Video: PS3 Unbanning IDPS Proj3ct by Labuse and Raymanvtwo


81w ago - Following up on the PS3 IDPS Viewer, PS3 Request IDPS Generator and PS Unban, today French PlayStation 3 homebrew developers Labuse and Raymanvtwo have shared a video introducing their latest PS3 unbanning project, IDPS Proj3ct.

To quote, roughly translated:

This process involves modifying the flash memory of your PS3, so be aware of the risk involved: you will be the one responsible for any damage.

1 - It is free.
2 - It does not provide an IDPS.
3 - One change per member (we archive the R_K to keep track of every job).
4 - No ODE or other device is required to benefit from this service.
5 - Do not buy an IDPS; obtain it by your own means. We do not provide a repair service for any failure or brick. If you do not have access to PSN/SEN after our intervention, you probably have a stolen IDPS; we test the validity of the IDPS before making the change.
6 - We do not store valid IDPS for our own use, and even less for resale.
7 - No, Sony does not unban a person over a simple phone call; that is totally false.
8 - No, it is not a simple change with a hex editor, and it is not enough to change the IDPS only at the known offsets.

To start, here are the essential conditions to be fulfilled before you make the final change of IDPS:

1 - Your console is banned from PSN
2 - Your console is already hacked (CFW)
3 - You have a valid IDPS to provide as the replacement

If you do not meet any of these conditions, there is no need to go further... but if all the conditions are met, we will be able to do something for you. Before that, take the time to read all the explanations below!

PS3 IDPS FAQ:

What is IDPS Proj3ct?

It unbans your console from SEN/PSN by actually modifying its flash memory.

How do I know whether it is my PSN account or my console ID that is banned?

If you get this message at PSN sign-in: "Access denied or temporarily suspended for this system", then your console ID is banned.

Which PS3 models are targeted by the ID modification with IDPS Proj3ct?

All Fat and Slim models on CFW (before the 3000 series).

For whom is this IDPS change service free?

Everyone, provided the three key points above are met; no ODE or flasher is required to make the change.

Why do you not provide an IDPS?

For 2 reasons. The first is that for the time being we cannot yet generate non-original identifiers, so they must be found genuine and valid, and they are rare and valuable; however, work is in progress to try to remedy this problem. The second is that CFW consoles connecting to PSN are too easily spotted, and we cannot afford to lose identifiers for a few hours/days of online gaming.

Why is IDPS Proj3ct not distributed freely?

Because the conversion of the dump is difficult and requires good knowledge in this field; any approximation leads directly to a bricked console. Also, to avoid unscrupulous outfits that would make a business of earning money with our work, we want it to stay free for the community, and so we offer it to you as a service.

Secondly, because making this change public could seriously undermine all PS3 OFW users, and it is this reason alone that motivated the choice of delivery method!





How is the definitive IDPS change going to happen?

1) Go to [APPLICATION] IDPS PROJ3CT (ps-addict.fr/forum/post96895.html#p96895) to post your formal request for an IDPS change, stating:

PS3 Slim 320 GB / Fat 40 GB, etc.
Model: CECH.....
CFW installed:
Level of PS3 knowledge (beginner / intermediate / expert)

2) Wait for an answer considering your request.

3) After acceptance of your request in the post in question, you can send your files, BUT only by PM to Labuse or Raymanvtwo:

  • Your Root_Key
  • Your dump made with MM
  • Your IDPS (recovered from a dead console, for example)
  • A picture of your system properties in multiMAN

Note: you will find the method and tools to recover these different elements in the [TUTORIAL] IDPS PROJ3CT (ps-addict.fr/forum/post96894.html#p96894).

4) We first check the actual validity of your IDPS, then proceed to the actual change of the IDPS in your dump. We send it back by PM within 2 to 4 days max.

5) You re-flash your PS3 with multiMAN using the dump you got back.

6) You still have to format your PS3 to erase all traces of CFW use, and then you can install the OFW update: your console is unbanned from SEN/PSN! Attention: any use of PSN on CFW after the unban will put your console back in the same situation a few hours/days later... and I remind you that we make only one change per console! Enjoy!







#39 - zant - 54w ago
Can somebody make a working NAND version, please? I have been waiting to use something like this for a while now since Joris' didn't work.

#38 - JAYRIDER666 - 54w ago
I tried, but PS Nope 1.05 doesn't work on my Rogero 4.46.

Also from zecoxao: Obtaining Packet IDs from Game_OS Syscall Interfaces The Easy Way (RE)

What is required:

  • IDA
  • PS3 Elf Loader
  • Kakaroto's analyze_self64.idc
  • Notepad++
  • lv1.self.elf processes (see SELFs inside ELFs on devwiki)
  • HxD

Tutorial:

Obtain the processes through the table at 0x1D0000 (regular elf) or 0x1F0000 (factory elf) and extract them.

Load each one in IDA with the PS3 Elf Loader. Never undefine the database; use kakaroto's idc to correctly define the offsets. Finally, set the RTOC value in IDA's preferences.

Export each database to an assembly file.

Open the assembly file (any of them) and search for this:

[Register or Login to view code]

The sub HAS to contain only that instruction AND a blr.

Save the offsets of each such sub for each asm file. Now go back to IDA and load any process elf. Go to the specified offset (pick any), go to the function, highlight it in IDA-View and press Ctrl-X (xrefs): it will show a list of xrefs, most of which are Packet IDs.

Credits:

Hykem, for the work being currently done
deroad, for the help at the weekends
and of course, graf chokolo

Here's a list of offsets of the get_* functions from factory JIG lv1

Download: [Register or Login to view links]

I'll start using this thread to post my findings, even if they are off-topic. For starters:

[Register or Login to view code]

There are a lot of these under special areas of the PS3. Here are a few examples.

[Register or Login to view code]

The per-console nonce is also an interesting bit to watch. It's in metldr, bootldr, eid0, eid3 and eid5. The per-console revision key, however, is only in 4 of these and not in eid3.

[Need Testers] Get logs from initialization with Juan Nadie's bootldr exploit

So yesterday I had a very interesting conversation with a friend of mine from IRC. He had a theory about the initialization of the PS3. He also had logs, obtained from a modification of Juan Nadie's bootldr exploit. Unfortunately, he had to format the HDD, so the logs were lost. And this happened a long time ago.

Right now we're trying to reproduce the same thing. So far:

I've uncommented line 912 (//createLog(0);) and added these lines:
[code]
} else if (page >= (FLASH_SEGMENT + FLASH_OFFSET + BOOTLOADER_OFFSET) && page

#37 - dyceast - 54w ago
PSNope 1.05 is all you need.

Also from zecoxao: Dump Sysrom and the masked bootldr on NANDs

As you can see here (psdevwiki.com/ps3/Talk:Sysrom.bin), dump_sysrom was originally released by glevand in an attempt to dump the bootldr in his MFW OTHEROS++. He could do it with graf's payload, so he originally thought of porting it over to PSL1GHT and trying it on OTHEROS++. The thing is, there is some patch that breaks this, and he failed to find out the cause. As an alternative, memdump was released, and an alternative method was developed for it (maybe it's the same method, but I don't know for sure).

So, what is the purpose of dump_sysrom?

Well, like I said before, it dumps the bootldr (the system ROM) located at address 0x2401FC0000 on NANDs (in the reset vector and mapped in MMIO) and at some other address on NOR, which doesn't matter because we can fully dump NOR, bootldr included, anyway.

I decided to test it one last time, to see if it'd work differently from the expected FF FF FF FF 80 01 00 03 (not implemented) error, but this time by launching the self on Rebug 4.46. It turns out it dumped the bootldr in its encrypted form on my NAND. Great!

To anyone else who decides to do something constructive with this information: I've asked sguerrini97 to set up a GitHub repository of what we successfully ported to PSL1GHT v2 (which wasn't much).

It's called psl1ghtv2_ports, and contains some of the code used by glevand in the early days of the scene.

[Register or Login to view links]

To anyone concerned, anyone who wants to include this piece of code: take into consideration that you need lv1 peek/poke in order to achieve this. Also, dumping random MMIO offsets is very fun to do and you might encounter something cool.

Finally, from mind: I just compiled dump_sysrom.self and ran it on my CECHA01 (NAND) console; it works great. I'm using 4.55 CFW and multiMAN v4.55.00 to run the self.

Download: [Register or Login to view links]

I just made a standalone pkg and it works great on 4.55 CFW, without multiMAN. Thanks.

Download: [Register or Login to view links]

I just tested Preloader Advance too. I dumped my NAND (Backuprflash.bin), 256 MB.

I expected two bootldrs in it, but... there are no bootldrs in that "backup".

#36 - JAYRIDER666 - 54w ago
I have a working IDPS but I have no program to put it on my PS3 (CFW Rogero 4.46). Can anyone help?

Also below is some VTRM crypto and Blu-ray playback info from zecoxao, as follows:

This is already known info, but I figured I'd make it into a nice post, so let's start.

There are two VTRM blocks in the flash. Each block corresponds to one ROS. Essentially one VTRM is a backup of the other.

Inside the VTRM block there are encrypted blocks. There might be 4, 5, 6, etc. blocks; why the number of blocks changes we don't know. The blocks have a size of 0x40 bytes.

There are two ways to decrypt the blocks: using AES-XTS with sherwood_ss_seed and ss_seed_one_more, OR (recommended) using AES-CBC and keyseed_for_srk2.

The method is the following:

First, encrypt the root key with the sc_iso metadata seeds: the key is at 0x20 (size 0x10), the IV is at 0x10. Then encrypt (pick one) either sherwood_ss_seed (for data) and ss_seed_one_more (for tweak), or keyseed_for_srk2 (this is a string used as a seed), with AES-CBC-128 to get the block key (the IV is 0).

After obtaining the data and tweak keys (or the block key), use them to decrypt each block.

Most of the blocks contain nothing, except for the very first one.

The first block contains a hash of the DRL (0x14 bytes) followed by a hash of the CRL (0x14 bytes), both SHA-1. If you just remarried your console, you can fix Blu-ray playback by replacing the hashes there with the ones you currently have.

There's another set of hashes in plain sight, and they're probably all SHA-1. The first hash is repeated in a set of patterns, the second hash is cleverly hidden among the patterns, and the third hash is in the VTRM header. Corruption of these hashes is very likely to cause an RSOD. There has been a debate whether replacing a corrupted hash with another equal hash would be advisable (it fixes the RSOD error, but we don't know the direct consequences of this).

Oh, I forgot the link to glevand's mastery: psdevwiki.com/ps3/Fixing_DRL_and_CRL_Hashes

I just had a word with flatz... two of the 3 hashes can be calculated already:

[Register or Login to view code]

Empty sector:

[Register or Login to view code]

u$er, I asked you about the method to dump srk and srh, but unfortunately, even with your help, I wasn't able to dump the data. Running the code with your pokes hangs at a black screen. If you're interested in sharing that package to dump srk and srh, that would be very cool of you.

From u$er: the prx has been tested on 4.46 DEX in debug mode. It should work on CEX as well, but you won't see any result... just connect to port 4546 and type "dumpsrk".

Download: [Register or Login to view links] (load with prx loader) / pastie.org/private/kfbm2w1dzjddczxvdonba (src)

[Register or Login to view code]

It should look like this:

[Register or Login to view code]

From zecoxao: Thanks u$er. I got the encrypted srk, srh, and something else.

Alright, here's the structure of the decrypted data (I'm going to upload the algorithm to generate the backup key and IV to decrypt the data using AES-CBC to my decrypt_tools).

The first 0x10 bytes of data are unknown; we don't know what they are. Then comes srh, then srk, and finally a padding of 8 zeroes. I've verified this myself.

Now what's left to analyze are those 0x10 bytes. flatz wondered if they could be some master key, but I highly doubt it. Either way, it's worth checking out.

Edit: srh is the hash of the signature table (the giant table with the repeated hashes and the hidden one), hashed with the srk key.

Edit2: the header hash is just an HMAC-SHA1 of an HMAC-SHA1 of the VTRM section without the header (0x28 bytes) and the signature table (again with the srk key, hashed twice).

More info from flatz: syscon data (total size: 0x400 bytes) includes:

management block:
0x00 - syscon state/status (0x10 bytes with padding)

root info block:
0x10 - key (0x10 bytes)
0x20-0x34 - srh (0x14 bytes)
0x34-0x48 - srk (0x14 bytes)
0x48-0x50 - padding

???:
0x50-0x80: encrypted stuff (???)

updater block/region data block:
0x80-0x380 - system version, coreos hashes (?), etc
each block has a size of 0x30 bytes (?)

From zecoxao:

[Register or Login to view code]

This is the block key.

[Register or Login to view code]

Those are hashes of SC Encrypt Keys using CMAC/OMAC1 mode. They probably use this key:

[Register or Login to view code]

To generate the hash.

eeprom: [Register or Login to view links]

The INDEXAREAISHERE parts are written like that because they might (or might not) have to do with per-console info, so they were left like that.
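The block-key derivation and per-block decryption zecoxao describes above (the AES-CBC path with keyseed_for_srk2), as an added Go example; this is not code from the post, the wiki or any PS3 tool. The key and seed values are constructed placeholders, not real console secrets. A zero IV for the block decryption, a 0x10-byte root key and taking the first 16 bytes of the first encryption stage as the AES-128 key are this example's assumptions about the recipe. It also carries the post-remarry Blu-ray fix through: overwrite the two SHA-1 hashes at the start of decrypted block 0 and re-encrypt it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

const (
	VTRMBlockSize = 0x40 // size of each encrypted block inside the VTRM section
	HashSize      = 0x14 // SHA-1 digest length: the size of the DRL and CRL hashes
)

var zeroIV = make([]byte, aes.BlockSize)

// aesCBC runs AES-128-CBC over whole blocks of data with the given key and IV.
func aesCBC(key, iv, data []byte, encrypt bool) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of %d", len(data), aes.BlockSize)
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	mode := cipher.NewCBCDecrypter(c, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(c, iv)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out, nil
}

// DeriveBlockKey follows the recipe in the post: encrypt the root key with the
// sc_iso metadata seeds (key at 0x20..0x30, IV at 0x10..0x20 of the seed blob), then
// use the first 16 bytes of that, with a zero IV, to encrypt keyseed_for_srk2.
func DeriveBlockKey(rootKey, scIsoSeeds, keyseed []byte) ([]byte, error) {
	if len(scIsoSeeds) < 0x30 {
		return nil, fmt.Errorf("sc_iso seed blob too short: %d bytes", len(scIsoSeeds))
	}
	stage1, err := aesCBC(scIsoSeeds[0x20:0x30], scIsoSeeds[0x10:0x20], rootKey, true)
	if err != nil {
		return nil, err
	}
	return aesCBC(stage1[:aes.BlockSize], zeroIV, keyseed, true)
}

// DecryptVTRM decrypts each 0x40-byte block of the section on its own (zero IV is an assumption here).
func DecryptVTRM(blockKey, section []byte) ([][]byte, error) {
	if len(section) == 0 || len(section)%VTRMBlockSize != 0 {
		return nil, fmt.Errorf("section length %d is not a multiple of 0x%x", len(section), VTRMBlockSize)
	}
	var blocks [][]byte
	for off := 0; off < len(section); off += VTRMBlockSize {
		pt, err := aesCBC(blockKey, zeroIV, section[off:off+VTRMBlockSize], false)
		if err != nil {
			return nil, err
		}
		blocks = append(blocks, pt)
	}
	return blocks, nil
}

// SplitDRLCRL returns the DRL and CRL SHA-1 hashes stored back to back at the start of block 0.
func SplitDRLCRL(block0 []byte) (drl, crl []byte) {
	return block0[:HashSize], block0[HashSize : 2*HashSize]
}

// PatchDRLCRL writes new hashes into a copy of decrypted block 0 and re-encrypts it (the post-remarry fix).
func PatchDRLCRL(blockKey, block0, drl, crl []byte) ([]byte, error) {
	if len(block0) != VTRMBlockSize || len(drl) != HashSize || len(crl) != HashSize {
		return nil, fmt.Errorf("bad sizes: block %d drl %d crl %d", len(block0), len(drl), len(crl))
	}
	patched := append([]byte(nil), block0...)
	copy(patched, drl)
	copy(patched[HashSize:], crl)
	return aesCBC(blockKey, zeroIV, patched, true)
}

func main() {
	// Constructed stand-in secrets: none of these are real PS3 keys or seeds.
	rootKey := bytes.Repeat([]byte{0x11}, 0x10)
	scIsoSeeds := bytes.Repeat([]byte{0x22}, 0x30)
	blockKey, err := DeriveBlockKey(rootKey, scIsoSeeds, []byte("keyseed_for_srk2"))
	if err != nil {
		panic(err)
	}
	// Constructed 3-block section: block 0 carries DRL||CRL, the other two are empty.
	empty, _ := aesCBC(blockKey, zeroIV, make([]byte, VTRMBlockSize), true)
	enc0, _ := PatchDRLCRL(blockKey, make([]byte, VTRMBlockSize), bytes.Repeat([]byte{0xAA}, HashSize), bytes.Repeat([]byte{0xBB}, HashSize))
	blocks, _ := DecryptVTRM(blockKey, bytes.Join([][]byte{enc0, empty, empty}, nil)) // whole blocks, cannot fail
	drl, crl := SplitDRLCRL(blocks[0])
	fmt.Printf("block key %s\nDRL %s\nCRL %s\n", hex.EncodeToString(blockKey), hex.EncodeToString(drl), hex.EncodeToString(crl))
	fmt.Printf("block 1 all zero: %v\n", bytes.Equal(blocks[1], make([]byte, VTRMBlockSize)))
}
```

Run as-is, it prints the derived block key and the DRL/CRL hashes recovered from decrypted block 0. With a real dump you would swap in your root key, the sc_iso seeds and the real keyseed string, feed the raw VTRM region to DecryptVTRM, and expect every block after the first to decrypt to zeroes; anything else means the derivation (or the IV assumption) is off, and nothing should be written back to flash until it does.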
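The syscon data layout flatz gives above, together with the srh and header-hash formulas from zecoxao's two Edits, as an added Go example; it is not code from either of them. The blob, srk and signature table are constructed values. Reading Edit2 as HMAC-SHA1(srk, HMAC-SHA1(srk, section body || signature table)) is this example's interpretation, and the 0x50-0x80 region is carried through unparsed because the post does not know what it holds.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Layout of the 0x400-byte syscon data blob, as flatz lays it out above.
const (
	SysconSize       = 0x400
	OffState         = 0x00 // management block: syscon state/status, 0x10 bytes with padding
	OffKey           = 0x10 // root info block: key, 0x10 bytes
	OffSRH           = 0x20 // srh, 0x14 bytes
	OffSRK           = 0x34 // srk, 0x14 bytes
	OffPad           = 0x48 // 8 bytes of padding
	OffEncrypted     = 0x50 // 0x50-0x80: encrypted data, purpose unknown
	OffUpdater       = 0x80 // 0x80-0x380: updater / region data blocks
	EndUpdater       = 0x380
	UpdaterBlockSize = 0x30
	HashSize         = 0x14 // SHA-1 digest length
)

// Syscon holds the parsed fields; the slices alias the input blob.
type Syscon struct {
	State, Key, SRH, SRK, Encrypted []byte
	Updater                         [][]byte
}

// ParseSyscon cuts the blob at the documented offsets.
func ParseSyscon(blob []byte) (*Syscon, error) {
	if len(blob) != SysconSize {
		return nil, fmt.Errorf("syscon data must be 0x%x bytes, got %d", SysconSize, len(blob))
	}
	s := &Syscon{
		State:     blob[OffState:OffKey],
		Key:       blob[OffKey:OffSRH],
		SRH:       blob[OffSRH:OffSRK],
		SRK:       blob[OffSRK:OffPad],
		Encrypted: blob[OffEncrypted:OffUpdater],
	}
	for off := OffUpdater; off < EndUpdater; off += UpdaterBlockSize {
		s.Updater = append(s.Updater, blob[off:off+UpdaterBlockSize])
	}
	return s, nil
}

// ComputeSRH is zecoxao's first Edit: srh = HMAC-SHA1(srk, signature table).
func ComputeSRH(srk, sigTable []byte) []byte {
	m := hmac.New(sha1.New, srk)
	m.Write(sigTable)
	return m.Sum(nil)
}

// ComputeHeaderHash is this example's reading of the second Edit: HMAC-SHA1 with srk over
// (VTRM section without its 0x28-byte header || signature table), then HMAC-SHA1 with srk again.
func ComputeHeaderHash(srk, sectionBody, sigTable []byte) []byte {
	inner := hmac.New(sha1.New, srk)
	inner.Write(sectionBody)
	inner.Write(sigTable)
	outer := hmac.New(sha1.New, srk)
	outer.Write(inner.Sum(nil))
	return outer.Sum(nil)
}

// VerifySRH recomputes srh from the signature table and compares in constant time.
func VerifySRH(s *Syscon, sigTable []byte) bool {
	return hmac.Equal(s.SRH, ComputeSRH(s.SRK, sigTable))
}

// BuildSampleSyscon assembles a constructed blob (no real console data) whose srh matches sigTable.
func BuildSampleSyscon(srk, sigTable []byte) []byte {
	blob := make([]byte, SysconSize)
	copy(blob[OffKey:], bytes.Repeat([]byte{0x33}, 0x10))
	copy(blob[OffSRK:], srk)
	copy(blob[OffSRH:], ComputeSRH(srk, sigTable))
	for off := OffUpdater; off < EndUpdater; off += UpdaterBlockSize {
		blob[off] = byte((off - OffUpdater) / UpdaterBlockSize) // tag each updater block with its index
	}
	return blob
}

func main() {
	srk := bytes.Repeat([]byte{0x44}, HashSize)
	// Constructed signature table: one hash repeated in a pattern with a different one hidden inside.
	sigTable := bytes.Repeat(bytes.Repeat([]byte{0x55}, HashSize), 8)
	copy(sigTable[3*HashSize:], bytes.Repeat([]byte{0x66}, HashSize))
	s, err := ParseSyscon(BuildSampleSyscon(srk, sigTable))
	if err != nil {
		panic(err)
	}
	fmt.Printf("srk %s\nsrh %s\nupdater blocks %d\n", hex.EncodeToString(s.SRK), hex.EncodeToString(s.SRH), len(s.Updater))
	fmt.Println("srh verifies:", VerifySRH(s, sigTable))
	sigTable[0] ^= 1 // a corrupted table no longer matches: the situation behind the RSOD debate above
	fmt.Println("srh verifies after corruption:", VerifySRH(s, sigTable))
	fmt.Println("header hash:", hex.EncodeToString(ComputeHeaderHash(srk, make([]byte, 0x80), sigTable)))
}
```

VerifySRH is the check worth running before editing a signature table at all: if a dump's stored srh already fails against its own table, the table or the root info block is corrupted, and swapping one hash for an "equal" one would silence the RSOD without restoring a consistent HMAC chain.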

#35 - PS3 News - 54w ago
Following up on the previous PS3 IDPS Changer and ChangePSID, today PlayStation 3 developer zecoxao has released an updated PS3 IDPS / PSID Changer with details below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / Private Key Bruteforcer / EID Root Key Dumper (Updated)

To quote: Ok guys, so here's something I have for you. This is an IDPS/PSID changer.

This changes the IDPS in section 0 or section 6 and the PSID in section B (not A, sorry; I corrected that on the wiki) PERMANENTLY on flash. So, you know the drill: be VERY careful when using this tool and always take precautions with a flasher.

You're going to need 5 things: root_key, a backup of your NOR flash (only NOR is supported at the moment, but you can easily make it compatible with NAND consoles by changing the offsets in merge_section as well as changing the name to whatever you wish to call your flash), a backup of EID (you can obtain this with flow rebuilder or using memdump) and, obviously, the IDPS and the PSID you want to use on your console.

As for the final hash in each section, the libeeid creator was kind enough to take care of that, so don't worry about it, but PLEASE use valid IDPS and PSID files!!!

Any questions, please ask. And yes, that handles cex2dex too.

[Register or Login to view code]


9th byte list (from wiki): pastie.org/private/lqwgs1qzh1jd14kmbea8a

[Register or Login to view code]

10th byte list (from wiki): pastie.org/private/ftr9f5yw164jhndy3ieoa

[Register or Login to view code]

Notes: if you notice, CECHGs appear in almost all possibilities of the 9th byte list, except in the static IDPS 9th byte.

Banned idps list from "Free IDPS" thread: pastie.org/private/mk0ipzwuo9woejakc45sa

[Register or Login to view code]

Printing Things to the Screen

As you all know, neither the SDK nor the PSL1GHT environment allows you to print things natively to the screen, at least not without using the RSX. Fortunately, inside the Cobra sources of their USB there is something that enables that, making debug output MUCH easier.

The functions are debug_install and debug_printf. debug_install patches the necessary offsets and redirects TTY output to the screen, and then debug_printf simply prints what you want. This might not sound like much, but it's a VERY useful feature, especially when you want to debug code and like to visually see what is happening. This could also make things such as memory patching and dumping much easier to look at.

I'd like to compile it myself and test for results, but I don't have a working hackable console. So I'd like to ask any of you devs to test it and check whether it works or not. As I was told, it does seem to work, so I hope this gets adapted to PSL1GHT very soon.

u$er, I'd like you to be the first person to test this, since you have understood the plugin loading and adapted it for us.

Buffer Overflow on Save Games

This comes back from the PSP era. Usually you'd insert a disc, load a certain save, and it'd load data containing a very long string. At the end or in the middle of that string you'd see a binary loader (hbl.bin) that would load the main menu of HBL.

In the case of the PS3, before the crypto fail was publicly announced, little to nothing was possible with regard to loading a binary from a savegame. Now, thanks to that and thanks to flatz's amazing tools, it might be a possibility in the near future.

Since there isn't a tool that handles savegame crashes (yet), so far we can only manage with a DEX (or converted) console and eth debug to know what happens at the time of the crash/freeze.

In my case, I don't have access to such tools, but there are people who do.

So, you can try this for yourselves. This was made in FIFA 09. I turned auto-save off (so it didn't overwrite the crafted save I made), made a savegame profile, and loaded the disc.

The result was that it crashed while loading the save. The only thing I changed was SYS-DATA. I opened it in HxD and filled my name (zecoxao) with o's until it matched the length of Ronaldo's string entry. That caused the game to crash.

Theoretically, you can most likely load a disc-bound 3.55-and-below signed self from a register that returns an address, and it'll just load the self (I think), although I didn't try this myself yet, because I can't debug it properly on a Super Slim. Anyone who wishes to give it a go is welcome to do so.

From pastie.org/private/p1mxjrd6xbmv3hrphazxsw (the freeze):

[Register or Login to view code]

LR is what matters to us. It's called the Link Register and returns the address of what we want to load.

IT'S A TARP! (Thanks flatz for the debugging)

FIFA 08 (props to NiceShot for the logs) (via pastie.org/private/9iqksaxgxpo8kdqxc87g):

[Register or Login to view code]

Register control in GPR0 (0x31) (via pastie.org/private/hqi53jdrhltfvdaezn3png):

[Register or Login to view code]

Controlling r0 is pretty much the same as controlling the link register. If we control r1 we can control the ROP.

Here are the core dumps for FIFA 08 and 09. r0 is controllable in both games (it's probably hitting the stack).

Download: [Register or Login to view links]

It'll take some minutes to upload them, so please wait.

Lv2diag.self bricking consoles?

I told myself I wasn't going to post any more about PS3s, but this is really bugging me, so... I was hanging out in Skype when suddenly vapour barges in and says a self he created with Objective Suites bricked his PS3.

Naturally, for a person who has bricked 7 consoles by flashing, I thought he was kidding, since nowhere in the world would Sony do such a thing. Then I asked hellsing9 to test it somewhere. He tested the self: it bricked. He tested again: bricked again. Then I asked greysmoke. He tested the self. It didn't brick.

My question is this: on which consoles can the brick be caused, what triggers the brick, and most importantly, can we intercept the bricking command and replace it with something else?

This is the self (3.42 appldr signed): [Register or Login to view links]

Needless to say, flashers can and MUST be used before doing anything; they can unbrick. An E3 flasher can be used like any regular flasher. As for the pinouts, I believe they are available on the wiki (NiceShot has the picture).

From NiceShot: Uhm... you should have the original dump before trying this. I'm not sure if dumping it, byte-swapping and flashing it back will solve the problem, but it is worth trying. I had a broken E3 flasher clip, so I had to map all the points to use the E3 linker, but if you have an E3 flasher with the E3 clip you can do the job the same way. Here you have the pinout for MSX-001:

[Register or Login to view links]

Cheers

PS3 IDA Stuff

So, I was bored and I decided to open IDA Pro and take a look at things. Then someone told me that I could open idb files in IDA. So I went to graf's bible and opened a few. Fun. Anyway, here are some scripts/updates of scripts.

The HV dump script has "new" function names instead of the usual "undocumented_function" crap, and the export script prints all the function names (the ones that don't start with sub_) to the screen. Consider this a release of sorts. I'll try to take care of syscall_names.idh tomorrow for the lv2 dump script.

Download: [Register or Login to view links]
GIT: github.com/zecoxao/ps3ida

The GitHub repo contains precompiled loaders, plugins, signatures, and the new scripts. I've updated the zip. You should now have two additional export functions: one for the syscalls, and another for the hvcalls. Gonna see if I can take care of syscall_names.idh today.

Edit: taken care of: github.com/zecoxao/ps3ida/blob/master/syscall_names.idh

Kinda piggish, but it does the trick.

Added some more signatures; had to use a trick. They're on GitHub: github.com/zecoxao/ps3ida/tree/master/sig/ppc

eEID5 Keyseed and Section Keys Found

[Register or Login to view code]

Edit: some corrections: psdevwiki.com/ps3/Keys#KIRK (thanks euss)

KIRK

A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B

location: in lv2_kernel.self

More KIRK keys

  • github.com/uofw/upspd/wiki/KIRK-13---ECDSA-point-multiplication
  • code.google.com/p/kirk-engine/source/browse/trunk/libkirk/kirk_engine.c
  • wololo.net/talk/viewtopic.php?p=80302#p80302

AES requires a message whose length is a multiple of 16 bytes... I have no idea what unk_keyseed is.

[Register or Login to view code]

Interesting info on KIRK 0xC, 0xD, 0x10, and 0x11 functions by Proxima

[Register or Login to view code]

Download: [Register or Login to view links]

To quote (from pastie.org/private/hzqhpgaxgdybq3zjudqpva):

[Register or Login to view code]

Finally, from LiquidManZero (via psx-scene.com/forums/f153/new-63886/index28.html#post992654):

Welp. I'm just going to leave these here... Also Rand, I know you're watching.

[Register or Login to view code]

From zecoxao: Euss, right next to this (psdevwiki.com/ps3/Seeds#sc_iso_key_seeds) there's a chunk of data, size 0x290, which is loaded twice in two separate functions. I'm guessing that this is some sort of eid1 in disguise? This is in the JIG firmware, btw.

There is also a third value which I don't recognize (next to the be2sc and sc2be keys):

[Register or Login to view code]
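The overflow zecoxao triggers by padding the SYS-DATA name field, taken one step further as an added Go example (not code from the post or from any tool it mentions): instead of a run of 'o's, the name field is filled with a cyclic pattern, so that when the core dump shows LR or r0 holding pattern bytes, the offset of the bytes that reached the register can be read off directly. The SYS-DATA layout is not documented on the page, so the save bytes here are constructed, the name is located by searching for it, and the crashed register value is simulated.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// CyclicPattern builds the classic "Aa0Aa1Aa2..." pattern: every 3-byte triplet
// is unique, so any 4- or 8-byte window maps back to exactly one offset within
// the first 20280 bytes. It replaces the run of 'o's with data whose position
// can be recovered from whatever lands in a crashed register.
func CyclicPattern(n int) []byte {
	out := make([]byte, 0, n)
	for u := byte('A'); u <= 'Z'; u++ {
		for l := byte('a'); l <= 'z'; l++ {
			for d := byte('0'); d <= '9'; d++ {
				out = append(out, u, l, d)
				if len(out) >= n {
					return out[:n]
				}
			}
		}
	}
	return out
}

// CraftNameField replaces the NUL-terminated name that starts at nameOff in save
// with fieldLen bytes of pattern (the over-long string that overflows the game's
// fixed-size name buffer when the profile loads), keeping the rest of the file
// intact. It returns the crafted save and the pattern it wrote.
func CraftNameField(save []byte, nameOff, fieldLen int) ([]byte, []byte, error) {
	if nameOff < 0 || nameOff >= len(save) {
		return nil, nil, fmt.Errorf("name offset 0x%x outside a %d-byte save", nameOff, len(save))
	}
	end := nameOff
	for end < len(save) && save[end] != 0 {
		end++ // skip the original name up to its terminator
	}
	pattern := CyclicPattern(fieldLen)
	out := make([]byte, 0, len(save)-(end-nameOff)+fieldLen)
	out = append(out, save[:nameOff]...)
	out = append(out, pattern...)
	out = append(out, save[end:]...)
	return out, pattern, nil
}

// PatternOffset reports where the low `width` bytes (4 or 8) of a crashed PowerPC
// register sit in the pattern, or -1 if the value is not pattern data. The PS3's
// PPC64 core is big-endian, so the register holds the bytes in file order.
func PatternOffset(pattern []byte, reg uint64, width int) int {
	if width != 4 && width != 8 {
		return -1
	}
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], reg)
	return bytes.Index(pattern, b[8-width:])
}

func main() {
	// Constructed SYS-DATA stand-in: a header, the profile name, and trailing entries.
	save := []byte("SYSDATA\x00" + "zecoxao\x00" + "Ronaldo-entry-that-is-much-longer\x00")
	nameOff := bytes.Index(save, []byte("zecoxao"))
	crafted, pattern, err := CraftNameField(save, nameOff, 0x200)
	if err != nil {
		panic(err)
	}
	fmt.Printf("crafted save: %d bytes, name field now %d bytes\n", len(crafted), len(pattern))

	// Simulated crash: the core dump shows LR holding 8 pattern bytes taken from
	// offset 0x6c of the name field, so that is how far into the name LR is reached.
	crashedLR := binary.BigEndian.Uint64(pattern[0x6c : 0x6c+8])
	fmt.Printf("LR = 0x%016x -> pattern offset %d\n", crashedLR, PatternOffset(pattern, crashedLR, 8))
	fmt.Println("unrelated value maps to:", PatternOffset(pattern, 0x0000000000010000, 8))
}
```

The same lookup works for r0 once the dump shows it holding name bytes; -1 means the register value is not name data at all (a real code address, for instance), which is the "it's a tarp" case rather than a controlled return.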

© 2014 PlayStation 3 News