PS3IDA Released!

It’s been a while since my last post! A lot has been happening lately, I’ve mostly kept my followers updated on what’s new through my Twitter account, but I think that this deserves a post of its own!

I’ve been reversing some PPC code in IDA and unfortunately, it doesn’t handle the PS3 files very well, so I wrote a lot of scripts in order to make it parse the files properly! There was one thing missing though that I couldn’t do with an .idc script: handling of jump tables.

Yesterday, I took on the task of writing an IDA plugin in order to parse the PPC code, find jump tables and define them in IDA’s kernel so the analysis is done properly! It was a very fun and exciting challenge that I enjoyed doing, and I’m happy to say that I succeeded and it works very well (on the files I tried, anyway).

The IDA API is extensive and easy to use, and allows you to do pretty much anything! I also found the IDA Pro Book to be extremely well written and very useful! I would suggest to anyone who likes tinkering to try and write an IDA plugin, because it was a challenging but fun experience!

I initially wrote the plugin thinking that the jump table instruction pattern was always the same, but when I started testing, I found out that some instructions could be in a different order, there might be instructions inserted in the middle of the pattern, different registers might be used, etc., so I eventually had to rewrite my plugin and ended up using a class that comes from IDA’s SDK which takes care of “instruction rescheduling” and “intermingling of the jump sequence with other instructions”. At least I learned from my first try and it made my second try a lot easier. I also realized that I haven’t done any C++ in maybe 5 or 6 years, and I had really forgotten all about how to write C++ code. It was a bit embarrassing to google “how to derive from a class in C++”, lol!

Anyways, I am now releasing my scripts and my PPCJT plugin for IDA under a new project: PS3IDA.

I’ve created the ps3ida repository on git-hacks.com (Thanks again to @dashhacks for providing us with this safe haven for all our legal tools). The repository contains many files, I suggest you read the README file for a description of each, but the most important ones are analyze_self.idc and analyze_sprx.idc. I’ve also ported my lv2_dump_analyzer.idc script to work with IDA 6.0.

There are two plugins in ps3ida. The first one is the well known PPCAltivec released by xorloser; I’ve decided to add it to the project so the source code stays available for anyone who needs it. I also slightly modified the source code so it compiles correctly on Linux using gcc 4.x. The second plugin is PPCJT, which I wrote yesterday; it will find jump tables and define them in IDA’s kernel so the functions get properly analyzed. Just install it, and when you see a switch/case in the code, put the cursor on the ‘bctr’ instruction and press ‘C’ so it can parse the jump sequence and fix it, or just go to “Options->General->Analysis->Reanalyze program” and it will fix them for the whole file.

I have built the PPCJT plugin for Windows and Linux for IDA v6.0, you can download it here.

My personal suggestion, since IDA could screw up the analysis in its initial run, would be to completely undefine the file (Ctrl-PageUp + Alt-L + Ctrl-PageDown + U), then run analyze_self.idc or analyze_sprx.idc. It will take some time, but then you’ll get a beautiful file loaded 🙂 Especially with the correctly named imports, this should help any reverse engineer out there a lot!


P.S.: If you have no idea what I’m talking about, then this is not for you. This does not lead to any ‘CFW’ or jailbreaking of 3.60 or whatever else you might hope for… so don’t come here and post stupid and/or irrelevant questions of that kind… please do not comment if you’re not a user of IDA, or if you don’t know what IDA is, or if you don’t have anything constructive to say.


PPCJT v0.1 for IDA v6.0.

Enjoy!

KaKaRoTo

PS3: Why I don’t like the Hermes payload

First things first, the title says “why I don’t like the Hermes payload”, so this has nothing to do with Hermes himself. I don’t know him, I never spoke to him, so I don’t know what kind of person he is and so I have no opinion on him personally. Now, I want to make some things clear: I’ve seen a lot of people criticize me for ‘bashing Hermes’, and many people seem to think that I’m trying to say “I’m better than him” or something. Also, it looks like I created some confusion with my comments from my previous blog post. So I want to apologize and make sure there is no confusion anymore: when I said that the Hermes payload is ‘dangerous’, people misunderstood me. No, it is not specifically dangerous for your PS3, it won’t brick it or anything; the only ‘danger’ there is, is that it could (in some situations) crash, then you’d need to reboot, that’s it. So don’t freak out about his work being harmful or anything, because as far as I know, it’s not!

Some people also told me “give credit where it’s due”, and I want to do it. I’ve always given credit to people; every time I achieved something, I gave credit to those who helped me achieve it. I’m not looking for fame here (if I were, I would have announced PL3’s release 3 weeks ago when I created it), I’m just having some fun in my free time doing something that I like. Hermes did contribute some nice things, and I appreciate what he did. Mainly, he figured out how to fix the controller issues with some games; that was something very difficult to fix and I’m surprised at how fast he came up with a solution. It was a smart solution and all I can say is “good job”. The other stuff he did in his payload, I don’t like that much, and that’s what I want to cover in this post. I may have been ‘harsh’, but I don’t see the point in trying to be diplomatic, I’m a programmer, not a politician. I don’t like his code, and I speak my mind. I’m being honest, and I’m not trying to criticize him without any reason; as far as I know, I’ve stayed respectful and that’s all that matters to me.

To those who don’t want to know about all the technical details, let me ‘conclude’ here by saying that if the Hermes payload works for you, then good, use it. I’m not telling people to stop using it, and I’m not saying that PL3 works better either; maybe his payload works better in some situations, maybe not, but overall, the user’s choice should always be “whatever works for you”. The PL3 initiative is about having a standard repository for payloads, and having a common code base for everyone to work on, so in the future, PL3 might evolve faster and have more features, or maybe it won’t; the thing to note is that it’s better for payload developers to base their work off PL3. But again, this is meaningless for most users, apart from maybe clearing up the confusion about all these payloads where nobody knows which one to use.

Also, I talked about PL3, which is a common repository for contributors to work on. People seem to have nicknamed it “kakaroto’s payload” or “kakaroto’s pl3”, but I never said it was my payload. PL3 is PL3, it’s not all my work, and if you look at the commit log, you will see that I’m not the only contributor to it. PL3 itself integrates patches and solutions provided by Hermes, Waninkoko and Mathieulh; I improved some of their patches to make sure they work better for non-3.41 firmwares, but it’s still credited as their work. PL3 is not my payload, PL3 is a payload repository for everyone. Also, PL3 as a project is a repository containing multiple payloads (default one, development one, dump_lv2, dump_elfs, etc.). PL3 is not perfect, nothing in the world is perfect, so it might have bugs, it might not work for some people, who knows what might happen. But I never said that it was perfect, so people should stop thinking that I said that. It’s written more cleanly, it’s better in terms of the infrastructure behind it, but that’s the only thing I can vouch for.

Also, for those complaining about me adding a donate button to the blog post, I don’t see how that’s relevant. I’m not begging people for money (and I haven’t received any donations in the last ~3 weeks, just so you know). If you don’t want to donate, then don’t, no reason to bitch about it. I’ve put the button there so that people who appreciate the work and want to donate something have a way of doing it. I asked for donations before because I needed to buy a PS3 for development; I already raised enough money to buy it, so I don’t need any more donations, so I’m not asking people for donation money anymore, as simple as that.

Anyways, here are the more detailed/technical explanations of the reasons why I don’t like his payload:

First, the code is not clean, it’s unmaintainable. The fact that he gives his source code in .rar files instead of a git fork is the biggest issue I have with it. And yes, that does not matter for users, it only matters for developers. The problem with his method of delivery is that you have no way of knowing what he based his code off, so it’s hard to figure out what he changed. Also, when you find out his base and do a diff, you get a huge diff for everything he did, all in one shot, and then you have to reverse engineer it to understand what he patched. That’s complicated and annoying for developers! For those who follow my twitter, you can see how many commits I do; I always like having “small commits” because each commit becomes independent, self explanatory and easy to review. It also makes things easier to integrate: if you want a specific thing, you just merge/cherry-pick that single commit, instead of copy/pasting code and editing it to remove the clutter. The other reason I like git is that if he used it and I merged a commit from him, then the code stays credited to his name in the commit log. It allows me to have his code without ‘taking ownership’ of his work, it allows everyone to be credited for what they did, and I think it’s the first thing to have for an open source and community project.

The reason why I said his code could crash is because his payload got too big and couldn’t fit anymore in the allocated memory we have in the kernel (1296 bytes), so he decided to just move the code to a random position (0x7fff000 I think). This means that his payload will work as long as no application, game or kernel allocates memory which ‘randomly’ ends up in that area; if it does, then the payload would get overwritten and the kernel will crash. The proper way of doing it (PL3 does that) is to allocate memory during the initialization of the payload, copy the functions we want into that memory that we own, and write those functions to be position independent so they would work no matter where they are placed in RAM.

Another reason is the way his syscall8 works. I tried to read his assembly and reverse engineer it, and I seriously was lost and couldn’t understand what was happening. There are no comments (you’ll notice that my payload has a comment on almost every instruction), so how can I integrate his syscall if I don’t even know what it does? If at least it was on git, I could see the commit messages and understand what each chunk of code did, but he doesn’t use git, so… The way he fixed the controller issue was also not very good: he patched two offsets to jump to a function that decides, based on some kind of enum, what response to return, and you controlled that with his own system call 8. Why do something like that? It makes the fix dependent on people using this new syscall, and it’s useless when you can just patch it directly to return the right value.

I also didn’t like the fact that his code became a mess that is 3.41 independent, and it would have taken a huge amount of work just to try to make it work again on 3.15. I already spent time cleaning up the payloads and making them work for older firmwares, so why fork and write code that doesn’t integrate that? It just makes collaboration harder.

There’s also the whole syscall 35 versus 36 issue, but that has nothing to do with his payload since I added sc35 after he released his payload. It’s not about his payload being bad because it doesn’t support it, it’s simply about PL3 having a ‘superior’ (if I may say so) system call. What does it mean for users? Nothing at the moment; maybe it will be used for doing fancier stuff later on, maybe you can map a game to your bluray and a different game to /app_home, that could be useful for users, but for now, it’s simply more flexible and cleaner code.

There are many other small things that I didn’t like, but it mostly just summarizes to “the code is not clean and it’s unmaintainable” and “he doesn’t use git”. Like I said, if you don’t care about that, then I see no reason for you not to use his payload. It doesn’t mean either that he’s not skilled, it simply means that he may lack experience in code sharing and experience in open source. But that doesn’t make his work any less valuable.

I hope this clears things up a bit. I criticized his work, said what I thought of it and people overreacted; I wanted to make sure people didn’t misunderstand me, and didn’t think I don’t respect Hermes for what he’s done already. Everything else is just drama and people trying to get attention. If this post stirs up even more trouble, then so be it, I don’t think I have much more to say. I said what I think, people should take it or leave it. I do not however tolerate people insulting me for no reason at all. So please, criticize me all you want, just stay respectful.

Thank you,
KaKaRoTo
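The memory-placement point made in the post above (a payload squatting at a fixed address the kernel allocator knows nothing about, versus memory the payload allocates during its own init and copies its position-independent code into) as a small user-space model. This is an added example, not code from PL3 or the Hermes payload; the bump allocator, arena size, offsets and payload byte pattern are all constructed for illustration:

```c
/* Added example (not PL3 or Hermes code): toy model of the kernel-memory
 * placement issue. Strategy A copies the payload to a fixed offset without
 * reserving it; strategy B allocates from the allocator first, then copies.
 * Everything here (allocator, sizes, offsets) is constructed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE   0x10000   /* pretend kernel heap, 64 KiB */
#define FIXED_OFF    0x7000    /* "random" spot the squatting payload picks */
#define PAYLOAD_SIZE 2048      /* bigger than the 1296-byte hole the post mentions */

static uint8_t arena[ARENA_SIZE];
static size_t  brk_off;        /* bump allocator: next free offset */

/* Constructed allocator: hands out memory sequentially, unaware of squatters. */
static void *kalloc(size_t n) {
    if (brk_off + n > ARENA_SIZE) return NULL;
    void *p = &arena[brk_off];
    brk_off += n;
    return p;
}

static void reset_arena(void) { memset(arena, 0, sizeof arena); brk_off = 0; }

/* The payload is modelled as a recognisable byte pattern so we can check
 * afterwards whether it survived intact. */
static void fill_payload(uint8_t *dst) {
    for (size_t i = 0; i < PAYLOAD_SIZE; i++) dst[i] = (uint8_t)(0x60 + (i & 0x0f));
}

static int payload_intact(const uint8_t *p) {
    for (size_t i = 0; i < PAYLOAD_SIZE; i++)
        if (p[i] != (uint8_t)(0x60 + (i & 0x0f))) return 0;
    return 1;
}

/* Strategy A: copy to a fixed address without telling the allocator. */
static uint8_t *install_fixed(void) {
    uint8_t *dst = &arena[FIXED_OFF];
    fill_payload(dst);
    return dst;
}

/* Strategy B (what the post describes for PL3): own the memory first, then copy. */
static uint8_t *install_owned(void) {
    uint8_t *dst = kalloc(PAYLOAD_SIZE);
    if (dst) fill_payload(dst);
    return dst;
}

/* A game or the kernel later allocating and writing its own buffers. */
static void simulate_game_allocations(size_t total) {
    while (total > 0) {
        size_t n = total < 4096 ? total : 4096;
        uint8_t *buf = kalloc(n);
        if (!buf) break;
        memset(buf, 0xAA, n);
        total -= n;
    }
}

/* Returns 1 if the payload survived the later allocations, 0 if it was clobbered. */
int run_scenario(int owned) {
    reset_arena();
    uint8_t *p = owned ? install_owned() : install_fixed();
    simulate_game_allocations(0x9000);   /* enough to sweep past FIXED_OFF */
    return p && payload_intact(p);
}

int main(void) {
    printf("fixed-address payload intact:   %d\n", run_scenario(0));
    printf("owned-allocation payload intact: %d\n", run_scenario(1));
    return 0;
}
```

In the model the squatted copy is overwritten once allocations reach its address, while the allocated copy is never handed out to anyone else; the same holds in the real kernel, which is the reason for allocating in init rather than picking an address.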

PSFreedom 1.0 and lots of news!

Hi all,

I’ve wanted to post about PSFreedom for the last 4 days now, but every time there’s something that prevents me from doing so. There is so much happening that it’s hard to keep up, and I’ve been overwhelmed by the reaction!

PSFreedom has seen a tremendous success: it’s been featured on multiple news sites including Engadget, and we’ve had a huge number of ‘fans’ (more like leechers :p) popping up on the newly created IRC channel (#PSFreedom @ irc.freenode.net). Someone (devz3ro) donated a domain and web hosting for our new http://psfreedom.com/wiki website. A number of people have worked hard to create a beautiful and well organized wiki to keep track of all the ports, and many people have tried (and many succeeded) to port PSFreedom to so many different devices, sent me pull requests on github, or simply read my code, reviewed it and commented on my commits so I can improve the code.

Anyways, it has been a tremendous success, real community work and I want to thank personally everyone involved, everyone who helped, whether it be with a small or a big contribution to the project.

Now about the news, I have quite a few… first, a lot of people are asking me how to get this working on the N800 and N810! Well, it’s been working for a few days now, but the mass storage driver was conflicting and made the controller unstable. However, today, drizztbsd contributed a patch that fixes this issue (by killing hald-addon-usb) without modifying any file from your system, so enabling the exploit on the N800, N810 and N900 is all a matter of running the ./psfreedom-enable-maemo.sh script! There is also an easy to use graphical application that should be released today by MohammadAG, and a special thank you to Bash, who also contributed the PSFreedom logo.

I have also received a ton of requests from people to port this to the iPhone and/or one of their Symbian devices… my answer to that is: RTFM!! In other words, no, it is simply *impossible*. It can only be ported to other Linux devices. However, we are close to having it work with iPhoneLinux (actually, I just got confirmation a few seconds ago that it’s finally working), as NTAuthority spent countless hours porting it and fixing the controller’s incomplete driver in order to make this work. Once his port is finished and stable, he will make it available to everyone, so stay tuned and follow the Device compatibility list on the wiki!

Other good news: PSFreedom has been ported to a huge number of devices already, and the list keeps growing every day! We currently support and have working binaries for not only the N800/N810/N900 but also the Palm Pre, Archos 5 (Generation 6), Archos 5 IMT (Generation 7), as well as, thanks to the work of DocMon in porting PSFreedom to the MSM72K controller, the HTC Desire (Bravo), Nexus One, HTC Dream (G1), HTC Sapphire (HTC Magic 32A/32B), HTC HD2 (running Android) and HTC Wildfire, and I’ve received confirmation a few minutes ago that it’s been successfully ported to the HTC Evo as well as the HTC Diamond. Also, waninkoko recently ported PSFreedom to work on the Dingoo open game console.

For the future, you can expect a lot more devices to be supported, like the iPhone/iPod (through iPhoneLinux only) as well as the Gp2x Wiz game console, and the huge list of compatible devices available in our wiki. Also note that running PSFreedom on an Android device isn’t as easy as it is on the N900: you need to flash some nandroid thing, then flash a custom kernel (because Android’s kernel sucks), then run PSFreedom in that environment, then run Nandroid again to restore your system… It is quite complicated, but many people are working on making it much simpler to do; the famous AmonRA contacted me and said he started working on building a PSFreedom-compatible recovery image with a menu item to enable/disable the PSFreedom functionality.

There is one last important bit of news I want to share with you: PSFreedom 1.0 has been released (more like tagged) and it adds support for many devices. The Makefile allows you to build for a specific platform by specifying it as a target: ‘make N900’ or ‘make Desire’ or ‘make Dingoo’ will build it for your needs with the right configuration. Also, more importantly, this version will allow you to customize which payload or shellcode you want to send to your PS3 during the exploit. Many people have requested a version that allows you to play backups; while the original release of PSFreedom didn’t allow that, it quickly got patched to allow the backup manager to work. The new release of PSGroove yesterday also adds 2 system calls that allow user space applications to modify the GameOS kernel, and that means a new payload is available for developers. This version of PSFreedom provides all these payloads and you can choose which one to set by simply copying it to /proc/psfreedom/payload once the module has been loaded. The same also applies to the shellcode.

That’s it for now. There is a ton of other news I’d like to share, but this post is long enough and I’d like to keep some surprises for next time!

Thanks to all for your support!

KaKaRoTo

PSFreedom source code released!

Hi again,

As promised yesterday, I’ve just released the source code for PSFreedom. You can grab it now on github.

If you want to port it to work on another device, then fork the repository and start working, you can send me a pull request once it’s done. See the end of this post for a little howto on porting it to a new device.

I have also decided to remove that video I put on youtube yesterday. I didn’t give the link to anyone, but somehow people found it and it got linked on multiple news sites… that video is useless, hard to watch, and I’m sorry! I’ve made a new video that you can view here:

Since yesterday I’ve been spammed with emails, comments on my blog, PMs and pings on IRC, etc., and my server even went down (it doesn’t seem to be because of high traffic). So I’d like to answer everyone with this FAQ:

Q: What is your relationship with the PSGroove project?

A: PSGroove was released a while ago, while I was already working (about 50% done) on PSFreedom. I had help from Mathieulh and Phire from the PSGroove team, who gave me insight on what the jailbreak does. When PSGroove was released, I read its code to understand what it does and to make sure my code worked in the same way. I copied the descriptors and payload from the code of PSGroove, and I give them credit for what they did, and for what I copied from their project. I set my license to GPL v3 to match theirs, and I gave credit to those who helped me on IRC. However, I say and I insist that PSFreedom is not a port of PSGroove, because I never took their code and ported it to the N900; this is my original work, and I wrote all of its code from scratch. Some of the PSGroove team seem to be in conflict with me because of that; they insist that “if you looked at our code, then it is without question a port of PSGroove”, and I believe we have two very different understandings of the term ‘port’.

Q: Can/when is it going to work on the iPhone/Symbian/my phone?

A: PSFreedom is a Linux driver, so it will only work on Linux-enabled devices, which means not on iOS and not on Symbian, so please stop asking about that!

Q: Will it work on the 770/N800/N810?

A: I only did this for the N900. I might port it to other devices, but right now, I cannot give any guarantees to anyone that it will be ported or that it will work on another device… The source code has been released and whoever wants to contribute can go ahead, fork my repository, and send me a pull request when you get something working.

These are Linux devices, so yes, it should work, but just like any other device, they use a different controller than the N900, so a little porting will be necessary.

Q: Will it work from a Linux PC?

A: Unfortunately, no. Most PCs have a USB controller that only supports Host mode, but you need Slave mode to be able to make this work.

Q: Can I run backups with this?

A: At the moment, no. I have used the same payload as PSGroove, which means backups are disabled, although someone already released a version of PSFreedom with backups enabled. In the future, I will hopefully make the module load any payload at runtime; this way you could choose between different payloads.

Q: Can you make it easier to use?

A: Me? No. Someone else? Yes. There is already someone working on a UI for PSFreedom, and it will be available once it’s ready.

Q: What do I need to use PSFreedom on my N900?

A: First, you need an N900 (duh) and a PS3 (duh) with firmware 3.41. The N900 should be running the stock kernel (-omap1), not a modified kernel. Then you just need to scp the files to the N900 and run the -enable script.

Q: How much of the source is Nokia N900 specific? Are you using the Linux USB Gadgets library?

A: Very little is N900 specific, I’m using the include/linux/gadget.h if that’s what you mean. See next Q/A for more info.

Q: How hard is it to port it to a new device?

A: Well, I’ve just separated my code from the N900 specific stuff, so it’s quite easy. There are mainly two functions to write, one to get and one to set the USB address, and two other functions that only return some static result depending on the configuration of the controller (the name of the endpoints, and whether the controller supports high speed or full speed mode).

Read the README file provided with PSFreedom, and check the psfreedom_machine.c file for specifics on what to implement.

Q: How can I port it to a new device?

A: Well, first, you need to figure out what controller your device uses; in the case of the N900, it’s ‘musb’.

Then go to the driver code for that controller (probably in drivers/usb/gadget) and look for ‘SET_ADDRESS’. In the case of musb, it was in drivers/usb/musb/musb_gadget_ep0.c. In there it was setting the address of the USB device, so just copy that code into psfreedom_machine.c to allow setting the address, and add a similar function to be able to retrieve the address.

Then add a function to return 0 or 1 depending on whether the controller supports HIGH, FULL or LOW speed mode (go to usb_gadget_register_driver for your controller, and in the first lines it should validate the speed argument, which will tell you which ones are acceptable); make the LOW speed function return TRUE only if FULL speed isn’t available.

Finally, add a function to return the endpoint names. It will usually be something like ‘epXin’ and ‘epXout’ (where X is the endpoint number), or “epXin-bulk”, etc. Look at how the driver initializes its endpoints, or grep for “->name” in the file to find where it sets it…

That should be enough!
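A user-space model of the four machine-specific hooks the porting steps above describe (get/set address, speed capability, endpoint name), added here as an example and not PSFreedom’s own psfreedom_machine.c. The hyp_* function names and the hyp_controller struct are assumptions, standing in for the real register the driver writes in its SET_ADDRESS path, the speeds usb_gadget_register_driver accepts, and the “->name” scheme the driver uses:

```c
/* Added example, not PSFreedom's psfreedom_machine.c: a compilable user-space
 * model of the machine-specific hooks a port has to provide. All hyp_* names
 * and the controller description are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the gadget controller's state. On a real port the
 * address comes from the register the driver writes on SET_ADDRESS
 * (musb_gadget_ep0.c for musb), the speed flags from what
 * usb_gadget_register_driver accepts, and the naming scheme from "->name". */
struct hyp_controller {
    unsigned char faddr;     /* device address register, 7 bits on USB */
    int supports_high;       /* controller accepts high-speed gadget drivers */
    int supports_full;       /* controller accepts full-speed gadget drivers */
    const char *ep_suffix;   /* "" for epXin/epXout, "-bulk" for epXin-bulk */
};

static struct hyp_controller ctrl = { 0, 1, 1, "" };

/* Hook 1: read back the address the controller currently answers to. */
int hyp_get_address(void) { return ctrl.faddr; }

/* Hook 2: set the address, mirroring the driver's SET_ADDRESS handling.
 * Rejects values outside the 7-bit range instead of silently truncating. */
int hyp_set_address(int addr) {
    if (addr < 0 || addr > 127) return -1;
    ctrl.faddr = (unsigned char)addr;
    return 0;
}

/* Hook 3: speed capabilities. As the porting notes say, low speed is
 * reported as available only when full speed is not. */
int hyp_is_high_speed(void) { return ctrl.supports_high ? 1 : 0; }
int hyp_is_low_speed(void)  { return ctrl.supports_full ? 0 : 1; }

/* Hook 4: endpoint name in the driver's scheme, e.g. "ep1in" or "ep2out-bulk".
 * Returns -1 if the name would not fit in the caller's buffer. */
int hyp_get_endpoint_name(int ep_num, int in, char *buf, size_t len) {
    int n = snprintf(buf, len, "ep%d%s%s", ep_num, in ? "in" : "out", ctrl.ep_suffix);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Self-check helper: does the generated name match what the driver expects? */
int hyp_endpoint_name_is(int ep_num, int in, const char *expected) {
    char buf[32];
    if (hyp_get_endpoint_name(ep_num, in, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* Re-describe the controller, e.g. for a driver with "-bulk" names and no
 * full-speed support, to show how the hooks change per device. Returns 0. */
int hyp_describe_controller(int high, int full, const char *suffix) {
    ctrl.supports_high = high;
    ctrl.supports_full = full;
    ctrl.ep_suffix = suffix;
    return 0;
}
```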

Ok this is it for now with the FAQ. Next time, I’ll tell you all about my experience, what problems I encountered and how I fixed them, maybe it will help others!

Enjoy it!

KaKaRoTo