86w ago - Following up on the initial PS3 JailBreak 2 news come various PS3 CFW JailBreak 2 and JB2 Updater details today, including an examination of an EBOOT.BIN from the Driver: San Francisco Blu-ray Disc compared with one from an official PS3 game disc (BLES00891), developments in reverse-engineering the PS3 JB2 file dumps, and more below.
To begin, whyudie states the following on the PS3 CFW JailBreak 2 and JB2 Updater for PlayStation 3: I just wanted to share this CFW. This CFW is intended more specifically for the Jailbreak 2 dongle only. It most likely will not run well without that dongle. Perhaps some developers out there could investigate this CFW and develop it even further.
If anyone out there wants to install this CFW on their PS3, do it at your own risk!!
JailBreak 2 Dongle Features
- Can play backup games that require firmware 3.60+ (direct boot, just like the original games)
- Only the burned BD disc format with some patches will work. For now there is no info on how to make a backup ISO work with this CFW.
- Can play backup games from the HDD: PS3 games with FW 3.55 or lower (via internal or external HDD)
- Only works on a PS3 with official/custom firmware 3.55, not a downgraded PS3.
Download: http://www.filesonic.com/file/2688912531/Jailbreak2.CFW.zip
Mirror: http://www17.hipfile.com/files/0/qs9pqv38gr6cjw/Jailbreak2.CFW.zip
Mirror: http://www.multiupload.com/64F4BUREL1
Mirror: http://www.multiupload.com/O7SP26A83E
Password: whyudie
And these are the PKG files to upgrade the Jailbreak 2 dongle:
Download: http://www.filesonic.com/file/2689038911/JB2.Dongle.Updater.zip
Mirror: http://www11.hipfile.com/files/1/l3m50jw7p6gqng/JB2.Dongle.Updater.zip
Mirror: http://www.multiupload.com/9YPQX47G7F
Password: whyudie
What's your source? Have you made a dump from the JB2 dongle?
From my local game store. I live in Indonesia. I bought the dongle and got a bonus CD, and the CFW files are from that CD. That CFW must be installed first on the PS3, and then the dongle is upgraded with those PKG files.
Driver: San Francisco EBOOT from Blu-ray Disc courtesy of lindwurm:
http://www.fileserve.com/file/hStSPgF
http://www.multiupload.com/CDXUJVO9HD (Mirrors)
http://www.multiupload.com/4ZD2W888S4 (Mirrors)
Driver: San Francisco EBOOT (BLES00891) from original PS3 game disc courtesy of elser1:
Download: http://www.mediafire.com/?vlrd968e9jvq3f0
Driver: San Francisco EBOOT (untested, generated by SiLENTGame)
Download: http://www.multiupload.com/67QYYP0YVX
UPLAY SELF (untested, patched by SiLENTGame)
Download: http://www.multiupload.com/S5WQK2U03F
FIFA 12 EBOOT from Blu-ray Disc courtesy of lindwurm:
http://www.megaupload.com/?d=RKFXL08A
Sniper Ghost EBOOT from Blu-ray Disc courtesy of lindwurm:
http://www.megaupload.com/?d=DVTJ2G79
Sakunchai also states the following on examination of the PS3 JB2 dump: I found one point that is not the same as in the original FW, in lv2_kernel.self
Download: http://www.mediafire.com/?2enon1x5xsujt7o
Also below are some related PlayStation 3 JB2 files from 3muk and ireggae, among others, and a preliminary PS3 JB2 RE examination, as follows:
Here are the files changed in the MFW, including CORE_OS_PACKAGE.pkg, dev_flash_010.tar.aa.2010_11_27_051337 and dev_flash_016.tar.aa.2010_11_27_051337:
http://www.mediafire.com/download.php?urz4ij6xsq43074
PS3 .PKG file from the dongle, unpacked, with an .ELF of the EBOOT included:
http://www.mediafire.com/download.php?2tb21hw4ab901lv
http://www.filesonic.com/file/2691997244/NPXS00020.rar (Mirror)
PS3 JB2 Reverse Engineering
Below is a preliminary synopsis from moogie via Twitter and ps3devwiki.com/index.php?title=PS3JB2_Reverse_Engineering and ps3devwiki.com/index.php?title=Talk:Keys#sv_iso_spu_module_1.02-3.55:
JB2's dongle updater pkg: its EBOOT.BIN is just an FSELF (fake signed). The Driver: SF eboot fix is also an FSELF. FSELFs are meant for debug consoles; it's easier to fself your game than to actually sign it. You can patch retail FW to run FSELFs, either through the FW, or you can modify PL3, or even resign the EBOOT.BIN. It's nothing special; from the looks of it they don't have any keys, just debug EBOOT.BINs.
You don't need that dongle either; just resign the EBOOT.BIN or patch the FW to run FSELFs. Their MFW could have these patches, or maybe their dongle delivers the patches. I do not know for sure; maybe their dongle does something else entirely, but I know it's an FSELF, and you can make that run without their dongle.
The dongle is DRM to make sure you have the dongle; the firmware's 'special' functionality will not work without it. Content discs contain fself'ed eboot.bins.
That JB2 eboot.bin stuff actually isn't debug FSELFs, but readself says it is; it's their DRM. It can't be decrypted without their stuff. They have their own keys, which they are signing the EBOOT.BINs with; I think they are debug EBOOTs resigned with their stuff.
SELF header
elf #1 offset: 00000000_00000090
header len: 00000000_00000a80
meta offset: 00000000_000004a0
phdr offset: 00000000_00000040
shdr offset: 00000000_002117f8
file size: 00000000_0021150c
auth id: 10100000_01000003 (Unknown)
vendor id: 01000002
info offset: 00000000_00000070
sinfo offset: 00000000_00000290
version offset: 00000000_00000390
control info: 00000000_000003c0 (00000000_00000100 bytes)
app version: 1.0.0
SDK type: Devkit
app type: NP-DRM application
Control info
control flags:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
file digest:
62 7c b1 80 8a b9 38 e3 2c 8c 09 17 08 72 6a 57 9e 25 86 e4
f1 95 cf a4 c0 04 0f c9 14 de 1f 9a 21 4e 10 ca 6b a6 8c 86
NPDRM info:
magic: 4e504400
unk0 : 00000001
unk1 : 00000003
unk2 : 00000001
content_id: IV0002-NPXS00020_00-TEST000000000001
digest: 09 37 f1 32 60 b9 70 02 76 9e e4 0f 7b 10 70 0f
invdigest: f6 c8 0e cd 9f 46 8f fd 89 61 1b f0 84 ef 8f f0
xordigest: 5c 62 a4 67 35 ec 25 57 23 cb b1 5a 2e 45 25 5b
Section header
offset size compressed unk1 unk2 encrypted
00000000_00000a80 00000000_00209dc0 [NO ] 00000000 00000000 [NO ]
00000000_00210a80 00000000_000005b0 [NO ] 00000000 00000000 [NO ]
00000000_00211030 00000000_00000000 [NO ] 00000000 00000000 [NO ]
00000000_00211030 00000000_00000000 [NO ] 00000000 00000000 [NO ]
00000000_00211030 00000000_00000000 [NO ] 00000000 00000000 [NO ]
00000000_00210df8 00000000_00000004 [NO ] 00000000 00000000 [N/A]
00000000_0020a7e0 00000000_00000020 [NO ] 00000000 00000000 [N/A]
00000000_0020a800 00000000_00000040 [NO ] 00000000 00000000 [N/A]
Encrypted Metadata
no encrypted metadata in fselfs.
ELF header
type: Executable file
machine: PowerPC64
version: 1
phdr offset: 00000000_00000040
shdr offset: 00000000_00210e08
entry: 00000000_002200f0
flags: 00000000
header size: 00000040
program header size: 00000038
program headers: 8
section header size: 00000040
section headers: 28
section header string table index: 27
FW Info
PS3 System Software
MFW 3.55-Dongle (Jailbreak2.CFW)
filedate: July 13 2011 2:08:58
174639 KB
MD5: 43C522F8897D77B6165F95BCF3409090
SHA1: A64B010DB98996C7E53768D37D4D346F271D5950
CRC32: A32FDD1D
CRC16: 6420
HMAC_SHA1: 0x88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C
Remarks: needs JB2 dongle as DRM
PUP file information
Package version: 1
Image version: 47517
File count: 7
Header length: 528
Data length: 178829542
PUP file hash : 88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C
File 0
Entry id: 0x100
Filename : version.txt
Data offset: 0x210
Data length: 13
File hash : 8E533875E1B43B6CBAF5E91663EB7554107B5509
File 1
Entry id: 0x101
Filename : license.xml
Data offset: 0x21D
Data length: 267513
File hash : B77EFE54859738385DD803E88FB5E807FF1BC6AB
File 2
Entry id: 0x103
Filename : update_flags.txt
Data offset: 0x41716
Data length: 5
File hash : FD7C893936FDFC668922BE6D119A462111B2BBDB
File 3
Entry id: 0x200
Filename : ps3swu.self
Data offset: 0x4171B
Data length: 5661656
File hash : C61DDE12E75C2218214700D7D49006583F1B968B
File 4
Entry id: 0x201
Filename : vsh.tar
Data offset: 0x5A7AF3
Data length: 10240
File hash : D9B66E0D2845D71A67D76E7907AB06368CE61E08
File 5
Entry id: 0x202
Filename : dots.txt
Data offset: 0x5AA2F3
Data length: 3
File hash : 1AA4749D0EE0D0AE937FBF73BC4B9ACD352F732A
File 6
Entry id: 0x300
Filename : update_files.tar
Data offset: 0x5AA2F6
Data length: 172890112
File hash : 93A7A95BFCFC263DCB4A18477062FDCC72BE47A0
Firmware Changes compared to OFW 3.55:
Download: http://www.multiupload.com/LAIIB6IMX0
EULA.xml
<str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str>
Version.txt
CORE_OS_PACKAGE.pkg
lv1.self
Just one patch:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
OFW: 000F5A40 39 20 00 00 9 .. li r9,0
JB2: 000F5A40 39 20 00 01 9 .. li r9,1
This is in lv1_map_htab to allow for RW mapping of all RAM. So who knows how many other lv1 patches are done at runtime.
lv2_kernel.self
dev_flash_010.tar.aa.2010_11_27_051337
\dev_flash\vsh\module\nas_plugin.sprx
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
OFW: 00003250 7C 60 1B 78 |`.x mr r0, r3
JB2: 00003250 38 00 00 00 8... li r0, 0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
OFW: 00037350 41 9E 00 4C Až.L beq- cr7,4c
JB2: 00037350 60 00 00 00
"standard pkg patches"
dev_flash_016.tar.aa.2010_11_27_051337
\dev_flash\vsh\resource\explore\xmb\category_game.xml
\dev_flash\vsh\resource\explore\xmb\category_video.xml
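The byte-level diffs listed above under lv1.self and nas_plugin.sprx are each a single 32-bit PowerPC word, so a reader can check that the claimed mnemonics (li r9,0 to li r9,1; mr r0,r3 to li r0,0; beq- cr7,4c to the unlabelled word 60 00 00 00) really are what the bytes encode. The Python below is an added example, not code from the original post or from ps3devwiki: it decodes only the instruction forms those rows use (D-form addi and ori, X-form or, B-form bc), and its PATCHES table is constructed from the hex columns quoted on the page. It is the kind of check worth doing before trusting a firmware-patch write-up, since a one-byte change can be misdescribed just as easily as it can be misapplied.

```python
"""Decode the 32-bit PowerPC words shown in the OFW-vs-JB2 firmware diffs.

Added example (not from the original post or ps3devwiki): a minimal decoder
for the instruction forms used by the diff rows above.  Cell PPU code is
big-endian, so the four hex bytes of each row form one instruction word.
"""

# Constructed from the hex columns quoted on the page: (where, OFW bytes, JB2 bytes)
PATCHES = [
    ("lv1.self @ 0x000F5A40",        "39 20 00 00", "39 20 00 01"),
    ("nas_plugin.sprx @ 0x00003250", "7C 60 1B 78", "38 00 00 00"),
    ("nas_plugin.sprx @ 0x00037350", "41 9E 00 4C", "60 00 00 00"),
]

CR_CONDITIONS = ("lt", "gt", "eq", "so")          # CR field bits 0..3
NEGATED = {"lt": "ge", "gt": "le", "eq": "ne", "so": "ns"}


def word_from_hex(text: str) -> int:
    """'39 20 00 01' (big-endian bytes, as dumped) -> 0x39200001."""
    return int.from_bytes(bytes.fromhex(text.replace(" ", "")), "big")


def decode(word: int) -> str:
    """Return the assembler mnemonic for one PowerPC instruction word.

    Covers D-form addi/ori, X-form or, and B-form bc (AA=LK=0); anything
    else is reported as an undecoded word rather than guessed at.
    """
    opcd = word >> 26            # primary opcode, top 6 bits
    rd = (word >> 21) & 0x1F     # rD / rS / BO field
    ra = (word >> 16) & 0x1F     # rA / BI field
    rb = (word >> 11) & 0x1F     # rB field (X-form only)
    uimm = word & 0xFFFF
    simm = uimm - 0x10000 if uimm & 0x8000 else uimm

    if opcd == 14:  # addi rD,rA,SIMM; with rA=0 the assembler prints li rD,SIMM
        return f"li r{rd},{simm}" if ra == 0 else f"addi r{rd},r{ra},{simm}"

    if opcd == 24:  # ori rA,rS,UIMM; ori r0,r0,0 is the canonical nop
        if rd == 0 and ra == 0 and uimm == 0:
            return "nop"
        return f"ori r{ra},r{rd},0x{uimm:x}"

    if opcd == 31 and ((word >> 1) & 0x3FF) == 444:  # or rA,rS,rB; rS==rB is mr rA,rS
        return f"mr r{ra},r{rd}" if rd == rb else f"or r{ra},r{rd},r{rb}"

    if opcd == 16 and (word & 0x3) == 0:  # bc BO,BI,BD, relative, no link
        bo, bi = rd, ra
        bd = word & 0xFFFC                  # 14-bit displacement, already << 2
        if bd & 0x8000:
            bd -= 0x10000
        cond = CR_CONDITIONS[bi & 3]
        cr = bi >> 2
        if (bo & 0x1E) == 0x0C:             # BO=0110y: branch if the CR bit is set
            mnem = "b" + cond
        elif (bo & 0x1E) == 0x04:           # BO=0010y: branch if the CR bit is clear
            mnem = "b" + NEGATED[cond]
        else:
            return f"bc {bo},{bi},0x{bd:x}"
        # Static prediction hint: with y=0 a forward branch is predicted not
        # taken (printed '-') and a backward one taken ('+'); y=1 flips that.
        predicted_taken = (bd < 0) != bool(bo & 1)
        hint = "+" if predicted_taken else "-"
        target = f"0x{bd:x}" if bd >= 0 else f"-0x{-bd:x}"
        return f"{mnem}{hint} cr{cr},{target}"

    return f".long 0x{word:08x}"  # not one of the forms this example covers


def describe_patches():
    """Decode both sides of every row in PATCHES."""
    return [
        {"where": where,
         "ofw": decode(word_from_hex(ofw)),
         "jb2": decode(word_from_hex(jb2))}
        for where, ofw, jb2 in PATCHES
    ]


if __name__ == "__main__":
    for p in describe_patches():
        print(f"{p['where']}: {p['ofw']}  ->  {p['jb2']}")
```

Run as a script it prints one line per patch row; the third row decodes the JB2 word the page leaves without a mnemonic as nop, and the first two match the page's li/mr readings. The hint character on beq follows the BO y-bit rule, which is why the page's disassembler printed "beq-" for a forward branch.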
Description
The dongle is DRM to make sure you have the dongle; the firmware's 'special' functionality will not work without it. Content discs contain fself'ed eboot.bins.
Debunking
- It does not play 3.6x+/3.7x+ original content (it does not have the keys for it).
- It can only play such content if it has been re-encrypted/resigned with their dongle keys.
- Such content will be limited to what is already decryptable and to debug eboot.bins.
- Content for 3.55 and lower still works (after all, it's just an MFW 3.55).
- Needs the MFW (and cannot work on OFW; that is why there is no 'power/eject trick').
- If you are using special firmwares now, they will not be compatible with this one, e.g. it is incompatible with OtherOS++, Cobra, pre-3.50 etc.
Hardware Dongle
Below are some pictures of the PS3 JailBreak 2 (JB2) aka True Blue dongle disassembled; it uses an Actel ProASIC3 A3P250 FPGA, a 24.000 MHz crystal and an AMS1117 2.851049 low dropout linear regulator.
Components
Actel ProASIC3 A3P250 - FPGA
A3P250 = 250,000 System Gates
blank = Speed Grade: Standard
VQ = Package Type: Very Thin Quad Flat Pack (0.5mm pitch)
G = Lead-Free Packaging: RoHS-Compliant (Green)
100 = Package Lead Count : 100 pins
blank = Security Feature : no IP license
blank = Temperature Range: Commercial (0°C to +70°C Ambient Temperature)
File: VQ100.png (below)
128-bit AES
1,024 bits of user flash memory
Datasheets and user manuals: http://www.actel.com/products/pa3/docs.aspx#ds
Family root: http://www.actel.com/products/pa3/
Pinout A3P250 VQ100
Pin Function Notes
1 GND Ground
2 GAA2/IO118UDB3
3 IO118VDB3
4 GAB2/IO117UDB3
5 IO117VDB3
6 GAC2/IO116UDB3
7 IO116VDB3
8 IO112PSB3
9 GND Ground
10 GFB1/IO109PDB3
11 GFB0/IO109NDB3
12 VCOMPLF
13 GFA0/IO108NPB3
14 VCCPLF
15 GFA1/IO108PPB3
16 GFA2/IO107PSB3
17 VCC
18 VCCIB3
19 GFC2/IO105PSB3
20 GEC1/IO100PDB3
21 GEC0/IO100NDB3
22 GEA1/IO98PDB3
23 GEA0/IO98NDB3
24 VMV3
25 GNDQ Ground
26 GEA2/IO97RSB2
27 GEB2/IO96RSB2
28 GEC2/IO95RSB2
29 IO93RSB2
30 IO92RSB2
31 IO91RSB2
32 IO90RSB2
33 IO88RSB2
34 IO86RSB2
35 IO85RSB2
36 IO84RSB2
37 VCC
38 GND Ground
39 VCCIB2
40 IO77RSB2
41 IO74RSB2
42 IO71RSB2
43 GDC2/IO63RSB2
44 GDB2/IO62RSB2
45 GDA2/IO61RSB2
46 GNDQ Ground
47 TCK
48 TDI
49 TMS
50 VMV2
51 GND Ground
52 VPUMP
53 NC
54 TDO
55 TRST
56 VJTAG
57 GDA1/IO60USB1
58 GDC0/IO58VDB1
59 GDC1/IO58UDB1
60 IO52NDB1
61 GCB2/IO52PDB1
62 GCA1/IO50PDB1
63 GCA0/IO50NDB1
64 GCC0/IO48NDB1
65 GCC1/IO48PDB1
66 VCCIB1
67 GND Ground
68 VCC
69 IO43NDB1
70 GBC2/IO43PDB1
71 GBB2/IO42PSB1
72 IO41NDB1
73 GBA2/IO41PDB1
74 VMV1
75 GNDQ Ground
76 GBA1/IO40RSB0
77 GBA0/IO39RSB0
78 GBB1/IO38RSB0
79 GBB0/IO37RSB0
80 GBC1/IO36RSB0
81 GBC0/IO35RSB0
82 IO29RSB0
83 IO27RSB0
84 IO25RSB0
85 IO23RSB0
86 IO21RSB0
87 VCCIB0
88 GND Ground
89 VCC
90 IO15RSB0
91 IO13RSB0
92 IO11RSB0
93 GAC1/IO05RSB0
94 GAC0/IO04RSB0
95 GAB1/IO03RSB0
96 GAB0/IO02RSB0
97 GAA1/IO01RSB0
98 GAA0/IO00RSB0
99 GNDQ Ground
100 VMV0
24.000 MHz Crystal
CLK for Actel
AMS1117 2.851049 - Low Dropout Linear Regulator
Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf
File: AMS1117 - SOT-223.png (below)
A 47 (unidentified 5-pin IC) - 5-pin SOT5 A 47 pinout
package: SOT5 / SOT23-5
pins: 3 x 2 (5)
markings: A 47
Pin Usage Remarks
1
2 GND Ground
3
4
5
Winbond 25X16AVS1G (SPI Flash 16Mbit) - 8-pin TSSOP Winbond 25X16A SOIC-8 pinout
W - Winbond
25X - SPI Flash
16 - 16Mbit / 2M-byte (Uniform 4Kbyte sectors/64Kbyte blocks)
AVS1G - 100MHz (200Mbits/sec)
Datasheet: W25X16A.pdf
Pin Usage Remarks
1 /CS Chip Select
2 DO Data output
3 /WP Write Protect
4 GND Ground
5 DIO Serial data input/output
6 CLK Serial Clock
7 /HOLD Hold
8 VCC Vcc (min 2.7-max 3.6V)
Sony PlayStation 3 hacker Mathieulh has also made some comments via IRC today on how the PS3 JailBreak 2 works, with a follow-up HERE for those interested.
From PatrickBatman on the PS3 JB2 device, to quote:
It seems the ps3jb2 loads master discs with FSELF; with the algo provided and the right key you can decrypt said master disc images right on a PC and grab the FSELF files.
// do crypt: per-sector AES-128-CBC as posted, using the PolarSSL 1.x AES API.
// G_DEBUG_KEY is the 16-byte static key the post refers to; it is not part of
// this snippet and must be provided by the caller's build.
#include <string.h>
#include <polarssl/aes.h>

extern const unsigned char G_DEBUG_KEY[16];

// Encrypts (mode == AES_ENCRYPT) or decrypts (mode == AES_DECRYPT) one sector
// of aligned_size bytes in place. The IV is an all-zero block with the
// big-endian sector number in its last four bytes, rebuilt for every call
// because aes_crypt_cbc advances the IV it is given.
static int crypt_sector(unsigned char *buff, size_t aligned_size,
                        unsigned int sector_num, int mode)
{
    unsigned char sector_key[16];
    aes_context aes_ctx;

    memset(sector_key, 0, 16);
    sector_key[12] = (sector_num & 0xFF000000) >> 24;
    sector_key[13] = (sector_num & 0x00FF0000) >> 16;
    sector_key[14] = (sector_num & 0x0000FF00) >> 8;
    sector_key[15] = (sector_num & 0x000000FF) >> 0;

    if (mode == AES_ENCRYPT)
        aes_setkey_enc(&aes_ctx, G_DEBUG_KEY, 128);   // encrypt sector
    else
        aes_setkey_dec(&aes_ctx, G_DEBUG_KEY, 128);   // decrypt
    return aes_crypt_cbc(&aes_ctx, mode, aligned_size, sector_key, buff, buff);
}
That's the algo for master discs; ps3gen.dll has the static keys for master discs. You can also get it from sv_iso, the SDK tool that generates master disc images.
Then you take the decrypted FSELF, resign it for 3.55 with makeself, then swap the eboot. I think it should be somewhere in the PS3_Generator_Tools-312.zip in the 3.60 SDK, but I'm not finding it; that's where the master disc stuff is.
Finally, upon examination several users including DanyL, TheLostDeathKnight and bubbleboy have stated that the JB2 doesn't use a new PlayStation 3 exploit nor contain PS3 3.6+ keys, and that the dongle is only used as identification for activating the patch.
For those curious, patching the appldr keys has been done (but not made public) back with the PS3 3.56 keys, so it isn't unfamiliar to most PlayStation 3 developers, but unfortunately it is patchable by Sony. A brief outline of the process involved is below, as follows:
Obtain PS3 Debug EBOOT file from Sony's Developer Network via Debug console by one of the following methods:
- Boot up your PS3 to the XMB, make sure in debug settings that the NP environment is set to "sp-int" or "prod-qa", sign into PSN (with sp-int or prod-qa credentials; you can use the quick sign-up), and launch the game. If you're in luck, it will say an update is available: download it!
- To get the URL you have a few options. You could either sniff out the connection with something like Wireshark - that takes a bit more setup. Other times the URL is actually passed right to dtccons - so make sure you have the debugging windows open. Or, you could use any number of the PS3 Proxy applications to grab the link.
- Those who know their PS3 Game's Title ID and are seeking PS3 Game Update Packages can now use this simple guide to grab them while they last.
- Patch Retail PS3 Firmware to run a Debug EBOOT file
- Dump and burn the PS3 3.60+ games to BD-DVD with the included Debug EBOOT file
- Add the DRM to the PS3 MFW / CFW that JB2 uses and validate it via the dongle
The above process will likely continue to work until Sony locks down the PS3 Debug EBOOT files.
PS3 JB2 Keys
The encryption keys for PS3 Debug Discs utilized by the PS3 JB2 method can be found below.
Download: PS3 Keys / GIT
sv_iso_spu_module 1.02-3.55
key_0: EF4F6A107742E8448BC1F9D8F2481B31 //key_0 is an aes_cfb128 iv
iv_0: 2226928D44032F436AFD267E748B2393
key_0_0: 126C6B5945370EEECA68262D02DD12D2 //key_0_0 is used with iv_0 to generate gen_key_0
key_0_1: D9A20A79666C27D11032ACCF0D7FB501 //key_0_1 is used with iv_0 to generate gen_key_1
key_1: 7CDD0E02076EFE4599B1B82C359919B3 //key_1 is used with iv_0
iv_1: 3BD624020BD3F865E80B3F0CD6566DD0 //iv_1 is used with gen_key_0 and gen_key_1
key_2: 380BCF0B53455B3C7817AB4FA3BA90ED //key_2 + iv_2 are used to generate something from the disk name (id?)
iv_2: 69474772AF6FDAB342743AEFAA186287
debug_disc_fallback: 67C0758CF4996FEF7E88F90CC6959D66 //this fallback is used if the disk name (id?) is 'PS3_L_DEBUG_DISC'
- Neverdead.Eboot.Patch.DirFix.PS3-DUPLEX
- Tiger.Woods.PGA.Tour.13.Eboot.Patch.PS3-DUPLEX
- PS3 Dirt.Showdown.Eboot.Patch.PS3-DUPLEX
- Devil.May.Cry.HD.Collection.Eboot.Patch.PS3-DUPLEX
- Sniper.Elite.V2.Eboot.Patch.PS3-DUPLEX
- Syndicate.Eboot.Patch.PS3-DUPLEX
- Twisted.Metal.Eboot.Patch.PS3-DUPLEX
- Snipers.Invisible.Silent.Deadly.Eboot.Patch.PS3-DUPLEX
- Puss.in.Boots.Eboot.Patch.PS3-DUPLEX
- Assassins.Creed.Revelations.Eboot.Patch.PS3-DUPLEX
One last word about credits... if I want to have credits I would release stuff under my public name and not under an "anonymous" name.
racer0018: You misunderstood me. I'm still there and do things, and from time to time you will also see releases under my public name. But yeah... those are two different worlds... the public scene and the underground scene. Really, you can't imagine. Everything starts underground. And sooner or later it gets public. But the real ongoing is in the underground scene.