PS3 Ps3Xploit Tools v2.0 - Improved Flash Writers & Dumpers (Even easier to install CFW on 4.82 OFW)

Discussion in 'PS3 News' started by esc0rtd3w, Jan 24, 2018.

By esc0rtd3w on Jan 24, 2018 at 2:56 AM
    UPDATE (OCT. 11 2018): With the release of OFW 4.83, portions of PS3Xploit have been patched. The team is looking at workarounds. STAY ON 4.82; DO NOT UPDATE TO 4.83 AT THIS TIME.

    I will start this off with NO, you can not jailbreak your PS3 SuperSlim consoles (seems to be a popular question); however, that does not mean the Ps3Xploit Team (bguerville, esc0rtd3w, habib & W) has not been hard at work, with this new release of Ps3Xploit v2.0. In this release all the tools (IDPS Dumper, Flash Dumper & Flash Writer) have seen significant improvements, and now performing a task such as installing a Custom Firmware on your 4.82 OFW PS3 (with the flash writer) has been made even easier and very stable thanks to the team's newly implemented checks and the progression of the exploit. The Flash and IDPS dumpers are also much improved. All the details are provided below; please read all the spoilers and tabs before asking any questions.
    -STLcardsWS


    PS3Xploit 2.0 Tools Now LIVE!!

    • Included Tools
      • 4.XX IDPS DUMPER
      • 4.XX FLASH DUMPER (USB Edition)
      • 4.XX FLASH DUMPER (HDD Edition)
      • 4.82 NOR/NAND WRITER (USB Edition)
      • 4.82 NOR/NAND WRITER (HDD Edition)
      Ps3Xploit Tools Changelogs
      v2.0
      • Freeze issues - Fixed
      • Occasional bad dumps - Fixed
      • No beeps & shutdown. Replaced by a graceful ROP chain exit & return to browser. This gives the opportunity to the user to dump after patching & validate the dump with littlebalup's py checker. As long as the user does not shutdown/restart, it's still possible to recover from bad patching.
      • Support for usb port 0,1,6 + sd/cf/ms cards.
      • Multi firmware support on all dumpers (4.10+) & DEX support on 4.81.
      • HDD editions for all dumpers & flash writer where a picture file placeholder is used for read/write operations.
      • Javascript refactoring for performance & efficiency.
      • ps3xploit.com will host the 2.0 update, no need for 3rd party sites.

      v1.0 (Thanksgiving 2017 Release)
      • Supports Direct OFW to CFW patching for All Phat and 2xxx Slim (minver 3.56 Dec 2010 and lower)
      • the NOR/NAND writer will just copy 3Mb of CoreOS data to both ros0 & ros1 in the flash memory.
      • There is only one version released for 4.82. The same hex patch file can be used on nor & nand.
      • It's as safe as possible, with a check for usb device & patch file making the exploit hang instead of corrupting flash if file is not found.
      • In case of corruption (extremely rare but could always happen), it's only a partial brick because no per console info ever gets erased so a hardware flasher could still be used if ever a recovery reboot was impossible



    • Frequently Asked Questions

      Will this jailbreak my SuperSlim?
      • NO. The Flash Writer tool is not supported on the SuperSlim and some very late Slim models. However, PS3Xploit has a strong possibility of eventually evolving into a HEN-style exploit (that aspect will take some additional development).

      Which PS3Xploit Tools are compatible with my PS3 console?



      • [Model sticker image] Check this sticker on the back of your PS3 to view your PS3 model.
        Flash Writer Model Compatibility (PHAT):
        • CECH-A01 (NAND)
        • B (NAND)
        • C (NAND)
        • E (NAND)
        • G (NAND)
        • H (NOR)
        • J (NOR)
        • K (NOR)
        • L (NOR)
        • M (NOR)
        • P (NOR)
        • Q (NOR)

        All DUMPER (FLASH/IDPS) & FLASH WRITER TOOLS are Supported for this model.


      • [Model sticker image] Check this sticker on the back of your PS3 to view your PS3 model.

        ***IMPORTANT***
        Pay very close attention to your PS3 SLIM model: when the SLIM was manufactured determines whether your console can install CFW (Flash Writer compatibility).

        For the 25XX series, or if you are unsure about any model, it is recommended that you run the minverchk PUP >> (DOWNLOAD) & (How to use Minverchk). It is a simple utility that shows the factory-installed firmware of your PS3. For the CECH-25XX model, if the utility shows 3.56 or lower you are compatible, but if it shows 3.60 or higher you are NOT compatible with the Flash Writer (the CFW enabler for 4.82 CFW).

        • Flash Writer Model Compatibility (SLIM):
          • 20XX NOR
          • 21XX NOR
          • 25XX NOR (3.56 minver. and Lower)
        • NOT COMPATIBLE (SLIM):
          • 25XX NOR (3.60 and Higher)
          • 3XXX NOR


        All DUMPER (FLASH/IDPS) TOOLS are Supported for this model.



      • [Model sticker image] Check this sticker on the back of your PS3 to view your PS3 model.
        • FLASH WRITER NOT COMPATIBLE (SUPERSLIM):
          • 4XXXA EMMC
          • 4XXXB NOR
          • 4XXXC NOR

        All DUMPER (FLASH/IDPS) TOOLS are Supported for this model.


      Where can I find official info and details?
      Warning: Known Limitation
      • Due to the lack of proper checks after exiting the ROP chain, it is possible in some cases to obtain a success message despite an operation failure. For instance, if you choose a path where no device is plugged in, a dumper page will still display a success message even though the dump could not be saved. This limitation has already been addressed; the added operation checks will be part of an update to these PS3Xploit tools which will be released in the coming weeks. That update will be final; no more will come after it.


    • FLASH Dumper Help


      • PS3 4.xx NAND/NOR/EMMC FLASH DUMPER v2.0
        All PS3 models supported
        All 4.10+ CEX CFW/OFW supported
        4.81 DEX CFW/OFW supported


        IMPORTANT NOTES:
        • It is essential not to flood the browser memory with junk before running the exploit. Because of JavaScript core memory usage limitations, the exploit scans a small range of browser memory (a few Mb) several times to find some essential data in RAM; if memory is flooded, the range that would need scanning becomes much larger, and the probability that the data is found in the small range actually scanned drops dramatically.
        • So in short, never use the browser or use a homepage you cancel before running the exploit!
        • It is recommended to set your homepage temporarily to the exploit page you wish to use to ensure there is no memory flooding messing with the exploit initialization stage.
        Steps:
        1. Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
        2. Open the browser. The exploit page will load automatically. Choose your dump path option.
        3. Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
        4. Trigger the exploit by pressing the dump button.
        5. On success, validate your dump with the py checker tool.

      • PS3 4.xx NAND/NOR/EMMC FLASH DUMPER - HDD EDITION v2.0

        All PS3 models supported
        All 4.10+ CEX CFW/OFW supported
        4.81 DEX CFW/OFW supported


        IMPORTANT NOTES:
        • It is essential not to flood the browser memory with junk before running the exploit. Because of JavaScript core memory usage limitations, the exploit scans a small range of browser memory (a few Mb) several times to find some essential data in RAM; if memory is flooded, the range that would need scanning becomes much larger, and the probability that the data is found in the small range actually scanned drops dramatically.
        • So in short, never use the browser or use a homepage you cancel before running the exploit!
        • It is recommended to set your homepage temporarily to the exploit page you wish to use to ensure there is no memory flooding messing with the exploit initialization stage.
        Steps:
        1. Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
        2. Open the browser. The exploit page will load automatically. Download the dump.jpg placeholder file to your PS3 System Storage using the provided link as instructed on screen.
        3. Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
        4. Trigger the exploit by pressing the dump button.
        5. On success, retrieve the dump file from the PS3 XMB Photo section, rename it appropriately to dump.hex or whatever & validate your dump with the py checker tool.


      Usage Tips:
      • Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
      • If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
      • If you are using a LAN connection and experience network issues, make sure all cables to the router are in working order.




      • PS3 OFW 4.82 NAND/NOR FLASH WRITER v2.0
        ***** IMPORTANT DETAILS BELOW -- AVOIDING A BRICK *****
        WARNING: USE ONLY THE PROVIDED flash_482.hex AS IS. DON'T PATCH IT OR MODIFY IT OR YOU WILL BRICK *****
        • Verify flash_482.hex file on a flash drive and in the selected USB slot!
          • flash_482.hex MD5: d05be52f8d21700052fbd1fc0174acae
        • DO NOT USE ON CFW (Custom Firmware) (Only Supports OFW)
        • DO NOT USE ON PS3 Models 3xxx/4xxx (aka late Slim or Superslim models), you would brick those consoles.
        • ON SLIM 2xxx Consoles, always use MinVerChck PUP to ensure that the minimum installable firmware version is < 3.60, if ever the minimum version is >3.56, using the flash writer would partially brick your console!
        • USE ONLY ON 4.82 OFW

        IMPORTANT NOTES:
        • It is essential not to flood the browser memory with junk before running the exploit. Because of PS3 JavaScript core memory usage limitations, the exploit scans a small range of browser memory (a few Mb) several times to find some essential data in RAM; if memory is flooded by previous browsing, the range that would need scanning becomes much larger, and the probability that the data is found in the small range actually scanned drops dramatically.
        • So in short, never use the browser or use a homepage you cancel before running the exploit!
        • It is recommended to set your homepage temporarily to the exploit page you wish to use to ensure there is no memory flooding messing with the exploit initialization stage.

        Steps:
        For best results with flash writer, here are the recommended steps.
        1. Install OFW 4.82 twice on the console you wish to flash to avoid the potential corruption error during CFW installation.
        2. Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
        3. Open the browser. The exploit page will load automatically. Choose your path option.
        4. Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
        5. Trigger the exploit by pressing the patch button.
        6. On success, load the ps3xploit.com flash dumper, dump the flash memory & validate it with the py checker tool. Do NOT restart the console if the validation tool gives you errors/warnings on both ros0 & ros1, or you risk partially bricking your console. Report your problem instead.
        7. When you are satisfied with the dump validation, restart your console & install a 4.82 CFW.


      • PS3 OFW 4.82 NAND/NOR FLASH WRITER - HDD EDITION v2.0
        ***** IMPORTANT DETAILS BELOW -- AVOIDING A BRICK *****
        WARNING: USE ONLY THE PROVIDED flash_482.jpg AS IS. DON'T PATCH IT OR MODIFY IT OR YOU WILL BRICK *****
        • Download flash_482.jpg file to PS3 System Storage!
          • flash_482.jpg MD5: d05be52f8d21700052fbd1fc0174acae
        • DO NOT USE ON CFW (Custom Firmware) (Only Supports OFW)
        • DO NOT USE ON PS3 Models 3xxx/4xxx (aka SuperSlims / Late Slim models), you would brick those consoles.
        • ON SLIM 2xxx Consoles, always use MinVerChck PUP to ensure that the minimum installable firmware version is < 3.60, if ever the minimum version is >3.56, using the flash writer would partially brick your console!
        • USE ONLY ON 4.82 OFW

        IMPORTANT NOTES:
        • It is essential not to flood the browser memory with junk before running the exploit. Because of PS3 JavaScript core memory usage limitations, the exploit scans a small range of browser memory (a few Mb) several times to find some essential data in RAM; if memory is flooded by previous browsing, the range that would need scanning becomes much larger, and the probability that the data is found in the small range actually scanned drops dramatically.
        • So in short, never use the browser or use a homepage you cancel before running the exploit!
        • It is recommended to set your homepage temporarily to the exploit page you wish to use to ensure there is no memory flooding messing with the exploit initialization stage.
        Steps:
        For best results with flash writer, here are the recommended steps.
        1. Install OFW 4.82 twice on the console you wish to flash to avoid the potential corruption error during CFW installation.
        2. Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
        3. Open the browser. The exploit page will load automatically. Download the patch file flash_482.jpg to your PS3 System Storage using the provided link on screen.
        4. Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
        5. Trigger the exploit by pressing the patch button.
        6. On success, load the ps3xploit.com flash dumper, dump the flash memory & validate it with the py checker tool. Do NOT restart the console if the validation tool gives you errors/warnings on both ros0 & ros1, or you risk partially bricking your console. Report your problem instead.
        7. When you are satisfied with the dump validation, restart your console & install a 4.82 CFW.
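        The dumper and writer steps above rely on two integrity checks: the MD5 of flash_482.hex (or flash_482.jpg) must equal the published value before the file goes anywhere near the console, and after patching the dump must show ros0 and ros1 carrying identical CoreOS bytes. The script below is an added example written for this page; it is not part of the PS3Xploit release or of littlebalup's py checker. The region offsets and length used in the demo are constructed for illustration and are not the real PS3 NOR/NAND layout, so on a real dump you would take the offsets from the py checker and pass them to `check_ros_regions`.

```python
import hashlib
import sys

# Expected MD5 of flash_482.hex / flash_482.jpg as published in the post.
FLASH_482_MD5 = "d05be52f8d21700052fbd1fc0174acae"


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 hex digest of a file, hashed in chunks so a full flash dump need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch_bytes(data, expected_md5=FLASH_482_MD5):
    """Return (ok, actual_md5); ok is True only on an exact (case-insensitive) digest match."""
    actual = md5_of_bytes(data)
    return actual == expected_md5.lower(), actual


def verify_patch_file(path, expected_md5=FLASH_482_MD5):
    """Same check for a file on disk, e.g. the copy on the USB stick before it is plugged in."""
    actual = md5_of_file(path)
    return actual == expected_md5.lower(), actual


def region_digest(dump, offset, length):
    """MD5 of dump[offset:offset + length]; refuses to silently hash a truncated region."""
    if offset < 0 or length <= 0 or offset + length > len(dump):
        raise ValueError("region 0x%x+0x%x lies outside a %d-byte dump" % (offset, length, len(dump)))
    return md5_of_bytes(dump[offset:offset + length])


def check_ros_regions(dump, ros0_offset, ros1_offset, length):
    """Compare the two CoreOS regions; after a clean patch both should hash identically."""
    d0 = region_digest(dump, ros0_offset, length)
    d1 = region_digest(dump, ros1_offset, length)
    return {"ros0_md5": d0, "ros1_md5": d1, "match": d0 == d1}


# Constructed layout for the demo only. These are NOT the real PS3 NOR/NAND offsets;
# take the real layout from littlebalup's py checker.
DEMO_REGION_LEN = 0x1000
DEMO_ROS0_OFF = 0x0400
DEMO_ROS1_OFF = 0x2400


def build_demo_dump(corrupt_ros1=False):
    """Synthetic 16 KiB 'dump' with one CoreOS blob written to both demo regions."""
    coreos = bytes(range(256)) * (DEMO_REGION_LEN // 256)
    buf = bytearray(b"\xff" * 0x4000)                 # erased flash reads back as 0xFF
    buf[DEMO_ROS0_OFF:DEMO_ROS0_OFF + DEMO_REGION_LEN] = coreos
    buf[DEMO_ROS1_OFF:DEMO_ROS1_OFF + DEMO_REGION_LEN] = coreos
    if corrupt_ros1:
        buf[DEMO_ROS1_OFF + 10] ^= 0x01                # simulate a single bad byte in ros1
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python verify_ps3xploit.py flash_482.hex   (the file path is an example)
    if len(sys.argv) > 1:
        ok, actual = verify_patch_file(sys.argv[1])
        print("%s: %s (%s)" % (sys.argv[1], actual, "OK" if ok else "MISMATCH, do not use"))
    for corrupt in (False, True):
        report = check_ros_regions(build_demo_dump(corrupt), DEMO_ROS0_OFF, DEMO_ROS1_OFF, DEMO_REGION_LEN)
        print("demo dump (corrupt_ros1=%s): ros0 == ros1 -> %s" % (corrupt, report["match"]))
```

        The MD5 comparison is adequate for what the post needs it for, catching a truncated or corrupted download; it is not a defence against a deliberately substituted file, so the patch file should still only come from the ps3xploit.com archive named in the post. Hashing the file in chunks matters once you point the same helper at a full flash dump rather than the small patch file.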

      Usage Tips:
      • Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
      • If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
      • If you are using a LAN connection and experience network issues, make sure all cables to the router are in working order.

    • PS3 4.xx IDPS DUMPER v2.0

      All PS3 models supported
      All 4.10+ CEX CFW/OFW supported
      4.81 DEX CFW/OFW supported

      IMPORTANT NOTES:
      • It is essential not to flood the browser memory with junk before running the exploit. Because of JavaScript core memory usage limitations, the exploit scans a small range of browser memory (a few Mb) several times to find some essential data in RAM; if memory is flooded, the range that would need scanning becomes much larger, and the probability that the data is found in the small range actually scanned drops dramatically.
      • So in short, never use the browser or use a homepage you cancel before running the exploit!
      • It is recommended to set your homepage temporarily to the exploit page you wish to use to ensure there is no memory flooding messing with the exploit initialization stage.
      Steps:
      1. Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
      2. Open the browser. The exploit page will load automatically. Choose your dump path option.
      3. Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
      4. Trigger the exploit by pressing the dump button.
      5. On success, check your IDPS dump with a hex editor.

    Source Code & Downloads:
    NOR/NAND/EMMC/IDPS 4.xx Dumpers v2.0 Update
    NOR/NAND 4.82 Flash Writer v2.0 Update
    flash_482.hex (already included in the Flash Writer 2.0 archive) MD5: d05be52f8d21700052fbd1fc0174acae
    MinVerChck PUP


    Exploits now hosted @ ps3xploit.com
    Official Support Forum: psx-place.com/forums/PS3Xploit/
     
    Last edited by a moderator: Oct 12, 2018

Comments


    1. rmfdemon
      But makes sense.
    2. unseen
      You should give more details. Try installing CFW from safe mode. Also you can dump your fw, and check with PyPS3checker.
    3. Gaslilbithc
      When getting to the miniweb.exe part, should my ps3 and laptop be connected to the same WI-FI?
    4. jonnyjaeger
      nevermind, the answer was clearly written in the first post, just didn't see it at first. Hope to see an update for 4.83
      Last edited: Oct 29, 2018
    5. Walter.C
      awesome work guys, thank you all for your effort and commitment!

      currently still gathering information, proceeding very slowly cause it's my first OFW patching on a Ps3 ever and I don't want to screw anything up ;)

      minverchk spat out a 1.90 which is awesome hehe

      installed 4.82 ofw, about to install it another time as OP suggested, did an OFW dump and tested out with checker.py (all green), dumped IDPS as well just to try out these tools and practice a little, I was saying to myself "meh, as long as it's read-only I can goof around I guess" ;)

      just wondering: during the first OFW flash dump the script gave me some 3 or 4 failures (some 30 secs with a percentage) before a success (almost instantly), was using miniweb with NAND dumper (on a CEX CECHGXX), messed around a little with browser homepage, cut the Internet connection out (still using wifi between PS3 and PC miniweb), then fired it up again and success!!

      Don't know if actual Internet connection has something to do with this. Or maybe RAM usage as bguerville specified. I thought, "as long as it works once it's fine": don't really know if this is the correct way of thinking. Flash dump was fine (as returned by littlebalup's tool) so all's right with the world I guess.

      Also I would like to ask if the 4.82 OFW flash dump can be useful if something goes wrong.
      Last edited: Oct 30, 2018
    6. bguerville
      The nand dumper is a special case given the size of the ROP chain, the biggest of all tools released to date.
      All releases from v1.0 to v3.0 used a temperamental memory search that had difficulties with big javascript strings where we store the data needed by the ROP chain. Using big strings implies a wider spread of the js data stored in memory, which results in the need to rely on a bigger memory search range when the exploit attempts to locate the string.
      Increasing the size of the search range too much leads to the js engine running out of memory, so the search range size is limited & the string doesn't always get located in it.
      When the string cannot be found, the whole memory search process is restarted & the exploit keeps looping like this until the string is found.
      This issue has been addressed in 4.0.

      Keeping a dump of the Flash Memory for safe keeping is always wise. It contains data unique to your console that cannot be restored unless you have a backup. It is unlikely but who knows, you may need it one day.
      Last edited: Oct 31, 2018
    7. Walter.C
      This is awesome. (Actually caught maybe 40% of what you said but I am kinda thrilled to see v4.0 whenever it comes out.)

      Thank you very much for your answer! I'll keep it just in case then.
    8. Walter.C
      quick update: could not install OFW 4.82 on OFW 4.82 from the XMB System Update utility. Had to start the console in recovery mode.

      Reinstalling OFW right now, so all's going well so far. I'll check the flash dump right thereafter.
    9. bguerville
      I edited my last post. ;)
      I hope it is a little easier for you to understand.
    10. Walter.C
      It is. I have kinda basic programming skills but this much I can grasp, now I can see why these exploitations seem to have some sort of "random success/failure ratio". If I understood it correctly, this also could theoretically make the percentage stop at a random value before giving a success message. Thank you again for your time and patience in explaining things ;)

      another quick update: OFW reinstall was successful via recovery mode, exploit succeeded at the first try and now ROS0=ROS1 (I can see the same md5 in the "Checking CoreOS_region" part). I assume I am good to go. And oh, Internet connection has nothing to do with exploitation success. Did the entire part with Internet disabled and went as smooth as it could ever go.
      Last edited: Oct 31, 2018
    11. esc0rtd3w
      the "randomness" is because we are looking in memory for specific strings. Each attempt adds a notch to the percentage by 5%, and when it hits 100%, the exploit has failed. It basically loops 20 times and at anytime during the scanning, if the strings are found, it will trigger, regardless of what percentage it is on.
    12. Walter.C
      Crystal clear. Thanks ;)
    13. Walter.C
      Just patched the NAND. Dumped the flash, all green, 0 warnings, 0 errors. Version number reported was "4.82 CEX Patched (PS3Xploit v2.0)" for both ROS0 and ROS1, md5 matching. System rebooted, up and running smoothly!! I'm gonna install CFW asap.

      Used local wifi for both dumping and flashing, Fenix server (as suggested by littlebalup), playing with dumper and writer utilities in separate folders. It's been way easier than I thought. I had a lot of fun actually, plus some edgy moments while flashing. Bricking consoles is not what I want to do in life :D

      As a suggestion, instead of a percentage I would print the attempt number while running the exploitation: something like "Searching through data stored in memory. Attempt 1 of 20..." and so on. A percentage is kind of misleading IMO: someone could wonder, "why when it hits 100% it says that it has failed?" This way, when attempt number reaches 20 of 20, another message could say, "All attempts have failed in this exploit session. Please exit and re-enter the browser and try again..." or something like that.

      Thanks again to all the devs for their knowledge and dedication to the project, it was definitely a fun ride! I'll keep lurking around just in case :D
    14. esc0rtd3w
      glad to hear things went smooth :)

      it's funny you suggested that, i believe that is how the v1 was setup and we changed it to look that way in later revisions to look cleaner and "less confusing"? question mark lol :)
    15. Walter.C
      hahah funny nonetheless :D
    16. Louay
      If I have an unhackable PS3 model on OFW 4.83, can I use a flasher to flash 4.82 OFW CoreOS to ros0 and ros1? Would that work?? I mean, to get to 4.82 using CoreOS just like in the case of a brick using ps3exploit, and then install a fresh 4.82 OFW and use HAN? Do you think it will work? This is just an idea
    17. bguerville
      Currently, it's not possible.
      You could change CoreOS in the NOR with the HW Flasher or a modded ps3xploit Flash Writer but the syscon (in eeprom) responsible for booting the system keeps track of the last installed fw version (which on ofw is by nature always the highest version the console has ever had installed) & it will not let you boot a lower one. For the moment, we have no way to patch the syscon to make systems downgradeable on OFW 4.xx. But you can safely assume that eventually some future exploit will change all that one day..
      Last edited: Nov 18, 2018
    18. Louay
      ohhhh that's bad luck
    19. baptx
      Hello, where can we safely download the official firmware 4.82? On PlayStation website, we can only download latest version 4.83. Even if a version 4.82 was downloadable from PlayStation website, I would not trust it since it may be a trap to install version 4.83 and prevent jailbreak. By the way, I read it is not possible to do the jailbreak on an older OFW than 4.82, do you know why? (I guess it should technically be possible unless the exploit vulnerability was introduced in version 4.82) Thanks.
    20. DeViL303
      You can get it here. http://www.psdevwiki.com/ps3/4.82_CEX any region will do, it's the same file, just different servers. It doesn't work on older firmware simply because the xploit would need to be ported for the lower firmware and there is no point.
