graf_chokolo's Payload

This payloads have been around for months, and not many people have played with them.. they do amazing stuff

Source Code for a git bootstrap and the payload from coolstuff.rar:

git http://git-hacks.com/graf_payloads/graf_payloads/

zip http://www.mirrorcreator.com/files/N0XNBWWI/grafchokolo-psgroove-8a5898f.zip_links (grafchokolo-psgroove-8a5898f.zip)

other variant: http://dl.dropbox.com/u/9694818/grafchokolo.zip 17-1-2011 9:44

Requirements:

- Working ppc64 toolchain
- libpcap (sudo apt-get install libpcap-dev)
- libnet (sudo apt-get install libnet1-dev)

Instructions:

- cd bootstrap-8a5898f
- make
- cd ../payload-coolstuff/tools
- make
- Set the options you want in the payload's main.c
- cd ..
- make

Graf's Tutorial (Cut IRC Log):

On decrypter payload https://github.com/grafchokolo/psgroove

<iLLNESS> graf, is your payload to be used with psgroove?

<graf_chokolo> yeah, psgroove, it uses 2 stages

<graf_chokolo> boostrap is programmed into psgroove
<graf_chokolo> payload is sent to ps3 via ethernet
<graf_chokolo> payload is what does the real job :-)

<graf_chokolo> i did it that way because you cannot program psgroove with large piece of code
<graf_chokolo> bootstrap.bin have to be converted to C hex and inserted into psgroove descriptor

<graf_chokolo> i can upload my psgroove descriptor, it's no problem
<graf_chokolo> ok, here is my psgroove desc
<graf_chokolo> http://pastie.org/1368027
<graf_chokolo> just convert bootstrap.bin to payload.h with bin2hex tool i provided
<graf_chokolo> the bytes after payload.h doesn't matter, they are just dummies

<graf_chokolo> program your psgroove with this bootstrap
<graf_chokolo> bootstrap has one purpose, it received payload.bin from me via ethernet and runs it :-)

<graf_chokolo> this way i can run huge piece of code :-)
<graf_chokolo> and do not need to reprogram my psgroove everytime, have just to change payload and it does something different

<graf_chokolo> i'm using tcpdump to capture verything that comes back from ps3 and extract it then with pcap2bin

<graf_chokolo> you can also use wireshark if you want to
<graf_chokolo> payload.bin is sent to ps3 with sendfile tool i provided
<graf_chokolo> and a self to decrypt e.g. is also sent with sendfile via ethernet
<graf_chokolo> all data sent to ps3 is acked by ps3, to make sure that file transferred to ps3 is ok

<graf_chokolo> because sometimes a ethernet frame can get lost

<graf_chokolo> to be able to decrypt selfs you have first to edit main.c file and uncomment it, make sure only self decrypter will be called in main except mm and gelic

<graf_chokolo> to decrypt selfs, first run psgroove with programmed bootstrap
<graf_chokolo> wait some time till it runsa
<graf_chokolo> then send payload.bin

<graf_chokolo> data sent to ps3 should be acked,sendfle will give you feedback
<graf_chokolo> if it doesn't see any acks then there is a problem
<graf_chokolo> i think here it would be best to test it with your ps3
<graf_chokolo> when payload.bin is uploaded to ps3 it will be executed immediately
<graf_chokolo> if the payload.bin does self decryption then it waits now for you to send it some SELF file to decrypt :-)

<graf_chokolo> so send  a SELF to ps3 with sendfile
<graf_chokolo> but before that make sure you start tcpdump to capture the data coming back from ps3 :-)

<graf_chokolo> because the data will contain the decrypted SELF segments :-)
<graf_chokolo> every decrypted self segment is sent using different Ethernet protocol field values

<graf_chokolo> i do it for one purpose, to make extracting decrypted segments easier
<graf_chokolo> here an example
<graf_chokolo> if a SELF has 2 encrypted segments, i send 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send with protocol (0xBEEF+1)

<graf_chokolo> so to extract the 1st segment from tcpdump pcap file i just use "pcap2bin -p 0xBEEF  <pcap filename>  <segment filename>"

<graf_chokolo> so to extract the 2nd segment from tcpdump pcap file i just use "pcap2bin -p 0xBEF0  <pcap filename>  <segment filename>"

