PS3 Official Firmware 4.81 Exploit - Software Downgrader & More Incoming! Could SuperSlim be hacked?

Discussion in 'PS3 News' started by STLcardsWS, Nov 9, 2017.

By STLcardsWS on Nov 9, 2017 at 6:45 PM
    It has been nearly 7 years since we last saw a PS3 Official Firmware exploited (3.55 being the last), which predates many PS3 models and is why the later Slim & SuperSlim models could never install Custom Firmware (CFW) or downgrade. However, that could all change, as a team of three has been developing a new project, a 4.81 OFW exploit called PS3Xploit. "Unhackable PS3 models" may become a term of the past; the exploit is not quite there yet, but a HENkaku (Vita) style hack is very plausible. Currently the exploit allows flash dumps on all consoles, followed by write access to flash: the "unhackables" (25xx and later) will not be able to write, but all earlier PS3 models will, which means goodbye hardware flashers and hello software downgraders. The team consists of psx-place's very own @bguerville and @esc0rtd3w, along with W, who together form the team behind PS3Xploit.

    The theory behind the project started when bguerville was looking through some of the WebKit source code (for unrelated research) and stumbled on a discovery; a discussion then formed here on the psx-place forums with theories on how the PS3 could be attacked using his findings. As time passed the team formed and the idea became a full-fledged project in development, and a request came to temporarily remove that discussion since the idea had spawned a project with a lot of potential. Sadly this is not ready for release quite yet (but soon): while we know it is working, additional development is needed to make it complete. The team is targeting Q1 2018 for the release of the exploit.

    [Image: PS3 SuperSlim.jpg]

    Recently team member esc0rtd3w announced the tentative release date on another forum, and it seems some were so grateful that they decided to breach his MEGA account and leak what they thought was the exploit's key component, but which was only a small piece of the whole and quite useless by itself. The good news is that it did not harm the project or discourage the development team behind PS3Xploit. However, esc0rtd3w did lose some personal files, and the community lost the huge collection of NoPSN apps for the PS3. But don't cancel those subscription services just yet, as esc0rtd3w is in the process of re-uploading the collection; you can follow the progress here.

    Also, I have been personally told by the team that some of the details being reported elsewhere are not 100% accurate, but rest assured we have first-hand information about this upcoming exploit and we will set the record straight and keep you supplied with the facts as they become available. bguerville has provided us with some details about this release and also tells us what they plan to release first: an IDPS Dumper for 4.81 (all PS3 models), coming in the next 24 hours. (UPDATE >> Released)

    Additional details via @bguerville
    (NOTICE - Please read ALL TABS; they contain IMPORTANT details about the project!!!)

    • I started investigating the ps3 webkit about 6/7 months, but at the time, it was only to gather information, I had no idea I would eventually be the one working on it!

      End of August, I gave the information I had to esc0rtd3w & expected he would work on it alone. However, he knew nothing about webkit exploitation & he started to collaborate with W. By hijacking webkit, we inherit its privileges which means we are root & we get access to lv2 syscalls. However the ps3 OS is protected by NX (No eXecute is the bsd/linux equivalent of DEP on Windows), no address randomisation though. Executing our own payload is made impossible by NX but we can still execute code despite NX using ROP (Return Oriented Programming).

      The principle is simple, select snippets from the system code (snippets like these are called gadgets) & assemble them so execution jumps from one gadget to the next until the task we planned is done. It requires providing values/parameters & offsetting to each gadget instruction as well...

      First week of September, I joined their effort & 2 weeks later we had ROP execution.
      From that moment, I have been doing all the ROP development work alone while the other 2 helped with testing & researching (and debugging for esc0rtd3w).

      Right now I have 2 ROP chains ready, one for idps dumping & the other for flash memory dumping.

      The next part of the job is to modify the flash dumper into a flash writer.
      When that is done & released, ps3 hardware flashers will have become mostly obsolete.

      FYI, the idps dumper should work on any nor/nand model of ps3. Same goes for the flash memory dumper.

      It was tested ok on superslim.

      Once the ROP work above is finished , there is much more to be done & hopefully more releases to come...

      Stay tuned.....

    • The Current Status

      For now the main project we are working on will not jailbreak all consoles.

      It will enable flash dumps from all consoles but flash write only to all consoles up to 25xx, so consoles that are not cfw compatible will not really benefit just yet, except for dumping flash & idps but not for JB.

      For those with cfw compatible consoles on ofw, once flash is overwritten with a db ofw copy, a user can reboot then install the cfw of their choice. Hardware flashers will then be obsolete. You could also overwrite the flash memory in more recent consoles but that would result in a brick due to metldr2.

      It's only after that flash management project is done, in hopefully March that we will begin working on exploiting lv2. If we get the results we wish, we should be able to make a TaiHEN type of hack for all consoles including superslims.

      Once lv2 is exploited, I am not sure yet how far I will take it, whether I will also try to take on lv1.. Or leave it for someone else to build on by releasing a fully commented & dev friendly version... We will see how things go, ......

      However, even without lv1, direct access to lv2 functions using the right parameters would allow us to run homebrews (except those needing lv1 peek/poke) & backups without problems along with many other things.

    • I figured I would add this (tab) to add some news and threads related to this project that have arisen after this article.

    Stay tuned as this story develops; we have the inside scoop on all the details as they flow. This is a huge breakthrough for the PS3 community and will only progress from here on out!!!

    (Please Note - You should not update your PS3 firmware past 4.81 if a Software Update goes Live)

    Last edited: Nov 29, 2017
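To make the NX and ROP explanation in bguerville's notes above concrete, here is an added toy simulation. It is not PS3Xploit code and not from bguerville or the team; the addresses, register names, gadgets and the stand-in "syscall table" are all invented for illustration and correspond to no real PS3 code. It shows the two points the notes make: a CPU with NX refuses to fetch instructions from the writable stack page, yet a stack filled with addresses of existing code snippets that end in `ret` (gadgets), interleaved with their parameters, still drives execution from gadget to gadget.

```python
from dataclasses import dataclass, field


class NXFault(Exception):
    """Raised when the toy CPU is asked to fetch code from a non-executable page."""


# Constructed executable "system code": address -> gadget micro-ops.
# Every gadget ends in ("ret",), which pops the next address off the stack;
# that pop is what links one gadget to the next. Addresses and register
# names are invented and do not correspond to any real PS3 code.
CODE = {
    0x1000: [("pop", "r3"), ("ret",)],               # pop r3 ; ret
    0x1010: [("pop", "r4"), ("ret",)],               # pop r4 ; ret
    0x1020: [("add", "r3", "r3", "r4"), ("ret",)],   # r3 = r3 + r4 ; ret
    0x1030: [("syscall",), ("ret",)],                # r3 = syscall(number=r3, arg=r4) ; ret
}

# Constructed stand-in for a syscall table (real lv2 syscalls are not modelled).
SYSCALLS = {
    0x10: lambda arg: arg * 2,
    0x11: lambda arg: arg + 1,
}

STACK_BASE = 0x7000  # the attacker-controlled data page: writable, never executable


@dataclass
class Machine:
    stack: list                                   # index 0 is the top of the stack
    regs: dict = field(default_factory=dict)
    visited: list = field(default_factory=list)   # gadget addresses actually executed

    def run(self, max_gadgets=32):
        # The hijacked control flow "returns" into the first word on the stack.
        pc = self.stack.pop(0)
        for _ in range(max_gadgets):
            if pc not in CODE:  # NX check: only the code mapping is executable
                raise NXFault(f"fetch from {pc:#x}: page is not executable")
            self.visited.append(pc)
            for op in CODE[pc]:
                if op[0] == "pop":        # gadget parameter supplied from the stack
                    self.regs[op[1]] = self.stack.pop(0)
                elif op[0] == "add":
                    self.regs[op[1]] = self.regs[op[2]] + self.regs[op[3]]
                elif op[0] == "syscall":
                    self.regs["r3"] = SYSCALLS[self.regs["r3"]](self.regs["r4"])
                elif op[0] == "ret":      # link to the next gadget, or finish
                    if not self.stack:
                        return self.regs
                    pc = self.stack.pop(0)
        raise RuntimeError("chain exceeded max_gadgets")


def run_chain(chain):
    """Run an attacker-supplied stack layout; return (final r3, gadgets visited)."""
    m = Machine(stack=list(chain))
    regs = m.run()
    return regs["r3"], m.visited


def inject_attempt():
    """Show NX doing its job: returning into the writable stack page faults."""
    try:
        run_chain([STACK_BASE])
    except NXFault as exc:
        return str(exc)
    return "no fault"


if __name__ == "__main__":
    # Chain: r3 = 0x10 ; r4 = 5 ; syscall -> r3 = 10 ; r4 = 1 ; r3 = r3 + r4 -> 11
    chain = [0x1000, 0x10, 0x1010, 5, 0x1030, 0x1010, 1, 0x1020]
    print(run_chain(chain))
    print(inject_attempt())
```

The `visited` list is the part worth watching: it is the order in which the gadgets ran, decided purely by the words on the stack, which is why, as the notes say, "offsetting" each stack entry to the right gadget and placing its parameters right after it is the whole job of ROP development. The `inject_attempt` case is the mitigation side: with NX, a stack page is data, so the only code that can run is code the system already shipped.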



    1. Amaan Khan
      I am extremely excited about jailbreak :D
      esc0rtd3w likes this.
    2. Beastmod
      Thank you for all the hard work! I am a noob when it comes to python. I have python running but keep getting PS3 not compatible message...I am on 4.81 OFW. Is there step by step instructions for a beginner? I feel like I'm missing something
      esc0rtd3w likes this.
    3. Louay
      so can we inject games without second jailbroken one using IDPS Dumper *??? TABR Protected Area ??
    4. BenomegaWNetwrk
      Will there be a way for people who updated to 4.82 to downgrade?
      esc0rtd3w likes this.
    5. TOM1211
      Mine is still going launch day bought from a supermarket only owned the one.
    6. bitsbubba
      idps dumper was updated to support 4.82 so that probably won't be a problem as $0Ny didn't patch the exploit but higher firmwares probably
      esc0rtd3w likes this.
    7. Amaan Khan
      Wow It worked in my superslim emmc :)
      esc0rtd3w, Zoilus and bitsbubba like this.
    8. Amaan Khan
      Wow man I loved it :)
      esc0rtd3w, Zoilus and ShadowShadyLee like this.
    9. ShadowShadyLee
      so, how is the progress of the exploit?
      excited to try that on ps3 super slim with ofw, i don't know a shit about jailbreaking a ps3, never done that, but did on ps2, miss old times, keep up the good work dudes, thanks for everything
      esc0rtd3w likes this.
    10. Zoilus
      PATIENCE guys -- let the devs do their thing. So many people are asking, and I know this is a BIG deal, but bombarding them with the same ?'s won't get them to finish any faster... just be calm, ...Relax, Chillax and grab some snacks .... when it's done and tested ..this is the place that will of course post it FIRST!
    11. Jyrr
      Hey guys I'm kinda new to the whole PS3 jailbreaking thing and I just read this thread. I really want to know what the idps dumper and the flash dumper & flash writer do?
      I'm on a PS3 Slim CECH-2004a so I should be able to downgrade once released?
      ShadowShadyLee likes this.
    12. lord3490
      Idps dumper: reads idps from flash and saves to USB thumb drive (to view use hex editor). Useful in many ways (google it).
      Flash dumper: reading whole flash and saving to USB thumb drive
      Flash writer: now this will be interesting for downgrading/jail breaking. It will be able to write your edited dump back to flash and will enable cfw on your ps3.

      Reading/writing the whole flash was/is only possible with hardware flasher before ;)

      Reading idps was possible before on fw <= 4.76 (iirc) using backup method, took quite a while though ;)

      At least that's how I understand it, haven't even tried dumping idps yet since I have no bootable ps3 with ofw ATM ;)
      esc0rtd3w likes this.
    13. esc0rtd3w
      @lord3490 you can switch to CEX and use IDPS Dumper if you wanted to test it out
    14. TimoZx
      Hello, I’m new to modding and I really want to jailbreak my ps3. I have a Cech-3000A. my question is, is it possible to jailbreak my ps3 with the exploit?
    15. oneohthree
      Not yet... Let devs do their job.
      esc0rtd3w and kozarovv like this.
    16. Med27
      Hi, thanks to all developers, I tested idps in ofw 4.82 cech210... And it works perfectly, I have idps. When can an exploit for ps3 be released? Anyway, to inject games in ofw 4.82 I tested with idps and I have error 80060001
      esc0rtd3w likes this.
    17. lord3490
      I know I could do that, but I wasn't that interested in finding the idps I already know ;)
      However, you are right. I should have tried it since this is really big (or getting big as soon as the flash writer is finished).

      Anyway, i found a PS3 Slim CECH-2004A for 20€ on ebay and picked it up today.
      IDPS dumper was working flawlessly after deleting cache AND rebooting it took about 5-10s.

      I've never had any slim model before, only a superslim (not anymore) and my beloved fat CECHC :smile new:

      edit: My slim has a broken BD, that's why it was so cheap ;)
      (Just in case anyone wondering)
      Yugonibblit and esc0rtd3w like this.
    18. esc0rtd3w
      from my understanding, this is because license files are removed upon restore. we may be able to leverage the exploit to write files from USB back to HDD, but this is not yet tested :-p
      Last edited: Nov 18, 2017
      ed89 and Yugonibblit like this.
    19. pinky
      you may be able to inject games that use edat files. those are games that are trials which can be unlocked to full games. rif license are a no go though. with edat files, they typically have a 3 at the beginning of the alphanumeric title id (NPUB3xxxx). you can even create a generic one using an app. it will create a pkg with the edat. it only requires the title id, so no idps or act.dat. I don't know if this generic edat would work on ofw though. however, you should have the edat of games you bought anyway. :)

      edit: I forgot to mention that most of those edat games have a C00 folder. ;)
      Last edited: Nov 18, 2017
      esc0rtd3w likes this.
    20. esc0rtd3w
      yes, the ability to copy files still means you should not abuse this unless unforeseeable issues arise and you cannot get online to restore a license. The DB Rebuilder and other HDD related tools may also be handy to have and call soft reboot instead of shutdown.
      ed89 and pinky like this.
