December 9, 2010 // 9:26 pm - Scene release group blackb0x have returned today with a PS3 homebrew application that will come in handy for PlayStation 3 developers and JailBreak users called the b0xloader SELF Loader.

Download: b0xloader SELF Loader 1.0 for PS3

The PS3 SELF loader will load the files directly without the need to package them. Just FTP them over to your PS3 or place them on a USB stick and load them.

From the NFO File: b0xloader - SELF Loader 1.0

A Simple SELF launcher for the Playstation 3.


Initial release


  • Install the package to PS3
  • Select a Fake signed SELF from the menu and press X to launch.
  • Enjoy.

The SELF you are launching must be "fake signed" for it to launch; if not, it will bring you back to XMB. This is good for quickly testing your development/test builds without repacking to a PKG every time. Future support will be added for non-signed SELFs/ELFs.

"The age of miracles is past."

Greetz to DeLiGhT


12/9/10 - b0xloader 1.0
10/2/10 - FTP Server 1.2
9/25/10 - FTP Server 1.1b
9/23/10 - FTP Server 1.0b
9/12/10 - LV2Dump 0.7a


Graf Chokolo Shares PS3 LV2 Kernel Decrypter PSGroove Payload


#21 - datalogger - December 26, 2010 // 7:15 am
So far, I don't think anyone except Graf Chokolo has been able to boot their PS3 successfully with this payload.

I think there are plenty of people that know what to do with it, if they can get it to boot..

So far I've tried:
Fedora 9 and Ubuntu 10 with both ps3toolchain and IBM SDK 3.0

I can get it to compile cleanly, but I can't get any response from the payload on either my 3.41 or my 3.15 CECHA-01/BC PS3s.

It would be nice if Graf Chokolo would chime in with the exact setup he is using to make this work, as in what Linux distro is he using, what toolchain etc.

Hint for Ubuntu users: You must update your libpcap to version 1.1.1 or else sendfile will pump out an error on PCAP_NETMASK_UNKNOWN because the version Ubuntu 10 thinks is current is old.

#20 - deank - December 19, 2010 // 10:56 am
I wish there was someone with enough knowledge to implement these awesome discoveries.

Just as a concept, my question is: is there a chance to redirect or alter in any way the authentication requests/responses from the Storage Manager? For example, returning an O.K. (genuine) for optical media when the user uses recordable discs (obviously not genuine).


#19 - PS4 News - December 19, 2010 // 4:19 am
More updates:
graf_chokolo says:

You can decrypt lv2_kernel.self from Service JIG by using lv2ldr. No need to install it in order to be able to dump it.

I uploaded my VUART hook. While your GameOS runs, it communicates with VUARTs 0 (A/V Manager), 2 (System Manager) and 10 (Dispatcher Manager). The VUART hook sends all data written to or read from these VUARTs via Ethernet. In this data you will find e.g. communication with Update Manager, Storage Manager (Disc Authentication etc), Virtual TRM Manager or USB Dongle Authenticator and lots of other very interesting stuff.

Aha, GameOS uses service 0x200D (Decrypt with Portability) of Virtual TRM Manager to decrypt something.

I just tested my code on PS3 FAT with 3.15 and managed to make it work with the latest PSGroove version. You don't have to change anything in my code, it's independent of firmware or PSGroove version. I uploaded a new sendfile version which doesn't use VLAN by default, use it with 3.15; if you want to use VLAN just add the -v option.

Here is my descriptor for the latest PSGRoove version:


  • I have tested this service with PSGroove and GameOS is allowed to use it.
  • GameOS syscall 386 uses this service.

Packet Body


I have tested the following parameters with this service:
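| field0 | field1 | field2 | field4 | field5 | Description |
|--------|--------|--------|--------|--------|-------------|
| 0x1 | 0x0 | 0xFF | 0xFF | 0xFF | Turns off the power button LED |
| 0x1 | 0x1 | 0xFF | 0xFF | 0xFF | Turns on the power button LED |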


  • I have tested this service with PSGroove and GameOS is allowed to use it

Packet Body



  • I have tested the following parameters with this service:

| field1 | field2 | field4 | Description |
|--------|--------|--------|-------------|
| 0x29 | 0x4 | 0x6 | Makes a short single beep |
| 0x29 | 0xA | 0x1B6 | Makes a double beep |
| 0x29 | 0x7 | 0x36 | - |
| 0x29 | 0xA | 0xFFF | Makes a continuous beep |

HV call

  • The address of HV table is stored at -0x6FC8(HSPRG0).
  • The address of HV table size is stored at -0x6FD0(HSPRG0).

HV call
| Id | Name | Description |
|----|------|-------------|
| 62 | lv1_undocumented_function_62 | SPE (isolation, it updates a SLB entry, writes to SLB_Index, SLB_VSID, SLB_ESID and SLB_Invalidate_Entry registers) |
| 89 | lv1_undocumented_function_89 | SPE (writes to MFC_TLB_Invalidate_Entry register) |
| 99 | lv1_authenticate_program_segment | SPE (isolation, syscall 0x10043, syscall 0x10042, syscall 0x1004A) |
| 102 | lv1_undocumented_function_102 | Returns current TB ticks |
| 137 | lv1_undocumented_function_137 | SPE |
| 138 | lv1_undocumented_function_138 | SPE |
| 167 | lv1_undocumented_function_167 | SPE (isolation, reads from SPU_Out_Intr_Mbox and MFC_CNTL registers) |
| 168 | lv1_undocumented_function_168 | SPE (isolation, writes to MFC_CNTL register) |
| 195 | lv1_undocumented_function_195 | WLAN Gelic device |
| 196 | lv1_undocumented_function_196 | WLAN Gelic device |
| 200 | lv1_undocumented_function_200 | SPE (isolation) |
| 201 | lv1_undocumented_function_201 | SPE (isolation) |
| 209 | lv1_undocumented_function_209 | SPE (isolation) |
| 250 | lv1_undocumented_function_250 | Storage device |
| 251 | lv1_undocumented_function_251 | Storage device |
| 252 | lv1_undocumented_function_252 | Storage device |
| 253 | lv1_undocumented_function_253 | Storage device |

Memory HV call

  • All memory HV calls branch to lv1_mm_call
  • lv1_mm_call has its own function table
  • Memory HV call number = HV call number

Memory HV call table

  • Each entry is a pointer to a function TOC entry.
  • table size = 256
  • 0x00364208 (3.15)

Memory HV calls

lv1_map_htab - 0x002D595C (3.15)
lv1_unmap_htab - 0x002D56B8 (3.15)
lv1_allocate_memory - 0x002D72F0 (3.15)
lv1_release_memory - 0x002D66A4 (3.15)
lv1_query_logical_partition_address_region_info - 0x002C9B24 (3.15)
lv1_create_repository_node - 0x002DD014 (3.15)
lv1_get_repository_node_value - 0x002DD260 (3.15)
lv1_undocumented_function_231 - 0x0030B560 (3.15)


#18 - cfwprophet - December 17, 2010 // 5:27 am
That's really great.

I knew it. The debug strings for debug system settings, debug update settings along with some more are in the kernel. Also I'm pretty sure that otheros is patched out of the kernel. So dumping and decrypting some debug and retail kernels from different versions will be the main goal to enable the missing options.

#17 - PS4 News - December 17, 2010 // 5:00 am
More updates:

graf_chokolo says: Holy crap, guys. Did you know that LV2 kernel from service JIG is very different from retail version? It contains e.g. LPM (Logical Performance Monitor) and other stuff which LV2 3.41 doesn’t contain. I want to install it on my FAT PS3 and dump HV kernel. Maybe then I will find out how to use those isolated SPU modules contained in service JIG PUP.

WOW, LV2 kernel from service JIG contains a lot more debug strings.

Here is an example:

Guys, you know how $ONY calls HVCALL99 ?

They call it: lv1_authenticate_program_segment

I released my SELF decrypter several days ago. With that you will be able to decrypt all SELFs up to 3.41 firmware. The payload is in file decrypt_self_direct.c. It uses metldr and appldr directly to decrypt SELFs.

Furthermore, you will need a revoke list for programs which can be extracted from PUP files. Have fun guys

#16 - cfwprophet - December 16, 2010 // 11:31 pm
I for myself think it's the kernel or the lv2.self. If I'm not wrong then I have read a post somewhere, where all boot files of a debug were listed and there was also a lv2debug.self. And for what I know the service jig uses a lv2diag.self.

Anyway I'll try to compile psgroove with grafchokolo's bootstrap and first dump the whole flash and then I'll try to decrypt with his payload.

#15 - barrybarryk - December 16, 2010 // 10:48 pm
I'm sure the code is still in there, why would they bother removing all of it when they can just remove the menu options for launching the formatter, installer and setting the boot flag. When it was taken out the system was still locked up so they didn't have to worry about scraping every piece of code out.

But why all the interest in otherOS? Can't people just downgrade or use asbestOS to get it back if they want it back that badly?

Still looking forward to seeing what's in those SELFs and how appldr really works.

#14 - cfwprophet - December 16, 2010 // 9:56 pm
So this does mean that the code for the otheros is still in the driver of the PS3. Then I'm right that they have patched it out from the kernel.

We will see, one step after the other. In a few we will dump the whole flash including all boot files and also we will decrypt them to be able to bring back otheros (if it's possible).

Big thx to grafchokolo and his payloads and also for teaching me how to use his tools.

Oh, and to all the other sooo nice sceners that tried to direct us in the wrong direction... I'm maybe no learned coder.. but I'm also no noob and I hack consoles with love from heart. And if I need a real coder to get the thing done, I'll find one and do it.

#13 - PS4 News - December 15, 2010 // 5:59 am
Some more updates:
graf_chokolo says:

Guys, I'm now able to decrypt all SELFs up to 3.41 firmware using appldr directly without HVCALL 99. Just decrypted vsh.self from 3.15 firmware with this method. I will make everything public very soon. And then you will see the low level interface to appldr. It's partially hidden by lv1_undocumented_function_99.

Guys, look at what I have found in sysconf_plugin.sprx.
OtherOS support is still there

Here is a snippet from sysconf_plugin.sprx 3.41:

#12 - BwE - December 14, 2010 // 3:17 am
I see... this could have been done neater but it's better than nothing