<graf_chokolo> and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
<graf_chokolo> forgot to say. when self decrypter is done, ps3 should make 2 beeps :-)
<graf_chokolo> you need also the right load addresses for those segments in order to be able to reverse it
<graf_chokolo> self decrypter sends not only decrypted segments to you, it sends more data :-)
<graf_chokolo> one of the packets sent to PC by self decrypter contains load address of segment, take a look at decrypt_self.c and you will understand what i mean

<graf_chokolo> this paxket is sent just before the decrypted data is sent
<graf_chokolo> so now you have everything to do reversing with IDA
<graf_chokolo> just load these segments into IDA at right addresses

Graf's Tutorial (Full IRC Log):

[23:06] <@graf_chokolo> so guys should i start ?
[23:06] <Heden_DLT> Hi all
[23:06] <thomas> ok what is my first step here?
[23:06] <thomas> psgroove modification?
[23:06] <@arunningp> graf_chokolo everyone is here now...please start
[23:06] <@theruler_> ^ this.
[23:06] <@graf_chokolo> ok
[23:07] <@arunningp> everyone else...let himtalk
[23:07] <@graf_chokolo> i use 2 stages to run my code
[23:07] <@graf_chokolo> 1st stage is kinda bootloader for 2nd stage because psgroove allows only small piece of code
[23:08] <@graf_chokolo> so first i program psgroove with my 1st stage 
[23:08] <@graf_chokolo> it's always the same
[23:08] <@iLLNESS> yo
[23:09] <@graf_chokolo> it creates a memory region of 64kb for 2nd stage and receives 2nd stage binary rom PC via Ethernet, stores received binary in this memory and executes it
[23:09] <@graf_chokolo> so far clear ?
[23:09] <Heden_DLT> yep
[23:09] <@iLLNESS> yes..
[23:09] <@frank> prove it ^
[23:09] <@iLLNESS> i got a quick question
[23:09] <Heden_DLT> lol
[23:09] <@graf_chokolo> ok
[23:09] <@iLLNESS> your payload is slightly different from psgroove
[23:09] <@frank> is that kilobits or bytes?
[23:10] <@graf_chokolo> completely different :-)
[23:10] <@iLLNESS> i mean, the layout of it
[23:10] <@iLLNESS> http://pastie.org/1368027
[23:10] <@iLLNESS> payload.h is the bootstrap header?
[23:10] <@graf_chokolo> first i compile bootloader and convert it to C hex and store it in payload.h
[23:11] <@graf_chokolo> then i include it into psgroove desc
[23:11] <Heden_DLT> does your memory region
[23:11] <@iLLNESS> okay. the pastie link i just provided is the port1 config descriptor in full? aka no extra padding?
[23:11] <Heden_DLT> protected against overwriting
[23:12] <@frank> original psgroove?
[23:12] <@graf_chokolo> iLLNESS: it's complete psgroove desc i use, copied from my code, so you can just use it
[23:12] <@graf_chokolo> there are more psgrooves ?
[23:13] <@iLLNESS> what commands are you using for the bin2hex?
[23:13] <@iLLNESS> oh nm
[23:13] <@iLLNESS> i see the makefile
[23:13] <@graf_chokolo> ./bin2hex bootstrap.bin > payload.h
[23:13] <@frank> PL3 is in the new one, and iirc the FACEBOOK doesn't exist in it
[23:14] <@graf_chokolo> i use an old psgroove version
[23:14] <@graf_chokolo> and compile everything with IBM's ppu cross compiler
[23:14] <@frank> i know :), just wanted to make sure + let them know
[23:15] <@graf_chokolo> more questions ?
[23:15] <Heden_DLT> memory region
[23:15] <Heden_DLT> ?
[23:15] <@graf_chokolo> ah, ok, sorry
[23:15] <Heden_DLT> no prob :)
[23:15] <@graf_chokolo> i allocate the memory direct by using HV call so, gameos doesn't even see it :-)
[23:16] <Heden_DLT> ok
[23:16] <@graf_chokolo> it's hidden from gameos
[23:16] <Heden_DLT> This is what i thought
[23:16] <Heden_DLT> no worry about overwritten
[23:16] <@graf_chokolo> yeah
