Dev Tools: Difference between revisions
Revision as of 08:02, 25 November 2011
Tools
Git
fail0VERFLOW
- cospkg
- usage: cospkg cos.pkg dir
- cosunpkg
- usage: cosunpkg filename.pkg target
- pkg
- usage: pkg [key suffix] [contents] [filename.pkg]
- unpkg
- usage: unpkg [-s] filename.pkg target
- readself
- usage: readself file.self
- readselfoffsets
- usage: readselfoffsets file.self
- unself
- usage: unself in.self out.elf
- makeself
- usage: makeself [-c] [type] [version suffix] [version] [vendor id] [auth id] [sdk type] [elf] [self]
- makeself keytype keysuffix sdkversion vendorid authid sdktype file.elf file.self
- keytype=lv0|lv1|lv2|iso|app|ldr
- keysuffix=315|331|341|355
- sdkversion=3.15.0|3.41.0|3.55.0
- vendorid=01000002
- authid=1070000039000001
- sdktype=0000:retail0, 0001:retail, 0002:retail1, 8000 devkit
- puppack
- usage: puppack filename.pup directory [build number]
- pupunpack
- usage: pupunpack filename.pup directory
- norunpack
- usage: norunpack dump.b directory
- sceverify
- usage: sceverify filename
- SCEkrit
- usage: scesekrit filename1 filename2
unself_gnpdrm.c source and unself_gnpdrm.exe Win32 build: unself_gnpdrm.rar (60.16 KB)
- unself_gnpdrm
- usage: unself_gnpdrm in.self out.elf
self_rebuilder
- usage: self_rebuilder [input.elf] [output.self] [original.self] [keytype] [keysuffix] [sdkversion] [sdktype] [auth id [idps.bin] [act.dat] [game.rif]
- self_rebuilder keytype keysuffix sdkversion sdktype input.elf output.self original.self
- input.elf=The input ELF/PRX to sign
- output.self=The output SELF/SPRX to generate
- original.self=The original SELF/SPRX for reference
- keytype=lv0|lv1|lv2|iso|app|ldr|npd (please note if type is ldr use versionsuffix retail)
- keysuffix=080|092|240|340|350|355|356|360|365|370
- sdkversion=0.80.0|0.92.0|2.40.0|3.40.0|3.50.0|3.55.0|3.56.0|3.60.0|3.65.0|3.70.0
- sdktype=0000:retail0|0001:retail|0002:retail1|0004|0007|000A|000D|0010|0013|0016|8000:devkit
- authid=1070000039000001 (only use if you want to change a revoked authid)
- idps.bin=The input idps.bin to use (only needed for NPD1/NPD2 de/encryption)
- act.dat=The input act.dat to use (only needed for NPD1/NPD2 de/encryption)
- game.rif=The input game.rif to use (only needed for NPD1/NPD2 de/encryption)
Geohot Signing Tools
- make_self
- usage: make_self input.elf output.self
- make_self_npdrm
- usage: make_self_npdrm input.elf output.self <content_id>
- warning: NPDRM cares about the output file name, do not rename it
- package_finalize
- usage: package_finalize my.pkg
Graf Chokolo Tools
- sendfile
- pcap2bin
sputnik - Cell/SPU Pipeline viewer
http://www.ps3hax.net/2011/08/sputnik-build-3-cellspu-pipeline-viewer/
- Windows (will also need the Qt runtime files)
- MAC OSX
netrpc
git://gist.github.com/1041214.git
https://gist.github.com/1041214
Objdump
If you need, for whatever reason, to disassemble non-x86 binary files, you usually look for a disassembler. If nothing free is available for your platform (e.g. ARM), one of the few options may be buying something like IDA Pro.
But wait: if you only need to analyze a small portion (boot sector, single routine, ...) and someone has already ported GNU's GCC and binutils to your platform, using objdump may do the trick.
If "raw.bin" is your binary file, just typing
    objdump -d raw.bin
    objdump: raw.bin: File format not recognized
will not work: objdump needs an object file in a format it recognizes.
