Dev Tools
Revision as of 03:25, 13 May 2012
Tools
Git
fail0VERFLOW
- cospkg
- usage: cospkg cos.pkg dir
- cosunpkg
- usage: cosunpkg filename.pkg target
- pkg
- usage: pkg [key suffix] [contents] [filename.pkg]
- unpkg
- usage: unpkg [-s] filename.pkg target
- readself
- usage: readself file.self
- readselfoffsets
- usage: readselfoffsets file.self
- unself
- usage: unself in.self out.elf
- makeself
- usage: makeself [-c] [type] [version suffix] [version] [vendor id] [auth id] [sdk type] [elf] [self]
- makeself keytype keysuffix sdkversion vendorid authid sdktype file.elf file.self
- keytype=lv0|lv1|lv2|iso|app|ldr
- keysuffix=315|331|341|355
- sdkversion=3.15.0|3.41.0|3.55.0
- vendorid=01000002
- authid=1070000039000001
- sdktype=0000:retail0, 0001:retail, 0002:retail1, 8000:devkit
- puppack
- usage: puppack filename.pup directory [build number]
- pupunpack
- usage: pupunpack filename.pup directory
- norunpack
- usage: norunpack dump.b directory
- sceverify
- usage: sceverify filename
- scekrit
- usage: scekrit filename1 filename2
unself_gnpdrm.c source and unself_gnpdrm.exe (Win32 build): unself_gnpdrm.rar (60.16 KB)
- unself_gnpdrm
- usage: unself_gnpdrm in.self out.elf
self_rebuilder
- usage: self_rebuilder [input.elf] [output.self] [original.self] [keytype] [keysuffix] [sdkversion] [sdktype] [auth id] [idps.bin] [act.dat] [game.rif]
- self_rebuilder keytype keysuffix sdkversion sdktype input.elf output.self original.self
- input.elf=The input ELF/PRX to sign
- output.self=The output SELF/SPRX to generate
- original.self=The original SELF/SPRX for reference
- keytype=lv0|lv1|lv2|iso|app|ldr|npd (note: if keytype is ldr, use the retail version suffix)
- keysuffix=080|092|240|340|350|355|356|360|365|370
- sdkversion=0.80.0|0.92.0|2.40.0|3.40.0|3.50.0|3.55.0|3.56.0|3.60.0|3.65.0|3.70.0
- sdktype=0000:retail0|0001:retail|0002:retail1|0004|0007|000A|000D|0010|0013|0016|8000:devkit
- authid=1070000039000001 (only use if you want to change a revoked authid)
- idps.bin=The input idps.bin to use (only needed for NPD1/NPD2 de/encryption)
- act.dat=The input act.dat to use (only needed for NPD1/NPD2 de/encryption)
- game.rif=The input game.rif to use (only needed for NPD1/NPD2 de/encryption)
Geohot Signing Tools
- make_self
- usage: make_self input.elf output.self
- make_self_npdrm
- usage: make_self_npdrm input.elf output.self <content_id>
- Warning: the NPDRM SELF is bound to its output file name; do not rename it afterwards.
- package_finalize
- usage: package_finalize my.pkg
Graf Chokolo Tools
- sendfile
- pcap2bin
sputnik - Cell/SPU Pipeline viewer
http://www.ps3hax.net/2011/08/sputnik-build-3-cellspu-pipeline-viewer/
- Windows (also needs the Qt runtime files)
- MAC OSX
netrpc
git://gist.github.com/1041214.git
https://gist.github.com/1041214
Objdump
If you, for whatever reason, need to disassemble non-x86 binary files, you usually look for a disassembler. If nothing free is available for your platform (e.g. ARM), one of the few options may be buying something like IDA Pro.
But wait: if you only need to analyze a small portion (boot sector, single routine, ...) and someone has already ported GNU GCC and binutils to your platform, objdump may do the trick.
If "raw.bin" is your binary file, just typing
objdump -d raw.bin
objdump: raw.bin: File format not recognized
will not work: objdump only accepts object files in a format it recognizes (ELF and the like), not a raw flat binary. (objdump can also take a flat binary directly with objdump -D -b binary -m <arch> raw.bin, provided your binutils build knows the target architecture; the wrapper below avoids having to name it.)
Just do it like this:
# create an empty file
touch empty.c
# compile this empty file into an object
gcc -c -o empty.o empty.c
# add the binary as a raw section named "raw"
objcopy --add-section raw=raw.bin empty.o
# drop the .comment section gcc added
objcopy -R .comment empty.o
# now run objdump on it
objdump -d empty.o
If -d prints nothing for the raw section (it only disassembles sections flagged as executable), run objdump -D empty.o instead, which disassembles all sections.
Source: http://askrprojects.net/software/objdump.html
Several handy scripts
Most of these scripts use graf's ps3dm-utils, so make sure they are installed in your /bin directory. Also make sure you are running graf's kernel (graf_chokolo kernel 2.6.39).
panic1.sh
This script will panic lv1 and get you back to petitboot, without exiting to GameOS.
ps3hvc_hvcall /dev/ps3hvc panic 1
usb_dongle_auth.sh
This script will get you into Factory/Service mode without using a dongle:
echo Generating a challenge
ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_challenge
echo Generating a response '(0xAAAA)'
ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xAAAA
echo Verifying response '(0xAAAA)'
ps3dm_usb_dongle_auth /dev/ps3dmproxy verify_resp 0xAAAA
echo Checking if Product Mode is enabled '(the returned value should not be 0xff)'
ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07
dump_EID0.sh
This script will dump your EID0.
echo Dumping EID0
ps3dm_iim /dev/ps3dmproxy get_data 0x0 > EID0.bin
dump_EID4.sh
This script will dump your EID4.
echo Dumping EID4
ps3dm_iim /dev/ps3dmproxy get_data 0x4 > EID4.bin
get_EID0_size.sh
This script will get the size of your EID0.
echo EID0 size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x0
get_EID4_size.sh
This script will get the size of your EID4.
echo EID4 size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x4
get_metldr_size.sh
This script will get the size of metldr.
echo metldr size:
ps3dm_iim /dev/ps3dmproxy get_data_size 0x1000
nor_dump.sh
This script will dump your NOR flash.
echo Dumping nor
dd if=/dev/ps3nflasha of=nor.bin
dump_ram.sh
This script will dump your RAM.
echo Dumping ram
dd if=/dev/ps3ram of=ps3ram.bin
dump_vram.sh
This script will dump your VRAM.
echo Dumping vram
dd if=/dev/ps3vram of=ps3vram.bin
Payloader3
source code repository:
Howto
- Set firmware version in Makefile
- Compile with "./build.sh"
- Copy pkg file to usb stick
- Install pkg on PS3
Precompiles
Notes
- Loading ps3load after the payload will execute the appropriate ps3load.self, after your self exits you will be returned to the XMB.
- Loading 'ethdebug' will load ArielX's Kammy self, after it executes you will be returned to the XMB.
- Loading 'ethdebug/ps3load' will load ethdebug, then ps3load.
ps3load 3.55 make_self fixed
- Older versions of ps3load did not work on 3.50/3.55 (sysProcessExitSpawn2 did not work properly), so the 3.41 version had to be used instead. This is no longer an issue: the recent ps3load build fixes the make_self issue for 3.55.
- standalone precompiled version to try: ps3load.gnpdrm.pkg (522.17 KB) (don't forget to delete your old version first)
The PKG will install to the harddrive (dev_hdd0/game/PS3LOAD04/) with ps3load added as icon to the XMB > Network category.
Using ps3load
- make your app, produce at least an ELF
- sprxlinker yourapp.elf (this should be done for you if you use any of the samples)
- make_self yourapp.elf yourapp.self
- load ps3load on the PS3
- define the PS3LOAD environment variable in your favorite shell as tcp:ip_addr (where ip_addr is the IP address of your PS3)
- ps3load yourapp.self
lv2-v9.pkg
patch1
# PL3 3.55
# Patches marked with (*1) seem to be unstable. Thanks to drizztbsd and
# RandomUse.
# PL3:
ef48: payload.bin
# Segment 0:
### 24e44: 38600000 # patch_func6 *1
55dc4: 38600000 # lv2open: patch_func8_offset1
55f28: 60000000 # lv2open: patch_func8_offset2
### 79d80: 3880000090830000 # patch_func4 + patch_func4_offset *1
### 79d88: 4E800020 # cont'd *1
### 7af7c: 60000000 # patch_func9_offset *1
### c1dd0: 38600000 # patch_func7 *1
2b3298: 4BD5C050 # hook_open (patch_func3 + patch_func3_offset)
# Segment 1:
346688: 800000000000f2dc # syscall_map_open_desc
# Spoof
# *f3b8: version.bin
# 2e8218: 800000000000f378 # syscall_versiontest
# 2e82f0: 800000000000f3c0 # syscall_process_sdkversion
# 16ad74: 3960000a44000002 # sha1 test
# f3e4: find 3437353136000000
# *fe34: 3436313335000000
patch2
# Waninkoko V2
# 3270: e8821030e87c0020 # load unsigned ELFs
# 3278: f8640000
# e7f0: 48000c50 # Some jump
ef48: payload2.bin
19360: 7c001fac4c00012c
1936c: 7c0018ac7c0004ac
24e44: 4bfea5c5 # patch_func6
55dc4: 38600000 # patch_func8_offset1
55f28: 60000000 # patch_func8_offset2
79d80: 38800000908300004e800020 # patch_func4 + patch_func4_offset *1
7af7c: 60000000 # patch_func9_offset
c1dd0: 4bf4d639 # patch_func7
2b3298: 4bd5bf40 # hook_open
3465b0: 80000000002e81e8 # sc8
346688: 8000000000324968 # sc35
patch3
# Syscall36
# by 2 anonymous people
55f14: 60000000
55f1c: 48000098
7af68: 60000000
7af7c: 60000000
2be4a0: payload3.bin
2b3274: 4800b32c2ba30420 # add a jump to payload2_start
55EA0: 63FF003D60000000 # fix 8001003D error
55F64: 3FE080013BE00000 # fix 8001003E error
346690: 80000000002be570 # syscall_map_open_desc
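The three patch lists above share one layout: a hexadecimal lv2 file offset, a colon, then either the hex bytes to write or the name of a payload file whose contents go at that offset, with "#" starting a comment and "###" marking a disabled entry. The Python below is an added example, not code from the page or from the PL3/Waninkoko/Syscall36 authors, and its reading of the format (in particular that a non-hex value names a file to embed) is an assumption drawn from the listings. It parses such a list, applies it to an image while refusing out-of-range and overlapping writes, and decodes the PowerPC I-form branches (b/bl) that several entries consist of, so you can check that a hook really lands inside the region where the payload is written. The sample entries are copied from patch1; the lv2 image and payload bytes are constructed stand-ins.

```python
"""Added example: parse and apply an lv2 patch list (assumed format):
    <hex offset>: <hex bytes>    write the bytes at that file offset
    <hex offset>: <filename>     embed that file's contents at the offset
    # ...                        comment; '###' entries are disabled patches
Trailing '# comment' text after an entry is ignored."""
import re
from typing import Dict, List, Tuple, Union

Payload = Union[bytes, str]          # raw bytes, or the name of a file to embed
Entry = Tuple[int, Payload]
Write = Tuple[int, bytes, bytes]     # (offset, old bytes, new bytes)

_ENTRY = re.compile(r"^([0-9A-Fa-f]+)\s*:\s*(\S+)$")
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_patch_list(text: str) -> List[Entry]:
    """Return (offset, payload) pairs in file order; raise on unparsable lines."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drops comments and '###' entries
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        offset, value = int(m.group(1), 16), m.group(2)
        # Even-length hex is data; anything else names a file to embed
        # (assumption: payload file names never look like pure hex).
        entries.append((offset, bytes.fromhex(value) if _HEX.match(value) else value))
    return entries


def apply_patches(image: bytearray, entries: List[Entry],
                  files: Dict[str, bytes]) -> List[Write]:
    """Apply entries in place and return an audit log of every write.

    Refuses writes past the end of the image and overlapping writes within one
    list, since a later entry would silently clobber an earlier one (compare the
    split 79d80/79d88 entries in patch1 with the single 12-byte entry in patch2).
    """
    covered: List[Tuple[int, int]] = []
    log: List[Write] = []
    for offset, payload in entries:
        data = files[payload] if isinstance(payload, str) else payload
        end = offset + len(data)
        if end > len(image):
            raise ValueError(f"patch at {offset:#x} ({len(data)} bytes) exceeds image")
        for start, stop in covered:
            if offset < stop and start < end:
                raise ValueError(f"patch at {offset:#x} overlaps patch at {start:#x}")
        covered.append((offset, end))
        log.append((offset, bytes(image[offset:end]), data))
        image[offset:end] = data
    return log


def branch_target(offset: int, insn: int) -> int:
    """Resolve a PowerPC I-form branch (b/bl, primary opcode 18) located at `offset`.

    hook_open, patch_func6 and patch_func7 above are such 4-byte branches into
    the payload; decoding them shows where each hook really lands.
    """
    if insn >> 26 != 18:
        raise ValueError(f"{insn:#010x} is not an I-form branch")
    li = insn & 0x03FFFFFC                  # 24-bit word displacement, already << 2
    if li & 0x02000000:                     # sign-extend
        li -= 0x04000000
    return li if insn & 0x2 else offset + li   # AA bit: absolute vs. relative


# Constructed sample: entries copied from the patch1 listing above, applied to
# an all-zero stand-in for lv2 (a real lv2 image is about 8.5 MB) with a
# stand-in payload made of PowerPC nops (60000000).
SAMPLE_PATCH1 = """\
# PL3 3.55
ef48: payload.bin
### 24e44: 38600000       # patch_func6 *1 (disabled)
55dc4: 38600000           # lv2open: patch_func8_offset1
55f28: 60000000           # lv2open: patch_func8_offset2
2b3298: 4BD5C050          # hook_open (patch_func3 + patch_func3_offset)
346688: 800000000000f2dc  # syscall_map_open_desc
"""
SAMPLE_FILES = {"payload.bin": bytes.fromhex("60000000") * 0x100}


def demo() -> dict:
    entries = parse_patch_list(SAMPLE_PATCH1)
    image = bytearray(0x350000)
    log = apply_patches(image, entries, SAMPLE_FILES)
    hook = int.from_bytes(image[0x2B3298:0x2B329C], "big")
    target = branch_target(0x2B3298, hook)
    payload_end = 0xEF48 + len(SAMPLE_FILES["payload.bin"])
    return {"writes": len(log), "hook_open_target": target,
            "hook_in_payload": 0xEF48 <= target < payload_end}


if __name__ == "__main__":
    print(demo())
```

Run over the listings above, branch_target resolves patch1's hook_open (4BD5C050 at 0x2b3298) to 0xf2e8 and patch2's patch_func6 and patch_func7 (4bfea5c5 at 0x24e44, 4bf4d639 at 0xc1dd0) both to 0xf408, i.e. into the payloads written at 0xef48; patch3's jump at 0x2b3274 resolves to 0x2be5a0, inside payload3.bin at 0x2be4a0.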
xorhack v2.0
Installing
If you have a previous version of XorHack installed you should remove it first. Do this by navigating to the install dir and typing "make clean", then "make uninstall", and then deleting all remaining source files. To install XorHack, copy all the files and folders that came with this readme onto your PS3 harddrive and then navigate to the location you copied them to.
Type "make" to build all parts of XorHack. Type "make install" to install all parts of XorHack. Type "make uninstall" to uninstall all parts of XorHack.
Running
- Once installed you can start the exploit loop from the command line by typing "ps3exploit 100" to perform the exploit loop 100 times.
- Once the exploit is successful the hypervisor can be dumped by typing "dumphv". It will dump it to a file in the current dir.
- Once the exploit is successful the bootloader can be dumped by typing "dumpbl". It will dump it to a file in the current dir.
GameOS dumper tools
Memdump
PS3 memory dumping tool that can dump lv1, lv2, NAND/NOR Flash, and eEID from GameOS.
Download: http://gitorious.ps3dev.net/memdump/memdump/trees/master
Applicable firmwares (lv1/lv2/Flash/eEID columns refer to memdump 0.01 FINAL)
FW | lv1 | lv2 | Flash | eEID | Logs | Notes
---|---|---|---|---|---|---
<=2.60 CEX/Retail | N/A | N/A | N/A | N/A | | Not available as target version atm
<=2.60 DEX/Debug | N/A | N/A | N/A | N/A | |
2.70 CEX/Retail | Yes | Yes | Yes | Yes | |
2.70 DEX/Debug | Yes | Yes | Yes | Yes | |
2.76 CEX/Retail | Yes | Yes | Yes | Yes | |
2.76 DEX/Debug | Yes | Yes | Yes | Yes | |
2.80 CEX/Retail | Yes | Yes | Yes | Yes | |
2.80 DEX/Debug | Yes | Yes | Yes | Yes | |
3.00 CEX/Retail | Yes | Yes | Yes | Yes | |
3.00 DEX/Debug | Yes | Yes | Yes | Yes | |
3.01 CEX/Retail | Yes | Yes | Yes | Yes | |
3.01 DEX/Debug | Yes | Yes | Yes | Yes | |
3.10 CEX/Retail | Yes | Yes | Yes | Yes | |
3.10 DEX/Debug | Yes | Yes | Yes | Yes | |
3.15 CEX/Retail | Yes | Yes | Yes | Yes | |
3.15 DEX/Debug | Yes | Yes | Yes | Yes | |
3.20 DEX/Debug | Yes | Yes | Yes | Yes | |
3.21 CEX/Retail | Yes | Yes | Yes | Yes | |
3.21 DEX/Debug | Yes | Yes | Yes | Yes | |
3.30 CEX/Retail | Yes | Yes | Yes | Yes | |
3.30 DEX/Debug | Yes | Yes | Yes | Yes | |
3.40 CEX/Retail | Yes | Yes | Yes | Yes | |
3.41 CEX/Retail | Yes | Yes | Yes | Yes | |
3.41 DEX/Debug | Yes | Yes | Yes | Yes | |
3.42 CEX/Retail | Yes | Yes | Yes | Yes | |
3.50 CEX/Retail | Yes | Yes | Yes | Yes | |
3.50 DEX/Debug | Yes | Yes | Yes | Yes | |
3.55 CEX/Retail | Yes | Yes | Yes | Yes | |
3.55 DEX/Debug | Yes | Yes | Yes | Yes | |
3.56 CEX/Retail | Pending | Pending | Pending | Pending | |
3.56 DEX/Debug | Pending | Pending | Pending | Pending | |
=>3.60 CEX/Retail | N/A | N/A | N/A | N/A | | Not available as target version atm
=>3.60 DEX/Debug | N/A | N/A | N/A | N/A | |
Legend
- N/A: Not available as target version (mostly because of missing lv1:mmap114 or lv2:peek/poke patches)
- Yes: Fully supported
- No: Not supported
- Partial: Some functions work, others might not be complete
- Pending: No reports yet (help out by sending in your logs and dumps in a ZIP/RAR/7z!)
Known bugs
- buttons do not come back up after pressing -> to be fixed in v0.02 (button handler thread)
- exit app gives rightscreen black triangle -> to be fixed in v0.02 (cleanup RSX buffer)
- when free space is 0 bytes when dumping, application will halt -> to be fixed in v0.02 (check freespace first)
Current limitations
- Needs mmap114+peek/poke as minimal patches
- Can be buggy with strange spoofs
- No reports yet on Kiosk/SEX & Tool/DECR models
flash dumper
precompiled:
- NOR flash dump will take about 30 minutes, size: 16 MB (1 file: flash.bin)
- NAND flash dumps will take more than 2½ hours, size: 239 MB (1 file: flash.bin), with bootldr missing.
git source:
lv1 dumper
precompiled:
- dump_lv1.pkg (70.11 KB) (glevand)
- lv1 dump will take about 30 minutes, size: 16 MB (1 file: lv1.bin)
git source:
alternative:
- lv1dumper FLU1_T_2011.zip (9.72 KB) (flukes1)
- This is an application which runs on the PS3 that you can compile and package using PSL1GHT and geohot's tools. After running it, lv1 will be mapped at 0x8000000014000000 with read/write access, and you will be able to poke lv2 without the system shutting down.
lv2 dumper
precompiled:
- dump_lv2.pkg (70.11 KB) (glevand)
- lv2 dump takes considerably less time than the lv1 dump, size: 8.5 MB (2 files: lv2.bin.0 & lv2.bin.1)
- lv2dump_07a.pkg (1.48 MB) (other)
- lv2 dump saves to the harddrive, you'll have to FTP it out. No source code available.
git source:
sysrom dumper
precompiled:
dump_sysrom.pkg (69.67 KB) (glevand)
- sysrom dump takes only a few seconds, size: 256 KB (1 file: sysrom.bin)
git source:
vflash dumper
git source:
vsh dumper
precompiled:
dev_flash and dev_flash3 unpacker
A simple dev_flash extractor for 3.56+ PUPs.
Before using it: Change this line "TOOLS=/home/wargio/.ps3tools" with the path of your tools, example: TOOLS=/home/god/ps3dev/ps3tools
LINUX version: http://pastebin.com/kLrPFb7y
OSX version: http://pastebin.com/FDMbgyVk
Usage: unpack_dev_flash.sh <*.pup>
example: unpack_dev_flash.sh PS3UPDAT.PUP
core os extractor
A simple Core OS extractor for 3.56+ PUPs.
Before using it: Change this line "TOOLS=/home/wargio/.ps3tools" with the path of your tools, example: TOOLS=/home/god/ps3dev/ps3tools
Linux/OSX: http://pastebin.com/1AkEgW3y
Usage: ./extract_coreos.sh <PUP>
example: extract_coreos.sh PS3UPDAT.PUP
Syscon FW Reader
This simple program will read and show information about a Syscon Firmware package.
To compile it, just run make.
SRC
SFO Reader
It shows useful information about a PARAM.SFO; it was initially built for Vita PKGs.
To build it, just run make.
SRC
Example of output:
[SFO HDR] 0x46535000
[SFO Version] 0x00000101
[SFO N] 13 Value(s)
[SFO Values] 0x000000e4
[SFO Params] 0x0000016c
[ SFO ]
[ 1 ] APP_VER | Param: 01.00
[ 2 ] ATTRIBUTE | Param: 0x0
[ 3 ] BOOTABLE | Param: 0x1
[ 4 ] CATEGORY | Param: AV
[ 5 ] LICENSE | Param: Library programs ©Sony Computer Entertainment Inc. Licensed for play on the PLAYSTATION®3 Computer Entertainment System or authorized PLAYSTATION®3 format systems. For full terms and conditions see the user's manual. This product is authorized and produced under license from Sony Computer Entertainment Inc. Use is subject to the copyright laws and the terms and conditions of the user's license.
[ 6 ] PARENTAL_LEVEL | Param: 0x1
[ 7 ] PS3_SYSTEM_VER | Param: 03.4200
[ 8 ] REGION_DENY | Param: 0xfffffffd
[ 9 ] RESOLUTION | Param: 0x1d
[ 10 ] SOUND_FORMAT | Param: 0x307
[ 11 ] TITLE | Param: Netflix Instant Streaming
[ 12 ] TITLE_ID | Param: NPUP00030
[ 13 ] VERSION | Param: 01.03
SFO2SFX
It's a really simple SFO to SFX converter.
For now it's not able to convert from SFX to SFO (when I have more time, I will write a SFX2SFO. deroad)
Download ps3tool_with_sfo2sfx (this is my full SRC; all the tools are already compiled)
Mirror
From
[SFO HDR] 0x00505346
[SFO Version] 0x00000101
[SFO N] 6 Value(s)
[SFO Params Offsets] 0x000000b4
[ SFO ]
[ 1 ] CATEGORY | Param: 2D
[ 2 ] PARENTAL_LEVEL | Param: 0x1
[ 3 ] PS3_SYSTEM_VER | Param: 01.3100
[ 4 ] TITLE | Param: PS2 System Data
[ 5 ] TITLE_ID | Param: NPIA00001
[ 6 ] VERSION | Param: 01.00
to
<?xml version="1" encoding="utf-8" standalone="yes"?>
<paramsfo add_hidden="false">
<param key="CATEGORY" fmt="utf8" max_len="4">2D</param>
<param key="PARENTAL_LEVEL" fmt="int32" max_len="4">1</param>
<param key="PS3_SYSTEM_VER" fmt="utf8" max_len="8">01.3100</param>
<param key="TITLE" fmt="utf8" max_len="128">PS2 System Data</param>
<param key="TITLE_ID" fmt="utf8" max_len="16">NPIA00001</param>
<param key="VERSION" fmt="utf8" max_len="8">01.00</param>
</paramsfo>
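Both the SFO Reader and SFO2SFX sections above work on PARAM.SFO, so one added example covers them. The Python below is not code from either tool or from deroad; it is a stand-alone writer and reader for the PARAM.SFO layout (20-byte little-endian header, a 16-byte index entry per parameter, a NUL-terminated key table padded to 4 bytes, then the data table), plus a renderer producing the SFX layout shown above (it emits version="1.0" rather than the version="1" in the listing). Two details the listings hint at are made explicit: the two header values printed above, 0x46535000 and 0x00505346, are the same four magic bytes "\0PSF" read little- and big-endian, and for the six-parameter "PS2 System Data" file the key table must start at 0x74 and the data table at 0xb4, which is exactly what the [SFO Params Offsets] line reports. The sample parameters are constructed from that listing; the data_fmt codes (0x0204 utf8, 0x0404 int32) are the standard ones and the bounds checks are the ones a practitioner would want before trusting an SFO from an untrusted PKG.

```python
"""Added example: build, parse and convert PARAM.SFO (all fields little-endian).
  header     : magic "\\0PSF", version, key_table_start, data_table_start, count
  index      : count x {key_off:u16, data_fmt:u16, data_len:u32, max_len:u32, data_off:u32}
  key table  : NUL-terminated ASCII keys, padded to a 4-byte boundary
  data table : each value padded to its max_len"""
import struct
from typing import Dict, List, Tuple, Union
from xml.sax.saxutils import escape

SFO_MAGIC = b"\x00PSF"    # 0x46535000 read little-endian, 0x00505346 big-endian
SFO_VERSION = 0x0101
FMT_UTF8_RAW = 0x0004     # UTF-8 without NUL terminator
FMT_UTF8 = 0x0204         # NUL-terminated UTF-8
FMT_INT32 = 0x0404        # little-endian int32
Value = Union[str, int]


def build_sfo(params: Dict[str, Tuple[Value, int]]) -> bytes:
    """params maps key -> (value, max_len). Keys are emitted sorted, as in Sony's files."""
    index, keys, data = bytearray(), bytearray(), bytearray()
    for key in sorted(params):
        value, max_len = params[key]
        if isinstance(value, int):
            fmt, blob, max_len = FMT_INT32, struct.pack("<i", value), 4
        else:
            fmt, blob = FMT_UTF8, value.encode("utf-8") + b"\0"
            if len(blob) > max_len:
                raise ValueError(f"{key}: {len(blob)} bytes exceeds max_len {max_len}")
        index += struct.pack("<HHIII", len(keys), fmt, len(blob), max_len, len(data))
        keys += key.encode("ascii") + b"\0"
        data += blob.ljust(max_len, b"\0")
    keys += b"\0" * (-len(keys) % 4)                 # pad key table to 4 bytes
    key_start = 20 + len(index)
    header = SFO_MAGIC + struct.pack("<IIII", SFO_VERSION, key_start,
                                     key_start + len(keys), len(params))
    return bytes(header + index + keys + data)


def header_fields(blob: bytes) -> dict:
    """Decode the 20-byte header; the magic is given both ways the readers above print it."""
    version, key_start, data_start, count = struct.unpack_from("<IIII", blob, 4)
    return {"magic_le": int.from_bytes(blob[:4], "little"),
            "magic_be": int.from_bytes(blob[:4], "big"), "version": version,
            "key_table_start": key_start, "data_table_start": data_start, "count": count}


def parse_sfo(blob: bytes) -> List[dict]:
    """Return [{key, fmt, value, max_len}] in index order, bounds-checking every entry."""
    if len(blob) < 20 or blob[:4] != SFO_MAGIC:
        raise ValueError("not a PARAM.SFO (too short or bad magic)")
    h = header_fields(blob)
    if 20 + 16 * h["count"] > h["key_table_start"] or h["data_table_start"] > len(blob):
        raise ValueError("index or key table does not fit the header offsets")
    entries = []
    for i in range(h["count"]):
        key_off, fmt, dlen, max_len, data_off = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        kpos = h["key_table_start"] + key_off
        key = blob[kpos:blob.index(b"\0", kpos)].decode("ascii")
        start = h["data_table_start"] + data_off
        if dlen > max_len or start + max_len > len(blob):
            raise ValueError(f"{key}: data runs past the end of the file")
        raw = blob[start:start + dlen]
        if fmt == FMT_INT32:
            if dlen != 4:
                raise ValueError(f"{key}: int32 entry with data_len {dlen}")
            value: Value = struct.unpack("<i", raw)[0]
        elif fmt in (FMT_UTF8, FMT_UTF8_RAW):
            value = raw.rstrip(b"\0").decode("utf-8")
        else:
            raise ValueError(f"{key}: unknown data_fmt {fmt:#06x}")
        entries.append({"key": key, "fmt": fmt, "value": value, "max_len": max_len})
    return entries


def to_sfx(entries: List[dict]) -> str:
    """Render entries in the SFX layout shown above (fmt is utf8 or int32)."""
    lines = ['<?xml version="1.0" encoding="utf-8" standalone="yes"?>',
             '<paramsfo add_hidden="false">']
    for e in entries:
        fmt = "int32" if e["fmt"] == FMT_INT32 else "utf8"
        lines.append(f'  <param key="{e["key"]}" fmt="{fmt}" max_len="{e["max_len"]}">'
                     f'{escape(str(e["value"]))}</param>')
    lines.append("</paramsfo>")
    return "\n".join(lines)


# Constructed sample with the six parameters of the "PS2 System Data" SFO above.
SAMPLE_PARAMS = {
    "CATEGORY": ("2D", 4), "PARENTAL_LEVEL": (1, 4), "PS3_SYSTEM_VER": ("01.3100", 8),
    "TITLE": ("PS2 System Data", 128), "TITLE_ID": ("NPIA00001", 16), "VERSION": ("01.00", 8),
}

if __name__ == "__main__":
    sfo = build_sfo(SAMPLE_PARAMS)
    print(header_fields(sfo))
    print(to_sfx(parse_sfo(sfo)))
```

For the 13-parameter Netflix file listed under SFO Reader the same arithmetic gives a key table at 20 + 13 * 16 = 0xe4, matching its [SFO Values] line, so header_fields is a quick sanity check on any PARAM.SFO pulled out of a PKG before the index is trusted.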
HIP2HIS
This app simply converts a PARAM.HIP file to PARAM.HIS: http://www.mediafire.com/?rv6jajz3nfy53iw
ReactPSN .rap -> .rif converter
This tool converts .rap files to .rif. Place it in the ps3tools directory along with the other tools, and place your idps and act.dat files in the appropriate folders.
http://www.mediafire.com/?sgxq5r7twy9907d
- usage: rap2rif <rap file> <rif file>