43w ago - Following up on his
Quick PS3 CoreOS Image Tool code release and
recent hints, today PlayStation 3 developer
Naehrwert has made available PS3 Dump_Rootkey code and a brief guide below so users can dump their own PlayStation 3 root key without Linux.
Download:
PS3 Dump_Rootkey Code /
PS3 Dump_Rootkey Code (Modified and compiled by
Attila for Windows using Cygwin - just provide the IP as parameter after dump_rootkey like this:
dump_rootkey.exe 192.168.0.1) /
PS3 Resigning Tools by
Attila
Naehrwert has also confirmed that Asbestos PKG only works in 3.41. He has posted the
AsbestOS and
Source Code to change the offset for people to adapt it to other PS3 Firmware versions and
tul compiled the ELF to an
AsbestOS 3.55 PKG file.
Additionally,
jrtux compiled the
AsbestOS stage2 for 3.55 with the Toolchain as
naehrwert commented on Twitter, stating: "this is the modified stage2 I'm using (I guess you can change the entry and compile this yourself)"
Build resulted in:
- stage2_raw.bin
- stage2_raw.elf
- stage2_raw.lzma
Shortly following, he also compiled the stage1 and stage2 from the
original AsbestOS source and the
Naehrwert AsbestOS Stage2 source resulting in:
- stage1.elf
- stage2_native.elf
- stage2_raw.elf
- stage2_raw.lzma
Danixleet has also compiled the
PS3 Dump_Rootkey and notes use includes bat file to run the dump_key and just replace with your IP followed by
another compilation that assumes the user has everything ready (3.41 lv2 peek/poke) then simply drop "metldr" from console into "data".
If not.. check your connection between PS3/router, make sure nothing is blocked or add the trusted IP's to dump_rootkey in firewall and ping must be allowed, each setup is diff.. if it fails check your firewall/router settings, it worked out of the box for me connected to the wired router.
From
voldemar_u2: Upload release build, try this one:
From the included ReadMe file, to quote: dump_rootkey - 2012 by naehrwert
How-to:
[1] Install asbestos_ldr.g.pkg on your PS3 (a firmware with lv2 peek/poke is required to run it).
[2] Compile the client (make sure PS3HOST in main.cpp points to your PS3).
[3] Make sure you got your metldr in './data' as 'metldr'.
[4] A prebuilt 'dumper' is included in './data' (dumper.elf and build.bat is
included too if you want to change parameters).
[5] Start asbestos_ldr on your PS3.
[6] Start the client on your PC.
[7] Unicorns!
Asbestos License
Copyright (C) 2010-2011 Hector Martin "marcan" hector AT marcansoft.com
From
cory1492: OK, I had to repackage it a couple different ways but once I got it to install it worked great. The ps3 is a slim running 3.41 hermes cfw, when the app starts the PS3 black screened, I then ran the client after editing in my PS3's IP and copying a metldr extracted from my NOR dump over to the folder as instructed), compiled under cygwin using the supplied .sh script which is really just a gcc command (I added the ULL to those two vars to fix any problems that 'int is not a long' causes under windows) and got:
C:\cygwin\home\Cory\PS3test\dump_rootkey>dump_rootkey.exe
[INFO] Connecting to '192.168.2.110'...ok.
[INFO] Ping...ok.
[INFO] VAS ID = 0x000000000000000B
[INFO] map_lpar_memory_region(data): res = 0
[INFO] Copying files out...done.
[INFO] Constructing SPE...done. (res = 0)
[INFO] priv2 0x00004C00013E0000
[INFO] problem 0x00004C00013C0000
[INFO] LS 0x00004C0001380000
[INFO] shadow 0x0000300000028000
[INFO] ID 0x0000000000000002
[INFO] Setting up SPE...done.
[INFO] map_lpar_memory_region(shadow) : res = 0
[INFO] map_lpar_memory_region(problem) : res = 0
[INFO] map_lpar_memory_region(priv2) : res = 0
[INFO] map_lpar_memory_region(ls) : res = 0
[INFO] set_spe_privilege_state_area_1_register : res = 0
[INFO] Starting SPE in isolation mode...done.