[23:17] <@graf_chokolo> something unclear maybe ? don't hesitate to ask
[23:17] <Heden_DLT> it's ok
[23:18] <@graf_chokolo> when 1st stage runs, it expects you to send the 2nd stage via Ethernet
[23:18] <@graf_chokolo> i use sendfile for this
[23:19] <@graf_chokolo> you will find it payload/tools
[23:19] <@graf_chokolo> in*
[23:19] <@iLLNESS> what are the symptoms of a successful boot with the bootstrap?
[23:20] <@iLLNESS> ps3 is black screened with light on
[23:20] <@iLLNESS> power light that is
[23:20] <@graf_chokolo> ps3 hangs :-) gameos shouldn't boot, but i could put a beep into bootstrap :-) then you will here it when it's ready
[23:21] <@iLLNESS> yeah that would be good
[23:21] <@iLLNESS> :)
[23:22] <@graf_chokolo> ps3 should send ACKs for every received packet, sendfile will give you feedback about this
[23:22] <@iLLNESS> i get 'nothing to be done for 'all' when compiling your sendfile
[23:22] <@graf_chokolo> maybe it's already compiled ?
[23:23] <@iLLNESS> :o a new error :o
[23:23] <@iLLNESS> sendfile.c:20: fatal error: libnet.h: No such file or directory
[23:23] <@iLLNESS> what are the requisites for compiling this?
[23:23] <@iLLNESS> pre-requisites that is
[23:23] <@graf_chokolo> you need libnet library, libpcap also
[23:24] <@graf_chokolo> so, after the last packet of 2nd stage is received, 1st stage is done and jumps to 2nd stage and executes it
[23:25] <Heden_DLT> ok
[23:25] <@iLLNESS> which distro are you using this on?
[23:25] <@graf_chokolo> arch linux x86
[23:25] <@frank> ill, probably port to win32
[23:25] <@iLLNESS> your porting to win32?
[23:25] <@graf_chokolo> i quit :-)
[23:25] <@theruler_> lol
[23:26] <Heden_DLT> lol
[23:26] <@frank> lol, why so soon? :p
[23:26] <Heden_DLT> win32 !
[23:26] <@frank> guys use ubuntu
[23:26] <@arunningp> ill keep a tally for how many times graf quits :P
[23:27] <@frank> i just prefer VS
[23:27] <@graf_chokolo> it doesn't matter which linux are you using :-) arch linux is just my favorite and dwm manager :-)
[23:27] <Heden_DLT> Then 2nd stage :p
[23:28] <@iLLNESS> ack.
[23:28] <@iLLNESS> �core/config.c:111: error: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
[23:28] <@iLLNESS> make [1]: ***  [core/config.o] Error 1
[23:29] <thomas> "bootloader" == "bootstrap" == "stage 1" ?  just want to keep the terms clear
[23:29] <thomas> you need LATEST libpcap
[23:29] <@iLLNESS> im trying to install libnet :o
[23:29] <@graf_chokolo> thomas, correct
[23:29] <thomas> cool.
[23:29] <thomas> this is being logged to make into a nice tutorial ;)
[23:30] <@graf_chokolo> no problem with that, everything is public anyways, just in code
[23:31] <@graf_chokolo> so, in main.c of 2nd stage you will find many function calls, most of them are disabled, mm_init, gelic_init and param_init should never be disabled
[23:31] <Heden_DLT> mm_init returns 0 :)
[23:31] <@graf_chokolo> to make self decrypter payload e.g. activate decrypt_self call
[23:31] <@graf_chokolo> 0 means success
[23:32] <Heden_DLT> yeah this is the only line 
[23:32] <Heden_DLT> if i remember
[23:32] <@graf_chokolo> to make lv2 decrypter activate decrypt_lv2_direct call and so on
[23:32] <@graf_chokolo> after that compile 2nd stage
[23:33] <@graf_chokolo> you will get payload.bin which you have to send to 1st stage with sendfile
[23:33] <@graf_chokolo> questions ?
[23:33] * thomas is using fedora 14 ... fwiw
[23:33] <@graf_chokolo> i quit :-)
[23:33] <@arunningp> thats 3 so far...
[23:33] <Heden_DLT> I did tell you that I had a problem of linker
[23:34] <Heden_DLT> for this one :(
[23:34] <@frank> graf_chokolo, never give up
[23:34] <@arunningp> never surrender
[23:34] <Heden_DLT> toilets ?
