PS3: Why I don’t like the Hermes payload

On October 16, 2010, in Development, PS3, by kakaroto

First things first, the title says “why I don’t like the hermes Payload” so this has nothing to do with Hermes himself. I don’t know him, I never spoke to him, so I don’t know what kind of person he is and so I have no opinion on him personally. Now, I want to make some things clear, I’ve seen a lot of people criticize me for ‘bashing Hermes’, and many people seem to think that I’m trying to say “I’m better than him” or something. Also, it looks like I created some confusion with my comments from my previous blog post. So I want to apologize and make sure there is no confusion anymore : When I said that the hermes payload is ‘dangerous’, people misunderstood me.. no it is not specifically dangerous for your PS3, it won’t brick it or anything, the only ‘danger’ there is, is that it could (in some situations) crash… then you’d need to reboot, that’s it.. so don’t freak out about his work being harmful or anything, because as far as I know, it’s not! Some people also told me “give credit where its due”, and I want to do it, I’ve always given credit to people, every time I achieved something, I gave credit to those who helped me achieve it. I’m not looking for fame here (if I did, I would have announced PL3′s release 3 weeks ago when I created it) I’m just having some fun in my free time doing something that I like. Hermes did contribute some nice things, and I appreciate what he did, mainly he figured out how to fix the controller issues with some games, that was something very difficult to fix and I’m surprised at how fast he came up with a solution and it was a smart solution and all I can say is “good job”. The other stuff he did in his payload, I don’t like that much, and that’s what I want to cover in this post.. I may have been ‘harsh’, but I don’t see the point in trying to be diplomatic, I’m a programmer, not a politician. I don’t like his code, and I speak my mind, I’m being honest, and I’m not trying to criticize him without any reason, as far as I know, I’ve stayed respectful and that’s all that matters to me. To those who don’t want to know about all the technical details, let me ‘conclude’ here by saying that if the hermes payload works for you, then good, use it, I’m not telling people to stop using it, I’m not saying that PL3 works better either, maybe his payload works better in some situations, maybe not, but overall, the user’s choice should always be “whatever works for you”. The PL3 initiative is about having a standard repository for payloads, and having a common code base for everyone to work on, so in the future, PL3 might evolve faster and have more features, or maybe it won’t, the thing to note is that it’s better for payload developers to base their work off PL3. But again, this is meaningless for most users, apart from maybe clearing up the confusion about all these payloads and nobody knows which one to use. Also, I talked about PL3, which is a common repository for contributors to work on, people seem to have nicknamed it “kakaroto’s payload” or “kakaroto’s pl3″, but I never said it was my payload, PL3 is PL3, it’s not all my work, and if you look at the commit log, you will see that I’m not the only contributor to it. PL3 itself integrates patches and solutions provided by Hermes, Waninkoko and Mathieulh, I improved some of their patches to make sure it works better for non-3.41 firmwares, but it’s still credited to be their work. PL3 is not my payload, PL3 is a payload repository for everyone. Also, PL3 as a project is a repository containing multiple payloads (default one, development one, dump_lv2, dump_elfs, etc..). PL3 is not perfect, nothing in the world is perfect, so it might have bugs, it might not work for some people, who knows what might happen. But I never said that it was perfect, so people should stop thinking that I said that. It’s written more cleanly, it’s better in terms of the infrastructure behind it, but that’s the only thing I can vouch for. Also for those complaining about me adding a donate button to the blog post, I don’t see how that’s relevant, I’m not begging people for money (and I haven’t received any donations in the last ~3 weeks just so you know). If you don’t want to donate, then don’t, no reason to bitch about it. I’ve put the button there so that people who appreciate the work and want to donate something have a way of doing it. I asked for donations before because I needed to buy a PS3 for development, I already raised enough money to buy it, so I don’t need any more donations, so I’m not asking people for donation money anymore, as simple as that. Anyways, here are the more detailed/technical explanations on the reasons why I don’t like his payload : First, the code is not clean, it’s unmaintainable. The fact that he gives his source code in .rar files instead of a git fork is the biggest issue I have with it. And yes, that does not matter for users, it only matters for developers.  The problem with his method of delivery is that you have no way of knowing what he based his code off, so it’s hard to figure out what he changed.. also, when you find out his base, and do a diff, you get a huge diff for everything he did, all in one shot, and then you have to reverse engineer it to understand what he patched. That’s complicated and annoying for developers! For those who follow my twitter, you can see how many commits I do, I always like having “small commits” because each commit becomes independent, self explanatory and easy to review. It also makes things easier to integrate, if you want a specific thing, you just merge/cherry-pick that single commit, instead of copy/pasting code, and editing it to remove the clutter. The  other reason I like git is that if he used it and I merge a commit from him, then the code stays credited to his name in the commit log, it allows me to have his code without ‘taking ownership’ of his work, it allows everyone to be credited for what they did, and I think it’s the first thing to have for an open source and community project. The reason why I said his code could crash is because his payload got too big and couldn’t fit anymore in the allocated memory we have in the kernel (1296 bytes), so he decided to just move the code to a random position (0x7fff000 I think). This means that his payload will work as long as no application, game or kernel allocates memory which ‘randomly’ ends up in that area.. if it does, then the payload would get overwritten and the kernel will crash. The proper way of doing it (PL3 does that) is to allocate memory during the initialization of the payload, copy the functions we want in that memory that we own, and write those functions to be position independent so they would work no matter where they are placed in RAM. Another reason is the way his syscall8 works, I tried to read his assembly and reverse engineer it, and I seriously was lost and couldn’t understand what was happening.. there are no comments (you’ll notice that my payload has a comment on almost every instruction), so how can I integrate his syscall if i don’t even know what it does… if at least it was on git, I could see the commit messages and understand what each chunk of code did, but he doesn’t use git, so… The way he fixed the controller issue was also not very good, he patched two offsets to jump to a function that decides on some kind of enum on what response to return and you controlled that with his own system call 8.. why do something like that? it makes the fix dependent on people using this new syscall, and it’s useless when you can just patch it directly to return the right value. I also didn’t like the fact that his code became a mess that is 3.41 independent, and it would have taken a huge amount of work just to try to make it work again on 3.15. I already spent time cleaning up the payloads and making them work for older firmwares, so why fork and write code that doesn’t integrate that, it just makes collaboration harder. There’s also the whole syscall 35 versus 36 issue, but that has nothing to do with his payload since I added sc35 after he released his payload. It’s not about his payload being bad because it doesn’t support it, it’s simply about PL3 having a ‘superior’ (if I may say so) system call. What it means for users? nothing at the moment, maybe it will be used for doing fancier stuff later on, maybe you can map a game to your bluray and a different game to /app_home, that could be useful for users, but for now, it’s simply more flexible and cleaner code. There are many other small things that I didn’t like, but it mostly just summarizes to “the code is not clean and it’s unmaintainable” and “he doesn’t use git”. Like I said, if you don’t care about that, then I see no reason for you not to use his payload. It doesn’t mean either that he’s not skilled, it simply means that he may lack experience in code sharing and experience in open source. But that doesn’t make his work any less valuable. I hope this clears things up a bit. I criticized his work, said what I thought of it and people over reacted, I wanted to make sure people didn’t  misunderstand me, and didn’t think I don’t respect Hermes for what he’s done already. Everything else is just drama and people trying to get attention. If this post stirs up even more trouble, then so be it, I don’t think I have much more to say. I said what I think, people should take it or leave it. I do not however tolerate people insulting me for no reason at all. So please, criticize me all you want, just stay respectful. Thank you, KaKaRoTo

