
December 11, 2010 // 2:34 am - As a follow-up to his recent PS3 SELF Decrypter PSGroove Payload and PS3 3.50 Firmware Decryption work, today PlayStation 3 developer graf_chokolo has released a PS3 LV2 Kernel Decrypter payload for PSGroove.

Download: PS3 LV2 Kernel Decrypter PSGroove Payload / GIT

To quote from his comment on xorloser's blog, linked above:

graf_chokolo says:

I just released my lv2 kernel decrypter. You need metldr, lv2ldr, RL_FOR_PROGRAM.img and lv2_kernel.self. You have first to dump your metldr from FLASH memory. lv2ldr you will find also in your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg from PUP files.

RL_FOR_PROGRAM.img is a revoke list for programs and can be also found in PUP files. lv2_kernel.self is on your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg.

First I send all files to PS3 and store them in memory. After that I load metldr in isolation mode and pass it the address of lv2ldr. The code is very low level and many things are done by directly manipulating SPU registers.

If you have any questions or problems then feel free to contact me or ask here. I will try to help you. I will try to document my findings on my homepage.

I also uploaded a code which can communicate with USB Dongle Authenticator by using Dispatcher Manager without using any GameOS functions. It's exactly what GameOS does, just low level.

Have fun guys

lv2_kernel.self from 1.10 firmware decrypted

Guys, just to make sure that you know: LV2 decrypter is also PS2 emu decrypter, just change LPAR auth id in code. PS2 emu is like GameOS, it's LV2 and is decrypted by lv2ldr.

Just decrypted vsh.self from 1.10 firmware. Just like old good days.

I decrypted software_update_plugin.sprx but didn’t have time to reverse it yet


Loading metldr

  • The physical/virtual memory address of the isolation module that metldr should load is written into the SPU register SPU_In_Mbox. SPU_In_Mbox is 32-bit, so the 64-bit memory address is written in 2 steps.
  • MFC relocation is turned off by clearing the R-bit in the SPU register MFC_SR1. By doing this, the HV enables real address mode for the MFC of the SPU.
  • On GameOS, it also works with relocation on. You just have to initialize the SLB of the SPU and insert valid SLB entries.
  • The physical/virtual memory address of metldr is written to the SPU registers Sig_Notify1 and Sig_Notify2.
  • The isolation load request is enabled by writing the SPU register SPU_PrivCntl.
  • The isolation load request is made by writing the value 0x3 into the SPU register SPU_RunCntl.
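The load sequence listed above, modelled as a trace checker (an added example, not graf_chokolo's code): it walks a constructed list of register writes, confirms that every listed step has happened before 0x3 reaches SPU_RunCntl, and rebuilds both 64-bit addresses. The event encoding, the high-word-first order and the sample addresses are assumptions, and only the real-address path is modelled.

```c
#include <stddef.h>
#include <stdint.h>
/* Register names come from the notes; this event encoding is constructed. */
enum reg { SPU_IN_MBOX, MFC_SR1_CLEAR_R, SIG_NOTIFY1, SIG_NOTIFY2,
           SPU_PRIVCNTL_LOAD_EN, SPU_RUNCNTL };
enum { LOAD_OK = 0, ERR_MBOX = -1, ERR_RELOC = -2, ERR_SIG = -3,
       ERR_PRIV = -4, ERR_NO_REQ = -5 };
struct reg_write { enum reg reg; uint32_t val; };
struct load_req {
    uint64_t module_addr;  /* rebuilt from the two SPU_In_Mbox writes */
    uint64_t loader_addr;  /* rebuilt from Sig_Notify1 and Sig_Notify2 */
};
/* Constructed sample trace with made-up addresses, not captured from hardware. */
static const struct reg_write sample_trace[] = {
    { SPU_IN_MBOX, 0x00000001 }, { SPU_IN_MBOX, 0x23456780 },
    { MFC_SR1_CLEAR_R, 0 }, { SIG_NOTIFY1, 0x00000000 }, { SIG_NOTIFY2, 0x00ABC000 },
    { SPU_PRIVCNTL_LOAD_EN, 0 }, { SPU_RUNCNTL, 0x3 },
};

/* Check that every listed step has happened by the time 0x3 reaches SPU_RunCntl.
 * Assumptions: high word first; real-address path only (no SLB variant). */
int check_isolation_load(const struct reg_write *t, size_t n, struct load_req *out)
{
    uint32_t mbox[2] = {0, 0}, sig1 = 0, sig2 = 0;
    int mbox_n = 0, reloc_off = 0, have1 = 0, have2 = 0, load_en = 0;
    for (size_t i = 0; i < n; i++) {
        switch (t[i].reg) {
        case SPU_IN_MBOX:
            if (mbox_n == 2) return ERR_MBOX;  /* third word: not one 64-bit address */
            mbox[mbox_n++] = t[i].val;
            break;
        case MFC_SR1_CLEAR_R:      reloc_off = 1; break;
        case SIG_NOTIFY1:          sig1 = t[i].val; have1 = 1; break;
        case SIG_NOTIFY2:          sig2 = t[i].val; have2 = 1; break;
        case SPU_PRIVCNTL_LOAD_EN: load_en = 1; break;
        case SPU_RUNCNTL:
            if (t[i].val != 0x3) break;        /* not an isolation load request */
            if (mbox_n != 2)      return ERR_MBOX;
            if (!reloc_off)       return ERR_RELOC;
            if (!have1 || !have2) return ERR_SIG;
            if (!load_en)         return ERR_PRIV;
            out->module_addr = ((uint64_t)mbox[0] << 32) | mbox[1];
            out->loader_addr = ((uint64_t)sig1 << 32) | sig2;
            return LOAD_OK;
        }
    }
    return ERR_NO_REQ;  /* the trace never issued the request */
}

int main(void) { struct load_req r; return check_isolation_load(sample_trace, 7, &r) != LOAD_OK; }
```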


SPE_load_request_metldr - 0x002B00A4 (3.15)


  • lv2ldr is used to decrypt lv2_kernel.self
  • syscalls 0x10042 and 0x1004A use lv2ldr
  • syscall 0x10042 is used by HV Process 3 during LV2 LPAR construction
  • syscall 0x1004A uses different parameters than syscall 0x10042


SPE_load_request_lv2ldr_1 - 0x002AE82C (3.15)

SPE_load_request_lv2ldr_2 - 0x002AE8D8 (3.15)

Loading lv2ldr

  • The 64-bit memory address of lv2ldr is written into the 32-bit SPU register SPU_In_Mbox
  • metldr is loaded

Decrypting SELFs with appldr and lv1_undocumented_function_99

  • lv1_undocumented_function_99 loads and prepares appldr for SELF decryption.
  • When appldr is ready to decrypt data, it sends a message via mailbox.
  • The address and the size of the encrypted data are passed to appldr via shared memory.

Patent Reveals Sony to Increase PS3 Power via External Processor


#28 - bernywtf - December 12, 2010 // 9:53 am
Quote originally posted by silencephaze:
I'm not sure how they want us to connect this to the ps3. Would they give every customer instructions how to connect via opening the ps3 console which would result in fail of customers, who don't have any knowledge of electronics.

they can always send everyone to the "repair centers" to get the ps3 updated, like they did with the "ops, we broke your ps3 with our update, come and pay for repair"

#27 - SwordOfWar - December 12, 2010 // 6:16 am
The ps3 does not have a sufficient interface to connect an external processor. If anything maybe it is related to the rumored ps2 compatibility add-on.

#26 - Pcsx2006 - December 12, 2010 // 4:47 am
Well in my opinion the only thing PS3 needs is more xdr ram, make it 1GB (currently only 256MB) and it'll blow everything, even PS4.

#25 - SDF - December 12, 2010 // 12:44 am
100% bs, this patent is older than the ps3.

#24 - tilla - December 11, 2010 // 9:57 pm
Gotta agree that there is simply no sign that this has anything to do with the PS3. Also, patents that never get used get filed all the time.

#23 - silencephaze - December 11, 2010 // 6:27 pm
I'm not sure how they want us to connect this to the ps3. Would they give every customer instructions how to connect via opening the ps3 console which would result in fail of customers, who don't have any knowledge of electronics. I don't think external device is their best bet. They could also make everyone who owns a ps3 send their console into sony and they implement the new device on the mother board and update our ps3, but still that is risky and I wouldn't trust sony with my ps3. I had one sent in before and they never send your same ps3 back.

I even put a sticker inside the ps3 to test if they would send the ps3 I sent into them, but didn't happen. This is interesting process, but I feel it's not possible unless sony finds an external solution that works and is very small, and doesn't stick out the front of the ps3.

Sony could be making patent, so their competition can't release an external device to update their system in any way, shape or form for security reasons.

#22 - bernywtf - December 11, 2010 // 5:36 pm
nice idea, but it will phail if they take the "wrong approach" (which happens too many times for sony)

#21 - sapperlott - December 11, 2010 // 5:00 pm
Funny what people read into this patent. This merely seems to describe the BIF bus used to connect two Cell processors to create a memory coherent SMP system (as done in the IBM Cell and PowerXCell 8i blades).

This cannot be used on the PS3 since the IOIF which can be configured to be used as a BIF interface is already used by the RSX.

#20 - viewtonic - December 11, 2010 // 4:55 pm
I don't think I've experienced the true potential of the PS3 yet and if they've bottlenecked, then I think buying a 360 would've been a better investment for me. Nevertheless, I think they should think about bringing out the next console after a gap of at least 5 years from now.

#19 - TonyHart - December 11, 2010 // 3:30 pm
Quote originally posted by semitope:
why bother. they can just put those processors in a new console and add a better gpu. call it a day.

I have to disagree with your memory comments. People with 256MB memory on their GPU can still run quite a few of the newer games and even more so with that memory on a console.

Point taken, your logic seems good. Still, this patent probably has nothing to do with the PS3, so the post title "Patent Reveals Sony to Increase PS3 Power via External Processor" is just inaccurate speculation.