[23:34] <@graf_chokolo> Heden_DLT, with IBM's ppu compiler ?
[23:35] <Heden_DLT> coffee ?
[23:35] <Heden_DLT> no choko
[23:35] <Heden_DLT> I don't use this one
[23:35] <Heden_DLT> I should ?
[23:35] <@graf_chokolo> hm, i only tested with IBM's ppu compiler, not sure about others
[23:35] <Heden_DLT> Once lv1 functions compiled
[23:35] <@graf_chokolo> with IBM's compiler i have no problems at all
[23:36] <Heden_DLT> the linker cannot find them
[23:36] <Heden_DLT> but continue
[23:36] <Heden_DLT> I'll will look deeper
[23:37] <@graf_chokolo> ok, we can discuss your problems with compiler another day
[23:37] <Heden_DLT> yep
[23:37] <@graf_chokolo> ok, now you send payload.bin to bootloader, it receives it and executes
[23:37] <@iLLNESS> would libpcap-dev be okay to use?
[23:37] <@graf_chokolo> yeah
[23:38] <@iLLNESS> :)
[23:38] <@graf_chokolo> i assume now that we want to decrypt selfs
[23:38] <@graf_chokolo> should i go deeper into details or just user manual ?
[23:39] <Heden_DLT> lol
[23:39] <Heden_DLT> I just see
[23:39] <@frank> when will women stop bitching
[23:39] <@theruler_> never.
[23:39] <Heden_DLT> that you isolated a SPU
[23:40] <@frank> when all men are dead
[23:40] <@theruler_> :P
[23:40] <@iLLNESS> damnit
[23:40] <@iLLNESS> still get libnet errors
[23:41] <Heden_DLT> put your self in memory
[23:41] <Heden_DLT> and ask the spu to decrypt it using a mailbox
[23:41] <@theruler_> @Rich: You following along or how are you making out?
[23:41] <@graf_chokolo> you are looking at decrypt_self.c or decrypt_self_direct.c ?
[23:42] <Heden_DLT> me ?
[23:42] <@iLLNESS> inflate.c:20: fatal error: zlib.h: No such file or directory 
[23:42] <@graf_chokolo> yeah
[23:42] <@iLLNESS> :o
[23:42] <@graf_chokolo> install zlib
[23:42] <Heden_DLT> choko : decrypt_self.x
[23:42] <Heden_DLT> choko : decrypt_self.c
[23:42] <@graf_chokolo> you need inflate for decrypting update packages
[23:43] <@graf_chokolo> i do not load isolated module (appldr) manually, HV call 99 does it, in decrypt_self_direct.c i do it manually
[23:44] <Heden_DLT> inflate or deflate ?
[23:44] <thomas> sorry graf, one question ... what is the difference between the config_descriptor [] you provided in the pastie, and the stage1 bootstrap?  I ask because the bootstrap I compile is MUCH larger
[23:44] <@graf_chokolo> zlib calls it inflate
[23:44] <Heden_DLT> ok
[23:44] <@frank> like a balloon :)
[23:45] <Heden_DLT> :)
[23:45] <@graf_chokolo> bootstrap.bin ?
[23:45] <thomas> right, now bootstrap.hex via bin2hex
[23:46] <@graf_chokolo> compile bootstrap.bin, convert it to payload.h with ./bin2hex bootstrap.bin > payload.h and place payload.h into psgroove dir
[23:46] <thomas> are they the same?  I compiled from latest git
[23:46] <thomas> ok
[23:47] <@graf_chokolo> then compile psgroove and flash it
[23:47] <@graf_chokolo> but use my config desc and not the one from psgroove
[23:47] <@iLLNESS> i have the bootstrap compiled if you guys want it
[23:47] <@iLLNESS> just give me board info
[23:48] <@iLLNESS> i cant compile the payload tools though :(
[23:48] <thomas> when you say you use an old version of psgroove, do you suspect latest git (with PL3) to be incompatible?
[23:49] <@frank> grab the one that added peek/poke
[23:49] <@iLLNESS> :o
[23:49] <@iLLNESS> i got it :)
[23:49] <@theruler_> sweet
[23:49] <@graf_chokolo> hm, really don't know, because i compiled bootstrap once, flashed psgroove and have not changed it since ages
[23:49] <@iLLNESS> thomas, i used evilsperms psgroove fork for this
[23:49] <@iLLNESS> just remove the #ifdef before port1 config descriptor
[23:49] <Heden_DLT> a stupid question choco
[23:49] <@iLLNESS> as well as the #endif
