_TagMask = r;
		break;
	case MFC_WrTagUpdate:
		handle_mfc_tag_update(r);
		break;
	}
}

void channel_rdch(int ch, int reg)
{
	u32 r = 0;
	
	printf("CHANNEL: rdch ch%d(= %s) r%d\n", ch, (ch <= 30 ? ch_names[ch] : "UNKNOWN"), reg);
#ifdef DEBUG_CHANNEL
	getchar();
#endif
	
	switch (ch)
	{
	case SPU_RdDec:
		break;
	case MFC_RdTagStat:
		r = _MFC_TagStat;
		break;
	case MFC_RdAtomicStat:
		break;
	}
	
	//Set register.
	ctx->reg[reg][0] = r;
	ctx->reg[reg][1] = 0;
	ctx->reg[reg][2] = 0;
	ctx->reg[reg][3] = 0;
}

int channel_rchcnt(int ch)
{
	u32 r = 0;
	
	printf("CHANNEL: rchcnt ch%d(%s)\n", ch, (ch <= 30 ? ch_names[ch] : "UNKNOWN"));
#ifdef DEBUG_CHANNEL
	getchar();
#endif
	
	switch (ch)
	{
	case MFC_WrTagUpdate:
		r = 1;
		break;
	case MFC_RdTagStat:
		r = 1;
		break;
	case MFC_RdAtomicStat:
		break;
	}
	
	return r;
}

## main.c
int main(int argc, char *argv[])
{
	u32 done;
	memset(&_ctx, 0x00, sizeof _ctx);
	ctx = &_ctx;
	parse_args(argc, argv);

	//Remove old output.
	system("rm -f out.bin");	

	//Set module parameters.
	//PU DMA area start address.
	//Dummy to make the module happy.
	ctx->reg[3][0] = 0xdead0000;
	ctx->reg[3][1] = 0xbeef0000;
	//PU DMA area size.
	//ctx->reg[4][0] = 0x80;
	ctx->reg[4][1] = 0x80;
	//PU EID area start address (first param).
	//Dummy to make the module happy.	
	ctx->reg[5][0] = 0xcafe0000;
	ctx->reg[5][1] = 0xbabe0000;
	//First param size.
	//ctx->reg[6][0] = 0x860;
	ctx->reg[6][1] = 0x860;

	ctx->ls = malloc(LS_SIZE);
	if (ctx->ls == NULL)
		fail("Unable to allocate local storage.");
	memset(ctx->ls, 0, LS_SIZE);

	//Write EID master key (to start of LS).
	u8 eid_mkey[] = {/* ... */};
	memcpy(ctx->ls, eid_mkey, sizeof(eid_mkey));

	//...
}

The prerequisites are:
dump your EID0 from your ps3 and save it in the same folder as EID0
dump your EID0_key from your ps3 and put it on the code above where the key is needed
load all of them in anergistic
EID0_key could also be obtained with EID_root_key directly in the following manners:
knowing the algorithm (located in isoldr)and applying it to the EID_root_key
letting isoldr apply that algorithm directly in anergistic
the process is exactly as the one above (modifing anergistic to feed isoldr with EID_root_key

obtaining it

patched aim_spu_module to dump it
DO NOT CREATE AN MFW USING THIS IT WOULD BRICK
http://www.multiupload.com/1XUOOYS9I0

per_console_root_key_n

these are further derivations of the per_console_key_1/EID_root_key

Documentation

polarssl.org/trac/browser/trunk/library/aes.c

From VenomousX: How to obtain this EID_root_key?

Patch isoldr to dump the local storage of sector 0
Load the patched isoldr
Dump the local storage
You will find eid_root_key
Use it to decrypt the eid0.

How to load back the isoldr:

Use glevand's tools, spp_verifier_direct to be specific: "spp_verifier_direct is a kernel module which shows you how to run isolated SPE modules on OtherOS++ Linux by using metldr directly.
It decrypts default.spp profile.
Once you get the eid rootkey, load aim_spu_module.self with eid0 and the eid root key within anergistics it will decrypt it.
You can modify it easily to run other SPE modules.
Has been done and tested on 3.41 and 3.55 (not by myself)

So yes, you can obtain the eid rootkey and partially decrypt the eid0, but the problem if you want to modify the eid0 (say... to get a DEX idps to convert CEX=>DEX (which doesnt have much got use for end-users, only devs)) then you'd need to re-encrypt the EID0, which you can't. Not with those keys at least.