Just do it like this:
    # create an empty file
    touch empty.c
    # compile this empty file
    gcc -c -o empty.o empty.c
    # add the binary as a raw section
    objcopy --add-section raw=raw.bin empty.o
    # remove the ".comment" section
    objcopy -R .comment empty.o
    # now run objdump on it
    objdump -d empty.o
Source: http://askrprojects.net/software/objdump.html
Several handy scripts
Most of the scripts use graf's ps3dm-utils, so make sure you have them in your /bin directory. Also make sure you are running graf's kernel (graf_chokolo kernel 2.6.39).
panic1.sh
This script will panic lv1 and get you back to petitboot, without exiting to GameOS.
    ps3hvc_hvcall /dev/ps3hvc panic 1
usb_dongle_auth.sh
This script will get you into Factory/Service mode without using a dongle:
    echo "Generating a challenge"
    ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_challenge
    echo "Generating a response (0xAAAA)"
    ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xAAAA
    echo "Verifying response (0xAAAA)"
    ps3dm_usb_dongle_auth /dev/ps3dmproxy verify_resp 0xAAAA
    echo "Checking if Product Mode is enabled. The returned value shouldn't be 0xff"
    ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07
dump_EID0.sh
This script will dump your EID0.
    echo "Dumping EID0"
    ps3dm_iim /dev/ps3dmproxy get_data 0x0 > EID0.bin
dump_EID4.sh
This script will dump your EID4.
    echo "Dumping EID4"
    ps3dm_iim /dev/ps3dmproxy get_data 0x4 > EID4.bin
get_EID0_size.sh
This script will get the size of your EID0.
    echo "EID0 size:"
    ps3dm_iim /dev/ps3dmproxy get_data_size 0x0
get_EID4_size.sh
This script will get the size of your EID4.
    echo "EID4 size:"
    ps3dm_iim /dev/ps3dmproxy get_data_size 0x4
get_metldr_size.sh
This script will get the size of metldr.
    echo "metldr size:"
    ps3dm_iim /dev/ps3dmproxy get_data_size 0x1000
nor_dump.sh
This will dump your NOR memory.
    echo "Dumping nor"
    dd if=/dev/ps3nflasha of=nor.bin
dump_ram.sh
This script will dump your ram.
    echo "Dumping ram"
    dd if=/dev/ps3ram of=ps3ram.bin
dump_vram.sh
This script will dump your vram.
    echo "Dumping vram"
    dd if=/dev/ps3vram of=ps3vram.bin
Payloader3
- http://git.dashhacks.com/payloader3/payloader3/trees/master (down)
- 2011-06-22 backup: http://gotbrew.org/payloader3.tar.gz / payloader3.tar.gz (55.55 MB)
- Up including last commit before dashhacks went down : payloader3.tar.bz2 (45.49 MB) (full git backup, also includes : payloader3-src-only.rar (2.08 MB))
Howto
- Set firmware version in Makefile
- Compile with "./build.sh"
- Copy pkg file to usb stick
- Install pkg on PS3
Precompiles
Notes
- Loading ps3load after the payload will execute the appropriate ps3load.self, after your self exits you will be returned to the XMB.
- Loading 'ethdebug' will load ArielX's Kammy self, after it executes you will be returned to the XMB.
- Loading 'ethdebug/ps3load' will load ethdebug, then ps3load.
ps3load 3.55 make_self fixed
- Older versions of ps3load would not work on 3.50/3.55 ("sysProcessExitSpawn2" won't work properly), and you had to use 3.41 instead. This is no longer an issue with the recent version of ps3load, which fixed the (make_self) issue for 3.55.
- standalone precompiled version to try: ps3load.gnpdrm.pkg (522.17 KB) (don't forget to delete your old version first)
The PKG will install to the harddrive (dev_hdd0/game/PS3LOAD04/) with ps3load added as icon to the XMB > Network category.
Using ps3load
- make your app, produce at least an ELF
- sprxlinker yourapp.elf (this should be done for you if you use any of the samples)
- make_self yourapp.elf yourapp.self
- load ps3load on the PS3
- define the PS3LOAD environment variable in your favorite shell as tcp:ip_addr (where ip_addr is the IP address of your PS3)
