Clarifications about 3.73 (and 4.0) “jailbreak”

Update:
I tested the jailbreak on the latest firmware 4.0 since it was released and I can confirm that it still works.

Hi all,

I’ve been flooded with questions on twitter and I’ve read many posts on news sites and  I’ve seen some stuff being said on IRC and I thought I needed to clarify a few things…

First of all, I didn’t expect to see my tweet front paged on all ps3 hacking news sites.. although I should have expected it.. but anyways, the “jailbreak” is not ready to be used, at all. I only tweeted that because I was excited having it working and I wanted to share my excitement with everyone. But this is a bit equivalent to the day I released that create_cfw.sh script that created the very first CFW/MFW but it still took a couple of months before a real, easy, multiplatform and fully fledged solution was released : PS3MFW.

We are currently at the same state, I have the proof of concept, it works, but a solution that anyone can use where they just click a button and their PS3 gets jailbroken is still far from ready.

I’ve seen people say (and even write it in their front page news) that I’ll release it in two weeks after I come back from vacation. That is not true and I never said that. What I said was that for the next 2 weeks, the project is on hold until I get back.. but when I get back, then I will continue working on it, and it will then take some more time before it’s ready and released.

Some asked if it’s based on what gitbrew was doing/suggesting or if I used someone else’s exploit or work. No, this solution is my own idea and 100% my own implementation. However, the actual solution for the full jailbreak involves some components on which I will not work, and I expect/hope that someone else will provide the solution for that.

Some speculated it might be what I spoke about back in March which I later said I wasn’t pursuing by lack of motivation.. and yes, you are right. The same hack I had in March is still valid today, I told a few people about it (rms, Mathieulh, an0nym0us, and a couple more), but no one was interested in pursuing it further and actually exploiting that flaw (mainly because it requires a huge amount of work to get a proof of concept working). 10 days ago (I started on the 11th), I got bored and decided to start poking at it again, and yesterday (a lot faster than I thought it would take), I got my first pkg installed on 3.73 firmware.

On twitter, I said “do not update if you are on 3.55”, I said that in response to someone who said he would update.  Because of that, people speculated that you need to be on 3.55 first, and then install something before doing the upgrade. No, that’s not it, that would be useless. The purpose of my solution is to jailbreak a ps3 that is already on 3.73 firmware and which had never been jailbroken before. I told people not to update because, first of all, it’s not yet ready, and second of all, the 3.55 firmware gives you a lot more possibilities than what can be achieved on 3.73.

So what is this jailbreak? I won’t say because I don’t want Sony to block it in a firmware update (and yes, they potentially could) before it’s even released (and yes, I will release it when it’s ready). But I will explain this to you : in order to run your homebrew apps, you need two things. First, to be able to install them on the ps3, and second to be able to run it once installed. I did only one of these two things.

Some may say it’s not a real jailbreak, but the way I see it, there are three ‘jails’ on the ps3, I broke the first one which prevents you from installing anything, so now you can install your .pkg, great, but it won’t run, that’s the second jail. The third jail is being able to modify the firmware (peek&poke).

The second jail (running apps) is something that can be done, but it’s not my area of expertise (npdrm algo), so I will not be working on that. I am waiting for someone else to achieve it (some have succeeded but do not wish to release it, at least not for now) then I will release.

The third jail (modifying the firmware) is not possible with my method, this means that you will  not have a “CFW”, you will run your homebrew applications and games on an official firmware. This also means that without peek&poke support, none of the backup managers will work. So, again, my solution is piracy-free, and as always, I do not plan on working on a way to enable piracy (or even legal backups).

Overall, the purpose will be to allow people who are on 3.73 firmware to enjoy the homebrew games that were released, to play a bit with Eskiss, and to use Showtime for playing their movies. This should be more than enough for everyone.

Finally, I will conclude by replying to another question I received : Do you accept donations? The answer is yes. I do accept donations but I do not seek them out. I will include a donate button to the bottom of this post, so if anyone wishes to donate, they can do so, however, I want to make it clear that whether or not you donate does not and will not affect in any way, the release, or the progress of the work I’m doing. If you donate, you would do it as a sign of appreciation of my efforts, and not in exchange of any favors or anything crazy like that.