[INFO] Interrupt status (2, application) = 0x0000000000000010
[INFO] -> SPU mailbox threshold interrupt
[INFO] Interrupt status (2, application) = 0x0000000000000011
[INFO] -> SPU mailbox threshold interrupt
[INFO] -> mailbox interrupt
[INFO] Mailbox value = 1
[INFO] -> Dumper loaded.
[INFO] Transferring eid_root_key to buffer...finished.
[INFO] Dumping eid_root_key...done.
[INFO] SPU status = 0x00000081
[INFO] Requesting SPE isolation exit and stop.
[INFO] Destructing SPE...done.
[INFO] Press any key to exit...
I reflashed from 4.11 dex back to hermes to test this easy way to get the RPC server going that doesn't involve installing asbestos and not only does the RPC server work a treat, I can also confirm this release dumped the same EID root key that I had obtained previously via a metldr dump.
I'm a happy camper now, with a RPC server I can just run like an app. Sure beats going back to those old graf dongle payloads thanks naehrwert or marcan, whoever made that pkg!
Tut: follow the info deank posted to use multiman to take a dump of your console flash, and use one of the existing tools to extract the crypted metdlr - that is all you need to do to get metldr for this.
- Create a dump of your NOR/NAND (use multiMAN to create a .NORBIN/.NANDBIN file - USB connected as /dev_usb000 required)
- To dump flash: mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)
- Transfer to your PC and unpack it with norunpack.exe or cex2dex to a folder and grab "metldr" from the "asecure_loader" folder
- Put "metldr" into the "metldrpwn" folder on your USB
From
aldostools: To get the "metldr", just dump your flash with the latest build of multiMAN: mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)
Transfer the dumped file of the NOR or NAND flash (copied to the USB) to your PC, and use norunpack.exe:
norunpack.exe flash.BIN extract_folder. In the extract_folder you will find the "metldr" (59KB) inside the folder "asecure_loader".
An alternative method to extract "metldr" is using the CEX2DEX application by Gunner54. You first have to downgrade to 3.55 (DEX or CEX), to apply any flash patch using multiMAN.
Btw, this is the fix for line 243:
spu_slb_set_entry(&ctxt, priv2_addr, 0, 0x8000000018000000ULL, 0x0000800000001400ULL);
Tt was missing ULL and many (well mostly just windows/32bit ones really) compilers will treat it as a 32bit value instead of a 64bit value when you forget that.
From
KitsunePaws: To get this to compile is VS 2010 alter the header of main.cpp
#define _ERROR(...) printf("[ERROR] " __VA_ARGS__)
#define _INFO(...) printf("[INFO] " __VA_ARGS__)
#pragma comment(lib, "ws2_32.lib") Using Dump_Rootkey on Ubuntu 12.04 Guide by
jrtux:
1- Extracting :
sudo apt-get install p7zip
p7zip -d dump_rootkey.7z
2- Edit PS3HOST in main.cpp with the IP of your ps3 :
gedit main.cpp
edit :
#define PS3HOST "169.254.0.2" <- your PS3 ip
save
3- Compile :
sudo apt-get --reinstall install build-essential
chmod +x build.sh
sudo ./build.sh
4- Extract the metldr from your flash dump and copy your metldr in 'data' dir as 'metldr' : (Get your flash dump with mmOs or memdump_0.01-FINAL and extract METLDR with CEX2DEX Application)
5- Run :
Enjoy!
From his Twitter (linked above) some recent related Tweets:
hint: pastie.org/4301209
[INFO] Connecting...ok.
[INFO] Ping...ok.
[INFO] VAS ID = 0x000000000000000b
[INFO] map_lpar_memory_region(data): res = 0
[INFO] Copying files out...done.
[INFO] Constructing SPE...done. (res = 0)
[INFO] priv2 0x00004c00016e0000
[INFO] problem 0x00004c00016c0000
[INFO] LS 0x00004c0001680000
[INFO] shadow 0x000030000002e000
[INFO] ID 0x0000000000000002
[INFO] Setting up SPE...done.
