It's been a while since the last IDPS update, and today I've created this PS3 IDPS Viewer homebrew application based on research I'm doing. I had not planned to release the tool yet, but if someone needs it, here it is (thanks to J-Martin for the logo).
When the program starts you will see the typical intro screen. If you choose "Yes" you will see the data from your PS3. If it sounds three beeps, that indicates it was not possible to dump, and the error message is shown; if all went well it sounds one beep and you are able to see the data.
It automatically saves the IDPS to dev_hdd0/IDPS.bin; you must open it with a hex editor and look at the hexadecimal values, for example (a fake IDPS, I will not reveal my own):
00 00 00 01 00 85 00 05 87 15 A4 4D 47 64 F6 AA
The IDPS in this case would be: 00 00 00 01 00 85 00 05 87 47 64 15 A4 F6 4D AA
It has been tested on a PS3 FAT; the SLIM should work perfectly as well.
Finally, in related news PlayStation 3 developer naehrwert has recently blogged (nwert.wordpress.com/2011/12/24/individual-infos/) about PS3 Individual Infos, to quote:
One of the PS3's console-specific cryptography mechanisms works as follows:
At factory time a console-specific key is generated, probably from a private constant value and a console-specific seed. Maybe that's the key used for encrypting bootldr and metldr. Fact is that metldr stores another console-specific keyset (key/iv) at LS offset 0x00000.
That keyset is probably calculated from the first one. At factory time the isolated root keyset (as I call it) is used to encrypt the console's "Individual Infos", like eEID. But not the whole eEID is encrypted the same way; special seeds are used to calculate key/iv pairs for the different sections.
And not even that is true for every eEID section, because for EID0, for example, another step is needed to generate the final section key(set). Each of the isolated modules using such an "Individual Info" has a special section that isoldr uses to generate the derived key(set)s.
But the generation works in such a way that the section data is encrypted with AES-CBC using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because AES shouldn't allow a known-plaintext attack.
So far I can decrypt some of EID0's sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0's, but I lack the generation keys for that one.
To quote: OK guys, so here's something I have for you. This is an idps/psid changer.
This changes the idps in section 0 or section 6 and the psid in section B (not A, sorry, I corrected that on the wiki) PERMANENTLY on flash. So, you know the drill: be VERY careful when using this tool and always take precautions with a flasher.
You're going to need 5 things: root_key, a backup of your NOR flash (only NOR is supported at the moment, but you can easily make it compatible with NAND consoles by changing the offsets at merge_section as well as changing the name to whatever you wish to call your flash), a backup of eid (you can obtain this with flow rebuilder or using memdump) and, obviously, the idps and the psid you want to use on your console.
As for the final hash in each section, the libeeid creator was kind enough to take care of that, so don't worry about that, but PLEASE use valid idps and psid files!!!
Any questions, please ask. And yes, that handles cex2dex too.
hex 0 1 2 3 4 5 6 7 8 9 A  B
dec 1 2 3 4 5 6 7 8 9 10 11 12
1000 qubits processing power and Shor's Algorithm at hand...) AES can't be compromised (maybe in a near future).
Per-console key 0 can't be obtained so far. What you see here is what remains. If anything happens that makes any of these things possible, understandable or achievable, I'll delete the respective part of them.
Debunking the idps
Here's my debunking of the idps or console id as you know.
Printing Things to the Screen
As you all know, neither the SDK nor the PSL1GHT environment allows you to print things natively to the screen, at least not without using RSX. Fortunately, inside the Cobra sources of their USB, there is something that enables that, making debug output MUCH easier.
The functions in question are debug_install and debug_printf. debug_install patches the necessary offsets and redirects TTY output to the screen, and then debug_printf simply prints the thing you want. This might not sound like much, but it's a VERY useful feature, especially when you want to debug code and like to visually see what is happening. Also, this could make things such as memory patching and dumping much easier to look at.
I'd like to compile it myself and test for results, but I don't have a working hackable console. So I'd like to ask any of you devs to test it and check whether it works or not. As I was told, it does seem to work, so I hope that this gets adapted to PSL1GHT very soon.
