Thread: WIP: Build your own PS3 Service Jig!
  

  1. #1 WIP: Build your own PS3 Service Jig!
    theruler
    miniv1, a user over at the PS3Hax Network, has posted some very interesting news today: after doing some research he seems to have figured out how to recreate the PS3 SERVICE JIG!


    Now before you go crazy and start updating all your PS3's to try it out!

    You MUST understand that this is totally still in development and is currently only a workable theory!

    It still requires testing and dumping, on various consoles and firmwares, but it's a good start.

    miniv1's method requires THREE things:

    * Dongle Master Key
    * Lv2diag.self
    * Challenge/Response (which ultimately allows us to get a dump of lpar1 with a modified dump code)

    Add the THREE together in a new payload and you’ve got yourself the PS3 service mode!

    News Source: How to recreate the service mode jig (via) PS3Hax Network

    The OP over at PS3HAX should mention that all this info below would not have been possible for him to write/talk about if it was not for the kind heart of grafchokolo in making his HV findings public!

    If someone does end up reproducing the Service Jig, they should at least do the right thing and thank grafchokolo for his original hard work in detailing how the PS3 really works at its lowest level of coding!


    Been doing a lot of searching the 'net and found lots of useful info and think I’ve discovered the way to recreate the PS3 Service Jig!

    Originally Posted by Mathieulh @psx-scene

    That’s not about it, it’s about the fact that even if you manage to reproduce the dongle by dumping the decrypted “dongle master key” and reversing the challenge/response algorithm, you’d still need to use a signed/copyrighted self renamed as lv2diag.self from /dev_usb000/ The product mode flag being of no use on its own. The fact that some people know how this process works and the whole theory behind it doesn’t mean they care or have any interest whatsoever in this procedure especially as there is certainly no great mystery about it (at least not as far as we are concerned). Also the other problem that occurs when it comes to using signed selfs (besides the obvious copyright issue) is the self revocation.

    Which says we need THREE things:

    1 of 3 --> The dongle master key

    Originally Posted by Hypervisor Reverse Engineering - PS3Wiki

    0x24000 – USB Dongle Authenticator
    Packet ID   Description
    0x24001     Generate Challenge
    0x24002     Verify Response

    0x24001 – Generate Challenge

    * I have got access to this service through DM and tested it
    * The service expects no input parameters except those in SS packet header
    * It uses 0x5003 service (Generate Random Number) to generate random numbers that are used in challenge body
    * The length of a challenge body is always 23 bytes, first 3 bytes are always the same: 0x2E 0x02 0x01

    Here are hexdumps of some challenge bodies I let 0x24001 service generate:

    Code:
    2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D
    2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA
    2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13

    0x24002 – Verify Response

    * I have got access to this service and tested it with PSGroove
    * The response body is 25 bytes large
    * The first 3 bytes have to be 0x2E 0x02 0x02 or else the check fails
    * The 16 bits at offset 3 are a dongle ID
    * The dongle ID is checked if it's revoked or not
    * When the verification succeeds then product mode is set to 1
    * The service calculates USB Dongle Key from USB Dongle ID and USB Dongle Master Key by using HMAC SHA-1
    * The service uses HMAC SHA-1 to calculate the correct response body from the challenge body and USB Dongle Key
    * After that the service compares the calculated response body with the given one that was sent to the service
    * It seems that laid and paid from SS packet header are used in the decryption process

    USB Dongle Master Key

    * USB Dongle Master Key is stored encrypted in Process 6
    * The encrypted key is 64 bytes large
    * The decrypted key is 20 bytes large
    * The USB Dongle Master Key is decrypted the first time the service 0x24002 is used
    * The USB Dongle Master Key is decrypted by using the service 0x200E (Decrypt Master) of Virtual TRM Manager
    * The decrypted USB Dongle Master Key is stored in Process 6 in clear text (after first usage of this service)
    * When decryption of USB Dongle Master Key fails then a dummy key is used
    * Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping

    Here is the encrypted USB Dongle Master Key from HV 3.15:

    Code:
    22 D5 D1 8C FF E2 4F AC EC 72 A2 42 A7 18 98 10
    25 33 E0 96 F2 C1 91 0D 15 23 D3 07 74 E7 2B 72
    DF A6 DD E9 68 8B 76 2A 6A 87 51 7F 85 39 0B D4
    20 3F 46 89 04 82 B7 30 84 89 4B CC 9D B1 24 7C

    Here is the USB Dongle Master Dummy Key from HV 3.15:

    Code:
    D1 FC 57 55 BF 20 FA B2 D4 A5 4A 0A 0C 5D 52 8E DF 66 CD 74

    USB Dongle ID Revoke List

    * Process 6 contains a revoke list for USB Dongle IDs
    * The revoke list is 0x2000 bytes large. It's a bitmap.
    * Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.

    The following USB Dongle IDs are revoked in HV 3.15:

    Code:
    0, 2, 13, 32, 34, 176, 241

    2 of 3 --> Lv2diag.self

    Originally Posted by PS Downgrade Real – Confirmed Working 100% (via) PS3-Hacks.com

    Leaked PSDowngrader package: DGF.RAR - 167mb

    3 of 3 --> And finally the challenge/response

    Originally Posted by Twitter 15th Nov

    @ldgchad it’s a reverse of the dongle authentication challenge/response from the ps3 side. If you can dump lpar1 it can be done.

    Then I stumbled upon

    Hi guys, I used an Atmega8 running at 16 MHz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.

    I was quite surprised, it actually worked fairly straight away! I only had one pulse going every time I pressed the button at first, but not a lot was happening.

    So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.

    After about 30-40 seconds… I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10mb bin.

    Just having a look through the dump, lots of strings in there.. I haven’t dropped it into IDA yet tho…

    This is the source and hex (for those who don't want to compile it) for the Atmega8 which I glitched my PS3 with. The chip I used was the Atmega8-16pu. You will also need a 16 MHz crystal and 2 x 22 pF capacitors.

    Grounding pin 14 on the chip will produce a pulse on pin 2 of the chip (in fact it does on all of PORTD). This should then go to the memory bus point on the PS3. See circuit diagram (below).

    I used ponyprog to program my chip, with CKOPT ticked in the fuse settings, everything else was unticked.

    Mick
    Last edited by theruler; 11-17-2010 at 08:29 PM.
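    As an added illustration (not code from the PS3Wiki notes, miniv1, or any PS3 firmware), here is how the 0x24002 verification path quoted above can be modelled from the console's side: the revocation bitmap lookup, the per-dongle key derived with HMAC-SHA1 from the master key, and a constant-time comparison of the 25-byte response. The LSB-first bit order in the bitmap, the big-endian 16-bit dongle ID encoding, the response layout (3-byte header, ID, 20-byte MAC) and the placeholder master key are assumptions; the sample challenge body is the first hexdump quoted above.

```python
import hmac
import hashlib

# Constants taken from the HV notes quoted above.
CHALLENGE_HDR = bytes([0x2E, 0x02, 0x01])   # 23-byte challenge body prefix
RESPONSE_HDR = bytes([0x2E, 0x02, 0x02])    # 25-byte response body prefix
REVOKE_LIST_SIZE = 0x2000                   # bitmap: one bit per dongle ID, 0 = revoked
REVOKED_IDS_315 = (0, 2, 13, 32, 34, 176, 241)
# First challenge body from the 0x24001 hexdumps above.
SAMPLE_CHALLENGE = bytes.fromhex("2E0201723A0A76BB81CB29BCE7B5D6627C0EEE2318A91D")
# Constructed placeholder master key (the real one only appears encrypted in the dump).
SAMPLE_MASTER_KEY = bytes(range(20))

def build_revoke_bitmap(revoked_ids, size=REVOKE_LIST_SIZE):
    """All bits set (valid) except the revoked IDs. LSB-first bit order is an assumption."""
    bitmap = bytearray(b"\xff" * size)
    for dongle_id in revoked_ids:
        bitmap[dongle_id >> 3] &= ~(1 << (dongle_id & 7)) & 0xFF
    return bytes(bitmap)

def is_revoked(bitmap, dongle_id):
    return not (bitmap[dongle_id >> 3] >> (dongle_id & 7)) & 1

def derive_dongle_key(master_key, dongle_id):
    # Dongle key = HMAC-SHA1(master key, dongle ID); 16-bit big-endian ID is an assumption.
    return hmac.new(master_key, dongle_id.to_bytes(2, "big"), hashlib.sha1).digest()

def dongle_response(dongle_key, dongle_id, challenge):
    # Dongle side: header + 16-bit ID + HMAC-SHA1(dongle key, challenge body) = 25 bytes.
    mac = hmac.new(dongle_key, challenge, hashlib.sha1).digest()
    return RESPONSE_HDR + dongle_id.to_bytes(2, "big") + mac

def verify_response(master_key, bitmap, challenge, response):
    """Console side, in the order the 0x24002 notes describe. Returns (ok, reason)."""
    if len(challenge) != 23 or challenge[:3] != CHALLENGE_HDR:
        return False, "bad challenge"
    if len(response) != 25 or response[:3] != RESPONSE_HDR:
        return False, "bad response header"
    dongle_id = int.from_bytes(response[3:5], "big")
    if is_revoked(bitmap, dongle_id):
        return False, "dongle id revoked"
    expected = dongle_response(derive_dongle_key(master_key, dongle_id), dongle_id, challenge)
    if not hmac.compare_digest(expected, response):   # constant-time compare
        return False, "mac mismatch"
    return True, "ok"   # this is the point where product mode would be set to 1

if __name__ == "__main__":   # ID 13 is on the 3.15 revoke list, ID 5 is not
    for i in (5, 13):
        r = dongle_response(derive_dongle_key(SAMPLE_MASTER_KEY, i), i, SAMPLE_CHALLENGE)
        print(i, verify_response(SAMPLE_MASTER_KEY, build_revoke_bitmap(REVOKED_IDS_315), SAMPLE_CHALLENGE, r))
```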

  2. #2
    niai
    lol this just moved from the last front page topic.

    but this is very interesting news to say the least. I don't think it's going to be too legal though.

  3. #3
    theruler
    Quote Originally Posted by niai View Post
    lol this just moved from the last front page topic.

    but this is very interesting news to say the least.
    Yeah I posted it in the wrong thread because I found it as I was reading that one.

    LOL thanks gary/mod for moving it. And thanks miniv1, mathieulh, mick and others for the work.

  4. #4
    garyopa
    Quote Originally Posted by theruler View Post
    Yeah I posted it in the wrong thread because I found it as I was reading that one.

    LOL thanks gary/mod for moving it. And thanks miniv1, mathieulh, mick and others for the work.
    No problem, I edited a bit. -- Sure a busy day of news. -- I like the "revoke" list, looks like Sony is MISSING already SEVEN Service Dongles, and that was back with V3.15 firmware, I wonder how long the v3.60+ firmware list will be!

  5. #5
    57413
    Quote Originally Posted by theruler View Post
    Now before you go crazy and start updating all your PS3's to try it out!
    Is this for PS3 consoles above 3.41?

  6. #6
    theruler
    Uh, yeah so I guess my next question is who can reproduce what miniv1 has outlined here and test to see if it works?

  7. #7
    Xeron
    Could someone explain what is accomplished with this exactly?

  8. #8
    theruler
    Quote Originally Posted by Xeron View Post
    Could someone explain what is accomplished with this exactly?
    Service mode!

    Quote Originally Posted by CJPC
    Over the months there has been a lot of inaccurate information circulating in regards to how exactly the PlayStation 3's Service Mode works, and as promised in our previous Dev updates here are some of the facts to help separate the rumors and speculation.

    It is a fairly simple process as follows.. For starters, the PS3 is powered off, and a special USB dongle, known as the Jig, is connected. The PS3 is then turned on, and then off, once it has detected the Jig.

    After this occurs, the PS3 is then turned back on, into "Service" Mode. From here, the PS3 is re-flashed using a Firmware Update on a USB stick, specifically designed to only install from the Service Mode. Once the PS3 is re-flashed with the software, it is then used in conjunction with a PC running customized software, specifically DEX.exe and CEX.exe.

    There are a multitude of special PS3 firmwares, basically three major ones. The first is a Core System, followed by the Service System, then finishing it off with the Final Software.. usually Retail.

    From the CEX/DEX PC side software, just about anything can be done: Copying, transfer and resigning of box-specific items like PSN games, user profiles, etc.

    Furthermore, the systems can be re-flashed to any software version as well. The system's keys can also be "rearranged", such as the marrying of the PS3's BD-ROM Drive (or controller) with the mainboard. Needless to say, this can do a lot more than a simple "Recovery Menu", as it can change firmware and more.


    Over the last few months we have also compared the flash dumps (pictured below) done by our very own courier of a PS3 in Service Mode with a Retail (and a Debug) and found that the systems are primarily alike; however, the Bootloader 1 of the Service Mode PS3 differs from that of the other systems. Work is still being done by the resident PS3 Devs in trying to pinpoint exactly why this is the case.

  9. #9
    iLLNESS
    Quote Originally Posted by garyopa View Post
    No problem, I edited a bit. -- Sure a busy day of news. -- I like the "revoke" list, looks like Sony is MISSING already SEVEN Service Dongles, and that was back with V3.15 firmware, I wonder how long the v3.60+ firmware list will be!
    they might not be missing. they could have broken/failed and rather than risking someone having the info from the dongle and being able to reuse it they disable it altogether.
    PIC based jailbreakers please visit my thread below and please READ. I have spent a few hours now trying to explain everything as best I can here. You will also find my latest HEX releases there as well.

    http://psx-scene.com/forums/showthre...946#post546946

  10. #10
    theruler
    Quote Originally Posted by iLLNESS View Post
    they might not be missing. they could have broken/failed and rather then risking someone having the info from the dongle and being able to reuse it they disable it all together.
    They're not missing, the people who took them know exactly where they are. But good point iLLNESS, btw is this something you have the technical ability to build/test?

    It would be great to have some 'in house' testing and confirmation!