Oh, and while PS3 rootkeys are per console, and usually FW independent. However I dont know about 3.6+ because I didn't test it on it. But it might be true that 3.6+ eid rootkey have changed since $ony changed a load of keys with 3.6+. So using the 3.55 eid_root_key on 3.6+ to decrypt anything probably wont work.

Sony PlayStation 3 hacker moogie301 states the following on this via Twitter: "There are 3 per console keys. it tells you how to obtain 2 (per console key 1 and per console key n) not THE root key. It will not lead to a new CFW, it is fun for devs, you can decrypt a lot of eid and reverse it.. it is not newb friendly at all."

PlayStation 3 hacker defyboy has also added the following: "I don't think this is a step closer to discovering the per-console root key. The EID root key is generated at factory and incorporated into metldr. metldr is encrypted with your per-console root key and stored on flash. Please note that while it is speculated that the EID root key is a derivative of the root key, that does not mean that it can be used to calculate the root key. Infact, being able to do so is idiotically counter-intuitive of the purpose of having two separate keys.

The per-console root key is likely burnt into the CPU via One Time Programming over the JTAG port, of which is disabled after programming. There is a hardware decryption routine that uses this key called Runtime Secure Boot, you cannot access or invoke this routine because it only runs when you load an encrypted image into an isolated SPU.

This is IBM's design, not sony's. This was designed to be a very secure multi-purpose processor and it was designed by a company that designs security and military systems for governments and large organizations, not a company that mostly makes consumer grade TV's and DVD Players. It was Sony's implementation of the secure chain of trust that failed but I don't see IBM's part failing anytime soon.

This paper explains everything: http://www.ibm.com/developerworks/power/library/pa-cellsecurity/

Anyway, Sony cannot change metldr or bootldr on current hardware so they no longer have control of those, we only need to dump bootldr to get the lv0 key, this is the highest level sony can change. If we get the lv0 key we can generate a private key where we will be able to decrypt/re-encrypt the entire chain of firmware for current/future firmware."

The Per Console Key in the Cell decrypts bootldr, which is encrypted with the PCK. Bootldr decrypted is the same in EVERY console to date (except possibly the 3K series). When bootldr decrypts lv0, bootldr will be as if it were nowhere to be found. Then you go from there to the Chain of Trust.

Below is Gitbrew's feedback on the PS3 Per Console Key and future developments from them, as follows:

what do you think about the new method of getting the per_console_key?

Durandal: Glevand and many others have been working feverishly to develop methods of obtaining this key. It's nice to see it's paid off. I'm looking forward to a day when the PS3 is as open a development as the PSP.

Snowy: One step closer, sooner or later ibm is going to finally send a cease and desist. We'll put that right up next to dasmoovers sign.

Do you have anyone working on an easy to use tool for the key? we are already used to gitbrew pkgs

Durandal: If we weren't, we'd have to quit gitbrew and join PS360...

Snowy: I'm pretty sure anything related to the rootkey, we might leave out just so that people actually learn how to get their own keys. As a sort of accomplishment type thing, but eventually there will be simple pkg files released to do it.

What next projects are we going to see from gitbrew regarding the ps3 scene? can we see some sort of "one day one announcement", like you did a couple of weeks ago?

Durandal: Well RSX is taken care of, NPDRM is getting very close to being irrelevant, and I've heard there's almost usable versions of psl1ght floating around. I guess the next really big thing you'll see is the release of the gitSkeet flasher.

We teamed up with progskeet and rebug to create a special edition of the progskeet2 that will have solderless clips and the kind of support and documentation only gitbrew is capable of providing. It also gives us an opportunity to branch out into the actual hardware exploitation as well. As far as having announcement a day weeks, expect to see more of them in the not so distant future.

What is your thought on the recent discoveries on the ps3 scene?

The new jb2 dongle AKA true blue.

