Using USB DRIVE As Blu-Ray Drive, Dump Entire Ram And Cobra USB payload v2 Code Leake - Page 2 - PS3Hax Network

jesdaking · 05-02-2012

Yes i know, but the rumer "PS3 Blu-Ray Drive Emulation" have to know this codes to make there thing work, if its true of couse. right!!!

TizzyT · 05-02-2012

Originally Posted by jesdaking

Yes i know, but the rumer "PS3 Blu-Ray Drive Emulation" have to know this codes to make there thing work, if its true of couse. right!!!

Not quiet.

Calliope · 05-02-2012

Originally Posted by jrtux

Using USB DRIVE as Blu-Ray Drive:

Code:

Code:

/****************************************************************/
/* JaiCraB  17/07/2011                                          */
/* Plugin TheGrid:                                              */
/*      Using USB DRIVE as Blu-Ray Drive                        */
/* File: mount.h                                                */
/* Private use to                                 */
/****************************************************************/
  
#define usb000  0x5F75736230303000ULL
#define bdvd    0x5F62647664000000ULL
#define bdvd2   0x5F62647664320000ULL
  
uint64_t ChangeMountUnit(uint64_t Origen, uint64_t Destino1, uint64_t Destino2);

Using USB DRIVE as Blu-Ray Drive:

Code:

/****************************************************************/
/* JaiCraB  17/07/2011                                          */
/* Plugin TheGrid:                                              */
/*      Using USB DRIVE as Blu-Ray Drive                        */
/* File: main.cpp                                               */
/* Private use to                           */
/****************************************************************/
  
#include "defines.h"
#include "gccpch.h"
#include "ps3Utils.h"
#include "ps3FileSystemUtils.h"
#include "mount.h"
 
int main(void)
{
        uint64_t result;
        int ret;       
        int ret2;      
        int fd;
  
        WriteLog(0,"/dev_usb000","TheGrid Plugin NoBD: Running main base!\n");
        sys_timer_sleep(20);
        WriteLog(0,NULL,"TheGrid Plugin NoBD: Find USB with flag!\n");
        while (1)
        {
                sys_timer_sleep(1);
                ret  = lv2FsOpen("/dev_usb000/GAME_USB", CELL_FS_O_RDONLY, &fd, 0, NULL, 0);
                lv2FsClose(fd);
                ret2  = lv2FsOpen("/dev_bdvd/PS3_DISC.SFB", CELL_FS_O_RDONLY, &fd, 0, NULL, 0);
                lv2FsClose(fd);
                if ((!ret) && (!ret2))
                {
                        WriteLog(0,NULL,"TheGrid Plugin NoBD: Detected USB with flag!\n");
                        WriteLog(0,NULL,"TheGrid Plugin NoBD: Detected BD GAME!\n");
                        WriteLog(0,NULL,"TheGrid Plugin NoBD: Changing mount from bdvd to bdvd2...%d\n",ChangeMountUnit(bdvd,bdvd2,0));
                        WriteLog(0,NULL,"TheGrid Plugin NoBD: Changing mount from usb000 to bdvd...%d\n",ChangeMountUnit(usb000,bdvd,0));
                        return 0;
                }
                
        }
  
        WriteLog(1,NULL, "TheGrid Plugin NoBD: Byez!");
        return 0;
}

Dump entire ram when USB specific is introduced:

Code:

/****************************************************************/
/* JaiCraB  14/07/2011                                          */
/* Plugin TheGrid:                                              */
/*      Dump entire ram  when USB especific is introduced       */
/* Private use to                                 */
/****************************************************************/
#include "defines.h"
#include "gccpch.h"
#include "ps3Utils.h"
#include "ps3FileSystemUtils.h"
  
void lv1dumplv1()
{      
        uint64_t Valor;
        uint64_t x=0,i=0;
 
        char internal_buffer[255];
        unsigned char buffer_dump[0x400];      
        int result, fd;
  
        for (i=0;i<99999;i++)
        {
                sprintf(internal_buffer, "/dev_hdd0/RAM_PS3_%d.bin",i);
                result  = lv2FsOpen("/dev_usb000/dumper.lv1", CELL_FS_O_RDONLY, &fd, 0, NULL, 0);
                if (result!=0)
                {
                        i=99999;
                        lv2FsClose(fd);
                }
        }
        result = lv2FsOpen(internal_buffer, CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd,CELL_FS_DEFAULT_CREATE_MODE_6, NULL, 0);
        if(!result)
        {
                for (i=0;i< (256 * 1024 * 1024);i+= 0x400)
                {
                        for (x=0; x < 0x400; x+=0x8)
                        {
                                Valor= lv1Peek(x+i);
                                memcpy(buffer_dump+x, &Valor, 8);
                        }
                        lv2FsWrite(fd, buffer_dump, 0x400, NULL);
                }
                lv2FsClose(fd);
        }
}
  
int main(void)
{
        int ret;       
        int fd;
  
