PS3 Request IDPS Generator v1.0.0.0 By Rnd is Now Available

93w ago - Following up on the previous PS3 IDPS update, today PlayStation 3 homebrew developer Rnd (aka RndRandomizer) has released a Request IDPS Generator version 1.0.0.0 with details below.

Download: [Register or Login to view links]

From the ReadMe file: REQUEST IDPS Generator - v1.0.0.0 - Rnd

v1.0.0.0:

  • Initial Release

Features:

  • Generate a request_idps file
  • Get PerConsole Data (board ID, cid, ecid, kiban ID, ckp2_data, ckp_management_id)

Usage:

Just get your NAND/NOR dump and drop it in this application.

No more need for re-flashing the whole dump in order to convert EID.

Simply put, it makes it easier to use with ObjectiveSuites-SetIdps, and you don't have to gather it from Sony's server.

Put request_idps.txt in the Temp folder in ObjectiveSuites to set your request_idps, and you are done with flashing the new EID.

I'm not responsible for ANY DAMAGE it may cause! USE AT YOUR OWN RISK!

P.S. If somebody has a script to get the EID with ObjectiveSuites, it would be very kind of you to let me know; I will update the application.

Sincerely,
Rnd

Contact me at RndRandomizer

Finally, from zecoxao: Found it, now we can make our own request_idps files

request_idps.txt (hex) info by Scorpion2k7

name                 Start offset   Size (bytes)
per_console_serial   0              8
header               8              96

- Header structure

bytes   description
4       number of files (5)
4       length of entire file (value-8)
8       unknown (00 03 00 04 00 00 00 00)
(file table)
4       file position 1 (value-8)
4       file length 1
8       file id 1
4       file position 2 (value-8)
4       file length 2
8       file id 2
...

- File info

File 1 - 16 bytes - 00 12 00 02 00 00 00 00 00 00 00 00 00 00 00 00
File 2 - 2144 bytes - EID0
File 3 - 128 bytes - EID2 PBLOCK
File 4 - 48 bytes - EID4
File 5 - 2560 bytes - EID5
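To make the layout above concrete, here is an added Python parser and builder for request_idps.txt. It is example code written for this article, not Rnd's tool or Scorpion2k7's notes, and it adds the checks a practitioner would want before trusting such a file: the file count, the stored length field, every table entry staying inside the buffer, and the documented per-file sizes. Two things the notes leave open are treated as assumptions and marked as such in the code: fields are big-endian, and "value-8" means the stored number is the absolute offset (or total length) minus 8. The file ids are left at zero because the page does not say what they hold, and the EID payloads in the sample are constructed filler. Because the notes call the file "(hex)", the parser also accepts a hex-text dump and decodes it first.

```python
import struct

# Layout of request_idps.txt as documented in Scorpion2k7's notes above.
# ASSUMPTIONS not stated on the page: fields are big-endian, and "value-8"
# means the stored number is the absolute offset/length minus 8 (i.e. it is
# measured from the end of the 8-byte per_console_serial field).
ENDIAN = ">"
SERIAL_SIZE = 8
HEADER_OFFSET = 8
HEADER_SIZE = 96            # 16-byte fixed part + 5 table entries of 16 bytes
ENTRY_COUNT = 5
UNKNOWN_FIELD = bytes.fromhex("00 03 00 04 00 00 00 00")
FILE1_CONTENT = bytes.fromhex("00 12 00 02 00 00 00 00 00 00 00 00 00 00 00 00")
# (index, name, size) taken from the "File info" list.
FILE_INFO = [(1, "header blob", 16), (2, "EID0", 2144), (3, "EID2 PBLOCK", 128),
             (4, "EID4", 48), (5, "EID5", 2560)]
TOTAL_SIZE = SERIAL_SIZE + HEADER_SIZE + sum(size for _, _, size in FILE_INFO)  # 5000


class RequestIdpsError(ValueError):
    """Raised when the data does not match the documented layout."""


def to_raw(data: bytes) -> bytes:
    """Return raw bytes; if `data` is a hex-text dump, decode it first.
    (A raw file consisting only of ASCII hex digits would be misread, which
    is practically impossible given the header's binary fields.)"""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return data
    compact = "".join(text.split())
    if compact and len(compact) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in compact):
        return bytes.fromhex(compact)
    return data


def parse_request_idps(data: bytes) -> dict:
    """Parse and validate; returns {'serial': bytes, 'files': [entry, ...]}."""
    raw = to_raw(data)
    if len(raw) < SERIAL_SIZE + HEADER_SIZE:
        raise RequestIdpsError("shorter than serial + header")
    serial = raw[:SERIAL_SIZE]
    count, stored_len, unknown = struct.unpack_from(ENDIAN + "II8s", raw, HEADER_OFFSET)
    if count != ENTRY_COUNT:
        raise RequestIdpsError(f"expected {ENTRY_COUNT} files, header says {count}")
    if stored_len + 8 != len(raw):
        raise RequestIdpsError(f"length field {stored_len}+8 != actual size {len(raw)}")
    if unknown != UNKNOWN_FIELD:
        raise RequestIdpsError(f"unexpected header field {unknown.hex()}")
    entries = []
    table_pos = HEADER_OFFSET + 16
    for index, name, expected_size in FILE_INFO:
        rel_pos, length, file_id = struct.unpack_from(ENDIAN + "IIQ", raw, table_pos)
        start, end = rel_pos + 8, rel_pos + 8 + length   # undo the "value-8" encoding
        if end > len(raw):
            raise RequestIdpsError(f"file {index} runs past the end of the data")
        if length != expected_size:
            raise RequestIdpsError(f"file {index} ({name}) is {length} bytes, expected {expected_size}")
        entries.append({"index": index, "name": name, "offset": start,
                        "size": length, "file_id": file_id, "data": raw[start:end]})
        table_pos += 16
    if entries[0]["data"] != FILE1_CONTENT:
        raise RequestIdpsError("file 1 does not hold the documented constant")
    return {"serial": serial, "files": entries}


def build_request_idps(serial: bytes, eid0: bytes, eid2_pblock: bytes,
                       eid4: bytes, eid5: bytes, file_ids=(0, 0, 0, 0, 0)) -> bytes:
    """Inverse of the parser: pack the five payloads behind the header.
    file_ids default to zero because the page does not document their values."""
    if len(serial) != SERIAL_SIZE:
        raise RequestIdpsError("serial must be 8 bytes")
    payloads = [FILE1_CONTENT, eid0, eid2_pblock, eid4, eid5]
    for (index, name, expected_size), payload in zip(FILE_INFO, payloads):
        if len(payload) != expected_size:
            raise RequestIdpsError(f"{name} must be {expected_size} bytes")
    total = SERIAL_SIZE + HEADER_SIZE + sum(len(p) for p in payloads)
    header = struct.pack(ENDIAN + "II8s", ENTRY_COUNT, total - 8, UNKNOWN_FIELD)
    table, abs_pos = b"", SERIAL_SIZE + HEADER_SIZE
    for payload, file_id in zip(payloads, file_ids):
        table += struct.pack(ENDIAN + "IIQ", abs_pos - 8, len(payload), file_id)
        abs_pos += len(payload)
    return serial + header + table + b"".join(payloads)


def sample_file() -> bytes:
    """Constructed sample: fake serial and filler EID payloads, not real console data."""
    return build_request_idps(b"\x01\x02\x03\x04\x05\x06\x07\x08",
                              b"\xaa" * 2144, b"\xbb" * 128, b"\xcc" * 48, b"\xdd" * 2560)


if __name__ == "__main__":
    for f in parse_request_idps(sample_file())["files"]:
        print(f"file {f['index']} {f['name']:<12} @ {f['offset']:5d} size {f['size']}")
```

Run stand-alone, it prints the five table entries of the constructed sample: file 1 at offset 104, EID0 at 120, EID2 PBLOCK at 2264, EID4 at 2392 and EID5 at 2440, for a 5000-byte file. The strict size checks are deliberate: a file whose table disagrees with the documented sizes is more likely a wrong or truncated dump than a new format variant, and rejecting it is safer than flashing from it.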

Finally, below is a brief guide from Abkarino:

1 - Dump your NAND/NOR flash using a memDump tool, or a hardware flasher if you are on a higher firmware.
2 - Drag this dump into Request IDPS generator tool to generate the request_idps.txt file.
3 - Set your PC IP Address to: 192.168.0.100 and sub net mask to 255.255.255.0.
4 - Enter a FSM using any dongle/software method you like.
5 - Connect your PS3 to your PC directly using Ethernet cable.
6 - Find the old leaked CEX2DEX conversion tools that contain ObjectiveSuite-SetIDPS.
7 - Copy all files from the conversion folder onto a flash drive and put it in the right USB slot on your PS3.
8 - On your PC, copy the generated request_idps.txt into the TEMP folder inside the ObjectiveSuite-SetIDPS folder.
9 - Start ObjectiveSuite.exe then power up your PS3.
10 - Wait for about 1 min and you will see a "PASS" message in ObjectiveSuite.
11 - Now turn off your console.
12 - Flash any 3.55 CFW DEX.
13 - While in FSM, remarry your BD drive using the 3.30 DEX PUP + 3.55 remarry tools from the Wiki.
14 - Exit FSM, and you now have a fully functional DEX machine.

From eussNL via IRC: patch SSL, use REQUEST IDPS Generator, lay back bored (since what happens with SetIDPS isn't really a true conversion, because you just write your own EID to the NOR/NAND).

Comments (40)

#40 - scousetomo - 42w ago
I've got a working PS3 ID; is there any tool available to use without a flasher? I'm on harib 4.50 CFW now on a banned slim, but the ID is off a fat unbanned one.

#39 - zant - 42w ago
Can somebody make a working NAND version, please? I have been waiting to use something like this for a while now since Joris' didn't work.

#38 - JAYRIDER666 - 42w ago
I tried, but PSNope 1.05 doesn't work on my Rogero 4.46.

Also from zecoxao: Obtaining Packet IDs from Game_OS Syscall Interfaces The Easy Way (RE)

What is required:

  • IDA
  • PS3 Elf Loader
  • Kakaroto's analyze_self64.idc
  • Notepad++
  • lv1.self.elf processes (see SELFs inside ELFs on devwiki)
  • HxD

Tutorial:

Obtain the processes through the table at 0x1D0000 (regular elf) or 0x1F0000 (factory elf), and extract them.

Load each through IDA with the PS3 Elf Loader. Never undefine the database, and use kakaroto's idc to correctly define the offsets. At the end, define the RTOC value in IDA's preferences.

Export each database to an assembly file.

Open the assembly file in IDA (any of them) and search for this:

The sub HAS to contain only that instruction AND a blr.

Save the offsets in each sub for each asm file. Now go to IDA and load any process elf. Go to the specified offset (pick any). Go to the function, highlight it in IDA-View and press Ctrl-X (xrefs); it'll show a list of possible xrefs (most of them are Packet IDs).

Credits:

Hykem, for the work being currently done
deroad, for the help at the weekends
and of course, graf chokolo

Here's a list of offsets of the get_* functions from factory JIG lv1

Download: [Register or Login to view links]

I'll start using this thread to post my findings, even if they are off-topic.. for starters:

There are a lot of these under special areas of the PS3. Here are a few examples.

The per-console nonce is also an interesting bit to watch. It's in metldr, bootldr, eid0, eid3 and eid5. The per-console revision key, however, is only in 4 of these and not in eid3.

[Need Testers] Get logs from initialization with Juan Nadie's bootldr exploit

So yesterday I had a very interesting conversation with a friend of mine from IRC. He had a theory about the initialization of the PS3. He also had logs, obtained from a modification of Juan Nadie's bootldr exploit. Unfortunately, he had to format the HDD, so the logs were lost. And this happened a long time ago.

Right now we're trying to reproduce the same thing. So far:

I've uncommented line 912 ( //createLog(0); )
I've added these lines:

} else if (page >= (FLASH_SEGMENT + FLASH_OFFSET + BOOTLOADER_OFFSET) && page

#37 - dyceast - 42w ago
PSNope 1.05 is all you need.

Also from zecoxao: Dump Sysrom and the masked bootldr on NANDs

As you can see here (psdevwiki.com/ps3/Talk:Sysrom.bin), dump sysrom was originally released by glevand in an attempt to dump the bootldr in his MFW OTHEROS++. He could do it with graf's payload, so he originally thought of porting it over to psl1ght and trying it on OTHEROS++. The thing is, there is some patch that breaks this, and he failed to find out the cause. As an alternative, memdump was released, and so an alternative method was developed for it (maybe it's the same method, but I don't know for sure).

So, what is the purpose of dump sysrom?

Well, like I said before, it dumps the bootldr (the system ROM) located at address 0x2401FC0000 on NANDs (in the reset vector and mapped in MMIO), and at some other address on NOR, which doesn't matter because we can fully dump NOR, bootldr included, anyway.

I decided to test it one last time, to see if it'd work differently from the expected FF FF FF FF 80 01 00 03 (not implemented) error, but this time by launching the self on Rebug 4.46. It turns out it dumped the bootldr in its encrypted form on my NAND. Great!

To anyone else who decided to do something constructive with this information: I've asked sguerrini97 to set up a GitHub repository of what we successfully ported to psl1ght v2 (which wasn't much).

It's called psl1ghtv2_ports, and contains some of the code used by glevand in the early days of the scene.

[Register or Login to view links]

To anyone concerned who wants to include this piece of code: take into consideration that you need lv1 peek/poke in order to achieve this. Also, dumping random MMIO offsets is very fun to do and you might encounter something cool.

Finally, from mind: I just compiled dump_sysrom.self and ran it on my CECHA01 (NAND) console. Works great. I'm using 4.55 CFW and multiMAN v4.55.00 to run the self.

Download: [Register or Login to view links]

I just made a standalone pkg and it works great on 4.55 cfw, without multiman. Thanks.

Download: [Register or Login to view links]

I just tested preloader advance too. I dumped my NAND (Backuprflash.bin), 256MB.

I expected two bootldrs on it, but... there are no bootldrs on that "backup".

#36 - JAYRIDER666 - 42w ago
I have a working IDPS but I have no program to put it on my PS3 with CFW Rogero 4.46. Can anyone help?

Also below are some notes on VTRM crypto and Blu-ray playback from zecoxao:

This is already known info, but I figured I'd make it into a nice post, so let's start.

There are two VTRM blocks at the flash. Each block corresponds to each ros. Essentially one VTRM is a backup of the other.

Inside the VTRM block there are encrypted blocks; there might be 4, 5, 6, etc. blocks. We don't know why the number of blocks changes. The blocks have a size of 0x40 bytes.

There are two ways to decrypt the blocks: using AES-XTS with sherwood_ss_seed and ss_seed_one_more, OR (recommended) using AES-CBC with keyseed_for_srk2.

Method is the following:

First, encrypt the root key with the sc_iso metadata seeds (key is at 0x20, size 0x10, IV is at 0x10). Then encrypt (pick one) either sherwood_ss_seed (for data) and ss_seed_one_more (for tweak), or keyseed_for_srk2 (this is a string used as a seed), with AES-CBC-128 to obtain the block key (IV is 0).

After obtaining the data and tweak keys (or the block key) use the keys and decrypt each block.

Most of the blocks contain nothing inside, except for the very first one.

The first block contains a hash of DRL (0x14 bytes) followed by a hash of CRL (0x14 bytes), in SHA-1 format. If you just remarried your console, you can fix Blu-ray playback by replacing the hashes there with the ones you currently have.

There's another set of hashes in plain sight, and they're probably all SHA-1. The first hash is repeated in a set of patterns, the second hash is cleverly hidden among the patterns, and the third hash is at the VTRM header. Corruption of these hashes is very likely to cause RSOD. There has been a debate whether replacing a corrupted hash with another equal hash would be advisable (it fixes the RSOD error, but we don't know the direct consequences of this).

Oh, forgot the link to glevand's mastery: psdevwiki.com/ps3/Fixing_DRL_and_CRL_Hashes

I just had a word with flatz: two of the 3 hashes can be calculated already:

Empty sector:

u$er, I asked you about the method to dump srk and srh, but unfortunately, even with your help, I wasn't able to dump the data. Running the code with your pokes hangs at a black screen. If you're interested in sharing that package to dump srk and srh, that would be very cool of you.

From u$er: the prx has been tested on 4.46 DEX in debug mode. It should work on CEX as well, but you won't see any result... just connect to port 4546 and type "dumpsrk".

Download: [Register or Login to view links] (load with prx loader) / pastie.org/private/kfbm2w1dzjddczxvdonba (src)

It should look like this:

From zecoxao: Thanks u$er. I got the encrypted srk, srh, and something else.

Alright, here's the structure of the decrypted data (I'm going to upload the algorithm to generate the backup key and IV to decrypt the data using AES-CBC to my decrypt_tools).

The first 0x10 bytes of data are unknown; we don't know what they are, basically. Then comes srh, then srk, and finally padding of 8 zeroes. I've verified this myself.

Now what's left to analyze are those 0x10 bytes. flatz wondered if they could be some master key, but I highly doubt it. Either way, it's worth checking out.

Edit: srh is the hash of the signature table (the giant table with the repeated hashes and the hidden one), hashed with the srk key.

Edit2: the header hash is just an HMAC-SHA1 of an HMAC-SHA1 of the VTRM section without header (0x28 bytes) and the signature table (again with the srk key, hashed twice).

More info from flatz: syscon data (total size: 0x400 bytes) includes:

management block:
0x00 - syscon state/status (0x10 bytes with padding)

root info block:
0x10 - key (0x10 bytes)
0x20-0x34 - srh (0x14 bytes)
0x34-0x48 - srk (0x14 bytes)
0x48-0x50 - padding

???:
0x50-0x80: encrypted stuff (???)

updater block/region data block:
0x80-0x380 - system version, coreos hashes (?), etc.
each block has a size of 0x30 bytes (?)

From zecoxao:

This is the block key.

Those are hashes of SC Encrypt Keys using CMAC/OMAC1 mode. They probably use this key:

To generate the hash.

eeprom: [Register or Login to view links]

The INDEXAREAISHERE parts are written like that because they might (or not) have to do with perconsole info, so they were left like that.

© 2014 PlayStation 3 News