Debugging full games + sniffing

[sguerrini97]

Good evening everybody.
Now i try to explain what i understood from mine experiment with a DEX 4.20 console and some games that requires 3.73+ firmware.
Please correct me if i write something wrong.
- you can connect to your ps3 with debugger or target manager only if you select development mode.

You can connect also in System Software Mode, but you can't use some debugger's / target manager's functions.

- when you are connected with target manager you can set a folder to be mounted as /app_home/ but you can't run anything because you're in development mode and you need a bin with debug enabled.

You can use the /app_home/PS3_GAME/ in system software mode, i tried only with a fself because you have to change the "/dev_bdvd/" in the EBOOT to "/app_home/".

- i try to look in ps3devwiki to understand how convert an EBOOT.BIN from retail to debug, i found that in ELF header at byte 0x14 should be 10 for retail and 20 for debug; but when i look inside the EBOOT.BIN i didn't find anything at that position just 00.

As far as i know the only way to convert a retail eboot to a debug one is to decrypt it and resign it with "make_fself". Changing the header will cause a crash (the ps3 will try to decrypt the eboot with "debug keys", this will fail with a retail eboot).

- in release mode you can run only games that has already received one patch, probably you cannot run anything except things that you have in /dev_hdd0/game

Also in system software mode you need a game update (an EBOOT in /dev_hdd0/game/GAMEID/USRDIR folder. not just game data), but you can run fake signed selfs without any update (didn't test in release mode).

Now my questions are:
For develpoment is there some EBOOT.BIN debug to check the header difference between retail one?

A debug eboot is just a self signed with "make_fself", anyway here you can find some original debug updates.

For release mode is there a way to create a pkg that can install the EBOOT.BIN taken from the original disc?

There's a problem: you need a NPDRM EBOOT to make a PKG, and the EBOOT in disc isn't npdrm.
I tried this with Jak and Daxter Collection:
-Make a package with a npdrm self (make_fself_npdrm and make_package_npdrm / psn_package_npdrm);
-install the PKG;
-Change the EBOOT from /dev_hdd0/game/GAMEID/USRDIR/ with the original EBOOT from disc.

And it didn't work. Anyway if you want to run games with no updates, you can decrypt all selfs and sprx and sign them with make_fself. The problem is that you can do this only with 3.60 selfs.

Sorry for my english.

[stranculet]

Thanks for reply. Just one thing

"You can connect also in System Software Mode, but you can't use some debugger's / target manager's functions."

No i mean th flag Release Check Mode (Development Mode/Release Mode) not the flag Boot Mode (Debugger Mode/System Software Mode/Release Mode)

[zadow28]

There's a problem: you need a NPDRM EBOOT to make a PKG, and the EBOOT in disc isn't npdrm.
I tried this with Jak and Daxter Collection:
-Make a package with a npdrm self (make_fself_npdrm and make_package_npdrm / psn_package_npdrm);


And it didn't work. Anyway if you want to run games with no updates, you can decrypt all selfs and sprx and sign them with make_fself. The problem is that you can do this only with 3.60 selfs.

Sorry for my english.

You can install the npdrm eboot normally, then in target manager just drag/drop the debug one, and delete the npdrm one. then run it.

[stranculet]

You can install the npdrm eboot normally, then in target manager just drag/drop the debug one, and delete the npdrm one. then run it.

Ok, but where can i find the debug EBOOT?

There's a problem: you need a NPDRM EBOOT to make a PKG, and the EBOOT in disc isn't npdrm.
I tried this with Jak and Daxter Collection:

I tried with AStool but also for me this solution did not work. Sei Italiano?

[hansdamft]

what about running the game, put cell reset line and reboot to debugger to dump memory with game selfs? is it possible?

[sguerrini97]

Sei Italiano?

Sì.

what about running the game, put cell reset line and reboot to debugger to dump memory with game selfs? is it possible?

I read some info on that exploit but I didn't undestand how to try..
But I'm not sure that you can dump an "old" game with a core dump..

[hansdamft]

i have not investigated that much with memory dumping and target manager or debugger, but isn't it possible to make a memdump without any restriction from debugger? or without running anything?

so maybe it works like this: set up debugger in settings, start up retail game, pull reset line and then make a normal memory dump in debugger if it reboots to debugger

[sguerrini97]

i have not investigated that much with memory dumping and target manager or debugger, but isn't it possible to make a memdump without any restriction from debugger? or without running anything?

so maybe it works like this: set up debugger in settings, start up retail game, pull reset line and then make a normal memory dump in debugger if it reboots to debugger

We need a running process to make a dump from the debugger, and we can dump memory only with peek & poke (on 3.55) as far as I nkow..
The exploit is intrasting but I don't know what to do with it.

[zadow28]

there havent been an app or game, that i havent been able to dump memory from yet.

[zadow28]

If you havent figured it out yet you can debugg patches also .Like nodrm ones, or games.
When you get the patches. you have to set the folders strait.

Make Ps3_Game folder , copy the USRDIR inside ,put the app_home ,then debugg as normal. the nodrm patch wpould show up as any other patch for an game. ( remember to Fself the EBOOT)
if you want redump as nodrm did it, rebuild eboot.elf the elf would get decrypted right this time.and off coause this eboot work on any rip games.