PS3Hax Network - Playstation 3 Hacks and Mods - View Single Post - Breaking: Mathieulh decrypts LV0 at FW 3.73

jrtux · 11-13-2011

Sign executables for 3.73+

[21:00:58] <Mathieulh> selfs are a mess to generate properly because a lot of values need to be calculated from the original elf file
[21:01:11] <Mathieulh> the problem is right now all the public tools use hardcoded values
[21:01:19] <Mathieulh> that are grabbed from various self files
[21:01:21] <Mathieulh> but are not calculated
[21:01:34] <Mathieulh> well that's one of the many problems actually
[21:01:35] <jevin> Mathieulh, things other than elf offsets?
[21:01:40] <Mathieulh> yah
[21:02:03] <Mathieulh> sony also did some fancy things with the compression self format
[21:02:12] <Mathieulh> where values are off by a certain offset etc etc
[21:02:38] <Mathieulh> if you want to make a proper self tool
[21:02:44] <Mathieulh> you first need to reverse make_fself
[21:03:06] <jevin> not too hard with hexrays *cough*
[21:03:09] <Mathieulh> that's the initial step
[21:03:15] <Mathieulh> yeah it's not that hard
[21:03:29] <Mathieulh> then you'll figure what a big **** up the self format really is xD
[21:05:14] <Mathieulh> but yeah just my self.cpp is 5 times larger than the entire source for geohot make_self/make_self_npdrm
[21:05:27] <Mathieulh> in terms of lines of code
[21:05:48] <Mathieulh> so his is missing ****loads of stuffs and only relies on hardcoded values
[21:06:06] <jevin> entire headers copypasta'ed from existing selfs
[21:06:11] <Mathieulh> pretty much yah xD
[21:06:23] <Mathieulh> the ones on the tool I use are generated
[21:06:32] <Mathieulh> as in calculated and generated
[21:06:36] <Mathieulh> from the original elf
[21:06:52] <Mathieulh> btw unself is buggy too
[21:06:54] <Mathieulh> just so you know
[21:07:16] <jevin> why havent you labeled the control flags?

[21:08:16] <Mathieulh> jevin I didn't feel the need to, I already know what they do anyway
[21:08:37] <Mathieulh> for example 0x40 is root rights, 0x20 is debugger rights and so on
[21:09:07] <jevin> im guessing the self capabilities flags are offset 0x20 in the self header
[21:09:18] <Mathieulh> capabilities aren't in the header
[21:09:23] <Mathieulh> they are part of the metadata
[21:09:28] <Mathieulh> as in, they are encrypted and signed
[21:10:16] <jevin> offset 0x10 in the section header?
[21:10:29] <Mathieulh> it's after the metadata keys
[21:10:33] <jevin> no, they wouldnt be per section
[21:10:50] <Mathieulh> as in, right after them
[21:11:09] <jevin> i see. so unself doesnt have enough fields in the metadata header
[21:11:35] <jevin> i really should color in the hex values that are mapped to structures in unself vs ones that arent
[21:11:42] <jevin> seems like it is missing a lot
[21:11:49] <Mathieulh> everything public is missing tons
[21:12:15] <Mathieulh> capabilities are optional mind you
[21:12:35] <jevin> are they restrictive or permissive?
[21:13:11] <Mathieulh> restrictive
[21:13:16] <Mathieulh> (for most)
[21:42:15] <jevin> Mathieulh, you said that the geohot npdrm keypair is blacklisted in 3.56
[21:42:30] <jevin> i couldnt find the decrypted or encrypted metadata keypair in 3.56 files
[21:42:47] <jevin> where does the blacklisting occur? is it a hash that is blacklisted?
[21:43:08] <jevin> its interesting to me because we can make our own keypairs now with juan nadie's work
[21:48:45] <Mathieulh> <jevin> Mathieulh, you said that the geohot npdrm keypair is blacklisted in 3.56 <== not only that
[21:49:03] <Mathieulh> geohot stuff doesn't generate some of the npdrm specific values
[21:49:08] <Mathieulh> those were not checked in 3.55
[21:49:13] <Mathieulh> but they are checked in 3.56 now
[21:49:55] <jevin> Mathieulh, gotcha
[21:50:09] <jevin> is his keypair actually blacklisted somewhere though?
[21:50:10] <Mathieulh> there is no whitelist for npdrm
[21:50:22] <Mathieulh> so it's actually possible to generate valid npdrm self for 3.56+
[21:50:42] <jevin> is it a check in appldr?
[21:50:43] <Mathieulh> that tool I made a screenshot of actually does that
[21:51:02] <Mathieulh> jevin yeah, it's enforced by lv1 though
[21:51:16] <jevin> a hash comparison?
[21:51:27] <Mathieulh> yeah it's a hash
[21:51:30] <Mathieulh> but I won't say more
[21:51:35] <jevin> ok