        WriteLog(0,"/dev_flash/TheGrid/log","TheGrid Plugin Dumper RAM: Running main base!\n");
        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Waiting USB with flag...\n");
        while (1)
        {
                sys_timer_sleep(2);
                ret  = lv2FsOpen("/dev_usb000/dumper.lv1", CELL_FS_O_RDONLY, &fd, 0, NULL, 0);
                if (!ret)
                {
                        lv2FsUnLink("/dev_usb000/dumper.lv1");
                        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Detected USB with flag!\n");
                        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Dumping fisical ram...(256M)\n");
                        //sys_timer_sleep(2);
                        lv1dumplv1();
                        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Waiting USB with flag...\n");
                }              
        }
        WriteLog(1,NULL, "TheGrid Plugin Dumper RAM: Byez!");
        return 0;
}

Using USB DRIVE as Blu-Ray Drive:

Code:

/****************************************************************/
/* JaiCraB  17/07/2011                                          */
/* Plugin TheGrid:                                              */
/*      Using USB DRIVE as Blu-Ray Drive                        */
/* File: mount.cpp                                              */
/* Private use to                                */
/****************************************************************/
  
uint64_t ChangeMountUnit(uint64_t Origen, uint64_t Destino1, uint64_t Destino2)
{
        uint64_t Start= 0x80000000003EE470ULL;          //MTAB  // 0x80000000003EE870
        uint64_t Stop=  0x80000000003EF570ULL;          //end
        uint64_t Current;
        uint64_t Data;
        int status=-1;
  
        for (Current=Start;Current<Stop;Current=Current+0x100)
        {
                Data = lv2Peek(Current);
                if (Data==Origen){
                        lv2Poke(Current, Destino1);
                        lv2Poke(Current+0x8, Destino2);
                        status = 0;
                }
  
        }
        return status ;
}

Cobra USB payload v2:

Code:

/****************************************************************/
/* JaiCraB  29/06/2011                                          */
/* Plugin TheGrid:                                              */
/*      Cobra USB payload v2                                    */
/* File: main.cpp                                               */
/* Private use to                                */
/****************************************************************/
  
uint64_t lv2launch(uint64_t addr)
{
        //addr, offset, opcode
        uint64_t offset=0x8000000000017CE0ULL;          //sc9
        uint64_t opcode=0x3C60800160630003ULL;          //sc9
  
        uint64_t offset2=0x8000000000017CC8ULL;         //sc7
        uint64_t opcode2=0x3C60800160630003ULL;         //sc7
 
        uint64_t offset3=0x8000000000017CBCULL;         //sc6
        uint64_t opcode3=0x3C60800160630003ULL;         //sc6
  
        
        system_call_8(9,(uint64_t) addr, offset,opcode,offset2,opcode2,offset3,opcode3,0);
        return_to_user_prog(uint64_t);
}
int dumplv2(void)
{
        int fd, result;
        uint64_t Valor;
        uint64_t x=0,y=0,i=0;
        char* buffer = NULL;
                result = lv2FsOpen("/dev_usb000/Dumplv2Cobra.bin", CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd,CELL_FS_DEFAULT_CREATE_MODE_6, NULL, 0);
                if(!result)
                {
                        buffer = (char*)malloc(8 * 1024 * 1024);
                        memset(buffer, 0, sizeof(8 * 1024 * 1024));
                        for (x=0x8000000000000000ULL,y=0; x < 0x8000000000000000ULL + (8 * 1024 * 1024);x+=0x8, y+=0x8)
                        {
                                Valor= lv2Peek(x);
                                memcpy(buffer + y, &Valor, 8);
                        }
                        lv2FsWrite(fd, buffer, 8 * 1024 * 1024, NULL);
                        lv2FsClose(fd);
                        free(buffer);
                }
  
        return 0;
}
  
int main(void)
{
        int i,x;
        WriteLog(0,"/dev_usb000","TheGrid Plugin Payload Cobra: Running main base!\n");
        WriteLog(0,NULL,"TheGrid Plugin Payload Cobra: Patching Block!\n");
        for (x=0;x<25;x++)
        {
                for (i=0; i< 4976;i++)
                {
                        lv2Poke(0x8000000000500000ULL + (i * 0x8),payloadBlock[i]);
                }
                __asm__("sync");
        }
        WriteLog(0,NULL,"TheGrid Plugin Payload Cobra: Patching Step 1...\n");
        for (x=0;x<25;x++)
        {       //SC 9 offset
                lv2Poke(0x8000000000017CE0ULL , 0x7C6903A64E800420ULL);
        __asm__("sync");
        }
        WriteLog(0,NULL,"TheGrid Plugin Payload Cobra: Running payload...\n");
        lv2launch(0x80000000005000A8ULL);
        for (x=0;x<25;x++)__asm__("sync");
  