[23:49] <@frank> ya, peek/poke was my last update, so i haven't changed it, heh
[23:50] <Heden_DLT> all packets received and sent
[23:50] <@graf_chokolo> waiting for question
[23:51] <Heden_DLT> are done with a "simple" ETH link between PC and PS3 ?
[23:51] <@graf_chokolo> i have a router and ps3 and pc are connected to it
[23:52] <@graf_chokolo> ps3 sends packets with broadcast dest mac addr
[23:52] <Heden_DLT> Gelic gives the opportunity then to a direct link ?
[23:53] <@graf_chokolo> gelic is just a low level device driver which sends raw ethernet frames
[23:53] <@graf_chokolo> i do not use IPv4 :-)
[23:53] <Heden_DLT> lol
[23:53] <@frank> no layer 3? :O
[23:53] <@graf_chokolo> so to use sendfile you need root rights
[23:54] <@graf_chokolo> no, i wanted first to use UDP but i thouth then what for ?
[23:54] <@frank> i know, just pulling ur leg :p
[23:54] <@graf_chokolo> :-)
[23:55] <@graf_chokolo> no more questions ?
[23:55] <thomas> I have done this to the descriptor.h file... http://pastie.org/1374542
[23:56] <@graf_chokolo> looks fine i would say
[23:56] <@graf_chokolo> so about self decrypter
[23:56] <@graf_chokolo> it expects you to send a SELF which it will decrypt
[23:57] <Heden_DLT> :)
[23:57] <@graf_chokolo> so grab some SELF and again use sendfile to send it to ps3
[23:57] <@graf_chokolo> you should see ACKS comming from ps3
[23:58] <@graf_chokolo> sendfile will give you feedback about that
[23:58] <@graf_chokolo> it is also ok if some packets get lost, sendfile will retransmit it
[23:58] <Heden_DLT> great!
[23:59] <@graf_chokolo> but before sending a SELF start tcpdump to capture the decrypted segments sent by ps3
[23:59] <@graf_chokolo> or else you could miss them if you are not fast enough :-)
[00:00] <@graf_chokolo> after self decrypter is done it should make 2 beeps :-)
[00:00] <Heden_DLT> double beep ;)
[00:00] <@graf_chokolo> yeah, and now you can terminate tcpdump
[00:01] <@graf_chokolo> it should contains decrypted segments now
[00:01] <@graf_chokolo> which are impatient to be reversed by you :-)
[00:01] <@arunningp> lulz
[00:01] <Heden_DLT> yet the problem
[00:02] <Heden_DLT> to separate payload
[00:02] <Heden_DLT> from "header"
[00:02] <@graf_chokolo> no problem :-)
[00:02] <@graf_chokolo> i send decrypted segmnets with Ethernet protocol field starting with 0xBEEF :-)
[00:03] <@frank> yum
[00:03] <Heden_DLT> 0xBEEF...payload....0xBEEF..payload
[00:03] <Heden_DLT> right ?
[00:03] <@graf_chokolo> so data from 1st decrypted segment has protocol 0xBEEF, data from 2nd decrypted segment has protocol 0xBEEF+1 and so on
[00:03] <@graf_chokolo> yeah, right
[00:03] <Heden_DLT> nice !
[00:04] <Heden_DLT> 0xCAFE is better
[00:04] <Heden_DLT> :p
[00:04] <@graf_chokolo> now use pcap2bin and dump_segs_from_pcap.sh to extract those segments
[00:04] <@graf_chokolo> segments are pure ppc asm :-)
[00:05] <@graf_chokolo> no, in case of executable files the 1st segment contains also ELF header
[00:05] <Heden_DLT> ah..
[00:05] <Heden_DLT> a true ELF ?
[00:05] <@graf_chokolo> and strings of course
[00:05] <@graf_chokolo> no, not true ELF ready to run
[00:06] <Heden_DLT> I saw a tutorial
[00:06] <Heden_DLT> using zlib to reconstruct
[00:06] <@graf_chokolo> just segments of ELF, but you can make an ELF, for reversing you don't need true ELFs
[00:06] <Heden_DLT> sure
[00:06] <@graf_chokolo> zlib ?
[00:07] <Heden_DLT> zpipe
[00:07] <Heden_DLT> sorry
[00:07] <@graf_chokolo> segments are not compressed, appldr already decompressed them
[00:08] <Heden_DLT> look : http://netkas.org/?p=573
[00:08] <@graf_chokolo> yeah, but why compressing them ?
[00:09] <Heden_DLT> well good question
