This weekend Sony PlayStation 3 hacker naehrwert released, via Twitter, a PS3 SCETool based on the fail0verflow tools, an isolated SPU binary POC dubbed Friday, and some work-in-progress EIDTool updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc.
Friday (C) 2011 by naehrwert - This is a POC for an isolated SPU binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S blocks from it, which are used to pair the BD drive to the specific console. You can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.
Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is sent from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives, the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives, the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.
[NP_tid]: Title ID OMAC1 key.
[NP_ci]: Control info OMAC1 key.
[NP_klic_free]: Free klicensee.
[NP_klic_key]: Klicensee key.
[NP_sig]: Footer signature ECDSA keyset.
USAGE: scetool [options] command
COMMANDS                Parameters                     Explanation
-h, --help                                             Print this help.
-k, --print-keys                                       List keys.
-i, --print-infos       file_in                        Print SCE file info.
-d, --decrypt           file_in file_out               Decrypt/dump SCE file.
-e, --encrypt           file_in file_out               Encrypt/create SCE file.
OPTIONS                 Possible Values                Explanation
-v, --verbose                                          Enable verbose output.
-r, --raw                                              Enable raw value output.
-0, --sce-type          SELF/RVK/PKG/SPP               SCE File Type
-1, --compress-data     TRUE/FALSE(default)            Whether to compress data or not.
-2, --key-revision      e.g. 00,01,...,0A,...          Key Revision
-m, --meta-info                                        Use provided meta info to decrypt.
-3, --self-auth-id      e.g. 1010000001000003          Auth ID
-4, --self-vendor-id    e.g. 01000002                  Vendor ID
-5, --self-type         LV0/LV1/LV2/APP/ISO/LDR/NPDRM  SELF Type
-6, --self-fw-version   e.g. 0003004100000000          Firmware Version
-7, --self-add-shdrs    TRUE(default)/FALSE            Whether to add ELF shdrs or not.
-8, --self-ctrl-flags                                  Override control flags.
-9, --self-cap-flags                                   Override capability flags.
-b, --np-license-type   FREE                           License Type
-c, --np-app-type       SPRX/EXEC/UPDATE               App Type
-f, --np-content-id                                    Content ID
-g, --np-real-fname     e.g. EBOOT.BIN                 Real Filename
-j, --np-add-sig        TRUE/FALSE(default)            Whether to add a NP sig. or not.
Added option to use provided metadata info for decryption.
"PS3" path environment variable will now be searched for keys/ldr_curves/vsh_curves too.
Added option to display raw values.
Moved factory Auth-IDs to (as they are on ps3devwiki now).
Added options to override control/capability flags (32 bytes each).
Fixed a bug where a false keyset would crash scetool when decrypting a file.
Some source level changes and optimizations.
zlib is required to use scetool.
'sdk_type' was changed to 'revision' in data/keys.
It's just a great tool, a bit difficult to use for the average user. It is a multi-tool based on the fail0verflow tools, and mainly it allows you to encrypt/decrypt any elf/self with the known keys so far. I'm very glad the coder naehrwert makes it public for all developers and not. I take this opportunity to thank him publicly.