        WriteLog(1,NULL, "TheGrid Plugin Payload Cobra: Byez!");
        return 0;
}

USB Firm Loader v3:

Code:

/****************************************************************/
/* JaiCraB  30/11/2010                                          */
/* USB Firm Loader v3                                           */
/* File: main.c                                                 */
/* Private use to                                */
/****************************************************************/
 
int main( void )
{
uint64_t dev_flash  = 0x5F666C6173680000;
        uint64_t dev_flashO = 0x5F666C6173684F00;
uint64_t dev_hdd0   = 0x5F68646430000000;
        uint64_t dev_hdd1   = 0x5F68646431000000;
        uint64_t dev_hdd2   = 0x5F68646432000000;
uint64_t dev_usb000 = 0x5F75736230303000;
uint64_t dev_usb001 = 0x5F75736230303100;
uint64_t dev_usb002 = 0x5F75736230303200;
        uint64_t dev_usb003 = 0x5F75736230303300;
 
uint64_t Start= 0x80000000003EE470;             //MTAB  // 0x80000000003EE870
uint64_t Stop=  0x80000000003EF570;             //end
        uint64_t Current;
        uint64_t Data;
 
char debugt[100];
 
for (Current=Start;Current<Stop;Current=Current+0x100)
{
Data = syscall_peek(Current);
//Flash -> FlashO
//HDD   -> Flash
//USB   -> HDD
if (Data==dev_flash){
//      sprintf(debugt,"Found in %016llX -> _flash\n",Current);
//      DebugTest(debugt);
syscall_pook(Current,dev_flashO);
//      sprintf(debugt,"Parchet in %016llX -> _flashO\n",Current);
//      DebugTest(debugt);
//VolcarLv2("/dev_usb000/dumpf.bin");
}
if (Data==dev_hdd0){
//      sprintf(debugt,"Found in %016llX -> _hdd0\n",Current);
//      DebugTest(debugt);
//                      syscall_pook(Current,dev_flashO);
//      sprintf(debugt,"Parchet in %016llX -> _flash\n",Current);
//      DebugTest(debugt);
 
//VolcarLv2("/dev_usb000/dumph.bin");
}
 
if ((Data==dev_usb000)||(Data==dev_usb001)||(Data==dev_usb002)||(Data==dev_usb003)){
//      sprintf(debugt,"Found in %016llX -> _usb000\n",Current);
//      DebugTest(debugt);
                        syscall_pook(Current,dev_flash);
                        //      sprintf(debugt,"Parchet in %016llX -> dev_hdd0\n",Current);
//      DebugTest(debugt);
//VolcarLv2("/dev_hdd0/dumpx.bin");
Current=Stop;
}
                if (Data==dev_hdd1){
//      sprintf(debugt,"Found in %016llX -> _usb000\n",Current);
//      DebugTest(debugt);
//                      syscall_pook(Current,dev_hdd2);
                        //      sprintf(debugt,"Parchet in %016llX -> dev_hdd0\n",Current);
//      DebugTest(debugt);
//VolcarLv2("/dev_hdd0/dumpx.bin");
}
}
 
return 0;
}

Dump Syscon ROM From GameOS :

Code:

 /**********************************/
    /* JaiCraB  21/09/2011            */
    /* Dump syscon rom from GameOs    */
    /* Private use for  */
    /**********************************/
     
    #include "defines.h"
    #include "gccpch.h"
    #include "ps3Utils.h"
    #include "ps3FileSystemUtils.h"
     
    #define DUMP_OFFSET                     0x2401fc00000ull
    #define DUMP_SIZE                       0x400000ull
     
    void DumpSyscon()
    {
           
            uint64_t Valor;
            uint64_t x=0,i=0;
     
            unsigned char buffer_dump[0x200];      
            int result, fd;
     
            WriteLog(0,NULL, "TheGrid Plugin Dumper Syscon: Dumping...");
            result = lv2FsOpen("/dev_usb000/syscon.rom", CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd, CELL_FS_DEFAULT_CREATE_MODE_6, NULL, 0);
            if(!result)
            {
                    for (i=DUMP_OFFSET;;i+=0x2000)
                    {
                            for (x=0; x < 0x200; x+=0x8)
                            {
                                    Valor= lv1Peek(i+x);
                                    memcpy(buffer_dump+x, &Valor, 8);
                            }
                            lv2FsWrite(fd, buffer_dump, 0x200, NULL);
                            lv2FsFSync(fd);
                    }
                    WriteLog(0,NULL, "Finish!\n");
                    lv2FsClose(fd);
            }
    }
     
    int main(void)
    {
            int ret;       
            int fd;
     
            WriteLog(0,"/dev_usb000/","TheGrid Plugin Dumper Syscon: Running main base!\n");
            DumpSyscon();
            WriteLog(1,NULL, "TheGrid Plugin Dumper Syscon: Byez!");
            return 0;
    }

This is indeed interesting if it holds any truth to it! :-)

BobbyBlunt · 05-02-2012

It came form DemonHades so take it with a grain of salt

DEFAULTDNB · 05-02-2012

I always thought JaiCraB was a trusted dev?

