Hey there.

So... you use an ad blocker. That's cool. Sometimes we do too.

But without ad revenue, we wouldn't even be here. And we might not be here much longer.

Please disable your ad blocker and click to continue.

  1. #1
    MimmoD360 Guest

    Cool Zadow28 PS3 Exploit / Hacking Discussion Thread

    We will use this ongoing thread to discuss the recent zadow28 PS3 exploit / hacking developments.

    Below is some information from zadow28 posted by tthousand via psx-scene.com/forums/content/doors-2088/:

    Got this info in a PM, the *.a files from the sdk is actually elf files packed. you can rename all *.a files from the sdk to elf, and then run readelf on them. you would see where all the elf files write. Have been looking at the libsecure and found out where all the crypto is reading/writing.

    These are the elf that Sony uses to encrypt/decrypt all there elf/bin/sprx, if you look at the libsecure there are 2 kind of *.a file normal and _d in the ending. I think one encrypt one decrypt. So I tried it and it worked from libsecure:

    [Register or Login to view code]

    Well if you look at the thread the *.a files are archives with multiples elf within them. eussNL got this thred right thats why he found an extracter for *.a files thx euss so the libsecure.A have as many as 6 elf inside that where the good stuff is.

    By the way also got his from (he knows himself) haven't check that yet but you could.. the *.a files turned out legit.

    My first attempt at trying to decrypt the lv0 with a something so simple I knew it wouldn't work. But however here is the output I recieved metadataInfo:

    [Register or Login to view code]

    If you looked closely at the pasties you would find the TOC and OPD where it is written:


    The last pastie is the guard for the cell i figured that out after the info.


    The one for the cell is spu based and the one from libsecure is ppc based. Here is one more thing i found out sometime ago:


    Load ida pro then load any self/bin then file---->load---->pdb file then getheader.pdb. Then the header would turn up in any encrypted files.. both spu and ppc you can see for try.

    The libsecure.a files one is where all the encryption is written the libsecure_d.a is where all the decrypted is written. Then there are 100 *.a files in the sdk with a lot of elf files inside all saying where everything is written and the *.a files they or used for base for making all softbto the ps3 that's why they can't change it.

    And if you read the libsecure readelf you would notice that you can see where md5/sha215/aes/blowfish and a lot more is encrypted/decrypted.

    Update: Here are the library files from libsecure extracted and put in the right folder

    Download: http://www.filedropper.com/lib

    Remember one is for decrypting other for encrypting.

    [Register or Login to view code]

    These are relocatable file PPC based.


    And just by chance, PsDev tweeted (twitter.com/#!/RealPsDev/status/185503134498557952) this earlier today:

    [Register or Login to view code]

    Got that from a lv0 output.

    The offsets from the readelfin libsecure is acuelly quite usefull to get extra info out. The offsets have found 2000 more function in the lv1.elf from 3.56. Since i the private keys should be in that if am not wrong. Here is the strings after i use some of the offsets lv1elfstrings.rar notice there is something about master access. read idps etc i can upload the disassembled file also.

    Here if any wanna look at the decrypted file for ida pro: http://www.filedropper.com/lv1extraoffset

    Also another theory from devilangelari:

    Consider the possibility that the "TB dongle updates" update only the game libraries (sprx) on the firmware or on the dongle (maybe it's a dev_flash mounted like dev_blind) ?

    In the TB eboot you can see that it requests updated libraries like in this case 3.60 but they can masked to appear like 3.60 libraries if "TB modified the libraries" :

    These "libraries" are needed to run games or new games that's why TB updates them !

    That part is not encrypted as you can see but if you modify anything there in an self it will ruin the encryption as a whole (maybe after all it will not ruin anything).

    In the PS3 Dev wiki page you can see that TB eboots are FSELF (fake signed elf) but someone (I can't mention his name until he gives me the permission to do , so RESPECT!) mentioned that they are recognized as FSELF (no encrypted metadata in fself when you run readself on it ) and are not true fselfs on his nature.

    FSELF keys are given to game developers to not compromise their "true keys" when they are creating games on the debug stage (debug eboots).

