Hi Internets. Long time, no speak.
Over the weekend I dusted off my trusty Xbox360 and figured I should give it a little bit of use before its next gen replacement arrives. While I was setting it up and preparing it for use I thought it was about time I shared the current versions of my Xbox360 tools as well as a new one that is not feature complete, but at this stage may never be.
Here is a small update for XexTool and the Xex Loader for IDA to fix some reported bugs.
This adds some enhancements to the IDC file creation in XexTool to bring it as close to the level of the Xex Loader plugin as is possible with a script. It also adds checks to ensure the file was loaded as a Binary PPC file. It is a common mistake to use IDA's default option of “Load as a PE file”, so this will now catch the error and warn the user.
This update also fixes a bug in the Xex Loader for IDA that stopped it being usable in some versions of IDA such as v5.5. It is recommended to use this update even if the last version gave you no noticeable issues.
Lastly I’ve also included the latest revision of the “PPC Altivec” plugin for IDA. This was a plugin originally created by Dean Ashton to add Altivec and VMX support to IDA's PPC processor module. It is now up to v1.8 and has been added to and tweaked by many people including myself. This plugin now also adds support to IDA for the processor specific instructions available on PS3 (CellBE), Xbox360 (Xenon) and Gamecube/Wii (Gekko).
I have been meaning to update this site for a while, and also to release updates for XexTool and the Xex Loader for IDA. So over the weekend I finally got around to doing so.
For those who don’t know, XexTool is a windows command line tool that gives info on every aspect of an Xbox360 xex file. It also extracts the file that the xex is based on (usually an exe file) and has the ability to alter most of the various flags and parameters set inside an xex file.
The IDA loader for XEX files enables you to directly load an xex file into the IDA disassembler in order to look at what the internal code is doing. This is extremely useful for developers and reversers. If you don’t know what IDA is or what this loader does, then this tool isn’t for you.
Xex Loader for IDA v6.0
August 27 2010
SONY COMPUTER ENTERTAINMENT ANNOUNCES REMOVAL OF THE GAMEOS FEATURE FROM THE PLAYSTATION®3 SYSTEM IN NEXT UPDATE
After using the XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line.
Download XorHack v2.0 here
I finally found the time to complete the PS3 exploit toolkit software I mentioned in my previous posts. I call it XorHack. It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:
- ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
- dumphv – Dumps the hypervisor to a file in the current directory.
- dumpbl – Dumps the bootloader to a file in the current directory.
- dumprom – Dumps the system rom to a file in the current directory.
I haven’t gotten around to doing an update in a while due to work (and a little relaxation) taking all my time. Rather than wait till I have finished all of the stuff I wanted to before posting again I decided to post some tidbits to tide you over until the rest is ready. Before I do so I’d like to make the following clear as no matter how many times I say it, people believe what they want to believe instead:
THIS PS3 EXPLOIT WILL NOT ENABLE PLAYING OF COPIED OR BACKED UP GAMES. THE EXPLOIT IS FOR RESEARCH PURPOSES ONLY.
Just a quick pic of it all working together cos everyone loves pictures!
This is the PS3 with the newer motherboard where the socket I installed in the front actually looks nice, the other one was a bit of a hack job 😉
This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.
The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, while the RAM didn’t receive the write command due to our interference and so did not perform the write operation.
As I’m sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack, so I thought I’d take the time to help out others who may also have trouble due to being linux n00bs like me. If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it heh. Today’s post will talk about the software side of the exploit.
Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.
Fixed PS3 Exploit Files
As more special PPC instructions are stumbled across, support for them gets added to the plugin. I know I could go through an exhaustive list of all instructions and add them all, but for now I am content with adding them a few at a time 😛
PPC Altivec plugin v1.6 for IDA v5.6
Support added for the instructions: attn, lwsync, ptesync, tlbiel, tlbie, tlbi, slbie.
Also added support for the SystemSim “callthru” instruction (should this even be used outside of a simulator?) and lastly an instruction that I cannot find any information about. The hex value is 0x02002000, so for now I have added this instruction as opcode_02002000 so that it will at least disassemble to code and can therefore be treated as code. If anyone knows what this instruction is please let me know.
Here is version 1.5 of the PPC Altivec Plugin for IDA v5.6 which adds support for special instructions that are used by some PPC based devices. This was originally written by Dean Ashton and then updated by Takires.
This is useful when disassembling Xbox360 and PS3 binaries in IDA as they utilise these special instructions that are not supported by IDA's built in PPC disassembler module.
I have done some fixes to instructions that were previously handled incorrectly, as well as adding support for some new instructions. I also fixed an issue where instruction sizes were being reported incorrectly resulting in an incorrect disassembly.
In lieu of adding real content to my blog, here is some more broken technology I came across. It is an electronic billboard that is basically a computer running ads on a widescreen LCD screen. It seems to be lonely without its keyboard however.
Close up of electronic billboard
Electronic billboard in its environment
The Homebrew Channel (HBC) was designed to be used with the Homebrew SDK aka devkitPro. So any files you compile with devkitPro should load OK via the HBC.
If you try to load a file that was compiled with the Nintendo SDK however you will get an error that “This is not a valid Wii application”. This is because the Homebrew Channel retrieves the load addresses for each ELF program segment from the Physical Address field, and in Nintendo SDK files this field is set to zero.
Hopefully the HBC guys will fix this in the next release, making the HBC more compatible. In the meantime you can use this little tool I made to patch your ELF file. It copies the values from the Virtual Address field into the Physical Address field for each program segment in your ELF file.
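As an added example (not the author's tool, which is a separate download on the original post), here is a small Python script that performs the same patch: it walks the ELF32 program header table and copies each segment's p_vaddr into its p_paddr, which is the field the Homebrew Channel reads for the load address. It accepts only 32-bit big-endian ELF files, since that is what the Wii toolchains produce, and rejects a truncated header table rather than writing past the end of the file. The sample ELF built by `build_sample_elf` is constructed for illustration; its addresses are made up and it is not a real executable.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1    # 32-bit ELF
ELFDATA2MSB = 2   # big-endian, as produced for the Wii's PowerPC core
EM_PPC = 20
PT_LOAD = 1


def _read_phdr_table(elf: bytes) -> tuple[int, int, int]:
    """Validate the ELF header and return (e_phoff, e_phentsize, e_phnum)."""
    if elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if elf[4] != ELFCLASS32 or elf[5] != ELFDATA2MSB:
        raise ValueError("expected a 32-bit big-endian ELF (Wii toolchain output)")
    # Elf32_Ehdr offsets: e_phoff at 0x1c, e_phentsize at 0x2a, e_phnum at 0x2c.
    (e_phoff,) = struct.unpack_from(">I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from(">HH", elf, 0x2A)
    if e_phentsize < 32 or e_phoff + e_phentsize * e_phnum > len(elf):
        raise ValueError("program header table is malformed or truncated")
    return e_phoff, e_phentsize, e_phnum


def program_header_addrs(elf: bytes) -> list[tuple[int, int]]:
    """Return (p_vaddr, p_paddr) for every program header, in table order."""
    e_phoff, e_phentsize, e_phnum = _read_phdr_table(elf)
    # p_vaddr sits at offset 8 and p_paddr at offset 12 within Elf32_Phdr.
    return [
        struct.unpack_from(">II", elf, e_phoff + i * e_phentsize + 8)
        for i in range(e_phnum)
    ]


def patch_paddr(elf: bytes) -> tuple[bytes, int]:
    """Copy p_vaddr into p_paddr for every program header.

    Returns the patched image and the number of headers that actually changed,
    so the caller can tell a Nintendo SDK file (p_paddr == 0) from one that
    was already fine.
    """
    e_phoff, e_phentsize, e_phnum = _read_phdr_table(elf)
    buf = bytearray(elf)
    changed = 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_vaddr, p_paddr = struct.unpack_from(">II", buf, off + 8)
        if p_paddr != p_vaddr:
            struct.pack_into(">I", buf, off + 12, p_vaddr)
            changed += 1
    return bytes(buf), changed


def build_sample_elf() -> bytes:
    """Constructed sample: a minimal ELF header plus two PT_LOAD headers with
    p_paddr left at zero, mimicking a Nintendo SDK build. Not a real
    executable; the addresses are invented for illustration."""
    e_phnum = 2
    e_ident = struct.pack(">4sBBBBB7x", ELF_MAGIC, ELFCLASS32, ELFDATA2MSB, 1, 0, 0)
    ehdr = e_ident + struct.pack(
        ">HHIIIIIHHHHHH",
        2,            # e_type: ET_EXEC
        EM_PPC,       # e_machine
        1,            # e_version
        0x80003100,   # e_entry
        52,           # e_phoff: program headers follow the 52-byte header
        0,            # e_shoff: no section headers in this sample
        0,            # e_flags
        52,           # e_ehsize
        32,           # e_phentsize
        e_phnum,      # e_phnum
        40, 0, 0,     # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b""
    for p_vaddr, size in ((0x80003100, 0x1000), (0x80005000, 0x400)):
        # p_type, p_offset, p_vaddr, p_paddr(=0), p_filesz, p_memsz, p_flags, p_align
        phdrs += struct.pack(
            ">IIIIIIII",
            PT_LOAD, 52 + 32 * e_phnum, p_vaddr, 0, size, size, 5, 0x20,
        )
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage: python patch_paddr.py input.elf output.elf
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched, n = patch_paddr(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched {n} program header(s)")
```

The script copies p_vaddr for every header rather than only those with p_paddr set to zero, matching what the post describes; the returned count lets you confirm a file actually needed the fix before you copy it onto the SD card.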
I love seeing these kinds of things, so when I saw this at my local pub I thought I would share it with the world.
I’ve got the faulty-dongle-driver blues
Standing back to show where the picture is from
I’ve been busy digging into the PS3 lately; I decided it’s finally time to see what secrets can be extracted from it. During my investigations I found that level-1 syscalls, a.k.a. hypercalls, are not handled by IDA, so I decided to add support for them to the existing PPC Altivec plugin.
When it comes to cryptography algorithms the topic of bruteforcing them appears often, but is rarely dealt with in a satisfying way. Usually such a discussion will start with someone asking “Why not just bruteforce it?” and end with someone stating “It is not possible, it would take too long”. Occasionally someone will chip in with “Why not randomly guess it? You might get lucky”. So one day I decided to find out if it is possible, and if not, to at least get an idea of just how long “too long” is.
This is a very basic overview of some common cryptographic terms and techniques employed not just in videogame consoles but universally. I will make generalisations in order to simplify the explanations, so I urge you to read more elsewhere to get a fuller understanding. Bruce Schneier’s Applied Cryptography is widely regarded as the best introduction and reference book on cryptography.
Everyone has heard about the Xbox360 bans that stop a console from connecting to Xbox Live, however not many people realise that Xbox360 consoles can also be revoked. Below you can find a list of all the currently revoked consoles at the time of the Fall’08 system update release. Read on to find out why and how an Xbox360 gets revoked and what effect it has.
Now that my blog is up I have a virtual license to rant!
Now what shits me most about the Wii is its wireless networking. Why does it not like to work? I have used many wireless devices on my current router with no troubles, but the Wii only works about 1 in 20 times, and even then it only seems to work for a short amount of time.
I’ve tried all of Nintendo’s suggestions like moving the Wii, channel 1 or 11, static ip, mixed mode B+G etc. Nothing works.
Being the friend he is, Google pats me on the back and assures me that I am not alone in my struggles. Wireless networking is not a new technology, it really should not cause such issues, especially on a device that only provides wireless and no built in Ethernet port.
SelfTool v1.0 – Download
SelfTool Example Results
I’ve finally gotten around to finishing my SelfTool for manipulating Self and Sprx files. Self files are like exe files for the PS3 and Sprx files are like dll files for the PS3.
Among other things, SelfTool can be used to print out information stored in the file in a readable format to make studying them easier.
NOTE: This DOES NOT enable booting of copied games in any way. It also does not support decrypting or encrypting of self/sprx files. It is really only useful for those who are interested in looking a bit deeper at self/sprx files.
I noticed the other day that when FIFA’09 for Xbox360 is patched with the latest update, the flags that specify what media the game is allowed to run from have changed. Originally it was allowed to boot from a standard original Xbox360 disc, however now it is only allowed to boot from a new media type which is basically an updated version of the original Xbox360 disc type.
Like the title says welcome to my new blog. I hope to update this a little more often than my webpage which had just turned into a download center for my projects.
I also hope to make this a bit more interesting by writing about projects I am currently working on. I enjoy reading similar pages by others such as tmbinc’s blog and bunnie’s blog, so I thought I’d give it a go.