
PS3 HAN PS3Xploit v3 HAN/HFW SPRX Module and Library Replacer

Discussion in 'Ps3Xploit Tools & Utilities' started by esc0rtd3w, Mar 30, 2018.

  1. pinky (Retired Developer)
    yeah, I'd suggest PUAD. just select dev_flash. the other options will decrypt various files of the flash. you don't need that for sprx files and han. :)
     
    esc0rtd3w and k9mo like this.
  2. k9mo (Member)
    Thanks bro
    Thanks :)
     
    Last edited: Mar 31, 2018
    esc0rtd3w likes this.
  3. junaid (Member)
    but how do I know which sprx to replace?
     
  4. pinky (Retired Developer)
    xmb_plugin.sprx iirc. I think it shows your ip address or something on the bottom right area of the xmb.
     
    k9mo and junaid like this.
  5. junaid (Member)
    is there a documentation on all of them?
     
    k9mo likes this.
  6. esc0rtd3w (Developer)
    that's where the fun begins :D
     
    k9mo, pinky and DeViL303 like this.
  7. junaid (Member)
    Should I start, cuz I have transferred them into the extra directories? Anything particular to look out for? Are there any triggers or something? Also, should I copy the rco, cuz in some cases they are different from the ofw ones?
     
    k9mo likes this.
  8. esc0rtd3w (Developer)
    although the DEX SPRX will load, additional VSH memory patches are probably required (similar to HAN Enabler) to make use of certain functions
     
    k9mo, pinky and junaid like this.
  9. k9mo (Member)
    Are those patches possible through the current userland exploit (the same exploit used for HAN)?
     
  10. esc0rtd3w (Developer)
    of course ;)

    we can patch any part of the VSH memory
     
    junaid, k9mo and pinky like this.
  11. pinky (Retired Developer)
    off topic, but @esc0rtd3w , I just realized that you had four links in your sig. I think the limit used to be 3. I just added my ps vita tutorials to mine after seeing that. I just wish we could have around six or seven for my other tutorials. ;) :-p
     
    esc0rtd3w likes this.
  12. esc0rtd3w (Developer)
    i started testing and adding SPRX files from DEX that work on 4.82 CEX.

    i added them to OP, and will update as i go

    ..and yes xmb_plugin.sprx does work and shows the ip address on XMB! ;)
     
    junaid, pinky and DeViL303 like this.
  13. junaid (Member)
    So you are testing on 4.82. Well, I'll try them all on 4.81 and report my findings. I got the dex from psdevwiki so I assume it must be the real deal.
     
    esc0rtd3w likes this.
  14. junaid (Member)
    Also have a few more questions.

    1. How will I know if it worked? Should I assume it worked if the console reboots?

    2. Can I edit the html to add more than one sprx at a time?

    3. Some RCO and xml are of different sizes so should I add them?
     
  15. Squaardo (Forum Noob)
    [QUOTE="esc0rtd3w, post: 114038, member: 28568"] NO!! Now leave. [/QUOTE]
    Is this a public website ...
     
  16. junaid (Member)
    found something which might explain things a bit

    NPDRM Self algorithm

    THIS DOES NOT ALLOW OBTAINING 3.60+ keys

    On NPDRM self decryption all the security levels of the PS3 are involved: user space (vsh), kernel space (lv2), hypervisor (lv1) and isolated SPU (metldr + appldr)

    The process starts on vsh.elf...

    VSH:

    Once the vsh detects that the user is trying to start a self, it looks for the appinfo header type. If the type is 8, then the control digest element of type 3 (NPD element) is located. From this NPD header the vsh gets the license type (free, local or network license).

    If free content (type 3) is detected then a generic klicensee will be used for further steps (go to LV2). That klicensee is already public (see geohot npdrm_omac_key_1).

    However, if paid content is to be loaded, the vsh loads the act.dat and the rif associated to the content (if local it will locate a file with the same titleid as on the NPD element; if remote it will download it to vsh process memory).

    Then the signature is checked (last 0x28 bytes of both RIF and act.dat). The curves used are in vsh.self. It is a 3-element table, having the first curve nulled. The curve index for rif/act is 2. The curve values are negated as in the apploader and have the following structure:

    struct curve {
    uint8_t p[0x14];
    uint8_t a[0x14];
    uint8_t b[0x14];
    uint8_t N[0x14];
    uint8_t Gx[0x14];
    uint8_t Gy[0x14];
    };

    If the curve checks then vsh will process the rif:

    struct rif {
    uint8_t unk1[0x10]; //version, license type and user number
    uint8_t titleid[0x30]; //Content ID
    uint8_t padding[0xC]; //Padding for randomness
    uint32_t actDatIndex; //Key index on act.dat between 0x00 and 0x7F
    uint8_t key[0x10]; //encrypted klicensee
    uint64_t unk2; //timestamp??
    uint64_t unk3; //Always 0
    uint8_t rs[0x28]; //signature
    };

    struct ACTDAT {
    uint8_t unk1[0x10]; //Version, User number
    uint8_t keyTable[0x800]; //Key Table
    ......
    uint8_t signature[0x28];
    };

    Using the RIF_KEY it will obtain the actDatIndex:

    AES_KEY rifKey;
    int result = AES_set_decrypt_key(RIF_KEY, 0x80, &rifKey);
    AES_decrypt(rif->padding, rif->padding, &rifKey); //one 16-byte block in place: padding + actDatIndex

    And finally, having the actDat key index, the execution passes to LV2 syscall 471

    LV2

    Lv2 is accessed using syscall 471, which has the following syntax:

    int syscall_471(uint32_t type, char* titleID, void* klicensee, uint8_t* actdat, uint8_t* rif, int32_t licenseType, uint8_t* magicVersion);

    The function has different parameters depending on whether the content is debug, free or paid:

    FREE: syscall471(npd.type, &npd.titleID, freeklicensee, NULL, NULL, npd.license, &npd);
    PAID: syscall471(npd.type, &npd.titleID, NULL, &actdat.keyTable[rif.actDatIndex*0x10], &rif.key, npd.license, &npd);

    The lv2 keeps a memory table with contentID and the associated key.
    When it receives free content (r5 is not null) it copies the titleID and the klicensee to the table. For paid content the rif.key is converted to the klicensee using:

    AES_KEY IDPSKey, ConstKey, ActDatKey;
    uint8_t encrConst[0x10];
    uint8_t decryptedActDat[0x10];
    uint8_t klicensee[0x10];
    int result = AES_set_encrypt_key(&IDPSVariation, 0x80, &IDPSKey); //IDPS-derived AES key
    AES_encrypt(&CONSTACTDAT, encrConst, &IDPSKey); //encrypt the lv2 constant under it
    result = AES_set_decrypt_key(encrConst, 0x80, &ConstKey);
    AES_decrypt(actDat, decryptedActDat, &ConstKey); //unwrap the selected act.dat key slot
    result = AES_set_decrypt_key(decryptedActDat, 0x80, &ActDatKey);
    AES_decrypt(rif, klicensee, &ActDatKey); //unwrap rif.key with the act.dat slot key


    where CONSTACTDAT is a constant value in lv2, IDPSVariation appears to be the IDPS (not checked, but DRM_Manager_initialize (see graf_chokolo's "bible") points to something with the same structure), actDat is the 0x10 bytes selected by rif.actDatIndex, and rif is rif.key (bytes 0x50-0x5f).

    Once transformed it is stored in the memory table...

    I haven't checked further steps on vsh nor lv2, so perhaps there are further transformations in the paid case (NOT FOR THE FREE CASE, AS I HAVE DECRYPTED THOSE), so we are jumping directly to the appldr

    AppLdr

    As you can see from graf_chokolo's payloads, a parameter is passed in spu_args.field60. That parameter is the previously stored klicensee.

    However this key must be transformed (again) even for the free case. The transformation is:

    uint8_t decryptedKLicensee[0x10];
    AES_KEY KLicenseeKey;
    int result = AES_set_decrypt_key(&KLicenseeDecryptKey, 0x80, &KLicenseeKey);
    AES_decrypt(klicensee, decryptedKLicensee, &KLicenseeKey);

    KLicenseeDecryptKey is another key located inside the apploader and klicensee is the parameter.

    Then we can finally remove the NPDRM layer using:


    AES_KEY key;
    uint8_t iv[0x10];
    memset(iv, 0, 0x10); //zero IV
    int result = AES_set_decrypt_key(decryptedKLicensee, 0x80, &key); //the transformed klicensee from the step above
    AES_cbc_encrypt(self + self->metaoffset + 0x20, self + self->metaoffset + 0x20, 0x40, &key, iv, 0); //in-place CBC decrypt of the 0x40-byte metadata info

    Once that layer is removed we proceed as normal:
    -Decrypt using AESCBC256 with the NPDRM keys to obtain the metadata keys
    -Decrypt using AESCTR128 the data sha, hmac, iv keys
    -Decrypt the data.

    SOURCE
     
    esc0rtd3w likes this.
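An added example (not from the thread or the wiki text it quotes) that parses the rif and act.dat layouts quoted above, range-checks actDatIndex, and assembles the FREE versus PAID argument set for syscall 471. It assumes the padding/actDatIndex block has already been decrypted with RIF_KEY (no AES is done here) and uses constructed sample files.

```python
import struct

# Field sizes from the rif / ACTDAT structs quoted above (PS3 is big-endian).
RIF_LAYOUT = ">16s48s12sI16sQQ40s"   # unk1,titleid,padding,actDatIndex,key,unk2,unk3,rs
RIF_SIZE = struct.calcsize(RIF_LAYOUT)  # 0x98
ACTDAT_KEYTABLE_OFF, ACTDAT_SLOTS, SIG_LEN, FREE_LICENSE = 0x10, 0x80, 0x28, 3

def parse_rif(rif: bytes) -> dict:
    """Split a RIF into its fields and range-check actDatIndex. Assumes the block at
    0x40 (padding + actDatIndex) was already decrypted with RIF_KEY; nothing here decrypts."""
    if len(rif) != RIF_SIZE:
        raise ValueError(f"rif must be {RIF_SIZE:#x} bytes, got {len(rif):#x}")
    unk1, title_id, _pad, act_idx, key, ts, zero, sig = struct.unpack(RIF_LAYOUT, rif)
    if act_idx >= ACTDAT_SLOTS:
        raise ValueError(f"actDatIndex {act_idx:#x} outside 0x00..0x7F")
    if zero != 0:
        raise ValueError("unk3 is documented as always 0")
    return {"content_id": title_id.rstrip(b"\0").decode(), "act_dat_index": act_idx,
            "enc_klicensee": key, "timestamp": ts, "signature": sig, "header": unk1}

def actdat_slot(actdat: bytes, index: int) -> bytes:
    """Return the 0x10-byte key-table entry of act.dat that rif.actDatIndex selects."""
    if len(actdat) < ACTDAT_KEYTABLE_OFF + ACTDAT_SLOTS * 0x10 + SIG_LEN:
        raise ValueError("act.dat shorter than header + key table + signature")
    if not 0 <= index < ACTDAT_SLOTS:
        raise ValueError("index out of range")
    off = ACTDAT_KEYTABLE_OFF + index * 0x10
    return actdat[off:off + 0x10]

def syscall471_args(npd_type, npd_license, content_id, rif=None, actdat=None,
                    free_klicensee=None):
    """Build the FREE or PAID argument set for LV2 syscall 471 (trailing &npd omitted):
    free passes the generic klicensee, paid passes the act.dat slot plus encrypted rif.key."""
    if npd_license == FREE_LICENSE:
        return (npd_type, content_id, free_klicensee, None, None, npd_license)
    r = parse_rif(rif)
    if r["content_id"] != content_id:   # the rif is looked up by the NPD title id
        raise ValueError("rif content id does not match the NPD element")
    slot = actdat_slot(actdat, r["act_dat_index"])
    return (npd_type, content_id, None, slot, r["enc_klicensee"], npd_license)

# Constructed sample files (not real console data): actDatIndex is 5, so the
# PAID branch must return key-table slot 5, which is filled with 0x05 bytes.
SAMPLE_ID = "EP0000-DEMO00001_00-EXAMPLE000000000"
SAMPLE_RIF = (bytes(0x10) + SAMPLE_ID.encode().ljust(0x30, b"\0") + bytes(0xC)
              + struct.pack(">I", 5) + bytes(range(0x10))
              + struct.pack(">QQ", 0x5AC1, 0) + bytes(SIG_LEN))
SAMPLE_ACTDAT = (bytes(0x10) + b"".join(bytes([i]) * 0x10 for i in range(ACTDAT_SLOTS))
                 + bytes(SIG_LEN))
```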
  17. DeViL303 (Developer, PSX-Place Supporter)
    That is not related to sprx really. Also, you won't find something like that, 7-year-old info that team ps3xploit does not already know about. Especially not stuff like that based on graf's Bible.

    https://www.theregister.co.uk/2011/02/28/jailbreaker_defies_sony/
     
    Last edited: Apr 1, 2018
    esc0rtd3w likes this.
  18. Ps3_dev (Member)
    Success with xmb_plugin. What is the use of wedftp_severe?
     
  19. junaid (Member)
    @esc0rtd3w I edited the html to select multiple sprx, but will it work? Or does it just copy the first one?
     
  20. aldostools (Developer)
    @esc0rtd3w is it possible to replace vsh.self with this tool? Or is there a "self replacer" incoming?
     
    esc0rtd3w and k9mo like this.
