Following last week’s PS3 LV2 Kernel Peek / Poke Patched news, today flukes1 has released his LV1 and LV2 Peek and Poke Tools for PlayStation 3 developers.
To quote: As you may know if you’ve been following my progress, last week I took a brief break from Wi-Fi Sync to look at the PS3 and how it works behind the scenes. The PS3 homebrew scene is currently at a point where you can install userland packages, such as FTPDs and SNES emulators, but you still don’t have any access to the hypervisor or GameOS kernel. It’s still very much a closed system.
As an iPhone developer with an app on Cydia, I can see great potential in the PS3. It’s crying out for a decent package manager, but you need OS-level access to do that properly. Unlocking the PS3 in this way has other benefits as well; the system can effectively be modified in any way you wish.
So today I’m releasing 3 tools which open the PS3’s hypervisor (lv1) and GameOS (lv2) to full read/write access from packaged userland applications. These tools can be used to create and test lv1/lv2 patches in RAM, which negates the risk of bricking your PS3 by flashing it with an incorrectly patched lv1 or lv2 binary. You can also use the tools to produce a patched lv1 or lv2 binary, if you wish, although I recommend thoroughly testing your patches in memory first.
I will make a few points clear before continuing: I do not condone piracy and these tools DO NOT allow copied games to run on the PS3. Again: these tools will not allow backup managers to suddenly start working on firmware 3.55. The tools are packaged in source code form and do not contain any Sony code or other Sony property such as encryption keys. If you’re not a developer, these tools will be useless to you, so please do not try to use them. They are made available with no implied warranty of fitness for a particular purpose.
3 tools are being made available today:
* resign_self.py. This allows you to immediately replace any section within a self and re-sign the self so the signature and hashes are all valid again. Similar to makeself, but it is more suited towards patching lv1 and lv2 (and has been tested for this purpose).
* insert_lv1_lv2.py. This is just a utility script I made to take a modified, re-signed lv1.self and lv2_kernel.self, and immediately produce a PUP which is identical to an original PUP except for these two files.
* lv1dumper. This is an application which runs on the PS3 that you can compile and package using PSL1GHT and geohot’s tools. After running it, lv1 will be mapped at 0x8000000014000000 with read/write access, and you will be able to poke lv2 without the system shutting down. It disables the new lv2 memory hashing feature Sony added to 3.55 (probably to stop future USB jailbreaks).
lv1dumper requires that some patches to lv1 and lv2 are already in place. I’ll explain how to add these patches. They have been tested but I cannot guarantee that they won’t brick your PS3. Do not do this unless you’re comfortable with that.
First of all, you need to extract the decrypted code segments from lv1.self and lv2_kernel.self (just use unself and copy them right out of the ELF), and make the following changes to them, assuming you’re using 3.55:
Update: the code section is not the whole ELF file, it’s inside the ELF file. Use readelf to find out where it is. You need to copy it out of the ELF into a separate file.
* lv1_undocumented_function_114 in lv1 must be patched so that it can be used to map any area of real memory. graf_chokolo discovered this trick months ago, but it still applies here. Patch the byte at D5A47 from 00 to 01 (2D5A47 if you’re looking for it in IDA) in segment #1.
* You then need to add peek and poke to lv2. Patch 1933C to E8 63 00 00 60 00 00 00 and 19348 to F8 83 00 00 60 00 00 00 in segment #.
You can then use resign_self.py to re-insert your patched code segment back into the self. You’ll first need to change a few bytes in some useless strings because of the way zlib deflate works; the script will tell you what to do. I found that changing strings was the best way to do this, it just takes a bit of trial and error.
Finally, use insert_lv1_lv2.py to produce your modified PUP. You’ll need to update to the PUP, then install geohot’s jailbreak PUP over the top of it. If you’ve done everything right, lv1dumper should just exit after you run it and you’ll have r/w access to lv1 and lv2 (peek and poke). The lv1_peek, lv1_poke, lv2_peek and lv2_poke functions in lv1dumper show how to use that access.
I’m hoping that some interesting and innovative things can come out of this, and maybe we can start to see ‘unofficial’ apps enjoying the same success on the PS3 that they do on the iPhone.
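What the two 8-byte lv2 patches quoted above encode, as an added example that is not part of flukes1's post or tools: a minimal decoder for the three PowerPC instruction forms involved. Assumption: under the 64-bit PowerPC calling convention r3 carries the first argument and the return value and r4 the second argument, so the first sequence returns the doubleword at a caller-supplied address and the second stores a caller-supplied value there, with no check on the address in either case.

```python
import struct

# Patch bytes exactly as quoted in the post for lv2 (offsets 1933C and 19348).
PEEK_PATCH = bytes.fromhex("E8 63 00 00 60 00 00 00")
POKE_PATCH = bytes.fromhex("F8 83 00 00 60 00 00 00")

# DS-form loads/stores: (primary opcode, 2-bit extended opcode) -> mnemonic
DS_FORM = {(58, 0): "ld", (58, 1): "ldu", (58, 2): "lwa",
           (62, 0): "std", (62, 1): "stdu"}


def sign_extend(value, bits):
    """Interpret `value` as a two's-complement number of width `bits`."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign


def decode_word(word):
    """Decode one big-endian 32-bit PowerPC instruction word.

    Only the forms that occur in the quoted patches are handled (ori and
    the DS-form 64-bit load/store); anything else is shown as raw data.
    """
    opcode = word >> 26            # primary opcode, top 6 bits
    rt = (word >> 21) & 0x1F       # RT/RS field
    ra = (word >> 16) & 0x1F       # RA field
    low16 = word & 0xFFFF
    if opcode == 24:               # ori RA, RS, UI
        if word == 0x60000000:     # ori r0, r0, 0 is the canonical nop
            return "nop"
        return f"ori r{ra}, r{rt}, 0x{low16:x}"
    name = DS_FORM.get((opcode, low16 & 0x3))
    if name:
        # The displacement is the low 16 bits with the two XO bits cleared.
        disp = sign_extend(low16 & 0xFFFC, 16)
        return f"{name} r{rt}, {disp}(r{ra})"
    return f".long 0x{word:08x}"


def disassemble(blob):
    """Return the decoded instructions for a blob of whole 32-bit words."""
    if len(blob) % 4:
        raise ValueError("PowerPC instructions are 4 bytes each")
    return [decode_word(w) for (w,) in struct.iter_unpack(">I", blob)]


if __name__ == "__main__":
    for label, patch in (("peek", PEEK_PATCH), ("poke", POKE_PATCH)):
        print(label, "->", "; ".join(disassemble(patch)))
```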