After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line.
Hypervisor Exploit Changes
At the innermost level, some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers from the previous exploit code so that they are grouped together rather than scattered all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting; these are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for the 64bit peek and 64bit poke, but these syscalls are no longer set up.
Kernel Module Changes
In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn’t saving the link register, which is not good. Lastly, I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code: when you send the ioctl from your userland code, a hidden compatibility layer in the kernel attempts to “make it compatible” before passing it on to the driver, and this was transparently causing some ioctls never to reach my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute-force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using those instead. These ioctls are sent on a handle to the XorHack device, so I am not too worried about them going astray and wreaking havoc.
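The compatibility layer described above exists because an ioctl command number encodes the size of its argument struct, and that size differs between 32-bit and 64-bit builds whenever the struct contains a pointer or a long. The following is an added example, not XorHack code: it re-implements the generic Linux _IOC() encoding to show that a hypothetical peek ioctl (type 'X', nr 1; both values are assumptions) gets two different command numbers across the ABIs when its argument struct holds a void pointer, and a single number when the struct uses only fixed-width fields.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not XorHack code. Shows why an ioctl defined with a struct
 * that contains a pointer gets a *different* command number when compiled
 * for 32-bit userland than for a 64-bit kernel: the struct size is baked
 * into the command word, so the kernel's compat layer has to translate it.
 *
 * Field layout below is the generic Linux one (asm-generic/ioctl.h):
 *   bits 0-7 nr | bits 8-15 type | bits 16-29 size | bits 30-31 direction.
 * PowerPC, the PS3's architecture, uses a 13-bit size field and a 3-bit
 * direction field, but the size-dependence shown here is identical.
 */
enum { IOC_NRSHIFT = 0, IOC_TYPESHIFT = 8, IOC_SIZESHIFT = 16, IOC_DIRSHIFT = 30 };
enum { IOC_NRMASK = 0xff, IOC_TYPEMASK = 0xff, IOC_SIZEMASK = 0x3fff, IOC_DIRMASK = 0x3 };
enum { IOC_NONE = 0, IOC_WRITE = 1, IOC_READ = 2 };

/* Build a command word the way the _IOC() macro does. */
uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((uint32_t)(dir & IOC_DIRMASK) << IOC_DIRSHIFT) |
           ((uint32_t)(size & IOC_SIZEMASK) << IOC_SIZESHIFT) |
           ((uint32_t)(type & IOC_TYPEMASK) << IOC_TYPESHIFT) |
           ((uint32_t)(nr & IOC_NRMASK) << IOC_NRSHIFT);
}

/* Recover the argument size the encoder stored, as _IOC_SIZE() does. */
unsigned ioc_size(uint32_t cmd)
{
    return (cmd >> IOC_SIZESHIFT) & IOC_SIZEMASK;
}

/*
 * Two candidate argument structs for a hypothetical "peek" ioctl
 * (type 'X', nr 1, read+write; assumed values). Sizes are stated explicitly
 * because this program can only measure sizeof() for the ABI it was built for.
 *
 *   struct peek_naive { void *buf; uint32_t len; };
 *     LP64 (64-bit): 8 + 4 + 4 padding = 16 bytes
 *     ILP32 (32-bit): 4 + 4             =  8 bytes
 *
 *   struct peek_fixed { uint64_t buf; uint64_t len; };
 *     16 bytes on both ABIs, no pointers, no padding.
 */
uint32_t cmd_naive(int abi_bits)
{
    unsigned size = (abi_bits == 64) ? 16 : 8;
    return ioc_encode(IOC_READ | IOC_WRITE, 'X', 1, size);
}

uint32_t cmd_fixed(int abi_bits)
{
    (void)abi_bits;  /* same layout on both ABIs, so the same command word */
    return ioc_encode(IOC_READ | IOC_WRITE, 'X', 1, 16);
}

int main(void)
{
    printf("naive: 32-bit 0x%08x  64-bit 0x%08x\n", cmd_naive(32), cmd_naive(64));
    printf("fixed: 32-bit 0x%08x  64-bit 0x%08x\n", cmd_fixed(32), cmd_fixed(64));
    return 0;
}
```

The practical consequence for a driver author is to define ioctl arguments with fixed-width, padding-free fields so both ABIs produce the same command word, and to set .compat_ioctl in the driver's file_operations so that 32-bit callers are routed to the driver instead of being dropped by the kernel's generic compat path for command numbers it does not recognise.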
User Library changes
Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things: if the address being accessed is aligned it is accessed in a single syscall of the specified size; if it is unaligned, either multiple syscalls or a syscall of a larger access size are used. I also added functions to easily check whether the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
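The alignment handling described above, as an added example that is not taken from XorHack's library: a planner that splits an (address, length) request into the fewest naturally aligned 1/2/4/8-byte accesses, plus a simulated peek syscall over a constructed 64-byte memory window (base 0x1000 is an assumed value) so that the byte unpacking, big-endian as on the PS3's PowerPC core, can be run on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not XorHack's library code. Splits an arbitrary (addr, len)
 * request into the fewest naturally aligned 1/2/4/8-byte accesses, which is
 * the decomposition a library needs when the underlying peek syscalls only
 * accept aligned addresses of a fixed width.
 */

typedef struct {
    uint64_t addr;
    unsigned width;  /* bytes per access: 1, 2, 4 or 8 */
} access_t;

/*
 * Fill `out` (capacity `max_out`) with the access plan for [addr, addr+len).
 * Returns the number of accesses, or -1 if `out` is too small.
 * Pass out == NULL to only count.
 */
int plan_accesses(uint64_t addr, size_t len, access_t *out, size_t max_out)
{
    size_t n = 0;
    while (len > 0) {
        /* Largest width that is aligned at addr and does not overrun len. */
        unsigned width = 8;
        while (width > 1 && ((addr % width) != 0 || width > len))
            width >>= 1;
        if (out != NULL) {
            if (n == max_out)
                return -1;
            out[n].addr = addr;
            out[n].width = width;
        }
        n++;
        addr += width;
        len -= width;
    }
    return (int)n;
}

/* --- Constructed backing store standing in for the real peek syscall --- */

#define FAKE_BASE 0x1000ULL           /* assumed base of the fake window */
#define FAKE_SIZE 64
static uint8_t fake_mem[FAKE_SIZE];   /* byte i holds the value i */

/*
 * Stand-in for the width-specific peek syscall: returns `width` bytes at an
 * aligned address as one integer, most significant byte first (the PS3's
 * PowerPC core is big-endian, so that is how a real 64-bit peek lands).
 */
static uint64_t fake_peek(uint64_t addr, unsigned width)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < width; i++)
        v = (v << 8) | fake_mem[addr - FAKE_BASE + i];
    return v;
}

/*
 * Byte-granular read built on the aligned accesses: plan, issue, unpack.
 * Returns the number of syscalls that were needed, or -1 on error.
 */
int peek_bytes(uint64_t addr, size_t len, uint8_t *buf)
{
    access_t plan[64];
    int n = plan_accesses(addr, len, plan, sizeof plan / sizeof plan[0]);
    size_t off = 0;
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        uint64_t v = fake_peek(plan[i].addr, plan[i].width);
        for (unsigned b = 0; b < plan[i].width; b++)
            buf[off + b] = (uint8_t)(v >> (8 * (plan[i].width - 1 - b)));
        off += plan[i].width;
    }
    return n;
}

/* Self-check: 13 bytes from an address 3 past an 8-byte boundary. */
int peek_self_test(void)
{
    uint8_t buf[13];
    for (int i = 0; i < FAKE_SIZE; i++)
        fake_mem[i] = (uint8_t)i;
    int n = peek_bytes(FAKE_BASE + 3, sizeof buf, buf);
    if (n != 3)                      /* expect 1-, 4- and 8-byte accesses */
        return 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 3 + i)
            return 0;
    return 1;
}

int main(void)
{
    printf("self test %s\n", peek_self_test() ? "passed" : "FAILED");
    printf("accesses for a 16MB dump from address 0: %d (all 64-bit)\n",
           plan_accesses(0, 0x1000000, NULL, 0));
    return 0;
}
```

The planner always picks the widest access that is both aligned and still inside the requested range, so a request that starts unaligned uses a few narrow accesses to reach the next boundary and then wide ones, which is exactly why the 64-bit dump below needs far fewer syscalls than byte-wise reads would.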
Sample Application Changes
As well as the above additions and changes to the userland code, I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple units of the data size in one call. The ps3peek tool can print data to screen as hex values and ASCII characters similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.
Here are some examples of what these tools can be used for.
Dumping the hypervisor
This reads 0x1000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires eight times fewer syscalls to get the same amount of information than the default 8bit access would.
ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin
Reading the status register for spu0
ps3peek 0x20000044024 -d 4
Loading metldr
Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. By doing so many tasks can be done, such as setting the required registers to load metldr.
Everyone loves pictures
The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…
Guys, I’m now able to decrypt games, EBOOT.bins
I will make my findings public very soon
Here is a snippet of a game I decrypted:
http://pastie.org/1347337
Guys, how can I install NP-DRMs on my PS3? I have no clue
@Graf_chokolo
Man, you are a reverser beast… incredible, you are a very talented coder.. But.. the best is you try to teach other guys something..
I read your comments from the beginning. You are the reason..
to here and read your last findings…
Some words in german:
I think what you are achieving there is great.. You have my greatest respect..
Please continue to let us share in your knowledge..
Kind regards, STAR
@graf congratz on your work.
@Graf,
Great job! You work so fast! At this rate we will see more compatibility and a CUSTOM FIRMWARE. =)
So, I didn’t get any help and I’m not sharing it yet. Has the scene pussified? That’s the mark of a liar. Graf_chokolo may be the only honest one here. So I’ll wait for the trustworthy one and not someone who just came out of nowhere claiming he got the key. Did your e-peen get bigger having your name on sites?
Either release it now or stfu. We have enough bullshitters in the scene.
Graf,
Seriously, thank you for all your continued hard work and excellent results.
Way to go man. Keep it up!!
Sincerely,
EVERYONE
@Estx
You are full of ****.
Graf.
In response to your question, I mainly want to mod my copy of Fallout New Vegas; my PC can’t run the game.
Also, ETSX, the trolls are bad enough, stop feeding them
@Graf, as far as I’m aware you can only install certain retail .pkgs; I think at some point they changed the authentication process. You could search some newsgroups for the few working games, e.g. Super Street Fighter 2 HD Remix and Lumines PS3.
Then you would need the latest Hermes or PL3 payload, put them on the root of a USB and install them from the XMB under install package file
Hope this helps,
P.S. @graf, can you re-encrypt the SELF files at the moment?
junior2k9, this guy did not find anything; even the mk could jump into his face and he wouldn’t be able to recognise it.
all those losers writing ‘I found it but won’t share, bla bla’ are pussies, just trying to get a response because of their damn boring lives.
I never read so much brainfucked crap from so many braindead assholes before.
C’mon, wimps and posers, leave the scene plz.
great work!
It’s awesome!
Congrats Graf_chokolo 😉
But after you decrypt/encrypt an EBOOT, could you run it on a JB PS3?
I’m a Sony worker.
graf, stop hacking our console or else my children must die of hunger. No wait… we sell more PS3s thanks to you. Keep up the good work 😉
hey, x3max just jailbroke the 3.50 PS3?.. I’m guessing that your focus shouldn’t be to downgrade anymore, but maybe to make your own firmware? i.e. custom firmware?
38 bytes? not 20?
Please read the following post before you post “nonsense”. Graf has no desire to downgrade but only to decrypt.
@ace We need an open source solution for the rest of us
@graf_chokolo Is that Sonic? 😀
Using that key, input data:
0x56, 0x7f, 0x4a, 0x53, 0x0f, 0xe1, 0x72, 0x3b, 0x6d,
0xc0, 0x49, 0x42, 0x34, 0x3b, 0x27, 0xc0, 0x3f, 0x13,
0x83, 0x4a
the output:
0x51, 0x37, 0x3f, 0x5b, 0x29, 0x4b, 0x7c, 0x90, 0xa7,
0x34, 0x70, 0xb9, 0x4e, 0x82, 0xa7, 0xcf, 0x25, 0x69,
0xcc, 0xf6
does not match hansi’s dump.
Another example
http://pastie.org/1347672
Pingback: PS3 Master Key Found? Game EBOOT.BIN File Decrypted! | PS3 Hacks :: PS3 Homebrew :: PS3 Downloads
Heya, nice work
What’s the benefit of decrypting? Look towards open source!!!! I wanna make MW2 challenge lobbies
Hey guys, could someone please upload me Star Wars: Force Unleashed EBOOT.BIN? Thanks.
http://www.megaupload.com/?d=1GC6Q8XI
Here is the eboot 😉
You should decrypt a real 3.50 game like GT5
Is that possible?
sw:fw2
http://www.megaupload.com/?d=LSPAQV1N
Star Wars: Force Unleashed EBOOT.BIN
http://www.megaupload.com/?d=M1756Q1C
Thanks to theruler @ psx-scene.
Thanks graf!
SWTFU eboot for GRAF: http://www.megaupload.com/?d=M1756Q1C
Here you go Graf! Thanks very much
http://www.megaupload.com/?d=M1756Q1C
Why not the Eboot of GT5 ? 😀
@graf_chokolo
Someone might have it earlier, but I’ll probably have it by tomorrow at the latest for you.
~~Just a lurker who wants to help.
Also graf, here is an EBOOT.BIN from SPLIT/SECOND (USA-NTSC). This is a game that FREEZES w/ BLACK SCREEN in JB mode; maybe you can take a look and suggest why.
http://www.megaupload.com/?d=Q6UABZFY
BLES00893
hxxp://www.multiupload.com/WGIBEI8VT0
PW: schokilade
Uploading Now
http://www.megaupload.com/?d=M1756Q1C
This is what you seek graf…
It wasn’t posted by me so don’t thank me.
Thank theruler over at psx-scene
http://www.megaupload.com/?d=RLU0DT7K
http://www.megaupload.com/?d=M1756Q1C
http://www.megaupload.com/?d=M1756Q1C
eboot 4 U
Here’s an EBOOT.BIN of Star Wars: The Force Unleashed
http://www.megaupload.com/?d=M1756Q1C
Here Is Another Link http://www.mediafire.com/download.php?5tub4yqak3wy4xf
hey graf, have you got the dev board yet? If not, give us a timeframe for when you will. Pleeeeeeeez answer, I know it’s not a tech question but pleeeeeeeez answer
SWTFU: http://www.megaupload.com/?d=M1756Q1C
Sorry about that ppl, I just had an urge to troll.
You know how it is when you see trolls everywhere?
You become a little… troll… yourself
@Etsx
You’re sorry for trolling with that “big penis” message, or you’re sorry for even claiming to have the key in the first place?
It’s still not clear whether Estx and Etsx are different people or not.
As graf said, if you have it, post it, otherwise don’t jerk everyone’s chain.
Asking you some questions:
1- Well, I’m coming from the PSP world which has MIPS as ASM, and there are a lot of good tools out for MIPS like IDA, PS2DIS, MARS and so on, but for PPC64/PPC what do you suggest?? The only useful thing that I found was a shitty Wii tool to translate OPCODEs in hex.
2- Does the PS3 read the decrypted EBOOT.BIN like the PSP does, or do we need to re-encrypt it?
3- I think a Game-OS app for an eboot.bin decrypter would be the best thing you could do, making life easier for me as a noob dev; do you think that’s possible?
4- Do you know a way to dump the RAM in game? I’m looking everywhere for something that dumps the RAM while you are in game, but without unsigned SPRX support it’s pretty hard.
5- I was thinking if maybe it’s possible to build something in PPC that loads a .bin (something like a PRX) based on the SCEs of the game, insert it into the decrypted eboot.bin and launch it through a branch command; possible?
PS: Sorry for my bad English
Star Wars: Force Unleashed EBOOT.BIN
http://www.megaupload.com/?d=RLU0DT7K
http://www.mediafire.com/download.php?5tub4yqak3wy4xf
@ Graf
Mack702 from psx-scene has done the job.
DEV BOARD!!!!!!!!!????????????????????????????????????
@hprocks123
No, I don’t have my devboard yet. It has to be imported from the USA so I guess it will take long, sorry.
Hey guys, the Jedi returned, but now decrypted
http://pastie.org/1347788
So is there a key to downgrade yet?