PSGroove Payload Update: Decrypt PKGs from PUP Files Possible

131w ago - As a follow-up to his PS3 Hypervisor Reverse Engineering Progress report, today graf_chokolo has published on xorloser's blog (linked above) his updated PSGroove payload which now allows for decrypting PKGs from PS3 PUP files.

Download: Grafchokolo PSGroove Payload / Grafchokolo GIT

To quote: "So guys, I promised to you that I will made my PSGroove payload public.

I just uploaded it to github. Let me first explain how it works. I do not have much free time, so please do not expect me to explain every detail to you. The target group of this release are advanced programmers among you. The source code is not commented but it's clean, well structured and self-explaining.

My payload has 2 stages. The 1st stage is actually a PSGroove payload. It initializes the gelic device and allocates memory needed for the 2nd stage. Just compile the 1st stage binary, convert it to C hex array and replace the PSGroove payload.

The 2nd stage does the real job, e.g. decrypts a CORE_OS_PACKAGE.pkg from a PUP file, runs some isolated SPU module or dumps FLASH. The 2nd stage binary is sent to PS3 over Ethernet with "sendfile" which I also provided.

The 1st stage code receives this data and stores it in a memory region of size 64 kb. After the upload is complete, the 1st stage code jumps to the 2nd stage code and executes it. So, you have to program PSGroove only once and can just change the 2nd stage binary to execute different code.

In order to be able to run isolated SPUs, you first need to dump your FLASH memory.

Then extract these files from dump and after that you can use it e.g. to decrypt packages I described how to extract files from FLASH dump on my Hypervisor Reverse Engineering page.

To be able to decrypt packages from PUP file, first you need to extract a revoke list for packages from PUP file 3.41 e.g. (RL_FOR_PACKAGE.pkg).

Just extract it, convert it to C hex array and paste it into rvk_pkg_341.c. You have to do it yourself because i don't want any legal problems with SONY.

I didn't use any GameOS functions in my code because my goal is to reverse Hypervisor and I wanted to learn how to do it without GameOS. I don't plan to release any GameOS tools, so feel free to create new cool and helpful programs for GameOS using my code.

I'm using ppu toolchain for Linux provided by IBM to compile the source code.

I will try to answer any of your questions here. But please do not ask me questions like how to install ppu compiler or something like that. You will find everything on the Internet.

I don't have much time, so try to do as much as you can by yourself, you will benefit from it yourself. So, have fun guys"