That’s about it I think… If you have any more questions, please refrain from asking them, I get enough as it is already.. I also said everything I needed to say and I don’t want to give any more information than that (for now).

KaKaRoTo

The Humble Homebrew Collection

Finally, after almost 2 months of hard work, I’m proud and happy to announce the release of the Homebrew game I’ve been working on : SGT Puzzles. It’s a collection of portable puzzle games for Windows, Mac, Linux, Android, PocketPC, Android, etc.. and I’ve ported it to the PS3 too!

The release of this homebrew game comes with the  release of The Humble Homebrew Collection which is inspired by the Humble Indie Bundle Initiative (but not endorsed by it). The difference here is that you don’t have to pay anything in order to enjoy the games, they are free to download by anyone, but you are also able to donate any amount to the developer of the puzzle games (Simon Tatham) as well as the PS3 port developer (me!) and the EFF. You decide who to send the money to just like with the Humble Bundle. I’ve also linked to the game’s Windows, Mac and Android ports if you want them (they are already available in most Linux distributions).

The addition here and probably the most important part is a petition where yo get to sign and send a message to Sony asking for a legitimate way of having homebrew games on the PS3. Every signature will send an email to SCEE, SCEA, SCE Australia, SCE New Zealand and Kazuo Hirai, the CEO of Sony Computer Entertainment.  This is done in the hopes that Sony will finally see the light, learn from the mistakes they’ve been doing these past few years, and finally give us a legitimate and officially supported way of developing homebrew applications for our PS3 Systems.

Sony would be stupid not to answer to that, considering that Apple complied, Microsoft complied and Google complied, and they are all generating huge revenues thanks to homebrewers, with zero investment from their part. I know that the Sony execs only understand when you talk about money, so I hope this is a good enough incentive for them. Clearly, they do not care about their customers, so I don’t think they’ll change anything only to do what is right.

The SGT Puzzles game includes 33 puzzles, which are excellent for the most part. My favorite is and always will be Pattern, as I’ve spent countless hours playing it. I’ve recently also discovered Rectangles and Net which are also very good (in higher difficulties). I suggest you give those puzzles a try. Above all, I hope everyone can enjoy these games.

This all started about 2 months ago when I found a copy of Pattern on my PC and started playing it again. I tweeted about it and asked if someone wanted to port it to the PS3. Clement Bouvet (@TeToNN) quickly made a proof of concept using cairo. That got me excited and I decided to help him. We ended up writing a PS3 application over Simon Tatham’s Portable Puzzle Collection which, I must say, is very well written and made porting it to the PS3 very easy. It took maybe a day or two and the first game was playable on the PS3. At that point, I discovered the Cairo Drawing API which I loved and and I decided to invest myself entirely in this. It took 3 more weeks of hard work to get the whole system working (choose your puzzle game, change difficulty (Select) and writing the whole menu system for the game). I’ve received various help, Surenix made the designs for the menu graphics and buttons, and BeGamer helped design the HHC website.

The game still lacks a few things, and I will continue to work on it and improve it so everyone can enjoy a quality homebrew game, that, I hope, will make the anti-homebrew purists jealous.

The funny thing is that since day one, the source code for this game was available on my github account, but no one noticed it. Only a few people who accidently ended up on my github page found it, but no news website author found it or reported on it. I’m glad, because it allowed me to make this happen the way I wanted it to and launch this HHC initiative when it became ready. I’d like to ask the various websites out there not to link directly to the games (even if you are allowed to) and instead link to humblehomebrew.com so people can sign the petition while downloading.

Most of the code is licensed under the MIT license. Parts of the code (the cairo menu system) is licensed under the LGPL license and I plan on extracting that into its own library for other developers to use in their applications.

The website took about 3 weeks to code. I learned two valuable lessons.. first, HTML coding is crap… secondly, it’s much more complicated than it looks. I hope people will appreciate this effort and I hope the Humble Homebrew Collection will make a difference.

In the future, I hope to enhance it by adding new homebrew games whenever I find something of quality, and keep the website and this whole initiative going for a long time, for as long as necessary.

 

So.. go ahead, download the games, sign the petition, maybe donate if you’re feeling generous, and most importantly, have fun!

Thank you!

