PS3 Hypervisor Dump Setup Script for IDA is Now Available

Category: PS3 Hacks & JailBreak By: PS3 News - (xorloser.com)
Tags: ps3 hypervisor dump ps3 hv dump ps3 hacks ps3 ida setup script

169w ago - Today xorloser has shared a PS3 Hypervisor Dump setup script for IDA (Interactive Disassembler), which automatically sets up function tables, resolves rtoc offsets and finds some common functions in PlayStation 3 Hypervisor Dumps for easier reversing.

Additionally, titanmkd has updated the script with a patch available HERE, and as a result xorloser has now made his more compatible with older versions of IDA and updated it yet again with peek/poke calls labeled.

To quote: "It seems someone took some initiative and made some software themselves to dump the hypervisor once they have the correct hardware and software. So for anyone who has used that and dumped their own hypervisor I present this PS3 HV Dump setup script for IDA.

This script will setup function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings.

To use the script you should extract it somewhere and then from within IDA select "File->IDC File...", then navigate to where you extracted the file and select it. Please note that this script could overwrite your previous work, so please run backup your idb/i64 file before running it. I recommend running it on a freshly created database by loading your hypervisor dump into IDA as "ppc" at ROM address 0 and then running this script as detailed above before doing anything else.

The other tidbit I wanted to share was the updates to the PPC Altivec plugin source code which I had forgotten to include in the recent releases, but which a few people have since asked for. Here is the PPC Altivec plugin v1.6 for IDA v5.6 with sourcecode. If anyone makes any fixes or adds support for new functions please pass these updates back to me so I can share them on this site."

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

21 Comments - Go to Forum Thread »

#21 - ehud0406 - 168w ago

you are a the best, i hope that with geohot you all crack this system as fast as possible. it must be great to be so smart and to know you were a part of this hacking

keep up the good work!

#20 - tridentsx - 168w ago

I made a quick hack to to the xorloser modified altivec IDA plugin. Now it prints out the sprg short names instead of hex values. It was annoying to go back and forward looking up the sprg's in the documentation.

#19 - ekrboi - 168w ago

frinken awesome.. i'm no reverser.. i've been playing with ida and trying to learn as i go.. i thought i was doing good =P took a script 3 minutes to get prob 90% further than i got in a week =P now if we could just get the whole mem dump and try to find some useful stuff in there.. the flash/nand should be mapped in memory.. therefore metldr should be in there as well!

from my understanding that's the next step to being able to load our own "isolated" spe to use to decode things like lv2ldr that are not decoded in the dump we all have or even better decode an update to get lv2 from it.. please someone correct me if i am thinking in the wrong direction!

#18 - tridentsx - 168w ago

Originally Posted by tridentsx

When I run the script in IDA Pro 5.4 the script stops without any exception at the function find_opd_start.

I am new to IDA is there a step by step debugger or debug mode with extended exception printouts?

Never mind, it worked like a charm in the 64bit version of IDA.

#17 - PS3 News - 168w ago

I updated the first post again with the latest revision, which includes labeled peek/poke calls via sapperlott:

You could add the four additional interrupt vectors mentioned in the CellBE Handbook (page 253):
0�0F20 – VXU Unavailable
0�1200 – System Error
0�1600 – Maintenance
0�1800 – Thermal Management

Hypercalls 16 and 20 are lv1_peek and lv1_poke. Without the exploit they most probably would point to lv1_invalid_hvcall.

Hypercall 221 contains a typo – it should read “lv1_gpu_context_iomap”.

Also, if anyone is getting an "Attempt to call undefined function Qword" error be aware the "Qword" function xorloser uses wasn't added in until 5.3 (I was on IDA 5.2.0.908 so had to update). Then load in PS3_Memory_Dump.bin using 64-Bit PPC followed by the .IDC file. Here is a link for those who still need it: http://rapidshare.com/files/322368444/idp55.rar (pass: chevrosky)