PS3 SCETool v0.2.7 by Naehrwert Updated, Adds Local NP License


101w ago - Following up on his previous release, today PlayStation 3 developer naehrwert (with flat_z's help) has updated PS3 SCETool v0.2.7 which adds local NP license handling among the changes outlined below.

Download: PS3 SCETool v0.2.7 / ZLib1.dll File (Required) / PS3 SCETool GUI / PS3 SCETool v0.2.7 (Full) / PS3 SCETool Scripts

scetool 0.2.7 [public build] (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

Setup:

  • /data/keys : Keyfile.
  • /data/ldr_curves : Loader curves (7744 bytes).
  • /data/vsh_curves : VSH curves (360 bytes).
  • /data/idps : IDPS as binary file
  • /data/act.dat : act.dat
  • /rifs/* : *.rif files
  • /raps/* : *.rap files

Keyfile format:

Keyset example:

NPDRM key(set) names:

  • [NP_tid]: Title ID OMAC1 key.
  • [NP_ci]: Control info OMAC1 key.
  • [NP_klic_free]: Free klicensee.
  • [NP_klic_key]: klicensee key.
  • [NP_idps_const]: IDPS constant.
  • [NP_rif_key]: rif key.
  • [NP_sig]: Footer signature ECDSA keyset.

Help text:

Version 0.2.7:

  • Added local NP license handling.
  • Added option to override klicensee.
  • Added option to disable section skipping (in SELF generation).

Regarding the PS3 SCETool Scripts (linked above): This is a nice little set of batch scripts that someone made to work along side SCETool.

Use the GETSELFINFO.bat to figure out what version your EBOOT (my copy of Resistance 3 was ver. 3.65) is which helped explain why some EBOOTs couldn't be modified. Don't forget to grab the Conent ID if you're changing the EBOOT from an update.

Finally, in related news keperfear has made a GUI for SCETool stating that you will need to have at least .Net 3.0 Framework installed to use it.




Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 231 Comments - Go to Forum Thread »

Quick Reply Quick Reply

JOshISPoser's Avatar
#41 - JOshISPoser - 83w ago
if that was to me, it doesn't make sense.

eh, whatever. i know it's not exactly for me, i was just wondering the possibilities but i'm guessing it's not something easily explained in a sentence or two in laymen terms.

xrayglasses's Avatar
#40 - xrayglasses - 83w ago
You don't need a lv1 exploit, it can glitch HTAB..

JOshISPoser's Avatar
#39 - JOshISPoser - 83w ago
what does all that mean?

PS3 News's Avatar
#38 - PS3 News - 83w ago
Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

From Mathieulh (via pastebin.com/naxXkv3M):

The footer signature is still not checked upon npdrm self files execution as of 4.21.

Because kakaroto says something that doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.

Of course they do whitelist npdrm now so even if the footer isn't checked you cannot run your own npdrm selfs signed with keyset lower than 0x0D making the whole debate rather pointless. Aditional checks are now performed on the actual file format as well such as the segment counter flag that needs to be set to 0x01 except for the very last segment.

Finally, from KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too . The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA.

Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^

I didn't managed to make it work on 4.21 so I just did on 4.20

More PlayStation 3 News...

Ezio's Avatar
#37 - Ezio - 85w ago
The last versions of scetool work fine also without zlib1.dll, I tested them myself.













Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News