Archive for the 'PS3' Category

Rip FreeBSD code and use it in your own commercial project, heh.

Inside libfs_utility_init.sprx from the PS3 /dev_flash partition, after decrypting:

@(#) Copyright (c) 2000 Christoph Herrmann, Thomas-Henning von Kamptz
Copyright (c) 1980, 1989, 1993 The Regents of the University of California.
All rights reserved.
$FreeBSD: src/sbin/growfs/growfs.c,v 2009/04/15 03:14:26 kensmith Exp $

The BSD license allows it, though.

Guide: extracting dev_flash from firmware update.

With the recent release of geohot's depkg it is now easy for everyone to extract the contents of dev_flash and dev_flash3 from a PS3 update PUP file.

Get the tools first: ps3 pup unpacker and depkg.

Extract and compile depkg.c (Linux/OS X/Windows+Cygwin):

gcc ./depkg.c -o depkg -lz -lssl

Then extract PS3UPDAT.PUP with the pup unpacker, find File_7.tar in the extracted folder and untar it into a new folder; you will get a lot of pkgs there, among them the dev_flash files.

Enter the dir with the extracted files, copy the compiled depkg into it and run this bash one-liner:

# for each dev_flash* pkg: unpack it to a tar, extract the tar, then drop the tar
for i in dev_flash*; do ./depkg "$i" "$i.tar" && tar -xvf "./$i.tar" && rm "$i.tar"; done

After that you will have the contents of dev_flash and dev_flash3 of the firmware you chose.

How to reconstruct ps3 selfs after decrypting

Here is a little, noob-unfriendly howto about recreating PS3 apps after you have decrypted them.

As an example I will use vsh.self, which everyone with a jailbroken PS3 can find in /dev_flash/.

1) Decrypt it with graf_chokolo's payload; you will end up with two files, let's call them vsh.0 and vsh.1.

2) Compress these files with zlib; I use zpipe for it:

./zpipe < vsh.0 > vsh.0z
./zpipe < vsh.1 > vsh.1z

Sizes of the files:

6951464 2010-12-05 02:06 vsh.0
2930941 2010-12-05 04:04 vsh.0z
338832 2010-12-05 02:06 vsh.1
133356 2010-12-05 04:04 vsh.1z

3) Going into vsh.self:
The 64-bit big-endian value at 0x290 is 0x0000000000000900 (2304 decimal); it is the start of the first segment (vsh.0) inside vsh.self. The next 64-bit BE value, at 0x298, is the size of this segment: 0x00000000002cb8fd (2930941 decimal), which matches the size of our vsh.0z exactly 😉
The same for vsh.1: the start at 0x2b0 is 0x00000000002dafe0 (2994144 decimal), the size at 0x2b8 is 0x00000000000208ec == 133356 (the size of vsh.1z).

4) Now we need to copy the decrypted, re-compressed segments into vsh.self at the offsets from step 3:

dd if=./vsh.0z of=./vsh.self bs=1 seek=2304 conv=notrunc

dd if=./vsh.1z of=./vsh.self bs=1 seek=2994144 conv=notrunc

5) Some header fields need editing:

at 0x08: change the big-endian value 0004 to 8000

at 0x2af, 0x2cf, 0x2ef, 0x30f, 0x32f: change 0x01 to 0x02.

6) Now you have a pseudo-debug SELF and can use the usual three steps to make it run on a jailbroken PS3, where EBOOT.BIN is our SELF after step 5:

Selftool.exe -o EBOOT2.BIN -c0 EBOOT.BIN
unfself.exe EBOOT2.BIN EBOOT3.BIN
make_fself.exe EBOOT3.BIN EBOOT4.BIN

EBOOT3.BIN is an ELF that is nice to analyze; EBOOT4.BIN is a ready-to-run SELF.
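A sanity check for steps 3 and 4, added here as an example and not part of the original post: it reads the four 64-bit big-endian table fields at the offsets quoted above for vsh.self and confirms that the compressed segment sizes match, that neither segment runs past the end of the file and that the two segments do not overlap, so a wrong seek value is caught before dd overwrites anything. The function names and the constructed stand-in file are my own; the field offsets are only those the post gives for vsh.self.

```python
import struct
import zlib

# Field offsets quoted in step 3 for vsh.self: (offset field, size field),
# each a 64-bit big-endian value. Other SELFs may lay the table out differently.
SEGMENT_FIELDS = {
    "vsh.0": (0x290, 0x298),
    "vsh.1": (0x2b0, 0x2b8),
}

def segment_table(self_bytes):
    """Read {name: (start, size)} from the big-endian 64-bit fields."""
    table = {}
    for name, (off_field, size_field) in SEGMENT_FIELDS.items():
        start = struct.unpack_from(">Q", self_bytes, off_field)[0]
        size = struct.unpack_from(">Q", self_bytes, size_field)[0]
        table[name] = (start, size)
    return table

def check_segments(self_bytes, compressed):
    """compressed: {name: zlib-compressed bytes of the decrypted segment}.
    Returns a list of problems; empty means the dd writes of step 4 are safe."""
    problems = []
    table = segment_table(self_bytes)
    for name, (start, size) in table.items():
        blob = compressed[name]
        if len(blob) != size:
            problems.append(f"{name}: table says {size} bytes, file has {len(blob)}")
        if start + size > len(self_bytes):
            problems.append(f"{name}: segment would run past end of file")
        if not blob.startswith(b"\x78"):  # CMF byte of a zlib/deflate stream
            problems.append(f"{name}: does not look like a zlib stream")
    spans = sorted(table.values())
    for (s0, n0), (s1, _) in zip(spans, spans[1:]):
        if s0 + n0 > s1:
            problems.append(f"segments at {s0:#x} and {s1:#x} overlap")
    return problems

def build_sample():
    """Constructed stand-in for vsh.self (not real firmware): a zeroed 0x400-byte
    header with the four table fields filled in, followed by two zlib streams."""
    seg0 = zlib.compress(b"segment zero, constructed payload\n" * 40)
    seg1 = zlib.compress(b"segment one, constructed payload\n" * 10)
    start0, start1 = 0x400, 0x400 + len(seg0)
    header = bytearray(0x400)
    struct.pack_into(">Q", header, 0x290, start0)
    struct.pack_into(">Q", header, 0x298, len(seg0))
    struct.pack_into(">Q", header, 0x2b0, start1)
    struct.pack_into(">Q", header, 0x2b8, len(seg1))
    return bytes(header) + seg0 + seg1, {"vsh.0": seg0, "vsh.1": seg1}
```

On a real file, call check_segments with the bytes of vsh.self and the contents of vsh.0z and vsh.1z; the decimal start values it returns are the seek= arguments for step 4.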

PS3 HDD fs is UFS

Here is something from an lv2 dump:



UFS is a filesystem used by BSD systems.

The PS3 also supports iso9660, UDF, FAT and netfs (?),

but it seems that for now only FAT can be used on a USB drive.

Also, the filesystem of /dev/flashX is FAT.