PS3: First ‘Custom Firmware’ now working!

Update: I’ve now fixed the issue about the missing game data icons. PS3-Hacks.com has a nice step-by-step tutorials and they posted the PUP files.

Update 2: DO NOT try to install this from the service mode, it might brick your console, install it normally from the normal menu or the recovery menu.

Great news!

Thanks to the tools made by the fail0verflow team (and thanks to sven in particular for his work on the pkg/unpkg tools), the first “Custom Firmware” is now available for the PS3!

I see a lot of questions coming up really fast on my Twitter account, so here are the basic things you need to know :

Because of legal/copyright issues, I will not provide the custom firmware to anyone, however, I’ve made available all the tools necessary to transform an Official firmware update, into a custom one, just grab my ps3utils repository from github, compile, then run :

./create_cfw.sh PS3UPDATE.PUP CFW.PUP

This will take the official firmware, unpack it, modify it, then repack it correctly (requires you to install ps3tools).

This should work on Linux and Mac for now, but I’m sure others will do it for the masses and illegally release those files somewhere.

The advantage here is that you can do it for any firmware, if you want to keep version 3.41, then give it the 3.41 update, if you are on 3.55 already and can’t downgrade, then run the script on the official 3.55 firmware and it will create a modified 3.55 firmware.

You can put the file in a USB drive under the filename “PS3/UPDATE/PS3UPDAT.PUP” and then go to system update in the XMB, and it will allow you to install the update (even if you’re already on 3.55).

People are asking what are the features of this firmware, it’s simple, all it does is to add those “Install Package Files” options to the Game section of the XMB. It doesn’t do anything else!

This firmware will not allow you to run the currently available homebrew application. Once the homebrew developers re-package their files in a ‘retail’ .pkg format with signed executable, then it will work (this should be coming soon thanks to the work of the fail0verflow team).

Since the kernel is left unmodified, this means that this custom firmware is really meant for future homebrew installation, and it will not allow piracy. I plan on keeping it that way.

This is just the first attempt at custom firmware, and it only contains a minor modification to allow you to install pkg files directly, eventually we’ll get some more options added to it in the future. This is just starting to get interesting!

p.s: Thanks to everyone who helped make this possible!

Enjoy! 🙂
KaKaRoTo

PS3: Introducing PL3 and 3.01 firmware news

Hi,

I’ll announce two things, first, let’s talk about PL3.. PL3 is a new project I started in order to have a common repository of payloads that can be used by any ‘jailbreak’  implementation. I got tired of copying payloads from PSGroove, and I had some nice changes in mine that I thought the PSGroove project could benefit from, so I thought I’d create a single repository that both projects, PSFreedom and PSGroove (or any other similar projects) could use.

You can find it in github, so don’t hesitate to submodule it and use it.

Second important news… I’ve bought a new PS3 just for homebrew. Thanks to all who donated money so I can buy it (I didn’t get enough donations to pay for it, but enough to help me). I bought this PS3 used and it came with firmware 3.01! This is good and bad news : I can’t use PSFreedom to jailbreak it, so i’ve put on hold any improvements for it, however, it will allow me to actually port PSFreedom to older firmwares! My plan is to get the jailbreak working on 3.01, then move on to 3.10 and 3.15 (depending on how hard it is, i might skip 3.10).

Another good news is that after 4 days of  work, I was finally able to dump the LV2 memory from the 3.01 firmware, and now all that remains is to find the right offsets to patch, and port PSFreedom to 3.01, so all those who are still using this firmware version, you will soon be able to jailbreak it! Once I’m done with that, I’ll try to do the same with the 3.10/3.15 firmware versions!

To dump LV2, I used a trick and algorithms found by marcan42, so big thanks goes to him, as well as many other people who helped me out, RichDevX and Aaron in particular. I used RichDevX’s idea of ignoring the JIG and bruteforcing the address in which the port1 descriptor gets stored until I get a hit, then use that payload to dump lv2, then find the right JIG offset for that particular firmware from the dump. Marcan’s trick was to send the data through the ethernet cable by using LV1 only hypercalls, and it worked!

Now the latest git version of PL3 has a new ‘dump_lv2’ payload which you can use, it is firmware independent, and only uses LV1 hypercalls, so it should just work… It will dump all the lv2 memory through ethernet, so fire up wireshark, save the dump to a .pcap file, and use the tool in PL3/tools to extract the memory dump from the .pcap file.

In other news, I will soon upload to Ps3utils an .idc script that will search and find the syscall table, and correctly resolve all of its functions and name them properly.. maybe even have it automatically find all functions of a dump in order to save time creating procs in IDA. I’ll let you know once I’m done with it.

KaKaRoTo