Durandal: I'm always very wary of dongles. Usually they're just a ploy to make a buck, and these days it doesn't take long for someone to reverse what the software they're trying to hide does. Expect to see the same happen here. If we want to deter others from trying to peddle their software in a dongle form, we should make a point of reversing a dongle's functionality
and implementing it in a package. I'm sure that group paid a lot of money to get all those dongles made, and they'd hate to see that money go to waste.

Snowy: Yet again as durandal said, dongles are dongles, regardless someone is going to take a crack at them and release a free version of it. Cobra hasn't even been touched by most of the developers, and those who have touched it don't really care for piracy. I would like to thank dean for taking the first step in making psx backups working though, a small step but none the less towards the proper direction for the scene.

Finally, FiniteElement via ps3devwiki.com/index.php?title=Special:Contributions/FiniteElement states the following hint for those interested, to quote: "(you have all you need already

just read carefully (compare option2 code with the kernel module code))

He also updated the PS3 SPU Isolated Modules Reverse Engineering page with the changes documented here: ps3devwiki.com/index.php?title=SPU_Isolated_Modules_Reverse_Engineering&diff=prev&oldid=6328

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

860 Comments - Go to Forum Thread »

#860 - PS3 News - 29w ago

Recently and_fis reports that the PS3 Slim 3K series of PlayStation 3 consoles are surfacing on 3.55 Custom Firmware (CFW), leading to speculation of a new DRM-infected JailBreak Software Tanpa dongle or service from Indonesia.

To quote (via ps3crunch.net/forum/threads/5321-3K?p=58294&viewfull=1#post58294) on the (tokoteknologi.com/home/browse/25-consolemesin.html?sef=hc):

For some Indonesian rupies according to the site above you can purchase A 3K console with a Seri CFW 3.55 (RFW Version) installed! Which also comes with a JAILBREAK SOFTWARE TANPA DONGLE as they call it... If this site is real then someone has found a new exploit that allows 300X version ps3 consoles to downgrade to 3.55 cfw. They have also locked this to a new drm dongle... Let the games begin again!

Rp 3.700.000,00 or about $320 usa, for a base model 160 gb ps3

The only way this would be possiable is if they used hardware to somehow reflash the syscon. that is where the hash checks are that determine the lowest firmware you can have...or they were able to use a hardware flasher and a cfw that had all the hash checks removed.

Or changed and reflashed a cfw that the ps3 "thought" was the right firmware... IDK there is nothing on wiki about either processes

From Abkarino: I know this seller and i talked with him and have a deal 1 and half month ago, they offer me a pre-moded 3K console and they does not sell the modchip/method used to do that. Also he claim that this console uses a special modified CFW based on Rogero CFW.

Also they had used some kind of modchip/flasher to do that. Also he told me that there is a modchip under development for hacking 3K console and it must be released around this month, but till now no new news from him.

From and_fis: I found this info (lan.st/showthread.php?t=3313&page=2) from back in 2010 when 3.41 had alot of access and workings... So if it is true that syscon can be written to with a pkg BUT, it would have to be offically signed or a hardware flasher of some sorts would have to be used if a pkg could not. So in theory, it would be possiable to reflash a syscon from a factory install of 3.60 to 3.55

He is talking about the syscon's eeprom, we can already (at least in private) read and write to it, in fact I am trying to find a way to contact graf_chokolo (he has been absent from irc lately) since he seems somewhat interested in it, at worse I'll add this the wiki's private sections. The syscon's eeprom doesn't seem to be touched on a debug console though, I dumped mine on 3.41, then downgraded to 3.40 and it was still untouched.

I don't know about retail though, I only have one and it's already on 3.41 so I rather not touch it, but I didn't see anything that looks like hashes. Flags are there though. (like the product mode flag, QA flag, debug support flag etc etc...) There are also factory informations stored in there (such as the first firmware flashed at factory) but no hash that I could see, though maybe I overlooked something.

Of course the bootloader wouldn't be in any eeprom, lv0 probably starts and talks to syscon through a vuart in order to read the eeprom content (if the hashes are there) and look at the hashes (to compare them to the digests from the other coreos selfs)

Thanks Abkarino I posted this at the same time you did.. So my suspicions were true about a hardware flasher.. Thank you for the info

From Abkarino: Yea may be they had found a way to reprogram Syscon EEPROM may be they had used an SPI Flasher since SysCon conect to Cell/BE using SPI Bus. I think that they had used a hardware method not a software (sure if this is legit and not a fake, until some one get this console and confirm this news).

