129w ago - A few weeks back graf_chokolo announced that he decrypted PS3 Firmware 3.50 and work on a free public PS3 Downgrader was underway, followed by a PSGroove Payload update to decrypt PKGs from PlayStation 3 PUP Files with today's update including the OtherOS.self and Lv2diag.self from a PS3 Service JIG decrypted!
Download: Decrypted Lv2diag.self from PS3 Service JIG (Teaser)
To quote via xorloser's blog, linked above, on the PS3 appldr interface reversal progress:
graf_chokolo says: Guys, I know you are waiting for the USB Dongle Master Key from me

I have got now 2 fat PS3 with HV 3.15 but unfortunately no SX28 development board yet to exploit it
But I was not idle, and last week and this week I was working on reversing self decryption. And now I'm able to decrypt SELFs and SPRXs on my exploited GameOS by using HV calls only and no GameOS functions at all.

I reversed the interface to appldr which decrypts SELFs on GameOS 3.41.
So you won't get bored until I get the USB Dongle Master Key, I will make my findings and my source code public very soon and you will be able to decrypt your favourite games and programs by yourself :-) Let the fun begin, guys
Here is a "small" teaser of decrypted Lv2diag.self from service JIG
http://pastie.org/1333833
You cannot decrypt isolated SPUs with appldr, I think, because they are decrypted by isoldr.
I'm able to decrypt hdd_copy.self from 3.42 but not from 3.50
otheros.self decrypted
Here is what my descriptor looks like:
const uint8_t PROGMEM port1_config_descriptor[] = {
0x09, 0x02, 0x12, 0x00, 0x01, 0x00, 0x00, 0x80, 0xFA, 0x09, 0x04, 0x00,
0x00, 0x00, 0xFE, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFA, 0xCE, 0xB0, 0x03, 0xAA, 0xBB, 0xCC, 0xDD, 0x60, 0x00, 0x00, 0x00,
#include
———— and here paste dummy bytes ——————-
};
vsh.self and sys_init_osd.self decrypted
ps1emu*.self decrypted
ps2 emu cannot be decrypted by appldr because it’s like GameOS, it’s decrypted by lv2ldr, ps2 emu is not an application that can be run on GameOS.
Pretty much all SPRX files can be decrypted now
I will just polish my source code a bit and then upload it, guys
Reversing lv2ldr interface and decrypting lv2_kernel.self is next on my list, guys
psp_emulator.self decrypted
bdp_BDMV.self
http://pastie.org/1339258
vsh.self
http://pastie.org/1339271
psp_emulator.self decrypted !!!
http://pastie.org/1339276
ps1_emu.self decrypted !!!
http://pastie.org/1339284
I will release my code today
ESID 0xA is used for dynamic memory allocation and memory mapping, so it’s ok. Every page is 0x1000. You should have several 0xA segments.
ProtectionPage has a member variable log2_size at offset 0x18 (size 1 byte). 0xC means 2^12 = 4kb
And I was wrong about VA in my first post about ProtectionPage
Sorry