PSGrade: is an open-source downgrade method not far off? - Modding

By Rebecca
at 2010-11-22T23:29
http://ppt.cc/gJn_
zAxis, of PSX-Scene, has been working diligently on an open source
version of psdowngrade known as "PSGRADE." Today he shares his work
with the public; however, it is not fully functional, as his code still
requires the dongle master key, which is buried under the PS3 console.
The good news, however, is that zAxis can retrieve the key via 3.15
firmware.
He is asking the community, anyone with a 3.15 console, to help
retrieve this key. Once retrieved, PSGrade should become fully
functional. Below is his request to the public.
To anyone who wants to help, here is what you have to do:
1- run the PSGrade I posted (just like jb)
2- reboot into linux (no power cycling!!)
3- dump HV (and post it)
if you don't know how to dump HV in linux, then google it (you will
need to open your ps3 and solder it DON'T DO IT IF YOU ARE NOT AN
EXPERT!!!)
Once you get the key, post it in key.h and try it.
Please remember, this is a work in progress, nothing is working
yet (so don't ask for hexes), and nothing is for sure.
Good Luck!
Oh, and thanks to graf_chokolo for ... everything, Hansi for the
dump, and mathieulh for PSGroove (PSGrade is a derivative of PSGroove)
and everyone else.
According to graf_chokolo, to get the PS3 to decrypt the master
key, you have to call "Verify Response", and the master key will be
saved in plain text. It is called when plugging in a jig, and that is what
PSGrade is.
Once we have the key, we will have a working jig :-)
And no, 3.41 is no good even if you have dumped the HV.
Download PSGrade (not yet fully functioning):
https://github.com/zAxis/PSGrade
******
This article is full of technical terms, so first an explanation of how the JIG works. The JIG is an active component that must have hardware computing capability. When the console is about to enter Factory/Service mode, it checks whether a JIG device is present on the USB port. A JIG device has a special USB ID whose first four digits are 0xAAAA. If that matches, the system generates a random number and then, using the key mentioned in the article above, encrypts 1. that random number and 2. the JIG's USB ID together, and sends the result to the JIG. On receipt, the JIG decrypts the message with the same key and sends the decrypted result back; only when the console finds the comparison matches does it allow entry into F/S mode. (May whoever reposts this article without permission have a son born without an asshole.)

Therefore, the reason PSDG is able to get the console into F/S mode is very likely that it has already obtained that critical key.

That key normally exists inside the console in encrypted form. Only when a JIG device is connected and requests authentication is it temporarily decrypted (it is needed to encrypt the random number and the USB ID, so it cannot be used without being restored to plaintext), and then stored somewhere in the console's memory.

The method zAxis@psx-scene proposes is this: first compile the PSGrade source into a .hex (currently only the atmega32u4 is supported), load it onto a JB (jailbreak) device, and then follow the normal JB procedure. Once the JB starts, the PSGrade program impersonates a JIG and sends an authentication request to the console; the console naturally decrypts the key, encrypts a random number and sends it to PSGrade, and PSGrade tries to decrypt it with the key in key.h and send it back, but at the moment that key is still wrong.

Because the console does not receive the correct random value, it will not enter F/S mode. Next, without rebooting, use OtherOS to run Linux, so that the key is not wiped by the reboot process.

Finally, read out the entire contents of memory with an external circuit and start searching by hand (only 256 MB). The key is 160 bits long.

Some might ask why $QNY doesn't discard the key right after use instead of leaving it in memory waiting to be searched for. You can't blame $QNY for this: in most programming languages, C included, deleting something only marks that memory address as freed; unless other data is written over it, the original contents are not overwritten.
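The last paragraph's point about freed memory, shown as an added C example that is not PSGrade's or the console's code: a hypothetical key slot is "released" two ways, once by only marking it free (the behaviour described above) and once by wiping it first, and a check counts how many key bytes remain readable. The slot structure, function names and the 20-byte sample key are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_BYTES 20 /* 160-bit key, the length the post gives */

/* Hypothetical key slot (not PS3 code): models the console holding the
 * decrypted master key in RAM while a JIG authentication is in progress. */
struct key_slot {
    int in_use;
    uint8_t key[KEY_BYTES];
};

/* Constructed sample key for the demo; not a real console key. */
static const uint8_t SAMPLE_KEY[KEY_BYTES] = {
    0x4a, 0x49, 0x47, 0x2d, 0x53, 0x41, 0x4d, 0x50, 0x4c, 0x45,
    0x2d, 0x4b, 0x45, 0x59, 0x2d, 0x31, 0x36, 0x30, 0x62, 0x21 };
/* Bring the key into the slot, as happens when a JIG asks to authenticate. */
static void slot_load(struct key_slot *s) {
    memcpy(s->key, SAMPLE_KEY, KEY_BYTES);
    s->in_use = 1;
}
/* Naive release, the behaviour the post describes: the slot is marked
 * free but the key bytes stay in memory until something overwrites them. */
static void slot_release_naive(struct key_slot *s) { s->in_use = 0; }
/* Hardened release: overwrite through a volatile pointer so the compiler
 * cannot drop the stores as dead writes, then mark the slot free. */
static void slot_release_wiped(struct key_slot *s) {
    volatile uint8_t *p = s->key;
    for (size_t i = 0; i < KEY_BYTES; i++) p[i] = 0;
    s->in_use = 0;
}

/* Defender's check: count key bytes still recoverable from the slot after
 * release. KEY_BYTES means the whole key is intact. */
static int residual_key_bytes(const struct key_slot *s) {
    int n = 0;
    for (size_t i = 0; i < KEY_BYTES; i++)
        if (s->key[i] == SAMPLE_KEY[i]) n++;
    return n;
}

/* One load/release cycle; wipe != 0 selects the hardened release. */
int residue_after_release(int wipe) {
    struct key_slot s;
    slot_load(&s);
    if (wipe) slot_release_wiped(&s); else slot_release_naive(&s);
    return residual_key_bytes(&s);
}
```

With the naive release all 20 key bytes are still in place; with the wipe none are, which is the property a memory dump taken after the authentication attempt would otherwise defeat.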
******
Sigh, after writing this much, the 426 crowd will probably repost it on the sly again. ..╮(﹋﹏﹌)╭..
--
○ ____ _ _ _ _ ____ _ _ ____ _____ ____
。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \
o _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧
(____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★
o
--
Tags:
Modding