#859 - PS3 News - 37w ago

Below is a video from dantezteam (via twitter.com/dantezteam/status/244856386469638144) demonstrating what appears to be PSN back online for PS3 3.55 TB CFW using a ppoof method.

The video shows today's date (September 9, 2012) with him downloading files from Sony's PS Store while being connected to PlayStation Network using a new PSN passphrase that has surfaced in encrypted and decrypted format (via ps3devwiki.com/wiki/Online_Connections#Online_Connections).

3.55 / 3.56: saktdlMapxsbsghmq5dhlwrmtsicyijmzntqaLcpgd8ybbetdmsha=jm

09138F12484EA4F0D04CEDF4B82280E4
3CB588767503D5EFB170AA194D427D4F
CAD86C5A2BE0C38074228675105D4099
630138067959B9629653DD677D244FA3

3.60 / 3.61 / 3.65 / 3.66: c4ce4023bd7e0345feeb0dca80caf487a03b4545a8230a5d41fe9855

3.70 / 3.72 / 3.73 / 3.74 / 4.00: f81c4c14a0cd2c2dc566a885136fd5b51ca847cbb70fcc296b24ec20

4.10 / 4.11: 0e444f4dbd92145de39ab5bff3a23071f9d44db7bcf13e8c455c81f1

49E4B56D14FE48B9D1877FDF1CE0C621
A3742C45678B694D32C0DCD9404FB8F6
12E0603C37209D8B93716CD709C82021
D7E5246A36BEE099A10E8F400D8E0D95

4.20 / 4.21: t2wSyoqasqb_wndpmdmbhputnokghlupgtpighyrsygfbmrsectfkqOb

2D445C392753C85067B9B56ED883B27C
9E5C26973A949E4F4AA144B40483A0FC
A8F2069BD47F81FDEC413BBE4EF26573
9008294F6149FE5D6174D99FA8E59C9C

From Twitter: TB dongle is not needed works on rebug or kmeaw etc .. The method is turn on fake plus go to store and buy plus free games

From hellsing9: Games, PSTORE. (Someone signs out) Borderlands downloading. Closes PSSTORE.

He is on DEX, uses FAKE PLUS and points the finger showing is ON with a CFW (according to him) 3.55 TB spoof.

In short: He bought borderlands in the video via DEX with PLUS option ON... For me is just another attemp to troll or to give some life to TB, since he says he is using CFW TB 3.55 Spoof. And in the part description he says later I will add the Web.

So he avoided so far any download link and surveys because he knows what happens next: youtube.com/user/dantezteam

From dantezteam comes a FckPSN revision by Chinese developer Luckystar (via bbs.duowan.com/thread-28656355-1-1.html): http://www.multiupload.nl/40S5UPQYVH / http://www.putlocker.com/file/E62645DA4EE9339C (Mirror) / https://anonfiles.com/file/03cb21c25efd41bda59885fd2edfca51 (Mirror #2)

Here is the upstreams and video for those interested: ustream.tv/recorded/25308408 and ustream.tv/recorded/25328218

Finally, below is what redcfw claims is a real TB2 LV2 dump for those interested:

Download: http://www.sendspace.com/file/feuu9h

ALL TB2LV2 DUMPs posted before were FAKE!! tb2.51 lv2 dumped on Mar 2012. folks, feel free to study it.

