Sponsored Links

Sponsored Links

Graf Chokolo Decrypts OtherOS.self, PS3 Service JIG Lv2diag.self

Sponsored Links
212w ago - A few weeks back graf_chokolo announced that he decrypted PS3 Firmware 3.50 and work on a free public PS3 Downgrader was underway, followed by a PSGroove Payload update to decrypt PKGs from PlayStation 3 PUP Files with today's update including the OtherOS.self and Lv2diag.self from a PS3 Service JIG decrypted!

Download: Decrypted Lv2diag.self from PS3 Service JIG (Teaser)

To quote via xorloser's blog, linked above, on the PS3 appldr interface reversal progress:

graf_chokolo says: Guys, i know you are waiting for the USB Dongle Master Key from me I have got now 2 fat PS3 with HV 3.15 but unfortunately no SX28 development board yet to exploit it

But i was not idle and the last and this week i was working on reversing of self decryption. And now i'm able to decrypt SELFs and SPRXs on my exploited GameOS by using HV calls only and no GameOS functions at all I reversed the interface to appldr which decrypts SELFs on GameOS 3.41.

So you won't get bored until i get the USB Dongle Master Key, i will make my findings and my source code public very soon and you will be able to decrypt your favourite games and programs by yourself :-) Let the fun begin, guys

Here is a "small" teaser of decrypted Lv2diag.self from service JIG


You cannot decrypt isolated SPUs with appldr, i think, because they are decrypted by isoldr.

I'm able to decrypt hdd_copy.self from 3.42 but not from 3.50

otheros.self decrypted

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew releases!

Comments 51 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles.
#46 - PS3 News - 211w ago
PS3 News's Avatar
More graf_chokolo updates: [Register or Login to view links]

Here is what my descriptor looks like:

[Register or Login to view code]

vsh.self and sys_init_osd.self decrypted

ps1emu*.self decrypted

ps2 emu cannot be decrypted by appldr because it’s like GameOS, it’s decrypted by lv2ldr, ps2 emu is not an application that can be run on GameOS.

Pretty all SPRX file can be decrypted now
I will just polish a bit my source code and then upload it, guys

Reversing lv2ldr interface and decrypting lv2_kernel.self is next on my list, guys

psp_emulator.self decrypted


[Register or Login to view links]


[Register or Login to view links]

psp_emulator.self decrypted !!!

[Register or Login to view links]

ps1_emu.self decrypted !!!

[Register or Login to view links]

I will release my code today

ESID 0xA is used for dynamic memory allocation and memory mapping, so it’s ok. Every page is 01000. You should have several 0xA segments.

ProtectionPage has a member variable log2_size at offset 018 (size 1 byte). 0xC means 2^12 = 4kb

And i was wrong about VA in my first post about ProtectionPage ProtectionPage doesn’t contain VA, it’s EA and not VA. EA is converted by page table to VA.

Sorry EA is converted not by page table but by SLB I need a vacation from reversing

bdp_BDMV.self: [Register or Login to view links]

vsh.self: [Register or Login to view links]

psp_emulator.self: [Register or Login to view links]

ps1_emu.self: [Register or Login to view links]

#45 - ESWAMP - 212w ago
ESWAMP's Avatar
Quote Originally Posted by mushy409 View Post
How would they patch this exactly? From what I understand the Jailbreak dongle emulates the JIG device used to boot the system into Factory mode.

I dont believe they would go down the route of changing JIG hardware, I think they would change the response challenge in the firmware itself, then update their JIG dongles.

Sony wouldn't lock themselves out of their own consoles (obviously)... unless this is a similar incident to when they removed OtherOS support.

LOADS of people whined, Sony metaphorically slapped everyone with the excuse "We did it to protect everyone's best interests..." more like "We did it to cash in on future hardware & to ditch the freeloaders from our system (Linux Users!)..."

Who exactly is the 'Everyone'? A small group of autistic aliens that sony keep locked up for game testing & feed them on crack & sushi?

As i recall sony did so non Licensed hardware such as usb and controller do not work on the 3.50.

#44 - PS3 News - 212w ago
PS3 News's Avatar
Some more comments from graf_chokolo: [Register or Login to view links]

I can see now every syscall used by Lv2diag.self Now we can look for exploits in SELFs

Lv2diag.self uses services provided by HV processes a lot, especially Update Manager

#43 - polly316 - 212w ago
polly316's Avatar
it doesn't matter if this leads to a 350 hack 3.51 will be faster with 3.52 faster still, this is way its always flied.

#42 - Darkzero51521 - 212w ago
Darkzero51521's Avatar
Well if they updated their firmware, then updated their hardware, all they'd have to do is use their old jig devices to update to the newest firmware? If anyone sent them a broken ps3, they'd update it before fixing. That locks out hackers from updating passed a certain point, and at the same time leaves them able to fix people's ps3s who have old firmware. It'd also fix ps3s with new firmware.


Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links

Advertising - Affiliates - Contact Us - PS3 Downloads - PS3 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 3 News