This post was last edited by skygunner on 2010-11-18 11:30
http://psx-scene.com/forums/f6/w ... -service-jig-70826/
Miniv1, a user on the PS3Hax Network, posted some very interesting news today: after some research he seems to have figured out how to build a downgrade dongle himself.
Note that this is still under development and only works in theory. But it's a good start.
His method needs three things:
the Master Key dongle;
the LV2diag.self file;
the handshake verification (which in the end lets us dump lpar1).
Put these three together and that's about it.
News source: http://www.ps3hax.net/showthread.php?p=138759
Been doing a lot of searching the 'net and found lots of useful info and think I’ve discovered the way to recreate the PS3 Service Jig!
Originally Posted by Mathieulh @psx-scene
That’s not about it, it’s about the fact that even if you manage to reproduce the dongle by dumping the decrypted “dongle master key” and reversing the challenge/response algorithm, you’d still need to use a signed/copyrighted self renamed as lv2diag.self from /dev_usb000/ The product mode flag being of no use on its own. The fact that some people know how this process works and the whole theory behind it doesn’t mean they care or have any interest whatsoever in this procedure especially as there is certainly no great mystery about it (at least not as far as we are concerned). Also the other problem that occurs when it comes to using signed selfs (besides the obvious copyright issue) is the self revocation.
Which says we need THREE things:
1 of 3 --> The dongle master key
Originally Posted by Hypervisor Reverse Engineering - PS3Wiki
0x24000 – USB Dongle Authenticator
Packet ID   Description
0x24001     Generate Challenge
0x24002     Verify Response
0x24001 – Generate Challenge
* I have got access to this service through DM and tested it
* The service expects no input parameters except those in the SS packet header
* It uses the 0x5003 service (Generate Random Number) to generate the random numbers that are used in the challenge body
* The length of a challenge body is always 23 bytes; the first 3 bytes are always the same: 0x2E 0x02 0x01
Here are hexdumps of some challenge bodies I let the 0x24001 service generate:
Code:
2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D
2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA
2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13
0x24002 – Verify Response
* I have got access to this service and tested it with PSGroove
* The response body is 25 bytes large
* The first 3 bytes have to be 0x2E 0x02 0x02 or else the check fails
* The 16 bits at offset 3 are a dongle ID
* The dongle ID is checked to see whether it's revoked or not
* When the verification succeeds, product mode is set to 1
* The service calculates the USB Dongle Key from the USB Dongle ID and the USB Dongle Master Key by using HMAC SHA-1
* The service uses HMAC SHA-1 to calculate the correct response body from the challenge body and the USB Dongle Key
* After that the service compares the calculated response body with the given one that was sent to the service
* It seems that laid and paid from the SS packet header are used in the decryption process
USB Dongle Master Key
* The USB Dongle Master Key is stored encrypted in Process 6
* The encrypted key is 64 bytes large
* The decrypted key is 20 bytes large
* The USB Dongle Master Key is decrypted the first time the service 0x24002 is used
* The USB Dongle Master Key is decrypted by using the service 0x200E (Decrypt Master) of the Virtual TRM Manager
* The decrypted USB Dongle Master Key is stored in Process 6 in clear text (after the first usage of this service)
* When decryption of the USB Dongle Master Key fails, a dummy key is used
* Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping
Here is the encrypted USB Dongle Master Key from HV 3.15:
Code:
22 D5 D1 8C FF E2 4F AC EC 72 A2 42 A7 18 98 10
25 33 E0 96 F2 C1 91 0D 15 23 D3 07 74 E7 2B 72
DF A6 DD E9 68 8B 76 2A 6A 87 51 7F 85 39 0B D4
20 3F 46 89 04 82 B7 30 84 89 4B CC 9D B1 24 7C
Here is the USB Dongle Master Dummy Key from HV 3.15:
Code:
D1 FC 57 55 BF 20 FA B2 D4 A5 4A 0A 0C 5D 52 8E DF 66 CD 74
USB Dongle ID Revoke List
The banned factory-mode dongle IDs: 6 of them, which means that by 3.15 SONY had already lost 6.
Now more of the lost ones are in psjb's hands; by the next 3.6, how many will there be? :)
* Process 6 contains a revoke list for USB Dongle IDs
* The revoke list is 0x2000 bytes large. It's a bitmap.
* Each bit represents a USB Dongle ID. If a bit is 0 then that USB Dongle ID is revoked.
The following USB Dongle IDs are revoked in HV 3.15:
Code:
0, 2, 13, 32, 34, 176, 241
2 of 3 --> Lv2diag.self
Originally Posted by PS Downgrade Real – Confirmed Working 100% (via) PS3-Hacks.com
Leaked PSDowngrader package: DGF.RAR - 167mb
3 of 3 --> And finally the challenge/response
Originally Posted by Twitter 15th Nov
@ldgchad it’s a reverse of the dongle authentication challenge/response from the ps3 side. If you can dump lpar1 it can be done.
Then I stumbled upon
Hi guys, I used an Atmega8 running at 16MHz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.
I was quite surprised; it actually worked fairly straight away! I only had one pulse going every time I pressed the button at first, but not a lot was happening.
So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.
After about 30-40 seconds… I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10mb bin.
Just having a look through the dump, lots of strings in there.. I haven't dropped it into IDA yet though…
This is the source and hex (for those who don't want to compile it) for the Atmega8 which I glitched my PS3 with. The chip I used was the Atmega8-16PU. You will also need a 16MHz crystal and 2 x 22pF capacitors.
Grounding pin 14 on the chip will produce a pulse on pin 2 of the chip (in fact it does all of PORTD). This should then go to the memory bus point on the PS3. See circuit diagram (below).
I used PonyProg to program my chip, with CKOPT ticked in the fuse settings; everything else was unticked.
Mick
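To make the 0x24001/0x24002 flow quoted above concrete, here is an added example (mine, not code from PS3Wiki, the poster, or any PS3 project) that models both sides of the exchange as the post describes it: a per-dongle key derived from the master key with HMAC-SHA-1, the 25-byte response, and the 0x2000-byte revocation bitmap where a 0 bit means revoked. The master key value, the dongle-ID byte order, the bitmap bit order and the exact HMAC inputs are assumptions; what the model shows is that revocation and master-key secrecy are the whole of the scheme's security, so a leaked or predictable master key or a bypassed revocation check defeats it entirely.

```python
import hashlib
import hmac
import os

# Constructed 20-byte placeholder: the real master key is encrypted in Process 6 and not on the page.
MASTER_KEY = bytes(range(0x10, 0x24))

CHALLENGE_HDR = bytes([0x2E, 0x02, 0x01])   # fixed first 3 bytes of a challenge body
RESPONSE_HDR = bytes([0x2E, 0x02, 0x02])    # fixed first 3 bytes of a response body
REVOKE_LIST_SIZE = 0x2000                   # bytes; one bit per 16-bit dongle ID


def make_revoke_list(revoked_ids):
    """Build the 0x2000-byte bitmap; a 0 bit marks the ID as revoked. Bit order is an assumption."""
    bitmap = bytearray(b"\xff" * REVOKE_LIST_SIZE)
    for dongle_id in revoked_ids:
        bitmap[dongle_id >> 3] &= ~(1 << (dongle_id & 7)) & 0xFF
    return bytes(bitmap)


def is_revoked(revoke_list, dongle_id):
    return not (revoke_list[dongle_id >> 3] >> (dongle_id & 7)) & 1


def dongle_key(master_key, dongle_id):
    """Per-dongle key = HMAC-SHA-1(master key, dongle ID); little-endian ID encoding is an assumption."""
    return hmac.new(master_key, dongle_id.to_bytes(2, "little"), hashlib.sha1).digest()


def generate_challenge():
    """Service 0x24001: 3 header bytes + 20 random bytes = 23-byte challenge body."""
    return CHALLENGE_HDR + os.urandom(20)


def dongle_respond(master_key, dongle_id, challenge):
    """What a genuine jig sends back: header + ID + HMAC-SHA-1(dongle key, challenge) = 25 bytes."""
    mac = hmac.new(dongle_key(master_key, dongle_id), challenge, hashlib.sha1).digest()
    return RESPONSE_HDR + dongle_id.to_bytes(2, "little") + mac


def verify_response(master_key, revoke_list, challenge, response):
    """Service 0x24002: True only when header, revocation status and MAC all check out."""
    if len(response) != 25 or response[:3] != RESPONSE_HDR:
        return False
    dongle_id = int.from_bytes(response[3:5], "little")
    if is_revoked(revoke_list, dongle_id):
        return False
    expected = hmac.new(dongle_key(master_key, dongle_id), challenge, hashlib.sha1).digest()
    # Constant-time compare so the number of matching MAC bytes does not leak through timing.
    return hmac.compare_digest(expected, response[5:])
```

Note that a response is bound to one fresh challenge, so a captured response cannot be replayed against a later challenge, and an ID present in the revoke list fails before any MAC is computed.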