
December 11, 2010 // 2:34 am - As a follow-up to his recent PS3 SELF Decrypter PSGroove Payload and PS3 3.50 Firmware Decryption work, today PlayStation 3 developer graf_chokolo has released a PS3 LV2 Kernel Decrypter payload for PSGroove.

Download: PS3 LV2 Kernel Decrypter PSGroove Payload / GIT

To quote from his comment on xorloser's blog, linked above:

graf_chokolo says:

I just released my lv2 kernel decrypter. You need metldr, lv2ldr, RL_FOR_PROGRAM.img and lv2_kernel.self. You first have to dump your metldr from FLASH memory. lv2ldr you will also find in your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg from PUP files.

RL_FOR_PROGRAM.img is a revoke list for programs and can be also found in PUP files. lv2_kernel.self is on your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg.

First I send all files to the PS3 and store them in memory. After that I load metldr in isolation mode and pass it the address of lv2ldr. The code is very low level and many things are done by directly manipulating SPU registers.

If you have any questions or problems then feel free to contact me or ask here. I will try to help you. I will try to document my findings on my homepage.

I also uploaded code which can communicate with the USB Dongle Authenticator by using Dispatcher Manager without using any GameOS functions. It’s exactly what GameOS does, just low level.

Have fun guys

lv2_kernel.self from 1.10 firmware decrypted

Guys, just to make sure that you know: the LV2 decrypter is also a PS2 emu decrypter, just change the LPAR auth id in the code. PS2 emu is like GameOS, it’s LV2 and is decrypted by lv2ldr.

Just decrypted vsh.self from 1.10 firmware. Just like old good days.

I decrypted software_update_plugin.sprx but didn’t have time to reverse it yet.


Loading metldr

  • The physical/virtual memory address of the isolation module that metldr should load is written into the SPU register SPU_In_Mbox. SPU_In_Mbox is 32 bits wide, so the 64-bit memory address is written in 2 steps.
  • MFC relocation is turned off by clearing the R-bit in the SPU register MFC_SR1. By doing this, the HV enables real address mode for the SPU's MFC.
  • On GameOS, it also works with relocation on. You just have to initialize the SPU's SLB and insert valid SLB entries.
  • The physical/virtual memory address of metldr is written to the SPU registers Sig_Notify1 and Sig_Notify2.
  • The isolation load request is enabled by writing the SPU register SPU_PrivCntl.
  • The isolation load request is made by writing the value 0x3 into the SPU register SPU_RunCntl.


SPE_load_request_metldr - 0x002B00A4 (3.15)


  • lv2ldr is used to decrypt lv2_kernel.self
  • syscalls 0x10042 and 0x1004A use lv2ldr
  • syscall 0x10042 is used by HV Process 3 during LV2 LPAR construction
  • syscall 0x1004A uses different parameters than syscall 0x10042


SPE_load_request_lv2ldr_1 - 0x002AE82C (3.15)

SPE_load_request_lv2ldr_2 - 0x002AE8D8 (3.15)

Loading lv2ldr

  • The 64-bit memory address of lv2ldr is written into the 32-bit SPU register SPU_In_Mbox
  • metldr is loaded

Decrypting SELFs with appldr and lv1_undocumented_function_99

  • lv1_undocumented_function_99 loads and prepares appldr for SELF decryption.
  • When appldr is ready to decrypt data, it sends a message via mailbox.
  • The address and the size of the encrypted data are passed to appldr via shared memory.

Patent Reveals Sony to Increase PS3 Power via External Processor

#38 - inginear - December 22, 2010 // 7:03 pm
since the original playstation was originally developed as an add-on for the super nintendo, this patent may very well become its own console. as far as gaming goes, sony was software only until nintendo screwed them over by canceling the disc drive add-on in favor of remaining with carts.

#37 - hacked2123 - December 16, 2010 // 12:06 pm
I think for this it would be like a cartridge-like system interface... except it will house CPU+COOLER in these cartridges. Maybe 2 slots, and if the CELL had stayed on its advanced track as initially proposed, would just be swapping them out every 4 years for the faster, smaller, less heat version.

This would only work with digital only content, because prior to purchasing the newest game it could then prompt you that your hardware is inadequate (that's not what she said) and suggest you buy the upgrade. (maybe trade-in?)

