Following up on his previous revision, PlayStation 3 developer naehrwert has today released PS3 SCETool v0.2.5, which can use provided metadata information for decryption, among the other changes outlined below.
Download: PS3 SCETool v0.2.5 / ZLib1.dll file (required)
scetool 0.2.5 public build (C) 2011-2012 by naehrwert
Setup:
- /data/keys : Keyfile.
- /data/ldr_curves : Loader curves (7744 bytes).
- /data/vsh_curves : VSH curves (360 bytes).
Keyfile format:
[keyname]
type={SELF, RVK, PKG, SPP, OTHER}
revision={00, ..., 18, 8000}
version={..., 0001000000000000, ...}
self_type={LV0, LV1, LV2, APP, ISO, LDR, UNK_7, NPDRM}
key=...
erk=...
riv=...
pub=...
priv=...
ctype=...

Keyset example:
[metldr]
type=SELF
revision=00
self_type=LDR
erk=0000000000000000000000000000000000000000000000000000000000000000
riv=00000000000000000000000000000000
pub=00000000000000000000000000000000000000000000000000000000000000000000000000000000
priv=000000000000000000000000000000000000000000
ctype=00
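An added example (not scetool's own code) that parses this keyfile format and sanity-checks a keyset before it is used. The [name]/key=value grammar and the field widths (erk 32 bytes, riv 16, pub 40, priv 21, ctype 1) are assumptions read off the [metldr] keyset above; a wrong-width or non-hex field is reported instead of being silently fed into decryption.

```python
"""Parse and sanity-check a scetool-style keyfile (data/keys). Added example, not scetool's own code."""
import re

# Hex-encoded field widths in bytes, read off the page's [metldr] example (assumed format).
FIELD_BYTES = {"erk": 32, "riv": 16, "pub": 40, "priv": 21, "ctype": 1}
TYPES = {"SELF", "RVK", "PKG", "SPP", "OTHER"}
SELF_TYPES = {"LV0", "LV1", "LV2", "APP", "ISO", "LDR", "UNK_7", "NPDRM"}

def parse_keyfile(text):
    """Return {keyname: {field: value}} from the INI-like [name] / key=value format."""
    keysets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = keysets.setdefault(header.group(1), {})
        elif current is None or "=" not in line:
            raise ValueError(f"line outside a [keyset] or without '=': {raw!r}")
        else:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return keysets

def check_keyset(name, ks):
    """Return the problems found in one keyset; an empty list means it is well-formed."""
    problems = []
    if ks.get("type") not in TYPES:
        problems.append(f"{name}: unknown type {ks.get('type')!r}")
    if ks.get("type") == "SELF" and ks.get("self_type") not in SELF_TYPES:
        problems.append(f"{name}: unknown self_type {ks.get('self_type')!r}")
    for field, nbytes in FIELD_BYTES.items():
        val = ks.get(field)
        # Each field must be exactly 2*nbytes hex digits; anything else is rejected.
        if val is not None and not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * nbytes), val):
            problems.append(f"{name}: {field} must be {nbytes} bytes of hex")
    return problems

# Constructed sample: the page's all-zero [metldr] placeholder keyset.
SAMPLE = "\n".join(["[metldr]", "type=SELF", "revision=00", "self_type=LDR",
                    "erk=" + "0" * 64, "riv=" + "0" * 32, "pub=" + "0" * 80,
                    "priv=" + "0" * 42, "ctype=00"])

if __name__ == "__main__":
    for name, ks in parse_keyfile(SAMPLE).items():
        print(name, check_keyset(name, ks) or "OK")
```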
NPDRM key(set) names:
- [NP_tid]: Title ID OMAC1 key.
- [NP_ci]: Control info OMAC1 key.
- [NP_klic_free]: Free klicensee.
- [NP_klic_key]: Klicensee key.
- [NP_sig]: Footer signature ECDSA keyset.
Help text:
USAGE: scetool [options] command
COMMANDS                Parameters                     Explanation
 -h, --help                                            Print this help.
 -k, --print-keys                                      List keys.
 -i, --print-infos      file_in                        Print SCE file info.
 -d, --decrypt          file_in file_out               Decrypt/dump SCE file.
 -e, --encrypt          file_in file_out               Encrypt/create SCE file.

OPTIONS                 Possible Values                Explanation
 -v, --verbose                                         Enable verbose output.
 -r, --raw                                             Enable raw value output.
 -0, --sce-type         SELF/RVK/PKG/SPP               SCE File Type
 -1, --compress-data    TRUE/FALSE(default)            Whether to compress data or not.
 -2, --key-revision     e.g. 00,01,...,0A,...          Key Revision
 -m, --meta-info                                       Use provided meta info to decrypt.
 -3, --self-auth-id     e.g. 1010000001000003          Auth ID
 -4, --self-vendor-id   e.g. 01000002                  Vendor ID
 -5, --self-type        LV0/LV1/LV2/APP/ISO/LDR/NPDRM  SELF Type
 -6, --self-fw-version  e.g. 0003004100000000          Firmware Version
 -7, --self-add-shdrs   TRUE(default)/FALSE            Whether to add ELF shdrs or not.
 -8, --self-ctrl-flags                                 Override control flags.
 -9, --self-cap-flags                                  Override capability flags.
 -b, --np-license-type  FREE                           License Type
 -c, --np-app-type      SPRX/EXEC/UPDATE               App Type
 -f, --np-content-id                                   Content ID
 -g, --np-real-fname    e.g. EBOOT.BIN                 Real Filename
 -j, --np-add-sig       TRUE/FALSE(default)            Whether to add a NP sig. or not.

History:
Version 0.2.5:
- Added option to use provided metadata info for decryption.
- "PS3" path environment variable will now be searched for keys/ldr_curves/vsh_curves too.
Version 0.2.4:
- Added option to display raw values.
- Moved factory Auth-IDs to (as they are on ps3devwiki now).
Version 0.2.2:
- Added options to override control/capability flags (32 bytes each).
- Fixed a case where a false keyset would crash scetool when decrypting a file.
- Some source level changes and optimizations.
Version 0.2.1:
- zlib is required to use scetool.
- 'sdk_type' was changed to 'revision' in data/keys.
Greetings to: you know who you are!
Once you get a stable execution (hint: ROP) you can glitch HTAB entries and do anything except persistent root, because bootldr couldn't even be figured out by the fa1loverflow team..
If you're looking for a lv1 exploit you'll never get anywhere unless you get a talented RE person with a lot of time, and since it's obvious Linux means less than piracy in the PS3 scene, that isn't likely to happen..
I still prefer to use 0xFACEBOOC instead of 0xABADCAFE lol
So the payload which has been loaded there is being overwritten before it has been read, and is deleted. So if you could somehow make the PS3 read from the stack, or load the payload just before the stack gets read, the payload would be loaded and you would have a new jailbreak.