January 16, 2011 // 9:50 pm
: PS3 hacker Graf_Chokolo
has now shared news of a PlayStation 3 GameOS Hypervisor exploit (quoted below) and released a NPDRM Decryption Payload
) for developers while JU57FL1P
has decrypted an NCIS Eboot
PlayStation 3 developers were previously unable to decrypt NPDRM EBOOT.BIN's (like those in PKG files) as the PS3's NPDRM encryption differed
, but today Graf_Chokolo
has figured out how to use appldr to decrypt NPDRM encrypted data from Sonic 4.
For those who haven't been following, prior to this PS3 hacking update Graf_Chokolo
was working on porting the LV1 Exploit to GameOS
said the following, to quote: "Dumped appldr arguments for NPDRM decryption on 3.41. I'm able now to decrypt NPDRMs with appldr on 3.41. Thanks to Jack for his support.
Here is a snippet from Sonic 4 NPDRM decrypted on 3.41: http://pastie.org/1463230
[Register or Login to view code]
Guys, if someone has NPDRMs to test please upload it. Thanks.
Uploaded my new stuff: NPDRM, SYSCON, HV exploit from GameOS and other thinsg.
With NPDRM payload you won't be able to decrypt all NPDRMs.
I 'm already able to decrypt dev_flash by using HV calls only.
HV uses ENCDEC device to do storage device encryption/decryption. I'm currently working on reversing of this peripheral. I have full HV access now and can control it
So expect more nice stuff in the future
And thanks for all NPDRMs, guys. I will test them and will let you know which one decrypted.
Guys and be careful with store_file_on_flash.c and replace_lv2.c payloads. With store_file_on_flash.c i'm able to store a new file on FLASH memory where CORE OS files are stored from PUP. If you do not know what that means then don't play with this, it could brick your PS3, but it's safe to use when you know what you do.
With both of those payloads i'm able to boot a patched lv2_kernel.self from FLASH without flashing PUP, i just store a second lv2_lernel.self on FLASH, then patch System Manager in HV which is reponsible for booting GameOS and boot custom LV2 kernel from 3.41. You don't need NOR flasher if something goes wrong, just reboot HV and your original lv2_kernel.self will be booted again
The same way you could boot lv2_kernel.self from dev_flash. Just patch path to lv2_kernel.self in System Manager and point it to lv2_kernel.self stored on dev_flash
Theoretically, yeah, you could run what ever OS you want
It has just to support Cell arch
Today i will try to boot PS2 soft EMU instead of LV2 kernel. Linux would be nice of course and it would have all the rights of GameOS.
I'm reversing currently HDD, BD and FLASH encryption/decryption, trying to understand how HV does it. The key to understanding of it is the ENCDEC peripheral device which i'm currently working with. As soon as i have some good results which can be used by other developers i will make it public and let you know. Are you also reversing this part of HV currently ?
Booting PS2 EMU didn't work, i could boot ps2_emu.self but the screen was black. PS2 Soft EMU ps2_softemu.self didn't boot at all, HV shuts down. You have to patch also LAID in System Manager and not only file path or else lv2ldr wont't decrypt the PS2 kernel.
otheros.self is not a kernel like LV2 or Linux, it's gameOS application, you cannot boot it like a OS kernel on PS3. But i see no problems to boot Linux kernel instead of LV2. To boot Linux kernel image instead of LV2 kernel, you have to store Linux image on CORE OS flash, patch GameOD System Manager and point kernel path to Linux image, then patch System Manager so it won't use lv2ldr to load the Linux image, just memcpy Linux image to memory of GameOS.
HV procs cannot read USB devices because there is no USB device driver in HV. USB device driver is implemnted only in gameOS kernel and without some kind of USB device driver in HV there is no way to boot a LV2 kernel from USB. I can only boot LV2 kernel from CORE OS flash or dev_flash."