Enter/Leave Service Mode w/ a USB dongle - Modding

By Gary
at 2011-03-19T17:43
graf_chokolo really is gifted...
http://grafchokolo.com/ps3-development-page.html/comment-page-8/#comment-2558
graf_chokolo says:
March 16, 2011 at 2:36 pm
Guys, take a look at my ps3dm-utils.
Now you can enable service mode from Linux :-)
Look at ps3dm_usb_dongle_auth :-)
Hey! Everyone take a look at my ps3dm-utils; you can now enter service mode from Linux.
Pay attention to the ps3dm_usb_dongle_auth part.
nEsCh says:
March 16, 2011 at 9:32 pm
enable… cool
Enable... cool.
Could you disable it too?
Is there a way to disable it?
graf_chokolo says:
March 17, 2011 at 7:09 am
Yes :-) You have to write 0xff to EPROM offset "Product Mode" (see
my HV page) by using ps3dm_um :-)
Of course. Just use the ps3dm_um tool to write 0xff to the EPROM address for Product Mode and
you can leave it.
graf_chokolo says:
March 17, 2011 at 7:59 am
1st step – Generating a challenge
----------------------------------
Step 1 - Make the console issue a challenge
# ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_challenge
2nd step – Generating a valid response for a challenge
-------------------------------------------------------
Step 2 - Produce the correct response
You need a dongle ID.
The valid range for dongle IDs is 0x0000 ~ 0xffff. So choose one; it doesn't
matter which one, but some are revoked !!!
You will need a dongle ID; pick any one in the range 0x0000 ~ 0xffff. The number
doesn't matter, except that some have been blacklisted (so if one doesn't work, try another).
# ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xBABE
here is a challenge like this 0xXX 0xXX ... of size 20 bytes
The challenge looks like 0xXX 0xXX ... with a total length of 20 bytes.
3rd step – Verifying response (Enabling "Product Mode")
--------------------------------------------------------
Step 3 - Verify the response (if correct, Product Mode is enabled)
# ps3dm_usb_dongle_auth /dev/ps3dmproxy verify_resp 0xBABE
here is the response from step 2 like this 0xXX 0xXX ... of size 20
bytes
The response has the same format as the challenge, also 20 bytes long.
4th step – Checking if "Product Mode" is enabled
-------------------------------------------------
Step 4 - Check whether Product Mode is enabled
The returned value shouldn't be 0xff.
The returned value must not be 0xff.
# ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07
5th step – Disabling "Product Mode"
------------------------------------
Step 5 - Disable Product Mode
# ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff
graf_chokolo says:
March 18, 2011 at 12:42 pm
Guys, just to make sure that you understand. There is no need for
Linux and my ps3dm-utils to enable "Service Mode". You could also
create a GameOS app which does the same as what I'm doing on PS3 Linux.
GameOS can do it also, communicate with the USB Dongle Authenticator in
HV process 6 :-) So, you could create a GameOS app which enables
"Service Mode" without a USB dongle.
To avoid any misunderstanding, let me clarify. You don't necessarily need my ps3dm_utils to
enable Service Mode; you could also write a program that enables it from GameOS. I just
happen to do it via Linux. It can be done from GameOS as well, as long as you can talk to the
USB dongle authentication manager in HV process 6, so entering Service Mode from a GameOS
application is entirely feasible.
graf_chokolo says:
March 17, 2011 at 7:25 pm
And after you enabled "Service Mode" guys, you can use the ps3dm_um
utility to install your new custom CORE_OS_PACKAGE.pkg without a PUP
file, directly from Linux :-)
Also, once you are in Service Mode, you can use the ps3dm_um tool under Linux to write a
custom CORE_OS_PACKAGE.pkg to the console's NOR flash (without having to defeat the file
integrity check Sony added to the update manager).
Remote_Buffer says:
March 18, 2011 at 1:37 am
And this core_os can be from the original 3.60 unpacked firmware?
Thanks for the reply, friend, you are not alone in this fight against
$QNY, I will help you.
And CORE_OS can be obtained from the 3.60 .PUP file. Thanks for the reply! You're not alone
on the road against Sony.
graf_chokolo says:
March 18, 2011 at 12:41 pm
It can be either original or modified. But I don't think you should
update to 3.60 :-)
Right, CORE_OS can be either official or custom-made; even so, I don't think you need to
upgrade to 3.60.
Cookie says:
March 18, 2011 at 4:51 pm
Graf, would downgrading be as simple as entering service mode on your
Linux, installing a lower version core_os via your updater, exiting
service mode and Linux, and going into recovery mode and installing
the lower version PUP? I assume the recovery mode step will be
necessary to flash the other required parts of the firmware.
Or can you emulate the full update process in Linux?
Graf, is the downgrade procedure: first enter service mode, then install a lower-version
CORE_OS with your updater, then leave service mode, and finally reinstall the lower-version
official firmware from recovery mode? I'm guessing recovery mode is needed because other
parts of the flash still have to be written; or can you perform the complete firmware update
from Linux?
graf_chokolo says:
March 18, 2011 at 8:26 pm
You have access to all VFLASH regions on Linux with my drivers, so
you could extract dev_flash tars and write the content to VFLASH.
My tools give you read/write access to the whole VFLASH region, so you can also write the
dev_flash files to their corresponding locations. (Translator's note: a complete downgrade
under Linux is possible.)
******
So far I've only played around with graf_chokolo's kernel; I haven't had time to try such a
high-risk operation.
Tags: Modding