Post: How to recreate the service mode jig
11-18-2010, 08:36 AM #1
ryan saa
At least I can fight
Been doing a lot of searching the net, found lots of useful info and think I've discovered the way to recreate the jig.

Originally Posted by Mathieulh @psx-scene

That's not about it, it's about the fact that even if you manage to reproduce the dongle by dumping the decrypted "dongle master key" and reversing the challenge/response algorithm, you'd still need to use a signed/copyrighted self renamed as lv2diag.self from /dev_usb000/ The product mode flag being of no use on its own. The fact that some people know how this process works and the whole theory behind it doesn't mean they care or have any interest whatsoever in this procedure especially as there is certainly no great mystery about it (at least not as far as we are concerned). Also the other problem that occurs when it comes to using signed selfs (besides the obvious copyright issue) is the self revocation.


Which says we need 3 things

The dongle master key

Originally posted by another user

0x24000 - USB Dongle Authenticator

Packet ID   Description
0x24001     Generate Challenge
0x24002     Verify Response

0x24001 - Generate Challenge

* I have got access to this service through DM and tested it
* The service expects no input parameters except those in SS packet header
* It uses 0x5003 service (Generate Random Number) to generate random numbers that are used in challenge body
* The length of a challenge body is always 23 bytes, first 3 bytes are always the same: 0x2E 0x02 0x01

Here are hexdumps of some challenge bodies I let the 0x24001 service generate:

2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D

2E 02 01 F0 DA 78 D4 1D CB D7 C9 C7 F0 32 F4 2E 92 39 BD 3F 32 93 AA

2E 02 01 3B B2 9D FD A8 83 AF 9A C0 E9 13 BB AE D5 6C 8C 45 2E DE 13

0x24002 - Verify Response

* I have got access to this service and tested it with PSGroove
* The response body is 25 bytes large
* The first 3 bytes have to be 0x2E 0x02 0x02 or else the check fails
* The 16-bit value at offset 3 is a dongle ID
* The dongle ID is checked if it's revoked or not
* When the verification succeeds then product mode is set to 1
* The service calculates USB Dongle Key from USB Dongle ID and USB Dongle Master Key by using HMAC SHA-1
* The service uses HMAC SHA-1 to calculate the correct response body from the challenge body and USB Dongle Key
* After that the service compares the calculated response body with the given one that was sent to the service
* It seems that laid and paid from the SS packet header are used in the decryption process

USB Dongle Master Key

* USB Dongle Master Key is stored encrypted in Process 6
* The encrypted key is 64 bytes large
* The decrypted key is 20 bytes large
* The USB Dongle Master Key is decrypted first time the service 0x24002 is used
* The USB Dongle Master Key is decrypted by using the service 0x200E (Decrypt Master) of Virtual TRM Manager
* The decrypted USB Dongle Master Key is stored in Process 6 in clear text (after first usage of this service)
* When decryption of USB Dongle Master Key fails then a dummy key is used
* Unfortunately, in the HV dump 3.15 the USB Dongle Master Key was not decrypted at the moment of dumping


Here is the encrypted USB Dongle Master Key from HV 3.15:

0x22 0xD5 0xD1 0x8C 0xFF 0xE2 0x4F 0xAC 0xEC 0x72 0xA2 0x42 0xA7 0x18 0x98 0x10
0x25 0x33 0xE0 0x96 0xF2 0xC1 0x91 0x0D 0x15 0x23 0xD3 0x07 0x74 0xE7 0x2B 0x72
0xDF 0xA6 0xDD 0xE9 0x68 0x8B 0x76 0x2A 0x6A 0x87 0x51 0x7F 0x85 0x39 0x0B 0xD4
0x20 0x3F 0x46 0x89 0x04 0x82 0xB7 0x30 0x84 0x89 0x4B 0xCC 0x9D 0xB1 0x24 0x7C

Here is the USB Dongle Master Dummy Key from HV 3.15:

0xD1 0xFC 0x57 0x55 0xBF 0x20 0xFA 0xB2 0xD4 0xA5 0x4A 0x0A 0x0C 0x5D 0x52 0x8E
0xDF 0x66 0xCD 0x74

USB Dongle ID Revoke List

* Process 6 contains a revoke list for USB Dongle IDs
* The revoke list is 0x2000 bytes large. It's a bitmap.
* Each bit represents a USB Dongle ID. If bit is 0 then USB Dongle ID is revoked.

The following USB Dongle IDs are revoked in HV 3.15:

0, 2, 13, 32, 34, 176, 241


Lv2diag.self

Originally posted by another user


And the challenge/response

Originally posted by another user, 15th Nov

@ldgchad it's a reverse of the dongle authentication challenge/response from the PS3 side. If you can dump lpar1 it can be done.


Then I stumbled upon

Originally posted by another user
Hi guys, I used an Atmega8 running at 16Mhz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.

I was quite surprised, it actually worked fairly straight away! I only had one pulse going every time I pressed the button at first but not a lot was happening.

So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.

After about 30-40 seconds... I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10mb bin.

Just having a look through the dump, lots of strings in there.. I haven't dropped it into IDA yet tho...

This is the source and hex (for those who don't want to compile it) for the Atmega8 which I glitched my PS3 with. The chip I used was the Atmega8-16pu. You will also need a 16MHz crystal, and 2 x 22pF capacitors.

Grounding pin 14 on the chip will produce a pulse on pin 2 of the chip (in fact it does all of PORTD). This should then go to the memory bus point on the PS3. See circuit diagram (below).

I used ponyprog to program my chip, with CKOPT ticked in the fuse settings, everything else was unticked.

Mick


Which should be enough to get a dump of lpar1 with a modified (existing or new) dump code.

Add the 3 together in a nice new payload and you've got service mode.

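To make the 0x24001/0x24002 flow in the quoted notes concrete, here is an added example that models both sides of the exchange: challenge generation, the response a dongle computes, the 0x2000-byte revoke bitmap, and the verify step that gates product mode. This is not code from the post, from the jig, or from any PS3 project. The packet layout, lengths, header bytes, the two HMAC-SHA1 steps and the revoked-ID list are taken from the notes above; everything else is an assumption made here: the dongle ID is MACed as a 2-byte big-endian value, the response MAC covers the 20 random challenge bytes after the header, the revoke bitmap is MSB-first within each byte, and the master key is a constructed stand-in (the real one was not decrypted in the dump).

```python
"""Model of the PS3 USB dongle authenticator (services 0x24001 / 0x24002).

Added example, not the post's or any project's code. Layouts and the use of
HMAC-SHA1 follow the quoted notes; the HMAC inputs, ID encoding, bitmap bit
order and the master key value are assumptions (see comments).
"""
import hashlib
import hmac
import os

CHALLENGE_HDR = bytes([0x2E, 0x02, 0x01])   # first 3 bytes of every challenge body
RESPONSE_HDR = bytes([0x2E, 0x02, 0x02])    # first 3 bytes of every response body
CHALLENGE_LEN = 23                          # 3-byte header + 20 random bytes
RESPONSE_LEN = 25                           # 3-byte header + 2-byte dongle ID + 20-byte HMAC-SHA1
REVOKE_LIST_SIZE = 0x2000                   # bytes; 65536 bits, one per 16-bit dongle ID

# Constructed stand-in for the 20-byte decrypted master key (NOT the real key).
MASTER_KEY = bytes(range(0x10, 0x24))

# Dongle IDs the notes list as revoked in HV 3.15.
REVOKED_IN_HV_315 = (0, 2, 13, 32, 34, 176, 241)

# First challenge body quoted in the post, reused here as a fixed test vector.
SAMPLE_CHALLENGE = bytes.fromhex(
    "2E 02 01 72 3A 0A 76 BB 81 CB 29 BC E7 B5 D6 62 7C 0E EE 23 18 A9 1D".replace(" ", "")
)


def dongle_key(master_key: bytes, dongle_id: int) -> bytes:
    """USB Dongle Key = HMAC-SHA1(master key, dongle ID). 2-byte big-endian ID is an assumption."""
    return hmac.new(master_key, dongle_id.to_bytes(2, "big"), hashlib.sha1).digest()


def generate_challenge(rng=os.urandom) -> bytes:
    """Service 0x24001: fixed header plus 20 random bytes (the notes say 0x5003 supplies them)."""
    return CHALLENGE_HDR + rng(20)


def dongle_response(master_key: bytes, dongle_id: int, challenge: bytes) -> bytes:
    """What a genuine dongle answers. MACing only the 20 random bytes is an assumption."""
    if len(challenge) != CHALLENGE_LEN or challenge[:3] != CHALLENGE_HDR:
        raise ValueError("malformed challenge body")
    mac = hmac.new(dongle_key(master_key, dongle_id), challenge[3:], hashlib.sha1).digest()
    return RESPONSE_HDR + dongle_id.to_bytes(2, "big") + mac


def build_revoke_list(revoked_ids) -> bytes:
    """0x2000-byte bitmap; bit = 0 means revoked. MSB-first bit order is an assumption."""
    bitmap = bytearray(b"\xFF" * REVOKE_LIST_SIZE)
    for did in revoked_ids:
        bitmap[did >> 3] &= ~(0x80 >> (did & 7)) & 0xFF
    return bytes(bitmap)


def is_revoked(revoke_list: bytes, dongle_id: int) -> bool:
    """Look up one 16-bit ID in the bitmap (same bit order as build_revoke_list)."""
    return not (revoke_list[dongle_id >> 3] >> (7 - (dongle_id & 7))) & 1


def verify_response(master_key: bytes, revoke_list: bytes, challenge: bytes, response: bytes) -> bool:
    """Service 0x24002: header check, revocation check, then MAC check. True = product mode set to 1."""
    if len(response) != RESPONSE_LEN or response[:3] != RESPONSE_HDR:
        return False
    dongle_id = int.from_bytes(response[3:5], "big")
    if is_revoked(revoke_list, dongle_id):
        return False
    expected = dongle_response(master_key, dongle_id, challenge)
    # Constant-time compare so a byte-by-byte timing oracle on the MAC is not available.
    return hmac.compare_digest(expected[5:], response[5:])


def run_exchange(dongle_id: int, master_key: bytes = MASTER_KEY) -> bool:
    """Full console <-> dongle round trip; returns the resulting product-mode flag."""
    revoke_list = build_revoke_list(REVOKED_IN_HV_315)
    challenge = generate_challenge()
    response = dongle_response(master_key, dongle_id, challenge)
    return verify_response(master_key, revoke_list, challenge, response)


if __name__ == "__main__":
    print("dongle 1   -> product mode", int(run_exchange(1)))
    print("dongle 241 -> product mode", int(run_exchange(241)))  # revoked in HV 3.15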
11-18-2010, 08:54 AM #2
-Skyline
Anonymous
Some interesting research there.

+Rep
11-19-2010, 12:16 AM #3
hunter12
Retired, done with gaming
Jesus Christ, you guys act like a bunch of 12 year olds..
Since when is it a crime to post something that was publicly released? He put
the source link, what's wrong with that? This is something that should be posted everywhere since it's such huge news.. Instead of crying about how it's a copy paste, does anybody here even understand the thread, and the whole meaning of service mode OTHER THAN DOWNGRADING, AND how powerful it is?

11-19-2010, 01:29 AM #4
ZoneTw0
You talkin to me?
Originally posted by hunter12 View Post
Jesus Christ, you guys act like a bunch of 12 year olds..
Since when is it a crime to post something that was publicly released? He put
the source link, what's wrong with that? This is something that should be posted everywhere since it's such huge news.. Instead of crying about how it's a copy paste, does anybody here even understand the thread, and the whole meaning of service mode OTHER THAN DOWNGRADING, AND how powerful it is?

On topic: I do understand service mode, and knew how powerful it was since RichDevX was working on a payload with it and some other cases before PS3 hacking.

11-19-2010, 02:07 AM #5
shiver
chaos personified
ENOUGH!

I have cleaned this topic. News is allowed to be posted.

FOR ****S SAKE HE CREDITED THE SOURCE.

Now calm down and discuss it if you choose, if you don't have anything helpful to say in this thread THEN DON'T RESPOND.


11-19-2010, 04:32 AM #6
Originally posted by hunter12 View Post
Jesus Christ, you guys act like a bunch of 12 year olds..
Since when is it a crime to post something that was publicly released? He put
the source link, what's wrong with that? This is something that should be posted everywhere since it's such huge news.. Instead of crying about how it's a copy paste, does anybody here even understand the thread, and the whole meaning of service mode OTHER THAN DOWNGRADING, AND how powerful it is?


What are the possibilities?
11-19-2010, 10:06 PM #7
Ix Benere xI
At least I can fight
Originally posted by chrisisadude View Post
What are the possibilities?


The possibilities are endless!! Lol :D
11-19-2010, 10:36 PM #8
Great job!

Copyright © 2026, NextGenUpdate.
All Rights Reserved.