[21:51:55] <Mathieulh> everything you need is in the 3.56 fw :P
[21:52:16] <jevin> rgr, i will poke around later
[21:52:34] <jevin> the checks are unmodified in 3.60+?
[21:52:43] <jevin> + new keys of course
[21:52:51] <Mathieulh> same checks
[21:54:53] <Mathieulh> jevin you won't get around crafting valid 3.56+ npdrm selfs without a proper makeself tool though
[21:57:18] <jevin> would SCE make npdrm selfs work if actually signed?
[21:57:25] <jevin> + crypted

http://www.ps3devwiki.com/index.php?...and_Decryption

11-13-2011	#124
jrtux Member Join Date: Oct 2011 Location: Brazil - São Paulo Posts: 79 Likes: 39 Liked 40 Times in 23 Posts Mentioned: 5 Post(s) Tagged: 0 Thread(s)	Sign executables for 3.73+ [21:00:58] <Mathieulh> selfs are a mess to generate properly because a lot of values need to be calculated from the original elf file [21:01:11] <Mathieulh> the problem is right now all the public tools use hardcoded values [21:01:19] <Mathieulh> that are grabbed from various self files [21:01:21] <Mathieulh> but are not calculated [21:01:34] <Mathieulh> well that's one of the many problems actually [21:01:35] <jevin> Mathieulh, things other than elf offsets? [21:01:40] <Mathieulh> yah [21:02:03] <Mathieulh> sony also did some fancy things with the compression self format [21:02:12] <Mathieulh> where values are off by a certain offset etc etc [21:02:38] <Mathieulh> if you want to make a proper self tool [21:02:44] <Mathieulh> you first need to reverse make_fself [21:03:06] <jevin> not too hard with hexrays cough [21:03:09] <Mathieulh> that's the initial step [21:03:15] <Mathieulh> yeah it's not that hard [21:03:29] <Mathieulh> then you'll figure what a big ** up the self format really is xD [21:05:14] <Mathieulh> but yeah just my self.cpp is 5 times larger than the entire source for geohot make_self/make_self_npdrm [21:05:27] <Mathieulh> in terms of lines of code [21:05:48] <Mathieulh> so his is missing **loads of stuffs and only relies on hardcoded values [21:06:06] <jevin> entire headers copypasta'ed from existing selfs [21:06:11] <Mathieulh> pretty much yah xD [21:06:23] <Mathieulh> the ones on the tool I use are generated [21:06:32] <Mathieulh> as in calculated and generated [21:06:36] <Mathieulh> from the original elf [21:06:52] <Mathieulh> btw unself is buggy too [21:06:54] <Mathieulh> just so you know [21:07:16] <jevin> why havent you labeled the control flags? [21:08:16] <Mathieulh> jevin I didn't feel the need to, I already know what they do anyway [21:08:37] <Mathieulh> for example 0x40 is root rights, 0x20 is debugger rights and so on [21:09:07] <jevin> im guessing the self capabilities flags are offset 0x20 in the self header [21:09:18] <Mathieulh> capabilities aren't in the header [21:09:23] <Mathieulh> they are part of the metadata [21:09:28] <Mathieulh> as in, they are encrypted and signed [21:10:16] <jevin> offset 0x10 in the section header? [21:10:29] <Mathieulh> it's after the metadata keys [21:10:33] <jevin> no, they wouldnt be per section [21:10:50] <Mathieulh> as in, right after them [21:11:09] <jevin> i see. so unself doesnt have enough fields in the metadata header [21:11:35] <jevin> i really should color in the hex values that are mapped to structures in unself vs ones that arent [21:11:42] <jevin> seems like it is missing a lot [21:11:49] <Mathieulh> everything public is missing tons [21:12:15] <Mathieulh> capabilities are optional mind you [21:12:35] <jevin> are they restrictive or permissive? [21:13:11] <Mathieulh> restrictive [21:13:16] <Mathieulh> (for most) [21:42:15] <jevin> Mathieulh, you said that the geohot npdrm keypair is blacklisted in 3.56 [21:42:30] <jevin> i couldnt find the decrypted or encrypted metadata keypair in 3.56 files [21:42:47] <jevin> where does the blacklisting occur? is it a hash that is blacklisted? [21:43:08] <jevin> its interesting to me because we can make our own keypairs now with juan nadie's work [21:48:45] <Mathieulh> <jevin> Mathieulh, you said that the geohot npdrm keypair is blacklisted in 3.56 <== not only that [21:49:03] <Mathieulh> geohot stuff doesn't generate some of the npdrm specific values [21:49:08] <Mathieulh> those were not checked in 3.55 [21:49:13] <Mathieulh> but they are checked in 3.56 now [21:49:55] <jevin> Mathieulh, gotcha [21:50:09] <jevin> is his keypair actually blacklisted somewhere though? [21:50:10] <Mathieulh> there is no whitelist for npdrm [21:50:22] <Mathieulh> so it's actually possible to generate valid npdrm self for 3.56+ [21:50:42] <jevin> is it a check in appldr? [21:50:43] <Mathieulh> that tool I made a screenshot of actually does that [21:51:02] <Mathieulh> jevin yeah, it's enforced by lv1 though [21:51:16] <jevin> a hash comparison? [21:51:27] <Mathieulh> yeah it's a hash [21:51:30] <Mathieulh> but I won't say more [21:51:35] <jevin> ok [21:51:55] <Mathieulh> everything you need is in the 3.56 fw :P [21:52:16] <jevin> rgr, i will poke around later [21:52:34] <jevin> the checks are unmodified in 3.60+? [21:52:43] <jevin> + new keys of course [21:52:51] <Mathieulh> same checks [21:54:53] <Mathieulh> jevin you won't get around crafting valid 3.56+ npdrm selfs without a proper makeself tool though [21:57:18] <jevin> would SCE make npdrm selfs work if actually signed? [21:57:25] <jevin> + crypted http://www.ps3devwiki.com/index.php?...and_Decryption