 

The aMSN team donates to the EFF

Thanks to the ads that we have displayed on the aMSN website, the aMSN Team was able to gain a bit of money and we decided to donate part of that revenue to the EFF.

The EFF is a donation-funded nonprofit organization that defends our digital rights, helps promote net neutrality and raises questions about our privacy and our rights as consumers of the Internet. It fights for us in court and helps protect the digital world from big corporations who do not care about their consumers. The EFF also has a “Coder’s Rights project”  that defend developers like us.

The aMSN Team has  just donated 2500$ to the EFF and we are glad to help them in their fight. We encourage everyone to help this cause, since we are all benefiting from their hard work and maybe it’s time for us, as Internet consumers, to give back to them.

We wish everyone a Merry Christmas and Happy New Year!

The aMSN Team.

PS3: The payload mess…

Hi all,

I see a lot of people asking me some questions and I notice a lot of ignorance in the net about the different payload and the latest PL3 payload. So I want to make things clear..
First of all, people should stop talking/requesting/using the hermes v3 payload, I don’t like his work, and the payload is not good, it might crash the system in some cases, it’s not written properly, and hermes doesn’t even seem to understand how git works.
Also, PL3 already includes (for some time now) all the good stuff from hermes, it already supports installing game updates, or running games without a disc, anything else that Hermes added is useless and dangerous could crash in some situations (requiring a reboot).

Some might have seen my tweets about my new payload being released, and many are asking me what is the difference between my payload and what is already available.
PL3 doesn’t support syscall 36 anymore, for multiple reasons, first, it was bad code, it was mapping a path to a single hardcoded value (/dev_bdvd or /app_home or /dev_flash or whatever is hardcoded in the payload) which means that, since we (the PSGroove and PSFreedom developers) don’t want to support running backups, all the official payloads weren’t working with the backup manager without being patched first. The syscall 35 I added in my payload is more generic though, it is the proper way of doing things. You can map any path to another other new path, the prototype looks like this :

  syscall_35 (char *old_path, char *new_path);

This means that the payload doesn’t need to have a hardcoded /dev_bdvd path in it, or have extra code for mapping /app_home to something else.. or having syscall 36 change both /dev_bdvd and /app_home breaking homebrew when using a discless mode with a backup manager. You also don’t need a special payload to run the ‘firmware usb loader’.. It all just works because the choice of the path mapping is given to the homebrew applications themselves. This means that the backup managers will just map /dev_bdvd to what they want and they will work by default on my payload, there will be no need for a patched version of the payload to make them work.
This however means that the backup managers that depend on syscall 36 will stop working. For now Gaia Manager is the only backup manager available that is compatible with my payload. But I’m sure more will be ported to use syscall 35.
People need to understand that this new syscall 35 has to become the new standard, this is what all the payloads should use, nothing else, and this is what everyone should start using, not the old, crappy, backup-manager specific, PSJailbreak written, syscall 36.

We need to have some form of standardization for all these payloads, I’m tired of seeing about 100 different payloads floating on the internet, it doesn’t make sense. I always believed in a single payload that works for everyone, and that’s why I created PL3, that’s why it’s a project independent of PSFreedom (and PSGroove has been ported to it) and that’s where all the efforts should go. Also, by using PL3, you automatically gain support, and all the same features, for whatever previous firmwares PL3 already supports (3.01, 3.10, 3.15 and 3.41).

I have just recently seen this new payload that everyone is so happy about that includes “all the good things from 3 worlds”, the one created by Rancid, which includes the stuff from hermes, waninkoko and Mathieulh… and I was shocked to see how much people were happy about this.. people don’t really seem to understand that this wasn’t necessary at all? PL3 has had all those patches for a while now, so why did Rancid even bother making this payload that includes the patches from hermes, waninkoko and Mathieulh? Why would you spend your time doing something that already is available!

This blog post is meant to stop all this ignorance and let people know that they don’t need to look for a special payload, just use PL3 and you’ll get everything you need. It is also meant to explain to everyone what is different about my payload.

On a side, I have received a P3Hub device, kindly donated to me by the people from r4king.com, and I have now tried PSGroove for the first time! I’ve also created a fork of jevinskie’s port of PSGroove which is now improved and updated to support the latest PL3 version. This means that the PL3 payload is available for everyone, those using PSFreedom as well as those using PSGroove, so there is no excuse now on not using it or relying on badly written payloads developed by people who barely know how to code (yes, using winrar instead of git is a good indication of that).

