106w ago - This weekend, via Twitter, Sony PlayStation 3 hacker naehrwert released a PS3 SCETool based on the fail0verflow tools, an isolated SPU binary POC dubbed Friday, and some work-in-progress EIDTool updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc.
Friday (C) 2011 by naehrwert - This is a POC for an isolated SPU binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S block from it, that is used to pair the BD drive to the specific console. You can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.
Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is sent from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.
[NP_tid]: Title ID OMAC1 key.
[NP_ci]: Control info OMAC1 key.
[NP_klic_free]: Free klicensee.
[NP_klic_key]: klicensee key.
[NP_idps_const]: IDPS constant.
[NP_rif_key]: rif key.
[NP_sig]: Footer signature ECDSA keyset.
USAGE: scetool [options] command
COMMANDS                Parameters                     Explanation
-h, --help                                             Print this help.
-k, --print-keys                                       List keys.
-i, --print-infos       file_in                        Print SCE file info.
-d, --decrypt           file_in file_out               Decrypt/dump SCE file.
-e, --encrypt           file_in file_out               Encrypt/create SCE file.
OPTIONS                 Possible Values                Explanation
-v, --verbose                                          Enable verbose output.
-r, --raw                                              Enable raw value output.
-0, --sce-type          SELF/RVK/PKG/SPP               SCE File Type
-1, --compress-data     TRUE/FALSE(default)            Whether to compress data or not.
-s, --skip-sections     TRUE(default)/FALSE            Whether to skip sections or not.
-2, --key-revision      e.g. 00,01,...,0A,...          Key Revision
-m, --meta-info                                        Use provided meta info to decrypt.
-3, --self-auth-id      e.g. 1010000001000003          Authentication ID
-4, --self-vendor-id    e.g. 01000002                  Vendor ID
-5, --self-type         LV0/LV1/LV2/APP/ISO/LDR/NPDRM  SELF Type
-6, --self-fw-version   e.g. 0003004100000000          Firmware Version
-7, --self-add-shdrs    TRUE(default)/FALSE            Whether to add ELF shdrs or not.
-8, --self-ctrl-flags   32 bytes                       Override control flags.
-9, --self-cap-flags    32 bytes                       Override capability flags.
-b, --np-license-type   LOCAL/FREE                     License Type
-c, --np-app-type       SPRX/EXEC/UPDATE               App Type
-f, --np-content-id                                    Content ID
-l, --np-klicensee      16 bytes                       Override klicensee.
-g, --np-real-fname     e.g. EBOOT.BIN                 Real Filename
-j, --np-add-sig        TRUE/FALSE(default)            Whether to add a NP sig. or not.
Added local NP license handling.
Added option to override klicensee.
Added option to disable section skipping (in SELF generation).
Regarding the PS3 SCETool Scripts (linked above): This is a nice little set of batch scripts that someone made to work alongside SCETool.
Use the GETSELFINFO.bat to figure out what version your EBOOT is (my copy of Resistance 3 was ver. 3.65), which helped explain why some EBOOTs couldn't be modified. Don't forget to grab the Content ID if you're changing the EBOOT from an update.
Finally, in related news keperfear has made a https://anonfiles.com/file/a17421e036198d752dac48901e8b6208 stating that you will need to have at least .Net 3.0 Framework installed to use it.