PS3 IDPS Viewer Tool Homebrew Application is Released

Discussion in 'PS3 Hacks / JailBreak' started by nathanr3269, Mar 19, 2012.

  1. ps3hen

    ps3hen Guest

    He said it's not finished.
     
  2. Portalcake

    Portalcake Guest

    Sorry, didn't know that Rebug CEX wasn't as full-featured as a real DEX, outside of the things pirates would drool over.
    Also, PM.
     
  3. Blade86

    Blade86 Guest

    Thank you so much for answering me. !!BIG THX!!

    To all the peace-breakers: I cannot share the bad mood in here... Even if cfwprophet doesn't give you/us your/our wished-for tools, there is no need to front him.

    At least they (cfwprophet, nabnab) take their time to EXPLAIN to the users why a method is not what it looks like. With their knowledge, they actually don't need to waste their time helping us, especially when most of the users cannot do anything with the infos.

    BUT there are some users for whom their effort is a BIG help, so plz let them "talk" :p

    I just cannot see why one team (our scene) cannot hold together; I just wanted to bring some peace in here..

    Cheers
    Blade
     
  4. cfwprophet

    cfwprophet Guest

    I will release when everything is done and user friendly. I don't see a reason to release ACID CFW when it was at first a Retail/Debug hybrid and now I'm working on the conversion of Retail to Debug consoles. So I will release ACID CFW together with the cex2dex conversion tool and do a real, fully functional Debug CFW.

    At the moment I'm testing a lot of stuff and coding the idps-tool app together with an end-user GUI version. The tool will be able to guide you through the whole process and have a lot of buttons, so you mostly only need to do a click and get your pck calculated, eid decrypted, patched and re-encrypted, and a request_idps.txt generated.

    I'm working alone because it seems most coders of the scene are not interested in helping, and others who already know what to do won't tell and also won't help us.

    But just be a bit patient and I will do my job as well as I can, and in the end a lot of users will be surprised at what a debug PS3 in combination with target manager and a few tricks will make possible. ;)
     
  5. 1one

    1one Guest

    Cfwprophet,

    Are we going to have to enter our console eid root key into your GUI tool to get the pck?
     
  6. cfwprophet

    cfwprophet Guest

    PCK is EID key. Let me explain: per_console_key_1 = eid_root_key / per_console_key_2 = eid0_key and so on.

    You won't need to enter anything into the app. Just put the files into the folder of the app and hit some buttons. For now it will be the pck and a dump of your nand/nor or the eeid itself. The tool will guide you through the whole process of how to obtain those two files and will have everything you need inside, like the cygwin installer or the dump_flash.pkg.

    It will be automated and user friendly as much as it can be.

    For sure I will also release the source code and all files I have used, and I will post new infos and keys not publicly released yet.
     
  7. admin

    admin Administrator Staff Member

    PS3 Request IDPS Generator v1.0.0.0 By Rnd is Now Available

    Following up on the previous PS3 IDPS update, today PlayStation 3 homebrew developer Rnd (aka RndRandomizer) has released a Request IDPS Generator version 1.0.0.0 with details below.

    Download: PS3 Request IDPS Generator v1.0.0.0

    From the ReadMe file: REQUEST IDPS Generator - v1.0.0.0 - Rnd

    v1.0.0.0:
    • Initial Release
    Features:
    • Generate a request_idps file
    • Get PerConsole Data (board ID, cid, ecid, kiban ID, ckp2_data, ckp_management_id)
    Usage:

    Just get your NAND/NOR dump and drop it in this application.

    No more need for re-flashing the whole dump in order to convert EID.

    Simply put, it makes it easier to use with ObjectiveSuites-SetIdps and you don't have to gather it from Sony's server.

    Put request_idps.txt in Temp folder in ObjectiveSuites, to set your request_idps and you are done with flashing the new EID.

    I'm not responsible for ANY DAMAGE it may cause! USE AT YOUR OWN RISK!

    P.S. If somebody has a script to get the EID with ObjectiveSuites, I would be very kind if you could let me know, I will update the application.

    Sincerely,
    Rnd

    Contact me at RndRandomizer

    Finally, from zecoxao: Found it, now we can make our own request_idps files :D

    request_idps.txt (hex) info by Scorpion2k7

    name                Start offset   Size (bytes)
    per_console_serial  0              8
    header              8              96

    - Header structure

    bytes   description
    4       number of files (5)
    4       length of entire file (value-8)
    8       unknown (00 03 00 04 00 00 00 00)
    (file table)
    4       file position 1 (value-8)
    4       file length 1
    8       file id 1
    4       file position 2 (value-8)
    4       file length 2
    8       file id 2
    ...

    - File info

    File 1 - 16 bytes   - 00 12 00 02 00 00 00 00 00 00 00 00 00 00 00 00
    File 2 - 2144 bytes - EID0
    File 3 - 128 bytes  - EID2 PBLOCK
    File 4 - 48 bytes   - EID4
    File 5 - 2560 bytes - EID5

    Finally, below is a brief guide from Abkarino as follows:

    1 - Dump your NAND/NOR flash using a memDump tool, or a hardware flasher if you have a higher firmware.
    2 - Drag this dump into the Request IDPS generator tool to generate the request_idps.txt file.
    3 - Set your PC IP address to 192.168.0.100 and subnet mask to 255.255.255.0.
    4 - Enter FSM using any dongle/software method you like.
    5 - Connect your PS3 to your PC directly using an Ethernet cable.
    6 - Find the old leaked CEX2DEX conversion tools that contain ObjectiveSuite-SetIDPS.
    7 - Copy all files from the conversion folder onto a flash drive and put it in the right USB slot of your PS3.
    8 - On your PC, copy the generated request_idps.txt into the TEMP folder inside the ObjectiveSuite-SetIDPS folder.
    9 - Start ObjectiveSuite.exe, then power up your PS3.
    10 - Wait for about 1 min and you will see a "PASS" message in ObjectiveSuite.
    11 - Now turn off your console.
    12 - Flash any 3.55 CFW DEX.
    13 - While in FSM, remarry your BD drive using the 3.30 DEX PUP + 3.55 Remarry tools from the Wiki.
    14 - Exit FSM and now you have a fully functional DEX machine.

    From eussNL via IRC: patch SSL, use REQUEST IDPS Generator, lay back bored (since what happens with SetIDPS isn't really a true conversion, because you just write your own EID to the NOR/NAND).

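As an added example (not code from this thread, from Rnd's generator or from ObjectiveSuite), here is a Python parser and builder for the request_idps.txt layout Scorpion2k7 posted above, with the structural checks a tool should make before trusting such an image. It assumes big-endian integers and reads every "value-8" field as the absolute offset or length minus 8 (i.e. counted from the start of the 96-byte header); the serial, file ids and payload bytes in the sample are constructed placeholders.

```python
"""Parser/builder for the request_idps.txt layout described in the thread.

Assumptions (not stated on the page): integers are big-endian, and every
"value-8" field holds the absolute value minus 8, so file positions are
counted from the start of the header that follows the 8-byte serial.
File ids are opaque 8-byte values; the sample uses constructed dummies.
"""
import struct

SERIAL_LEN = 8
HEADER_LEN = 96
ENTRY_LEN = 16                      # 4 position + 4 length + 8 id
FILE_COUNT = 5
FIXED_UNKNOWN = bytes.fromhex("0003000400000000")

# Expected payload sizes from the "File info" table in the post.
EXPECTED_SIZES = {
    1: (16, "constant block 00 12 00 02 ..."),
    2: (2144, "EID0"),
    3: (128, "EID2 PBLOCK"),
    4: (48, "EID4"),
    5: (2560, "EID5"),
}


def parse_request_idps(data: bytes) -> dict:
    """Parse an image; raise ValueError on any structural defect."""
    if len(data) < SERIAL_LEN + HEADER_LEN:
        raise ValueError("too short for serial + header")
    serial = data[:SERIAL_LEN]
    hdr = data[SERIAL_LEN:SERIAL_LEN + HEADER_LEN]
    nfiles, total_minus8 = struct.unpack(">II", hdr[:8])
    unknown = hdr[8:16]
    if nfiles != FILE_COUNT:
        raise ValueError(f"expected {FILE_COUNT} files, header says {nfiles}")
    if total_minus8 + 8 != len(data):
        raise ValueError(f"header length {total_minus8 + 8} != actual {len(data)}")
    if unknown != FIXED_UNKNOWN:
        raise ValueError(f"unexpected fixed bytes {unknown.hex()}")
    files = {}
    prev_end = SERIAL_LEN + HEADER_LEN
    for i in range(1, nfiles + 1):
        ent = hdr[16 + (i - 1) * ENTRY_LEN:16 + i * ENTRY_LEN]
        pos_minus8, length = struct.unpack(">II", ent[:8])
        file_id = ent[8:]
        start = pos_minus8 + 8
        end = start + length
        if start != prev_end:           # files must be contiguous: no gaps, no overlap
            raise ValueError(f"file {i} starts at {start}, expected {prev_end}")
        if end > len(data):
            raise ValueError(f"file {i} runs past the end of the image")
        exp_len, name = EXPECTED_SIZES[i]
        if length != exp_len:
            raise ValueError(f"file {i} ({name}) is {length} bytes, expected {exp_len}")
        files[i] = {"name": name, "id": file_id, "data": data[start:end]}
        prev_end = end
    if prev_end != len(data):
        raise ValueError("trailing bytes after the last file")
    return {"serial": serial, "files": files}


def build_request_idps(serial: bytes, payloads: dict, ids: dict) -> bytes:
    """Assemble an image in the documented layout (inverse of the parser)."""
    assert len(serial) == SERIAL_LEN and sorted(payloads) == list(range(1, 6))
    table = b""
    body = b""
    pos = SERIAL_LEN + HEADER_LEN
    for i in range(1, FILE_COUNT + 1):
        table += struct.pack(">II", pos - 8, len(payloads[i])) + ids[i]
        body += payloads[i]
        pos += len(payloads[i])
    total = SERIAL_LEN + HEADER_LEN + len(body)
    hdr = struct.pack(">II", FILE_COUNT, total - 8) + FIXED_UNKNOWN + table
    assert len(hdr) == HEADER_LEN
    return serial + hdr + body


# Constructed sample: dummy serial, dummy ids, filler payloads of the right sizes.
SAMPLE_IDS = {i: struct.pack(">Q", 0x1000 + i) for i in range(1, 6)}
SAMPLE_PAYLOADS = {
    1: bytes.fromhex("00120002000000000000000000000000"),
    2: b"\xAA" * 2144, 3: b"\xBB" * 128, 4: b"\xCC" * 48, 5: b"\xDD" * 2560,
}
SAMPLE_IMAGE = build_request_idps(b"\x00" * 8, SAMPLE_PAYLOADS, SAMPLE_IDS)


def sample_is_consistent() -> bool:
    """Round-trip: the built image parses back with the documented sizes."""
    parsed = parse_request_idps(SAMPLE_IMAGE)
    return [len(f["data"]) for f in parsed["files"].values()] == [16, 2144, 128, 48, 2560]


def corrupt_is_rejected() -> bool:
    """Flip the file-count field: a conforming parser must refuse the image."""
    bad = bytearray(SAMPLE_IMAGE)
    bad[SERIAL_LEN + 3] = 6             # low byte of the big-endian file count
    try:
        parse_request_idps(bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("sample consistent:", sample_is_consistent())
    print("corrupt rejected:", corrupt_is_rejected())
```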
     
  8. admin

    admin Administrator Staff Member

    Video: PS3 Unbanning IDPS Proj3ct by Labuse and Raymanvtwo

    Following up on the PS3 IDPS Viewer, PS3 Request IDPS Generator and PS Unban, today French PlayStation 3 homebrew developers Labuse and Raymanvtwo have shared a video introducing their latest PS3 unbanning IDPS Proj3ct.

    To quote, roughly translated:

    This process deals with modifying the flash memory of your PS3, so beware of the risk involved, as you will be the one responsible for any damage.

    1 - It's free.
    2 - It does not provide an IDPS.
    3 - 1 change per member (archiving R_K to control all business)
    4 - No requirement to have an ODE or anything else to benefit from this service.
    5 - Do not buy an IDPS! Get it by your own means. It does not provide a repair service for any failure or brick. If you do not have access to PSN / SEN after our intervention, you probably have a stolen IDPS; we test the validity of the IDPS before making the change.
    6 - You do not store valid IDPS for use, and even less for resale.
    7 - No, Sony does not unban a person with a simple phone call; this is totally false.
    8 - No, it is not a simple change with a hex editor, and it is not enough to change the IDPS only at known offsets.

    To start, here are the essential conditions to be fulfilled before you make the final change of IDPS:

    1 - Have your console banned from PSN
    2 - Console already hacked (CFW)
    3 - Have a valid IDPS to provide for replacement

    If you do not meet any of these conditions, then there is no need to go further... however, if all conditions are met, then we will be able to do something for you, but before that take the time to read all the explanations below!

    PS3 IDPS FAQ:

    What is Proj3ct IDPS?

    To unban your console from SEN / PSN by actually modifying its flash memory.

    How do I know if it is my PSN account or my console ID that is banned?

    If you get this message at PSN sign-in: “Access denied or temporarily suspended for this system,” then it is your console ID that is banned.

    Which PS3 models are targeted by the ID modification with IDPS Proj3ct?

    All Fat and Slim CFW models (before the 3000 series).

    Who is this free IDPS change service for?

    Everyone, provided they meet the three key points above; no ODE or flasher is required to make the change.

    Why do you not provide the IDPS?

    Just for 2 reasons: the first is that for the time being we cannot yet generate non-original identifiers, so they must be found true and valid, and they are rare and valuable; however, we have work in progress to try to remedy this problem... and the second is that CFW consoles connecting to PSN are too easily spotted, and we cannot afford to lose identifiers for a few hours / days of online games.

    Why is Proj3ct IDPS not distributed freely?

    Because the conversion of the dump is difficult and requires good knowledge in this field; any approximation leads directly to a bricked console. Also, to avoid unscrupulous businesses that would make money with our work, we want it to be free for the community, and so we will offer you this service.

    Secondly, because making this change public could seriously undermine all PS3 OFW users, and it is this reason alone that motivated the choice of delivery method!

    [youtube]eqWub_NoidE[/youtube]

    How is the definitive IDPS change going to happen?

    1) Visit the [APPLICATION] IDPS PROJ3CT thread (ps-addict.fr/forum/post96895.html#p96895) to put in your formal request for an IDPS change, stating:

    PS3 Slim 320 GB / Fat 40 GB, etc. ...
    Model: CECH .....
    CFW up:
    Level of PS3 knowledge (beginner - expert - expert)

    2) Wait for an answer on consideration of your request.

    3) After acceptance of your application in the post in question, you can send your items, BUT only by PM to Labuse or Raymanvtwo, the following files:
    • Your Root_Key
    • Your dump made with MM
    • Your IDPS (recovered from an out-of-service console, for example)
    • A picture of your system properties in Multiman
    Note: you will find the method and tools to recover these different elements in the [TUTORIAL] IDPS PROJ3CT (ps-addict.fr/forum/post96894.html#p96894).

    4) We first check the actual validity of your IDPS, then proceed to the actual change of the IDPS in your dump. We send it back by PM within 2 to 4 days max.

    5) You re-flash your PS3 with Multiman using the dump you have received.

    6) You still have to format your PS3 to erase all traces of the CFW, and you can now install the OFW update; your console is unbanned from SEN / PSN! Attention: any use of PSN with a CFW after the unbanning will put your console in the same situation a few hours / days later... and I recall that we only make one final change per console! Enjoy!

     
  9. Brenza

    Brenza Guest

    That's not hard, you just have to:

    1) Decrypt the whole eEID from the flash using the per_console_key_1 and the various sub-section keys (eid0, eid1, eid2... these keys can be obtained using pck1, so you won't have any problem retrieving them)
    2) Replace the IDPS in the decrypted eid0 and eid5
    3) Re-encrypt all the stuff and write it back to the flash
    4) Perform a remarry (I think you might be able to fix eid4 and update the bd-key directly via PC, but I never tried it)

    NB: this practice is not so hard and it DOES NOT allow you to play online with CFW; you would get banned again and again... do not try this if you plan to stay on CFW, it's useless!!!

    You should also be aware that changing the console's idps will cause lots of trouble with your savegame and trophy decryption / synchronization.

    Oh, and unbanning the console OBVIOUSLY won't unban your SEN account.

    Oh, I forgot.. it can also be done automatically via Factory Service Mode (currently only on 3.55 and lower, as the required sig file hash has been revoked in higher firmwares)

    You just need ObjectiveSuites and a valid request_idps file (which we can generate "easily" with the info HERE)

    And here are a few personal notes:

    1) this practice is not so hard and it DOES NOT allow you to play online with CFW; you would get banned again and again... do not try this if you plan to stay on CFW, it's useless!!!
    2) you obviously will not be able to unban your SEN account
    3) changing the idps will cause trouble with your save/trophy files (you should be able to resign them properly using aldo's application)
     
  10. mmanolos

    mmanolos Guest

    Thanks for your information, Brenza! Anyway, it sounds too complicated, risky and useless right now as you said.

    I was never really interested in playing online, and I think my PS3 was banned when I went online just to use the YouTube app and launched MM after... I was wondering, as the French guys said "CFW consoles connecting to PSN are too easily spotted", if anyone knows exactly what Sony can see and if a PS3 can really be stealthy in the future. How is the CFW online status today? Is it a matter of time to be banned, or is there no way to be unnoticed?
     
  11. Brenza

    Brenza Guest

    Sony can read pretty much anything they want. Every time you connect the PS3 to the internet (NB: internet, not PSN) it automatically uploads the log files.

    These files contain all the PS3 activity; Sony's FW is 175MB of code (compressed) and they could put checkers everywhere in the firmware. If one of these checks finds out that your PS3 is running a non-original firmware, Sony will know it.

    The only thing we can do is locate these checks and find a way to bypass all of them.
     
  12. admin

    admin Administrator Staff Member

    PS3 IDPS Changer v1.1 Homebrew Application is Now Available

    Following up on the PS3 IDPS Proj3ct, today PlayStation 3 developer Joris (aka JorisD33) has made available PS3 IDPS Changer version 1.1 followed by v1.3 and IDPSet v0.6 and some updates with details below.

    Download: PS3 IDPS Changer v1.1 / PS3 IDPS Changer v1.1 (Mirror) / PS3 IDPS Changer v1.3 / IDPS_Changer.zip (Latest Version) / idpstool.pkg / IDPSet_v0.6.pkg (IDPSTool and IDPSet by Zar to change PS3 IDPS) / IDPSet_v0.62.pkg / IDPSet_v0.75.pkg / IDPSet_v0.76.pkg / IDPSet_v0.77.pkg / IDPSet_0.78.pkg / IDPSet_v0.79.pkg / IDPSet_v0.80.pkg / IDPSet_0.82.pkg / IDPSet_v0.83.pkg / IDPSet_v0.84.pkg / IDPSet_v0.85.pkg / IDPSet_v0.86.pkg / IDPSet_v0.87.pkg by Zarh / EIDROOT.rar by Joonie

    From the ReadMe File: What does this application do?

    This application will change your IDPS and optionally your MAC address into your flash dump.

    How can I use it?

    Just put a VALID(!) NOR/NAND dump called dump.bin and your eEID Root Key called eid_root_key.bin into the same directory, run the program and enter your new IDPS.

    Your modified dump will be created as dump_patched.bin, you just have to flash it back to your console.

    How can I dump my eEID Root Key?

    http://www.ps4news.com/ps3-hacks-ja...r-from-gameos-pkg-by-flat-z-is-now-available/

    How can I dump my flash?
    • Hardware flasher (E3, Teensy, Progskeet...)
    • Multiman
    • ...
    [youtube]SnmJRq8ePG4[/youtube]
    How can I byte-reverse my dump?

    Flowrebuilder: FlowRebuilder v.4.2.3.0.exe / FlowRebuilder v.4.2.3.0.exe (Mirror)

    4.2.3.0 Changelog:
    • added support to manage NAND preloader dumps
    • message user about the type of dump
    • message the user if bootloaders are missing
    • auto-recognize if dump is normal or byte swapped and automanage them
    If you byte-reverse your dump before using this application, remember to byte-reverse it back after the procedure.

    CHANGELOG 1.0:
    • Initial release
    From haz367: proper eid0 section/part conversion so the new idps at least has correct values after it (cex2dex offsets 002F090-2F14F // omac hash)

    offset 2F077/2F07F (new idps)

    offsets/block: 2F090-2F14F - new values calculated/added to have valid idps change? at least better then only changing IDPS line

    offset 303D7/303DF (new idps)

    offset 3F040-3F045 (new mac)

    Tested offline and trashed with my own dumps. Not needed, but people deserve a second chance, right; you only need to brick another PS3 to get a new idps. Great share for that.

    Update: PS3 IDPS Changer v1.3 Changelog: Here is the latest version of this sweet little app. I had troubles using all versions prior and now I have permanently installed new IDPS on over 30 systems. Make sure you have openssl installed via cygwin, enable XP SP2 compatibility on openssl.exe. Then grant admin access to openssl.exe as well as IDPS Changer then drop these files in the cygwin directory to ensure all the needed dll files are present.

    Name your eEID Root Key - eid_root_key.bin (obtained via FW 3.55)
    Name your NOR/NAND dump - dump.bin

    Then place these in the cygwin folder as well with the other stuff we just installed/added

    Then simply run the IDPS Changer.exe and follow instructions, this also allows changing of your MAC address. After the app is done simply rename the dump_patched.bin to the following depending on your flash type NAND or NOR.

    Nor model = CEX-FLASH.FULL.EID0.NORBIN

    Nand model = CEX-FLASH.FULL.EID0.NANDBIN

    Once you have named the file copy on to a flash drive and open mM and go to mMOS then open the drive with the newly patched dump. Double click on it and wait for it to install. Once done reboot your system and go back to mM and the settings and look at your new MAC/IDPS on your freshly unbanned PS3.

    Update #2: IDPSTool has become IDPSet, and v0.6 is now available (linked above) by Zar from the PS3Gunz French site.

    With this new version, you can permanently change your console IDPS (NAND and NOR). You just have to run IDPSet on your CFW (with Eid Root Key and valid IDPS on your USB key).

    Finally, Zarh made available IDPSet v0.62 PKG with the following updates and further revisions:
    • added the default paths of FLATZ's eid_root_key dumpers
    • added a check of eid_root_key
    • and now it displays the region matching the target ID
    • fix name of dumps
    IDPSet v0.75 / v0.76 Changelog:
    • Support fw 4.65
    • New UI
    • Remove PSID stuff (it's useless)
    • Remove Save/load to/from file (it's useless)
    • New option: Convert to DEX/CEX only for rebug
    • New option : "Dump eid_root_key" only for cex fw: 4.65, 4.53, 4.50, 4.46, 4.21 to "/dev_usb000/eid_root_key" else "/dev_hdd0/tmp/eid_root_key"
    IDPSet v0.77 Changelog:
    • better check on rebug firmware
    • added swap kernel in ros1 too
    • added check if syscall lv2 peek&poke are available
    IDPSet v0.78 Changelog:

    Indeed, sorry i forgot to tell you v0.78 is out.. I hope this one will be the last update :p

    IDPSet v0.79 Changelog:

    Hi, I have updated IDPSet to v0.79: Changelog since last official release of v0.62
    • Add : version nb in TITLE
    • Add : progress bar
    • Add : new UI
    • Removed : all PSID stuff
    • Removed : save/load from/to file
    • Add : "dump eid_root_key" only for 421C, 450C, 446C, 453C, 465C (ty flatz and zecoxao)
    • Add : "Convert to DEX/CEX" only for rebug
    • Add : "Make CEX/DEX dumps" is faster
    • Add : support fw 4.65 (4.66 too btw)
    Previous changes from v0.62:
    • Added the default paths of FLATZ's eid_root_key dumpers
    • Added a check of eid_root_key
    • And now it displays the region matching the target ID
    • Fix name of dumps
    The idps.bin and eid_root_key must be in the root of the USB.

    Known issue:

    Dumps & the root_key file have the attribute "system"; I don't know why, and I don't know how to remove it with the PS3 system. But here is the cmd to remove it with Windows.
    Code:
    attrib -R -A -S -H -I DEX-FLASH.EID0.NORBIN
    attrib -R -A -S -H -I CEX-FLASH.EID0.NORBIN
    attrib -R -A -S -H -I eid_root_key
    I've made a batch file for the lazy ones: remove_attrib.bat. Just put this file in the root of the USB and click on it; it will remove all the attributes.

    Thanks to all testers.

    PS: If someone knows why these files have this fcking "system" attribute or how I can remove it, plz help me :(

    IDPSet v0.80 Changelog:

    Thanks to badboy and matsumoto, i have updated to v0.80:

    Changelog v0.80:
    • The dumps no longer have the attribute "system"
    Changelog v0.82:

    I have updated IDPSet to v0.82 thanks to baileyscream and jonnyjaeger

    NEW Changelog - version 0.82:
    • Fix: No more freeze when making CEX&DEX dumps with a DEX system
    Changelog v0.83 (JAN/3/15):
    • Fix: random freeze
    I fixed random freezes described by Tactik-knife. Thanks.

    Changelog v0.84 (FEB/21/15):
    • Added: Swap of "software_update_plugin.sprx"
    Changelog v0.85 (JUL/26/15):
    • Added: Background image (a PNG is: /USRDIR/BG.PNG)
    • Added: Homebrew is compatible with fw 4.70 and 4.75
    • Added: The dumper for the root key is compatible with fw 4.70C, 4.70D and 4.75
    This is just a little update to support new firmware.

    Changelog v0.86 (JUL/27/15):
    • fix: no more freeze when you dump your key for firmware under 4.65.
    FYI, I wasn't in a hurry because you still can do it with the rebug toolbox (that's also why I didn't port it to every fw), but just to have something proper, I think I solved this issue with this update; can you try?

    Changelog v0.87 (SEP/23/15): (adds 4.75 DEX support)
    • Added : fw independent
    • Added : root key dumper 4.75D (thanks to Joonie who ported it)
    • Added : more message in the log to be more aware of what's going on and also to allow me to know precisely what's causing some 'random' freeze (thanks to your feedbacks ofc)
    Note:
    • The root key dumper and Converter are not fw independent
    • We can't write PSP IDPS in the EID0 without bricking the system.
     
  13. s25s

    s25s Guest

    great work :)

    We also need an update for changing the PSID, because some bans are on the PSID.
     
  14. onik

    onik Guest

    Is there any possibility of a brick while reflashing??
     
  15. mahidi

    mahidi Guest

    DLL files are missing; after downloading the DLL it still asks me for ssleay32.dll. Why couldn't they make this program perfectly??
     
  16. admin

    admin Administrator Staff Member

    PS3 IDPS / PSID Changer by Zecoxao, Permanently Change IDPS / PSID

    Following up on the previous PS3 IDPS Changer and ChangePSID, today PlayStation 3 developer zecoxao has released an updated PS3 IDPS / PSID Changer alongside Dump_Sbmmio.pkg with details below.

    Download: idps_psid_changer.zip / cygwin1.dll / idps_psid_changer.zip (Mirror) / idps_psid_changer.zip (Mirror #2) / Private Key Bruteforcer / dump_sbmmio.pkg / EID Root Key Dumper (Updated) / Dump_EEID / Flash_EEID

    To quote: Ok guys, so here's something I have for you. This is an idps/psid changer.

    This changes the idps in section 0 or section 6 and the psid in section B (not A, sorry, I corrected that on the wiki) PERMANENTLY on flash. So, you know the drill: be VERY careful when using this tool and always take precautions with a flasher.

    You're going to need 5 things: root_key, a backup of your nor flash (only nor is supported at the moment but you can easily make it compatible for nand consoles by changing the offsets at merge_section as well as change the name to whatever you wish to call your flash), a back up of eid (you can obtain this with flow rebuilder or using memdump) and, obviously, the idps and the psid you want to use on your console.

    As for the final hash in each section, the libeeid creator was kind enough to take care of that, so don't worry about that but PLEASE use valid idps and psid files!!!

    Any questions, please ask. and yes, that handles cex2dex too.
    Code:
    hex 0 1 2 3 4 5 6 7 8 9 A B
    dec 1 2 3 4 5 6 7 8 9 10 11 12 <- 12 sections
    Anyways, i figured this might be easier to use than c2d, because you can take a look at the source yourself and see and do your own changes, in case there's anything wrong.

    :alert: WARNING. IF YOU USE THIS AND SOMETHING BAD HAPPENS. IT'S YOUR RESPONSIBILITY.

    Finally, in related news zecoxao has also made available a PPU Binary Backup Manager but it needs testing.

    To quote: I have a binary of a backup manager precompiled a long time ago. I'm not sure if it's even possible to boot it but I'm convinced this binary is meant either for 3.41 or 3.55, but i need someone to test it.

    Here's the binary.. please report if it works signed as disc eboot/npdrm eboot on 3.55 or 3.41. Thanks.

    Download: test.elf

    To avoid creating unnecessary new threads i'll just post this here. i need also someone who can test this pkg.

    PLEASE be careful about this one and keep a flasher with a backup of your flash with you! this is dump_flash from gitbrew in psl1ght v1.

    This contains two changes. There's an additional poke in memory for NAND flash dumping to allow the bootldr unmasking (as per a specific wiki section on the Hardware flashing page), and there are no debug outputs with udp_printf, so it should be faster to dump. This is ONLY for 3.55!

    You can see the code on wargio's repository (github.com/wargio/dump_flash), but it's adapted to v2. to use it on v1, simply change the file lv2_syscalls.h to the one on gitbrew on the common git and the Makefile must have the respective include for ppu.mk in v1 (it differs in v2). if you just want to use the repository you can clone it or fork it. Careful with it though. it's not guaranteed it works !

    What remains...

    mc_iso and me_iso individual seeds (unknown what this does at the present time)
    Code:
    52 38 D0 FA 23 A9 93 B8 97 1D 40 0F 98 2D 21 77
    81 30 DC F4 DE 7C 4E 11 9C 1D E2 86 AA 37 61 0B
    1A B7 11 22 3F 27 68 16 59 AE 6B 71 F1 84 F9 CB
    0E 00 D0 8A D0 6A F9 F7 A1 D5 5F 69 C7 1D 2B 25
    F2 33 6E 25 63 B6 03 07 7A 76 65 71 26 CA E4 DB
    82 0E 92 85 6B 69 3C E8 14 22 E9 FB 1C 1C A5 B3
    E9 43 38 8E 4B 48 03 50 AA 24 A5 FB FA BF D1 72
    D9 7A 1E 25 DE 3E 64 A0 A7 A4 82 52 84 56 B1 74
    EID1 and EID5 still uncovered.
    EID0 sections 2,3,4,5,6,8,9,10 (marked as 1,2,...11) still uncovered. BD Drive Firmware (any kind) can't be decrypted yet through the computer. SYSCON Firmware (any kind) can't be decrypted yet through the computer.

    Private keys can't be obtained (unless somehow someone had a quantum computer with >1000 qubits of processing power and Shor's algorithm at hand...). AES can't be compromised (maybe in the near future).

    Per-console key 0 can't be obtained so far. What you see here is what remains. If anything happens that makes any of these things possible or understandable or achievable to be done, i'll delete the respective part of them.

    Debunking the idps

    Here's my debunking of the idps or console id as you know.

    Combinations: pastie.org/private/61rdfam68ipwtmvrmgnixg#10
    Code:
    idps combinations

    00 00 00 01 00    00
    1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16

    c  c  c  c  c  17 c  14 5  49 r  r  r  r  r  r

    with known constants:                      16412805891998351360 possibilities
    knowing target id:                         965459170117550080 possibilities
    knowing target id and revision:            68961369294110720 possibilities
    discounting static dummy idps 9th byte:    55169095435288576 possibilities
    discounting static dummy idps 10th byte:   54043195528445952 possibilities
    knowing all first 10 bytes:                281474976710656 possibilities

    c=constant
    r=random
    n=number of possibilities for byte
    9th byte list (from wiki): pastie.org/private/lqwgs1qzh1jd14kmbea8a
    Code:
    03
    
    00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81 SD System Debugger / DECR Reference Tool / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) Static Dummy IDPS  
    
    04
    
    00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0 ARC Arcade 0x04 GECR-1100 (COK-002) (COK-002 without Bluetooth/Wifi)  
    00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80  0xA0 ARC Arcade 0x08 GECR-1500 (VER-001) (VER-001 without Bluetooth/Wifi)  
    
    10
    
    00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  0x8A CEX Retail or Shop Kiosk - South Asia 0x01 CECHA (COK-001)  
    00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B  0x84 CEX Retail or Shop Kiosk - USA 0x02 CECHB (COK-001)  
    00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC  0x8C CEX Retail or Shop Kiosk - Russia 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001) (original label stated CECHC model!)  
    00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x07 CECHJ/CECHK (DIA-002)  
    00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)  
    00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)  
    00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF  0x84 CEX Retail or Shop Kiosk - USA 0x09 CECH20xx (DYN-001)  
    00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF  0x85 CEX Retail or Shop Kiosk - Europe 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban  
    00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban  
    00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001)  
    
    14
    
    00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)   
    00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)   
    00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17  0x85 CEX Retail or Shop Kiosk - Europe 0x0A CECH21xx (SUR-001)  
    00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F  0x8C CEX Retail or Shop Kiosk - Russia 0x0C CECH30xx (KTE-001)  
    00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0C CECH30xx (KTE-001)  
    00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65  0x8C CEX Retail or Shop Kiosk - Russia 0x0B CECH25xx (JTP-001/JSD-001) used by PS-Unban  
    00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0D CECH40xx (MPX-001/MSX-001)
    
    F4
    00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52  0x84 CEX Retail or Shop Kiosk - USA 0x05 CECHG (SEM-001) 
    00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
    10th byte list (from wiki): pastie.org/private/ftr9f5yw164jhndy3ieoa
    Code:
    0X
    
    00
    
    00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  0x8A CEX Retail or Shop Kiosk - South Asia 0x01 CECHA (COK-001)  
    00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0 ARC Arcade 0x04 GECR-1100 (COK-002) (COK-002 without Bluetooth/Wifi)
    00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)
    00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52  0x84 CEX Retail or Shop Kiosk - USA 0x05 CECHG (SEM-001)  
    00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC  0x8C CEX Retail or Shop Kiosk - Russia 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x07 CECHJ/CECHK (DIA-002)  
    00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80  0xA0 ARC Arcade 0x08 GECR-1500 (VER-001) (VER-001 without Bluetooth/Wifi)  
    00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)
    00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65  0x8C CEX Retail or Shop Kiosk - Russia 0x0B CECH25xx (JTP-001/JSD-001) used by PS-Unban 
    00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0D CECH40xx (MPX-001/MSX-001)
    
    01
    
    00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B  0x84 CEX Retail or Shop Kiosk - USA 0x02 CECHB (COK-001)  
    00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 
    00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)   
    
    02
    
    00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)  
    
    05
    
    00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D  0x85 CEX Retail or Shop Kiosk - Europe 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17  0x85 CEX Retail or Shop Kiosk - Europe 0x0A CECH21xx (SUR-001)  
    00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76  0x89 CEX Retail or Shop Kiosk - Australia/New Zealand 0x0B CECH25xx (JTP-001/JSD-001)  
    
    06
    
    00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0C CECH30xx (KTE-001)  
    
    0A
    
    00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001) (original label stated CECHC model!)  
    00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)  
    
    0B
    
    00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)  
    
    
    0C
    
    00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    
    0E
    
    00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)  
    00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x0B CECH25xx (JTP-001/JSD-001)  
    00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F  0x8C CEX Retail or Shop Kiosk - Russia 0x0C CECH30xx (KTE-001)  
    
    1X
    
    00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD  0x85 CEX Retail or Shop Kiosk - Europe 0x03 CECHC (COK-002)  
    00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80  0x84 CEX Retail or Shop Kiosk - USA 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
    00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban 
    
    1B
      
    00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85  0x85 CEX Retail or Shop Kiosk - Europe 0x09 CECH20xx (DYN-001)
    00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001) 
    
    1C
      
    00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF  0x84 CEX Retail or Shop Kiosk - USA 0x09 CECH20xx (DYN-001)  
    
    18
    
    00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF  0x85 CEX Retail or Shop Kiosk - Europe 0x0B CECH25xx (JTP-001/JSD-001)  
    
    19
    
    00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) used by PS-Unban  
    00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)  
    
    22
    
    00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB  0x84 CEX Retail or Shop Kiosk - USA 0x0C CECH30xx (KTE-001) 
    
    FF
    00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81 SD System Debugger / DECR Reference Tool / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) Static Dummy IDPS
    Notes: if you notice, CECHGs appear in almost all possibilities of the 9th-byte list, except in the static IDPS 9th byte.

    Banned idps list from "Free IDPS" thread: pastie.org/private/mk0ipzwuo9woejakc45sa
    Code:
    
    0000000100 8400 07 14 01 EEA827A1E790 
    0000000100 8400 0B 10 09 3A9E4193B877 
    0000000100 8C00 09 10 01 B82AEB2F5D4F
    0000000100 8500 08 14 0D 1030CD933117 
    0000000100 8400 0B 10 20 0B9C692AB7F1 
    0000000100 8500 0B 10 0E A29E70DC0774 
    0000000100 8500 0B 10 19 1B4DC8EF9A52 
    0000000100 8C00 07 10 01 96773F4BF2C8 
    0000000100 8600 06 10 00 297CD2B0CE66 
    0000000100 8500 09 14 0D 58433296E50A 
    0000000100 8E00 06 14 00 4981602E3C25 
    0000000100 8500 08 14 0A AF9A79149AAB 
    0000000100 8500 0B 10 1F EC26761625E8 
    0000000100 8500 09 10 10 C424BF296492 
    0000000100 8500 09 10 24 43E3977D72D3 
    0000000100 8900 06 10 00 AEBB1C48C61C 
    0000000100 8500 07 F4 01 223D790CD404 
    0000000100 8500 08 14 0C D655C8E72CB7 
    0000000100 8500 07 10 02 664CDFE6DB35 
    0000000100 0C00 08 00 97 2763B000CCBA ??0C00?? ??97??
    0000000100 8C00 09 10 02 3A9B1639CC70 
    0000000100 8500 08 10 0D 405CB8D55009 
    0000000100 8500 0B F4 04 2F0046D34A8A 
    0000000100 8700 09 10 02 41BA96BD6558 
    0000000100 8C00 09 10 00 719C437E732F 
    0000000100 8400 0B 10 31 AFD1A498EC07 ??31??
    0000000100 8400 07 10 01 0FF3FC501A21
    0000000100 8C00 0B 14 00 D402E0E513CC 
    0000000100 8700 0B 14 0D 998AE449ABA8 
    0000000100 8700 0A 10 00 F860FEB89670 
    0000000100 8500 0A 10 04 2E3F6852CCE4
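An added example, not code from this thread or from any of the tools named in it, that decodes the IDPS layout the lists above use. It reads both notations (the spaced bytes of the model lists and the grouped hex of the banned list), picks out the 6th byte (the target/region byte, 0x84 = USA and so on), the 8th byte (the model), and the 9th and 10th bytes the lists are grouped by, and labels them from the names transcribed from the lists above; any value not in those lists is reported as unknown rather than guessed. The sample lines are copied from the lists in this thread, and the last function reproduces the CECHG remark (which 9th-byte values occur together with a given model) over them.

```python
import re

# Target/region byte (6th byte) and model byte (8th byte) names transcribed from
# the lists in this thread. Anything not listed there is reported as unknown.
TARGET_ID = {
    0x81: "SD System Debugger / DECR Reference Tool",
    0x84: "CEX Retail or Shop Kiosk - USA",
    0x85: "CEX Retail or Shop Kiosk - Europe",
    0x87: "CEX Retail or Shop Kiosk - United Kingdom",
    0x89: "CEX Retail or Shop Kiosk - Australia/New Zealand",
    0x8A: "CEX Retail or Shop Kiosk - South Asia",
    0x8C: "CEX Retail or Shop Kiosk - Russia",
    0xA0: "ARC Arcade",
}
RETAIL_MODEL = {
    0x01: "CECHA (COK-001)",
    0x02: "CECHB (COK-001)",
    0x03: "CECHC (COK-002)",
    0x05: "CECHG (SEM-001)",
    0x07: "CECHJ/CECHK (DIA-002)",
    0x08: "CECHL/CECHM/CECHP/CECHQ (VER-001)",
    0x09: "CECH20xx (DYN-001)",
    0x0A: "CECH21xx (SUR-001)",
    0x0B: "CECH25xx (JTP-001/JSD-001)",
    0x0C: "CECH30xx (KTE-001)",
    0x0D: "CECH40xx (MPX-001/MSX-001)",
}
# The model byte only means something together with the target byte: the same
# value names a different unit on the debug and arcade targets.
DECR_MODEL = {0x01: "DECR-1000(A/J) / DEH-Z1010 (TMU-520)"}
ARCADE_MODEL = {0x04: "GECR-1100 (COK-002)", 0x08: "GECR-1500 (VER-001)"}
UNKNOWN = "unknown (not in the thread's table)"

_HEX_PREFIX = re.compile(r"^[0-9A-Fa-f ]+")


def parse_idps(line: str) -> bytes:
    """Return the 16 IDPS bytes from a line in either notation used in the lists.

    Only the leading run of hex digits and spaces is read, so the description
    that follows ("0x84 CEX Retail ...") or a "??0C00??" note is ignored.
    """
    m = _HEX_PREFIX.match(line.strip())
    digits = m.group(0).replace(" ", "") if m else ""
    if len(digits) < 32:
        raise ValueError(f"need 32 hex digits at the start of: {line!r}")
    return bytes.fromhex(digits[:32])


def describe(idps: bytes) -> dict:
    """Split an IDPS into the fields the lists are organised by (byte9/byte10 as the thread counts them)."""
    if len(idps) != 16:
        raise ValueError("an IDPS is 16 bytes")
    target, model = idps[5], idps[7]
    if target == 0x81:
        model_name = DECR_MODEL.get(model, UNKNOWN)
    elif target == 0xA0:
        model_name = ARCADE_MODEL.get(model, UNKNOWN)
    else:
        model_name = RETAIL_MODEL.get(model, UNKNOWN)
    return {
        "target_id": target,
        "target": TARGET_ID.get(target, UNKNOWN),
        "model_id": model,
        "model": model_name,
        "byte9": idps[8],
        "byte10": idps[9],
        "tail": idps[10:].hex().upper(),  # the last six bytes, the per-console part
    }


def models_by_byte(lines, index: int) -> dict:
    """Group lines by the value of one byte (0-based index) -> set of model names."""
    groups = {}
    for line in lines:
        idps = parse_idps(line)
        groups.setdefault(idps[index], set()).add(describe(idps)["model"])
    return groups


def byte_values_for_model(lines, index: int, model_name: str) -> list:
    """Which values of byte `index` occur together with `model_name` (the CECHG remark above)."""
    return sorted(v for v, models in models_by_byte(lines, index).items() if model_name in models)


# Sample lines copied from the lists in this thread, in both notations.
SAMPLE_LINES = [
    "00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81 SD System Debugger / DECR Reference Tool / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) Static Dummy IDPS",
    "00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84 CEX Retail or Shop Kiosk - USA 0x01 CECHA (COK-001)",
    "00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)",
    "00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)",
    "00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85 CEX Retail or Shop Kiosk - Europe 0x05 CECHG (SEM-001)",
    "00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87 CEX Retail or Shop Kiosk - United Kingdom 0x05 CECHG (SEM-001)",
    "00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0 ARC Arcade 0x04 GECR-1100 (COK-002)",
    "0000000100 8400 0B 10 20 0B9C692AB7F1",
    "0000000100 0C00 08 00 97 2763B000CCBA ??0C00?? ??97??",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = describe(parse_idps(line))
        print(f"{d['target_id']:02X}/{d['model_id']:02X} byte9={d['byte9']:02X} "
              f"byte10={d['byte10']:02X}  {d['target']} / {d['model']}")
    seen = byte_values_for_model(SAMPLE_LINES, 8, "CECHG (SEM-001)")
    print("9th-byte values seen with CECHG:", [f"{v:02X}" for v in seen])
```

Run over the full lists instead of SAMPLE_LINES and the grouping shows the same thing the note above says by eye: CECHG turns up under every 9th-byte value except the 0x03 of the static dummy IDPS.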
    Buffer Overflow on Save Games

    This comes back from the PSP era. Usually, you'd insert a disc, load a certain save and it'd load data that'd have a very long string. At the end or the middle of that string you'd see a binary loader (hbl.bin) that would load the main menu of HBL. In the case of the PS3, before the crypto fail was publicly announced, little to nothing was possible in regards to loading a binary from a savegame. Now, thanks to that and thanks to flatz's amazing tools, it might be a possibility in the near future.

    Since there isn't a tool that handles savegame crashes (yet), so far we can only manage with a DEX/Convert and eth debug to know what happens at the time of the crash/freeze. In my case, I don't have access to such tools, but there are people who do.

    So, you can try this for yourselves. This was made in FIFA 09: I turned auto-save off (so it didn't overwrite the crafted save I made), made a savegame profile, and loaded the disc. The result was that it crashed while loading the save.

    The only thing I changed was SYS-DATA. I opened it in HxD and filled my name (zecoxao) with o's until it matched Ronaldo's string entry. That caused the game to crash.

    Theoretically, you can most likely load a disc-bind 3.55-and-below signed SELF from a register that returns an address and it'll just load the SELF (I think), although I didn't try this myself yet, because I can't debug it properly on a Super Slim. Anyone who wishes to give it a go is welcome to do so.
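The crash described above comes from a fixed-width name entry in SYS-DATA being filled past its terminator. As an added example (not the post's code, and not FIFA's real save format), here is how a save loader that treats the file as untrusted input checks such a field before anything copies it into a fixed buffer, beside the strcpy-style read that runs on through the score and into the next record. The record layout (a 32-byte NUL-padded name plus a 4-byte big-endian score), the 15-character limit and the two sample saves are all constructed for the demonstration.

```python
import struct

# Constructed record layout for the demonstration (not FIFA's real SYS-DATA format):
# a 32-byte NUL-padded player-name field followed by a 4-byte big-endian score.
NAME_FIELD = 32
RECORD_FMT = ">32sI"
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 36
MAX_NAME = 15                              # hypothetical size of the engine's name buffer


class SaveCorrupt(ValueError):
    """Raised for any field the loader refuses to hand to the game engine."""


def naive_name(blob: bytes, offset: int) -> bytes:
    """What a strcpy-style consumer does: copy until the first NUL, ignoring the field width.

    With an unterminated field the copy runs through the score and into the next
    record, which is the condition behind the crash described above.
    """
    end = blob.find(b"\x00", offset)
    return blob[offset:(end if end >= 0 else len(blob))]


def checked_name(field: bytes) -> str:
    """Hardened read: the terminator must lie inside the field and the name must fit the buffer."""
    end = field.find(b"\x00")
    if end < 0:
        raise SaveCorrupt("name field is not NUL-terminated inside its %d bytes" % NAME_FIELD)
    if end > MAX_NAME:
        raise SaveCorrupt("name is %d bytes, limit is %d" % (end, MAX_NAME))
    name = field[:end]
    if any(b < 0x20 or b > 0x7E for b in name):
        raise SaveCorrupt("name contains non-printable bytes")
    return name.decode("ascii")


def parse_save(blob: bytes) -> list:
    """Validate every record before anything downstream copies it; return [(name, score), ...]."""
    if len(blob) == 0 or len(blob) % RECORD_LEN:
        raise SaveCorrupt("save is not a whole number of %d-byte records" % RECORD_LEN)
    records = []
    for off in range(0, len(blob), RECORD_LEN):
        field, score = struct.unpack_from(RECORD_FMT, blob, off)
        records.append((checked_name(field), score))
    return records


def is_rejected(blob: bytes) -> bool:
    """True if the hardened loader refuses the save."""
    try:
        parse_save(blob)
    except SaveCorrupt:
        return True
    return False


def make_record(name: bytes, score: int) -> bytes:
    # struct pads a short name with NULs; a 32-byte name fills the field with no terminator
    return struct.pack(RECORD_FMT, name, score)


# Constructed saves: a normal one, and one whose first name is the whole field filled with 'o'.
GOOD_SAVE = make_record(b"zecoxao", 3) + make_record(b"Ronaldo", 9)
CRAFTED_SAVE = make_record(b"o" * NAME_FIELD, 0x01020304) + make_record(b"Ronaldo", 9)

if __name__ == "__main__":
    print(parse_save(GOOD_SAVE))
    print("naive read of the crafted save consumes", len(naive_name(CRAFTED_SAVE, 0)), "bytes")
    print("hardened loader rejects the crafted save:", is_rejected(CRAFTED_SAVE))
```

The point of checking the terminator against the field width rather than against the destination buffer is that the field width is the only bound the file format actually promises; a loader that trusts the name to be terminated is trusting the save, which on a console is the attacker's file.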

    Printing Things to the Screen

    As you all know, neither the SDK nor the PSL1GHT environment allows you to print things natively to the screen, at least not without using RSX. Fortunately, inside the Cobra sources of their USB, there is something that enables that, making debug output MUCH easier.

    The specified functions are debug_install and debug_printf. debug_install patches the necessary offsets and redirects TTY output to the screen, and then debug_printf simply prints the thing you want. This might not sound like much, but it's a VERY useful feature, especially when you want to debug code and you like to visually see what is happening. Also, this could make things such as memory patching and dumping much easier to look at.

    I'd like to compile it myself and test for results, but I don't have a working hackable console. So I'd like to ask any of you devs to test it and check if it works or not. As I was told, it does seem to work, so I hope that this gets adapted to PSL1GHT very soon.

    U$er, I'd like you to be the first person to test this, since you have understood the plugin loading and adapted it for ourselves.

    From pastie.org/private/p1mxjrd6xbmv3hrphazxsw (the freeze):
    Code:
    # Lv-2 detected an interrupt(exception) in a user PPU Thread.
    #
    # Interrupt(exception) Info.
    #   Type : Trap
    #   SRR0 : 0x000000000006b40c
    #   SRR1 : 0x800000000002c032
    #   DSISR: 0x0000000000200000
    #   DAR  : 0x0000000010002b3c
    #   TB   : 0x0000000f5a4619f2
    #   HW Thread #: 1
    #
    # Backtrace
    #   0x00000000d0124dfc
    #   0x000000000006b67c
    #   0x00000000001a6434
    #   0x00000000001a6624
    #   0x000000000005c354
    #   0x000000000005c3f0
    #   0x0000000000329a18
    #   0x0000000000329b20
    #   0x0000000000329c28
    #   0x0000000000329d98
    #   0x0000000000329e28
    #   0x00000000003795b0
    #   0x0000000000396a34
    #   0x00000000003aa970
    #   0x000000000097ec78
    #   0x00000000009858c4
    #   0x0000000000995df8
    #   0x000000000098dd7c
    #   0x0000000000995df8
    #   0x000000000098c8a4
    #   0x00000000009896f8
    #   0x000000000097d034
    #   0x00000000003a5a98
    #   0x00000000003935cc
    #   0x00000000007ff880
    #   0x00000000007ff9d8
    #   0x0000000000805a64
    #   0x0000000000059f78
    #   0xbadadd0011300b5c
    #
    # User PPU Thread Info.
    #   ID        : 0x011300b6
    #   Name      : FEThread
    #   Stack addr: 0x00000000d0106000
    #   Stack size: 0x0000000000020000
    #   Priority  : 1002
    #   Proc name : /dev_hdd0/game/BLES00314/USRDIR/EBOOT.BIN
    #   Proc ID   : 0x10e0200
    #
    # Register Info.
    #      LR: 0x000000000006b408     CR:0x28000042
    #     CTR: 0x0000000000000000
    #
    #   GPR 0: 0x0000000000000000  GPR 1: 0x00000000d0124d70
    #   GPR 2: 0x0000000001843188  GPR 3: 0x0000000000000000
    #   GPR 4: 0x0000000000122800  GPR 5: 0x00000000014e07b8
    #   GPR 6: 0x00000000019052f0  GPR 7: 0x0000000000000010
    #   GPR 8: 0x0000000000000000  GPR 9: 0x0000000000000000
    #   GPR10: 0x0000000030e4049c  GPR11: 0x00000000d0124e60
    #   GPR12: 0x00000000310dba80  GPR13: 0x00000000100098a0
    #   GPR14: 0x0000000000000000  GPR15: 0x0000000000000000
    #   GPR16: 0x0000000000000000  GPR17: 0x0000000000000000
    #   GPR18: 0x00000000014e07b8  GPR19: 0x0000000000000000
    #   GPR20: 0x0000000000000000  GPR21: 0x0000000000122800
    #   GPR22: 0x0000000000000001  GPR23: 0x0000000000000010
    #   GPR24: 0x0000000000000001  GPR25: 0x0000000000122800
    #   GPR26: 0x0000000000000002  GPR27: 0x0000000001905150
    #   GPR28: 0x0000000001905138  GPR29: 0x0000000001905138
    #   GPR30: 0x0000000001725d18  GPR31: 0x0000000000000000
    #
    #     XER: 0x0000000020000000  FPSCR: 0x82002000
    #
    #   FPR 0: 0x41efffffffe00000  FPR 1: 0x3ff0000000000000
    #   FPR 2: 0x0000000000000000  FPR 3: 0x0000000000000000
    #   FPR 4: 0x0000000000000000  FPR 5: 0x0000000000000000
    #   FPR 6: 0x0000000000000000  FPR 7: 0x0000000000000000
    #   FPR 8: 0x407b300000000000  FPR 9: 0x0000000000000000
    #   FPR10: 0x0000000000000000  FPR11: 0x3ff0000000000000
    #   FPR12: 0x409f400000000000  FPR13: 0x4030000000000000
    #   FPR14: 0x00000011303b6000  FPR15: 0x00000011303b6000
    #   FPR16: 0x00000011303b6000  FPR17: 0x00000011303b6000
    #   FPR18: 0x00000011303b6000  FPR19: 0x00000011303b6000
    #   FPR20: 0x00000011303b6000  FPR21: 0x00000011303b6000
    #   FPR22: 0x00000011303b6000  FPR23: 0x00000011303b6000
    #   FPR24: 0x00000011303b6000  FPR25: 0x00000011303b6000
    #   FPR26: 0x00000011303b6000  FPR27: 0x00000011303b6000
    #   FPR28: 0x00000011303b6000  FPR29: 0x00000011303b6000
    #   FPR30: 0x00000011303b6000  FPR31: 0x00000011303b6000
    #
    # Continue... (Lv-2 is still running.)
    #
    LR is what matters to us. It's called the Link Register and returns the address of what we want to load.

    IT'S A TARP! (Thanks flatz for the debugging.)

    FIFA 08 (props to NiceShot for the logs) (via pastie.org/private/9iqksaxgxpo8kdqxc87g):
    Code:
    
    SDK v4.3.0
    [TM] Boot mode := System
    control_console: Server bound to port number 8080
    abort() is called from 0x0000000000151184
                      from 0x0000000000152b14
                      from 0x0000000000155268
                      from 0x0000000000147a3c
                      from 0x0000000000142fb8
                      from 0x000000000003fe98
                      from 0x00000000000ad5e0
                      from 0xbadadd0010200e50
    
    
    Continue... (Lv-2 is still running.)
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    [TM] Open connection failed (o)
    SDK v4.3.0
    [TM] Boot mode := System
    control_console: Server bound to port number 8080
    [TM] Open connection failed (o)
    SDK v4.3.0
    [TM] Boot mode := System
    control_console: Server bound to port number 8080
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    control_console: Server bound to port number 8080
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    control_console: Server bound to port number 8080
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): System Warning : busy loop detected
    lv2(2): #
    lv2(2): #
    lv2(2): # SDK version: 181001
    lv2(2): # system software version: 4.30 (DEX)
    lv2(2): # revision: 49489
    lv2(2): #
    lv2(2): # Lv-2 detected an interrupt(exception) in a user PPU Thread.
    lv2(2): #
    lv2(2): # Interrupt(exception) Info.
    lv2(2): #   Type : Data Storage
    lv2(2): #   SRR0 : 0x000000000029ee98
    lv2(2): #   SRR1 : 0x800000000000c032
    lv2(2): #   DSISR: 0x0000000040000000
    lv2(2): #   DAR  : 0x0000000036860000
    lv2(2): #   TB   : 0x00000015d962d7f6
    lv2(2): #   HW Thread #: 1
    lv2(2): #
    lv2(2): # Backtrace
    lv2(2): #   0x000000000029eeb0
    lv2(2): #   0x00000000002a8434
    lv2(2): #   0x00000000002b47f0
    lv2(2): #   0x0000000000ac3e64
    lv2(2): #   0x0000000000aca6fc
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad31d0
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad1724
    lv2(2): #   0x0000000000acd924
    lv2(2): #   0x0000000000ac1f7c
    lv2(2): #   0x00000000002b2b40
    lv2(2): #   0x0000000000296f4c
    lv2(2): #   0x000000000001dd4c
    lv2(2): #   0x000000000001f280
    lv2(2): #   0x0000000000026e60
    lv2(2): #   0x000000000087de08
    lv2(2): #   0xbadadd00116008dc
    lv2(2): #
    lv2(2): # User PPU Thread Info.
    lv2(2): #   ID        : 0x0116008e
    lv2(2): #   Name      : FEThread
    lv2(2): #   Stack addr: 0x00000000d00ad000
    lv2(2): #   Stack size: 0x0000000000020000
    lv2(2): #   Priority  : 1002
    lv2(2): #   Proc name : /dev_bdvd/PS3_GAME/USRDIR/EBOOT.BIN
    lv2(2): #   Proc ID   : 0x10e0200
    lv2(2): #
    lv2(2): # Register Info.
    lv2(2): #      LR: 0x000000000029eeb4     CR:0x22000084
    lv2(2): #     CTR: 0x0000000000a3db94
    lv2(2): #
    lv2(2): #   GPR 0: 0x0000000031313131  GPR 1: 0x00000000d00cc4f0
    lv2(2): #   GPR 2: 0x0000000001094e20  GPR 3: 0x0000000030665994
    lv2(2): #   GPR 4: 0x00000000d00cc56c  GPR 5: 0x00000000d00cc4c0
    lv2(2): #   GPR 6: 0x00000000000000cd  GPR 7: 0x0000000000000000
    lv2(2): #   GPR 8: 0x0000000000000000  GPR 9: 0x00000000d00cc56c
    lv2(2): #   GPR10: 0x0000000036860002  GPR11: 0x0000000036860006
    lv2(2): #   GPR12: 0x000000003066ba40  GPR13: 0x00000000300095c0
    lv2(2): #   GPR14: 0x0000000000000000  GPR15: 0x0000000000000000
    lv2(2): #   GPR16: 0x0000000000000000  GPR17: 0x0000000000000000
    lv2(2): #   GPR18: 0x0000000000000000  GPR19: 0x0000000000000000
    lv2(2): #   GPR20: 0x0000000000000000  GPR21: 0x0000000000000000
    lv2(2): #   GPR22: 0x0000000000000000  GPR23: 0x0000000000000000
    lv2(2): #   GPR24: 0x0000000000000001  GPR25: 0x0000000000000000
    lv2(2): #   GPR26: 0x0000000010054a50  GPR27: 0x0000000000000dcc
    lv2(2): #   GPR28: 0x000000003685fffe  GPR29: 0x000000003685919e
    lv2(2): #   GPR30: 0x0000000036857f7e  GPR31: 0x0000000030664a54
    lv2(2): #
    lv2(2): #     XER: 0x0000000000000000  FPSCR: 0x82062000
    lv2(2): #
    lv2(2): #   FPR 0: 0x41efffffffe00000  FPR 1: 0x4131f0544e560419
    lv2(2): #   FPR 2: 0x402e000000000000  FPR 3: 0x4037555560000000
    lv2(2): #   FPR 4: 0x3fd5555560000000  FPR 5: 0x0000000000000000
    lv2(2): #   FPR 6: 0xc022000000000000  FPR 7: 0x4077980000000000
    lv2(2): #   FPR 8: 0x0000000000000000  FPR 9: 0x0000000000000000
    lv2(2): #   FPR10: 0x0000000000000000  FPR11: 0x3f89aa0660000000
    lv2(2): #   FPR12: 0x43e0000000000000  FPR13: 0x41efffffffe00000
    lv2(2): #   FPR14: 0x000000116038e000  FPR15: 0x000000116038e000
    lv2(2): #   FPR16: 0x000000116038e000  FPR17: 0x000000116038e000
    lv2(2): #   FPR18: 0x000000116038e000  FPR19: 0x000000116038e000
    lv2(2): #   FPR20: 0x000000116038e000  FPR21: 0x000000116038e000
    lv2(2): #   FPR22: 0x000000116038e000  FPR23: 0x000000116038e000
    lv2(2): #   FPR24: 0x000000116038e000  FPR25: 0x000000116038e000
    lv2(2): #   FPR26: 0x000000116038e000  FPR27: 0x000000116038e000
    lv2(2): #   FPR28: 0x000000116038e000  FPR29: 0x000000116038e000
    lv2(2): #   FPR30: 0x000000116038e000  FPR31: 0x000000116038e000
    lv2(2): #
    lv2(2): # PRX Info: 16 PRX in process
    lv2(2): #   --/--: id-------- path------------------------------ versi
    on segments---
    lv2(2): #    0/16: 0x23000000 [/dev_flash/sys/external/liblv2.sprx]
    1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10480000+0x00013b68+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104a0000+0x00000d94+0x00000888 [0x00000001]
    lv2(2): #    1/16: 0x23000c00 [/dev_flash/sys/external/libsysmodule.sp
    rx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104b0000+0x00008a48+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104c0000+0x000014c8+0x00000034 [0x00000001]
    lv2(2): #    2/16: 0x23000e00 [/dev_flash/sys/external/libsysutil.sprx
    ]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104d0000+0x0001ee10+0x000010f0 [0x00000001]
    lv2(2): #       1/  2: 0x104f0000+0x00000874+0x0000cf8c [0x00000001]
    lv2(2): #    3/16: 0x23002100 [/dev_flash/sys/external/libgcm_sys.sprx
    ]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10500000+0x0000b760+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10510000+0x00000974+0x0000283c [0x00000001]
    lv2(2): #    4/16: 0x23002200 [/dev_flash/sys/external/libaudio.sprx]
      1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10520000+0x000057e0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10530000+0x00000358+0x000006d0 [0x00000001]
    lv2(2): #    5/16: 0x23002300 [/dev_flash/sys/external/libio.sprx]   1
    .  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10540000+0x0000ccb0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10550000+0x00000f10+0x00000038 [0x00000001]
    lv2(2): #    6/16: 0x23002400 [/dev_flash/sys/external/libsre.sprx]
    1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10560000+0x0002df00+0x00002100 [0x00000001]
    lv2(2): #       1/  2: 0x10590000+0x00003fe0+0x00000360 [0x00000001]
    lv2(2): #    7/16: 0x23002500 [/dev_flash/sys/external/liblv2coredump.
    sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105a0000+0x0001d974+0x00000000 [0x00000001...
    Register control in GPR0 (0x31) (via pastie.org/private/hqi53jdrhltfvdaezn3png):
    Code:
    
    [14:51:46] NiceShot: # SDK version: 181001
    lv2(2): # system software version: 4.30 (DEX)
    lv2(2): # revision: 49489
    lv2(2): #
    lv2(2): # Lv-2 detected an interrupt(exception) in a user PPU Thread.
    lv2(2): #
    lv2(2): # Interrupt(exception) Info.
    lv2(2): #   Type : Data Storage
    lv2(2): #   SRR0 : 0x000000000029ee98
    lv2(2): #   SRR1 : 0x800000000000c032
    lv2(2): #   DSISR: 0x0000000040000000
    lv2(2): #   DAR  : 0x0000000036860000
    lv2(2): #   TB   : 0x00000015d962d7f6
    lv2(2): #   HW Thread #: 1
    lv2(2): #
    lv2(2): # Backtrace
    lv2(2): #   0x000000000029eeb0
    lv2(2): #   0x00000000002a8434
    lv2(2): #   0x00000000002b47f0
    lv2(2): #   0x0000000000ac3e64
    lv2(2): #   0x0000000000aca6fc
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad31d0
    lv2(2): #   0x0000000000ad8f00
    lv2(2): #   0x0000000000ad1724
    lv2(2): #   0x0000000000acd924
    lv2(2): #   0x0000000000ac1f7c
    lv2(2): #   0x00000000002b2b40
    lv2(2): #   0x0000000000296f4c
    lv2(2): #   0x000000000001dd4c
    lv2(2): #   0x000000000001f280
    lv2(2): #   0x0000000000026e60
    lv2(2): #   0x000000000087de08
    lv2(2): #   0xbadadd00116008dc
    lv2(2): #
    lv2(2): # User PPU Thread Info.
    lv2(2): #   ID        : 0x0116008e
    lv2(2): #   Name      : FEThread
    lv2(2): #   Stack addr: 0x00000000d00ad000
    lv2(2): #   Stack size: 0x0000000000020000
    lv2(2): #   Priority  : 1002
    lv2(2): #   Proc name : /dev_bdvd/PS3_GAME/USRDIR/EBOOT.BIN
    lv2(2): #   Proc ID   : 0x10e0200
    lv2(2): #
    lv2(2): # Register Info.
    lv2(2): #      LR: 0x000000000029eeb4     CR:0x22000084
    lv2(2): #     CTR: 0x0000000000a3db94
    lv2(2): #
    lv2(2): #   GPR 0: 0x0000000031313131  GPR 1: 0x00000000d00cc4f0
    lv2(2): #   GPR 2: 0x0000000001094e20  GPR 3: 0x0000000030665994
    lv2(2): #   GPR 4: 0x00000000d00cc56c  GPR 5: 0x00000000d00cc4c0
    lv2(2): #   GPR 6: 0x00000000000000cd  GPR 7: 0x0000000000000000
    lv2(2): #   GPR 8: 0x0000000000000000  GPR 9: 0x00000000d00cc56c
    lv2(2): #   GPR10: 0x0000000036860002  GPR11: 0x0000000036860006
    lv2(2): #   GPR12: 0x000000003066ba40  GPR13: 0x00000000300095c0
    lv2(2): #   GPR14: 0x0000000000000000  GPR15: 0x0000000000000000
    lv2(2): #   GPR16: 0x0000000000000000  GPR17: 0x0000000000000000
    lv2(2): #   GPR18: 0x0000000000000000  GPR19: 0x0000000000000000
    lv2(2): #   GPR20: 0x0000000000000000  GPR21: 0x0000000000000000
    lv2(2): #   GPR22: 0x0000000000000000  GPR23: 0x0000000000000000
    lv2(2): #   GPR24: 0x0000000000000001  GPR25: 0x0000000000000000
    lv2(2): #   GPR26: 0x0000000010054a50  GPR27: 0x0000000000000dcc
    lv2(2): #   GPR28: 0x000000003685fffe  GPR29: 0x000000003685919e
    lv2(2): #   GPR30: 0x0000000036857f7e  GPR31: 0x0000000030664a54
    lv2(2): #
    lv2(2): #     XER: 0x0000000000000000  FPSCR: 0x82062000
    lv2(2): #
    lv2(2): #   FPR 0: 0x41efffffffe00000  FPR 1: 0x4131f0544e560419
    lv2(2): #   FPR 2: 0x402e000000000000  FPR 3: 0x4037555560000000
    lv2(2): #   FPR 4: 0x3fd5555560000000  FPR 5: 0x0000000000000000
    lv2(2): #   FPR 6: 0xc022000000000000  FPR 7: 0x4077980000000000
    lv2(2): #   FPR 8: 0x0000000000000000  FPR 9: 0x0000000000000000
    lv2(2): #   FPR10: 0x0000000000000000  FPR11: 0x3f89aa0660000000
    lv2(2): #   FPR12: 0x43e0000000000000  FPR13: 0x41efffffffe00000
    lv2(2): #   FPR14: 0x000000116038e000  FPR15: 0x000000116038e000
    lv2(2): #   FPR16: 0x000000116038e000  FPR17: 0x000000116038e000
    lv2(2): #   FPR18: 0x000000116038e000  FPR19: 0x000000116038e000
    lv2(2): #   FPR20: 0x000000116038e000  FPR21: 0x000000116038e000
    lv2(2): #   FPR22: 0x000000116038e000  FPR23: 0x000000116038e000
    lv2(2): #   FPR24: 0x000000116038e000  FPR25: 0x000000116038e000
    lv2(2): #   FPR26: 0x000000116038e000  FPR27: 0x000000116038e000
    lv2(2): #   FPR28: 0x000000116038e000  FPR29: 0x000000116038e000
    lv2(2): #   FPR30: 0x000000116038e000  FPR31: 0x000000116038e000
    lv2(2): #
    lv2(2): # PRX Info: 16 PRX in process
    lv2(2): #   --/--: id-------- path------------------------------ version segments---
    lv2(2): #    0/16: 0x23000000 [/dev_flash/sys/external/liblv2.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10480000+0x00013b68+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104a0000+0x00000d94+0x00000888 [0x00000001]
    lv2(2): #    1/16: 0x23000c00 [/dev_flash/sys/external/libsysmodule.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104b0000+0x00008a48+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x104c0000+0x000014c8+0x00000034 [0x00000001]
    lv2(2): #    2/16: 0x23000e00 [/dev_flash/sys/external/libsysutil.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x104d0000+0x0001ee10+0x000010f0 [0x00000001]
    lv2(2): #       1/  2: 0x104f0000+0x00000874+0x0000cf8c [0x00000001]
    lv2(2): #    3/16: 0x23002100 [/dev_flash/sys/external/libgcm_sys.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10500000+0x0000b760+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10510000+0x00000974+0x0000283c [0x00000001]
    lv2(2): #    4/16: 0x23002200 [/dev_flash/sys/external/libaudio.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10520000+0x000057e0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10530000+0x00000358+0x000006d0 [0x00000001]
    lv2(2): #    5/16: 0x23002300 [/dev_flash/sys/external/libio.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10540000+0x0000ccb0+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10550000+0x00000f10+0x00000038 [0x00000001]
    lv2(2): #    6/16: 0x23002400 [/dev_flash/sys/external/libsre.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10560000+0x0002df00+0x00002100 [0x00000001]
    lv2(2): #       1/  2: 0x10590000+0x00003fe0+0x00000360 [0x00000001]
    lv2(2): #    7/16: 0x23002500 [/dev_flash/sys/external/liblv2coredump.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105a0000+0x0001d974+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x105c0000+0x00002fac+0x00007448 [0x00000001]
    lv2(2): #    8/16: 0x23000b02 [/dev_flash/sys/external/libnetctl.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105d0000+0x00006bc8+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x105e0000+0x00000294+0x000000d4 [0x00000001]
    lv2(2): #    9/16: 0x23000c02 [/dev_flash/sys/external/libnet.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x105f0000+0x00020ff8+0x0000f008 [0x00000001]
    lv2(2): #       1/  2: 0x10620000+0x00001580+0x000011b0 [0x00000001]
    lv2(2): #   10/16: 0x23000d02 [/dev_flash/sys/external/libusbd.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10630000+0x00009800+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10640000+0x00000380+0x00000008 [0x00000001]
    lv2(2): #   11/16: 0x23000e02 [/dev_flash/sys/external/libfs.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10650000+0x0000fe48+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10660000+0x0000172c+0x00008b14 [0x00000001]
    lv2(2): #   12/16: 0x23002402 [/dev_flash/sys/external/libresc.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): #       0/  2: 0x10670000+0x0000ac20+0x00000000 [0x00000001]
    lv2(2): #       1/  2: 0x10680000+0x00001794+0x00000414 [0x00000001]
    lv2(2): #   13/16: 0x23002502 [/dev_flash/sys/external/libsysutil_np.sprx]   1.  1  2 segments
    lv2(2): #      ---/--- base------+filesz----+(mem-file) [flags-----]
    lv2(2): ...
    Controlling r0 is pretty much the same as controlling the link register. If we control r1 we can control the ROP.

    Here are the core dumps for FIFA 08 and 09. r0 is controllable in both games (it's probably hitting the stack).

    Download: fifacoredumps.tar.7z

    It'll take some minutes to upload them, so please wait.

    Lv2diag.self bricking consoles?

    I told myself I wasn't going to post any more about PS3s, but this is really bugging me so... I was hanging out in Skype when suddenly vapour barges in and says a self he created with Objective Suites bricked his PS3.

    Naturally, for a person who bricked 7 consoles by flashing ways, I thought he was kidding, since nowhere in the world would Sony do such a thing. Then I asked hellsing9 to test it somewhere. He tested the self. It bricked. He tested again, bricked again. Then I asked greysmoke. He tested the self. It didn't brick.

    My question is this: in which consoles can the brick be caused, what causes the brick to be triggered, and most importantly, can we intercept the process of the command of bricking and replace it with something else?

    This is the self (3.42 appldr signed): https://dl.dropboxusercontent.com/u/35197530/Lv2diag.self

    Needless to say flashers can and MUST be used before doing anything. They can unbrick. E3 flasher can be used as any regular flasher. As for the pinouts, I believe they are available on the wiki (NiceShot has the picture).

    From NiceShot: Uhm... you should have the original dump before trying this. I'm not sure if dumping it, byte swapping and flashing it back will solve the problem, but it is worth trying. I had a broken E3 flasher clip so I had to map the whole points to use E3 linker, but if you have an E3 flasher with E3 clip you can do the job the same way. Here you have the pinout for MSX-001:

    https://www.dropbox.com/s/0y96aa8q8cpo2ng/MSX-001 NOR Test Points TeaM_X_TudO.bmp

    Cheers

    PS3 IDA Stuff

    So, I was bored and I decided to open IDA Pro and take a look at things. Then someone told me that I could open idb files in IDA, so I went to graf's bible and opened a few. Fun. Anyways, here are some scripts/updates of scripts.

    HV Dump script has "new" function names instead of the usual "undocumented_function" crap, and the export script prints all the function names to the screen (the ones that don't start with sub_). Consider this a release of sorts. I'll try to take care of syscall_names.idh tomorrow for the lv2 dump script.

    Download: stuff_for_ida.zip
    GIT: github.com/zecoxao/ps3ida

    GitHub contains precompiled loaders, plugins, signatures, and the new scripts. I've updated the zip. You should now have two additional export functions: one for the syscalls, and another for the hvcalls. Gonna see if I can take care of syscall_names.idh today.

    Edit: taken care of: github.com/zecoxao/ps3ida/blob/master/syscall_names.idh

    Kinda piggish but it does the trick :)

    Added some more signatures. Had to use a trick. They're on GitHub: github.com/zecoxao/ps3ida/tree/master/sig/ppc

    eEID5 Keyseed and Section Keys Found :D
    Code:
    u8 unk_keyseed[EID0_KEYSEED_SIZE] =
    {
    	0x33, 0x79, 0x3B, 0x9F, 0x79, 0xE2, 0xEB, 0xAE, 0x55, 0xD4, 0xD6, 0xBF, 0x0E, 0xD3, 0x76, 0xE6
    };
    Edit: some corrections: psdevwiki.com/ps3/Keys#KIRK (thanks euss)

    KIRK

    A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B

    location: in lv2_kernel.self

    More KIRK keys
    • github.com/uofw/upspd/wiki/KIRK-13---ECDSA-point-multiplication
    • code.google.com/p/kirk-engine/source/browse/trunk/libkirk/kirk_engine.c
      AES requires a message that is a multiple of 16 bytes. I have no idea what unk_keyseed is.
      Code:
      u8 kirk1_key[] =   {0x98, 0xC9, 0x40, 0x97, 0x5C, 0x1D, 0x10, 0xE8, 0x7F, 0xE6, 0x0E, 0xA3, 0xFD, 0x03, 0xA8, 0xBA};
      u8 kirk7_key02[] = {0xB8, 0x13, 0xC3, 0x5E, 0xC6, 0x44, 0x41, 0xE3, 0xDC, 0x3C, 0x16, 0xF5, 0xB4, 0x5E, 0x64, 0x84}; // New from PS3
      u8 kirk7_key03[] = {0x98, 0x02, 0xC4, 0xE6, 0xEC, 0x9E, 0x9E, 0x2F, 0xFC, 0x63, 0x4C, 0xE4, 0x2F, 0xBB, 0x46, 0x68};
      u8 kirk7_key04[] = {0x99, 0x24, 0x4C, 0xD2, 0x58, 0xF5, 0x1B, 0xCB, 0xB0, 0x61, 0x9C, 0xA7, 0x38, 0x30, 0x07, 0x5F};
      u8 kirk7_key05[] = {0x02, 0x25, 0xD7, 0xBA, 0x63, 0xEC, 0xB9, 0x4A, 0x9D, 0x23, 0x76, 0x01, 0xB3, 0xF6, 0xAC, 0x17};
      u8 kirk7_key07[] = {0x76, 0x36, 0x8B, 0x43, 0x8F, 0x77, 0xD8, 0x7E, 0xFE, 0x5F, 0xB6, 0x11, 0x59, 0x39, 0x88, 0x5C}; // New from PS3
      u8 kirk7_key0C[] = {0x84, 0x85, 0xC8, 0x48, 0x75, 0x08, 0x43, 0xBC, 0x9B, 0x9A, 0xEC, 0xA7, 0x9C, 0x7F, 0x60, 0x18};
      u8 kirk7_key0D[] = {0xB5, 0xB1, 0x6E, 0xDE, 0x23, 0xA9, 0x7B, 0x0E, 0xA1, 0x7C, 0xDB, 0xA2, 0xDC, 0xDE, 0xC4, 0x6E};
      u8 kirk7_key0E[] = {0xC8, 0x71, 0xFD, 0xB3, 0xBC, 0xC5, 0xD2, 0xF2, 0xE2, 0xD7, 0x72, 0x9D, 0xDF, 0x82, 0x68, 0x82};
      u8 kirk7_key0F[] = {0x0A, 0xBB, 0x33, 0x6C, 0x96, 0xD4, 0xCD, 0xD8, 0xCB, 0x5F, 0x4B, 0xE0, 0xBA, 0xDB, 0x9E, 0x03};
      u8 kirk7_key10[] = {0x32, 0x29, 0x5B, 0xD5, 0xEA, 0xF7, 0xA3, 0x42, 0x16, 0xC8, 0x8E, 0x48, 0xFF, 0x50, 0xD3, 0x71};
      u8 kirk7_key11[] = {0x46, 0xF2, 0x5E, 0x8E, 0x4D, 0x2A, 0xA5, 0x40, 0x73, 0x0B, 0xC4, 0x6E, 0x47, 0xEE, 0x6F, 0x0A};
      u8 kirk7_key12[] = {0x5D, 0xC7, 0x11, 0x39, 0xD0, 0x19, 0x38, 0xBC, 0x02, 0x7F, 0xDD, 0xDC, 0xB0, 0x83, 0x7D, 0x9D};
      u8 kirk7_key38[] = {0x12, 0x46, 0x8D, 0x7E, 0x1C, 0x42, 0x20, 0x9B, 0xBA, 0x54, 0x26, 0x83, 0x5E, 0xB0, 0x33, 0x03};
      u8 kirk7_key39[] = {0xC4, 0x3B, 0xB6, 0xD6, 0x53, 0xEE, 0x67, 0x49, 0x3E, 0xA9, 0x5F, 0xBC, 0x0C, 0xED, 0x6F, 0x8A};
      u8 kirk7_key3A[] = {0x2C, 0xC3, 0xCF, 0x8C, 0x28, 0x78, 0xA5, 0xA6, 0x63, 0xE2, 0xAF, 0x2D, 0x71, 0x5E, 0x86, 0xBA};
      u8 kirk7_key44[] = {0x7D, 0xF4, 0x92, 0x65, 0xE3, 0xFA, 0xD6, 0x78, 0xD6, 0xFE, 0x78, 0xAD, 0xBB, 0x3D, 0xFB, 0x63};  // New from PS3
      u8 kirk7_key4B[] = {0x0C, 0xFD, 0x67, 0x9A, 0xF9, 0xB4, 0x72, 0x4F, 0xD7, 0x8D, 0xD6, 0xE9, 0x96, 0x42, 0x28, 0x8B}; //1.xx game eboot.bin
      u8 kirk7_key53[] = {0xAF, 0xFE, 0x8E, 0xB1, 0x3D, 0xD1, 0x7E, 0xD8, 0x0A, 0x61, 0x24, 0x1C, 0x95, 0x92, 0x56, 0xB6};
      u8 kirk7_key57[] = {0x1C, 0x9B, 0xC4, 0x90, 0xE3, 0x06, 0x64, 0x81, 0xFA, 0x59, 0xFD, 0xB6, 0x00, 0xBB, 0x28, 0x70};
      u8 kirk7_key5D[] = {0x11, 0x5A, 0x5D, 0x20, 0xD5, 0x3A, 0x8D, 0xD3, 0x9C, 0xC5, 0xAF, 0x41, 0x0F, 0x0F, 0x18, 0x6F};
      u8 kirk7_key63[] = {0x9C, 0x9B, 0x13, 0x72, 0xF8, 0xC6, 0x40, 0xCF, 0x1C, 0x62, 0xF5, 0xD5, 0x92, 0xDD, 0xB5, 0x82};
      u8 kirk7_key64[] = {0x03, 0xB3, 0x02, 0xE8, 0x5F, 0xF3, 0x81, 0xB1, 0x3B, 0x8D, 0xAA, 0x2A, 0x90, 0xFF, 0x5E, 0x61}; 
      u8 kirk16_key[]  = {0x47, 0x5E, 0x09, 0xF4, 0xA2, 0x37, 0xDA, 0x9B, 0xEF, 0xFF, 0x3B, 0xC0, 0x77, 0x14, 0x3D, 0x8A};
      
      /* ECC Curves for Kirk 1 and Kirk 0x11 */
      // Common Curve parameters p and a
      static u8 ec_p[20] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
      static u8 ec_a[20] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC}; // mon
      
      // Kirk 0xC,0xD,0x10,0x11,(likely 0x12)- Unique curve parameters for b, N, and base point G for Kirk 0xC,0xD,0x10,0x11,(likely 0x12) service
      // Since public key is variable, it is not specified here
      static u8 ec_b2[20] = {0xA6, 0x8B, 0xED, 0xC3, 0x34, 0x18, 0x02, 0x9C, 0x1D, 0x3C, 0xE3, 0x3B, 0x9A, 0x32, 0x1F, 0xCC, 0xBB, 0x9E, 0x0F, 0x0B};// mon
      static u8 ec_N2[21] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xB5, 0xAE, 0x3C, 0x52, 0x3E, 0x63, 0x94, 0x4F, 0x21, 0x27};
      static u8 Gx2[20] = {0x12, 0x8E, 0xC4, 0x25, 0x64, 0x87, 0xFD, 0x8F, 0xDF, 0x64, 0xE2, 0x43, 0x7B, 0xC0, 0xA1, 0xF6, 0xD5, 0xAF, 0xDE, 0x2C };
      static u8 Gy2[20] = {0x59, 0x58, 0x55, 0x7E, 0xB1, 0xDB, 0x00, 0x12, 0x60, 0x42, 0x55, 0x24, 0xDB, 0xC3, 0x79, 0xD5, 0xAC, 0x5F, 0x4A, 0xDF };
      
      // KIRK 1 - Unique curve parameters for b, N, and base point G
      // Since public key is hard coded, it is also included
          
      static u8 ec_b1[20] = {0x65, 0xD1, 0x48, 0x8C, 0x03, 0x59, 0xE2, 0x34, 0xAD, 0xC9, 0x5B, 0xD3, 0x90, 0x80, 0x14, 0xBD, 0x91, 0xA5, 0x25, 0xF9};
      static u8 ec_N1[21] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x01, 0xB5, 0xC6, 0x17, 0xF2, 0x90, 0xEA, 0xE1, 0xDB, 0xAD, 0x8F};
      static u8 Gx1[20] = {0x22, 0x59, 0xAC, 0xEE, 0x15, 0x48, 0x9C, 0xB0, 0x96, 0xA8, 0x82, 0xF0, 0xAE, 0x1C, 0xF9, 0xFD, 0x8E, 0xE5, 0xF8, 0xFA };
      static u8 Gy1[20] = {0x60, 0x43, 0x58, 0x45, 0x6D, 0x0A, 0x1C, 0xB2, 0x90, 0x8D, 0xE9, 0x0F, 0x27, 0xD7, 0x5C, 0x82, 0xBE, 0xC1, 0x08, 0xC0 };
      static u8 Px1[20] = {0xED, 0x9C, 0xE5, 0x82, 0x34, 0xE6, 0x1A, 0x53, 0xC6, 0x85, 0xD6, 0x4D, 0x51, 0xD0, 0x23, 0x6B, 0xC3, 0xB5, 0xD4, 0xB9 };
      static u8 Py1[20] = {0x04, 0x9D, 0xF1, 0xA0, 0x75, 0xC0, 0xE0, 0x4F, 0xB3, 0x44, 0x85, 0x8B, 0x61, 0xB7, 0x9B, 0x69, 0xA6, 0x3D, 0x2C, 0x39 };
      Interesting info on KIRK 0xC, 0xD, 0x10, and 0x11 functions by Proxima
      Code:
      The curve used for KIRK functions 0xC, 0xD, 0x10, and 0x11 is y^2 = x^3 + ax + b mod p
      
      p = FFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF
      N= FFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127
      a= -3
      b= A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B
      Gx= 128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C
      Gy= 5958557EB1DB001260425524DBC379D5AC5F4ADF
      
      Kirk 0xC - Generate new private/public key set
      Invocation:
      u8 keypair[0x3c]
      sceUtilsBufferCopyWithRange(keypair,0x3c,0,0,0xC);
      
      This returns the following into the keypair buffer (each value is 0x14 bytes long):
      0x00 - randomly generated private key
      0x14 - Public Key point x value
      0x28 - Public Key point y value
      
      Basically function 0xC generates a random number < N and multiplies it to the base point G to get the new public key.
      
      Kirk 0xD - point multiplication
      Invocation:
      u8 buffer[0x3C]
      u8 newpoint[0x28]
      memcpy(buffer, multiplier, 0x14);
      memcpy(buffer+0x14, pointx, 0x14);
      memcpy(buffer+0x28, pointy, 0x14);
      sceUtilsBufferCopyWithRange(newpoint,0x28,buffer,0x3c,0xD);
      
      The result is a new point(x and y are each 0x14 bytes long).
      
      To test this, you can call 0xC service and copy the first 0x14 bytes to a new buffer, then copy the Gx and Gy values after that. Calling 0xD with the new buffer will return the values of x and y that were generated by the 0xC call.
      
      Kirk 0x10 - ECDSA Sign hash
      Invocation:
      u8 buffer[0x34]
      u8 encryptedprivatekey[0x20] - the private key returned by KIRK 0xC must be AES encrypted somehow
      u8 SHA1hashofmessagetosign[0x14]
      memcpy(buffer,encryptedprivatekey,0x20)
      memcpy(buffer+0x20,SHA1hashofmessagetosign,0x14)
      sceUtilsBufferCopyWithRange(newsig,0x28,buffer,0x34,0x10);
      
      newsig will have the r and s values for an ECDSA signature
      
      This isn't that useful since it is not clear how to encrypt the private key to sign the message. There are some examples in IDStorage where a pre-encrypted private key and public key pair can be used, but no general cases yet.
      
      Kirk 0x11 - ECDSA Verify Signature
      Invocation:
      u8 buffer[0x64]
      memcpy(buffer,publickey,0x28)
      memcpy(buffer+0x28,SHA1hashofmessagetosign,0x14)
      memcpy(buffer+0x3C,newsig,0x28)
      sceUtilsBufferCopyWithRange(0,0,buffer,0x64,0x11);
      
      This returns 0 (good) or not 0 (bad) based on whether the signature is successfully verified.
      
      These functions seem secure. The random number generation they use seems to be strong and they do not have any of the gaps that the PS3 or KIRK1 have around re-use of random numbers.
      Download: ps3_decrypt_tools-master.zip

      To quote (from pastie.org/private/hzqhpgaxgdybq3zjudqpva):
      Code:
      LOAD:000146FC                 il             r2, 0x220
      LOAD:00014700                 ai             r3, sp, arg_20
      LOAD:00014704                 a              r2, r3, r2
      LOAD:00014708                 ila            r4, eid0_keyseed_6
      LOAD:0001470C                 ai             r5, sp, arg_150
      LOAD:00014710                 lr             r3, r2
      LOAD:00014714                 lqd            r2, arg_140(sp)
      LOAD:00014718                 lr             r6, r2
      LOAD:0001471C                 brsl           lr, sbox_stuff
      LOAD:00014720                 lr             r4, r3
      .......
      LOAD:00014744                 br             loc_148A8
      
      LOAD:00016FCC                 ai             r2, sp, arg_1F0
      LOAD:00016FD0                 ila            r4, eid0_keyseed_6
      LOAD:00016FD4                 ai             r5, sp, arg_100
      LOAD:00016FD8                 lr             r3, r2
      LOAD:00016FDC                 lqd            r2, arg_E0(sp)
      LOAD:00016FE0                 lr             r6, r2
      LOAD:00016FE4                 brsl           lr, sbox_stuff
      LOAD:00016FE8                 lr             r4, r3
      ....
      LOAD:00017018                 br             loc_17158
      
      LOAD:00016354                 il             r2, 0x360
      LOAD:00016358                 ai             r3, sp, arg_20
      LOAD:0001635C                 a              r2, r3, r2
      LOAD:00016360                 ila            r4, key_unknown
      LOAD:00016364                 ai             r5, sp, arg_1F0
      LOAD:00016368                 lr             r3, r2
      LOAD:0001636C                 lqd            r2, arg_1D0(sp)
      LOAD:00016370                 lr             r6, r2
      LOAD:00016374                 brsl           lr, sbox_func
      LOAD:00016378                 lr             r4, r3
      ........
      LOAD:000163A4                 stqd           r3, arg_1C0(sp)
      Finally, from LiquidManZero (via psx-scene.com/forums/f153/new-63886/index28.html#post992654):

      Welp. I'm just going to leave these here... Also Rand, I know you're watching.
      Code:
      me_iso_spu_module:
      
      0x6DB0: 51ED689419A83AD8
      0x6DD0: 65E88B1A9E3FD268
      0x6DE0: 7D16C46313C3711C
      0x6DF0: D56604A445781EC4
      0x6E00: E773089E35D26A1B
      0x6E10: 38C761029437CEE3
      0x6E20: 20CB60F58D24BE50
      0x6E30: 35C860019222BB60
      0x6E40: 8C2BD03EC245C56D
      0x6E50: 5001C87121F939C144D86B069224B247
      0x6E60: 77F38314B047D87C9B37D266049228C4
      
      mc_iso_spu_module:
      
      0x6680: 6C26D37F46EE9DA9
      0x6690: CE62F68420B65A81E459FA9A2BB3598A
      0x66A0: 2CD160FA8C2ED362
      0x66B0: 7014A32FCC5B1237AC1FBF4ED26D1CC1
      0x74A0: 2C5BF48D32749127
      From zecoxao: Euss, right next to this (psdevwiki.com/ps3/Seeds#sc_iso_key_seeds) there's a chunk of data, size 0x290, which is loaded twice in two separate functions. I'm guessing that this is some sort of eid1 in disguise? This is on the jig firmware btw.

      There is also a third value which i don't recognize (next to be2sc and sc2be keys):
      Code:
      2E A2 67 09 3B 45 56 ED  9D 3B E6 2E 11 5D 6D 59
      Dump_Sbmmio.pkg (linked above)

      Dumps sbmmio to any USB port. I need to know what lies at offset 0xC000 in different consoles. So, bring me your dumps :D (they don't come with personal information AFAIK) or you can just tell me the first 0x14 bytes of offset 0xC000.

      You need:
      • usb stick in ps3
      • lv1 peek and poke by graf
      That's the southbridge dump. I was using it to know what the hell was wrong with syscon by flatz. Turns out it wasn't the device/distro/Linux kernel/firmware version, it was the code, and he fixed it.

      Now a friend of mine is trying to overflow packets sent to the syscon in order to obtain the syscon content keys. Btw, here is the fixed code:

      Download: https://dl.dropboxusercontent.com/u/35197530/zip/syscon.7z

      These last days I've been trying to make the syscon command work on linux, only to find out it didn't work as it should. Here are the proper sources (linked above).

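As an added example (my own code, not from the thread, kirk-engine or Sony), here is the curve Proxima lists modelled in pure Python: affine point arithmetic, the 0xC/0xD buffer layouts and the 0xC-then-0xD round-trip check described above, and an ECDSA sign/verify pair with 0x10/0x11 semantics over a SHA-1 digest. It also checks that G lies on the curve and that N*G is the point at infinity. Assumption: the private key is used in plaintext, whereas the real 0x10 expects it AES-wrapped (unknown wrapping, per the post); kirk_0xC and friends are my own labels.

```python
"""Software model of the KIRK 0xC/0xD/0x10/0x11 services on the curve quoted above.
Constructed example for this thread, not kirk-engine, PSP/PS3 or Sony code. Curve values
are exactly those Proxima posted (b is also the 20-byte value found in lv2_kernel.self).
Caveat: the real 0x10 takes an AES-wrapped private key; here it is used in plaintext."""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFF00000001FFFFFFFFFFFFFFFF  # field prime
N = 0xFFFFFFFFFFFFFFFEFFFFB5AE3C523E63944F2127  # order of G
A = P - 3                                       # a = -3 mod p
B = 0xA68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B
G = (0x128EC4256487FD8FDF64E2437BC0A1F6D5AFDE2C,
     0x5958557EB1DB001260425524DBC379D5AC5F4ADF)
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition (and doubling) over GF(P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                        # P + (-P)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication: what KIRK 0xD computes."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def b20(n):
    return n.to_bytes(0x14, "big")

def i20(b):
    return int.from_bytes(b, "big")

def kirk_0xC():
    """New keypair laid out as the service returns it: priv(0x14) || pub.x(0x14) || pub.y(0x14)."""
    d = secrets.randbelow(N - 1) + 1
    qx, qy = mul(d, G)
    return b20(d) + b20(qx) + b20(qy)

def kirk_0xD(buf):
    """Point multiplication: k(0x14) || x(0x14) || y(0x14) -> x'(0x14) || y'(0x14)."""
    r = mul(i20(buf[:0x14]), (i20(buf[0x14:0x28]), i20(buf[0x28:0x3C])))
    if r is INF:
        raise ValueError("result is the point at infinity")
    return b20(r[0]) + b20(r[1])

def roundtrip_test():
    """Proxima's check: the 0xC private key with G fed to 0xD must give the 0xC public key."""
    kp = kirk_0xC()
    return kirk_0xD(kp[:0x14] + b20(G[0]) + b20(G[1])) == kp[0x14:]

def ecdsa_sign(d, digest):
    """KIRK 0x10 semantics (minus the key wrapping): returns r(0x14) || s(0x14)."""
    e = i20(digest)
    while True:
        k = secrets.randbelow(N - 1) + 1      # fresh nonce per signature
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return b20(r) + b20(s)

def ecdsa_verify(pub, digest, sig):
    """KIRK 0x11 semantics: 0 for a good signature, nonzero for a bad one."""
    r, s = i20(sig[:0x14]), i20(sig[0x14:])
    q = (i20(pub[:0x14]), i20(pub[0x14:]))
    if not (0 < r < N and 0 < s < N and on_curve(q)):
        return 1
    w = pow(s, -1, N)
    pt = add(mul(i20(digest) * w % N, G), mul(r * w % N, q))
    return 0 if pt is not INF and pt[0] % N == r else 1

def curve_sanity():
    """G lies on the curve and N*G is the point at infinity (N is the order of G)."""
    return on_curve(G) and mul(N, G) is INF

def sign_verify_demo(message, tampered):
    """(verify code for message, verify code for tampered) with a fresh 0xC keypair: expect (0, 1)."""
    kp = kirk_0xC()
    sig = ecdsa_sign(i20(kp[:0x14]), hashlib.sha1(message).digest())
    return (ecdsa_verify(kp[0x14:], hashlib.sha1(message).digest(), sig),
            ecdsa_verify(kp[0x14:], hashlib.sha1(tampered).digest(), sig))
```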
     
  17. JAYRIDER666

    JAYRIDER666 Guest

    VTRM crypto and Blu-ray playback

    I have a working IDPS but I have no program to put this on my PS3 CFW Rogero 4.46. Can anyone help?

    Also below is some VTRM crypto and Blu-ray playback from zecoxao, as follows:

    This is already known info but i figured i'd make it into a nice post so let's start.

    There are two VTRM blocks at the flash. Each block corresponds to each ros. Essentially one VTRM is a backup of the other.

    Inside the VTRM block there are encrypted blocks. There might be 4, 5, 6, etc. blocks. Why the number of blocks changes, we don't know. The blocks have a size of 0x40 bytes.

    There are two ways to decrypt the blocks: using AES-XTS with sherwood_ss_seed and ss_seed_one_more, OR (recommended) using AES-CBC with keyseed_for_srk2.

    Method is the following:

    First, encrypt the root key with the sc_iso metadata seeds. Key is at 0x20, size 0x10, IV is at 0x10. Then, encrypt (pick one) either sherwood_ss_seed (for data) and ss_seed_one_more (for tweak) or keyseed_for_srk2 (this is a string used as a seed) with AES-CBC-128 for the block key (IV is 0).

    After obtaining the data and tweak keys (or the block key) use the keys and decrypt each block.

    Most of the blocks contain nothing inside, except for the very first one.

    First block contains a hash of DRL (0x14 bytes) followed by a hash of CRL (0x14 bytes) in SHA-1 format. If you just remarried your console, you can fix Blu-ray playback by replacing the hashes there with the ones you currently have.

    There's another set of hashes in plain sight, and they're probably all SHA-1. First hash is repeated in a set of patterns, second hash is cleverly hidden among the patterns, and third hash is at the VTRM header. Corruption of these hashes is very likely to cause RSOD. There has been a debate whether replacing a corrupted hash with another equal hash would be advisable (it fixes the RSOD error, but we don't know the direct consequences of this).

    Oh, forgot the link to glevand's mastery: psdevwiki.com/ps3/Fixing_DRL_and_CRL_Hashes

    I just had a word with flatz... two of the 3 hashes can be calculated already:
    Code:
    hash_repeated:hmac_sha1(srk,empty data)
    hash_hidden:hmac_sha1(srk,0x58 bytes of empty sector)
    hash_header:unknown.
    Empty sector:
    Code:
    10 70 00 00 02 00 00 01 10 70 00 00 39 00 00 01
    [0x40 encrypted empty section here]
    00 00 00 00 00 00 00 01
    u$er, I asked you about the method to dump srk and srh, but unfortunately, even with your help, I wasn't able to dump the data. Running the code with your pokes hangs at a black screen. If you're interested in sharing that package to dump srk and srh, that would be very cool of you :)

    From u$er: the prx has been tested on 446 DEX in debug mode. It should work on CEX as well, but you won't see any result... just connect to port 4546 and type "dumpsrk".

    Download: test.sprx (load with prx loader) / pastie.org/private/kfbm2w1dzjddczxvdonba (src)
    Code:
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    /* system_call_3 / return_to_user_prog are the PS3 SDK lv2 syscall macros;
       lv1_poke and print_hex come from the rest of the prx (not shown in the post). */
    
    /* lv2 syscall 862, with the arguments as posted, fills 'data' with the
       0x60-byte encrypted SRK backup (expected layout shown below) */
    uint64_t backup_srk(uint8_t *data)
    {
    	system_call_3(862, 0x2014, 0x60, (uint64_t)data);
    	return_to_user_prog(uint64_t);
    }
    
    void patch_proc_checks()
    {
    	//disable product mode check
    	lv1_poke(0x720670, 0x2F3E000060000000ULL);
    	lv1_poke(0x720680, 0x7FA3EB7860000000ULL);
    	//disable auth check
    	lv1_poke(0x16fb64, 0x2f80000048000050ULL);
    }
    
    int dump_srk()
    {
    	patch_proc_checks();
    
    	uint8_t data[0x60];
    	uint64_t res;
    
    	memset(data, 0, 0x60);
    	res = backup_srk(data);
    	printf("backup srk: %llx\n", res);
    	print_hex(data, 0x60);
    	return 0;
    }
    It should look like this:
    Code:
    0x00: 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 60
    0x10: encrypted srk (0x40 bytes)
    0x50: omac of header and encrypted data
    From zecoxao: Thanks u$er. I got the encrypted srk, srh, and something else :p

    Alright, here's the structure of the decrypted data (I'm going to upload the algorithm to generate the backup key and IV to decrypt the data using AES-CBC to my decrypt_tools)

    First 0x10 bytes of data are unknown; we don't know what they are, basically. Then comes srh, then srk, and finally a padding of 8 zeroes. I've verified this myself :)

    Now what's left to analyze are those 0x10 bytes. flatz wondered if they could be any master key, but I highly doubt it. Either way, it's worth checking out.

    Edit: srh is the hash of the signature table (the giant table with the repeated hashes and the hidden one) hashed with srk key

    Edit2: header hash is just a hmac sha1 of hmac sha1 of vtrm section without header (0x28 bytes) and signature table (again, with srk key, hashed twice)

    More info from flatz: syscon data (total size: 0x400 bytes) includes:

    management block:
    0x00 - syscon state/status (0x10 bytes with padding)

    root info block:
    0x10 - key (0x10 bytes)
    0x20-0x34 - srh (0x14 bytes)
    0x34-0x48 - srk (0x14 bytes)
    0x48-0x50 - padding

    ???:
    0x50-0x80: encrypted stuff (???)

    updater block/region data block:
    0x80-0x380 - system version, coreos hashes (?), etc
    each block has a size of 0x30 bytes (?)

    From zecoxao:
    Code:
    0x10 - key (0x10 bytes)
    This is the block key.
    Code:
    ???:
    0x50-0x80: encrypted stuff (???)
    Those are hashes of SC Encrypt Keys using CMAC/OMAC1 mode. They probably use this key:
    Code:
    8CB782E53E8AEB8A768D366598281B9B
    To generate the hash.

    eeprom: https://dl.dropboxusercontent.com/u/35197530/eeprom.bin

    The INDEXAREAISHERE parts are written like that because they might (or not) have to do with per-console info, so they were left like that.
     
  18. dyceast

    dyceast Guest

    Dump Sysrom and the masked bootldr on NANDs

    PSNope 1.05 is all you need.

    Also from zecoxao: Dump Sysrom and the masked bootldr on NANDs

    As you can see here (psdevwiki.com/ps3/Talk:Sysrom.bin), dump sysrom was originally released by glevand in an attempt to dump the bootldr in his MFW OTHEROS++. He could do it with graf's payload, so he originally thought of porting it over to psl1ght and trying it on OTHEROS++. The thing is, there is some patch that breaks this, and he failed to find out the cause. As an alternative, memdump was released, and so an alternative method was developed for it (maybe it's the same method, but I don't know for sure).

    So, what is the purpose of dump sysrom?

    Well, like I said before, it dumps the bootldr (the system ROM) located at address 0x2401FC0000 on NANDs (in the reset vector and mapped in MMIO) and at some other address on NOR, which doesn't matter because we can fully dump NOR, bootldr included, anyway.

    I decided to test it one last time, to see if it'd work differently from the expected FF FF FF FF 80 01 00 03 (not implemented) error, but this time by launching the self on Rebug 4.46. It turns out it dumped the bootldr in its encrypted form on my NAND. Great! :)

    To anyone else who decided to do something constructive with this information: I've asked sguerrini97 to set up a GitHub repository of what we successfully ported to psl1ght v2 (which wasn't much).

    It's called psl1ghtv2_ports, and contains some of the code used by glevand in the early days of the scene.

    https://github.com/sguerrini97/psl1ghtv2_ports

    To anyone concerned, anyone who wants to include this piece of coding, take into consideration that you need lv1 peek/poke in order to achieve this. Also, dumping random MMIO offsets is very fun to do and you might encounter something cool :)

    Finally, from mind: I just compiled dump_sysrom.self and ran it on my CECHA01 (NAND) console - works great. I'm using 455 CFW and multiman v.4.55.00 to run the self.

    Download: dump_sysrom.self

    I just made a standalone pkg and it works great on 4.55 cfw, without multiman. Thanks.

    Download: Dump_SYSROM.pkg

    I just tested preloader advance too. I dumped my nand (Backuprflash.bin). 256MB :)

    I expected two bootldrs on it, but... there are No bootldrs on that "backup".
     
  19. JAYRIDER666

    JAYRIDER666 Guest

    Obtaining Packet IDs from Game_OS Syscall Interfaces The Easy Way (RE)

    I tried, but PSNope 1.05 doesn't work on my Rogero 4.46.

    Also from zecoxao: Obtaining Packet IDs from Game_OS Syscall Interfaces The Easy Way (RE)

    What is required:
    • IDA
    • PS3 Elf Loader
    • Kakaroto's analyze_self64.idc
    • Notepad++
    • lv1.self.elf processes (see SELFs inside ELFs on devwiki)
    • HxD
    Tutorial:

    Obtain the processes through table at 0x1D0000 (regular elf) or 0x1F0000 (factory elf)
    Extract processes.

    Load each through IDA with PS3 Elf Loader. Never undefine database and use kakaroto's idc to correctly define the offsets. In the end define the RTOC value in IDA's preferences.

    Export each database to an assembly file.

    Open the assembly file in IDA (any of them) and search for this:
    Code:
    		ld	  r3, off_
    The sub HAS to contain only that instruction AND a blr.

    Save the offsets in each sub for each asm file. Now, go to IDA and load any process elf. Go to the specified offset (pick any). Go to the function, highlight it in IDA-View, then Ctrl-X (xrefs) will show a list of possible xrefs (most of them are Packet IDs).

    Credits:

    Hykem, for the work being currently done
    deroad, for the help at the weekends
    and of course, graf chokolo

    Here's a list of offsets of the get_* functions from factory JIG lv1

    Download: factory243.zip

    I'll start using this thread to post my findings, even if they are off-topic.. for starters:
    Code:
    00 00 00 01
    There are a lot of these under special areas of the PS3. Here are a few examples.
    Code:
    0x200 next to IFI area (NOR)
    0x400 next to filetable
    0x800 next to metldr file entry
    0x2f070 in idps EID0 (I don't believe idps is really 0x10 bytes but instead a concatenation of these bytes with per-system info)
    0x302A0 in EID3
    0x303D0 in EID5 idps
    0x3f800 in cCSD
    0xc0010 in ros0
    0x7c0010 in ros1
    0xf20000 in cell_extnor_area
    0xf40000 in CRL1
    0xf80000 in CRL2
    Per-console nonce is also an interesting bit to watch. It's in metldr, bootldr, eid0, eid3 and eid5. Per-console revision key, however, is only in 4 of these and not in eid3.

    [Need Testers] Get logs from initialization with Juan Nadie's bootldr exploit

    So yesterday I had a very interesting conversation with a friend of mine from IRC. He had a theory about the initialization of the PS3. He also had logs, obtained from a modification of Juan Nadie's bootldr exploit. Unfortunately, he had to format the HDD, so the logs were lost. And this happened a long time ago.

    Right now we're trying to reproduce the same thing. So far:

    I've uncommented line 912 ( //createLog(0); )
    I've added these lines
    Code:
    } else if (page >= (FLASH_SEGMENT + FLASH_OFFSET + BOOTLOADER_OFFSET) && page <= (FLASH_SEGMENT + FLASH_OFFSET + BOOTLOADER_END_OFFSET)) {
            *ptr = bufferFlash + (ea & 0xFFFFFFUL);
    	}
    in function getPointer

    Download: rr7_355.zip

    this is the code so far. peekpoke is already precompiled, but btldr8 needs recompiling. red ribbon rc7 was the version used. this only works on NOR consoles though (my biggest difficulty, since i have a NAND) so, i'll need some testers for this.

    also, notice that this may not be complete. my friend says that he's still trying to remember what he did to enable logging so we don't know if it might work or not.. and i just need to check the logs. :)

    logging of the installation of pups. not of dumping bootldr.

    logs galore: http://pastebin.com/LLWSbAQT

    notice:
    Code:
    Starting main loop
    STATUS 289
    MFCCNTL 0
    1403462305117247 - 0000: 0x000002401FFC0000 -> 0x3FFC0 unknown page: 2401FFC0000(0x40) <- this means bootldr has a header of 0x40 bytes that is passed to LS before anything else
    1403462305117313 - 0000: 0x000002401FFC0040 -> 0x00000 unknown page: 2401FFC0000(0x0) 
    1403462305117352 - 0000: 0x000002401FFC00C0 -> 0x3F080 unknown page: 2401FFC0000(0xF80) <- decrypting first block
    1403462305117395 - 0000: 0x000002401FFC0140 -> 0x3F100 unknown page: 2401FFC0000(0xF00) <- decrypting second block 
    1403462305117491 - 0000: 0x000002401FFC01C0 -> 0x3F180 unknown page: 2401FFC0000(0xE80)
    1403462305117534 - 0000: 0x000002401FFC0240 -> 0x3F200 unknown page: 2401FFC0000(0xE00)
    1403462305117577 - 0000: 0x000002401FFC02C0 -> 0x3F280 unknown page: 2401FFC0000(0xD80)
    1403462305118045 - 0000: 0x000002401FFC0340 -> 0x3F300 unknown page: 2401FFC0000(0xD00)
    1403462305118089 - 0000: 0x000002401FFC03C0 -> 0x3F380 unknown page: 2401FFC0000(0xC80)
    1403462305118132 - 0000: 0x000002401FFC0440 -> 0x3F400 unknown page: 2401FFC0000(0xC00)
    1403462305118175 - 0000: 0x000002401FFC04C0 -> 0x3F480 unknown page: 2401FFC0000(0xB80)
    1403462305118218 - 0000: 0x000002401FFC0540 -> 0x3F500 unknown page: 2401FFC0000(0xB00)
    1403462305118260 - 0000: 0x000002401FFC05C0 -> 0x3F580 unknown page: 2401FFC0000(0xA80)
    MANY MANY thanks to my friend without whom this wouldn't have been possible.

    it can help us understand how the chain of trust works at its very early stages. this is useful for documenting purposes, and possibly to find other hidden secrets. here's how it looks like it's working.

    first stage:
    Code:
    fetches 0x40 bytes (extra header?) and memcpy to LS address 0x3F000
    starts decrypting first block (0x80) (maybe with 0x40 bytes?)
    continues decrypting blocks until 0x1000
    second stage:
    Code:
    fetches 0x40 bytes and memcpy to LS address 0x3E000
    starts decrypting first block from second block-chain (0x80)
    continues decrypting blocks until end of block chain
    next stages:
    Code:
    repeats first stage and second stage until there are no more bytes from bootldr left
    It might be possible that bootldr and metldr headers are seeds.

    [0x0-0x10]
    [0x10-0x20] -> seed for iv
    [0x20->0x40] -> seed for key

    My friend thinks the most plausible possibility is this: psdevwiki.com/ps3/Flash:Individual_System_Data_-_cISD some of this data (CID for example) is used to generate two sets of keys.

    The ldrkey (used to decrypt metldr and lv0ldr) located at cell. this key encrypts metldr header as a seed and generates another key, used for decrypting metldr blocks and it does the same with bootldr.
    the eidkey (copied to LS at the beginning of chain of trust) also located at cell. this is known as the eid_root_key and is used to decrypt the HDD, authenticate for SYSCON, decrypt the eEID, and of course generate Backup and VTRM seeds for the hashes in cVTRM.

    My friend was able to hang Runtime Secure Boot stating:

    The good thing: while hang spu is running in isolation load mode. i'm trying to determine what causes this hang and i have some thoughts about time when decryption and verification happens.. if i'm right then i'm able to modify encrypted btldr after verification but before decryption. also i know that encrypted loader contains only this loader and no other data after it.

    So, i got a little early christmas gift and i checked inside it and saw a really old lv1 from version 0.83. since this thread is about the embedded selfs, i figured i might post what i found inside it. And it turns out, Sony stored every manager inside lv1 instead of only a couple of them with the functions bulked up. here they are:

    Download: embedded_files_083.zip
    Code:
    .pme_init
    .sysmgr_ss.fself
    .tsma
    .pme_init.conf
    .lv2_loader.fself
    .profile_loader.fself
    .spm_server.fself
    .ss_init.fself
    .update_manager_server.fself
    .sc_manager_server.fself
    .updater_frontend.fself
    .dispatcher.fself
    .individual_info_mgr_server.fself
    .app_info_manager_server.fself
    .framework.fself
    .sb_manager_server.fself
    .secure_rtc_server.fself
    .vtrm_server.fself
    Dumping EEPROM from lv2 (graf's payload used)

    Download: dump_eeprom.self

    This is a program that simply dumps some of the eeprom offsets using only the lv2 update manager interface syscall and a few patches applied.

    It currently works only on 4.46 mfw, and it's for debugging purposes, although this doesn't help much because lv1 has higher access than lv2 (sorry for the mess flatz , i hope you can forgive me).

    What can be dumped:

    [0x2F00] <- no signs of minimal downgrade version here
    [0x48C00] <- some things like the spu number, other things, not so much
    [0x3000]<- everything could be dumped, but it's all 0xFF

    What can't be dumped:

    [0x48000]
    [0x48800]

    It was developed by sguerrini and myself. Alex gave us a hand with the code, also. However, i can't release the source of it because it only worked when compiled with the official sdk. i have no idea why this happened.

    The fail char is 0xBE. you'll see it in the fail offsets. The dumps and the log go to /dev_usb000, so just plug a usb device in the rightmost port near the bd drive. Sure. i'll just leave the code here, since they're both illegal lol.
    • pastie.org/private/switlfzehknqgosckb6zka
    • pastie.org/private/szj5r5darigrj9loidfrcq
    Small update. We were only trying to dump 5 offset areas, there are 6 of them. The link is the same, but the self has been updated.. the 6th area still doesn't return anything though.

    It can work with any firmware, as long as the correct offsets are there. Smhabib, maybe you can help me out verifying why this freezes on 3.55 rebug?

    Download: read_eprom.zip

    I tried porting the payload to a working psl1ght app, but i failed at making it run properly. I have no idea of what could be wrong.. it freezes when running the app in a black screen. Didn't work, even with all the patches enabled. i'll port the offsets to 4.46 and check there, since it's a better version to test for me.

    Edit: Smhabib we found out why it wasn't working. Apparently the lv1 hvcalls aren't executed, and we don't know why. Perhaps it's something that only otheros ++ has and rebug doesn't have. We just don't know what... in the meantime, me and sguerrini (via github.com/sguerrini97/psl1ghtv2_ports) have ported a couple more things from glevand to psl1ght v2 (recover_mode_toggle, reboot, get_token_seed):

    Download: psl1ghtv2_ports-master.zip

    Customer ID and Perconsole Crypto by zecoxao

    This is what i know so far, either from chatting with other people or by doing assumptions (a lot of this info is an assumption, quite a big one, but most of the info people have gathered over the years seems to be correct)

    In the Cell BE CPU chip, there are 48 efuses. each of the efuses holds a bit. there are, therefore, 6 bytes of information stored in those efuses. these 6 bytes may or may not contain what Sony calls the Serial Number or Customer ID. the Customer ID is a unique 6 byte ID that defines every single bit of perconsole information stored in the ps3 console.

    It is believed that this Customer ID is tied to metldr/bootldr/eid/perconsole keys/etc. Sony most likely uses a custom algo to forge every bit of information from the Customer ID, together with some statics and variables they have created and which they use, such as the revision key and the perconsole nonce, the statics and variables inside the cISD1, amongst other things.

    There would only exist two ways of obtaining the algo Sony uses. one of them would be by decapping the chip and analyzing it and finding the necessary information. That would cost thousands of dollars, so it wouldn't be a viable way. Another way would be to access sony servers and test until the algo is figured out (change bits in the statics and the variables, to see what would change, and fetch the algo that way).

    Unfortunately, due to the leak of Objective Suites, Sony changed authentication procedures and unfortunately it's not possible to access that info anymore (unless someone else has a newer version of the tool and is able to do those tests).

    This is completely annoying because, since we can't figure out the algo, we can't do anything on unhackables. If we had that information we could sign our own bootldrs and metldrs, and forge our own keys. that doesn't seem to be the case.

    This is just for clarification. Most of what i've said here are assumptions, because we can't know without the algorithm. Please take them as such. And here (psdevwiki.com/ps3/Flash:Individual_System_Data_-_cISD#example_4) is the wiki page that displays the location of the Customer ID.

    Update: Corrected bytes information. Customer ID is actually 6 bytes. i'm an idiot. thanks tiefputin2 for the information :)

    Adding more information, here's an example of a similar ID but on psp:

    Check fuse id. 6 bytes. however. check this: code.google.com/p/kirk-engine/source/browse/trunk/libkirk/kirk_engine.c#366

    And this: code.google.com/p/kirk-engine/source/browse/trunk/libkirk/kirk_engine.c#434

    8 bytes are used. so fuse id is 6 bytes of info padded with zeroes. it also has the name fuse in it which suggests it could be inside efuses. but who knows... both the psp fuse id and ps3 customer id can be read in mmio. depends if you have the right permissions to do so.

    :arrow: Private Key Bruteforcer by zecoxao (via pastie.org/private/u0gxobslhxvez7tjemitvg)

    Download: p2p.7z
    Code:
    #!python2

    import ecdsa, struct, operator

    def wowrange(start, stop, step=1):
        # xrange() replacement that works with arbitrarily large integers
        if step == 0:
            raise ValueError('step must be != 0')
        elif step < 0:
            proceed = operator.gt
        else:
            proceed = operator.lt
        while proceed(start, stop):
            yield start
            start += step


    def s2i(s):
        # big-endian byte string -> integer
        result = 0L
        for c in s:
            result = 256 * result + ord(c)
        return result

    def get_curves(file_path, curve_fmt):
        # each record holds six big-endian fields (p, a, b, n, gx, gy);
        # the file stores every byte inverted, so undo that before unpacking
        curves = []
        rec_size = struct.calcsize(curve_fmt)
        with open(file_path, 'rb') as in_file:
            file_data = in_file.read()
            num_curves = int(len(file_data) / rec_size)
            for i in xrange(num_curves):
                data = file_data[i * rec_size:(i + 1) * rec_size]
                inv_data = ''.join([chr((~ord(x)) & 0xff) for x in data])
                p, a, b, n, gx, gy = struct.unpack(curve_fmt, inv_data)
                curves.append({
                    'p': s2i(p),
                    'a': s2i(a),
                    'b': s2i(b),
                    'n': s2i(n),
                    'gx': s2i(gx),
                    'gy': s2i(gy)
                })
        return curves

    def get_vsh_curves(file_path):
        # vsh tables: 20-byte order field
        return get_curves(file_path, '>20s20s20s20s20s20s')

    def get_ldr_curves(file_path):
        # ldr tables: 21-byte order field
        return get_curves(file_path, '>20s20s20s21s20s20s')

    curves = get_ldr_curves('ldr_curves')

    def get_curve_parameters(index):
        params = curves[index]
        return params['p'], params['a'], params['b'], params['n'], params['gx'], params['gy']

    curve_type = 0x30
    p, a, b, n, gx, gy = get_curve_parameters(curve_type) # parameters
    c = ecdsa.ellipticcurve.CurveFp(p, a, b) # curve equation
    g = ecdsa.ellipticcurve.Point(c, gx, gy, n) # generator point

    # target public point (x, y)
    xpected = 0x503172C9551308A87621ECEE90362D14889BFED2L
    ypected = 0xCF32B0B3E32A4F9FE527A41464B735E1ADBC6762L

    for k in wowrange(0x1L, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL):
        point = g * k
        #print 'Qx: {0:040X}'.format(point.x())
        if point.x() == xpected and point.y() == ypected:
            print 'private key: {0:042X}'.format(k)
            break
    You can modify the range at will. The selected curve type and x,y points are for the latest npdrm private key (4.65). Good luck (maybe you'll have it)

    Credits: Flatz, for helping me out in like 5 minutes.. AlexAltea, for a quick hand as well. Enjoy! :)

    Well, from what i can tell, you just need to port offsets. this applies to two things:
    • symbols.h from the payload folder
    • main.c from the source folder (most specifically the make_patches function)
    This is what i've been doing for the past minutes:

    http://pastie.org/private/6ylhh0r3x4nyenjihn97w
    http://pastie.org/private/ujlevqshhlzf9xcfpq7mia

    Together with Abkarino. The only issue is that metldr fails to load the self. figure that out and you have a working dumper. he just resigned the self?

    https://dl.dropboxusercontent.com/u/35197530/zip/EBOOT.7z

    In case someone wants to test. happy bricking ^w^. load it with iris on the file manager in 4.65

    socat: https://dl.dropboxusercontent.com/u/35197530/zip/socat.7z

    i'm using a custom scetool with mingw. just discard -p ~/data if you use the windows scetool ;)

    Btw, there's something missing. it's the spu self source.

    Here it is: https://mega.co.nz/#!Q18UlC6b!5N5mZvDIMe0ae_zwP5LzMjSSCfDiZgWUxstSan8bxBA

    Thanks. you need 4.65 for this. i'll upload it.

    https://dl.dropboxusercontent.com/u/35197530/zip/EBOOT.7z

    Load it with Iris Manager or any other app that can load selfs

    Hold on, let me check if i did something wrong. in the meantime, use the socat zip to get debug output from the payload, and check if you see anything on screen (you need the same connection in ps3 and pc)

    Let's try again: https://dl.dropboxusercontent.com/u/35197530/zip/EBOOT.BIN , try that one. btw, see if there's some file called eid_root_key on /dev_hdd0/tmp

    In case you still wish to test (and use habib's mfw this time):

    https://dl.dropboxusercontent.com/u/35197530/bin/EBOOT.BIN

    ok, my mistake. it should be on USRDIR of the dumper, NOT tmp.

    I'll give up on the project for now. here are the sources with new build scripts :)

    https://dl.dropboxusercontent.com/u/35197530/zip/erkdumper_new.7z

    Here's another attempt: https://dl.dropboxusercontent.com/u/11973972/UP0001-FLTZ00010_00-ERKDUMPER0000000.pkg

    This time flatz compiled it himself so i assume that one should work. I'm going to need some dumps from 4.46 from lv1 and lv2. don't worry that i won't share.

    I double checked. looks like we have to see with socat.

    https://dl.dropboxusercontent.com/u/35197530/zip/socat.7z

    Run the command in listen.sh to see where it fails. put the log here. pc and ps3 must share the same Internet connection. In case you don't know the command:
    Code:
    socat udp-recv:18194 stdout
    Never mind, logs don't work. ok, i think we should do it like this. FIRST we test 4.50, THEN we test the firmwares closest to 4.50 (4.53/4.46) and after that, and only THEN, we go to 4.65.

    This one is for 4.50. i know it's redundant but we have to start slow first:

    https://dl.dropboxusercontent.com/u/35197530/PKG/450.pkg

    ok, next we try with rebug 4.46. I'm uploading the pkg. good luck:

    https://dl.dropboxusercontent.com/u/35197530/PKG/446.pkg

    Hold on, let me check if i signed it properly.

    Try now: https://dl.dropboxusercontent.com/u/35197530/PKG/446.pkg

    I've updated it again. now it works on 4.46 :D

    Here it is: https://dl.dropboxusercontent.com/u/35197530/pkg/446.pkg
    Source: https://dl.dropboxusercontent.com/u/35197530/pkg/rootkey_446.zip

    I'll now take care of 4.53 :)

    I couldn't do this without the help of haxxen, playerkp420, harryoke and flatz. Props to them for the help and testing.

    4.53, confirmed working: https://dl.dropboxusercontent.com/u/35197530/pkg/453.pkg

    Source: https://dl.dropboxusercontent.com/u/35197530/pkg/rootkey_453.zip

    PKG and source for 4.21:

    https://dl.dropboxusercontent.com/u/35197530/pkg/421.pkg
    https://dl.dropboxusercontent.com/u/35197530/pkg/rootkey_421.zip

    If you guys want to help me with 4.65, just port symbols.h and i'll take care of the rest :)

    :alert: Just a warning. in case you haven't noticed, i left a readme in each of the source links i distributed. That readme explains how to port to the different firmwares. once you follow it it'll work for other firmwares such as 4.65 or even a dex firmware like 4.46 DEX.

    Just ported to 4.65:

    https://dl.dropboxusercontent.com/u/35197530/pkg/465.pkg
    https://dl.dropboxusercontent.com/u/35197530/pkg/rootkey_465.zip

    I'm done porting. you can get through this yourselves :) Also, cobra might interfere. don't use it :)

    Could you pack them all together, with sources, as soon you finished porting?

    Yes, i can sinsizer. i'm done porting.

    https://dl.dropboxusercontent.com/u/35197530/pkg/rootkey_pack.7z

    Finally, from haxxxen: The built pkg for 4.21 does not work, that i can confirm. thus i have made new ones for cex and dex kernel.

    Download: rootkey_421.zip

    To dump to /dev_usb000/ : pastie.org/private/n8hxkaikdpiihljfluenw

    PKG: https://dl.dropboxusercontent.com/u/35197530/pkg/446_usb.pkg

    :arrow: Dump_EEID and Flash_EEID (NOR and NAND) by zecoxao and sguerrini97

    Dump_eeid dumps eeid to a file called eeid.bin (if there's a usb stick in the ps3 it'll copy from the hdd to there, if not it'll stay in the hdd). Flash_eeid flashes a file called eeid.bin (the eEID) to your flash. The code is universal, meaning it works in any mfw with enough permissions.

    Packages:

    https://github.com/sguerrini97/psl1ghtv2_ports/blob/master/BUILD_4.46/dump_eeid.pkg
    https://github.com/sguerrini97/psl1ghtv2_ports/blob/master/BUILD_4.46/flash_eeid.pkg

    Source:

    https://github.com/sguerrini97/psl1ghtv2_ports/tree/master/extras/dump_eeid
    https://github.com/sguerrini97/psl1ghtv2_ports/tree/master/extras/flash_eeid

    :alert: BRICK RISK WARNING WITH FLASH_EEID! BE CAREFUL!

    It says BUILD_4.46 but the packages are universal.. feel free to test on any mfw and see for yourself. NOR and NAND supported.

    CREDITS:

    I forgot to mention that without sguerrini's help i wouldn't have gotten very far. kudos to him :)

    Props to glevand for the original sources. Kudos to the authors of PSL1GHT for making such a great working environment. Props also to 3141card for finding the right offsets and sizes of eeid (3 simple rule :p)
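Added example, not code from the post above or from any of the tools it links: a Python 3 reader for the inverted curve tables that the bruteforcer script parses, generalised to both layouts the post shows (vsh with a 20-byte order field, ldr with a 21-byte one), plus a check that each parsed record actually describes a usable curve (non-singular, generator on the curve, n*G equal to the point at infinity). The table bytes are constructed inline from a toy curve (y^2 = x^3 + 2x + 3 over F_97, generator (3,6) of order 5) and a deliberately corrupted copy; none of the values come from a console. Validating parsed parameters this way catches a wrong format string or a bad dump before anything downstream silently works on garbage.

```python
import struct

# Record layout per curve: p, a, b, n, Gx, Gy as big-endian integers, stored
# byte-wise inverted on disk. Two layouts appear in the post: vsh tables use
# a 20-byte order field, ldr tables a 21-byte one.
CURVE_FORMATS = {
    "vsh": ">20s20s20s20s20s20s",
    "ldr": ">20s20s20s21s20s20s",
}
FIELD_NAMES = ("p", "a", "b", "n", "gx", "gy")


def parse_curve_table(data, kind):
    """Parse an inverted curve table into a list of parameter dicts."""
    fmt = CURVE_FORMATS[kind]
    rec_size = struct.calcsize(fmt)
    if len(data) % rec_size:
        raise ValueError("table size %d is not a multiple of %d" % (len(data), rec_size))
    plain = bytes(~b & 0xFF for b in data)  # undo the byte-wise NOT
    curves = []
    for off in range(0, len(plain), rec_size):
        fields = struct.unpack_from(fmt, plain, off)
        curves.append({name: int.from_bytes(v, "big") for name, v in zip(FIELD_NAMES, fields)})
    return curves


def ec_add(P, Q, a, p):
    """Affine point addition on y^2 = x^3 + ax + b mod p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P == -Q (also covers doubling a point with y == 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def validate_curve(c):
    """Return the list of problems found; an empty list means the record is consistent."""
    p, a, b, n, gx, gy = (c[k] for k in FIELD_NAMES)
    problems = []
    if p < 3:
        return ["p too small"]
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        problems.append("singular curve")
    if (gy * gy - (gx ** 3 + a * gx + b)) % p != 0:
        problems.append("generator not on curve")
    elif n == 0 or ec_mul(n, (gx, gy), a, p) is not None:
        problems.append("n is not the generator order")
    return problems


def build_record(kind, p, a, b, n, gx, gy):
    """Build one inverted on-disk record (used here only to construct sample input)."""
    sizes = (20, 20, 20, 21 if kind == "ldr" else 20, 20, 20)
    raw = struct.pack(CURVE_FORMATS[kind],
                      *(v.to_bytes(s, "big") for v, s in zip((p, a, b, n, gx, gy), sizes)))
    return bytes(~x & 0xFF for x in raw)


# Constructed sample table (not console data): toy curve y^2 = x^3 + 2x + 3 over
# F_97 with generator (3, 6) of order 5, followed by a copy whose Gy is corrupted.
SAMPLE_LDR_TABLE = build_record("ldr", 97, 2, 3, 5, 3, 6) + build_record("ldr", 97, 2, 3, 5, 3, 7)


def check_sample():
    """Parse the constructed table and validate every record."""
    return [validate_curve(c) for c in parse_curve_table(SAMPLE_LDR_TABLE, "ldr")]


if __name__ == "__main__":
    for i, problems in enumerate(check_sample()):
        print("record %d: %s" % (i, "ok" if not problems else ", ".join(problems)))
```

The on-curve and order checks are cheap compared with anything that uses the parameters afterwards, so run them on every record before treating a table as trusted input; the corrupted second record above is flagged as "generator not on curve" while the first passes.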
     
  20. zant

    zant Guest

    Can somebody make a working NAND version, please? I have been waiting to use something like this for a while now since Joris' didn't work.