PS3: Introducing PL3 and 3.01 firmware news

On September 27, 2010, in Development, PS3, by kakaroto

Hi,

I’ll announce two things. First, let’s talk about PL3. PL3 is a new project I started in order to have a common repository of payloads that can be used by any ‘jailbreak’ implementation. I got tired of copying payloads from PSGroove, and I had some nice changes in mine that I thought the PSGroove project could benefit from, so I thought I’d create a single repository that both projects, PSFreedom and PSGroove (or any other similar projects), could use.

You can find it on GitHub, so don’t hesitate to add it as a submodule and use it.

Second important news: I’ve bought a new PS3 just for homebrew. Thanks to all who donated money so I could buy it (I didn’t get enough donations to pay for it, but enough to help). I bought this PS3 used and it came with firmware 3.01! This is good and bad news: I can’t use PSFreedom to jailbreak it, so I’ve put on hold any improvements for it; however, it will allow me to actually port PSFreedom to older firmwares! My plan is to get the jailbreak working on 3.01, then move on to 3.10 and 3.15 (depending on how hard it is, I might skip 3.10).

More good news: after 4 days of work, I was finally able to dump the LV2 memory from the 3.01 firmware, and now all that remains is to find the right offsets to patch and port PSFreedom to 3.01, so all those who are still using this firmware version will soon be able to jailbreak it! Once I’m done with that, I’ll try to do the same with the 3.10/3.15 firmware versions!

To dump LV2, I used a trick and algorithms found by marcan42, so big thanks go to him, as well as to many other people who helped me out, RichDevX and Aaron in particular. I used RichDevX’s idea of ignoring the JIG and brute-forcing the address at which the port1 descriptor gets stored until I get a hit, then using that payload to dump LV2, then finding the right JIG offset for that particular firmware from the dump. Marcan’s trick was to send the data through the ethernet cable using LV1-only hypercalls, and it worked!

The latest git version of PL3 now has a new ‘dump_lv2’ payload which you can use. It is firmware independent and only uses LV1 hypercalls, so it should just work. It will dump all the LV2 memory through ethernet, so fire up Wireshark, save the dump to a .pcap file, and use the tool in PL3/tools to extract the memory dump from the .pcap file.
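To illustrate what the extraction step has to cope with, here is an added example (my own, not the PL3/tools script): a minimal classic-pcap reader that reassembles a memory image from captured Ethernet frames. The frame layout is an assumption standing in for whatever PL3 really emits (a constructed EtherType 0x1337 followed by a 64-bit big-endian offset and the memory bytes), and the capture is assumed to be saved in libpcap format rather than pcapng; it shows why a raw Wireshark capture cannot simply be concatenated, since frames arrive out of order, get duplicated, share the wire with unrelated traffic, and sometimes get lost.

```python
import struct

# Hypothetical frame layout (an assumption, not PL3's real format): each raw
# Ethernet frame carries a constructed EtherType 0x1337, then an 8-byte
# big-endian LV2 offset, then the memory bytes that live at that offset.
ETHERTYPE = 0x1337
PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap, usec timestamps
LINKTYPE_ETHERNET = 1

def parse_pcap(blob):
    """Yield the captured bytes of every record in a classic pcap blob."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    pos = 24
    while pos + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len

def extract_dump(blob, chunk=32):
    """Reassemble the dump: returns (memory, offsets of lost chunks). Frames may
    be out of order or duplicated; lost chunks are zero-filled and reported."""
    chunks = {}
    for frame in parse_pcap(blob):
        if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE:
            continue                  # unrelated traffic on the same capture
        (off,) = struct.unpack("!Q", frame[14:22])
        chunks[off] = frame[22:]      # a duplicate frame simply overwrites
    if not chunks:
        return b"", []
    end = max(off + len(data) for off, data in chunks.items())
    out = bytearray(end)
    for off, data in chunks.items():
        out[off:off + len(data)] = data
    return bytes(out), [o for o in range(0, end, chunk) if o not in chunks]

def dump_frame(off, data):
    """Constructed frame: dummy MACs, our EtherType, offset, payload."""
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!HQ", ETHERTYPE, off) + data

def build_sample_pcap(frames):
    """Constructed capture: wrap raw Ethernet frames in pcap records."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: four 32-byte chunks sent out of order, the chunk at
# offset 64 lost in capture, the chunk at offset 0 duplicated, plus one
# unrelated IPv4 frame that must be ignored.
SAMPLE = build_sample_pcap([
    dump_frame(32, b"B" * 32), dump_frame(0, b"A" * 32),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"junk",
    dump_frame(96, b"D" * 32), dump_frame(0, b"A" * 32),
])

if __name__ == "__main__":
    mem, gaps = extract_dump(SAMPLE)
    print(len(mem), "bytes recovered; missing chunks at", [hex(g) for g in gaps])
```

Reporting the missing offsets matters in practice: a silently zero-filled gap in the dump would later look like a genuine region of zeros when searching for offsets to patch.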

In other news, I will soon upload to Ps3utils an .idc script that will search for and find the syscall table and correctly resolve all of its functions and name them properly, maybe even automatically find all functions of a dump in order to save time creating procs in IDA. I’ll let you know once I’m done with it.

KaKaRoTo


49 Responses to PS3: Introducing PL3 and 3.01 firmware news

  1. zerkman says:

    Congratulations for this achievement, and for all the great stuff you’ve done for the PS3 hacking scene ! Keep up the good work !

  2. Logger says:

    You’re my hero…

  3. shamot says:

    Thanks for that, that’s a great job you’ve done.

    Could you please provide some basic info on how to use PL3 with psfreedom? I was trying to compile it (sbox maemo environment) and I didn’t succeed (no problems compiling the older psfreedom release) as psfreedom is including .h files while the PL3 files have .S suffixes. Are these 2 projects already working together?

    Thanks

  4. kakaroto says:

    @shamot: Yes, it’s already working with psfreedom. Once you get the latest psfreedom, you need to ‘git submodule update --init’ to get it to download pl3, then inside pl3, you need to ‘git submodule update --init’ to get it to download the ps3 toolchain, then go into the ps3 toolchain’s directory (psfreedom/pl3/ps3toolchain) and read its README file to know how to build it. Once the ps3toolchain is built, you can build pl3 by typing ‘make’, which will create the .h files you need for psfreedom. Then you can build psfreedom inside scratchbox.

  5. Emsi says:

    Impressive!
    I can’t wait for 3.15 dump to reenable OtherOs functionality :)

  6. Shark says:

    We need a Backup loader for 3.50 :D i wanna play games online with it xD

  7. abrek says:

    Nice progress. A few questions, though.

    1) Is there any chance you will investigate the old firmwares (pre 2.0)?

    2) What is the current situation with re-enabling otheros feature?

    3) Maybe any guide explaining how interested ps3 owners may help hackers (memory dumping, files, etc…)?

  8. [...] Source Download PL3 Via Github Just a note, ps3hax.net are not associated nor hold responsibility with files hosted off forum, you download at your own risk. [...]

  9. SnoopDo2G says:

    Hi ! KaKaRoTo !
    Very good job , i had to donate something , it ain’t much , but just to show you my support !!!

    Keep up the good job !

  10. [...] 2010 KaKaRoTo tells us about PL3 and another project. KaKaRoTo has announced through his personal blog that he is working on two projects, one of which is PL3, which is a common repository of [...]

  11. Paul says:

    Great stuff! keep up the good work.

  12. shamot says:

    @kakaroto

    thx for explanation..will try it out .)

  13. Mewster says:

    Too bad i just bought a 3.30… I hope someone will find soon a way to downgrade from 3.41 to 3.15, or a 3.30 jailbreak xD

  14. Gam Boi says:

    Music to my ears.

  15. kashman says:

    I’ve got a PAL refurbished ps3 fat unit with FW2.53, that I’m preserving. Will you be trying for anything that far down? I read that the vulnerability was discovered in lower firmwares and that it would be relatively easy to make it available to those but don’t know when that might materialise. I could even send you the PS3 (provided you’re in the UK) if you want it, however, I would like it back.

  16. zeek says:

    This is exciting news. Maybe someday, somehow, a 3.42 or higher payload could be figured out? I’m not sure how Sony blocked it of course but a man can hope. Otherwise, I need to see about buying a new PS3 – my second generation one is getting a bit unstable anyway :/

  17. Dmitriy Fedotov says:

    The friend give, we in you trust, I will pray on you if you make jailbreak
    That would work on an insertion 3.15

  18. Banelos says:

    Good job Kakaroto, great to see all the progress you are making.
    Here’s a well deserved donation :)

  19. kakaroto says:

    @Mewster, @kashman: Right now, the lowest firmware PS3 I have is a 3.01, that’s why I’m doing it for 3.01, then I’ll upgrade to 3.10 and 3.15. I can’t downgrade, and I don’t want to lose OtherOS on this, so I won’t go above 3.15. However, once I’m done, and once I get some more free time, I would be glad to port to other firmware versions.. the more the better :)
    I will post some instructions at some point on how to do it so people can figure it out on their own even.. or with my help.

    @zeek: 3.42 and higher do not have the exploit, so the payload couldn’t even run, so it’s not gonna happen.

    @Banelos: Thank you, that was very generous of you :) You’re currently holding the record for highest donation :)

  20. 315Groove says:

    Woo! I have been patiently waiting for someone to port this to 3.15! I have otherOS installed and could care less about backups but bring on the homebrew. I got screwed into being stuck on 3.15; homebrew will ease my loss.
    PS Stop complaining about 3.42 and up. Since some of you guys clearly don’t understand the exploit is now closed, go do it yourselves. Personally I hope another exploit is never found. Go buy some games, support the guys who work hard on the games you want…

  21. ZaiLH says:

    Great news and superb work as usual. Got my FW @ 3.01 too and want to save OtherOS for now at least. I hope this will work out with my ti84 too, damn fine calculator.

    take care man

  22. kashman says:

    kakaroto, instructions on doing this would be amazing. I’m probably only a little better than a typical woman with technology, you know how they get overwhelmed at the sight of a few too many options.

    So yeah, something step by step with a troubleshooting guide would be extremely helpful.

    If I can’t make it work I might just upgrade to 3.15 so I can keep OtherOS and have jailbreak. Although if marcan’s AsbestOS project comes through we may not even need to keep it at 3.15.

    Many Thanks and keep up the good work kakaroto.

  23. tiktak says:

    a question kakaroto,

    is there a hermes payload v2 in the works? a port to the maemo nokias?

  24. Banelos says:

    @kashman Instructions would most likely be in the form of offsets for a specific firmware and how to apply these to the exploit payload. This would require a lot of programming experience to use.

    @tiktak hermes All port authors should be able to incorporate this new exploit/payload. Hermes should be able to port his payload to the new firmware offsets. Kakaroto will probably have more important things to see to, than porting it to a ton of devices.

  25. Klaisto says:

    Could they do the same for FW 3.21?
    Thanks

  26. [...] quote from kakaroto’s blog: PL3 is a new project I started in order to have a common repository of payloads that can be used [...]

  27. fish says:

    I am so happy on the recent progress on ps3 jailbreak not because of piracy but for the possible solution to the locked DVD region code. I hope sometime soon in the future someone will be able to add that feature for all the anime/movie/jpop fans around the world.

    I imported a lot of region 2 DVD from yesasia and cdjapan, and I would like to see them being played by the ps3 one day so I don’t need to buy another machine to play it.

    Your effort is very appreciated!

  28. Spork Schivago says:

    Hey KaKaRoTo. I will donate money soon (after the third). We have a Teensy 1.0 board without a RESET button. We have downloaded the payload and compiled it many times. Every time we must modify psgroove.c. The code we add is somewhere before main():

    /* Pointer to the chip's bootloader entry, so we can jump into it. */
    void (*start_bootloader)(void) = (void (*)(void))0x1800;

    And in main() after the for(;;) loop:
    if ((PIND & (1 << 7)) == 0) {   /* pin D7 pulled low: user asked for DFU mode */
        TIMSK1 = 0;                 /* Disable timer interrupt */
        USB_ShutDown();             /* Shutdown USB */
        _delay_ms(100);             /* Wait */
        (*start_bootloader)();      /* Jump into the bootloader */
    }

    We did not write the code ourselves. Everyone with this specific type of board, which is an AT90USB162 (Atmel), needs this code or they cannot get into DFU programming mode without manually shorting out some pins (and risking frying the chip). I do not think it would hurt other boards. Maybe you could add it to the psgroove.c file so we no longer have to add it manually every time? Thanks.

  29. kakaroto says:

    @Spork Schivago:
    Humm.. I sent that info to the psgroove devs, they’ll know better what to do with it.
    My suggestion is that once you do those changes on the git clone of psgroove, make a commit, then don’t ever redownload psgroove, simply do ‘git pull’ to get all the latest changes merged into your repository, while leaving your changes intact.

  30. Spork Schivago says:

    Thank you KaKaRoTo for the quick response. We have been trying to figure out how to update the code for a couple days now. I read the man page for git and I was trying git pull Never thought of just using git pull. Worked like a charm. Thanks again.

  31. Spork Schivago says:

    I know this isn’t the proper place but yeah, we managed to get semi-on the PSN kinda. We got on the What’s New and the PS Store. Is this new or can people besides us get on? We tried the PSN thing and it said we had to sign up or sign on, so we signed on, then it said we needed to update our firmware, even when we tried getting back on the PS Store and stuff….so we did a thing or two so we could get back on the PS Store….was thinking maybe we could run wireshark or something and see what’s downloaded when we try signing on to the PSN to see why the PS3 blocks our attempts in the future. I do believe that whatever it does, it does not do it to the hard drive but to flash…maybe /dev_flash2 or /dev_flash3? We’re willing to try stuff if anyone has any suggestions.

  32. kakaroto says:

    As far as I know, no one can get online on PSN…
    Who are you by the way? What are you working on ?

  33. Spork Schivago says:

    I’m no one really. We (my girlfriend and I) just want to help, you know? So do you know if anyone besides us has figured out how to get on the PS Store or the What’s New thing?

  34. kakaroto says:

    Like I said, as far as I know, nobody else did.. It would be nice if you could share that information, I’m sure many people would be grateful (not Sony) :)

  35. Spork Schivago says:

    It’s not really that hard or special. I think Sony would be able to block it pretty easy. Like I said previously, it doesn’t allow you to do anything once you sign up but the PS Store and What’s New works until you sign up. Umm, it’s more of a work around. Basically, what you do is you go into system settings and you do Restore PS3 System (or something similar). I was on some medicine when I did what I did last night so it’s a bit fuzzy. But we formatted the hard drive. I do not believe the changes Sony does to the PS3 that prevent us from using the PS Store and What’s New are stored on the hard drive because I made a copy of the drive (using dd in Linux) before I signed up to the network and then I restored the image (using dd in Linux :) ) after I signed up and I still could not access the PS Store. Currently, I’m backing up the flash directories using ftp (yuck). Currently, I cannot go to the PS Store because I signed in to the network last night. Once I finish backing it up, I am going to do the system restore, run the ftp server, back up the directories again, and compare the two. If you have any ideas on what I can try, I’m all ears. I had wireshark running and captured the network traffic while I was signing in to the PSN. Oh, I also have a DNS server setup on my Linux machine that the PS3 uses. The PS3 grabs my version of the ps3-updatelist.txt file (which says in it that it requires 3.15 to get on the PSN stuff). I think this is important because without this file, I do not think I would be able to view the What’s New and the PS Store. I would also like to add that although I can see the Netflix Discless program app, it will NOT let me download it without being signed into the PSN. I will help you set up a DNS thing if you don’t have one setup or if you want to try and use mine, I could probably open a port on the router but I do not want to give out my IP to everyone so maybe we could chat about it privately or something? Just a thought.

    Spork

  36. Spork Schivago says:

    I backed up the system and redid it. Just so you’re clear on it, I went to Settings -> System Settings -> Restore PS3 System and then did a Quick Format. I tried doing Settings -> System Settings -> Restore Default Settings (I think this might work?) but there was a problem with my DNS server and I did not realize it so I chalked it up to it needing the full format when in fact, it might not have. Also, none of the games or anything on the PS Store will download without signing into the PSN. You can browse them though and that’s a start I think to maybe finding a way to trick the system.

  37. Spork Schivago says:

    Sorry for all the posts, I have run some tests and the information that allows us to get on to the PS Store and What’s New is in fact stored in the Registry. I had to restore xRegistry.sys and xRegistry.sys.val. They reside in /dev_flash2/etc. Although on my system the files are of the same length, they are not the same. I looked at xRegistry.sys with Stoker25’s registry editor and compared it to the xRegistry.sys file AFTER signing up, the one that will not allow us on to the PS Store. There are some changes. Certain keys are missing (for example, /setting/user/00000007/npaccountid is blank before I sign up for the PSN, after it is completely missing). Perhaps these keys are the ones that prevent people from accessing the store? If xRegistry.sys.val is not uploaded with xRegistry.sys, the system will tell you it’s corrupt next time it’s rebooted. We had to reboot after we uploaded the two files as well. Make sure you upload them as binary files if anyone decides to verify this. :)

  38. Spork Schivago says:

    I took the fresh registry that lets me log onto part of the network and I filled in various information from the registry that says I need to update my firmware to login, most notably the /setting/user/…/npaccount/accountid, loginid, and password. Once I rebooted, it still let me look at the What’s New but it would not let me log into the Store anymore. Once I removed the accountid and the loginid, I could go back to getting into the Store. I think this is important. I also think, but cannot verify, that maybe the accountid I got from the bad registry is what’s preventing us from actually being able to login to the PSN. Our accountid starts with a 7 and ends with a 5. If someone could perhaps check to see if their accountid is the same? If we have a PS3 that’s not hacked and capable of logging into the network, maybe we can use a sniffer to snatch a valid accountid?

  39. Spork Schivago says:

    I think I’m gonna move this convo over to a forum. I’m thinking psx-scene (that’s where I found that registry editor at). This way more people can maybe suggest some stuff. I won’t forget to donate on the 3rd though. :) Thanks again for all the great work with the PL3 stuff. A repository was long overdue. Awesome job.

  40. Spork Schivago says:

    Your donation, sir, has been sent. I will try to donate again in the future but cannot make any promises. The missus got laid off not too long ago and I’m kinda taking a break from the working scene. Sorry it couldn’t be more. We have a copy of the new Netflix app and when we go to install it (it’s a .pkg), it errors out around 14% or so. Would that be a firmware issue that might be fixed eventually or wouldn’t you know? Peace.

  41. kakaroto says:

    Thanks a lot for that, it was very generous of you. Don’t worry about sending anything else. Keep your money, you need it more than I do.
    About the Netflix issue, I have no idea. Some packages just fail to install for some reason..

  42. AJ says:

    is this on?!…. kakaroto THANKS!!!!!!!!!!!!!

  43. tohdom says:

    Hi, KaKaRoTo.
    For the love of god, please make in your firmware an option to disable trophy notifications. I don’t care for them and I hate that they keep popping up, distracting from the game.

    Why on earth Sony still did not do that option officially? ;/

  44. Saurian says:

    @ tohdom – could not agree more. I’m at my wits’ end playing games on the PS3 now; as soon as a custom firmware is available which allows the disabling of this idiotic notification I would be all over it.

  45. kakaroto says:

    hehe, I don’t know how to do it, but we’ll look into it, it’s definitely a good idea to have that sort of choice.