some IDA list

pl2:8000000000528EFC getKeyV5_: # DATA XREF: pl2

ff_8000000000539F78o
pl2:8000000000528EFC
pl2:8000000000528EFC .set var_358, -0x358
pl2:8000000000528EFC .set var_310, -0x310
pl2:8000000000528EFC .set var_308, -0x308
pl2:8000000000528EFC .set var_300, -0x300
pl2:8000000000528EFC .set var_2F0, -0x2F0
pl2:8000000000528EFC .set var_2E0, -0x2E0
pl2:8000000000528EFC .set var_2D0, -0x2D0
pl2:8000000000528EFC .set var_2BC, -0x2BC
pl2:8000000000528EFC .set var_264, -0x264
pl2:8000000000528EFC .set var_200, -0x200
pl2:8000000000528EFC .set var_1FC, -0x1FC
pl2:8000000000528EFC .set var_1F8, -0x1F8
pl2:8000000000528EFC .set var_1E8, -0x1E8
pl2:8000000000528EFC .set var_140, -0x140
pl2:8000000000528EFC
pl2:8000000000528EFC mflr r0
pl2:8000000000528F00 bl save_r24_r31r0
pl2:8000000000528F04 ld r30, off_8000000000538F08 # byte_8000000000537C88
pl2:8000000000528F08 .using byte_8000000000537C88, r30
pl2:8000000000528F08 stdu r1, -0x380(r1) # ver == 5 getkey
pl2:8000000000528F0C mr r31, r3 # r31 ptr = copy from sce+0x980 len =0x100
pl2:8000000000528F10 addi r29, r1, 0x240
pl2:8000000000528F14 mr r3, r30
pl2:8000000000528F18 mr r27, r4 # r4 = 0x100
pl2:8000000000528F1C mr r28, r5 # r5 qword_8000000000538670
pl2:8000000000528F20 mr r4, r30
pl2:8000000000528F24 li r5, 0x10
pl2:8000000000528F28 bl encKey # in byte_8000000000537C88:.byte 0x8A, 0x97, 0xB7, 0x2C, 0xC1, 0x10, 0x62, 0x22, 0x7B, 0x33, 0x39, 0xCB, 0x61, 0x2E, 0x80, 0xE9
pl2:8000000000528F28 # out 00000470h: 4C 79 E1 8F 34 A9 D6 7D 74 33 9C D7 5D 09 20 B7 ;
pl2:8000000000528F2C nop
pl2:8000000000528F30 mr r5, r29 # r1+0x240
pl2:8000000000528F34 mr r3, r30 # 4c 79 ..
pl2:8000000000528F38 li r4, 0x80
pl2:8000000000528F3C bl sub_800000000052F278
pl2:8000000000528F40 nop
pl2:8000000000528F44 mr r3, r30
pl2:8000000000528F48 mr r4, r30 # restore key
pl2:8000000000528F4C li r5, 0x10
pl2:8000000000528F50 addi r30, r31, 0x10 # in r3+0x10
pl2:8000000000528F54 bl encKey # 000007b0h: 4C 79 E1 8F 34 A9 D6 7D 74 33 9C D7 5D 09 20 B7
pl2:8000000000528F54 # 000007f0h: 8A 97 B7 2C C1 10 62 22 7B 33 39 CB 61 2E 80 E9
pl2:8000000000528F58 nop
pl2:8000000000528F5C addi r5, r27, -0x10 # r5 = 0x100 -0x10
pl2:8000000000528F60 mr r6, r29 # r1+0x240
pl2:8000000000528F64 mr r3, r30 # r30=byte_8000000000537C88
pl2:8000000000528F68 mr r4, r30
pl2:8000000000528F6C extsw r5, r5 # r5=0xf0
pl2:8000000000528F70 mr r7, r31 # in r3+0x10

how to hook decKey?

#####################patch tb2 lv2 plugin##########################
.set jb2pBASE, 0x8000000000700000
.set jb2pTOC , 0x7000
.set hookDNum, 0
.align 4
hookT:
#patchtbl
.quad jb2pBASE,hooks-hookT,hook_data-hooks
.quad 0x8000000000520568,pt520568-hookT,8
.quad 0x80000000005205e8,pt5205e8-hookT,8
.quad 0
pt520568:
bl pt520568+((hook_520568-hooks)+jb2pBASE-0x8000000000520568)
#.long 0x48000001 | ((hook_520568-hooks)+jb2pBASE-0x8000000000520568)
lwz r4, 8(r11)
pt5205e8:
bl pt5205e8+((hook_520568-hooks)+jb2pBASE-0x80000000005205e8)
#.long 0x48000001 | ((hook_520568-hooks)+jb2pBASE-0x80000000005205e8)
lwz r4, 8(r11)

