PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

March 19, 2012 // 11:23 pm - It's been awhile since the last IDPS update, and today I've created this PS3 IDPS Viewer homebrew application based on research I'm doing and had not planned to release the tool out yet, but if someone needs it here it is (Thanks to J-Martin for the logo).

Download: PS3 IDPS Viewer Homebrew Application / PS3 IDPS Viewer Homebrew Application (USB)

What does this tool?

  • Displays the IDPS
  • Shows Target ID
  • Displays Motherboard revision
  • Save your IDPS in IDPS.bin file

Note: THIS TOOL IS SAFE

When the program starts you will see the typical intro screen, if you choose "Yes" you will see the data from your PS3, if sounds three beeps indicates that it was not possible dump and show the error message, and if all went well sounds a beep and you are able to see the data.

Automatically saves the IDPS in dev_hdd0/IDPS.bin, you must open it with a hex editor and look hexadecimal values, for example (IDPS false, I will not reveal my IDPS):

e.g Notepad

[Register or Login to view code]

Hex Editor
[Register or Login to view code]

The IDPS in this case would be: 00 00 00 01 00 85 00 May 87 47 64 15 A4 F6 4D AA

It has been tested on PS3 FAT, SLIM should work perfectly in also.

Regards

Finally, in related news PlayStation 3 developer naehrwert has recently blogged (nwert.wordpress.com/2011/12/24/individual-infos/) about PS3 Individual Infos, to quote:

One of the PS3′s console specific cryptography works as follows:

At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that’s the key used for encrypting bootldr and metldr. Fact is, that metldr stores another console specific keyset (key/iv) to LS offset 0x00000.

That keyset is probably calculated from the first one. At factory time the isolated root keyset (how I call it) is used to encrypt the console’s “Individual Infos”, like eEID. But not the whole eEID is encrypted the same way, special seeds are used to calculate key/iv pairs for the different sections.

And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an “Individual Info” has a special section that isoldr uses to generate the derived key(set)s.

But the generation works in a way, that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn’t allow a known plaintext attack.

So far I can decrypt some of EID0′s sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0′s but I lack the generation keys for that one.


PS3 IDPS Viewer Tool Homebrew Application is Released

PS3 IDPS Viewer Tool Homebrew Application is Released

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew.



#46 - Anton1997 - October 30, 2014 // 10:49 pm
Anton1997's Avatar
thanks

#45 - robbie1234999 - October 29, 2014 // 3:29 pm
robbie1234999's Avatar
hello, nice bro.. working?

#44 - dj1138 - October 19, 2014 // 3:32 am
dj1138's Avatar
i use both (not at the same time) psnpatch and webman. with webman IDPS and PSID are both spoofed from the get go and stay spoofed till you turn off the spoofing function, psnpatch spoofs till you turn off/restart then you have to use psnpatch again unless u use the .cfg file.

or you can have webman spoof one IDPS/PSID and psnpatch spoof another (obviously not at the same time). psn patch also installs rap and edat files while webman lets you stream games from external computer/over network.

#43 - badchimp - October 19, 2014 // 12:11 am
badchimp's Avatar
I'm using ccapi console control, you need to sign in with a legit valid cid, then change it to a banned or made up cid.

#42 - Akephalos - October 18, 2014 // 10:19 pm
Akephalos's Avatar
Sure is. I myself use PSNPatch.

It includes a .cfg file you can edit and set a spoofed ID to. It boots via USB with a .pkg and works wonders for me. On Habib 4.65 Cobra and no issues getting on PSN.

#41 - djstiff - October 18, 2014 // 8:43 pm
djstiff's Avatar
I was wondering if there was any reliable to spoof a cid?

#40 - scousetomo - October 10, 2013 // 1:10 pm
scousetomo's Avatar
i've got a working ps3 id, is there any tool available to use without a flasher? i'm on harib 4.50 cfw now on a banned slim but the id off a fat unbanned one

#39 - zant - October 5, 2013 // 8:21 pm
zant's Avatar
Can somebody make a working NAND version, please? I have been waiting to use something like this for a while now since Joris' didn't work.