[00:09] <@graf_chokolo> that's not all guys
[00:09] <@graf_chokolo> you have got now segments, but to reverse it you also need load addresses of these segments
[00:10] <@theruler_> @thomas/@iLLNESS: you guys still following along?
[00:10] <@graf_chokolo> ask questions if you have any, i will help
[00:11] <@graf_chokolo> no questions ?
[00:11] <Heden_DLT> i will have
[00:11] <Heden_DLT> concerning LV2..
[00:11] <Heden_DLT> But I let the others
[00:11] <@graf_chokolo> yeah
[00:11] <Heden_DLT> finish with this step
[00:12] <@graf_chokolo> guys, ask me anything, don't hesitate, i won't laugh you out
[00:12] <@arunningp> although he might quit :P
[00:12] <Heden_DLT> :p
[00:13] <Heden_DLT> choko ?
[00:13] <@graf_chokolo> so no questions then ? :-)
[00:13] <@theruler_> not sure if thomas/ill are AFK or what
[00:13] <@theruler_> but if heden is good you can keep going
[00:13] <Heden_DLT> okay
[00:13] <thomas> ok, got it compiled and my minimus flashed ... first boot looks successful! \o/ ps3 is at black screen and minimus blue light is off
[00:13] <@theruler_> great job thomas
[00:13] <@theruler_> :D
[00:14] <@graf_chokolo> try to send something with sendfile, you should see acks
[00:14] * thomas is up-reading ... 
[00:14] <Heden_DLT> the way you described is simply amazing :)
[00:15] <Heden_DLT> Now..let's talk if you want
[00:15] <thomas> ok, as far as tcpdump goes, *what* should I be looking for, udp? port?
[00:15] <@graf_chokolo> you know tcpdump a bit ?
[00:15] <thomas> sure
[00:16] <@graf_chokolo> you could e.g. filter only traffic comming from ps3's mac address
[00:16] <thomas> ok, I should be using a cross-over cable?
[00:16] <thomas> or was I supposed to set an IP address somewhere?
[00:16] <thomas> ie destination
[00:16] <@graf_chokolo> hm, i used router, didn't try cross over
[00:17] <@graf_chokolo> i don't use IP, just Ethernet
[00:17] <thomas> my sniffer(tcpdump) and the ps3 are on the same switch, but its a switch not a hub
[00:17] <Heden_DLT> thomas : try a direct link ?
[00:17] <@graf_chokolo> ps3 use brodcast dst addr so it should be no problem
[00:17] <thomas> kk
[00:18] <thomas> that I think answers my question
[00:18] <@graf_chokolo> i mean filter for eth src addr of ps3
[00:18] <thomas> right
[00:18] <@graf_chokolo> not dst
[00:19] <@graf_chokolo> more questions ?
[00:19] <Heden_DLT> does all worl on old fat PS3 ?
[00:19] <Heden_DLT> thomas : slim or fat ?
[00:19] <thomas> is it by chance sending anything periodicall?
[00:19] <thomas> fat 3.15
[00:19] <thomas> CECHG01
[00:20] <Heden_DLT> ok
[00:20] <@graf_chokolo> i have not tried it yet, but intend to do it, someone reported that it has problems with FATs
[00:20] <@graf_chokolo> i use slim
[00:20] <Heden_DLT> thomas seems to success on a fat
[00:20] <@graf_chokolo> but i will test it in the next days with a fat
[00:21] <thomas> I have a minor chicken/egg problem atm ... it is booted with payload, but arp -a gives me an incomplete address ... let me read up this tcpdump that has been running for 2 days watching the ps3 to see if mac is in there
[00:21] <@graf_chokolo> you need the filter for tcpdump, just capture everything, no problem with that
[00:21] <@graf_chokolo> don't need*
[00:22] <@graf_chokolo> you can use it but it's not required
[00:22] <Heden_DLT> may i continue thomas or you need details from choco ?
[00:22] <thomas> go on ;)
[00:23] <Heden_DLT> sure ?
[00:23] <Heden_DLT> choko ?
[00:23] <@graf_chokolo> yeah
[00:39] <Heden_DLT> a big thank to theruler
[00:39] <Heden_DLT> and choko
[00:39] <@graf_chokolo> yeah
[00:40] <@theruler_> @graf: thanks for all your help
[00:40] <Heden_DLT> bye bye

