Decryption PSGroove Payload by Graf_Chokolo!

[nickcas]

Graf_Chokolo has done it again, first he releases all his Hypervisor details, now he has released his version of the PSGroove payload that allows developers to finally see full details out of the PS3 system firmware complete with decrypted contents. -- This release is advance and for developers only, but hopefully it will give them a very useful tool to expand the PS3 Scene even more!

So guys, i promised to you that i will made my PSGroove payload public.
I just uploaded it to github. Let me first explain how it works. I do not have much free time, so please do not expect me to explain every detail to you :-) The target group of this release are advanced programmers among you. The source code is not commented but it’s clean, well structured and self-explaining.

My payload has 2 stages. The 1st stage is actually a PSGroove payload. It initializes the gelic device and allocates memory needed for the 2nd stage. Just compile the 1st stage binary, convert it to C hex array and replace the PSGroove payload.

The 2nd stage does the real job, e.g. decrypts a CORE_OS_PACKAGE.pkg from a PUP file, runs some isolated SPU module or dumps FLASH. The 2nd stage binary is sent to PS3 over Ethernet with “sendfile” which i also provided. The 1st stage code receives this data and stores it in a memory region of size 64 kb. After the upload is complete, the 1st stage code jumps to the 2nd stage code and executes it. So, you have to program PSGroove only once and can just change the 2nd stage binary to execute different code.

In order to be able to run isolated SPUs, you first need to dump your FLASH memory.
Then extract these files from dump and after that you can use it e.g. to decrypt packages :-) I described how to extract files from FLASH dump on my Hypervisor Reverse Engineering page.

To be able to decrypt packages from PUP file, first you need to extract a revoke list for packages from PUP file 3.41 e.g. (RL_FOR_PACKAGE.pkg). Just extract it, convert it to C hex array and paste it into rvk_pkg_341.c. You have to do it yourself because i don’t want any legal problems with SONY.

I didn’t use any GameOS functions in my code because my goal is to reverse Hypervisor and i wanted to learn how to do it without GameOS. I don’t plan to release any GameOS tools, so feel free to create new cool and helpful programs for GameOS using my code :-)

I’m using ppu toolchain for Linux provided by IBM to compile the source code.

I will try to answer any of your questions here. But please do not ask me questions like how to install ppu compiler or something like that :-) You will find everything on the Internet. I don’t have much time, so try to do as much as you can by yourself, you will benefit from it yourself :-)

So, have fun guys :-)

He's uploaded his payload for all to use. Maybe this should have it's own thread, since it's pretty big news.

News Source: https://github.com/grafchokolo/psgroove

[jayjayusa]

WOOOW you are amazing!

[Whysomangry]

Mods omfg make a thread on this shit.

[mеdi01]

Mods omfg make a thread on this shit.

Indeed.

PS
Jeez, didn't know all that was possible from lv2.

[theruler]

Great work Graf! Thanks v much

[niai]

nice work cant wait to see what comes of this. thanks.

[garyopa]

Mods omfg make a thread on this shit.

Yep, I have.

@nickcas - Many thanks for the news

[vandalj]

: - )

[Za0oO]

pardon my noobness, but would it mean that it would be possible for us to downgrade from an actual psgroove dongle with such payload ?

[Xeauron]

As usual, amazing news keeps coming