#36 - TargTrainer - December 15, 2010 // 11:37 am
Quote Originally Posted by Neo Cyrus
This is unlikely, especially since older games may have to be patched and we all know how lazy-as-hell developers are... especially those at Sega, Namco, Tecmo, Capcom, Squarenix, EA, THQ... okay, all of them.

I think, for the developers who put months or years of their lives into these games, they'd want to do those updates and make their work really shine. It's the publishers, and sony's own restrictions, that would make things difficult. Publishers don't want to spend any more money once a game is released, and sony would of course require the patches to be run through the full QA again, which means it's not just a fire-and-forget patch - the publisher has to keep the developers on payroll long enough to make sure it passes QA.

#35 - Neo Cyrus - December 15, 2010 // 9:28 am
Quote Originally Posted by bozobuttz
+1 By "external", they mean external to the processor system described in the patent, not external to a PS3. Now everyone put away their Jump to Conclusions mat.

Ouch, so much for that. Oh well, one can dream... and nice Office Space reference.

In the next generation of consoles they should design them with upgrades in mind. It would have been nice to upgrade the PS3 to play games at 60fps instead of 20, and dare I say it... in real 1080p (outrageous, I know, since most games are not really even 720p). This is unlikely, especially since older games may have to be patched and we all know how lazy-as-hell developers are... especially those at Sega, Namco, Tecmo, Capcom, Squarenix, EA, THQ... okay, all of them.

#34 - bozobuttz - December 15, 2010 // 6:20 am
Quote Originally Posted by sapperlott
Funny what people read into this patent. This merely seems to describe the BIF bus used to connect two Cell processors to create a memory coherent SMP system (as done in the IBM Cell and PowerXCell 8i blades).

This cannot be used on the PS3 since the IOIF which can be configured to be used as a BIF interface is already used by the RSX.

+1 By "external", they mean external to the processor system described in the patent, not external to a PS3. Now everyone put away their Jump to Conclusions mat.

#33 - imperfectionest - December 13, 2010 // 8:51 am
A thought: What is the bandwidth on the ribbon cable going to the usb controller chip? Replace that, and make the new chip control usb, wifi and bluetooth, and leave the internal cell to do the dirty work.

An obvious drawback: they would require certain firmwares and licensed installers to do such, which they would probably look at the device to see if it's jb'd too.

#32 - moja - December 12, 2010 // 5:46 pm
Quote Originally Posted by SDF
100% bs, this patent is older than the ps3.

Actually, the patent was filed on 18 Aug 2010, which may be older than the slim you may have just bought, but not older than my launch 60GB. Not sure you even read or could understand the patent.

#31 - SwordOfWar - December 12, 2010 // 4:07 pm
I really think games look great already so I'm not ready to dish out a bunch of money for a new console anyway.

Sony would have to design a console with an expansion interface for something like that to work. I think expansions are a great idea since it saves a lot of money by extending the life of a console.

#30 - Bishoff - December 12, 2010 // 2:33 pm
I also think this isn't an add-on for the ps3 to enhance it... rather add PS2 backwards compatibility, but I highly doubt that while they still sell PS2's. It has to be for something else or something that will never see production. The processing power of the ps3 is still relevant to today. It's the graphics and memory that is the weak link. No way to fix that without a new board, period. Simply look back in history, this is how the console market is.

Take a look at the 360... there is no way M$ could add on anything to make it faster. Sony will not be doing so either. If for some odd reason Sony could do this and actually did, then M$ would simply release the xbox 720 and blow it away. Not happening

#29 - Neo Cyrus - December 12, 2010 // 1:55 pm
Quote Originally Posted by brucestone
I have a question. If they talk about this "Add-on" to the PS3 because of power. Then what about the eighth Core in the CELL. The one which far as I know is restricted?

It's most likely disabled to increase yields. Sony/IBM probably had (have?) a ridiculous amount of defective ones and decided to disable 1/8 of the SPEs to make use of all those defective chips they had. Meaning they can't just enable the 8th one because on a lot of PS3s it's defective and can't function properly.

As for an add-on, I'm all for it assuming things are actually programmed to make use of it... AFAIK a lot of ports are butchered because they simply make use of the one core/PPE while all 7 functioning SPEs are left idle. That and the RSX is weaker than the Xenos and the PS3's memory is not shared (256MB XDR system memory and 256MB GDDR3 on the RSX)... also it doesn't have 10MB of eDRAM, lol.