Archive for December, 2010

Guide: extracting dev_flash from firmware update.

With the recent release of geohot’s depkg, it is now easy for everyone to extract the contents of dev_flash and dev_flash3 from a PS3 update PUP file.

Get the tools first: ps3 pup unpacker, depkg.

Extract and compile depkg.c (Linux/OSX/Windows+Cygwin):

gcc ./depkg.c -o depkg -lz -lssl

Then extract PS3UPDAT.PUP with the pup unpacker, find File_7.tar in the extracted folder and untar it into a new folder; you will get a lot of pkgs there, among them the dev_flash files.

Enter the directory with the extracted files, copy the compiled depkg into it and run this bash one-liner (each dev_flash pkg is unpacked to a tar, the tar is extracted and then removed):

for i in dev_flash*; do ./depkg "$i" "$i.tar" && tar -xvf "./$i.tar"; rm -f "$i.tar"; done

After that you will have the contents of dev_flash and dev_flash3 of the firmware you chose.

Radeon 6xxx OSX support status

As of the 10.6.6 beta release, ATIRadeonX3000.kext (the accelerator) sets up the card and provides the bridge for hardware-accelerated OpenGL, Quartz Extreme and Core Image.

So ATIRadeonX3000.kext supports the Radeon 6xx0 series cards (the already released 6870/6850 and the 6950/6970 due tomorrow).

But OSX is still missing the framebuffer driver for the 6xxx series. The framebuffer driver sets up the output screen, manages resolutions and multiple displays, does power management, etc.

How to reconstruct ps3 selfs after decrypting

Here is a little, noob-unfriendly howto about recreating PS3 apps after you have decrypted them.

As an example I will use vsh.self, which everyone with a jb PS3 can find in /dev_flash/.

1) decrypt it with graf_chokolo’s payload; you will end up with two files, let’s call them vsh.0 and vsh.1

2) compress these files with zlib; I use zpipe for it

./zpipe < vsh.0 > vsh.0z
./zpipe < vsh.1 > vsh.1z

sizes of the files:

6951464 2010-12-05 02:06 vsh.0
2930941 2010-12-05 04:04 vsh.0z
338832 2010-12-05 02:06 vsh.1
133356 2010-12-05 04:04 vsh.1z

3) look into vsh.self
The 64-bit big-endian value at 0x290 is 0x0000000000000900 (2304 decimal): the start of the first segment (vsh0) inside vsh.self. The next 64-bit BE value, at 0x298, is the size of this segment: 0x00000000002cb8fd (2930941 decimal), perfectly matching the size of our vsh.0z 😉
Same for vsh1: start at 0x2b0 is 0x00000000002dafe0 (2994144 decimal), size at 0x2b8 is 0x00000000000208ec == 133356 (the size of vsh.1z).

4) now we need to copy the decrypted, re-compressed segments into vsh.self at those offsets (conv=notrunc keeps the rest of the file intact):

dd if=./vsh.0z of=./vsh.self bs=1 seek=2304 conv=notrunc

dd if=./vsh.1z of=./vsh.self bs=1 seek=2994144 conv=notrunc

5) some header fields need editing:

0x08: big-endian 0x0004 to 0x8000

0x2af, 0x2cf, 0x2ef, 0x30f, 0x32f – change 0x01 to 0x02.
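As an added illustration (not code from the post), the following Python carries out steps 3 to 5 on a constructed stand-in for vsh.self. It reads the 64-bit big-endian offset/size pairs at 0x290/0x298 and 0x2b0/0x2b8, checks that each header size matches the length of the zlib-compressed blob and that the segments neither overlap nor run past the end of the file (the check step 3 does by eye), then writes the blobs in place exactly like dd conv=notrunc and applies the header edits from step 5. The field offsets are the ones from the post; the layout of the stand-in file (segments from 0x400 onwards) and the helper names are assumptions.

```python
import struct
import zlib

# Header positions taken from the post (64-bit big-endian offset/size pairs).
SEG0_OFFSET_FIELD = 0x290
SEG0_SIZE_FIELD = 0x298
SEG1_OFFSET_FIELD = 0x2b0
SEG1_SIZE_FIELD = 0x2b8
FLAG_FIELD = 0x08                                     # 16-bit BE, 0x0004 -> 0x8000
COMPRESSION_BYTES = (0x2af, 0x2cf, 0x2ef, 0x30f, 0x32f)  # 0x01 -> 0x02


def read_u64be(buf, off):
    return struct.unpack_from(">Q", buf, off)[0]


def segment_table(self_bytes):
    """Step 3: return [(offset, size), ...] for the two segments the post describes."""
    return [
        (read_u64be(self_bytes, SEG0_OFFSET_FIELD), read_u64be(self_bytes, SEG0_SIZE_FIELD)),
        (read_u64be(self_bytes, SEG1_OFFSET_FIELD), read_u64be(self_bytes, SEG1_SIZE_FIELD)),
    ]


def check_segments(self_bytes, compressed):
    """Sanity checks before writing anything: each header size must equal the
    compressed blob's length, segments must stay inside the file and not overlap.
    Returns a list of problem strings (empty when everything matches)."""
    segs = segment_table(self_bytes)
    problems = []
    for i, ((off, size), blob) in enumerate(zip(segs, compressed)):
        if size != len(blob):
            problems.append(f"segment {i}: header size {size} != compressed size {len(blob)}")
        if off + size > len(self_bytes):
            problems.append(f"segment {i}: extends past end of file")
    for (o0, s0), (o1, _) in zip(segs, segs[1:]):
        if o0 + s0 > o1:
            problems.append("segments overlap")
    return problems


def rebuild(self_bytes, compressed):
    """Steps 4 and 5: write the compressed segments in place (dd conv=notrunc)
    and patch the header fields listed in the post. Returns new bytes."""
    problems = check_segments(self_bytes, compressed)
    if problems:
        raise ValueError("; ".join(problems))
    out = bytearray(self_bytes)
    for (off, size), blob in zip(segment_table(self_bytes), compressed):
        out[off:off + size] = blob            # same length, so the file does not grow
    struct.pack_into(">H", out, FLAG_FIELD, 0x8000)
    for pos in COMPRESSION_BYTES:
        out[pos] = 0x02
    return bytes(out)


def inflate_segment(self_bytes, index):
    """Read a segment back through the header table and zlib-decompress it."""
    off, size = segment_table(self_bytes)[index]
    return zlib.decompress(self_bytes[off:off + size])


def make_sample():
    """Constructed stand-in for vsh.self (assumption, not the real file): a 0x400-byte
    header followed by two zlib segments whose offsets/sizes sit at the post's positions."""
    seg0 = zlib.compress(b"segment zero " * 50)
    seg1 = zlib.compress(b"segment one " * 20)
    off0 = 0x400
    off1 = off0 + len(seg0) + 0x10            # small alignment gap, as in the real file
    buf = bytearray(off1 + len(seg1))
    struct.pack_into(">H", buf, FLAG_FIELD, 0x0004)
    for pos in COMPRESSION_BYTES:
        buf[pos] = 0x01
    struct.pack_into(">Q", buf, SEG0_OFFSET_FIELD, off0)
    struct.pack_into(">Q", buf, SEG0_SIZE_FIELD, len(seg0))
    struct.pack_into(">Q", buf, SEG1_OFFSET_FIELD, off1)
    struct.pack_into(">Q", buf, SEG1_SIZE_FIELD, len(seg1))
    return bytes(buf), [seg0, seg1]


if __name__ == "__main__":
    header, blobs = make_sample()
    print("problems:", check_segments(header, blobs))
    fixed = rebuild(header, blobs)
    print("segments:", segment_table(fixed), "flag:", hex(int.from_bytes(fixed[8:10], "big")))
```

On the real file the check function is the useful part: if a size field does not equal the length of the corresponding .z file, the zlib stream was produced differently from the original and the dd step would either truncate it or overwrite the next segment.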

6) now you have this pseudo-debug self and can use the usual three steps to make it run on a jb PS3, where EBOOT.BIN is our final self after step 5:

Selftool.exe -o EBOOT2.BIN -c0 EBOOT.BIN
unfself.exe EBOOT2.BIN EBOOT3.BIN
make_fself.exe EBOOT3.BIN EBOOT4.BIN

EBOOT3.BIN is an ELF that is nice to analyze; EBOOT4.BIN is a ready-to-run SELF.