Update: I forgot to rant about peek&poke!!! So let’s do it now… well, the default payload in PL3 has peek and poke disabled, and for a simple reason : Nobody needs them! and more importantly they are misued! I’ve look at the code of the different backup managers, and it looks like all of them use poke to patch the memory to ‘fix something’ because they think that it’s their job to do it.. no it’s not! If you have a working patch, then submit it to PL3 and if people complain, tell them “use the proper payload”, don’t try to take advantage of peek&poke to go and modify the kernel’s instructions! The reason is simple.. you are a homebrew app that does X, then do X, leave the kernel patching to the payloads! Just as PL3 doesn’t map /dev_bdvd to /dev_usb000/I.Like.This.Game/ and locks it out! Also, I’m on firmware 3.15, so when you decide to poke and patch the kernel with a hardcoded offset, you’re just screwing up my kernel because the offset is firmware dependent! it’s not the same depending on the firmware you use, and I don’t want you playing with it. So.. peek&poke are really not useful to anybody, they are not even available on a normal linux pc, so why would you want them in your default payload, right?! The only people who should use a payload with those syscalls enabled are real developers, people who want to analyze and patch the kernel on the fly while they are doing some development of, maybe, a kernel driver! That’s it. Anyways, that’s enough ranting from me for today!

P.s: In my branch of PSGroove, I wrote a script that build the .hex file for every supported device (from the README) for every supported firmware. You can find all the hex files here : PSGroove+PL3 hex files

Update: Thanks to evilsperm, I’ve updated the archive with hex files for these devices : Blackcat, Xplain, Olimex, UsbTinyMkII, Bentio and OpenKubus.
Update 2: Some people reported crashes with my payload when running backups with installed updates. I figured out the cause and fixed it now in git. The hex files above have also been updated

Thanks for reading.
KaKaRoTo

PSFreedom now supports firmware 3.01, 3.10 and 3.15

Hi,

I’ve got some great news for those of you who have not updated your PS3 firmware! I have just succeeded in adding Firmware 3.01 support into PSFreedom. I’ve pushed the latest code to github and you can now download the source and compile PSFreedom for 3.01.
For now, you will need to edit config.h and change the FIRMWARE_3_41 into FIRMWARE_3_01, then recompile. However, I will soon add support for dynamically choosing the target firmware version by simply doing a :
echo 3.01 > /proc/psfreedom/fw_version

I will soon add support for firmware 3.10 and 3.15, so be patient, and you will be rewarded. I would like to thank Klutsh as well as Philippe Hug who helped me achieve this port to 3.01.
The new payload changes are available in the PL3 github and any project/port that is also using PL3 should automatically gain support for the 3.01 firmware.
You will also be able to enjoy some new ‘tools’ in PL3 that will allow you to dump the LV2 kernel as well as the decrypted ELF files of the XMB and other configuration files it uses. The ethernet dumping is also now compatible with PS3 Slim models.

Update:
Philhug and I have worked together recently to make PL3 compatible with 3.15, and it is now done, working and ready for you to use. I have just pushed the latest changes to github, so just update both PSFreedom and PL3, and define FIRMWARE_3_15 in PSFreedom’s config.h and recompile. You will then be able to enjoy your unrestricted PS3 on 3.15 firmwares. Enjoy!

Update 2:
I have just added support for firmware 3.10 to PL3. You can get it by upgrading to the latest git version of PL3. There are however some changes in there that might break PSFreedom, so wait until I update PSFreedom tomorrow to be compatible with the latest PL3 changes!
I have also added a HOWTO file that explains the steps required to port PSFreedom to an exploitable firmware. Enjoy

I would like to thank, again, those who have donated. For the others, you can still donate, if you appreciate the work I’ve done.

Enjoy!
KaKaRoTo

PS3: Introducing PL3 and 3.01 firmware news

Hi,

I’ll announce two things, first, let’s talk about PL3.. PL3 is a new project I started in order to have a common repository of payloads that can be used by any ‘jailbreak’  implementation. I got tired of copying payloads from PSGroove, and I had some nice changes in mine that I thought the PSGroove project could benefit from, so I thought I’d create a single repository that both projects, PSFreedom and PSGroove (or any other similar projects) could use.