U$er, I'd like you to be the first person to test this, since you have understood the plugin loading and adapted it for ourselves.
Buffer Overflow on Save Games
This comes back from the PSP era. Usually, you'd insert a disc, load a certain save and it'd load data that had a very long string. At the end or the middle of that string you'd see a binary loader (hbl.bin) that would load the main menu of HBL.
In the case of the PS3, before the crypto fail was publicly announced, little to nothing was possible in regard to loading a binary from a savegame. Now, thanks to that and thanks to flatz's amazing tools, it might be a possibility in the near future.
Since there isn't a tool that handles savegame crashes (yet), so far we can only manage with a DEX/Convert and eth debug to know what happens at the time of the crash/freeze.
In my case, I don't have access to such tools, but there are people who do.
So, you can try this for yourselves. This was made in FIFA 09. I turned auto-save off (so it didn't overwrite the crafted save I made), made a savegame profile, and loaded the disc.
The result was that it crashed while loading the save. The only thing I changed was SYS-DATA. I opened it in HxD and filled my name (zecoxao) with o's until it matched Ronaldo's string entry. That caused the game to crash.
Theoretically, you can most likely load a disc-bound 3.55-and-below signed SELF from a register that returns an address and it'll just load the SELF (I think), although I didn't try this myself yet, because I can't debug it properly on a Super Slim. Anyone who wishes to give it a go is welcome to do so.
From pastie.org/private/p1mxjrd6xbmv3hrphazxsw (the freeze):
LR is what matters to us. It's called the Link Register and returns the address of what we want to load.
IT'S A TARP! (Thanks flatz for the debugging)
FIFA 08 (props to NiceShot for the logs) (via pastie.org/private/9iqksaxgxpo8kdqxc87g):
[TM] Boot mode := System
control_console: Server bound to port number 8080
abort() is called from 0x0000000000151184
Added support to manage NAND preloader dumps.
Message the user about the type of dump.
Message the user if bootloaders are missing.
Auto-recognize whether a dump is normal or byte-swapped and handle both automatically.
If you byte-reverse your dump before using this application, remember to byte-reverse it back after the procedure.
Finally, from haz367: proper eid0 section/part conversion so the new idps at least has correct values after it (cex2dex offsets 002F090-2F14F//omac hash)
offset 2F077/2F07F (new idps)
offsets/block: 2F090-2F14F - new values calculated/added to have a valid idps change? At least better than only changing the IDPS line
offset 303D7/303DF (new idps)
offset 3F040-3F045 (new mac)
Tested offline and trashed with my own dumps. Not needed, but people deserve a second chance, right? Only need to brick another PS3 to get a new idps. Great share for that.
Update: PS3 IDPS Changer v1.3 Changelog: Here is the latest version of this sweet little app. I had trouble using all prior versions, and now I have permanently installed a new IDPS on over 30 systems. Make sure you have openssl installed via cygwin, and enable XP SP2 compatibility on openssl.exe. Then grant admin access to openssl.exe as well as IDPS Changer, then drop these files in the cygwin directory to ensure all the needed dll files are present.
Name your eEID Root Key - eid_root_key.bin (obtained via FW 3.55)
Name your NOR/NAND dump - dump.bin
Then place these in the cygwin folder as well, with the other stuff we just installed/added.
Then simply run IDPS Changer.exe and follow the instructions; this also allows changing your MAC address. After the app is done, simply rename dump_patched.bin to the following, depending on your flash type (NAND or NOR):
Nor model = CEX-FLASH.FULL.EID0.NORBIN
Nand model = CEX-FLASH.FULL.EID0.NANDBIN
Once you have named the file, copy it onto a flash drive, open mM and go to mMOS, then open the drive with the newly patched dump. Double click on it and wait for it to install. Once done, reboot your system, go back to mM and the settings, and look at your new MAC/IDPS on your freshly unbanned PS3.
Update: IDPSTool has become IDPSet, and v0.6 is now available (linked above) from Zar of the PS3Gunz French site.
With this new version, you can permanently change your console IDPS (NAND and NOR). You just have to run IDPSet on your CFW (with Eid Root Key and valid IDPS on your USB key).