Tagged with:  

82 Responses to PS3: Why I don’t like the Hermes payload

  1. Noquarter says:

    Thanks for the response, thing is that no homebrew works whatsoever without a working bluray logic board. I could live without the ps3 games if the homebrew worked.

    Thanks again for all of your time and hardwork, I’ll remember you on payday :)

  2. kakaroto says:

    Humm.. homebrew apps should work regardless of whether or not you have a bluray disc in the drive. homebrew are independent of the bluray. Make sure you’re not doing something else wrong…

  3. Noquarter says:

    I don’t think you understand what I mean. My problem is that the logic board in my blue ray drive is bad. It is easily recreated by completely removing the blue ray drive, no homebrew will boot at all if your blue ray drive is disconnected. This has nothing to do with playing backups. Example: if I have a completely working jailbroken ps3 and disconnect the silver ribbon cable connecting the disc drive no hombrew will boot at all, it always crashes the system. Doesn’t matter what the hombrew is, it just crashes.

  4. Noquarter says:

    I’m positive I’m doing nothing wrong, I have two ps3s I tested this problem with.

  5. kakaroto says:

    Yeah, I understood you, I knew you didn’t say backups.. But I didn’t think that would happen.. it’s weird, homebrew apps shouldn’t depend on the bluray disc.. maybe the kernel does a check.. but if it did, then it would just show an error, and not crash…
    Do you have a psn demo ? tried running that? if it works, then homebrew should just work as well…

  6. madmax says:

    And for to play god of war 3 without BR disc , can you make somethings?