    When you run readself on a TB eboot there you see the "DevKit" SDK used (in which I have no info) but we could assume that there are the devkit (FSELF) keys used :

    And the unself tools that are available doesn't decrypt tb eboots, even in some eboots they give no errors but when you look at them on hex editor you see them encrypted in which case people should look to create new unself tools.

    With the theories until now you need 3 things : eboots decrypted ,updated libraries and the correct payload to patch lv2. Only the decrypted eboots will not suffice because they request updated libraries to run new games.

  2. #2
    Bartholomy Guest
    Erm.. I suppose i have to write "cool" , but i'll wait a dev's post about it..

  3. #3
    Tidusnake666 Guest
    zadow is a member here too, i had a discussion with him about decrypting eboots with ps3gen/ps3sys tools, he said that he's managed to crack Portal 2 for 3.55 but it won't run somehow.

    As for his libsecure stuff, most it was also posted here, I don't remember where exactly.

    In overall, I'm being sceptical about it, as I didn't manage to duplicate what he was doing.

  4. #4
    NTA Guest
    Intersting. Hoping to see more about this in the future

  5. #5
    zadow30 Guest
    i would mention that i have nothing to do, with the fake CFW. so here some news for you.

    There have always been problems debugging SPU elf files, since there are almost no debugger know to do this, except really slow terminal and anergistic. which is almost impossible to use.. and its in the spu files, the goodie stuff is.

    normally in example ida pro, you could open spu, but not debug them, so almost useless.

    you have to find the software, yourself but this little command in linux or cygwin

    appldr.elf (SPU FILE)

    [Register or Login to view code]

    isoldr.elf (SPU FILE)

    [Register or Login to view code]

    it turns the appldr into PPC insteed of SPU.

    [Register or Login to view code]

    Now we can debugging into Memory, and find those hidden goddies

    this is some of the string from the RAM from isoldr.elf in memory

    [Register or Login to view code]

    normally it look like this

    [Register or Login to view code]

    this would help those, that hunt for keys now lets dump some stuff

    i have unself and signed the eboot from Two TB games. with 3.55 keys

    Batman: Arkham City http://www.filefactory.com/file/1nyi...t3.55EBOOT.zip

    and ace combat Assault_Horizon http://www.filedropper.com/showdownl...acecombateboot (http://www.filedropper.com/acecombateboot)

    i was then able to sign with 3.55 keys. one fellow in irc tried on rebug, but didn't run.

    so check and try them out. the eboot.bin unself without errors and the hex is readeble..

    eboot ace combat Assault_Horizon with TB and with my signed 3.55.

    [Register or Login to view code]

    the eboot.elf inside.

    [Register or Login to view code]

    here is the decrypted eboot batman ACE combat and skyrim an my key folder.


    the skirim gives an error but still decrypt, don't notice the 4.11 keys those are from nodex and is not why i can decrypt. i also could before putting those in.

    From KaKaRoToKS (twitter.com/#!/KaKaRoToKS/status/190266134887546882): zadow28 a PDB for lv0? ida decrypting lv0 ? hexray on PPC code? spu stuff on lv0 which is PPC, not SPU... it smells fake 10000%

    From zadow28: So why dont they just ru the command that i posted and see if the spu turnes into ppu files. Quite easy since the command is there idiots.



    one off the commands

    [Register or Login to view code]

    and i'll have to make and video i guess off the spu ida files with code.

    if the morons including kakaroto before accusing, well think i know why he didn't release any crap.

    Below are some keys from Icy and zadow28, which could be either for the TB EBOOTs or for decrypting the CFW.

    [Register or Login to view code]

    From Twitter: twitter.com/#!/zadow28/status/202836460418772992

    uuhhh been having fun first i converted the new trueblue payload 2.61 and run it throw an simulator.

    then i fake the cobraupdate and found where the upgrade communicated with the dongle.

    I know that the converted payload can be debuged in ida pro motorola hc8112 maybe some expert got an pro simulator.