#jb2pBASE
.align 4
hooks:
hookDNum_ptr:
.quad hookDNum
hook_data_ptr:
.quad hook_data-hooks+jb2pBASE

hook_encKey_ptr:
.quad 0x8000000000533470
hook_encKey_callin_ptr:
.quad 0x800000000052056C

hook_encKey_ptr_n0:
.quad 0x8000000000523f14
hook_encKey_ptr_n1:
.quad 0x8000000000524004
hook_encKey_ptr_n2:
.quad 0x8000000000523fc0 # newcode
hook_encKey_ptr_tl0:
.quad 0x80000000005243e4
hook_encKey_ptr_tl1:
.quad 0x8000000000524428

hook_TEA_dec_ptr:
.quad 0x8000000000533450
hook_encTEA2_dec_ptr:
.quad 0x8000000000533220

encKeySi:.string "encKeyI"
encKeySo:.string "encKeyO"
TEAdecS: .string "TEAdec "
encTEA2S:.string "encTEA2"

# secret prg run before
hook_520568:
lis r8,-0x8000
sldi r8, r8, 32
oris r8, r8,(jb2pBASE+jb2pTOC)@h
ori r8, r8,(jb2pBASE+jb2pTOC)@l

ld r10, (hook_data_ptr-hooks-jb2pTOC)(r8)
ld r9, (hookDNum_ptr-hooks-jb2pTOC)(r8)
add r10, r10, r9

lis r11,0xc #r11 0xc00000

cmpld cr7,r9,r11
bgt cr7,hook_520568_exit

ld r11, 0x70(r1)

.if 0 # dis all call
std r11, 0(r10)
addi r10,r10,8
addi r9,r9,8
b hook_520568_exit
.endif
#####################################################
hook_encKey:
ld r4, (hook_encKey_ptr-hooks-jb2pTOC)(r8)
cmpld cr7,r4,r11
bne cr7,hook_TEA_dec
.if 1
################dis normal
ld r4,(hook_encKey_ptr_n0-hooks-jb2pTOC)(r8)
ld r5,0xa0(r1)
cmpld cr7,r4,r5 #dont hook hook_encKey_ptr_n0
beq cr7,hook_TEA_dec
.if 1
ld r4,(hook_encKey_ptr_n1-hooks-jb2pTOC)(r8)
ld r5,0xa0(r1)
cmpld cr7,r4,r5 #dont hook hook_encKey_ptr_n0
beq cr7,hook_TEA_dec
.endif
.if 1
ld r4,(hook_encKey_ptr_n2-hooks-jb2pTOC)(r8)
ld r5,0xa0(r1)
cmpld cr7,r4,r5 #dont hook hook_encKey_ptr_n0
beq cr7,hook_TEA_dec
.endif

.endif
...
b hook_520568_exit
#######################################################
hook_TEA_dec:
ld r4, (hook_TEA_dec_ptr-hooks-jb2pTOC)(r8)
cmpld cr7,r4,r11
bne cr7,hook_encTEA2
# wname
...
b hook_520568_exit
############################################################
hook_encTEA2:
ld r4, (hook_encTEA2_dec_ptr-hooks-jb2pTOC)(r8)
cmpld cr7,r4,r11
bne cr7,hook_520568_exit
# wname
......
hook_520568_exit:
std r9, (hookDNum_ptr-hooks-jb2pTOC)(r8)
ld r11, 0x70(r1)
blr

.align 4
hook_data:
hookTe:

#858 - PS3 News - 37w ago

Today /GriFFin reports that OxweB has apparently leaked the True Blue PS3 disc BCA codes (although curiously a source wasn't specified), however, they are now conveniently deemed useless as the DRM-infected USB dongle itself.

To quote: When the True Blue dongle first launched last year, it was originally using 'special' blu-ray discs to play games, instead of just DRMencoded eboots on the HDD.

But even after all the Paradox releases, there was a few games that only were available still on 'special' blu-ray discs. Over the course of last year, various groups try to figure out how to copy these discs, as they were sadly pirate stores that wish to sell them to their customers. Finally have much research the BD-Rom marks called 'BCA Codes' were figured out so they could by copied on normal blu-ray burner.

And now an person by the name 'OxweB' has leaked them onto the 'net, as basically they are useless now, but still it is part of sad scene PS3 history!

