abgx360

Sunday 14 November 2010

Payload that Spoofs Version to 3.50

ecosystem_mod, of PSX-Scene, has created a payload that spoofs his PS3 into thinking it's on 3.50 firmware. Currently it still doesn't allow PSN access, but he is making swift progress. Here's what he had to say, with more after the jump.


It works by capturing VSH code in the moment after it decrypts INDEX.DAT.

Unluckily, it is not enough to connect to the PSN; it still refuses to connect. I have only faked the version, but there are other numbers, such as release numbers. I don't know what these numbers would be on v3.50. You can try by modifying the payload with a hex editor, and maybe someone finds the proper numbers.
Download: http://www.multiupload.com/EGPWIMZVL6

Technical info for geeks:

INDEX.DAT is the encrypted version of VERSION.TXT. After decryption, INDEX.DAT is a 20-byte SHA1 followed by 12 bytes of PADDING, followed by content identical to that of VERSION.TXT.

My payload works by hooking the MEMCMP that the VSH performs with the SHA1 to a syscall, SYSCALL 10, which is implemented in the payload to fill the buffer with other data.

The payload is just a PL3 default payload with that syscall 10 added and two additional patches added to memory_patch_table_1 (PATCH_INST(0x190C90, li %r11, 10) and PATCH_INST(0x190C94, sc)), and converted to the port1_config_descriptor.bin format.

Only for v3.41. Have fun!

UPDATE: second version

Now it also fakes the auth/revision code from 45039 to 46135, which is the supposed one for v3.50. This value was also hard-coded in VSH.SELF, so two additional patches are done to change that string in VSH.SELF too. If you are gonna change the auth number, remember that you must update that patch too, or you will get a beautiful red screen.

Also it now patches a syscall that gets the SDK version of a process; the patch only fakes the one for vsh. Vsh calls this function before entering the PSN. Despite all of this, PSN still doesn't connect, but now there is a different behavior: before, it told you to update and if you answered yes, you could go through the update process. Now it still tells you to update, but if you click yes, then it tells you that you are on the latest version and doesn't let you update.

I post the binary and the three source files that must replace/be added to the PL3 ones.

Update: 2.01, small bug-fix (cmpwi != cmpw), still no luck with psn.
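As an added illustration (not code from ecosystem_mod, PL3 or this blog), the Python below checks a decrypted INDEX.DAT image against the layout described above: a 20-byte SHA1, 12 bytes of padding, then the VERSION.TXT content. It assumes the stored digest covers the trailing content (the post does not say what the hash is computed over) and uses a constructed sample blob; the digest comparison is exactly the check that the described payload short-circuits by redirecting memcmp into its syscall.

```python
import hashlib
import hmac

# Layout from the post: 20-byte SHA1, 12 bytes of padding, then VERSION.TXT content.
DIGEST_LEN = 20
PADDING_LEN = 12
HEADER_LEN = DIGEST_LEN + PADDING_LEN  # 32 bytes


def build_index_dat(version_txt: bytes) -> bytes:
    """Build a plaintext INDEX.DAT image for testing.

    Constructed sample only; assumes the digest is SHA1 over the content
    and that the padding is zero bytes (neither is stated in the post).
    """
    return hashlib.sha1(version_txt).digest() + b"\x00" * PADDING_LEN + version_txt


def parse_index_dat(blob: bytes) -> dict:
    """Split a decrypted INDEX.DAT image and verify its embedded SHA1.

    The content is treated as opaque bytes; the post only says it matches
    VERSION.TXT, not how that file is structured.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("image shorter than the 32-byte header")
    stored = blob[:DIGEST_LEN]
    padding = blob[DIGEST_LEN:HEADER_LEN]
    content = blob[HEADER_LEN:]
    computed = hashlib.sha1(content).digest()
    return {
        "stored_sha1": stored.hex(),
        "computed_sha1": computed.hex(),
        "padding_is_zero": not any(padding),
        # compare_digest does the job a plain memcmp does here, without early exit;
        # patching this comparison is what lets a forged content block pass.
        "digest_ok": hmac.compare_digest(stored, computed),
        "content": content,
    }


if __name__ == "__main__":
    sample = build_index_dat(b"constructed-version-3.41")
    print(parse_index_dat(sample)["digest_ok"])           # True
    forged = sample[:HEADER_LEN] + b"constructed-version-3.50"
    print(parse_index_dat(forged)["digest_ok"])           # False: content edited, digest untouched
```

Any edit to the content region without recomputing the leading digest is caught by `digest_ok`, which is why the payload has to neutralise the comparison rather than the data.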