[INFO] map_lpar_memory_region(shadow) : res = 0
[INFO] map_lpar_memory_region(problem) : res = 0
[INFO] map_lpar_memory_region(priv2) : res = 0
[INFO] map_lpar_memory_region(ls) : res = 0
[INFO] set_spe_privilege_state_area_1_register: res = 0
[INFO] Starting SPE in isolation mode...done.
[INFO] Interrupt status (2, application) = 0000000000000010
[INFO] -> SPU mailbox threshold interrupt
[INFO] Interrupt status (2, application) = 0000000000000011
[INFO] -> SPU mailbox threshold interrupt
[INFO] -> mailbox interrupt
[INFO] Mailbox value = 1
[INFO] -> Dumper loaded.
[INFO] Transferring eid_root_key to buffer...finished.
[INFO] Dumping eid_root_key...done.
[INFO] SPU status = 0x00000081
[INFO] Destructing spe...done.
[INFO] Press any key to exit...
look ma, no linux
Thanks to
mrlowalowa for the news tip!
From
JayDee78: This is the MFW 3.41 PUP I myself used, with the patches added, use if you trust me.. Get OFW and do it yourself otherwise.
Download Mirrors:
- http://www.multiupload.nl/8STDLOS3V4
- http://www.putlocker.com/file/FF3BA90203DC4798
- http://freakshare.com/files/bz4m49s4/PS3UPDAT_341_peek_pook_for_use_with_asbestos_ldr_cex2dex.rar.html
- http://turbobit.net/5o8n0rnpjzzx.html
- http://www.filefactory.com/file/6j4dhxptk2jj/n/PS3UPDAT_341_peek_pook_for_use_with_asbestos_ldr_cex2dex.rar
- http://oron.com/8wg6sczi569c
- http://bayfiles.com/file/i0TB/9OVdY9/PS3UPDAT_341_peek_pook_for_use_with_asbestos_ldr_cex2dex.rar
Finally, below is a brief guide on how to do it from him as follows:
On PC:
- Extract the dump_rootkey.7z (or the precompiled dump_rootkey modified by Attila) to c:
- Put the metldr in the c:\dump_rootkey\data folder (read below on how you get this file)
PS3:
- Get your flash dump with Memdump v0.01 Final, and extract the metldr with cex2dex etc, and put it in the data folder on the pc
- Install the asbestos_ldr.g.pkg from Naehrwert's original download (dump_rootkey.7z)
- As I was on 3.55 kmeaw and could downgrade I just got the 3.41 OFW and ran it through MFW Builder v0.2
The settings I used:
- Patch LV1 hypervisor
- Patch LV2 kernel
- Patch package installer
- Patch application launcher
Went into recovery on the ps3 and flashed the mfw 3.41
Started the asbestos loader after boot up and then started dump_rootkey on my pc with the right IP and as promised: UNICORNS!
[INFO] Connecting to '192.168.2.186'...ok.
[INFO] Ping...ok.
[INFO] VAS ID = 0x000000000000000B
[INFO] map_lpar_memory_region(data): res = 0
[INFO] Copying files out...done.
[INFO] Constructing SPE...done. (res = 0)
[INFO] priv2 0x00004C0001260000
[INFO] problem 0x00004C0001240000
[INFO] LS 0x00004C0001200000
[INFO] shadow 0x0000300000025000
[INFO] ID 0x0000000000000002
[INFO] Setting up SPE...done.
[INFO] map_lpar_memory_region(shadow) : res = 0
[INFO] map_lpar_memory_region(problem) : res = 0
[INFO] map_lpar_memory_region(priv2) : res = 0
[INFO] map_lpar_memory_region(ls) : res = 0
[INFO] set_spe_privilege_state_area_1_register : res = 0
[INFO] Starting SPE in isolation mode...done.
[INFO] Interrupt status (2, application) = 0x0000000000000011
[INFO] -> SPU mailbox threshold interrupt
[INFO] -> mailbox interrupt
[INFO] Mailbox value = 1
[INFO] -> Dumper loaded.
[INFO] Transferring eid_root_key to buffer...finished.
[INFO] Dumping eid_root_key...done.
[INFO] SPU status = 0x00000081
[INFO] Requesting SPE isolation exit and stop.
