[PS3 ] Flukes1 lv1/lv2 Peek/Poke Tools Rele …

Board: Modchip  Author: (Savannah)  Time: 13 years ago (2011/01/17 09:35), edited  Pushes: 7 (7 up, 0 down, 1 neutral)
8 comments, 7 participants, latest thread 1/1
As you may know if you've been following my progress, last week I took a short break from Wi-Fi Sync to look at the PS3 and how it works behind the scenes. The PS3 homebrew scene is currently at a point where you can install userland packages, such as FTPDs and SNES emulators, but you still don't have any access to the hypervisor or GameOS kernel. It's still very much a closed system.

Although some homebrew can already be run on firmware 3.55, there is still no way to access the HV or the kernel, so it isn't fully open yet.

As an iPhone developer with an app on Cydia, I can see great potential within the PS3. It's crying out for a decent package manager, but you need OS-level access to do that effectively. Unlocking the PS3 in this way has other benefits too; the system can effectively be modified in any way you wish.

Cydia has made quite a bit of money on the iPhone, and its potential is still hard to gauge; if the PS3 could follow the iPhone's example it would be a good thing, and everyone could build their own ideal console.

So today I'm releasing three tools which open the PS3's hypervisor (lv1) and GameOS (lv2) to full read/write access from packaged userland applications. These tools can be used to create and test lv1/lv2 patches in RAM, which negates the risk of bricking your PS3 by flashing it with an incorrectly patched lv1 or lv2 binary. You can also use the tools to create a patched lv1 or lv2 binary, if you wish, although I suggest thoroughly testing your patches in-memory first.

So today I'm releasing three tools that give full access to the HV and the GameOS kernel. They work directly in memory, which means you avoid the risk of accidentally bricking your console. Of course, once testing shows everything is fine, directly modifying the lv1 and lv2 binaries is also possible, but I still recommend thorough testing first.

I will make a few things clear before continuing: I do not condone piracy and these tools DO NOT enable copied games to run on the PS3. Again: these tools will not allow backup managers to suddenly start working on firmware 3.55. The tools are packaged in source code form and do not include any Sony code or other Sony assets such as encryption keys. If you're not a developer, these tools will be useless to you, so please do not try to use them. They are made available with no implied warranty of fitness for a particular purpose.

Before introducing the tools, a few things need to be made clear: 1. I do not support piracy; these tools will not suddenly make pirated games runnable, and backup managers will not suddenly start working on firmware 3.55 because of them. 2. These programs are released as source code, which proves they contain none of $QNY's assets, encryption keys included. So if you are not a developer, these tools are completely useless to you, and there's no point wasting time downloading them. 3. Anyone who uses these tools does so at their own risk.

Three tools are being made available today:

* resign_self.py. This allows you to automatically replace any segment within a self and re-sign the self so the signatures and hashes are all valid again. Similar to makeself, but it is more suited towards patching lv1 and lv2 (and has been tested for this purpose).
  Something very similar to makeself: it re-encrypts a modified .elf back into a .self.

* insert_lv1_lv2.py. This is just a convenience script I made to take a modified, re-signed lv1.self and lv2_kernel.self, and automatically create a PUP which is identical to an original PUP except for those two files.
  Inserts the modified lv1.self and lv2_kernel.self into a .PUP update file.

* lv1dumper. This is an application which runs on the PS3 that you can compile and package using PSL1GHT and geohot's tools. After running it, lv1 will be mapped at 0x8000000014000000 with read/write access, and you will be able to poke lv2 without the system shutting down. It disables the new lv2 memory hashing feature Sony added to 3.55 (probably to stop future USB jailbreaks).
  A tool that reads out all of lv1 memory. $QNY added protection to lv2 in firmware 3.55: if lv2 memory is written to without authorisation the console powers off immediately, so this protection has to be disabled first. The memory read out is mapped at address 0x8000000014000000.

lv1dumper requires that some patches to lv1 and lv2 are already in place. I'll describe how to add these patches. They have been tested but I cannot guarantee that they won't brick your PS3. Do not do this unless you're comfortable with that.

Some steps have to be completed before lv1dumper will work. I'll tell you how; I've tested them myself, but I still can't guarantee they are completely safe. If you're willing to take the risk, read on.

Firstly, you need to extract the decrypted code segments from lv1.self and lv2_kernel.self (just use unself and copy them directly out of the ELF), and make the following changes to them, assuming you're using 3.55:

First decrypt the two files lv1.self and lv2_kernel.self, assuming you're on firmware 3.55.

* lv1_undocumented_function_114 in lv1 must be patched so that it can be used to map any area of real memory. graf_chokolo found this trick months ago, but it still applies here. Patch the byte at D5A47 from 00 to 01 (2D5A47 if you're looking for it in IDA).
  Undocumented function 114 in lv1 has to be patched.

* You then need to add peek and poke to lv2. Patch 1933C to E8 63 00 00 60 00 00 00 and 19348 to F8 83 00 00 60 00 00 00.
  lv2_kernel.self has to be patched as well.

You can then use resign_self.py to re-insert your patched code segment back into the self. You'll firstly need to change a few bytes in some useless strings because of the way zlib deflate works; the script will tell you what to do. I found that changing strings was the easiest way to do this, it just takes a bit of trial and error.

Once that's done, use resign_self.py to re-encrypt the patched executable into a .self. Before that you have to cut out some unneeded strings, otherwise zlib can't handle it properly. Don't worry, my script will tell you what to do. Personally I think changing strings is the easiest way; a bit of trial and error and it works.

Finally, use insert_lv1_lv2.py to create your modified PUP. You'll need to update to the PUP, then install geohot's jailbreak PUP over the top of it. If you've done everything right, lv1dumper should just exit after you run it and you'll have r/w access to lv1 and lv2 (peek and poke). The lv1_peek, lv1_poke, lv2_peek and lv2_poke functions in lv1dumper show how to use that access.

Finally, of course, use insert_lv1_lv2.py to produce the modified .PUP. For it to take effect you first have to update the firmware again, then apply geohot's .PUP. If everything goes well, lv1dumper will exit by itself after running, and the console will then have lv1 and lv2 peek & poke. A few functions in the source code serve as a demonstration of how to use it.

I'm hoping that some interesting and innovative stuff can come out of this, and maybe we can start to see 'unofficial' apps enjoying the same success on the PS3 that they do on the iPhone.

I hope everyone uses my tools for legitimate purposes, and that the many experts out there will contribute generously; perhaps before long we'll see unofficial software shine on the PS3 just as it does on the iPhone.

******
Basically, once lv1 memory has been dumped, the next step is finding the address of the dev_bdvd hook; once that can be hooked, backup managers should work.

--
※ Posted from: PTT (ptt.cc) ◆ From: 122.117.54.160
※ Edited by: cassine from 122.117.54.160 (01/17 09:36)

1F (01/17 10:14): Legitimate purposes = = wishful thinking

2F (01/17 10:16): Is the poster above deliberately picking a fight?

3F (01/17 10:21): At least it's released as source code, so the non-developer freeloaders can't use it XD

4F (01/17 10:21): Now I'll have something to talk about with my CS friends XD

5F (01/17 18:26): Someone is going to release new homebrew, supposedly around 7 o'clock. Looking forward to it.

6F (01/17 18:34): Sony is about to run out of tears

7F (01/17 18:57): On some forums people say they can already run games.. not sure if it's true..

8F (01/17 20:39): Currently some games can be run by modifying the executable, but there's no universal solution yet

Article ID (AID): #1DCvp5g0 (Modchip)