  7. euss says:

    About that failing bluray drive (Noquarter) and unable to start homebrew:

    [Console Serial Number] + [Main circuit board ID] + [BD Drive] + [WLAN board (MAC address)] are bound together (HW-ID) in SCEI Server
    PS3 service mode Jig set-up manual.pdf (page 22)

    Shouldn’t a failing HW_ID result in a TrustedBoot Panic? I’m quite sure that replacing the drive (of Noquarter) should fix the problem, but then the BD Drive FW which is bound to his console should also be transferred.

  8. Noquarter says:

    I have some ps3 games I downloaded from the psn. Unfortunately I’m at work for the next two days and can’t test it. If you have any ideas I can ready them out. when I get back. I’m using the psfreedom recovery mod for the droids eris.

  9. Noquarter says:

    @euss
    Problem is that either my bluray logic bricked, needs reflow or came from another ps3…
    I have no way of knowing what the original owner did. When I get a heat gun I’ll try reflowing the logic board smd. As far as I know there is not currently a way to flash the bluray, wouldn’t it make more sense to write the ID to the firmware? Another problem is that I can’ t run homebrew that could (potentially) do this. I think the only solution would be a payload that bypassed the check. Of course I don’t know how to program so I may completely wrong.

  10. Noquarter says:

    Just to clarify:
    I also tried swapping the bluray logic board from a working ps3, I got the same result.

  11. euss says:

    Noquarter: sadly it is currently not possible to write ID’s to either Blu-ray, Wlan or Mainboard, only to Sony. Same applies to the HW-ID, which is located in de NAND in encrypted format (FW=NAND+HD).

  12. Noquarter says:

    Well, one can hope. Otherwise that ps3 is toast. I would think the encryption is not a problem anymore. I wonder if the wlan failed the check would it cause the same problem?

  13. Noquarter says:

    Kakaroto,
    Could you point me towards a dev who would be interested in my problem?
    After getting home I realized that I would have to do a data transfer over ethernet to test out my psn games. Last time I did that it required me to redownload all of my games, I don’t want to risk losing my paid content.

  14. kakaroto says:

    No I don’t sorry.. I know someone came asking me questions about the same issue (on IRC I think) I directed him to your comments, I think he learned stuff from you, not sure he can help you though (+ I can’t remember who).
    About data transfer, I don’t know what you mean.. But about the psn game activation, read this : http://psx-scene.com/forums/f118/psn-temporary-reactivation-69729/
    Use FTP to get your exdata directory, you can also probably just install the games directly from the .pkg from usb..

  15. shashank says:

    @kakarato: i’ve just bought a ps3 saving money since long time.. I’m going to use a jailbreak for it.. The only thing i want is to play games and nothing else.. Please tell me which payload should i use.. And the only thing i dont want is my ps3 bricked…pls help..also it would be really appreciatable if you could tell me the backup manager that i should use..thanks in advance..:)

  16. Noquarter says:

    @shashank,
    I believe he recommends gaia manager and the default pl3 3.41 payload should work for you. It’s what I use and there is no risk of brick. What are you using for the jailbreak?

  17. shashank says:

    using ps3usbjailbreak its gr8 to use it.. Very simple.. @kakaroto: can you port your payload to nokia 5800 just lyk n900… It would be gr8.. As with 5800 it wud work on some other s60v5 phones as well…:)

  18. JAwofadeju says:

    @KaKaRoToKS Sorry to bother you, im still new to this twitter thing. Not many people have noticed so i thought il contact you directly. Sorry if this sounds stupid but have you noticed when using PL3 and also Hermes that when you try to run photo gallery or life with playstation, it presents you with the error code “8002E302″. I was wondering if theres any fix you can do to solve this because when i try 2 run it wivout using the jailbreak they both work fine. Sorry to bother you and thanks

  19. Menonameyah says:

    you are rather full of yourselve aren’t you?
    ( No Offence )

  20. traccer says:

    I rispect you brother….
    I’m italian
    GOOD WORK

    Sono italiano
    Ti rispetto fratello!
    BUON LAVORO

    Traccer!

  21. sandman says:

    Hi Kakaroto,

    i am very new to psgroove and not really familiar with all the ppc assembly commands.
    Its really good work !!!

    But i am having a problem because my ps3 has this Red Screen problem (either sw or hw firmware fault). I thought that i can maybe use your code to remap the /dev_flash to /dev_usb and then use the xmb acid custom firmware to boot up my ps3. The problem is i need to create a psgroove which automatically maps remaps this paths, cause im not able to install something like a usb firmware loader on a red screen console. Could you please give me some advice of how to create such a psgroove stick. I thought that maybe the map_open_path.h.S is near to something im looking for.