#38 - JAYRIDER666 - October 5, 2013 // 12:23 pm
JAYRIDER666's Avatar
i tried but ps nope 1.05 don't work on my rogero 4.46

Also from zecoxao: Obtaining Packet IDs from Game_OS Syscall Interfaces The Easy Way (RE)

What is required:

  • IDA
  • PS3 Elf Loader
  • Kakaroto's analyze_self64.idc
  • Notepad++
  • lv1.self.elf processes (see SELFs inside ELFs on devwiki)
  • HxD

Tutorial:

Obtain the processes through table at 0x1D0000 (regular elf) or 0x1F0000 (factory elf)
Extract processes.

Load each through IDA with PS3 Elf Loader. Never undefine database and use kakaroto's idc to correctly define the offsets. In the end define the RTOC value in IDA's preferences.

Export each database to an assembly file.

Open the assembly file in IDA (any of them) search for this:

[Register or Login to view code]

The sub HAS to contain only that instruction AND a blr.

Save the offsets in each sub for each asm file. Now, go to ida and load any process elf. Go to the specified offset (pick any). Go to the function, highlight it in IDA-View... ctrl-X (xrefs) it'll show up a list of possible xrefs (most of them are Packet IDs)

Credits:

Hykem, for the work being currently done
deroad, for the help at the weekends
and of course, graf chokolo

Here's a list of offsets of the get_* functions from factory JIG lv1

Download: factory243.zip

I'll start using this thread to post my findings, even if they are off-topic.. for starters:

[Register or Login to view code]

there are a lot of these under special areas of the ps3. here are a few examples.

[Register or Login to view code]

perconsole nonce is also an interesting bit to watch. it's in metldr,bootldr,eid0,eid3 and eid5. perconsole revision key however, is only on 4 of these and not in eid3.

[Need Testers] Get logs from initialization with Juan Nadie's bootldr exploit

So yesterday i had a very interesting conversation with a friend of mine from irc. He had a theory about the initialization of the ps3. He also had logs, obtained from a modification of Juan Nadie's bootldr exploit. Unfortunately, he had to format the hdd, so the logs were lost. And this happened a long time ago.

right now we're trying to reproduce the same thing. so far:

I've uncommented line 912 ( //createLog(0); )
I've added these lines
[code]
} else if (page >= (FLASH_SEGMENT + FLASH_OFFSET + BOOTLOADER_OFFSET) && page

#37 - dyceast - October 5, 2013 // 12:09 pm
dyceast's Avatar
PSNope 1.05 is all you need.

Also from zecoxao: Dump Sysrom and the masked bootldr on NANDs

as you can see here (psdevwiki.com/ps3/Talk:Sysrom.bin), dump sysrom was originally released by glevand in an attempt to dump the bootldr in his MFW OTHEROS++. he could do it with graf's payload, so he originally thought of porting it over to psl1ght and trying it on OTHEROS++. the thing is, there is some patch that breaks this, and he failed to find out the cause. as an alternative, memdump was released, and so an alternative method was developed for it (maybe it's the same method, but i don't know for sure).

so, what is the purpose of dump sysrom?

well, like i said before, it dumps the bootldr (the system rom) located at address 0x2401FC0000 on NANDs (in the reset vector and mapped in MMIO) and in some other address on NOR, which doesn't matter because we can fully dump NOR, bootldr included, anyways.

i decided to test it one last time, to see if it'd work differently from the expected FF FF FF FF 80 01 00 03 (not implemented) error, but this time, by launching the self on rebug 4.46. it turns out, it dumped the bootldr in its encrypted form on my NAND. great!

to anyone else decided to do something constructive with this information, i've asked sguerrini97 to set up a github repository of what we successfully ported to psl1ght v2 (which wasn't much)

it's called psl1ghtv2_ports, and contains some of the code used by glevand in the early days of the scene.

https://github.com/sguerrini97/psl1ghtv2_ports

to anyone concerned, anyone who wants to include this piece of coding, take into consideration that you need lv1 peek poke in order to achieve this. also, dumping random MMIO offsets is very fun to do and you might encounter something cool

Finally, from mind: I just compiled dump_sysrom.self and run it on my CECHA01 (NAND) console - works great. I'm using 455 cfw and multiman v.4.55.00 to run the self.

Download: dump_sysrom.self

I just made a standalone pkg and it works great on 4.55 cfw, without multiman. Thanks.

Download: Dump_SYSROM.pkg

I just tested preloader advance too. I dumped my nand (Backuprflash.bin). 256MB

I expected two bootldrs on it, but... there are No bootldrs on that "backup".