Thread: WIP: V3.50 Decryption and Info - Thanks to graf_chokolo! - Public Release!
  

  1. #1 WIP: V3.50 Decryption and Info - Thanks to graf_chokolo! - Public Release! 
    [C*] is offline Running 3.55 Waninkoko v2.
    Our many thanks to graf_chokolo for starting to decrypt the PS3 v3.50 firmware.


    He should've shared the news somewhere major like here - No matter, he has got world-wide fame now!

    Over the last few months he has been posting some very useful comments on a little-known but very informative blog run by XorLoser.

    Graf_chokolo has been studying the main hypervisor dumps made possible by the Geohot exploit for a while now, but starting again on Nov. 11th, 2010 he has made some great new comments which suggest he has figured out a way to decrypt the packed contents of the Sony firmware PUP update files.

    Quote Originally Posted by graf_chokolo
    I am now able to decrypt and decompress CORE_OS_PACKAGE.pkg from PS3 PUP-Files. The decrypted and decompressed package is a copy of the FLASH region where all the important SELFs and isolated SPUs are stored, e.g. lv1.self or isoldr.

    So now I could downgrade the PS3 by writing this decrypted image to FLASH manually, without the Update Manager from HV. In fact, the Update Manager just does this :-) But the problem is that the SHA-1 hash values for these files are stored not in flash but in SC EEPROM and I don't have access to it yet :-)
    News Source: XorHack v2.0: The Updated PS3 Exploit Toolkit (via) xorloser’s blog

    UPDATE:

    Graf_Chokolo has released all the information on Hypervisor details that he has found out so far. A lot of very useful technical info for developers can now be found on the PS3Wiki thanks to him:

    Check it out here: Hypervisor Reverse Engineering - PS3Wiki

    Graf_Chokolo also states that he will soon release his own custom PSGroove payload that will allow any developer to decrypt and study the GameOS in many new ways.

    Our many thanks to him for helping to expand the PS3 Scene World even more!


    Here is a snippet from CORE_OS_PACKAGE.pkg 3.15:

    Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

    00000000 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 ………….oÿà
    00000010 00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00 …….`……..
    00000020 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0…..
    00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000040 00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08 …….`……..
    00000050 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version…..
    00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000070 00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC …….€……åÌ
    00000080 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr……….
    00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    000000A0 00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0 ……ꀅ…m
    000000B0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr……….
    000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    000000D0 00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44 ……X€…….D
    000000E0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr……….
    000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000100 00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4 ……‡…….Úä
    00000110 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr……….
    00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000130 00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC ……aä……úÌ
    00000140 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri
    00000150 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self…….
    00000160 00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94 ……\°……\”
    00000170 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces
    00000180 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self……..
    00000190 00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0 ……¹D……eÐ
    000001A0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce
    000001B0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self…….
    000001C0 00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C …………..S,
    000001D0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self…..
    000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    000001F0 00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98 ……r@……D˜
    00000200 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s
    00000210 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf………….
    00000220 00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0 ……¶Ø……×ð
    00000230 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel
    00000240 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f……………
    00000250 00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C ……ŽÈ……€Œ
    00000260 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul
    00000270 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self……….
    00000280 00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8 …….T……ˆ¸
    00000290 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul
    000002A0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self……….
    000002B0 00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78 ……˜…….Àx
    000002C0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul
    000002D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self……….
    000002E0 00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0 ……X„……]°
    000002F0 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul
    00000300 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self……….
    00000310 00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0 ……¶4……”
    00000320 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp…..
    00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000340 00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70 ……Ù…….±p
    00000350 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self……..
    00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000370 00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28 …..#Š€……è(
    00000380 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0………….
    00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    000003A0 00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8 …..’r¨……î¸
    000003B0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self.
    000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    000003D0 00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94 …..>a`…….”
    000003E0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin….
    000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000400 00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48 …..Epô……üH
    00000410 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self..
    00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
    00000430 00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00 …..Mm<……..
    00000440 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self…
    00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

    00263264 33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00 315.000………
    00263280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

    I have already decrypted Core OS Packages from the 3.15, 3.41 and 3.50 PUP-Files. I also decrypted the Revoke List for Packages and Programs, which can also be found in PUP-Files. And the SYSCON firmware was also decrypted by me.

    Sony uses zlib to compress Core OS Packages. But not all packages are compressed, e.g. SYSCON firmwares are not compressed, just crypted.
    Packages are first compressed and then decrypted. So first they have to be decrypted and then decompressed with zlib, e.g. on Linux.
    I have also decrypted the profile file DEFAULT.SPP. It stores e.g. the System manager configuration and other things like ACLs.
    Today I decrypted Core OS Package 2.80, the Blu-ray Drive Firmware, the Bluetooth Firmware and the System Controller Firmware.

    Bluetooth/WLAN is a Marvell chip.
    Some interesting strings from Bluetooth Firmware 3.41:

    Marvell Firmware SDK Version 2.3.0

    Eurus_Primary_Phy Marvell_AP

    DoSharedKeySeq1

    mlmeAuthDoSharedKeySeq3
    There is a new isolated SPU module in Firmware 3.50 which is not contained in older firmwares.

    manu_info_spu_module.self
    Just decrypted 1.80 debug firmware.
    Contents of DEFAULT.SPP file are a little bit different.
    From all his posts in the comments, the only thing I know is true is the zlib part, since we all know Sony loves its zlib and psarc files.

    Past that, the Core OS snippet is anyone's guess.
    Last edited by garyopa; 11-14-2010 at 12:10 PM. Reason: Added more info, changed the title, moved to front page!
    Quote Originally Posted by xiaNaix
    Mathieulh claims he's known about it for ages. He also, coincidentally, invented the internet, the wheel, and discovered America.
    Nothing against Math (legend). Next quote irrelevant to above lol.
    Quote Originally Posted by sabin1981 View Post
    OH FOR THE LOVE OF GOD! It didn't even take TEN posts before some twat bitched about something.
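The directory table at the top of the CORE_OS_PACKAGE.pkg 3.15 dump quoted in the post above, parsed and bounds-checked before any offset from it is trusted. This is an added example, not code from graf_chokolo, xorloser or PSX-Scene. The layout (a version field, an entry count, a total size, then 48-byte entries of offset, size and a 32-byte name) is read directly off the dump; the field names are this example's own labels, not Sony's. The sample table is the first 0xA0 bytes of the dump, deliberately cut short after three entries so the truncation path is exercised; the compressed payload is constructed. The zlib header check goes with the remark in the quoted comments that packages are zlib-compressed before encryption while some (SYSCON) are only encrypted: after decryption it tells the two apart.

```python
"""Reader for the table of contents of CORE_OS_PACKAGE.pkg as seen in the
3.15 dump.  Layout read off the dump; field names are this example's own:

  0x00  u32 BE  version/format field  (0x00000001 in the dump)
  0x04  u32 BE  entry count           (0x17 = 23)
  0x08  u64 BE  total package size    (0x6FFFE0)
  0x10  entries of 48 bytes: u64 BE offset, u64 BE size, 32-byte NUL-padded name
"""
import struct
import zlib
from dataclasses import dataclass, field

HEADER_FMT = ">IIQ"
ENTRY_FMT = ">QQ32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 16
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 48

# First 0xA0 bytes of the dump in the post: header plus the first three
# entries (creserved_0, sdk_version, lv1ldr).  The remaining 20 entries are
# left out on purpose so the truncation handling below is exercised.
SAMPLE_TOC = bytes.fromhex(
    "00000001 00000017 00000000 006FFFE0"
    "00000000 00000460 00000000 00040000"
    "63726573 65727665 645F3000 00000000"
    "00000000 00000000 00000000 00000000"
    "00000000 00040460 00000000 00000008"
    "73646B5F 76657273 696F6E00 00000000"
    "00000000 00000000 00000000 00000000"
    "00000000 00040480 00000000 0001E5CC"
    "6C76316C 64720000 00000000 00000000"
    "00000000 00000000 00000000 00000000"
)

# Constructed stand-in for an already-decrypted, zlib-compressed payload.
SAMPLE_PLAIN = b"constructed payload " * 16
SAMPLE_ZLIB = zlib.compress(SAMPLE_PLAIN)


@dataclass
class Entry:
    offset: int
    size: int
    name: str


@dataclass
class Toc:
    version: int
    entry_count: int
    total_size: int
    entries: list = field(default_factory=list)
    truncated: bool = False


def parse_toc(buf: bytes) -> Toc:
    """Parse the header and as many entries as the buffer actually holds."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("buffer shorter than the 16-byte header")
    version, count, total = struct.unpack_from(HEADER_FMT, buf, 0)
    toc = Toc(version, count, total)
    pos = HEADER_SIZE
    for _ in range(count):
        if pos + ENTRY_SIZE > len(buf):
            toc.truncated = True  # header promised more entries than we have
            break
        off, size, raw = struct.unpack_from(ENTRY_FMT, buf, pos)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        toc.entries.append(Entry(off, size, name))
        pos += ENTRY_SIZE
    return toc


def validate(toc: Toc) -> list:
    """Cross-check the table before trusting any offset from it.  Returns a
    list of problems; empty means every entry lies inside the package, the
    data starts right after the table, and no two entries overlap."""
    problems = []
    data_start = HEADER_SIZE + toc.entry_count * ENTRY_SIZE
    if toc.entries and toc.entries[0].offset != data_start:
        problems.append(f"first entry at {toc.entries[0].offset:#x}, "
                        f"expected {data_start:#x} right after the table")
    prev_end = data_start
    for e in toc.entries:
        if e.offset < prev_end:
            problems.append(f"{e.name}: overlaps the previous entry")
        if e.offset + e.size > toc.total_size:
            problems.append(f"{e.name}: runs past total size {toc.total_size:#x}")
        prev_end = e.offset + e.size
    return problems


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: CM == 8 (deflate) and CMF*256+FLG divisible by 31.
    After decryption this separates a compressed package from one that was
    'just crypted' (and a wrong key usually fails it too)."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def inflate_if_needed(data: bytes) -> bytes:
    """Decompress only when a zlib header is present; pass through otherwise."""
    return zlib.decompress(data) if looks_like_zlib(data) else data


if __name__ == "__main__":
    toc = parse_toc(SAMPLE_TOC)
    print(f"version={toc.version} entries={toc.entry_count} "
          f"total={toc.total_size:#x} truncated={toc.truncated}")
    for e in toc.entries:
        print(f"  {e.name:<32} offset={e.offset:#010x} size={e.size:#010x}")
    print("problems:", validate(toc) or "none")
    print("sample payload is zlib:", looks_like_zlib(SAMPLE_ZLIB))
```

With the header's 23 entries the table ends at 0x10 + 23 * 0x30 = 0x460, which is exactly the offset of the first entry in the dump; that equality, and the non-overlap and in-bounds checks, are what `validate` enforces so a tampered or mis-decrypted table cannot steer a reader outside the buffer.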

  2. #2  
    VriskaBlack is offline !DOUBLE PSYCHIC REACHAROUND!
    How did he do this then?
    How does this affect the end-user?

  3. #3  
    nikeymikey is offline Member
    I would think this would be a bigger news item than this!! (Front page anyone??) This could be the first step to a REAL custom firmware.
    PS3 3.55k-cfw - 160GB Phat
    JB Device- ATAVRXPLAIN + Hermes V4b (Not Needed anymore)
    PS3 3.61OFW - 320GB Slim

  4. #4  
    121 is offline Registered User
    Quote Originally Posted by nikeymikey View Post
    I would think this would be a bigger news item than this!! (Front page anyone??) This could be the first step to a REAL custom firmware.
    nope

  5. #5  
    [C*] is offline Running 3.55 Waninkoko v2.
    This is a very big step towards us being able to run the forthcoming 350 SDK games. Since with the flash of 3.50 we'd be able to emulate it, or load the files required for the 3.50 games to play. Maybe the loading of the files could be via a payload? Anyway it's massive news.

  6. #6  
    mеdi01 is offline Banned
    Could we change the title to something a bit more modest please? ("BM with NTFS support" cough) The thing we know for sure is that a guy who has been commenting on xorloser's blog for a couple of months claimed he did it. We don't know if he did, and even if he did, whether he's going to share it with the public.

    So maybe "graf_chokolo claims to have decrypted 3.50 firmware" as a title?

    Quote Originally Posted by nikeymikey View Post
    I would think this would be a bigger news item than this!! (Front page anyone??) This could be the first step to a REAL custom firmware.
    Indeed, this would be the biggest breakthrough after geohot's exploit that would basically finish the business.

    But we need to confirm he did what he says first.

  7. #7  
    meffle is offline Member
    I think this is great news, far more interesting than front page news about a motherboard lol

  8. #8  
    titchy is offline The Small One!
    Quote Originally Posted by meffle View Post
    I think this is great news, far more interesting than front page news about a motherboard lol
    Lol'd IRL

  9. #9  
    Xeauron is offline PlayStation Addict
    Amazing news

    One step closer to full control.
    PS Jailbreak Compatibility:
    http://www.psjcl.com
    Looking for any PS3 firmware, see here:
    http://www.eurasia.nu/wiki/index.php/Ps3OsRels

  10. #10  
    ModIT is offline Member
    Well, this is a very high-end, end-user-unfriendly discussion there;
    I'm quite sure nobody there is claiming anything untrue.