[INFO] Destructing SPE...done.
[INFO] Press any key to exit...
Hope this helps some of you (at least you that CAN downgrade). From IRC:
[naehrwert] reversing challenge: http://www.sendspace.com/file/asd7fp
[naehrwert] anyone who succeeds to unpack this, get's some unicorn rainbow poop!
[antikhris] unpack the elf?
[naehrwert] nah the hidden payload
[sandungas] unicorns \o/
[antikhris] ah santa wont b much help then
[antikhris] whats it for anyway?
[sandungas] hidden where ? o0
[naehrwert] custom spu elf protector
[naehrwert] need to see if it's a good one or not haha
[kamel] naehrwert did anyone ever succesfully reverse your challenge?
[naehrwert] dunno, noone contacted me at least
[kamel] :/
[naehrwert] kamel need one protected with an updated version? 
[kamel] ?
[naehrwert] challenge
[kamel] i have no idea how to reverse
[kamel]
[naehrwert] in case the first one was too easy
[naehrwert] objdump
[naehrwert] ida
[naehrwert] spud
[kamel] i dont even know what any of that is
[naehrwert] objdump is like the name tell an object dumper, thus it will print infos about the binary object and one use is to disassemble it
[naehrwert] ida is THE interactive disasm
[naehrwert] and spud is spu-decompiler (sort of)
[naehrwert] *tells
[kamel] oh
[naehrwert] the more people are willing to try reversing stuff the more progress
Doesnt sounds like the sort of game I would find fun. Who wants to clean piss for a game? People don't want to do it for a job so why would a game of ...
Files included below are the util.h, util.cpp, types.h and main.cpp released under the GPLv2.
Download: http://uploadmirrors.com/download/14ELETJ5/costool-src.rar / http://uploadmirrors.com/download/0VY4YSGE/costool.exe / http://www.mirrorcreator.com/files/1O3NYXPQ/costool-src.rar_links (Mirror) / https://github.com/naehrwert
To quote: quick coreos image tool - http://pastie.org/4003488
## util.h
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/
#ifndef _UTIL_H_
#define _UTIL_H_
#include
#include "types.h"
/*! Utility functions. */
u8 *_read_buffer(const s8 *file, u32 *length);
int _write_buffer(const s8 *file, u8 *buffer, u32 length);
#endif
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/
#include
#include
#include "types.h"
#include "util.h"
u8 *_read_buffer(const s8 *file, u32 *length)
{
FILE *fp;
u32 size;
if((fp = fopen(file, "rb")) == NULL)
return NULL;
fseek(fp, 0, SEEK_END);
size = ftell(fp);
fseek(fp, 0, SEEK_SET);
u8 *buffer = (u8 *)malloc(sizeof(u8) * size);
fread(buffer, sizeof(u8), size, fp);
if(length != NULL)
*length = size;
fclose(fp);
return buffer;
}
int _write_buffer(const s8 *file, u8 *buffer, u32 length)
{
FILE *fp;
if((fp = fopen(file, "wb")) == NULL)
return 0;
/*while(length > 0)
{
u32 wrlen = 1024;
if(length < 1024)
wrlen = length;
fwrite(buffer, sizeof(u8), wrlen, fp);
length -= wrlen;
buffer += 1024;
}*/
fwrite(buffer, sizeof(u8), length, fp);
fclose(fp);
return 1;
}
/*
* Copyright (c) 2012 by naehrwert
* This file is released under the GPLv2.
*/
#ifndef _TYPES_H_
#define _TYPES_H_
typedef char s8;
typedef unsigned char u8;
typedef short s16;
typedef unsigned short u16;
typedef int s32;
typedef unsigned int u32;
#ifdef _WIN32
typedef __int64 s64;
typedef unsigned __int64 u64;
#else
typedef long long int s64;
typedef unsigned long long int u64;
#endif
#define BOOL int
#define TRUE 1
#define FALSE 0
//Align.
#define ALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))
//Endian swap for u16.