Features

Feature/Payload list

Communication

• • gelic_xmit_test
  • gelic_recv_test

Dump

• • dump_lv2
  • dump_slb
  • dump_sprg0
  • dump_htab
  • dump_stor
  • dump_flash
  • dump_repo_nodes
  • dump_repo_nodes_spu
  • dump_profile
  • dump_sysrom
  • dump_dev_flash
  • dump_hvcall99_param
  • dump_lpar_ra
  • dump_lv1

Decrypt

• • decrypt_profile
  • decrypt_usb_dongle_master_key
  • decrypt_pkg
  • decrypt_self
  • decrypt_npdrm
  • decrypt_game
  • decrypt_lv2_direct
  • decrypt_lv2_direct_355
  • decrypt_self_direct
  • decrypt_self_direct_355
  • decrypt_profile_direct

QA flag and token

• • update_mgr_qa_flag
  • update_mgr_get_token_seed
  • update_mgr_set_token
  • update_mgr_calc_token
  • update_mgr_verify_token

PKG's

• • update_mgr_inspect_pkg

Hooks

• • self_decrypter_hook
  • vuart_hook
  • stor_hook
  • hvcall209_hook

Dongle/Product Mode (recovery mode)

• • usb_dongle_auth
  • product_mode_off

Exploits

• • hv_mmap_exploit
  • exploit_isoldr_mbox
  • exploit_lv2ldr_mbox
  • exploit_lv2ldr_ls
  • exploit_appldr_mbox

System Controller (SC) manager

• • sc_mgr_read_eprom
  • sc_mgr_get_region_data
  • sc_mgr_get_sc_status
  • sc_mgr_get_srh

aim - aim_spu_module.self

• • aim_get_device_type
  • aim_get_device_id
  • aim_get_ps_code
  • aim_get_open_ps_id

SC - sc_iso.self

• • sc_iso_sc_binary_patch
  • sc_iso_get_sc_status
  • sc_iso_get_property
  • sb_iso_get_rnd
  • sb_iso_encdec_key

MFW/CFW/Patch Testing

• • store_file_on_flash
  • replace_lv2

vflash/flash/hdd

• • patch_vflash_region
  • create_vflash_region
  • store_file_on_vflash
  • create_hdd_region

Patches

• • patch_region_access
  • patch_sll_load_lv2
  • disable_hdd_crypto

MISC

• • vuart_sysmgr
  • vuart_dispmgr
  • query_lpar_address
  • encdec_cmd_0x85
  • edec_kgen1

Dumping Flash

Uncomment dump_dev_flash() compile and run the payload

Setting QA Mode

'''This section is in development anyone feel free to share and edit this section'''

First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c

• To do this you can use Hardware_flashing, Linux with graf_chokolo kernel with acces to /dev/ps3nflasha Links_to_precompiled_stuff or using this payload uncommenting dump_dev_flash()

• More info in Flash

Once you are set

Use the payloads in the following order uncommenting the required function

• Set the QA flag
  • update_mgr_qa_flag()
• Calculate the token
  • update_mgr_calc_token()
• Verify token
  • update_mgr_verify_token()
• Set the calculated and verified token in update_mgr_set_token.c
  • update_mgr_set_token()

You should use wireshark or tcpdump to capture the responses

v e Custom Firmware PS3UPDAT.PUP update_files.tar CoreOS · Bluray Firmware · Bluetooth Firmware · MultiCardReader Firmware · Syscon Firmware · Wifi Firmware · Index.dat · UPL.xml Other Entries default.spp · dots.txt · license.xml · patch_build.txt · patch_data.pkg · promo_flags.txt · ps3swu.self · ps3swu2.self · spkg_hdr.tar · update_flags.txt · version.txt · vsh.tar Modifications Patches · Cex2Dex · Cinavia (DRM) · Graf's PSGroove Payload · PSGroove · PSJailbreak Exploit Payload Reverse Engineering Tools PS3MFW Builder CFW Releases MFW releases · Rebug · Miralatijera