  1. #1

    PS3 SCETool, Friday Isolated SPU POC and EIDTool WIP Updates

    This weekend Sony PlayStation 3 hacker naehrwert has released a PS3 SCETool based on the fail0verflow tools, an Isolated SPU binary POC dubbed Friday and some EIDTool work in progress updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc via Twitter.

    Download: PS3 SCETool / Friday Isolated SPU Binary POC / PS3 SCETool v0.0.3 and VSH.Self Output / PS3 SCETool v0.0.4

    Below are the details from the ReadMe files and Tweets, as follows:

    SCETool (C) 2011 by naehrwert - This tool will see more features in the future.


    Keyfile format:

    [Register or Login to view code]

    A sample keyfile is included.

    Shout-outs: I think they know who I mean

    Friday (C) 2011 by naehrwert - This is a POC for an isolated SPU binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S block from it, that is used to pair the BD drive to the specific console. You can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.

    Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is sent from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.

    Note: this is UNTESTED but should just work

    POC http://www.mediafire.com/?u8lvl08h1lai2nb

    note: self part is only for spu yet!

    scetool http://www.mediafire.com/?31r5482wy28sc9c

    veeeery nice http://pastie.org/2928187


    which I can generate and yes my eid4 passes the hash check

    but one would need to get the aes_omac1 key to be able to check it

    hmm eid4 digest is stored unencrypted

    seems like there are some hardcoded eid4 fallback bytes - http://pastie.org/private/oxy580s4omh8ofbdfgj3dq


    scetool/eidtool progress is great

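The mailbox handshake the Friday readme describes above is easy to get out of order, so here is a simulation of it as an added example; this is not code from naehrwert's release. The message names follow the readme, but their numeric values, the LS offsets (EID2_START, BLOCKS_START), the EID2 and block sizes, and the block generation itself (a hash stand-in, since the readme does not describe the real P/S algorithm) are all constructed placeholders. Go channels play the role of in_mbox and out_mbox, a byte slice plays the role of the local store, and a plain copy stands in for the DMA.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
)

// Mailbox message values. The names are the ones the Friday readme uses;
// the numeric values are placeholders chosen for this example.
const (
	MSG_OUT_READY    uint32 = 0x01 // SPU -> PPU: ready to receive EID2
	MSG_OUT_GEN_DONE uint32 = 0x02 // SPU -> PPU: P and S blocks are in the LS
	MSG_IN_READY     uint32 = 0x10 // PPU -> SPU: EID2 has been DMAed in
	MSG_IN_DIE       uint32 = 0x20 // PPU -> SPU: blocks read, terminate
)

// Local store layout. The SPU LS is 256 KiB; the offsets and sizes below
// are placeholders, not the values friday.h defines.
const (
	lsSize       = 256 * 1024
	EID2_START   = 0x10000
	EID2_SIZE    = 0x100
	BLOCKS_START = 0x20000
	BLOCK_SIZE   = sha256.Size // one P block and one S block, back to back
)

// SPU models an SPE with its local store and the two mailboxes.
type SPU struct {
	ls      []byte
	inMbox  chan uint32 // written by the PPU, read by the SPU
	outMbox chan uint32 // written by the SPU, read by the PPU
}

func NewSPU() *SPU {
	return &SPU{ls: make([]byte, lsSize), inMbox: make(chan uint32), outMbox: make(chan uint32)}
}

// derivePairingBlocks is a stand-in for the real P/S block generation, which
// the readme does not describe. It hashes EID2 under two domain tags so the
// blocks are deterministic and distinct from each other.
func derivePairingBlocks(eid2 []byte) (p, s []byte) {
	ph := sha256.Sum256(append([]byte("P:"), eid2...))
	sh := sha256.Sum256(append([]byte("S:"), eid2...))
	return ph[:], sh[:]
}

// runFriday is the SPU side of the handshake in the order the readme gives.
func (spu *SPU) runFriday(wg *sync.WaitGroup) {
	defer wg.Done()
	spu.outMbox <- MSG_OUT_READY
	if msg := <-spu.inMbox; msg != MSG_IN_READY {
		return // anything else: stop without producing blocks
	}
	eid2 := spu.ls[EID2_START : EID2_START+EID2_SIZE]
	p, s := derivePairingBlocks(eid2)
	copy(spu.ls[BLOCKS_START:], p)
	copy(spu.ls[BLOCKS_START+BLOCK_SIZE:], s)
	spu.outMbox <- MSG_OUT_GEN_DONE
	<-spu.inMbox // wait for MSG_IN_DIE before exiting
}

// RemarryBlocks is the PPU side: it drives the handshake and returns the P
// and S blocks that the PPU would then hand to the BD drive.
func RemarryBlocks(spu *SPU, eid2 []byte) (p, s []byte, err error) {
	if len(eid2) != EID2_SIZE {
		return nil, nil, fmt.Errorf("EID2 must be %d bytes, got %d", EID2_SIZE, len(eid2))
	}
	var wg sync.WaitGroup
	wg.Add(1)
	go spu.runFriday(&wg)

	if msg := <-spu.outMbox; msg != MSG_OUT_READY {
		return nil, nil, fmt.Errorf("unexpected message %#x, want MSG_OUT_READY", msg)
	}
	copy(spu.ls[EID2_START:], eid2) // stands in for the DMA into the LS
	spu.inMbox <- MSG_IN_READY

	if msg := <-spu.outMbox; msg != MSG_OUT_GEN_DONE {
		return nil, nil, fmt.Errorf("unexpected message %#x, want MSG_OUT_GEN_DONE", msg)
	}
	p = append([]byte(nil), spu.ls[BLOCKS_START:BLOCKS_START+BLOCK_SIZE]...)
	s = append([]byte(nil), spu.ls[BLOCKS_START+BLOCK_SIZE:BLOCKS_START+2*BLOCK_SIZE]...)
	spu.inMbox <- MSG_IN_DIE
	wg.Wait()
	return p, s, nil
}

func main() {
	eid2 := make([]byte, EID2_SIZE) // constructed stand-in for a console's EID2
	for i := range eid2 {
		eid2[i] = byte(i)
	}
	p, s, err := RemarryBlocks(NewSPU(), eid2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("P block: %x\nS block: %x\n", p, s)
}
```

The unbuffered channels enforce the same ordering the real mailboxes do: the PPU cannot write EID2 before the SPU has announced MSG_OUT_READY, and the SPU cannot read the blocks out before MSG_OUT_GEN_DONE has been consumed, which is exactly the ordering the readme requires.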

  2. #2
    HAVOK7 Guest
    wow i am first lol, ok so what can be actually done with this?

  3. #3
    Bartholomy Guest
    Yep. We mortals don't do anything with this stuff. But I suppose it's an advancement about a free solution...

    Oh, some news: And no, I won't release eidtool. If you want the algorithms, you'll have to start reversing

    Cool, we can close this chapter too

  4. #4
    tulla2010 Guest
    shame he will never release the eid tool

  5. #5
    Ezio Guest
    Friday is a new legal application developed by naehrwert to remarry bd drive.

    Quote (Originally Posted by tulla2010): shame he will never release the eid tool

    Yeah, unfortunately he decided not to share his eid tool when it is ready.

  6. #6


    Here is a follow-up from his blog today as well for those following: nwert.wordpress.com/2011/11/29/about-spu-channels-64-72-and-73/

    If you are reversing the PS3's isolated SPU modules, you will eventually notice channels 64, 72 and 73. Here are some C functions that roughly describe how they work:

    About SPU channels 64, 72 and 73


    It seems that lv1ldr is storing its version into a special storage area.


    And e.g. isoldr reads the version from the storage area and compares it to its own version. If the check fails, isoldr will just stop execution.


    I wonder what else is stored in the area and how long the data in it persists, so my next idea is to code an isolated elf that allows me to specify the value written to channel 64 and then dumps the data from channel 73.

  7. #7
    PS3 SCETool v0.0.3 and VSH.Self Output

    Below are some more updates from naehrwert for those following..

    scetool 0.0.3 http://www.mediafire.com/?ykjil6hn2xai5qw

    output for vsh.self pastie.org/2958961


    Added ELF64 support to scetool!

    but I extended eidtool by some new functions

  8. #8
    Bartholomy Guest
    Eidtool is what we need, rest is useless I think

  9. #9
    PS3 SCETool v0.0.4

    Today Naehrwert has released PS3 SCETool v0.0.4 for those interested.

    Download: PS3 SCETool v0.0.4

    From his Tweet (twitter.com/#!/naehrwert/status/145481343411830784) the changes are as follows:

    scetool 0.0.4 http://www.mediafire.com/?c10cwi77n7h4o3o

    (added 32 bit ELF "unselfing")

    isoldr_emulate http://pastie.org/3001424


  10. #10

    Here are a few quick updates from naehrwert (twitter.com/naehrwert) for those following:
    • haha just figured the eid3 algo, nice!
    • KaKaRoToKS and I added basic NPDRM support to scetool
    • SELF generation works now for SPU and PPU, except for compressing the data and NPDRM
    • added SPU SELF generation to scetool

    Also from his site: nwert.wordpress.com/2011/12/24/individual-infos/

    Individual Infos

    One of the PS3's console-specific cryptography schemes works as follows:

    At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that's the key used for encrypting bootldr and metldr. Fact is that metldr stores another console specific keyset (key/iv) to LS offset 000000. That keyset is probably calculated from the first one. At factory time the isolated root keyset (as I call it) is used to encrypt the console's "Individual Infos", like eEID.

    But not the whole eEID is encrypted the same way; special seeds are used to calculate key/iv pairs for the different sections. And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an "Individual Info" has a special section that isoldr uses to generate the derived key(set)s.

    But the generation works in a way that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn't allow a known plaintext attack. So far I can decrypt some of EID0's sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0's but I lack the generation keys for that one.
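To make the derivation chain in the blog excerpt concrete, here is an added example of the scheme it describes (a root key/iv pair, a per-section seed encrypted under it with AES-CBC, and the result used as that section's key/iv); it is illustrative code written for this page, not naehrwert's eidtool and not Sony's implementation. The root keyset, the seeds and the section contents are all constructed sample values, AES-128 and a 32-byte seed (16 bytes of derived key followed by 16 bytes of derived iv) are assumptions, and the extra EID0 step the post mentions is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Keyset is a key/iv pair, the shape the post uses for both the isolated
// root keyset and the per-section derived keysets.
type Keyset struct {
	Key []byte // 16 bytes: AES-128 is an assumption of this example
	IV  []byte // 16 bytes
}

// DeriveSectionKeyset models the derivation step: the section seed is
// AES-CBC encrypted under the isolated root keyset and the ciphertext is
// split into a derived key and iv. A 32-byte seed yields exactly key || iv.
func DeriveSectionKeyset(root Keyset, seed []byte) (Keyset, error) {
	if len(seed) != 2*aes.BlockSize {
		return Keyset{}, fmt.Errorf("seed must be %d bytes, got %d", 2*aes.BlockSize, len(seed))
	}
	block, err := aes.NewCipher(root.Key)
	if err != nil {
		return Keyset{}, err
	}
	out := make([]byte, len(seed))
	cipher.NewCBCEncrypter(block, root.IV).CryptBlocks(out, seed)
	return Keyset{Key: out[:aes.BlockSize], IV: out[aes.BlockSize:]}, nil
}

// cbcCrypt encrypts or decrypts whole-block data under a keyset.
func cbcCrypt(ks Keyset, data []byte, decrypt bool) ([]byte, error) {
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of %d", len(data), aes.BlockSize)
	}
	block, err := aes.NewCipher(ks.Key)
	if err != nil {
		return nil, err
	}
	var mode cipher.BlockMode
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, ks.IV)
	} else {
		mode = cipher.NewCBCEncrypter(block, ks.IV)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out, nil
}

// EncryptSection is the factory-time step; DecryptSection is what an
// isolated module does with the keyset it derived.
func EncryptSection(ks Keyset, plain []byte) ([]byte, error) { return cbcCrypt(ks, plain, false) }
func DecryptSection(ks Keyset, ct []byte) ([]byte, error)    { return cbcCrypt(ks, ct, true) }

// Constructed sample values: none of these are real PS3 keys or seeds.
var (
	sampleRoot = Keyset{
		Key: bytes.Repeat([]byte{0x11}, aes.BlockSize),
		IV:  bytes.Repeat([]byte{0x22}, aes.BlockSize),
	}
	sampleSeeds = map[string][]byte{
		"EID1": bytes.Repeat([]byte{0x01}, 2*aes.BlockSize),
		"EID2": bytes.Repeat([]byte{0x02}, 2*aes.BlockSize),
		"EID4": bytes.Repeat([]byte{0x04}, 2*aes.BlockSize),
	}
)

func main() {
	for _, name := range []string{"EID1", "EID2", "EID4"} {
		ks, err := DeriveSectionKeyset(sampleRoot, sampleSeeds[name])
		if err != nil {
			panic(err)
		}
		plain := bytes.Repeat([]byte(name+" section!!!!"), 2) // constructed 32-byte section
		ct, _ := EncryptSection(ks, plain)
		back, _ := DecryptSection(ks, ct)
		fmt.Printf("%s key=%x iv=%x roundtrip=%v\n", name, ks.Key, ks.IV, bytes.Equal(plain, back))
	}
}
```

The property the post relies on is visible in the structure: every derived keyset is an AES ciphertext under the root keyset, so holding a (seed, derived keyset) pair is a known-plaintext pair for AES, and recovering the root key from it is a key-recovery problem rather than a decryption problem. Each section's keyset also only decrypts its own section, which is why the post can decrypt EID1, EID2 and EID4 independently of EID5.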