#define _ES16(val) \
((u16)(((((u16)val) & 0xff00) >> 8) | \
((((u16)val) & 0x00ff) > 24) | \
((((u32)val) & 0x00ff0000) >> 8 ) | \
((((u32)val) & 0x0000ff00) 56) | \
((((u64)val) & 0x00ff000000000000ull) >> 40) | \
((((u64)val) & 0x0000ff0000000000ull) >> 24) | \
((((u64)val) & 0x000000ff00000000ull) >> 8 ) | \
((((u64)val) & 0x00000000ff000000ull) entcnt);
ch->imgsize = _ES64(ch->imgsize);
}
static void _print_cos_header_t(FILE *fp, cos_header_t *ch)
{
fprintf(fp, "CoreOS Header:\n");
fprintf(fp, " Version 0x%08X\n", ch->version);
fprintf(fp, " Entry Count 0x%08X\n", ch->entcnt);
fprintf(fp, " Image Size 0x%016llX\n", ch->imgsize);
}
/*! Entry. */
typedef struct _cos_entry
{
/*! Offset. */
u64 offset;
/*! Size. */
u64 size;
/*! Name (zero padded). */
s8 name[0x20];
} cos_entry_t;
static void _es_cos_entry_t(cos_entry_t *ce)
{
ce->offset = _ES64(ce->offset);
ce->size = _ES64(ce->size);
}
static void _print_cos_entry_t(FILE *fp, cos_entry_t *ce, u32 idx)
{
fprintf(fp, "CoreOS Entry %02d:\n", idx);
fprintf(fp, " Offset 0x%016llX\n", ce->offset);
fprintf(fp, " Size 0x%016llX\n", ce->size);
fprintf(fp, " Name %s\n", ce->name);
}
/*! Context. */
typedef struct _cos_ctxt
{
/*! Buffer. */
u8 *buffer;
/*! Buffer length. */
u32 length;
/*! Pointer to header. */
cos_header_t *header;
/*! Pointer to entries. */
cos_entry_t *entries;
} cos_ctxt_t;
cos_ctxt_t *cos_load(const s8 *file)
{
u32 i;
cos_ctxt_t *res;
if((res = (cos_ctxt_t *)malloc(sizeof(cos_ctxt_t))) == NULL)
return NULL;
if((res->buffer = _read_buffer(file, &res->length)) == NULL)
{
free(res);
return NULL;
}
//Fix header and entries.
res->header = (cos_header_t *)res->buffer;
res->entries = (cos_entry_t *)(res->buffer + sizeof(cos_header_t));
_es_cos_header_t(res->header);
for(i = 0; i < res->header->entcnt; i++)
_es_cos_entry_t(&res->entries[i]);
return res;
}
void cos_free(cos_ctxt_t *ctxt)
{
free(ctxt->buffer);
free(ctxt);
}
void cos_print(cos_ctxt_t *ctxt)
{
u32 i;
_print_cos_header_t(stdout, ctxt->header);
for(i = 0; i < ctxt->header->entcnt; i++)
_print_cos_entry_t(stdout, &ctxt->entries[i], i);
}
void cos_unpack(cos_ctxt_t *ctxt, const s8 *base_path)
{
s8 path[256];
u32 i;
for(i = 0; i < ctxt->header->entcnt; i++)
{
sprintf(path, "%s/%s", base_path, ctxt->entries[i].name);
_write_buffer(path, ctxt->buffer + ctxt->entries[i].offset, ctxt->entries[i].size);
}
}
void _print_usage()
{
printf("costool (c) 2012 by naehrwert\n");
printf("Usage: costool [option] image\n");
printf("Options:\n");
printf(" -i ... Print infos.\n");
printf(" -u ... Unpack.\n");
exit(1);
}
int main(int argc, char **argv)
{
cos_ctxt_t *ctxt;
if(argc < 3)
_print_usage();
if(strcmp(argv[1], "-i") == 0) //Print infos.
{
ctxt = cos_load(argv[2]);
cos_print(ctxt);
cos_free(ctxt);
}
else if(strcmp(argv[1], "-u") == 0) //Unpack.
{
ctxt = cos_load(argv[2]);
cos_unpack(ctxt, ".");
cos_free(ctxt);
}
else
{
printf("Unknown option.\n");
return 1;
}
return 0;
}
More PlayStation 3 News...