Post: PSGroove Payload Updated with PS3 LV2 Peek and Poke SysCalls
09-07-2010, 04:42 PM #1
feiticeira
S.P.E.C.I.A.L
Yesterday it was reported that a PSGroove update was incoming, and today it has arrived for PlayStation 3 users.

The PSGroove payload has now been updated with patches that add lv2 peek and poke syscalls.

This is great news indeed, as it will allow proper memory dumps, which in turn will enable much wider inspection of the inner workings of the PS3.

Download: [link]

To quote from the notes: "A programmed dongle won't enumerate properly on a PC, so don't worry about that.

This branch has a modified payload that adds peek and poke syscalls to the lv2 kernel. A userspace application can use these syscalls to dump out the entire memory space of the kernel, or patch the kernel as it is running.

Unfortunately, because the free toolchain/sdk is not ready, we can't distribute an application to do the dumping, so you will have to make your own.

The lv2 kernel starts at 0x8000000000000000

Peek
- Syscall 6.
- r3 is a 64 bit address to read
- A 64 bit value will be returned in r3

Poke
- Syscall 7.
- r4 is a 64 bit value
- r3 is the address to write that value to."

PSJailbreak Exploit Payload Reverse Engineering (ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Payload_Reverse_Engineering)

Analysis of the payload

Part one

When the first shellcode is done it jumps to offset 0x20 in the payload where part one of the payload gets executed.

    ROM:00000020             part_one:                               # fixup r3 to hold current address
    ROM:00000020 38 63 F0 00                 addi    %r3, %r3, -0x1000
    ROM:00000024 38 A0 10 00                 li      %r5, 0x1000             # r5 = 0x1000
    ROM:00000028 38 80 00 01                 li      %r4, 1
    ROM:0000002C 78 84 F8 06                 rldicr  %r4, %r4, 63,0          # r4 = 0x8000 0000 0000 0000
    ROM:00000030 64 84 00 70                 oris    %r4, %r4, 0x70          # r4 = 0x8000 0000 0070 0000
    ROM:00000034
    ROM:00000034             copy_loop:                              # CODE XREF: ROM:00000044↑j
    ROM:00000034 38 A5 FF F8                 addi    %r5, %r5, -8            # r5 -= 0x8
    ROM:00000038 7C C3 28 2A                 ldx     %r6, %r3, %r5           # r6 = *(r3 + r5)
    ROM:0000003C 7C C4 29 2A                 stdx    %r6, %r4, %r5           # *(r4 + r5) = r6
    ROM:00000040 28 25 00 00                 cmpldi  %r5, 0                  # if r5 == 0
    ROM:00000044 40 82 FF F0                 bne     copy_loop               # if not, then jump to copy_loop
    ROM:00000048 38 84 00 80                 addi    %r4, %r4, 0x80          # r4 += 0x80
    ROM:0000004C 7C 89 03 A6                 mtctr   %r4                     # jump to r4
    ROM:00000050 4E 80 04 20                 bctr


This loop will copy the remaining part of the payload to 0x8000000000700000 and so it will find itself in a known location. Then it will jump to the beginning of it.

Part two

This is where things are a little bit unclear, because I have no memory dump. First it will load r3 with 0x8000000000050B3C, r4 with 0x80000000007001AC and r5 with 0x4FA and do a bl to 0x7C01C. Then it will load r3 with 0x8000000000050B5C and do a bl to 0xD22D8.

    ROM:80000000007000A0                 li      %r31, 1
    ROM:80000000007000A4                 rldicr  %r31, %r31, 63,0
    ROM:80000000007000A8                 mr      %r3, %r31
    ROM:80000000007000AC                 oris    %r3, %r3, 5
    ROM:80000000007000B0                 ori     %r3, %r3, 0xB3C
    ROM:80000000007000B4                 mr      %r4, %r31
    ROM:80000000007000B8                 oris    %r4, %r4, 0x70
    ROM:80000000007000BC                 ori     %r4, %r4, 0x1AC
    ROM:80000000007000C0                 li      %r5, 0x4FA
    ROM:80000000007000C4                 bl      0x7C01C
    ROM:80000000007000C8                 mr      %r3, %r31
    ROM:80000000007000CC                 oris    %r3, %r3, 5
    ROM:80000000007000D0                 ori     %r3, %r3, 0xB3C
    ROM:80000000007000D4                 addi    %r3, %r3, 0x20
    ROM:80000000007000D8                 bl      0xD22D8
    ROM:80000000007000DC                 mr      %r3, %r31
    ROM:80000000007000E0                 oris    %r3, %r3, 5
    ROM:80000000007000E4                 ori     %r3, %r3, 0xB3C
    ROM:80000000007000E8                 mr      %r4, %r31
    ROM:80000000007000EC                 oris    %r4, %r4, 0x2E
    ROM:80000000007000F0                 ori     %r4, %r4, -0x4ED8
    ROM:80000000007000F4                 addi    %r3, %r3, 0x10
    ROM:80000000007000F8                 std     %r3, 0x120(%r4)


Then it will load r5 with the beginning of a patch structure. A patch consists of a 4 byte offset and a 4 byte patch value. The loop will load the offset, add 0x8000000000000000 to it and write the patch value to this address. If the offset is 0 it will jump to 0x7006B0.
    ROM:80000000007000FC                 mr      %r5, %r31
    ROM:8000000000700100                 oris    %r5, %r5, 0x70
    ROM:8000000000700104                 ori     %r5, %r5, 0x150
    ROM:8000000000700108                 lwz     %r3, 0(%r5)
    ROM:800000000070010C                 cmplwi  %r3, 0
    ROM:8000000000700110                 beq     0x700128
    ROM:8000000000700114                 lwz     %r4, 4(%r5)
    ROM:8000000000700118                 add     %r3, %r3, %r31
    ROM:800000000070011C                 stw     %r4, 0(%r3)
    ROM:8000000000700120                 addi    %r5, %r5, 8
    ROM:8000000000700124                 b       0x700108
    ROM:8000000000700128                 b       0x7006B0


Patch table:
    ROM:8000000000700150                 patch <0x490E0, 0xE8820F08>
    ROM:8000000000700158                 patch <0x490E4, 0xE87C0020>
    ROM:8000000000700160                 patch <0x490E8, 0xF8640000>
    ROM:8000000000700168                 patch <0x4F0A8, 0x48001A9D>
    ROM:8000000000700170                 patch <0x2AAFC8, 0x4BDA5B80>
    ROM:8000000000700178                 patch <0x4ED18, 0x38800000>
    ROM:8000000000700180                 patch <0x4ED1C, 0x90830000>
    ROM:8000000000700188                 patch <0x4ED20, 0x4E800020>
    ROM:8000000000700190                 patch <0x3BA890, 0x1000000>
    ROM:8000000000700198                 patch <0x505D0, 0x38600001>
    ROM:80000000007001A0                 patch <0x505D4, 0x4E800020>


Some of the patch values translate to ppc code:
    0x490E0:  ld %r4, 0xF08(%rtoc)
    0x490E4:  ld %r3, 0x20(%r28)
    0x490E8:  std %r3, 0(%r4)
    0x4F0A8:  bl 0x1C08
    0x2AAFC8: b # 4B DA 5B 80
    0x4ED18:  li %r4, 0
    0x4ED1C:  stw %r4, 0(%r3)
    0x4ED20:  blr
    0x505D0:  li %r3, 1
    0x505D4:  blr


There are some more patch tables later in the payload. One of them contains "_tool2.xml#root", which will be written at offset 0x22B888 (probably OR'd with 0x8000000000000000). Another one contains the same string, but the offset is 0xD68B8. It's hard to say what the other code does without a memory dump, so feel free to add more info to this article.

The new version adds two new syscalls, peek (6) and poke (7). It's done with four new entries in the patch table.

For peek syscall:
    0x17CBC: E8 63 00 00 # ld %r3, 0(%r3)
    0x17CC0: 4E 80 00 20 # blr


For poke syscall:
    0x17CC8: F8 83 00 00 # std %r4, 0(%r3)
    0x17CCC: 4E 80 00 20 # blr
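The patch loop and the two new syscalls described above, as an added example that is not part of the original post, the wiki article, or the PSGroove/PSJailbreak code: a small C simulation that applies the listed patch table to a constructed 4 MiB big-endian buffer standing in for lv2 memory, models peek (syscall 6) and poke (syscall 7) over that buffer, and decodes the D-form, DS-form and I-form PowerPC encodings used in the patch values so the translations listed above can be checked. The buffer, its size and the bounds check in `xlate` are assumptions made for the simulation; the real patched syscalls take the address in r3 and perform no validation at all. Branch targets are printed as a displacement relative to the instruction rather than as absolute addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the lv2 kernel mapping (assumption): a flat 4 MiB
   big-endian image that we pretend is mapped at 0x8000000000000000. */
#define LV2_BASE 0x8000000000000000ULL
#define IMG_SIZE (4u << 20)
static uint8_t lv2_img[IMG_SIZE];

/* Map an lv2 address to the image, or NULL when the access would leave it.
   This bounds check is ours; the patched syscalls 6 and 7 do no validation. */
static uint8_t *xlate(uint64_t addr, size_t len) {
    if (addr < LV2_BASE || addr - LV2_BASE > IMG_SIZE - len) return NULL;
    return lv2_img + (addr - LV2_BASE);
}

/* Big-endian accessors, matching what ld/std/lwz/stw do on the PPC core. */
static uint64_t rd64(const uint8_t *p) { uint64_t v = 0; for (int i = 0; i < 8; i++) v = (v << 8) | p[i]; return v; }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; } }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 3; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; } }

/* Syscall 6 (peek): address in r3, 64-bit value back in r3 (ld r3, 0(r3)). */
static int peek(uint64_t addr, uint64_t *out) {
    uint8_t *p = xlate(addr, 8);
    if (!p) return -1;
    *out = rd64(p);
    return 0;
}

/* Syscall 7 (poke): address in r3, value in r4 (std r4, 0(r3)). */
static int poke(uint64_t addr, uint64_t val) {
    uint8_t *p = xlate(addr, 8);
    if (!p) return -1;
    wr64(p, val);
    return 0;
}

/* The patch table from the analysis: (32-bit offset, 32-bit value), 0-terminated. */
struct patch { uint32_t off, val; };
static const struct patch table[] = {
    {0x490E0, 0xE8820F08}, {0x490E4, 0xE87C0020}, {0x490E8, 0xF8640000},
    {0x4F0A8, 0x48001A9D}, {0x2AAFC8, 0x4BDA5B80}, {0x4ED18, 0x38800000},
    {0x4ED1C, 0x90830000}, {0x4ED20, 0x4E800020}, {0x3BA890, 0x01000000},
    {0x505D0, 0x38600001}, {0x505D4, 0x4E800020}, {0, 0},
};

/* The payload's loop: lwz offset, stop on 0, add the lv2 base, stw the value.
   Returns the number of patches applied, or -1 if one falls outside the image. */
static int apply_patches(const struct patch *p) {
    int n = 0;
    for (; p->off != 0; p++, n++) {
        uint8_t *dst = xlate(LV2_BASE + p->off, 4);
        if (!dst) return -1;
        wr32(dst, p->val);
    }
    return n;
}

/* Signed displacement as hex, e.g. "0xF08" or "-0x25A480". */
static void hexs(char *b, size_t n, int32_t d) {
    snprintf(b, n, "%s0x%X", d < 0 ? "-" : "", (unsigned)(d < 0 ? -d : d));
}

/* Decode the handful of PowerPC encodings that appear in the patch values:
   D-form addi/lwz/stw, DS-form ld/std, I-form b/bl (as a relative displacement)
   and blr/bctr. Anything else is shown as a data word. */
static const char *decode(uint32_t w, char *out, size_t n) {
    unsigned op = w >> 26, rd = (w >> 21) & 31, ra = (w >> 16) & 31;
    int32_t d16 = (int16_t)(w & 0xFFFF), ds = (int16_t)(w & 0xFFFC);
    int32_t li = (int32_t)(w & 0x03FFFFFC);
    if (li & 0x02000000) li -= 0x04000000;          /* sign-extend the 26-bit field */
    char disp[16];
    snprintf(out, n, ".long 0x%08X", w);            /* fallback: not decoded */
    switch (op) {
    case 14: if (ra == 0) snprintf(out, n, "li r%u, %d", rd, d16);
             else snprintf(out, n, "addi r%u, r%u, %d", rd, ra, d16);
             break;
    case 32: hexs(disp, sizeof disp, d16); snprintf(out, n, "lwz r%u, %s(r%u)", rd, disp, ra); break;
    case 36: hexs(disp, sizeof disp, d16); snprintf(out, n, "stw r%u, %s(r%u)", rd, disp, ra); break;
    case 58: if ((w & 3) == 0) { hexs(disp, sizeof disp, ds); snprintf(out, n, "ld r%u, %s(r%u)", rd, disp, ra); } break;
    case 62: if ((w & 3) == 0) { hexs(disp, sizeof disp, ds); snprintf(out, n, "std r%u, %s(r%u)", rd, disp, ra); } break;
    case 18: hexs(disp, sizeof disp, li);
             snprintf(out, n, "%s .%s%s", (w & 1) ? "bl" : "b", li < 0 ? "" : "+", disp); break;
    case 19: if (w == 0x4E800020) snprintf(out, n, "blr");
             else if (w == 0x4E800420) snprintf(out, n, "bctr");
             break;
    }
    return out;
}

int main(void) {
    char buf[48];
    uint64_t v;
    printf("applied %d patches\n", apply_patches(table));
    for (const struct patch *p = table; p->off != 0; p++)
        printf("0x%06X: %08X  %s\n", p->off, p->val, decode(p->val, buf, sizeof buf));
    /* Place the peek/poke stubs the way the four new table entries do, then read one back. */
    poke(LV2_BASE + 0x17CBC, 0xE86300004E800020ULL);
    poke(LV2_BASE + 0x17CC8, 0xF88300004E800020ULL);
    if (peek(LV2_BASE + 0x17CBC, &v) == 0) printf("peek 0x17CBC = %016llX\n", (unsigned long long)v);
    return 0;
}
```

Running it decodes every table entry and confirms, for instance, that 0xE8630000 is `ld r3, 0(r3)` and 0xF8830000 is `std r4, 0(r3)`, which is the whole body of the two new syscalls. The simulation's `xlate` refusal of out-of-range addresses is the part that does not exist in the real patched kernel: once these entries are in place, any userspace caller has unrestricted 64-bit read and write over lv2 memory, which is what makes the full memory dump possible and also why a console running this payload should be considered to have no kernel/user boundary left.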
09-07-2010, 04:47 PM #2
[link]

Thanks PS3News.com
09-07-2010, 04:50 PM #3
ZoneHD
Shiver do you lift?
In English?
09-07-2010, 05:21 PM #4
feiticeira
S.P.E.C.I.A.L
Originally posted by Grandad
[link]

Thanks PS3News.com


Wow, you posted where I got my news from.

Don't everyone else's posts like this come from other sites? Yeah, I thought so.
09-07-2010, 05:24 PM #5
08badbhoy08
Little One
Are They Selling The Things Yet :P ????
09-07-2010, 05:25 PM #6
Originally posted by feiticeira View Post
Wow, you posted where I got my news from.

Don't everyone else's posts like this come from other sites? Yeah, I thought so.


Yes they do but they also GIVE CREDIT. How would you like it if someone took all your work and posted it without giving credit.
09-07-2010, 05:27 PM #7
feiticeira
S.P.E.C.I.A.L
Originally posted by Grandad
Yes they do but they also GIVE CREDIT. How would you like it if someone took all your work and posted it without giving credit.


I usually do put the link at the end; it must've not shown up.
09-28-2010, 03:47 PM #8
Originally posted by 08badbhoy08 View Post
Are They Selling The Things Yet :P ????


PSGroove is open source and free. It's been ported to at least 2 devices you could find around your house. I'm talking about PS3 controllers, iPods, Sansas, Wii chip upgraders, calculators, cable modems, etc, etc, etc. The whole PS3 hacking thing is still very new, but it's going to get better very soon. So yeah, they've been selling iPods for years.

Copyright © 2026, NextGenUpdate.
All Rights Reserved.