PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 25, 2017 at 2:46 AM
Status
Not open for further replies.
Following his PS3 STARBUCKS 4.81 CFW v1.02 update, today PlayStation 3 developer @smhabib released a PS3 IDPS Bruteforcer homebrew application, although he notes it takes considerable time even on a fast server to crack the IDPS based on archive2.dat and therefore not really worth the effort for most end-users.

Download: idps_brute.7z (973.96 KB) / idps_brute.7z (Updated / Optimized) (973.95 KB) / save_idps_bruteforce.7z (Attempt 3) (180.35 KB) / save_idps_bruteforce.7z (Attempt 4) (180.24 KB) / IDPSet (Latest Version) by Zarh / IDPSet_v0.91.pkg (Unofficial - Support FW 4.85C and 4.85D for my study only. Please test.) via theheroGAC

Previously ps3dev was working on a similar tool that attempted to bruteforce the PS3 IDPS from save data; however, according to PSDevWiki, Sony now uses Open PSID instead of IDPS and it's still up for debate whether the IDPS can be obtained that way.

To quote from Habib on the PlayStation 3 IDPS Bruteforcer revisions:

Optimized for i9 7900X since that's what I use.
It will take approx. 250 days to find the IDPS based on archive2.dat.
It bruteforces the last bytes after the chassis check.
Threadripper should do it in 150 days if you add more threads, so if you have like a big server you can crack the IDPS in a few days.
I tried CUDA AES but I couldn't get it to work; it would not encrypt properly, idk why.

Notes:

Needs 16 threads to operate, so get a modern CPU like Ryzen 1700 or something. If you truly wanna crack it then get a couple of Threadripper CPUs. This program takes advantage of AES-NI. I'm pretty sure you can further optimize by at least 30%.

Compile:
Code:
cc -msse2 -msse -maes tools.c main.c aes.c sha1.c paged_file.c vtrm.c keys.c -lpthread
Also, can anyone port this for CUDA please?

Update:

190 days on i9 7900X now :D
This CPU is already known to get hot, so OC + this software really takes of the temperature; keep that in check. My CPU reached 97 C but it's kinda the norm for i9 lol.
20 threads now.

This can be optimized further too, pretty sure. The ideal way would be to also use GPU with CPU, and that would be amazing.

Some more updates from Habib, to quote on Attempt 3:

I have been able to reach the 10 day mark on 2 1080 Ti.
In reality it should take around 5 days or so, because 10 is for all the possible combinations (that is, if you get your chassis correct).

A system with 2 1080 Ti and a Ryzen Threadripper can successfully test 3 chassis number checks in 15 days. A common chassis is 1400, which my PS3 has too, so if you get that or check devwiki for common chassis for your console you can now crack the IDPS very fast.

Src is VERY messy but that's how it is rn.

How to use:

There are instructions to compile inside.
To use the program, put param.sfo and param.pfd in the folder.
In sha1.cu, lines 1181 and 1179, you can choose the first bytes of the IDPS.
At lines 1242 and 1243 you have to paste the bytes of param.pfd at offset 0x2e4.
At line 1285, max combos should be defined as the max combinations of the IDPS. It depends on the chassis. For example, if you choose to bruteforce the chassis completely it should be 8 0xff bytes. If you choose not to bruteforce the 2 chassis bytes then 6 0xff.
Also, please disable the printf at line 1296, because it will keep on going even when the IDPS is found, resulting in the IDPS printf being gone.
It's only good to benchmark.
It's 5 am lol. Gotta get some sleep now XD

I'm still trying to improve the speed even more. 10 vs 4 days is a lot of difference lol.

Attempt 4:
  • removed printf
  • fixed idps display
  • idps max combo is 6 bytes (after chassis check)
 

Comments

Good effort, maybe some day we could connect our PS3s and PS4s to the internet and get the IDPS in a couple of hours.

8-9 months or even more is too much for me now...
 