Graf Chokolo Decrypts OtherOS.self, PS3 Service JIG Lv2diag.self


177w ago - A few weeks back graf_chokolo announced that he decrypted PS3 Firmware 3.50 and work on a free public PS3 Downgrader was underway, followed by a PSGroove Payload update to decrypt PKGs from PlayStation 3 PUP Files with today's update including the OtherOS.self and Lv2diag.self from a PS3 Service JIG decrypted!

Download: Decrypted Lv2diag.self from PS3 Service JIG (Teaser)

To quote via xorloser's blog, linked above, on the PS3 appldr interface reversal progress:

graf_chokolo says: Guys, i know you are waiting for the USB Dongle Master Key from me I have got now 2 fat PS3 with HV 3.15 but unfortunately no SX28 development board yet to exploit it

But i was not idle and the last and this week i was working on reversing of self decryption. And now i'm able to decrypt SELFs and SPRXs on my exploited GameOS by using HV calls only and no GameOS functions at all I reversed the interface to appldr which decrypts SELFs on GameOS 3.41.

So you won't get bored until i get the USB Dongle Master Key, i will make my findings and my source code public very soon and you will be able to decrypt your favourite games and programs by yourself :-) Let the fun begin, guys

Here is a "small" teaser of decrypted Lv2diag.self from service JIG

http://pastie.org/1333833

You cannot decrypt isolated SPUs with appldr, i think, because they are decrypted by isoldr.

I'm able to decrypt hdd_copy.self from 3.42 but not from 3.50

otheros.self decrypted



Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 51 Comments - Go to Forum Thread »

Quick Reply Quick Reply

PS3 News's Avatar
#46 - PS3 News - 176w ago
More graf_chokolo updates: http://xorloser.com/?p=297&cpage=9#comment-1849

Here is what my descriptor looks like:


vsh.self and sys_init_osd.self decrypted

ps1emu*.self decrypted

ps2 emu cannot be decrypted by appldr because it’s like GameOS, it’s decrypted by lv2ldr, ps2 emu is not an application that can be run on GameOS.

Pretty all SPRX file can be decrypted now
I will just polish a bit my source code and then upload it, guys

Reversing lv2ldr interface and decrypting lv2_kernel.self is next on my list, guys

psp_emulator.self decrypted

bdp_BDMV.self

http://pastie.org/1339258

vsh.self

http://pastie.org/1339271

psp_emulator.self decrypted !!!

http://pastie.org/1339276

ps1_emu.self decrypted !!!

http://pastie.org/1339284

I will release my code today

ESID 0xA is used for dynamic memory allocation and memory mapping, so it’s ok. Every page is 01000. You should have several 0xA segments.

ProtectionPage has a member variable log2_size at offset 018 (size 1 byte). 0xC means 2^12 = 4kb

And i was wrong about VA in my first post about ProtectionPage ProtectionPage doesn’t contain VA, it’s EA and not VA. EA is converted by page table to VA.

Sorry EA is converted not by page table but by SLB I need a vacation from reversing

bdp_BDMV.self: http://www.ps3news.com/forums/attachment.php?attachmentid=26042

vsh.self: http://www.ps3news.com/forums/attachment.php?attachmentid=26060

psp_emulator.self: http://www.ps3news.com/forums/attachment.php?attachmentid=26061

ps1_emu.self: http://www.ps3news.com/forums/attachment.php?attachmentid=26062

ESWAMP's Avatar
#45 - ESWAMP - 177w ago
How would they patch this exactly? From what I understand the Jailbreak dongle emulates the JIG device used to boot the system into Factory mode.

I dont believe they would go down the route of changing JIG hardware, I think they would change the response challenge in the firmware itself, then update their JIG dongles.

Sony wouldn't lock themselves out of their own consoles (obviously)... unless this is a similar incident to when they removed OtherOS support.

LOADS of people whined, Sony metaphorically slapped everyone with the excuse "We did it to protect everyone's best interests..." more like "We did it to cash in on future hardware & to ditch the freeloaders from our system (Linux Users!)..."

Who exactly is the 'Everyone'? A small group of autistic aliens that sony keep locked up for game testing & feed them on crack & sushi?
As i recall sony did so non Licensed hardware such as usb and controller do not work on the 3.50.

PS3 News's Avatar
#44 - PS3 News - 177w ago
Some more comments from graf_chokolo: http://xorloser.com/?p=297&cpage=8#comments

I can see now every syscall used by Lv2diag.self Now we can look for exploits in SELFs

Lv2diag.self uses services provided by HV processes a lot, especially Update Manager

polly316's Avatar
#43 - polly316 - 177w ago
it doesn't matter if this leads to a 350 hack 3.51 will be faster with 3.52 faster still, this is way its always flied.

Darkzero51521's Avatar
#42 - Darkzero51521 - 177w ago
Well if they updated their firmware, then updated their hardware, all they'd have to do is use their old jig devices to update to the newest firmware? If anyone sent them a broken ps3, they'd update it before fixing. That locks out hackers from updating passed a certain point, and at the same time leaves them able to fix people's ps3s who have old firmware. It'd also fix ps3s with new firmware.













Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News