These are BCA codes off the TB discs (the barcode on the inner part of the disc).

You to can read them off the disc yourself with a scanner or magnifying glass, they are in binary format (skinny line = 0, Fat line = 1). Binary to HEX and there you go, a code almost ready to be stamped on to a BD-R.

*Note - It's not that simple for regular retail games as there is still the PIC Zone to contend with.
**Note - I realize these aren't overly useful but it's information which is all worth it in the long run.

RESISTANCE 3

041E1015D0001520
11030800364995AE
041E1015D0001520
11030800364995AE
FC42445201120100
0000000000000000
FC42445201120100
0000000000000000

DISGEA 4

041E1015D0001620
110308101021C054
041E1015D0001620
110308101021C054
FC42445201120100
0000000000000000
FC42445201120100
0000000000000000

FIFA2012

041E1015D0001620
110310005010EBD2
041E1015D0001620
110310005010EBD2
FC42445201120100
0000000000000000
FC42445201120100
0000000000000000

PES2012

041E1015D0001520
110309053550B929
041E1015D0001520
110309053550B929
FC42445201120100
0000000000000000
FC42445201120100
0000000000000000

XMEN DESTINY

041E1015D0001520
1103070035337952
041E1015D0001520
1103070035337952
FC42445201120100
0000000000000000
FC42445201120100
0000000000000000

BATMAN ARKHAN CITY

041E100D00000000
0000000000230611
FC42445201120100
0000000000000000
041E100D00000000
0000000000230611
FC42445201120100
0000000000000000

Finally, in related news from GoD]oF[WaR (via nextgenupdate.com/forums/playstation-3-exploits-hacks/583397-bca.html#post4685403) to quote:

I have done more research on BCA codes, they seem to be the new protection put on games, meaning with these values they can be cracked, and possibly pirated to even non-jailbroken systems.

For those unaware, BCA is the new protection utilized in newer games and with a future editor you can have the BCA codes to use with the a loader which can patch games to run without the needed keys.

There will be a patch released for each game, which is basically 64 bytes of BCA data in the form of a separate text file, that will come with the ISO file (this obviously only applies to scene releases)

IF you have access to a retail copy of the game, then you can obtain the BCA code yourself to patch the game.

Changelog, roughly translated:

• New IOS 38 base. dev/mload with powerful features and EHCI driver based in interruptions and more stable
• Support for DVD USB Devices: It can run only DVD backups from .iso (original don't work because DVD drivers don't support the Wii format). Remember you must insert a DVD to work at start the program.
• Support for BCA datas. You can add it from .ISO offset 0x100 (64 bytes). If this area is filled with zeroes it use one BCA by default (NSMB compatible).
• New ioctl 0xda function supported in dip_plugin and new option added for
• DVD mode to read the BCA Datas from the original DVD
• Support to load games from DVD with alternative DOL (press '2' without
• USB device or press the DVD icon from the upper-right corner in the selection game screen)
• Support for SD and USB FAT/FAT32: Now you can use cheats codes and loads alternative .dol from the USB 2.0 device (FAT partition is required)
• Added alternative dol loader (now support for 5+ dols) for games as Red Steel and othrers (see readme.txt) , New error 002 patch and videomode autodetection patch (for PAL2NTSC, NTSC2PAL and NTSC2PAL60 (use F. PAL60 for this))
• Added direct access for Dol Alternative selection
• You can load differents ehcmodule.elf from sd:/apps/uloader/
• Parental control added: by default the password is 00000 (the last 0 is the 'ENTER', so you can program as new password as XXXX0 ). You can change it from special menu pressing HOME. You can exits from the password box pressing B. Parental control list the last 8 games launched with date/time, enables the password box and fix a new password. Now 00000 disables the Parental Control
• Support for covers (less than 200KB 160x224). You can download from internet or adquire covers from the curren tfolder in the SD automatically
• Added one option to delete PNG icons/covers
• Some bugs fixed (bug with no modchip game instal, for examplel)
• Support for multiples WBFS partitions (max 4).
• Possiblity to use the alternative cIOS 223 (only to launch games)
• Added one option to rename games
• Added one option to record the cheats selected from txt files
• New usb code and more!