Is it possible with this leak to make a 3.55 firmloader/nflash loader? to emulate higher firmware? or is that idea a deadend due to enhanced security since 3.6+?

Calliope · 05-02-2012

What if the True Blue Dongle merely loads a custom firmware from the USB the beginning? As anyone considered that possibility?

GregoryRasputin · 05-02-2012

Originally Posted by BobbyBlunt

It came form DemonHades so take it with a grain of salt

Its from JaiCraB who is a decent dev, it seems someone has leaked his work, one of these files is over a year old and some are 10 months old.

Calliope · 05-02-2012

What am I thinking right now is what is the True Blue dongle simply loads a custem payload in the lv1/dev_flash and the eboots are simply redirected to it? By redirecting they are perhaps avoiding the whole security cycle?? Just an idea that I just got while cooking :-D

mcmrc1 · 05-02-2012

Originally Posted by Calliope

What am I thinking right now is what is the True Blue dongle simply loads a custem payload in the lv1/dev_flash and the eboots are simply redirected to it? By redirecting they are perhaps avoiding the whole security cycle?? Just an idea that I just got while cooking :-D

hahaha

maybe it is realy just a very simple trick and no one has realised it now...i wish you good luck

Laocedric16 · 05-02-2012

What if.. Jaicrab is the one who developed TB and now is getting tired because JB-King kept copying them and many people are leeching of his earnings and now is releasing it to the public? :O

05-02-2012	#11
jesdaking Member Join Date: Dec 2007 Posts: 195 Likes: 58 Liked 20 Times in 9 Posts Mentioned: 7 Post(s) Tagged: 0 Thread(s)	Yes i know, but the rumer "PS3 Blu-Ray Drive Emulation" have to know this codes to make there thing work, if its true of couse. right!!! __________________ Ps3hax is for me, like Reading a good book!

05-02-2012	#14
BobbyBlunt Senior Member Join Date: Aug 2007 Location: Virginia US Posts: 3,023 Likes: 1,591 Liked 1,935 Times in 912 Posts Mentioned: 193 Post(s) Tagged: 0 Thread(s)	It came form DemonHades so take it with a grain of salt __________________ Follow me on Twitter @BobbyBlunt83 Contact me via our irc server irc.ps3sanctuary.com/6667 You can figure out how to do so here. Don't start sh!t, there wont be sh!t.

05-02-2012	#15
DEFAULTDNB Join Date: Mar 2012 Posts: 8,854 Likes: 6,244 Liked 3,801 Times in 2,469 Posts Mentioned: 939 Post(s) Tagged: 0 Thread(s)	I always thought JaiCraB was a trusted dev? Is it possible with this leak to make a 3.55 firmloader/nflash loader? to emulate higher firmware? or is that idea a deadend due to enhanced security since 3.6+? __________________ ★STATUS★MINVERCHK★DOWNGRADE★JAILBREAK★SKU's★ ★PPC+MD5★QUICK SWAP FW★MULTIMAN★IRISMANAGER★ Last edited by DEFAULTDNB; 05-02-2012 at 07:08 AM.

		PS3Hax Network - Playstation 3 Hacks and Mods > PS3Hax > PS3 \| Technical Development and Coding Area
Using USB DRIVE As Blu-Ray Drive, Dump Entire Ram And Cobra USB payload v2 Code Leake

05-02-2012	#16
Calliope Join Date: Apr 2012 Posts: 121 Likes: 26 Liked 55 Times in 16 Posts Mentioned: 28 Post(s) Tagged: 0 Thread(s)	What if the True Blue Dongle merely loads a custom firmware from the USB the beginning? As anyone considered that possibility?

05-02-2012	#20
Laocedric16 Member Join Date: Apr 2011 Location: Ci Bai Posts: 64 Likes: 15 Liked 4 Times in 3 Posts Mentioned: 0 Post(s) Tagged: 0 Thread(s)	What if.. Jaicrab is the one who developed TB and now is getting tired because JB-King kept copying them and many people are leeching of his earnings and now is releasing it to the public? :O

User Name		Remember Me?
Password