PS3 Ps3Xploit - Now Install CFW from 4.82 OFW: NOR/NAND Software Flash Writer + NOR Dumper Released

Discussion in 'PS3 News' started by STLcardsWS, Nov 21, 2017.

By STLcardsWS on Nov 21, 2017 at 10:02 PM
    [UPDATE-2 (11-28-17) - The FAQ tab in the article has been updated again]
    There has been a lot of development going on around the PS3 since the discovery of the PS3Xploit (WebKit exploit) on 4.81 OFW. First we saw the IDPS dumper (4.81/4.82 OFW) released, with some big news and hope to come along with it, such as a Flash Writer (downgrader) for OFW. So if you have been reluctant to buy a hardware flasher such as the E3 Flasher and bust open your PS3, but have been wanting to get your PS3 FAT (PHAT) console or your downgradable PS3 SLIM model (up to and including 25xx models with a minimum installable version <= 3.56) onto Custom Firmware, here is your chance with a 100% SOFTWARE SOLUTION, thanks to the work of the PS3Xploit Team (@bguerville, @esc0rtd3w & W) along with contributions from new team member @habib, who helped expedite this release. Essentially, this software solution writes a patch to the CoreOS (on the NOR/NAND chip); when the PS3 is then rebooted you can install a Custom Firmware directly, so downgrading back to 3.55 is not required: instead, "direct OFW to CFW patching" is done to allow the Custom Firmware installation. Since this exploit is executed from 4.82 OFW, you can only install a 4.82 CFW. HOWEVER, if you wish to use an earlier firmware such as REBUG 4.81, once on 4.82 CFW you must TOGGLE QA using a toggle tool, which allows CFW users to freely switch between past and present CFW versions. Read more about this in the Frequently Asked Questions (FAQ) and in the details provided below:



    UPDATE - View Public Warning


    Flash Writer Compatible with these PS3 Models:
    Supports FAT Models CECHAxx/Bxx/Cxx/Exx/Gxx/Hxx/Jxx/Kxx/Lxx/Mxx/Pxx/Qxx
    Supports SLIM Models 2xxx (minver 3.56 or lower ONLY, check with >>> minverchk.pup - SEE FAQ TAB for USAGE )


    • PS3 OFW 4.82 NAND/NOR FLASH WRITER v1.0
      ***** IMPORTANT DETAILS BELOW -- AVOIDING A BRICK *****
      • Verify flsh.hex file on a flash drive and in the far right USB slot!
        • 4.82 flsh.hex MD5: 8E156C99101BF36EC3EDB832982AE46D
      • DO NOT USE ON CFW (Custom Firmware) (Only Supports OFW)
      • DO NOT USE ON PS3 Models 3xxx/4xxx (aka SuperSlims / late Slim models): you will brick those consoles.
      • USE ONLY ON 4.82 OFW
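The single most important pre-flight check in the list above is the MD5 of flsh.hex: the writer copies that file straight into ros0/ros1, so a truncated or wrong file is the easiest way to end up with a corrupted CoreOS. The script below is an added example (not part of the PS3Xploit release) that hashes the file on the USB stick and refuses to report OK unless it matches the published 4.82 digest. The mount point `/media/usb` and the script name are assumptions; pass the real path of the flash drive root as the first argument.

```python
# Added example (not part of the PS3Xploit release): verify the flash patch file
# on the USB stick before running the writer. The expected MD5 is the value
# published in the release notes for the 4.82 flsh.hex; the USB mount point below
# is an assumption and should be replaced with the real drive root.
import hashlib
from pathlib import Path

EXPECTED_FLSH_HEX_MD5 = "8E156C99101BF36EC3EDB832982AE46D"  # from the release notes


def md5_of_bytes(data: bytes) -> str:
    """Return the lowercase hex MD5 of an in-memory blob."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path) -> str:
    """Hash a file in 1 MiB chunks so a large dump never has to be read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(actual: str, expected: str) -> bool:
    """Case-insensitive comparison; the release notes print the digest in upper case."""
    return actual.lower() == expected.lower()


def check_patch_file(path, expected=EXPECTED_FLSH_HEX_MD5):
    """Return (ok, detail). ok is False if the file is missing or its MD5 differs."""
    p = Path(path)
    if not p.is_file():
        return False, f"{p} not found: copy flsh.hex to the root of the flash drive"
    actual = md5_of_file(p)
    if not hash_matches(actual, expected):
        return False, f"MD5 mismatch: got {actual.upper()}, expected {expected.upper()}"
    return True, f"MD5 OK ({actual.upper()})"


if __name__ == "__main__":
    import sys
    # Assumed mount point of the FAT32 stick; pass the real one as the first argument.
    usb_root = sys.argv[1] if len(sys.argv) > 1 else "/media/usb"
    ok, detail = check_patch_file(Path(usb_root) / "flsh.hex")
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it against the stick after copying the file, not before: the point is to hash what actually landed on the FAT32 volume, since a copy that was interrupted or done to the wrong drive will still look fine in the file listing.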


      PLEASE READ FIRST:

      • It's essential not to flood the browser memory with junk before running the exploit. Due to JavaScriptCore memory-usage limitations we scan a small range of browser memory (a few MB) several times to find some essential data in RAM; if the memory is flooded, the range to scan becomes much larger and the probability that our data is found in the smaller range drops dramatically.
      • So in short, never browse, and never set a homepage that you then cancel, before running the exploit!
      • If you need to, set the homepage to 'blank', close the browser, then reopen it to start the flash writer.

      v1.0.0 - Initial Release
      • Supports Direct OFW to CFW patching for All Phat and 2xxx Slim (minver 3.56 Dec 2010 and lower)
      • the NOR/NAND writer will just copy 3Mb of CoreOS data to both ros0 & ros1 in the flash memory.
      • There is only one version released for 4.82. The same hex patch file can be used on nor & nand.
      • It's as safe as possible, with a check for usb device & patch file making the exploit hang instead of corrupting flash if file is not found.
      • In case of corruption (extremely rare but could always happen), it's only a partial brick because no per console info ever gets erased so a hardware flasher could still be used if ever a recovery reboot was impossible.
      Usage Tips:
      1) Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
      2) If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
      3) If you are using a LAN connection and experience network issues, make sure all cables to the router are in working order.

      Steps:
      1. Set up a small web server on a PC or smartphone. A custom miniweb application (from: https://sourceforge.net/projects/miniweb/files/), with small changes to its JavaScript, is supplied to host the files if you would like to use it. Don't come to us for explanations about how to run an HTTP server though. Google it.

      2. Extract the files from release to your http server root folder.
      2a- To use the miniweb.exe server, it is necessary to create a folder: htdocs
      2b- The files *.html and *.js included in the zip files should be copied/moved to htdocs
      3. Copy the "flsh.hex" file from release folder to root of flash drive.

      4. Put a FAT32 USB key in port closest to BD Drive (/dev_usb000).

      5. DOUBLE-CHECK your flash drive on XMB to make sure it shows up under Music, Photos, Videos, etc.

      6. Open the PS3 browser File Address window, write the IP address of your server (and the port if not 80) & press the Start button.

      7. Select the appropriate button for your console and wait for PS3 to power down. DO NOT STOP THE PROCESS ONCE STARTED!!

      8. Once the PS3 has powered down, reboot the console and install the CFW matching the OFW version. If installing through the XMB does not work, boot to recovery and install.

    • PS3 4.81/4.82 NAND/NOR Flash Dumper v1.0
      THE CORRECT FIRMWARE VERSION BETWEEN 4.81 and 4.82 IS AUTOMATICALLY SELECTED!

      UPDATE - ALSO Ported to earlier Official Firmware
      >>> Link

      PLEASE READ FIRST:
      • It's essential not to flood the browser memory with junk before running the exploit. Due to JavaScriptCore memory-usage limitations we scan a small range of browser memory (a few MB) several times to find some essential data in RAM; if the memory is flooded, the range to scan becomes much larger and the probability that our data is found in the smaller range drops dramatically.
      • So in short, never browse, and never set a homepage that you then cancel, before running the exploit! If you need to, set the homepage to 'blank', close the browser, then reopen it to start the dumper.

      v1.0.0 - Initial Release.
      • Supports Dumping NOR on both 4.81 & 4.82.
      • bguerville tried to produce a release that was easy to port & he succeeded. Anyone able to search for offsets in IDA can add support to any firmware version in the dumper in a matter of minutes.
      • For technical reasons, the Full NAND dumper release is postponed. We will now be focusing on self execution & if we succeed there will be no need for the extra ROP work to do the NAND dumper. If we fail, I will finish it in ROP.
      • A lot of time has been invested into making the javascript + UI more efficient, as well as the trigger phase faster & more stable. I hope you enjoy the result.
      Usage Tips:
      1) Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
      2) If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
      3) If you are using a LAN connection and experience network issues, make sure all cables to the router are in working order.

      Steps:
      1. Set up a small web server on a PC or smartphone. A custom miniweb application (from: https://sourceforge.net/projects/miniweb/files/), with small changes to its JavaScript, is supplied to host the files if you would like to use it. Don't come to us for explanations about how to run an HTTP server though. Google it.

      2. Extract the files from release to your http server root folder.
      2a- To use the miniweb.exe server, it is necessary to create a folder: htdocs
      2b- The files *.html and *.js included in the zip files should be copied/moved to htdocs
      3. Put a FAT32 USB key in port closest to BD Drive (/dev_usb000).

      4. DOUBLE-CHECK your flash drive on XMB to make sure it shows up under Music, Photos, Videos, etc.

      5. Open the PS3 browser File Address window, write the IP address of your server (and the port if not 80) & press the Start button.

      6. The dumper will detect the firmware version of your console automatically and set up the code appropriately, so there is only one version for both 4.81 & 4.82. Run until the PS3 beeps and shuts down. The flash dump should be a 16MB file on your USB drive named dump.hex.

    • Frequently Asked Questions & Additional Notes


      Any Noob Friendly Guides for OFW to CFW? APPROVED BY TEAM PS3Xploit


      Will this jailbreak my SuperSlim?
      • NO. (PS3Xploit has a strong possibility of eventually evolving into a HEN-style exploit, but that aspect will take additional development and time; at this time PS3Xploit has not evolved enough.)


      Is my Model Compatible & Which Writer does my console need (NOR or NAND)?


      Can I install a CFW before 4.82, such as Rebug 4.81 or an earlier CFW?

      • Yes, however you must Toggle QA Flag. Once the Token is activated you have the ability to then freely jump CFW versions. (see below for details)

      How do I Toggle QA Flag?

      • When on a CFW, download & install >>> QA TOGGLER (Standalone). (Note: it will just show a black screen, then reboot the PS3 and return to the XMB. A restart is required: after toggling QA, CFW syscalls will be disabled, meaning your CFW patches are disabled until the next boot, so reboot after the Toggler exits back to the XMB.) Additional info about the Q/A flag can be seen here (& also @ PS3Devwiki).

      Should I use the "999 Downgrader" or "Toggle QA" to install a different CFW?

      • No. Installing the "999 downgrader" PUP can cause various issues; on a 3.56 minver console, for example, it will brick the console. Simply Toggle the Q/A Flag and play it safe: it is so simple to move between CFW versions (up and down from version to version).

      How do I know for sure if my PS3 Model is compatible?

      • You must have a PS3 console that has a factory firmware of 3.56 or below.
      • To check, it's easy with this simple tool for OFW: download minverchk.rar
      • Then place the .pup file on a FAT32 USB flash drive in a PS3/UPDATE folder (create the path if needed)
      • Now on the PS3 XMB go to Settings > System Update > Update via Media Storage
      • Once it shows in the list, select the PUP and install; shortly after there will be a message showing the factory firmware the console shipped with.
      • For this we want 3.56 or below.
      • ANYTHING HIGHER THAN 3.56 IS NOT ABLE TO INSTALL A CFW. Sorry, this will not work for your console, but a HEN (Homebrew Enabler) for running homebrew could be possible; additional research and time is needed to achieve that. Additional details can be read here.

      What is the basic purpose of the Writer & Dumper Tools Release?

      • The dumper is to get a backup of the nor chip
      • The writer is to jailbreak your console. (Adding a patch to OFW to allow CFW installation)

      Do I have to setup my own web server or can (has) someone host this?

      • For best results and security it's advised/recommended to set up a local web server to execute the WebKit exploit. The best unofficial host we have found is from developer RED and his page: http://redthetrainer.com/ps3/

      How to go from Ferrox 4.82 to Rebug 4.81?

      • Question raised here, OR alternatively you can use this UNOFFICIAL modified version of REBUG 4.81.2 that will install on 4.82 (without the QA FLAG, as it contains an edit to the syscon version) >>>> (View Tweet & Download Link)

      Where can I find the latest 4.82 CFW?


      Where can I find PS3 Homebrew?


      New to PS3 CFW Community (Have CFW now installed and want to know a bit more)?

      • Here is a thread being started in the forums: An Intro to CFW & PS3 Homebrew. It covers various basics of firmware types and some essential apps. The thread is a WIP, so expect additional items to be added.

      PSX-Place member @lord3490 provided some extra FAQs.
      Q: my console just froze and nothing's happening for over 10 minutes
      • A: turn off console, the exploit failed.
        • 1. Make sure you got the correct file on USB thumb drive and it's formatted to fat32.
        • 2. Clean browser cache
        • 3. Set start page to about:blank (or your exploit host)
        • 4. Restart Browser
        • 5. Try again

      Q: the console shut down and beeped when using the exploit, however I'm getting an error when trying to install cfw?

      • A: there are a couple of possible reasons for that:
        • 1. Did you make sure you flashed the correct file (nand/nor)? See q/a above
        • 2. Try different 4.82 CFWs and make sure the md5 is correct after copying to fat32 thumb drive.
        • 3. Try a different USB thumb drive or reformat it.
        • 4. Make a backup and format internal HDD (I just read that solved the problem for one user).

      Q: when will there be a CFW or a HEN type of hack for newer ps3 models?

      • CFW (Custom Firmware): Not Possible
      • HEN (Homebrew Enabler): you may be able to use homebrew (even backup managers) later on. The devs are working on it, and they won't be faster or release it earlier because you ask. The PS Vita / PlayStation TV use a HEN exploit (HENkaku), to give those of you who have followed the Vita scene an idea of what a HEN is.
      • Keep dropping by this forum and you won't miss it once it's there. You will hear it first from psx-place.com, the official home of the PS3Xploit Team.

      Q: okay, I got a cfw installed. What do I do now?

      • A: Read. There is a lot of information on this forum. Use search function for specific topics and check out this thread >> An Intro to CFW & PS3 Homebrew to get started.

      Q: where can I download games?

      • A: From PSN, for anything else you may want to read the forums rules! psx-place.com


    Downloads:

    Courtesy of Team PS3Xploit:
    W (Javascript, Research & Testing)
    @esc0rtd3w (Debugging, Research & Testing)
    @habib (ROP & Debugging)
    @bguerville (ROP/Javascript & Debugging)


    From PSX-Place & Team PS3Xploit: Happy Holidays !!!!
    (First Q1 of 2018 came early, but this was really supposed to be a surprise X-Mas gift ;p )

    USE AT YOUR OWN RISK & READ ALL INSTRUCTIONS
    Last edited: Dec 3, 2017

Comments


    1. Vuk1987
      Vuk1987
      Is there any software that is suitable for checking this type of NOR dump (dump.hex instead of earlier backup.bin dump file) since I always get the error on ROS1 part. Let's assume someone bricks the console this way, is a procedure to unbricking same as if one would have a .bin NOR dump using E3 flasher, or it's a different one for this type of NOR dump.
    2. esc0rtd3w
      esc0rtd3w
      lol, just rename it to .bin

      E3 flasher is reversed bytes. you can use a hex editor to byte swap, or another tool, i assume for reading PS3 Flash

      ros version may be wrong and show bad, idk
    3. bguerville
      bguerville
      You don't need a backup to fix a partial brick that occurred with ps3xploit flasher writer.
      The whole point of the project is to avoid full brick. It means that the 3Mb overwritten in ros0/ros1 is common to all consoles. You can get that part from any dump from any console on same ofw or assemble it yourself using extracted PUP files. In any case, no backup dumps is necessary to recover...
      esc0rtd3w likes this.
    4. Vuk1987
      Vuk1987
      Ok, thanks for the answer, but I'm afraid I don't know how to do that. How do I extract ros0/ros1 from another backup file, and write it to my NOR chip?
    5. emstion
      emstion
      I have a model 2501A w/ minver of 3.40 so I know it's compatible, but I'm having a problem. I've tried it several times hosting the files locally on miniweb with a SUCCESS but it never beeps and shuts down. So I tried redthetrainer's site and keep getting Triggering exploit failed 10 times....Refresh Page. Have tried a couple different USB sticks as well and have checked MD5 every time. Anybody run into this problem before and any clue as to what may be the problem?
    6. aldostools
      aldostools
      Use an ethernet wired connection and miniweb. Try setting nor-482.html as homepage in PS3 browser, clean the cache, close the browser and open it again.

      Use a small pendrive formatted with FAT32 and confirm that flsh.hex has MD5 = 8E156C99101BF36EC3EDB832982AE46D.

      If it fails, keep trying, it eventually will work.
      bitsbubba likes this.
    7. bguerville
      bguerville
      Do you have a working hardware flasher to begin with? Because if you don't, it's not worth having this conversation right away, better wait until you have one & it's properly setup & ready to flash. Then we can discuss solutions.
      esc0rtd3w likes this.
    8. sandungas
      sandungas
      As said, this needs to be explained better, and someone should make a thread about it, but I think I can sum it up in a couple of sentences as an overview of the procedure.
      First take a look here; those tables are like a "map" of the flash: http://www.psdevwiki.com/ps3/Flash

      As example for NOR... you need to get a dump from other PS3, working, with the same flash type and in OFW 4.82... then open the dump in a hexeditor app and "select block"... from offset 0x0C0000 length 0xE00000... and "copy" it
      Then open your damaged dump in the hexeditor and "select block" again (same values)... and "paste" it

      And that's all, you have your flash dump repaired, ready to be written back to flash... by using a hardware flasher (teensy, E3, etc...)
      esc0rtd3w and pinky like this.
    9. bguerville
      bguerville
      Yes, except there is one more step if you are going to do this manually: there is a part of an index with CoreOS file sizes to tweak...

      IMO the easiest way to do it for a noob is to get access to a dump from any NOR chip on ofw 4.82, you only need 3 contiguous Mb from that dump. Many members could provide it for you because it's only CoreOS files, no per consoles keys in there.
      But come to this support thread, we will give you the part you need to overwrite if you cannot sort it out yourself...
      We might consider posting it so ppl can get it a copy just in case...
      DeViL303, esc0rtd3w and sandungas like this.
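The hex-editor "select block, copy, paste" procedure sandungas describes is a fixed-offset region transplant, and the reason it is brick-safe is exactly what bguerville points out: the region at 0x0C0000 (length 0xE00000) holds only CoreOS, so nothing per-console is touched. The script below is an added example (not a PS3Xploit tool and not anything posted in this thread) that performs that transplant on two 16MB NOR dumps and checks afterwards that every byte outside the region is unchanged. It also includes a 16-bit byte swap for donor dumps taken with a flasher that stores reversed bytes, as esc0rtd3w says the E3 does; whether a given dump needs that swap is something you must confirm against the psdevwiki flash layout yourself. The CoreOS size-index tweak bguerville mentions is not handled here, so treat the output as the manual starting point, not a finished repair. File names are assumptions.

```python
# Added example (not a PS3Xploit tool, not any poster's code): transplant the
# CoreOS region of a known-good 4.82 NOR dump of the same flash type into a
# damaged dump, using the offsets quoted in the thread from the psdevwiki map.
# Not handled: the CoreOS file-size index tweak mentioned in the thread.
from pathlib import Path

NOR_SIZE = 16 * 1024 * 1024   # 16 MB dump, as the dumper produces
ROS_OFFSET = 0x0C0000         # start of the region quoted in the thread
ROS_LENGTH = 0xE00000         # length of that region (ros0 + ros1, CoreOS only)


def byteswap16(data: bytes) -> bytes:
    """Swap every pair of bytes (AB CD -> BA DC), for dumps stored byte-reversed.
    Raises on odd length so a truncated dump is caught instead of silently shifted."""
    if len(data) % 2:
        raise ValueError("dump length must be even for a 16-bit swap")
    out = bytearray(data)
    out[0::2], out[1::2] = data[1::2], data[0::2]
    return bytes(out)


def transplant_region(donor: bytes, damaged: bytes,
                      offset: int = ROS_OFFSET, length: int = ROS_LENGTH) -> bytes:
    """Return a copy of `damaged` with donor[offset:offset+length] pasted in place.
    Everything outside the region (the per-console data) is left untouched."""
    if len(donor) != NOR_SIZE or len(damaged) != NOR_SIZE:
        raise ValueError("both dumps must be exactly 16 MB")
    if offset + length > NOR_SIZE:
        raise ValueError("region exceeds dump size")
    repaired = bytearray(damaged)
    repaired[offset:offset + length] = donor[offset:offset + length]
    return bytes(repaired)


def outside_region_differs(a: bytes, b: bytes,
                           offset: int = ROS_OFFSET, length: int = ROS_LENGTH) -> bool:
    """True if the two dumps differ anywhere outside the transplanted region.
    Used as a sanity check that the repair did not disturb per-console data."""
    return a[:offset] != b[:offset] or a[offset + length:] != b[offset + length:]


def repair_dump(donor_path, damaged_path, out_path, swap_donor: bool = False) -> int:
    """File-level wrapper: read both dumps, transplant, verify, write the result.
    Returns the number of bytes written."""
    donor = Path(donor_path).read_bytes()
    if swap_donor:
        donor = byteswap16(donor)
    damaged = Path(damaged_path).read_bytes()
    repaired = transplant_region(donor, damaged)
    if outside_region_differs(repaired, damaged):
        raise RuntimeError("per-console data changed; refusing to write")
    Path(out_path).write_bytes(repaired)
    return len(repaired)


if __name__ == "__main__":
    import sys
    # Usage (file names are assumptions): python repair.py good_482.bin damaged.bin repaired.bin
    donor_p, damaged_p, out_p = sys.argv[1:4]
    print(f"wrote {repair_dump(donor_p, damaged_p, out_p)} bytes to {out_p}")
```

Keep the donor and damaged dumps in the same byte order before transplanting; mixing a swapped donor into an unswapped damaged dump produces a file that is exactly the wrong size to notice and exactly the wrong content to boot.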
    10. sandungas
      sandungas
      Hmm, agreed, better that way with 3mb only. I was thinking someone could make a small tutorial (not members of the team, but anyone that experienced this brick and repaired it), but more important than a tutorial is to know how to get that "patch" data needed to apply over the damaged dump, and because that "patch" is generic I guess its MD5 can be told.
      esc0rtd3w likes this.
    11. bguerville
      bguerville
      Yes it can use md5.
      It would be a file basically equivalent to flsh.hex but totally ofw with no patches.
      sandungas and esc0rtd3w like this.
    12. Vuk1987
      Vuk1987
      I have a working E3 flasher, I do PS3 modding as a hobby, but I am a noob. Thank you all for the answers, I hope I'm getting closer to the solution. If I understood correctly, once one bricks the console, he can dump the NOR flash (110000 jumpers E3), modify that dump by replacing the ros1 and ros0 parts of it (this is a mystery for me), and write the modified dump back to the NOR chip (using the 000000 jumper set if I'm correct), and that's it. I also don't mind dumping the NOR flash (16 MB dump) using this "soft" NOR dumper, checking it (which program to use was the question, since the one I tried to use always shows an error on the ros1 part), and using it as a backup in case one bricks the console. This takes about 5 minutes, and it's totally worth it if you have a good backup to restore your console in case of bricking. I was also wondering if the procedure (jumper set, etc.) for writing a .hex flash using the E3 flasher is the same as writing a bkpps3.bin file to the NOR chip. If these parts are explained to me, I don't mind posting a step by step tutorial for unbricking a console bricked this way.
    13. bguerville
      bguerville
      @Vuk1987
      Actually, half your questions go well beyond the scope of this simple support thread tbh. Here we assume that if you use a flasher for debricking, you know how to use it & use the documentation + eventually the files we may provide.
      Don't get me wrong, one has to start somewhere so if you have questions regarding E3, the ros regions & hardware flashing in general I suggest you create your own thread on that topic. Various members here are well versed in this kind of thing & there are good guides from @playerkp420 & @baileyscream on the subject out there.
      And don't forget to refer to psdevwiki for technical information as well...
    14. Vuk1987
      Vuk1987
      Ok then. thanks.
    15. emstion
      emstion
      Sorry, it's been a couple days since I posted about this. I finally got it to work! Don't know exactly what the issue(s) were but I used 6 different flash drives (the one I started with was the one that eventually worked) and 4 different LAN cables. Anyways it worked and I am now on Rebug 4.81.2 UNOFFICIAL. Thanks to all the devs responsible for this xploit, you have my deepest gratitude!

      I have a question though. I have 2 PS3s, unfortunately one is not exploitable (3.66), but my question is: can I swap out the HDD from the OFW console to the CFW console without screwing things up on the CFW console that took me forever (it seems like) to get exploited?

      I have purchased PSN games on the OFW console that I would like to move over, without having to risk logging in to PSN. or is that even possible?
      aldostools likes this.
    16. habib
      habib
      Easiest way is to just dump the nor and patch it with any tool for cfw and it will work lol

      If you brick 3k/4K then you would have to download pup, extract core_os and write to both ros
    17. bitsbubba
      bitsbubba
      it doesn't work that way, each hdd has a per console key, read up on the safest way to connect to PSN on CFW and download them again. but for anything further please start another thread
      aldostools likes this.
    18. Vuk1987
      Vuk1987
      I agree, it takes 5 minutes, and you are brick safe (somewhat)

      Sent from my Lenovo K10a40 using Tapatalk
    19. lickmyballsack
      lickmyballsack
      can any1 tell me how to update to another firmware other than ferrox please.?
    20. Vuk1987
      Vuk1987



      Sent from my Lenovo K10a40 using Tapatalk
      esc0rtd3w and lickmyballsack like this.