    Jesus its not sdk 3.85 but loader keys 3.85: http://tinypaste.com/439616bb and that only one of many:

    [Register or Login to view code]

    Also from Zadow via: http://tinypaste.com/6068d4b3

    [Register or Login to view code]

    From Twitter: Funny no one notice OFW 4.11patchupdate yet. http://deu01.ps3.update.playstation....4/PS3PATCH.PUP more interesting inside are an file patchdata.pkg http://www.mediafire.com/?q1r72ejar44kwcr

    And dont install the ps3updatepatch.PUP the interesting one is the PKG inside

    "Dont install the patch PUP" but the pkg should hold the info off how the OFW is patched, thats the name patchdata.pkg

  6. #6
    Join Date
    Apr 2005


    Below is another update from zadow (twitter.com/#!/zadow28) for those following:

    The Lost files off Dev flash: One day i was looking at the dev flash and i noticed a pattern. Where SCE would turn up regularly. So i had hunch, i searched for all SCE in the hex and then extracted that hex and save it to some self files and that worked, so after investigating some more, i found that many off the files from the devflash, aren’t just elf ppc or spu files. like the lv1.self contains off 6 files both ppc and spu.

    And best thing normally in ida pro when loaded a PPC file some areas are still “encrypted”. When extracted they come too there right meaning, and all codes are shown. Now the devflash files can contain self files, thats why i search for SCE. Thats the top of the header. But can also contain just elf files. The easiest way to locate them are ELF or search for hex string:

    [Register or Login to view code]

    Here is some that i extracted so far. all the download links have a password = zadow

    lv1.self from the debug CFW 3.56: http://www.mediafire.com/?99cunniz7vn5yha

    its like the lv1 is fully decrypted. got stuff like eid data decrypt/ encrypt guest OS

    trueblue on 3.55: http://www.mediafire.com/?chtxq98y3rwiw81

    BDDVD.SELF: 7 files: http://www.mediafire.com/?bbbomnyz3x257aq

    emulator_drm.sprx.elf: http://www.mediafire.com/?t21p5dzgvskzmld

    there are two files one elf, one self. also i think a new key on the self, you have to unself yourself

    PSemuCORE.sprx.elf: http://www.mediafire.com/?fm5k3c4j4mxbwz9

    5 files elf SPU and PPC ones

    Vsh.elf: http://www.mediafire.com/?nj7tdx7fqmxyqnb

    two files one spu one PPC. and looks mighty interesting too. especially like this one since 100 people was looking for QA over at psx but nobody noticed. this one took awhile 45 files is the:

    ps3swu.self.elf: http://www.mediafire.com/?r3vr9pitlqvfeir

    Almost gonna trible the dev flash, no wonder they didn’t decrypt all in the files, when there are self inside elf and spu inside PPU.
    Regards and try work together on this one.

    here is the video off the basic, 5 minutes the quality is better. used TB lv1.elf.also some WMware stuff there:

    Some more via Twitter:

    Did the nono and bought an cobra dongle. well im not planing, playing games lets see how FM is writin to cobra:

    maybe i should make an exseption and release the database i debugged, well hopefully the cobra is out off the way

    mmh stage two tomorrow gonna try different debugging tecnics. and leave all the junk behind

    well i would just follow that lead http://tinypaste.com/6883a961 gonna look more tomorrow

    [Register or Login to view code]

    Little feeling of dex forum ready Have fun http://pastebin.com/PD4ruicg

    Been playing around as i always do

    been bugging me there arent any disasemplers that can view any code, only dissasemply.

    and some interesting stuff came up

    first you should build all the samples and projects in the sdk.

    you would need to do an batch build with both debug and release.

    after build you would have debug and an realese folder.

    now open up tuner software from the sdk.

    Choose open static analyze

    now if you open any elf from the build, and open them in the tuner it looks like this after
    using sample from libsecure release build.
    right click it, then it shows disasemply

    now this is okay since you can get some info in tuner what the functions are for.

    but now comes the neat part if you do the same with the debug buils

    right click it.

    shows all the source code insteed

    [Register or Login to view code]

    this works on all the debug objects files in debug build.

    could be off use when looking at big builds
    and when building you own

    and one more thing the tuner can take alot off the extracted files that i posted,
    and show there build too.
    also some of the files if you used dev_blinds to copy intire dev flash/2/3 from ps3
    some of the elf files there are debugs and the pic files are also shown and how there build there.
    And work also if you take all the *.a files extract them with 7zip you have alot off *.o files they work there also.

    so for exampel libguard.a extarcted there are alot of *.o inside
    just one in the tuner with sources

    [Register or Login to view code]

    and that aint in the wiki

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Log in