The above thread gives information on BCA codes for the Wii, which could also apply to PS3 games in the same way. Meaning these BCA codes could lead to easily pirating games on all consoles who utilize the BCA algorithm.

After further research, I am under the suspicion that these BCA codes are in fact a lead to playing pirated games (3.60+ games burned to BD/Launched via USB or external HDD - played on 3.55 WITHOUT CFW) possibly on current firmwares with a real developer at hand.

Basically these BCA codes could lead to playing these burned ISO images on 3.55 (No CFW; without 3.60+ keys) and possibly current firmwares.

The BCA codes that True Blue "leaked" are actually the codes to games that have been tested and work on 3.55 OFW. With the use of a new true blue dongle (JB2/Jailbreak2), games played off the BD without 3.60+ keys.

The games that have been tested are the ones listed below;

• Fifa 2012
• Pes 2012
• Driver san Fransisco
• God of war Origin
• X-men Destiny
• Sniper ghost warrior

Games that are in process of being tested;

• Resistance 2
• Disgaea 2
• Batman Arkham City

POC:

More PlayStation 3 News...

#857 - StanSmith - 39w ago

I just tried V2 and it doesn't work.

I load up Multiman, select Ghost Recon FS and it goes backt o XMB like normal.
I try to run GRFS and it black screens and locks up.
I reboot and load up multiman and it also black screens and locks up.
I reboot WITHOUT the dongle and it finally loads MM.
I copy the file over to the PC, convert from ELF to BIN, put it in GRFS folder.
I reboot WITH the dongle. goto MM select GRFS go back to XMB.
I run GRFS from DVD. It loads up Multiman.

I tried this 3 times and each time its the dump of Multiman NOT GRFS. And the file DOESN'T go, 00, 01, 02 etc, there is only 1 file and its 00. At least v1 gave multiple files but I couldn't get GRFS to work without the tb patched files.

#856 - imajei - 39w ago

Can you do ghost recon eboot? please

Page 1 of 172 12 3 4 5 6 7 8 9 ›LAST »

Related PS3 News and PS3 CFW Hacks or JailBreak Articles

• Guide to Install multiMAN PS3 Themes via USB from a PKG File
• Simple PS3Updates v1.6 Build 2 Final PS3 Homebrew App Updated
• Video: Super Pixel Jumper v1.2 PS3 Homebrew Game is Released
• Video: Pointman: The Akkadian Wars PS3 Homebrew Game Arrives
• PSPMinis / PS3Minis / Bite v1.5.1 Update for PS3 is Now Released
• PS3 Fan Control Utility v1.7 for PS3 CFW CEX 3.41 to 4.41 Arrives

PlayStation 3 Links
• Contact Us E-Mail
• PS3 Affiliates
• PS3 CFW & MFW
• PS3 Debug Firmware
• PS3 Decrypted PSN Links for CFW
• PS3 Downloads
• PS3 EBOOT.BIN Original File Links
• PS3 Firmware
• PS3 Game Releases List
• PS3 Guides & Tutorials
• PS3 Hacking Guides and Tutorials
• PS3 Hacks & JailBreak
• PS3 Help & Support
• PS3 JailBreak Game Compatibility List
• PS3 JB2 / True Blue (TB) Game Links
• PS3 multiMAN Updates
• PS3 News Forums
• PS3 News Site FAQ
• PS3 News Site Advertising FAQ
• PS3 News Site Posting FAQ
• PS3 News Site Privacy FAQ
• PS3 News Site Rules
• PS3 News Site Tag Cloud
• PS3 News Site Terms
• PS3 Resources
• PS3 Reviews
• PS3 Save Files Repository
• PS3 Themes
• PS3 Trophies List
• PS3 Videos
• PS Vita Trophies List

PlayStation 3 News Discussions

Introductions: Hello Everyone, I'm New at PS3News.com! - 14m ago

Hi, Im John from the USA. I've had a PS3 since release. It somehow disappeared when moving and I ended up getting a SLIM about a year and a half to tw...

By dmjohn0x with

7021 Comments »

Video: E3 PS3 CFW v4.30 on PlayStation 3 Factory 3.56 with Flasher - 3h ago