You can find it in github, so don’t hesitate to submodule it and use it.

Second important news… I’ve bought a new PS3 just for homebrew. Thanks to all who donated money so I can buy it (I didn’t get enough donations to pay for it, but enough to help me). I bought this PS3 used and it came with firmware 3.01! This is good and bad news : I can’t use PSFreedom to jailbreak it, so i’ve put on hold any improvements for it, however, it will allow me to actually port PSFreedom to older firmwares! My plan is to get the jailbreak working on 3.01, then move on to 3.10 and 3.15 (depending on how hard it is, i might skip 3.10).

Another good news is that after 4 days of  work, I was finally able to dump the LV2 memory from the 3.01 firmware, and now all that remains is to find the right offsets to patch, and port PSFreedom to 3.01, so all those who are still using this firmware version, you will soon be able to jailbreak it! Once I’m done with that, I’ll try to do the same with the 3.10/3.15 firmware versions!

To dump LV2, I used a trick and algorithms found by marcan42, so big thanks goes to him, as well as many other people who helped me out, RichDevX and Aaron in particular. I used RichDevX’s idea of ignoring the JIG and bruteforcing the address in which the port1 descriptor gets stored until I get a hit, then use that payload to dump lv2, then find the right JIG offset for that particular firmware from the dump. Marcan’s trick was to send the data through the ethernet cable by using LV1 only hypercalls, and it worked!

Now the latest git version of PL3 has a new ‘dump_lv2’ payload which you can use, it is firmware independent, and only uses LV1 hypercalls, so it should just work… It will dump all the lv2 memory through ethernet, so fire up wireshark, save the dump to a .pcap file, and use the tool in PL3/tools to extract the memory dump from the .pcap file.

In other news, I will soon upload to Ps3utils an .idc script that will search and find the syscall table, and correctly resolve all of its functions and name them properly.. maybe even have it automatically find all functions of a dump in order to save time creating procs in IDA. I’ll let you know once I’m done with it.

KaKaRoTo

PS3: Registry viewer and PDB generator

Hi all,

Here’s a quick post to share these small tools I wrote.

First, there’s  a .pdb file generator, it’s useful to install demos, I wrote this 6 days ago, but didn’t want to release it, I didn’t want people to use it to pirate PSN games, but it turns out it only works for demos… Even if it installs full retail games, they won’t run because you still need a license to run them. Also, two other people released similar tools (but much better, with more customization, good UIs, etc..) so I don’t need to keep this to myself anymore!

Second is a registry viewer! The /dev_flash2/etc/xRegistry.sys file contains a lot of interesting stuff, mostly your user settings, but it also contains some settings that you cannot change through the XMB (like QAMode or debugSoftwareUpdate, etc..). The file format is quite weird, SKFU attempted to reverse engineer it but didn’t really succeed, but thanks to Matsy who figured out how to link the keys with their values, I was able to understand the file format (most of it anyways) and write this app.  It’s just a crappy tcl/tk script that I wrote real quick! I’m really bad at UIs so I thought I’d put a quick and dirty tcl/tk script to build the UI for it.. it’s not much, it doesn’t allow you to change values, so don’t pay it much attention. Matsy is working on building a QT application to allow you to view and edit the registry values, so be patient, in the meantime, you can use this simple viewer to check out the contents of the file!

You can grab these tools (and possibly other stuff I might write in the future) from my new git repository at : http://github.com/kakaroto/ps3utils. They are both released under the GPL license.

On a side note, I just upgraded to firmware 3.42, so I’ll be taking a bit less active from the ps3 hacking scene for a little while, until I get enough money to buy a new (used actually) PS3. I also want to thank everyone who donated so far, so… thank you 🙂

KaKaRoTo

PSFreedom news, homebrew and donations

Hi all,

I suppose many people are now following my blog and you’re all eager to learn more about the latest PSFreedom news!

Important things first : Please stop asking me if PSFreedom will work on your phone, NO it will not work on any Symbian phones and it won’t work on iPhones (see next paragraph though). Stop asking and just accept that and buy yourself a Teensy board or an AT90USB microcontroller or similar and install PSGroove on it, then you’ll have your own dedicated dongle.

