
Enabling FSM Dongle on 4.XX



  • Developer

My friend CMX recently shared his old reversing work, which would be very useful in the near future..

Currently I'm able to enable FSM mode with my old dongle and can also get out of FSM as long as the CFW has MLT's lv2mem protection patch, a.k.a. the dev_flash whitelist patch.

It worked fine on 4.70 CEX/DEX, but I am having a hard time installing a PUP via the old method..

We have a few ideas of how we are going to use this.. I'll keep you guys posted if there is any success.

ss_server.1
Inside 4.21 lv1
seg000:0000000080000EE0             usb_dongle_authenticator__initialize:   # CODE XREF: sub_80000F74+24p

That is the dongle authenticator initialize routine.

seg000:00000000800364E0 39 29 FF 7D                 addi      r9, r9, -0x83
seg000:0000000080000AE4             usb_dongle_authenticator__verify_response:

seg000:0000000080000B30 89 3C 00 00                 lbz       r9, 0(r28)
seg000:0000000080000B34 2F 89 00 D1                 cmpwi     cr7, r9, 0xD1
seg000:0000000080000B38 40 FE 00 24                 bne+      cr7, loc_80000B5C
seg000:0000000080000B3C 7F 84 E3 78                 mr        r4, r28
seg000:0000000080000B40 7F 43 D3 78                 mr        r3, r26
seg000:0000000080000B44 48 01 6D B5                 bl        sc_cmd_verify_new_challenge

If the dongle auth request does not have 0xD1, it's the new challenge, and then it even uses the user token too:

seg001:0000000080046498 75 73 65 72+aUser_tokenM_at:.string "user_token:m_attribute: \n"

which is part of the printf.

seg001:0000000080046258 64 6F 6E 67+aDongleIdRevoke:.string "dongle ID revoked.\n"

They revoked a dongle ID too, so the service mode dongle will need to be patched out too if your dongle has the blocked ID.

seg000:0000000080000CA0 7F A6 EB 78                 mr        r6, r29       # decrypted dongle id key
seg000:0000000080000CA4 38 9B 00 02                 addi      r4, r27, 2    # data to hash
seg000:0000000080000CA8 38 A0 00 14                 li        r5, 0x14      # length to hash
seg000:0000000080000CAC 38 E0 00 14                 li        r7, 0x14      # dongle id hash length
seg000:0000000080000CB0 38 61 00 88                 addi      r3, r1, 0xD0+var_48
seg000:0000000080000CB4 48 04 47 9D                 bl        sha1_hmac

The above code is all from ss_server1.fself inside lv1.elf.
 
lv1.self

3) allow service mode dongle to work

Search
409E0014880100702F800000409E0008

Replace
409E0014380000002F800000409E0008

(second word: lbz r0, 0x70(r1) -> li r0, 0, so the cmpwi cr7, r0, 0 / bne cr7 that follow always see zero)

vsh.self

1) allow fself applications

Search
F821FF817C0802A6FBE100787C7F1B78

Replace
386000004E800020FBE100787C7F1B78

(prologue stdu r1, -0x80(r1) / mflr r0 -> li r3, 0 / blr: the patched function returns 0 immediately)

lv2_kernel.self

1) allow fself applications

Search
E92297603FE0800163FF000988090000

Replace
E9229760380000019809000088090000

(lis r31, 0x8001 / ori r31, r31, 9 -> li r0, 1 / stb r0, 0(r9): the flag byte that the following lbz r0, 0(r9) reads is forced to 1)

appldr.self

1) allow fself applications

Search
04002903330460807E00018A56C00504

Replace
04002903408000037E00018A56C00504

2) allow fself applications

Search
24FE00D7040006D424FDC0D804000556

Replace
24FE00D7408000D424FDC0D804000556

(appldr is SPU code: in 1) the brsl call in the second word becomes il $3, 0; in 2) the ori move in the second word becomes il $84, 0)

Those were the 4.25 OFW patches to allow fself on retail CEX.

 

Edited by Joonie
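The legacy verify path as read from the ss_server listing above, written up as a small Python model. This is an added example for this page, not code from lv1, CMX or Joonie. What the listing itself gives: byte 0 of the request is compared with 0xD1 and the bne skips the sc_cmd_verify_new_challenge call when the byte is not 0xD1; further down, sha1_hmac is called with 0x14 bytes of data starting at request+2 and a 0x14-byte "decrypted dongle id key". Everything else here (the tag used for the legacy path, the key bytes, the reserved second byte, the revocation set and the order of the checks) is constructed or assumed for the example, and the new-challenge/user-token path is not modelled.

```python
"""
Model of the response check in usb_dongle_authenticator__verify_response, as read
from the ss_server disassembly. Added illustration for this page, not lv1 code.
Assumed/constructed: request layout beyond what the listing shows (byte 0 = tag,
one reserved byte, 0x14 bytes of challenge from byte 2), the key bytes, the
revocation list and the order of the checks. The real key lives inside lv1.
"""
import hashlib
import hmac

NEW_CHALLENGE_TAG = 0xD1   # lbz r9,0(r28); cmpwi cr7,r9,0xD1; bne skips sc_cmd_verify_new_challenge
HASH_LEN = 0x14            # li r5,0x14 (data length) and li r7,0x14 (key length)
EXAMPLE_LEGACY_TAG = 0x00  # constructed: any tag other than 0xD1 takes the legacy path here

# Constructed 0x14-byte stand-in for the "decrypted dongle id key" (r6 in the listing).
EXAMPLE_DONGLE_ID_KEY = bytes(range(0x20, 0x20 + HASH_LEN))
# Constructed revocation list; the page only shows the "dongle ID revoked." string.
EXAMPLE_REVOKED_IDS = frozenset({0xBAD0})


def sha1_hmac(data: bytes, key: bytes) -> bytes:
    """Mirrors bl sha1_hmac(out=r3, data=r4, data_len=r5, key=r6, key_len=r7)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def expected_response(request: bytes, key: bytes) -> bytes:
    """addi r4, r27, 2: the 0x14 bytes that get hashed start at request+2."""
    return sha1_hmac(request[2:2 + HASH_LEN], key)


def verify_response(request: bytes, response: bytes, key: bytes,
                    dongle_id: int, revoked_ids=EXAMPLE_REVOKED_IDS) -> str:
    """Return a short verdict string in place of lv1's error codes."""
    if len(request) < 2 + HASH_LEN:
        return "bad_request"
    if dongle_id in revoked_ids:
        return "revoked"            # the "dongle ID revoked." path (assumed order)
    if request[0] == NEW_CHALLENGE_TAG:
        return "new_challenge"      # sc_cmd_verify_new_challenge / user token; not modelled
    # Legacy path: constant-time compare of the HMAC-SHA1 with the dongle's answer.
    if hmac.compare_digest(expected_response(request, key), response[:HASH_LEN]):
        return "ok"
    return "bad_response"


def make_request(challenge: bytes, tag: int = EXAMPLE_LEGACY_TAG) -> bytes:
    """Build a request in the assumed layout: tag byte, reserved byte, challenge."""
    if len(challenge) != HASH_LEN:
        raise ValueError("challenge must be 0x14 bytes")
    return bytes([tag, 0x00]) + challenge


def dongle_answer(request: bytes, key: bytes) -> bytes:
    """What a dongle holding `key` sends back on the legacy path (the same HMAC)."""
    return expected_response(request, key)


if __name__ == "__main__":
    req = make_request(bytes(range(HASH_LEN)))          # constructed challenge
    ans = dongle_answer(req, EXAMPLE_DONGLE_ID_KEY)
    print(verify_response(req, ans, EXAMPLE_DONGLE_ID_KEY, dongle_id=0x1234))  # ok
    print(verify_response(req, ans, EXAMPLE_DONGLE_ID_KEY, dongle_id=0xBAD0))  # revoked
```

The point the listing makes, and the model keeps, is that the check is a keyed MAC, not a signature: whoever holds the per-dongle key can produce a valid answer, which is why the thread's later remark that no private keys are available for the 4.xx authenticator decides whether a real dongle can be built, and why the lv1 patch above simply skips the check instead.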

This may help my Fatty, which got into FSM while I was on 4.65?

  • Developer

This may help my Fatty, which got into FSM while I was on 4.65?

The fact that old 3.41/3.55 dongles trigger the FSM on 4.XX is not really helping that type of situation.

However, if your 4.65 CFW had MLT's appldr patch, you should be able to get out of FSM with the old 3.55 lv2diag.self, which works fine on my PS3.


Great info Joonie :)

Back then, remember when 3absiso had a +356 with FSM enabled? The 440, I believe, or the 431 COREOS did the trick...

Thanks for sharing the info on the patches that are responsible for this. :)


No, my CFW does not have MLT's appldr patches.

  • Developer

Does not work for me, and the vsh pattern is way off record. There are too many possibilities to patch.

  • Developer

Does not work for me, and the vsh pattern is way off record. There are too many possibilities to patch.

I'll find the exact offset for those fself patches.

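A patch applier for the search/replace patterns posted above, added here as an example; it is not from the post and not a scene tool. It refuses to write unless a search pattern occurs exactly once in the decrypted image, and decodes the PowerPC words that differ between search and replace so the effect of a patch can be checked before it is written. Assumed: the input is the decrypted ELF of the named .self, the patterns are big-endian 32-bit words, and search and replace have equal length. The appldr patterns are SPU code and are not included.

```python
"""
Added example: apply the thread's search/replace patterns to a decrypted image.
Not from the original post or any scene tool. Assumes the input is the decrypted
ELF of the named .self, patterns are big-endian 32-bit words, and search/replace
have equal length. The appldr patterns are SPU code and are not included here.
"""
import struct
import sys

# (description, search, replace) exactly as posted, keyed by the file they target.
PATCHES = {
    "lv1.self": [("allow service mode dongle to work",
                  "409E0014880100702F800000409E0008", "409E0014380000002F800000409E0008")],
    "vsh.self": [("allow fself applications",
                  "F821FF817C0802A6FBE100787C7F1B78", "386000004E800020FBE100787C7F1B78")],
    "lv2_kernel.self": [("allow fself applications",
                         "E92297603FE0800163FF000988090000", "E9229760380000019809000088090000")],
}


def _s16(v: int) -> int:
    """Sign-extend a 16-bit immediate."""
    return v - 0x10000 if v & 0x8000 else v


def decode_ppc(word: int) -> str:
    """Decode only the 64-bit PowerPC forms these patches touch; .long otherwise."""
    op, rd, ra, rb = word >> 26, (word >> 21) & 31, (word >> 16) & 31, (word >> 11) & 31
    imm, uimm = _s16(word & 0xFFFF), word & 0xFFFF
    if word == 0x4E800020:
        return "blr"
    if word == 0x7C0802A6:
        return "mflr r0"
    if op == 14:
        return f"li r{rd}, {imm:#x}" if ra == 0 else f"addi r{rd}, r{ra}, {imm:#x}"
    if op == 15:
        return f"lis r{rd}, {uimm:#x}" if ra == 0 else f"addis r{rd}, r{ra}, {uimm:#x}"
    if op == 24:
        return f"ori r{ra}, r{rd}, {uimm:#x}"          # rS sits in the rd field
    if op == 34:
        return f"lbz r{rd}, {imm:#x}(r{ra})"
    if op == 38:
        return f"stb r{rd}, {imm:#x}(r{ra})"
    if op == 11:
        return f"cmpwi cr{rd >> 2}, r{ra}, {imm:#x}"
    if op == 16:                                        # bc BO,BI,BD
        bd = _s16(word & 0xFFFC)
        if rd == 4 and ra % 4 == 2:                     # BO=4 "CR bit false", BI=crN[EQ]
            return f"bne cr{ra // 4}, {bd:+#x}"
        return f"bc {rd}, {ra}, {bd:+#x}"
    if op == 31 and ((word >> 1) & 0x3FF) == 444:       # or rA,rS,rB (mr when rS == rB)
        return f"mr r{ra}, r{rd}" if rd == rb else f"or r{ra}, r{rd}, r{rb}"
    if op == 58 and (word & 3) == 0:
        return f"ld r{rd}, {_s16(word & 0xFFFC):#x}(r{ra})"
    if op == 62:
        return f"{'stdu' if word & 3 else 'std'} r{rd}, {_s16(word & 0xFFFC):#x}(r{ra})"
    return f".long {word:#010x}"


def describe(search_hex: str, replace_hex: str):
    """(offset within pattern, before, after) for every 32-bit word that changes."""
    s, r = bytes.fromhex(search_hex), bytes.fromhex(replace_hex)
    changes = []
    for i in range(0, len(s), 4):
        a, b = struct.unpack(">II", s[i:i + 4] + r[i:i + 4])
        if a != b:
            changes.append((i, decode_ppc(a), decode_ppc(b)))
    return changes


def find_unique(data: bytes, pattern: bytes) -> int:
    """File offset of pattern; raise if it is missing or matches more than once."""
    off = data.find(pattern)
    if off < 0:
        raise ValueError("pattern not found")
    if data.find(pattern, off + 1) >= 0:
        raise ValueError("pattern is not unique; refusing to guess which hit to patch")
    return off


def apply_patch(data: bytes, search_hex: str, replace_hex: str):
    """Return (patched bytes, file offset). Search and replace must be equal length."""
    search, replace = bytes.fromhex(search_hex), bytes.fromhex(replace_hex)
    if len(search) != len(replace):
        raise ValueError("search/replace length mismatch")
    off = find_unique(data, search)
    out = bytearray(data)
    out[off:off + len(search)] = replace
    return bytes(out), off


if __name__ == "__main__":
    # usage: python patch.py lv1.self /path/to/decrypted/lv1.elf
    name, path = sys.argv[1], sys.argv[2]
    data = open(path, "rb").read()
    for desc, search, replace in PATCHES[name]:
        print(desc, [f"{a} -> {b}" for _, a, b in describe(search, replace)])
        data, off = apply_patch(data, search, replace)
        print(f"  patched at file offset {off:#x}")
    open(path + ".patched", "wb").write(data)
```

The uniqueness check is the part worth keeping: a 16-byte pattern is only as specific as the code around it, and on a different firmware the same bytes can show up in more than one function, which is the "too many possibilities to patch" problem reported for the vsh pattern. The decoder output (for lv1, lbz r0, 0x70(r1) becoming li r0, 0) is the sanity check that the offset you found really is a flag test and not unrelated code that happens to share the bytes.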
  • Super Moderator

I'll find the exact offset for those fself patches.

Will the QA flag for 4.70 CEX also be added in the new toolbox? :)

  • 2 weeks later...

This project seems very interesting and ambitious. What kind of error are you getting with the installation of the PUP, Joonie?

  • Developer
LOAD:00000000000CC6EC                 lis       r4, aGameGame_boo_0@h # "Game:Game.bootable"
LOAD:00000000000CC6F0                 li        r5, 0
LOAD:00000000000CC6F4                 addi      r4, r4, aGameGame_boo_0@l # "Game:Game.bootable"
LOAD:00000000000CC6F8                 mr        r3, r27
LOAD:00000000000CC6FC                 stw       r0, 0x320(r31)
LOAD:00000000000CC700                 bl        GetValue_
LOAD:00000000000CC704                 lis       r26, ((off_26E23C+0x10000)@h)
LOAD:00000000000CC708                 extsw     r3, r3
LOAD:00000000000CC70C                 bl        is_product_mode

Btw, here is a little code snippet from explore_plugin (probably also available in other explore_plugin modules) which is responsible for hiding games/apps in factory service mode.

(Has also been for ages on the wiki)

Edited by mysis

It's useless, since there are no private keys for the USB dongle authenticator keys (no Lv2diag from 4.xx).


It's useless, since there are no private keys for the USB dongle authenticator keys (no Lv2diag from 4.xx).

Yup, I think this point is clear to everyone... In fact, Joonie talked about FSM working only on a CFW with MLT's lv2mem protection patch...


Yup, I think this point is clear to everyone... In fact, Joonie talked about FSM working only on a CFW with MLT's lv2mem protection patch...

He did, huh? :)

Time to go hunting for lost secrets xD

  • Developer
But first we have to find a way to mount dev_hdd0; FSM doesn't mount it on boot. Only dev_flash gets mounted, unless your research is the key to mounting dev_hdd0 in FSM.

 

 

This project seems very interesting and ambitious. What kind of error are you getting with the installation of the PUP, Joonie?

The last time I tried a PUP installation while in FSM, I got a bd-revoke error, although it was already patched on both sides [lv2diag.self by Jaicrab and UPL.pkg from the PUP itself].

I have dropped this research project, but @zecoxao insists on finding some lost secrets from MLT's CFW. So I guess I will try to rip them off from his CFW if it's possible.

He did so much unusual stuff without revealing all the source code etc., and now he's vanished. The scene would've been much nicer if he had shared his stuff with everyone, but at least his CFW has no DRM.. :)
Edited by Joonie

 

This project is astonishing.

Maybe we will be able to use a PSP as a flasher to unbrick the PS3 through the PS3jig homebrew, if it is possible to come back from FSM.

Excellent work Joonie :)

Edited by Orion
  • Developer

Nice! I am a developer that bricks a lot trying out firmware and homebrew I make.


There's no dumb question, so lemme ask...

From MLT 4.40 and up, was the (software-based?!) FSM trigger dropped, or was it because things changed so it didn't work anymore?

MLT 4.31 could do it, I suppose like that example that has been on the wiki for ages, which says nothing for a leek of course... the wiki... gotta love that shizzle... (if you know what you're doing, that is, hehehe... ;)

PS: about bricking, I didn't know the PS3 had a BSOD also; damn you irisman and all your jazz...

  • 1 month later...
  • Developer

Just want to add to this: there is a way, on DEX at least, to trigger and run apps in FSM from the XMB. If you connect to TM and enable app_home and put a homebrew in a "PS3_GAME" folder, you can start and run this app. I have tried it myself with Rebug Toolbox and a self-made app to exit FSM from the (FSM) XMB, lol.

Edit:

Btw, does anybody know how to make a lv2diag.self that gets accepted? I have tried with the product mode toggle from glevand, but it does not get loaded at all. I am missing something there, but dunno what it is. Running this "lv2diag.self" with TM works fine.

This method of Target Manager is basically the same function Cobra does with NetISO support.

Btw, Cobra works in FSM too, and so does its debug output.

Edited by haxxxen

Just use the old lv2diag.self and be sure your CFW has MLT's lv2mem protection; that's all. Rebug 4.70 CEX/DEX should already have those patches.

  • Developer

Just use the old lv2diag.self and be sure your CFW has MLT's lv2mem protection; that's all. Rebug 4.70 CEX/DEX should already have those patches.

I know that the old lv2diag.self works if the appldr sig check is patched, but I want to make my own lv2diag.self that performs some other tasks as well. But I cannot get any self loaded as lv2diag.self, and crashserious has made his own lv2diag too.

  • Developer

I know that the old lv2diag.self works if the appldr sig check is patched, but I want to make my own lv2diag.self that performs some other tasks as well. But I cannot get any self loaded as lv2diag.self, and crashserious has made his own lv2diag too.

I tried to make my own lv2diag.self too, but with no success. I think we are both missing something, but what?


I know that the old lv2diag.self works if the appldr sig check is patched, but I want to make my own lv2diag.self that performs some other tasks as well. But I cannot get any self loaded as lv2diag.self, and crashserious has made his own lv2diag too.

I think it's quite to sign properly the custom elf you want to create, just pay attention to the flags of the original self...


Resign the lv2diag.self using hdd_copy.self as a template from the CFW you are using, and it will work.
