KaKaRoTo says something - Console Modding
By Kumar
at 2012-10-24T02:51
Since the LV0 keys have now been leaked, I believe I can now share this info
with you, to help out those who are trying to build their own 4.x CFW:
The NPDRM ECDSA signature in the SELF footer is checked by lv2. It first asks
appldr to tell it whether or not the signature is to be checked, and appldr
will only set the flag if the SELF is a NPDRM with key revision from 3.56+
(the ones without private keys). This means that the SELF files signed with
the new 3.56+ keys still don't have their ecdsa checked (probably to speed up
file loading).
If appldr says the ecdsa signature must be checked, then lv2 will verify it
itself, and return an error if it's not correct. There are many ways to patch
this check out.
1. Patch out the check for the key revision in appldr
2. Patch out the "set flag to 1" in appldr if the key revision is < 0xB
3. Patch out the code in lv2 that stores the result from appldr
4. Patch out the actual sigcheck function from lv2.
5. Ignore the result of the ecdsa from lv2.
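Editor's note: methods 1, 2 and 4 modify files; methods 3 and 5 modify memory.
Modifying files is basically the simpler route, since you only need to sign the
file. Modifying memory still requires modifying a file first, in order to
enable the peek & poke functions; only then can memory be modified.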
Here is one of the patches (the 4th one, patching out the check function from
lv2):
In memory 0x800000000005A2A8, which corresponds to offset 0x6a2a8 in
lv2_kernel.elf,
Replace:
e9 22 99 90 7c 08 02 a6
With:
38 60 00 00 4e 80 00 20
This is for the 4.21 kernel (that was the latest one when I investigated
this), I will leave it as an exercise to the reader to find the right offsets
for the 4.25 and upcoming 4.30 kernel files.
And here's another bit of info... in 4.21 lv2, at memory address
0x800000000005AA98 (you figure out the file offset yourself), that's where
lv2 loads the 'check_signature_flag' result from appldr, so if you prefer
implementing method 3 above, just replace the 'ld %r0,
flag_result_from_appldr' by 'ld %r0, 0' and you got another method of
patching it out. Either solution should work just the same though.
Enjoy homebrew back on 4.x CFW....
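p.s: Thanks to flatz and glu0n who helped reverse this bit of info.
Looks like I was right to keep sitting tight on 4.20. I hope there will be good news by the time I go back at the end of the year.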