Now that that’s out of the way, let’s get back to business! I told you last time that NTAuthority almost had the iPhoneLinux port working, well the good news is that it does indeed work and it’s been released! Please read the instructions to get it installed from the wiki. Note however that it only works on iPod Touch 1G, iPhone 2G and iPhone 3G, it will not work on iPhone 3GS or 4G or any other iPod… so please don’t even ask about it!!!!

In similar news, we’ve added support for many new Android devices, the list almost reaches 40 models, and about 25 unique devices are now PSFreedom compatible! Again, you can see the whole list of supported devices in the wiki. I just want to make one thing clear : I made PSFreedom for the N800/N810/N900 phones, but I didn’t port it to android. Although I helped some developers port PSFreedom to new USB controllers, I didn’t port or compile any build of PSFreedom for any Android device, so your thanks should go to those responsible for doing it. This is a community effort and those from the community who helped this project should receive our thanks!

Now, what you’ve been waiting for, what’s new in the  PS3 scene, well, many things. First, I’ve recently joined the group of Mathieulh and I’ve been working with them to figure out how the kernel and payload works! I’ve also recently created a new branch in git for writing custom assembly for the payloads instead of using the hardcoded binary blob from PSJailbreak. I’ve cleaned up the payload used by PSJailbreak as well as documented it so others can read it and better understand how it works. The reverse engineering and information has been provided by the group of Mathieulh as well as some of my own reverse engineering work. You can find the ASM payload file here. AerialX from the PSGroove team is also working on cool payloads so you should check out his git repository too!

Also, Matsy and I have reverse engineered the xRegistry.sys file format and are now able to modify the XMB registry in order to enable new features (QA mode, debug options, etc..), and we’ll be working in the next few days on making a homebrew application that would allow you to change these settings safely.

Now for the sad news.. I will be forced to update my PS3 system very soon, for multiple reasons.. First, I’m getting the PS Move tomorrow and I really want to buy Tumble (PSN game) which looks like an awesome game and I can’t do that if I don’t upgrade my PS3 since PSN is locked for firmware 3.41. I also am a PSN+ subscriber and not being able to connect to PSN and enjoy the content I paid for is absurd and it feels like it’s wasting those 50$ I paid for PSN+. Finally, I had to reformat (and restore from backup, Thank God) my PS3 hardrive yesterday because as I was testing the payloads, I kept crashing the PS3 and I kept shutting it down the hard way which seemed to have corrupted my hard drive. After I restored my backup, all my content is there, but when I try to launch a game it says “To access this content, you must active this system. Go to ‘Playstation Network->Account Management’ to activate this system”, which I cannot do without connecting to PSN. This basically means that the 50+ games that I have bought on PSN are now inaccessible to me. So for all these reasons, I have chosen to update my PS3 to the latest firmware version.

As you all know by now, Sony has fixed the vulnerability we’re using to run homebrew in the latest firmware update, which means that once I update, I won’t be able to use PSFreedom or run homebrew applications anymore. This means that I won’t be able to work anymore on homebrew and custom payloads.. I could try to write something but I won’t be able to use it or test it, so the motivation will not be the same. For that, I’m asking you, those of you who used and enjoyed PSFreedom and are grateful for it or those who would like to see more of my work in the future, that you please donate a little something. Your donation will be used in order to buy a new PS3 that will be used only for homebrew and development. Note that I am not requesting you to donate, you have no obligations to do so and I’m not promising you anything either in exchange for a donation. Also note that, as stated earlier, I do not make ports of PSFreedom to new devices/phones, so don’t hope or expect me to make it work for your phone because you donated something. So only donate to me if you are grateful for everything I’ve done so far and you want to show your appreciation. If you decide to donate to me, then thank you very much! Your donations are very much appreciated and they might allow me to release something cool and useful to the PS3 homebrew scene in the future (but I can’t guarantee anything to anyone of course).

So if you want to donate some money, just click on the Donate button below! If you want to donate some hardware (a PS3 maybe, or a Teensy board or anything), contact me and let me know.

Thank you all for your support!
KaKaRoTo