Old 01-25-2013   #1
zecoxao
graf

Taken from a certain site:

I am able now to decrypt and decompress CORE_OS_PACKAGE.pkg from PS3 PUP files. The decrypted and decompressed package is a copy of the FLASH region where all the important SELFs and isolated SPUs are stored, e.g. lv1.self or isoldr.

So, now I could downgrade the PS3 by writing this decrypted image to FLASH manually, without the Update Manager from HV. In fact, Update Manager just does this. But the problem is that the SHA-1 hash values for these files are stored not in flash but in SC EEPROM, and I don't have access to it yet.
graf_chokolo says:
November 15, 2010 at 11:21 pm

I completely reversed the Update Manager that runs in Process 6 in HV.
And it decrypts CORE_OS_PACKAGE.pkg, calculates hash values of lv0 and lv1.self, sends these hash values to SC Manager (runs also in an HV Process), which stores them either in EEPROM or somewhere else. After that the decrypted CORE_OS_PACKAGE.pkg is stored on the flash. So, by decrypting CORE_OS_PACKAGE.pkg I just did a part of what UM does.
And I have write access to FLASH but NO access to SC Manager.

During booting, System Manager (runs in HV Process 9) tells Update Manager to do an integrity check. Among other things, Update Manager reads the lv0 and lv1.self hash values from SC Manager, calculates hash values of these files from FLASH and compares them. If they do not match, then it reboots or powers off.

So that is why I said in my earlier post that before I do downgrading, I need SC Manager access.

GameOS has a VUART communication link to HV Processes which provide different services to GameOS. The Updater from GameOS, e.g., communicates with Update Manager from HV through this link. And SC Manager can also be accessed through the VUART link (Dispatcher Manager),
but unfortunately it has ACLs and denies all accesses to SC Manager from GameOS :-( . If I had access to SC Manager, I could do so many cool things :-) E.g. decrypt the USB Dongle Master Key that is stored decrypted in HV Process 6 (the same process where Update Manager runs).

USB Dongle Master Key is decrypted by SC Manager :-)
I guess the Jailbreak people have decrypted the USB Dongle Master Key. If you have this key, then you can bring your PS3 into product mode. In this mode, e.g., integrity checks done by Update Manager are skipped :-)
BTW, USB Dongle Authenticator runs also in HV Process 6 and GameOS has free access to it, but you need the master key :-)

BTW, System Controller (SC or SYSCON) is accessed in HV through VUARTs from LPAR1. And the VUARTs send data to ioif, address somewhere around 0x2400009000, don't know exactly, have to look it up in HV.
So if someone manages to map this address into the LPAR's memory, then he has access to SC.


I have now very rock-solid knowledge of HV and its Processes but unfortunately no HV access yet :-)

So, here is some piece of my knowledge I gathered by reversing HV :-)

I'm able to run isolated SPUs from GameOS but I didn't use any GameOS functions. I used ONLY HV calls. I'm more interested in HV reversing :-)

I will soon make public how to decrypt CORE_OS_PACKAGE.pkg.

This is graf talking about SYSCON and ways to access it from the Hypervisor.
He talks more, specifically about downgrading and other kinds of things. I'll try to put the most info I can find about him in this space.
__________________
"Whoever has ears, let them hear."

Last edited by zecoxao; 01-25-2013 at 03:21 PM.
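The integrity scheme graf describes above (Update Manager hashes lv0 and lv1.self, SC Manager keeps the reference hashes outside flash, boot recomputes and compares) modelled in Python as an added illustration; this is not graf's or Sony's code, and the "images" are constructed byte strings, not real PS3 binaries. It shows why a raw flash write that bypasses Update Manager leaves the stored hashes stale and fails the boot-time check.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    """SHA-1 in hex, the hash the post says Update Manager computes."""
    return hashlib.sha1(data).hexdigest()


class SCManager:
    """Stand-in for the HV SC Manager: holds reference hashes outside flash."""

    def __init__(self) -> None:
        self._eeprom: dict[str, str] = {}   # constructed model of SC EEPROM

    def store_hashes(self, hashes: dict[str, str]) -> None:
        self._eeprom.update(hashes)

    def read_hashes(self) -> dict[str, str]:
        return dict(self._eeprom)


def update_manager_install(sc: SCManager, flash: dict[str, bytes],
                           package: dict[str, bytes]) -> dict[str, str]:
    """Update path as described: hash the decrypted package contents,
    hand the hashes to SC Manager, then write the images to flash."""
    hashes = {name: sha1_hex(data) for name, data in package.items()}
    sc.store_hashes(hashes)
    flash.update(package)
    return hashes


def integrity_check(sc: SCManager, flash: dict[str, bytes]) -> list[str]:
    """Boot path: recompute hashes from flash, compare with SC's copy.
    Returns the names that mismatch; non-empty means reboot/power off."""
    expected = sc.read_hashes()
    return [name for name, data in flash.items()
            if expected.get(name) != sha1_hex(data)]


def simulate_out_of_band_flash_write() -> tuple[list[str], list[str]]:
    """Constructed scenario: a normal update, then a flash write that never
    went through Update Manager, so SC Manager still holds the old hashes."""
    sc = SCManager()
    flash: dict[str, bytes] = {}
    new_pkg = {"lv0": b"constructed lv0, new", "lv1.self": b"constructed lv1, new"}
    update_manager_install(sc, flash, new_pkg)
    after_update = integrity_check(sc, flash)      # [] -> boot continues
    flash.update({"lv0": b"constructed lv0, old", "lv1.self": b"constructed lv1, old"})
    after_raw_write = integrity_check(sc, flash)   # both names -> halt
    return after_update, after_raw_write
```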
Old 01-25-2013   #2
donglehater
Oh sh!t just realized today is dig up news from 2 years ago day.
Old 01-25-2013   #3
GregoryRasputin
Originally Posted by donglehater:
Oh sh!t just realized today is dig up news from 2 years ago day.
This is the "Technical Development and Coding Area", he isn't digging up old news, he is adding information to this section.......
Old 01-25-2013   #4
donglehater
I'm just being a tard. Please excuse me while I wipe the slobber off my chin.

"There is nothing to see here...................move along."
Old 01-25-2013   #5
zecoxao
@donglehater this may be old information, but it is information nevertheless. You may not believe it, but there are a lot of things graf said in dukio's blog that are not documented in the wiki. I'm trying to find the most I can about his publications, and since no one has actually accessed syscon directly (not that I know of) or downgraded through syscon without QA flag / factory service / CFW, I intend to leave some of the things here I think are worthy of seeing.

Edit: so, I'm going to put the important parts (or the parts which I think are important) in bold, to make this more easily readable.

Also, in case people haven't noticed, Juan added something to his first post about "how to dump the bootldr" in this very section.

I suggest you guys take a look at it, if you're interested.
__________________
"Whoever has ears, let them hear."

Last edited by zecoxao; 01-25-2013 at 03:17 PM.
Old 01-25-2013   #6
donglehater
Its all good. I was just being an ass.
Old 02-05-2013   #7
defyboy
This is why we can downgrade via flashers: we patch those hash checks out of lv1.self so the console doesn't panic on boot.
__________________
I am not a developer. That doesn't mean I don't know what i'm talking about.
Old 02-08-2013   #8
tiefputin2
core-os hashes :-)
Yeah, seems they are sent to EEPROM in the update manager automatically...