• Official PS3 Toolset is now supporting 4.92 Firmware

    View Official Release Post for additional information HERE

PS3 Toolset v1.1 Update

Unfortunately a community like this - with some exceptions - is about getting free games = "get without give".

that's so true! :( .. getting "free games" (piracy) seems to be the only motivation for a ton of users... I still think about a few PS4 homebrew projects I want to build, but you can see that the only ps4-discussion is usually "how can I patch this latest dumped game to run on 5.x 6.x etc?"
 
I personally can't enjoy a pirated game. since I haven't spent any money on it, there's no real obligation to play it. it's kinda boring that way. anyway, I've always been more interested in the exploits. every morning, I make a little project for myself to test something new on any number of systems. I don't play any games except for on the wii u and the switch, and I bought a lot of games on both systems (76 on the wii u and almost 160 on the switch). I don't really care for a scene when things become too easy though, kinda miss the pita nature of early vita exploits and whatnot. it makes owning an exploited system worth something. anyway, there's no real place for me in a scene like that, because I'm more a "teach a man to fish" sort of person. I still do things for people, but I'd rather they learn how to do things themselves or at least do a little reading. right now, I'm on disability, so I don't have a lot of money to spend (only get $529/month), and I spend about $200+ a month for my phone bill and helping with groceries/food. the rest is for games. in that case, I try to respond to help topics, trying to contribute in any way I can. I do have a lot of experience, because I test things on all systems, and I usually have a pretty good memory, so I try to use that to help others. that is my contribution. :)
 

  • The PS3 Toolset v1.1 is finally released.
    It can be accessed at the usual url: http://ps3toolset.com/bgtoolset (new URL; the original www.ps3xploit.net domain is no longer owned by the team)

    This new update brings OFW/HFW/CFW 4.80 cex/dex, 4.81 cex/dex & 4.87 cex support to the list of already supported firmwares.

    The biggest & most impacting change of this update is the introduction of a new "worker thread" system to get better performance & flexibility with multithreaded ROP operations. The idea was to introduce a multithreaded ROP system that could cope with the demands of the coming file manager.
    FMM is now benefiting from the new system, all IO operations use the new worker threads, to good effect according to my benchmarks.
    The log tool was updated with a paging system to avoid performance issues that may be caused by tons of log entries flooding the DOM. UDP log broadcasting has been extended & now runs on a worker thread too, the feature is for devs only, regular users should not have any need for it & should keep UDP turned off.

    I will not be around very much in the next few days, however don't hesitate to report possible bugs or crashes that we did not manage to detect during testing.
    Use the dedicated [BG Toolset] User Issues and Dump Submissions thread.
    I will check it when I can.

    @esc0rtd3w joins me to wish you all a good new year.
    BG

    Sorry about the screenshot quality, bloody Tapatalk attachment limitations.. ;-)


    • See usage in original release (v1.0) notes >> HERE
Can this help spoof to 4.88?
 
is it normal after you get the patches nofsm patch for it to freeze when you try to use bg toolset?
No freeze is normal, it means that something wrong happened, it is not a desirable outcome, no matter how you look at it.

But I can only do something about an issue if I can reproduce it. Reporting a freeze incident alone is not enough for me to go on, I need specific steps & context so that I can investigate the freeze situation myself. If you can reproduce the freeze situation at will, provide me with the steps to do it & I will definitely fix the problem if it is fixable.

I am only taking tech support questions related to the PS3 Toolset running on OFW, not on CFW or HEN because the Toolset was not meant for those environments & because they add many more unknowns in the investigation process, however I develop the Toolset on CFW anyway.

And remember that with the PS3 Toolset, cookies are used to keep track of memory allocations, thread management etc..
You should never clear cookies unless it's directly after a fresh reboot. If you clear cookies between 2 Toolset sessions within the same ps3 session (no reboot between Toolset sessions), you may experience issues.
You should also avoid closing the browser while the Toolset is busy doing things, otherwise Toolset system memory cannot be deallocated & Toolset threads cannot be closed until the Toolset is launched again, and only on condition that cookies have not been deleted.
 
ok i'll see if it happens again but what happened was i search in ps3 web browser ps3xploit.com (domain no longer owned by the team, ps3xploit.me is the new one) and click bg toolset and it freezes
 
Hello everyone!
I finally managed to fix my ntsc-j ceche06 ps3.
Today I tried to do the jailbreak, but I can't open bgtoolset from the ps3xploit site. It gives me error 80710092. What could be the problem?
Just to mention, cookies and javascript are enabled.
 
It's a timeout issue:
CELL_HTTP_ERROR_NET_CONNECT_TIMEOUT 0x80710092

The problem is at your end though.
Make sure to use the full URL so as to avoid automatic redirections:
http://ps3toolset.com/bgtoolset/index.php (new URL; the original www.ps3xploit.net domain is no longer owned by the team)
If the problem persists, check your Internet connection & your LAN settings.
 
I tried to connect over lan, wifi, and a wifi hotspot from my smartphone. Every time I get the same error. Other sites are working from my ps3 browser, I can open google, news, youtube... Even ps3xploit.com (domain no longer owned by the team, ps3xploit.me is the new one) is working, but when I click on bgtoolset I get the error.
I opened a new user profile, same problem...
Soooo, what now?
Sorry for bad english

Edit:
Tried to type the full url, I can't type all characters, not enough space, .php is missing.
 
You are the only person reporting this problem so the issue is local, either setup based or network based & there is nothing else I can do for you as there is no bug on the server side.

And I dunno what you mean, you should be able to type many more characters than what you need in the url field, the Toolset url is relatively short.
Anyway http://ps3toolset.com/bgtoolset (the original www.ps3xploit.net address; that domain is no longer owned by the team) should suffice in theory, just avoid shorthand forms of that url etc..
Don't use proxies or vpn etc..

And remember that all prerequisites need to be met for the Toolset to work, refer to the list of prerequisites in the home tab/Minimum Requirements section.
 
It's working now, don't know what the problem was. I managed to do the jailbreak, but my console died again...
Thank you for the help and for this tool, it's really easy to do the jailbreak now
 
I finished writing & testing the new automatic vsh export library hookup code.
28 libraries hooked up, providing access to over 4400 vsh exports from js objects without requiring any hardcoded offset list.
It works like a charm.. ;-)

At the bottom of the attached screenshot, you can see logs for successful malloc/free calls using the newly created "allocator" js object hooking up the allocator library exports from vsh.
Here is the malloc/free js code that's being executed:
Code:
var offset = allocator.malloc(0x20);
var ret = allocator.free(offset);
In the same way, you could call other libraries like stdc (the standard C library, also referred to as libc); for instance you could execute something like this to initialize the allocated memory:
Code:
var offset = allocator.malloc(0x20);
var mret = stdc.memset(offset, 0,0x20);
var ret = allocator.free(offset);
 

Just an anecdote, I woke up the other day after dreaming about something to do with PS3 internals, it was not the first time, laughable I know but that's dreams for you, always reflecting aspects of reality in some way..
Anyway, as I woke up, for some reason (did I work this shit out in my dreams? I am not sure), I started to think about the getNIDFunction found in xai_plugin & many other sprx plugin projects (not sure who to credit here, mysis??), that function is very commonly used in sprx plugins because the official sdk libc library & other libraries depending on it cannot be linked against, vsh uses its own libc library & the sdk can only link (against those official libraries) sprx projects made for custom self projects, not for vsh.self.
The getNIDFunction takes 2 arguments (vsh library name & export function NID) & spits out that vsh export's OPD's offset at runtime, custom code can consume the OPD & execute the function.
There is one limitation in that code, it iterates through an existing vsh list of pointers to each library description, however the list omits the first 6 available libraries including sysPrxForUser.
Am not sure if that limitation was left in getNIDFunction on purpose; I haven't yet tested those exports, as you can imagine testing all 4416 exports would be very time consuming lol.

I ported the getNIDFunction code for my framework & it worked first time so I modded it to iterate directly on the library descriptions themselves (all 0x1C bytes & all starting with 1C 00 00 00 00 00 00 01, so I use this as "magic"), that way all libraries are included.
Then I decided to reuse the logic of that ported algorithm to write a new routine for the automatic vsh export library detection & export functions hook up to js objects feature.
At first, the perf was not great, 90+ seconds to process all exports.. But after optimisation for javascript (for some reason js is better at manipulating/parsing strings than numbers), the processing of the 4416 export functions in vsh dex 4.84 now takes approximately 5 to 6 seconds which is acceptable so the (updated) Toolset takes 5 more seconds to initialize..
 
@bguerville , this looks amazing!
btw, just wondering, could this somehow be ported or used in regular PSL1GHT homebrews?

It should work in PSL1GHT, the addresses of the in-memory VSH export functions are obtained at runtime.

You could try this code to show a popup message calling show_msg()
Code:
#include <string.h>      // strcmp
#include <ppu-types.h>   // PSL1GHT u16 / u32 / s32

int (*vshtask_notify)(int, const char *) = NULL;

void * getNIDfunc(const char * vsh_module, u32 fnid, s32 offset)
{
  u32 table = (*(u32*)0x1008C) + 0x984; // vsh table address (vsh elf start + 0x8C, plus 0x984)
  while((u32)*(u32*)table)               // the table of library pointers is NULL terminated
  {
    u32 *export_stru_ptr = (u32*)*(u32*)table; // ptr to export stub, size 2C
    const char *lib_name_ptr = (const char*)*(u32*)((char*)export_stru_ptr + 0x10); // library name
    if(strcmp(vsh_module, lib_name_ptr) == 0)
    {
      // we got the proper export struct
      u32 lib_fnid_ptr = *(u32*)((char*)export_stru_ptr + 0x14); // NID list
      u32 lib_func_ptr = *(u32*)((char*)export_stru_ptr + 0x18); // parallel list of OPD pointers
      u16 count = *(u16*)((char*)export_stru_ptr + 6); // number of exports
      for(int i = 0; i < count; i++)
      {
        if(fnid == *(u32*)((char*)lib_fnid_ptr + (i * 4)))
        {
          // take address from OPD (on PPU a function pointer refers to the OPD)
          return (void**)*((u32*)(lib_func_ptr) + i) + offset;
        }
      }
    }
    table += 4;
  }
  return 0;
}

static void show_msg(const char *msg)
{
  if(!vshtask_notify)
     vshtask_notify = (int (*)(int, const char *))getNIDfunc("vshtask", 0xA02D46E7, 0);
  if(vshtask_notify)
     vshtask_notify(0, msg); // the export takes (int, const char *); 0 is the usual first argument
}
 
Yes, check the code Aldo provided.

Basically in vsh in memory.
Get the offset at 0x1008C (vsh elf start + 0x8C).
Add 0x984 to it & you got the address of a vsh table of pointers to library objects.
It's static, it works for every vsh version, cex or dex.

Use the first entry in the table to find the library object for the sys_io library.
From there, you are in the list of library objects, you can iterate each library object (0x1C bytes) containing a pointer to the library name & 2 pointers to 2 linked lists, one is the NID list & the other the list of corresponding pointers to the OPD, an OPD being 8 bytes (ie a function offset + the vsh toc).
For each library, the first pointer to OPD in the OPD pointers list corresponds to the first NID in the NID list, the second pointer to OPD to the second NID etc..
As both lists use 32bit values (NIDs & pointers to OPDs), you can iterate over them both easily.

Check it out in IDA, it is straightforward.
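As an added illustration (not code from this thread, the Toolset or PSL1GHT), the walk described above and in the getNIDFunction post, run on a host against a constructed big-endian image instead of live vsh memory: a NULL-terminated table of pointers to library descriptors, one 0x1C-byte descriptor with the name pointer, NID list and OPD-pointer list at +0x10/+0x14/+0x18 and the u16 export count at +6 (the offsets Aldo's getNIDfunc reads), and two OPDs of the form {entry, toc}. The library name "vshtask" and NID 0xA02D46E7 are the ones from the thread; every image offset and OPD value is a made-up stand-in, not a real vsh address.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed big-endian memory image standing in for a slice of vsh memory.
 * All offsets below are image-relative stand-ins, not real vsh addresses. */
static uint8_t img[256];
enum { TABLE = 0x00, LIB = 0x20, NAME = 0x40, NIDS = 0x50, OPDS = 0x60, OPD0 = 0x80 };

static uint32_t rd32(uint32_t o) { return (uint32_t)img[o] << 24 | (uint32_t)img[o + 1] << 16 | (uint32_t)img[o + 2] << 8 | img[o + 3]; }
static uint16_t rd16(uint32_t o) { return (uint16_t)(img[o] << 8 | img[o + 1]); }
static void wr32(uint32_t o, uint32_t v) { img[o] = (uint8_t)(v >> 24); img[o + 1] = (uint8_t)(v >> 16); img[o + 2] = (uint8_t)(v >> 8); img[o + 3] = (uint8_t)v; }

/* Lay out one library "vshtask" with two exports; the NID list and the
 * OPD-pointer list are parallel, and each OPD is {entry, toc}. */
static void build_image(void) {
    memset(img, 0, sizeof img);
    wr32(TABLE, LIB);                  /* table[0] -> descriptor, table[1] == 0 ends the walk */
    img[LIB] = 0x1C;                   /* descriptor size, the leading byte of the "magic" */
    img[LIB + 7] = 2;                  /* u16 export count at +6 */
    strcpy((char *)img + NAME, "vshtask");
    wr32(LIB + 0x10, NAME);            /* +0x10 pointer to library name */
    wr32(LIB + 0x14, NIDS);            /* +0x14 pointer to NID list */
    wr32(LIB + 0x18, OPDS);            /* +0x18 pointer to OPD pointer list */
    wr32(NIDS, 0x11111111); wr32(NIDS + 4, 0xA02D46E7);      /* constructed NID, then the thread's NID */
    wr32(OPDS, OPD0);       wr32(OPDS + 4, OPD0 + 8);
    wr32(OPD0, 0x00123450); wr32(OPD0 + 4, 0x00700000);      /* OPD 0: entry, toc (made-up) */
    wr32(OPD0 + 8, 0x00123460); wr32(OPD0 + 12, 0x00700000); /* OPD 1: entry, toc (made-up) */
}

/* Walk the pointer table, match the library name, then scan the parallel
 * NID / OPD lists. Returns the OPD address (what a PPU function pointer
 * refers to) or 0 when the export is absent. */
static uint32_t find_opd(uint32_t table, const char *lib, uint32_t nid) {
    for (uint32_t d = rd32(table); d != 0; table += 4, d = rd32(table)) {
        if (img[d] != 0x1C) continue;                       /* not a 0x1C-byte descriptor */
        if (strcmp(lib, (const char *)img + rd32(d + 0x10)) != 0) continue;
        uint16_t count = rd16(d + 6);
        uint32_t nids = rd32(d + 0x14), opds = rd32(d + 0x18);
        for (uint16_t i = 0; i < count; i++)
            if (rd32(nids + 4u * i) == nid) return rd32(opds + 4u * i);
    }
    return 0;
}

/* Wrappers: build the image, resolve (library, NID) -> OPD, read the OPD's entry word. */
uint32_t resolve(const char *lib, uint32_t nid) { build_image(); return find_opd(TABLE, lib, nid); }
uint32_t opd_entry(uint32_t opd) { return opd ? rd32(opd) : 0; }

int main(void) {
    uint32_t opd = resolve("vshtask", 0xA02D46E7);
    printf("vshtask/A02D46E7: OPD @ 0x%02x, entry 0x%08x\n", opd, opd_entry(opd));
    return 0;
}
```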
 