Repacking downgrade lv2diag.self to work in 3.55

[Ben Jeremy]

UPDATE:

This thread has become about more than simply unselfing the lv2diag.self file, altering the authid, and re-selfing it.

In the process, we've discovered problems with both the makeself and unself tools. slynk has been working on fixing these issue, and much of the thread is dedicated to that effort.

As for the original downgrading self, there are modified tools (sceverify) that can take the original self, hex-edited to change the authid, and re-sign it (no decryption/encryption required, since the authid is not part of the encrypted portion). Of course, then the problem came up that Sony fuxxored consoles that had 3.55 installed to not downgrade properly, anyway. Thanks Sony!

Still, we want to be able to create and use NEW lv2diag.self apps to help with diagnosing problems, exploring the "raw" console and perhaps live patching the kernel for hacking.


Assuming they simply revoked the original by hash, it should be a simple matter to decrypt (is it encrypted?), modify a character string somewhere in the binary, and re-encrypt and re-sign it with the proper keys.

Then it's a simple test to try and downgrade a 3.55 upgraded PS3.

I really need to get these tools together, but I can only mash my way through Linux (Mostly a Windows dev for almost 20 years) at the moment, perhaps when evilsperm sees fit to make another update to his ubuntu virtualbox image, I can finally get cracking.

At any rate, it seems like a simple enough thing...

[garyopa]

It should be simple to do.

Later today, their will be more tools released that will re-assembly selfs into the full right format, once you have keys.

You can also rip apart the v3.55 pup and compare it to the v3.50, and see the changes made in the revoke module, so you know for sure what they are checking for, if it just that hash or not.

[cookie42]

Decrypting it is easy, just use the 0.92-3.31 (rev1) appldr key. Decrypt and compare both lv2diag.self for downgrading, and there is a fair portion that is near identical. I haven't gone further than that, but it looks interesting.

[stoker25]

Looking at the decrypted RL_FOR_PROGRAM packages graf posted, I think they are revoked using the authid and version, its already revoked some programs and each authid is decremented by 1 in the 5th byte. If thats done to each new lv2diag thats easy to change:

goto 0x28 in the self, read 8 bytes, go to that address and the next 8 bytes are the authid

just decrement the 5th byte on the authid of both of the lv2diag selfs and then sign them? that should work, but i haven't got a 3.55 ps3 to test it with though...

edit: hmm looking at both the selfs the authid of one is 10700003FD000001 and the other is 10700003FF000001, try changing them to be something like 10700003D0000001 and 10700003D1000001 or something.

[Ruddicz]

Seems geohot updated his webpage with more goodies. released is an Lv2diag.self file.. does this mean 3.55 users can now downgrade to 3.41?

"first piece of homebrew you can run
put in service mode, put on usb stick, boot"

anyone? I wanna know what it does!

[Ruddicz]

I think its done. check geohot dot com.

[chesh]

You obviously didn't read the whole thing. When you boot into service mode and run it it will save a file on your USB thumbdrive called hello world.txt. That's it.

[Ruddicz]

Seems I need to pay attention more... LMAO. Gary already updated the post. same thing as geohot_1st, but loads as a diag. pointless thread at this point.

[n4ru]

You obviously didn't read the whole thing. When you boot into service mode and run it it will save a file on your USB thumbdrive called hello world.txt. That's it.

geohot.txt, not hello world.txt

[Ben Jeremy]

I think its done. check geohot dot com.

Geohot just wrote a "hello world." app. It writes an empty "geohot.txt" file; I tested it on a bricked PS3 I have here.

stoker25, can you rebuild the self after modifying it and post it somewhere? I can test it on a non-3.55 console, just to see if it works (the bricked unit, which actually downgrades and upgrade flashes all day, but RSoDs and won't flash the factory firmware PUP)