XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8-, 16-, 32- and 64-bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level, some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers from the previous exploit code in order to group them all together rather than scattering them all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting; these are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64-bit peek and 64-bit poke, but these syscalls are no longer set up.

Kernel Module Changes

In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn’t saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64-bit kernel from 32-bit userland code: when you send the ioctl from your userland code there is a hidden compatibility function that attempts to “make it compatible” before passing it on to the kernel, and this was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute-force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using those instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will be accessed in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
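The unaligned-access handling described above, as an added illustration (not XorHack’s own library code): the real peek syscalls are replaced by a hypothetical aligned-only accessor over a constructed memory buffer, and `xh_read` picks either one larger covering access or the fewest aligned pieces, reporting how many syscalls it needed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the memory the XorHack peek syscalls would read. */
static uint8_t g_mem[0x2000];

size_t xh_fill_demo(void)          /* byte at offset i holds i & 0xff; returns size */
{
    for (size_t i = 0; i < sizeof g_mem; i++) g_mem[i] = (uint8_t)i;
    return sizeof g_mem;
}

/* Hypothetical aligned-only read modelling one 8/16/32/64-bit peek syscall that
   refuses an unaligned address. Bytes are assembled big-endian like the Cell PPE. */
static bool peek_aligned(uint64_t addr, size_t w, uint64_t *out)
{
    if (addr % w != 0 || addr + w > sizeof g_mem) return false;
    *out = 0;
    for (size_t i = 0; i < w; i++) *out = (*out << 8) | g_mem[addr + i];
    return true;
}

static void unpack_be(uint64_t v, size_t w, uint8_t *dst)
{
    for (size_t i = 0; i < w; i++) dst[i] = (uint8_t)(v >> (8 * (w - 1 - i)));
}

/* Read `width` (1/2/4/8) bytes at any address. Aligned: one syscall of that width.
   Unaligned: one larger aligned access covering the range if one exists, otherwise
   the fewest aligned pieces. Returns the syscall count, 0 on failure. */
size_t xh_read(uint64_t addr, size_t width, uint64_t *out)
{
    uint8_t buf[8], tmp[8];
    uint64_t v;
    size_t calls = 0, done = 0;

    if (width == 0 || width > 8 || (width & (width - 1))) return 0;
    if (addr % width == 0)                          /* already aligned */
        return peek_aligned(addr, width, out) ? 1 : 0;

    for (size_t w = width * 2; w <= 8; w *= 2) {    /* try one covering access */
        uint64_t base = addr & ~(uint64_t)(w - 1);
        if (addr + width > base + w) continue;
        if (!peek_aligned(base, w, &v)) return 0;
        unpack_be(v, w, tmp);
        for (size_t i = 0; i < width; i++) buf[i] = tmp[addr - base + i];
        calls = 1; done = width; break;
    }
    while (done < width) {                          /* otherwise split it up */
        size_t w = 8;
        while (w > 1 && ((addr + done) % w != 0 || done + w > width)) w /= 2;
        if (!peek_aligned(addr + done, w, &v)) return 0;
        unpack_be(v, w, buf + done);
        done += w; calls++;
    }
    *out = 0;
    for (size_t i = 0; i < width; i++) *out = (*out << 8) | buf[i];
    return calls;
}

uint64_t xh_peek_val(uint64_t addr, size_t width)   /* value, 0 if the read failed */
{ uint64_t v = 0; return xh_read(addr, width, &v) ? v : 0; }

size_t xh_peek_calls(uint64_t addr, size_t width)   /* syscalls the read needed */
{ uint64_t v; return xh_read(addr, width, &v); }
```

A 32-bit read at 0x1002 is served by a single 64-bit access of 0x1000, while the same read at 0x1006 cannot be covered and becomes two 16-bit accesses.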

Sample Application Changes

As well as the above additions and changes to userland code, I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8-bit, 16-bit, 32-bit and 64-bit data accesses and can access multiple units of the data size in one call. The ps3peek tool can print data to screen as hex values and ASCII characters, similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x1000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64 bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64-bit access is used since it requires one eighth as many syscalls to get the same amount of information as the default 8-bit access would.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr

Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. By doing so, many tasks can be done, such as setting the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

920 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit”

  1. Heden, of Team DeLiGhT, has released a wonderful new “package file” on the PSGroove.com website that, unlike graf_chokolo’s method, does not need any special payload, just a simple, fast and easy instant SELF/SPRX Decrypter right on your PS3 Console!

    Now everyone can do it! Thank you graf_chokolo! Your work is great! I hope you will bring us other fine stuff. :)

  2. @norman you can already play black ops on 3.41 although some files will need to be modified …

  3. @graf
    some games don’t work, there’s a black screen when loading and nobody has been able to run those ones. There are also workarounds on some of those ones (ie Modern Warfare 2) where you change the demo eboots with the original and it works.
    The ones I know that we are getting a black screen on start up are Prince of Persia, Split/Second, Assassin’s Creed, Pure and more…the list is here http://bit.ly/ea2r9U

  4. @ junior 2k9
    oh I know you can play it with modified files. but maybe he can’t decrypt eboots with 3.50 compilation.

  5. “Guys, GT5 won’t decrypt on 3.41. I have to decrypt it manually by loading appldr from 3.50. I guess it’s the next step then”.

    well, if it’s about decryption keys, what made you think that 3.41 isoldr has keys to decrypt 3.50 appldr? this isolated module probably will not run.

  6. @ Graf

    I can upload some eboots for you, working and non-working, if you are interested in all of them, just tell me and I will upload them for you.

  7. Originally Posted by zAxis
    could some1 do me a favour and post the following (and say it is from me) at xorloser blog (my browser is F***ed up for some reason and won’t let me click the submit button):
    \
    @Graf
    congrats on decrypting the SELF (sry I am late but I know others took care
    of it [the congratulating] )
    anyway, here is some interesting news:
    3.15 Firmware Downgrade – Linux Reviver! FAT Consoles – $94.99 : OzModChips.com, Australian Supplier of WiiKey, Drivekey, M3, R4DS and CycloDS
    ozmodchips are offering downgrading services (that is not the interesting
    part). The interesting part is that they are doing it through infectus.
    from what they wrote in their website, they read the PS3 unique key using
    NAND dump and they store it into a host ps3 (probably using x5002 –
    Set/Delete ATA (Encdec) Key\). they then take a nand dump of the host ps3
    and load it to your ps3, and now it is downgraded. I am wondering is that
    if you are able to read the ATA key from the NAND dump, is there a way to
    get it through software exploit (how)?

    Also, about EBOOT.BIN being SELF, well here:
    PS3 PKG Tool v0.5 is Now Released! – Page 5 – PS3 NEWS – PlayStation 3 News – PS3 Forums
    is an app that decrypts EBOOT.BIN and re-encrypts it. I don’t know how they
    got the key for eboot.bin but they did. Also, is it possible to extract
    the SELF key from the ps3 (then maybe we can locate it in the update PUP
    and get the new key)?

    Good Luck
    \
    thanks

  8. From psx-scene member zAxis:

    @Graf
    congrats on decrypting the SELF (sry I am late but I know others took care
    of it [the congratulating] )
    anyway, here is some interesting news:
    3.15 Firmware Downgrade – Linux Reviver! FAT Consoles – $94.99 : OzModChips.com, Australian Supplier of WiiKey, Drivekey, M3, R4DS and CycloDS
    ozmodchips are offering downgrading services (that is not the interesting
    part). The interesting part is that they are doing it through infectus.
    from what they wrote in their website, they read the PS3 unique key using
    NAND dump and they store it into a host ps3 (probably using “0x5002 –
    Set/Delete ATA (Encdec) Key”). they then take a nand dump of the host ps3
    and load it to your ps3, and now it is downgraded. I am wondering is that
    if you are able to read the ATA key from the NAND dump, is there a way to
    get it through software exploit (how)?

    Also, about EBOOT.BIN being SELF, well here:
    PS3 PKG Tool v0.5 is Now Released! – Page 5 – PS3 NEWS – PlayStation 3 News – PS3 Forums
    is an app that decrypts EBOOT.BIN and re-encrypts it. I don’t know how they
    got the key for eboot.bin but they did. Also, is it possible to extract
    the SELF key from the ps3 (then maybe we can locate it in the update PUP
    and get the new key)?

    Good Luck

  9. @Graf
    congrats on decrypting the SELF (sry I am late but I know others took care
    of it [the congratulating] )
    anyway, here is some interesting news:
    3.15 Firmware Downgrade – Linux Reviver! FAT Consoles – $94.99 : OzModChips.com, Australian Supplier of WiiKey, Drivekey, M3, R4DS and CycloDS
    ozmodchips are offering downgrading services (that is not the interesting
    part). The interesting part is that they are doing it through infectus.
    from what they wrote in their website, they read the PS3 unique key using
    NAND dump and they store it into a host ps3 (probably using “0x5002 –
    Set/Delete ATA (Encdec) Key”). they then take a nand dump of the host ps3
    and load it to your ps3, and now it is downgraded. I am wondering is that
    if you are able to read the ATA key from the NAND dump, is there a way to
    get it through software exploit (how)?

    Also, about EBOOT.BIN being SELF, well here:
    PS3 PKG Tool v0.5 is Now Released! – Page 5 – PS3 NEWS – PlayStation 3 News – PS3 Forums
    is an app that decrypts EBOOT.BIN and re-encrypts it. I don’t know how they
    got the key for eboot.bin but they did. Also, is it possible to extract
    the SELF key from the ps3 (then maybe we can locate it in the update PUP
    and get the new key)?

    Good Luck

    thanks

  10. what is with the big flood of noobs?

    leave the discussing to the devs! seriously. this stuff is interesting (I’m not a dev) and I just sit back and watch what advances are happening. all I see is a bunch of whiners wanting a downgrade or CFW. STFU it will happen when/if it happens.

    just because you ask for it doesn’t mean it will happen just like that.

    i guess we can blame the news sites for posting technical news like this and then showing the way for all of these ungrateful shits to troll here.

  11. graf should really have his own moderated blog so we could get rid of all these teenagers who just want free games.
    Or just a way to collectively downvote them and not have their comments pollute this amazing work into the inner workings of the PS3 that graf_choko seems to be leading at the moment. As a fellow programmer I have a lot of respect for you graf, keep up the good work.

  12. @zAxis wat r u testing is the psgrade because u had that one blog thing on psgroove.com that said u wud

  13. yay, I can post again.
    @graf
    sorry for spamming your thread.
    anyway, do you think it is possible to get the ATA key by software (not just a nand dump)?

    also, what would happen if you call “0x5002 – Set/Delete ATA (Encdec) Key” with the Delete option only? do you think that it won’t encrypt your nand and hard drive (or just brick your ps3)?

    and, what format is a decrypted self? is it elf (as in secure-elf)? I know that EBOOT.BIN is fself (fat-self). if it is elf, we could use “readelf” in a shell to read it and then reconstruct it. then we can run it on 3.50 by renaming it to Lv2Diag.self, putting it on a usb, and plugging it into a 3.50 that is in service mode (it seems that there is not any authentication for Lv2Diag.self, so that is a good way of running unsigned code on 3.50). then we could decrypt eboot.bin without having to extract the new appldr from the update PUP.

    these are just my theories, unfortunately I can’t test them because I just bricked my ps3 doing some tests (I am buying a new one once I get my Christmas gifts), but I would love your input :-)
    ty

  14. Graf, if you’d like your own blog or whatever but don’t want to go with the free services (I.E. WordPress.com/etc..) I can set up a site on my dedi for you, just shoot me an email tim@thedefaced.org.

    You can do whatever you want with it and I’m not too worried about DMCA or etc crap.

  15. Ah, so you are that DeadlyData. My sister was a fame junky back when you and Silent first got it running.

  16. @hprocks123

    Unfortunately, I have not had any time to work on it and it is now a dropped project. So, no, there is no progress with any open source downgrade at the moment.

  17. @zAxis

    That’s a real shame. Are you having excessive difficulties with anything in particular? If so, I may be able to help :)

    I just received my board so everyone can expect a key shortly :)

    So maybe you can all stop harassing me for it :)

    I’m also working on the GT5 eboot a little more and seem to be making progress :)

  18. thanks a ton graf, I ordered an E3, but I’m still interested in compiling some of this stuff and seeing what I can do about producing a solution for the evo 4g, something to jailbreak and downgrade.

  19. if you can get the key, I wonder how long it would take for it to get ported to the iphone 3g. =)

  20. @graf

    Personally I think u should devote *YOUR* time to what *YOU* want to be doing, not what every other little pirate sh*t is coming on here demanding u do. Hopefully the 3.50 jailbreak from x3 will be genuine, everyone will go away from here, then this blog can go back to what it should be. A place for technical discussion about hv reversing, not what I’ve watched it degrade into over the past couple of weeks.

  21. I have dumped the key but will not make it public for now. I don’t want people developing more dongles and making more money off it :)

    Don’t worry, I have contacted zAxis and he will use it for his PSGrade :)

    @beavis

    I know where you’re coming from and feel the same way but to be honest figuring this whole key thing out was interesting and that’s what motivated me :)

    As for the 3.50 jailbreak, I have been working on any possible exploits or methods using one of my original 3.15 and I have made some interesting progress :)

  22. Graf: You are a legend, and it’s so much because of your passion and your focus. Keep doing what you’re doing. So many are very thankful for all your efforts and contributions on our behalf. You rock!

  23. @ graf
    so you’re not making it public but you’re giving it to zaxis so he can make it public? or will it just not be public?

  24. @norman

    I was going to just post it here but like I said, I have contacted zAxis and asked him to keep it to himself for now :)

    I plan to release publicly after PSGrade has become wide spread :)

    Please understand :)

  25. ohhhhhhhhhh I see what you’re saying! ight sounds good.
    and hey thanks, that’s a great contribution to the community

  26. how long for psgrade? I think I’d pay for psgrade, because I think you guys actually deserve it

  27. graf, you have proven that you rule, you were able to get what we needed within hours of receiving your sx28, great work! I look forward to zAxis’ release and will be watching his github closely!

  28. Awesome news. I look forward to you releasing the key (but don’t let that affect your release plan at all).

    It shan’t be too long before this news hits every PS3 hacking news site.

  29. congrats man , you have soon gone from unheard of to being a bit of a legend mate 😀

  30. Good thing you didn’t put it on here cuz some1 would have probably passed psgrade off as their own on ps3-hacks for the money compensation.

  31. I was just reading through the comments, there sure are some whiny little bitches here, I suppose including ‘me’.

    @graf:
    Should I withhold the key as well? I don’t wish to ruin the progress of the scene.. Do you have an e-mail I can contact you by?

  32. @Estx

    I was thinking and maybe my logic is a little flawed :)

    It’s up to you if you want to release it :)

  33. I don’t understand the thought graf… maybe you can explain it?

    If you release it.. psgrade will get it regardless.. how do the clone makers profit as the first integration will be open source?

  34. Estx says: Should I withhold the key as well?

    Ha! what a joke.
    Crawl back in the hole you came from.

    You don’t have the key, you want graf_chokolo to send you his real Key so you can “compare” it to your imaginary key.

    Yeah, right..like anyone would fall for that.

    If you had the key you would have posted it by now.

  35. he never said anything about comparing a key. geez calm down. Don’t judge what a person has or doesn’t have. keep that kind of stuff to yourself. An attitude like that is what makes most devs quit, it’s sickening..