- ps3load yourapp.self
lv2-v9.pkg
patch1
    # PL3 3.55
    # Patches marked with (*1) seem to be unstable. Thanks to drizztbsd and
    # RandomUse.
    # PL3:
    ef48: payload.bin
    # Segment 0:
    ### 24e44: 38600000 # patch_func6 *1
    55dc4: 38600000 # lv2open: patch_func8_offset1
    55f28: 60000000 # lv2open: patch_func8_offset2
    ### 79d80: 3880000090830000 # patch_func4 + patch_func4_offset *1
    ### 79d88: 4E800020 # cont'd *1
    ### 7af7c: 60000000 # patch_func9_offset *1
    ### c1dd0: 38600000 # patch_func7 *1
    2b3298: 4BD5C050 # hook_open (patch_func3 + patch_func3_offset)
    # Segment 1:
    346688: 800000000000f2dc # syscall_map_open_desc
    # Spoof
    # *f3b8: version.bin
    # 2e8218: 800000000000f378 # syscall_versiontest
    # 2e82f0: 800000000000f3c0 # syscall_process_sdkversion
    # 16ad74: 3960000a44000002 # sha1 test
    # f3e4: find 3437353136000000
    # *fe34: 3436313335000000
patch2
    # Waninkoko V2
    # 3270: e8821030e87c0020 # load unsigned ELFs
    # 3278: f8640000
    # e7f0: 48000c50 # Some jump
    ef48: payload2.bin
    19360: 7c001fac4c00012c
    1936c: 7c0018ac7c0004ac
    24e44: 4bfea5c5 # patch_func6
    55dc4: 38600000 # patch_func8_offset1
    55f28: 60000000 # patch_func8_offset2
    79d80: 38800000908300004e800020 # patch_func4 + patch_func4_offset *1
    7af7c: 60000000 # patch_func9_offset
    c1dd0: 4bf4d639 # patch_func7
    2b3298: 4bd5bf40 # hook_open
    3465b0: 80000000002e81e8 # sc8
    346688: 8000000000324968 # sc35
patch3
    # Syscall36
    # by 2 anonymous people
    55f14: 60000000
    55f1c: 48000098
    7af68: 60000000
    7af7c: 60000000
    2be4a0: payload3.bin
    2b3274: 4800b32c2ba30420 # add a jump to payload2_start
    55EA0: 63FF003D60000000 # fix 8001003D error
    55F64: 3FE080013BE00000 # fix 8001003E error
    346690: 80000000002be570 # syscall_map_open_desc
GameOS dumper tools
precompiled:
- (glevand et al.; includes several dumper tools: flash, lv1, lv2, sysrom)
flash dumper
precompiled:
git source:
lv1 dumper
precompiled:
- dump_lv1.pkg (70.11 KB) (glevand)
- The lv1 dump will take about 30 minutes, size: 16 MB (1 file: lv1.bin)
git source:
alternative:
- lv1dumper [] (flukes1)
- This is an application which runs on the PS3 that you can compile and package using PSL1GHT and geohot's tools. After running it, lv1 will be mapped at 0x8000000014000000 with read/write access, and you will be able to poke lv2 without the system shutting down.
lv2 dumper
precompiled:
- dump_lv2.pkg (70.11 KB) (glevand)
- The lv2 dump takes considerably less time than the lv1 dump, size: 8.5 MB (2 files: lv2.bin.0 and lv2.bin.1)
- lv2dump_07a.pkg (1.48 MB) (other)
- The lv2 dump is saved to the hard drive; you'll have to FTP it out. No source code available.
git source:
sysrom dumper
precompiled:
- dump_sysrom.pkg (69.67 KB) (glevand)
- The sysrom dump takes only a few seconds, size: 256 KB (1 file: sysrom.bin)
git source:
vflash dumper
git source:
vsh dumper
precompiled:
dev_flash and dev_flash3 unpacker
It's a simple dev_flash extractor for 3.56+ PUPs.
Before using it, change the line "TOOLS=/home/wargio/.ps3tools" to the path of your tools, for example: TOOLS=/home/god/ps3dev/ps3tools
LINUX version: http://pastebin.com/kLrPFb7y
OSX version: http://pastebin.com/FDMbgyVk
Usage: unpack_dev_flash.sh <*.pup>
example: unpack_dev_flash.sh PS3UPDAT.PUP
core os extractor
It's a simple core OS extractor for 3.56+ PUPs.
Before using it, change the line "TOOLS=/home/wargio/.ps3tools" to the path of your tools, for example: TOOLS=/home/god/ps3dev/ps3tools
Linux/OSX: http://pastebin.com/1AkEgW3y
Usage: ./extract_coreos.sh <PUP>
example: extract_coreos.sh PS3UPDAT.PUP