Sponsored Links

Sponsored Links

PS3 Hypervisor Dump Setup Script for IDA is Now Available

Sponsored Links
252w ago - Today xorloser has shared a PS3 Hypervisor Dump setup script for [Register or Login to view links] (Interactive Disassembler), which automatically sets up function tables, resolves rtoc offsets and finds some common functions in PlayStation 3 Hypervisor Dumps for easier reversing.

Additionally, titanmkd has updated the script with a patch available HERE, and as a result xorloser has now made his more compatible with older versions of IDA and updated it yet again with peek/poke calls labeled.

To quote: "It seems someone took some initiative and made some software themselves to dump the hypervisor once they have the correct hardware and software. So for anyone who has used that and dumped their own hypervisor I present this [Register or Login to view links].

This script will setup function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings.

To use the script you should extract it somewhere and then from within IDA select "File->IDC File...", then navigate to where you extracted the file and select it. Please note that this script could overwrite your previous work, so please run backup your idb/i64 file before running it. I recommend running it on a freshly created database by loading your hypervisor dump into IDA as "ppc" at ROM address 0 and then running this script as detailed above before doing anything else.

The other tidbit I wanted to share was the updates to the PPC Altivec plugin source code which I had forgotten to include in the recent releases, but which a few people have since asked for. Here is the [Register or Login to view links]. If anyone makes any fixes or adds support for new functions please pass these updates back to me so I can share them on this site."

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew releases!

Comments 21 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles.
#21 - ehud0406 - 251w ago
ehud0406's Avatar
you are a the best, i hope that with geohot you all crack this system as fast as possible. it must be great to be so smart and to know you were a part of this hacking

keep up the good work!

#20 - tridentsx - 251w ago
tridentsx's Avatar
I made a quick hack to to the xorloser modified altivec IDA plugin. Now it prints out the sprg short names instead of hex values. It was annoying to go back and forward looking up the sprg's in the documentation.

#19 - ekrboi - 251w ago
ekrboi's Avatar
frinken awesome.. i'm no reverser.. i've been playing with ida and trying to learn as i go.. i thought i was doing good =P took a script 3 minutes to get prob 90% further than i got in a week =P now if we could just get the whole mem dump and try to find some useful stuff in there.. the flash/nand should be mapped in memory.. therefore metldr should be in there as well!

from my understanding that's the next step to being able to load our own "isolated" spe to use to decode things like lv2ldr that are not decoded in the dump we all have or even better decode an update to get lv2 from it.. please someone correct me if i am thinking in the wrong direction!

#18 - tridentsx - 252w ago
tridentsx's Avatar
Quote Originally Posted by tridentsx View Post
When I run the script in IDA Pro 5.4 the script stops without any exception at the function find_opd_start.

I am new to IDA is there a step by step debugger or debug mode with extended exception printouts?

Never mind, it worked like a charm in the 64bit version of IDA.

#17 - PS3 News - 252w ago
PS3 News's Avatar
I updated the first post again with the latest revision, which includes labeled peek/poke calls via sapperlott:
You could add the four additional interrupt vectors mentioned in the CellBE Handbook (page 253):
00F20 – VXU Unavailable
01200 – System Error
01600 – Maintenance
01800 – Thermal Management

Hypercalls 16 and 20 are lv1_peek and lv1_poke. Without the exploit they most probably would point to lv1_invalid_hvcall.

Hypercall 221 contains a typo – it should read “lv1_gpu_context_iomap”.

Also, if anyone is getting an "Attempt to call undefined function Qword" error be aware the "Qword" function xorloser uses wasn't added in until 5.3 (I was on IDA so had to update). Then load in PS3_Memory_Dump.bin using 64-Bit PPC followed by the .IDC file. Here is a link for those who still need it: [Register or Login to view links] (pass: chevrosky)


Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links

Advertising - Affiliates - Contact Us - PS3 Downloads - PS3 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 3 News