    Would be great if you or somebody else could help me

    Thanks in Advance!!!

  22. kakaroto says:

    @sandman: look at the default payload, it already maps one path to another :
    https://github.com/kakaroto/PL3/blob/master/default_payload.S
    at the bottom, just change the paths in there to have it map dev_flash to dev_usb000.. the problem is that the usb isn’t mounted yet when the ps3 boots, so you’d need a few things :
    1 – make sure you can boot with the psgroove AND a usb stick (for some reason, it works for my n900 but not for psgroove, probably a timing issue)
    2 – call the mount function directly from inside the lv2 kernel to tell it to mount the usb device.

    good luck.

  23. sandman says:

    Many Thanks for your fast reply, but how could i do the usb mounting inside the lv2 kernel ?

    THX

  24. kakaroto says:

    You need to find the internal mount function, it’s used by system call 837.
    You can’t use the system call directly, so try to find the internal mount function being called. The arguments are
    static uint64_t mount(char *device, char *fs_type, char *path,
    uint64_t unknown1, uint64_t unknown2, uint64_t unknown3,
    char **str_array, int array_len)
    The device argument must be the string “CELL_FS_IOS:USB_MASS_STORAGE000″, the fs_type must be “CELL_FS_FAT”, the path would be “/dev_usb000″,
    the other arguments should be unknown1 = 0, unknown2 = 1, unknown3 = 0, str_array = NULL and array_len would be 0.
    Hope that helps.

  25. Sandman says:

    Hy Kakaroto,

    thank you for your help!
    I tried doing it with psgroove but didn’t work out, as you said. So now i’m trying it with psfreedom on a beagle board (omap3 platform).

    But im not really sure about the the internal mount function, how could i add this system call to the psfreedom?? And what did you mean with finding it (mem adr?). Could you please help me out.

    Thank You

  26. kakaroto says:

    @Sandman,
    you’re welcome.
    I can’t do everyone’s work, I can only help when it doesn’t take more than 5 minutes of my time.
    I think you can compile psfreedom on a beagle board with “make omap-1″, check the makefile to make sure, it’s the musb controller anyways, so you should be safe.

    About the internal mount function, like I said, lv2 has a “mount” function that it calls to tell it to mount a device to a path, I gave you the prototype for it. the thing is that I don’t know where it is located (the address of the function), I only know it for the 3.15 firmware, not for 3.41 (because I use 3.15), and for 3.15 I think it’s 0x2AA414 and it’s called by syscall 837 in address 0x1B9B20
    The way you can find the function is easy, go to system call 837, then read its ppc code, you will see it parses and copies the arguments from user space to kernel space, then it calls the internal mount function, that’s what you need to call.
    Syscall 837 is just exposing that “mount” function, but you can’t use it directly from a payload because you can’t call system calls from within the kernel, that’s why I told you to find the internal function instead (one that uses kernel space memory, and not user space memory).
    And how to add it? see the code in PL3, you need to modify PL3 to make it do what you want, in your case, probably in the main, call it with
    BRANCH_ABSOLUTE (%r11, mount);
    and make sure you define mount wth the correct offset in firmware_symbols.h.S
    If you can’t figure that out, then you need to learn how ppc works..
    good luck

  27. sandman says:

    Many Thanks for all that!! I am really new to all this PS3 stuff but now i know what to do. The last question for me is where should i look for the system call 837? Should it be somewhere in the sdk package. Am I right ?

    Thanks

  28. kakaroto says:

    no….
    you must dump lv2 using the dump_lv2 payload (and get the dump through ethernet) and use a disassembler to disasm the dump, find the system call table (using IDA, you can use the tools/analyze_lv2_dump.idc from Pl3).
    You don’t need the SDK for this, at all, we’re not talking about ‘normal’ code, we’re talking about in memory patching of the running kernel.

  29. xJustiinsane says:

    Contact me, I got something for you, but I have no idea other than this to reach you.

  30. jijayles says:

    this kakaroto guy is likeeeeeeeeeeee a godd wkwkwkwkwk i always admire smart person, since i no goood in IT or computer staff

  31. diablposs74 says:

    i have a new blu ray drive on my 60gb ps3. I have lost my original logic board.

    i want to install my new blue ray drive and a new logic board on my ps3.

    Can i possabilly do this?

    if so how?

    can i make it work?