PS3 [UPDATE] IDPS Dumper (PS3 NAND / NOR ) - 4.81/4.82 OFW Compatible by Team PS3Xploit

Discussion in 'PS3 News' started by STLcardsWS, Nov 11, 2017.

By STLcardsWS on Nov 11, 2017 at 10:41 AM
  1. 9,399

    STLcardsWS Administrator

    Sep 18, 2014
    Likes Received:
    Trophy Points:
    {UPDATE v0.2.3 Released(See tab)}
    Following the official announcement of the PS3Xploit news (4.81 OFW Exploit), the devs behind the project have fulfilled the promises of releasing the IDPS Dumper for OFW 4.81/4.82 as this release is ready for the public. Now there is many more things being worked surrounding the overall project but this IDPS Dumper works on all models of the PS3 (NOR and NAND, note 12 GB EMMC will be supported soon in an updated release) and no reason not to release this tool. Since PS3 firmware 4.70 Sony had blocked flatz IDPS extracting tool (IDPS Stealer) and there has not been a known way to obtain the IDPS on OFW (4.70 +) consoles , but now this tool can now obtain your PS3's ID, which can have various uses, the tool has been confirmed to work on SuperSlim models by the team. . If you have not read the previous details about the PS3Xploit project, then checkout this official thread to get the firsthand information about this ambitious PS3 project.

    (UPDATE v0.2.3)

    • UPDATE v0.2.3- IDPS Dumper for 4.82 OFW
      • Added 4.82 Support
      • Removed all extra requirements like JQuery..
      • Removed the need for string relocations to improve the initial memory search process & overall trigger times.

    • UPDATE v0.2.3- IDPS Dumper for 4.81 OFW

      • Removed all extra requirements like JQuery..
      • Removed the need for string relocations to improve the initial memory search process & overall trigger times.

    • UPDATE v0.2.1a- IDPS Dumper for 4.81 OFW

      we have some more exciting news to bring you!! :cheerful:

      We have been working very hard to bring eMMC support for the newest SuperSlims CECH-40xxA, CECH-42xxA , CECH-43xxA and that has happened. :D

      The team would like to present a nice little update to the 4.81 IDPS Dumper now supporting eMMC hardware revision consoles!!

      Please report any issues you have while using this new version on any of the flash types, NAND, NOR, and eMMC.

      Thank You to all :cool:

      • Added eMMC SuperSlim Support (CECH-40xxA, CECH-42xxA , CECH-43xxA)
      • Misc Tweaks To Exploit
      • Small typo on index.html pointed out by @Turranius - Fixed

      How to use this:
      install python to use or another HTTP server of your choosing on both Windows and Linux!​

      On windows - Install any of these optional HTTP servers:

      On linux:
      • install python for your distribution using apt-get, yum, and similar commands.
      • make script executable using "chmod a+x" or "chmod 775" or "chmod 777"
      • execute python script using "/usr/bin/python $exploitFolder/" or "./"

      on Android: (
      instructions from @No0bZiLLa)
      • I can confirm this does work if using an http server on Android. what i did was downloaded the zip (on my phone) and extracted it and then download something like Simple HTTP Server and point the server to the folder that contains index.html. once you do that just reload the server and make a note of what the ip:port is. then just go to ps3, type in ip:port (eg as specified in simple http server and then select the appropriate button for your system.

      Then run (for python):

      • On windows - windows.bat
      • On linux -

      Usage Tips:

      1) Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
      2) If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
      3) If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.​

    • IDPS Dumper Release (v0.2 - After Leak Release)
      ok....the moment all of you have been waiting for......i assume :cheerful:
      • File:
      • MD5 Hash: FFDA70AB2D1677886083F99185C54FE3
      • SHA-256 Hash: 852BDB301753C4F4A7E946188E850D3D325EEAA259B61AE2B5AE31320B2F292B

      enjoy this release from our team :victorious: we will be working hard to add eMMC support as soon as possible!!

      The documentation will be updated as time goes on. There is a readme.txt file included with basic setup and usage instructions.

      Please stay tuned for future tools and releases :D

      and once again, THANK YOU to everyone involved bringing this all together, without all of you, none of this would have happened!!!

      Additional details from @bguerville
      "The idps dumper will create a file on usb000 then beep 3 times & shutdown in all cases, even if flash memory read fails. emmc should not make a difference to this. You will get garbage in idps.bin in that case.

      Js errors with a black page message on ps3 should not happen. If ever it did, just report & in the meantime keep relaunching the exploit. Nobody has had this issue in dozens of tests though.

      And clearing cache or cookies is totally unnecessary with the exploit & the wk js interpreter. Between runs garbage collection will take care of cleaning up what is needed, the job it does is always sufficient".

    It's essential not to flood the browser memory with junk before running the exploit. The reason for this is that due to javascript core memory usage limitations we are scanning several times a small range of browser memory (a few Mb) to find some essential data in RAM, if the memory is flooded then the range to scan becomes much larger & the probabilities that our data is found in the smaller range decrease dramatically....

    So in short, never use the browser or set a homepage you cancel before running the exploit!
    If you need to, set the homepage to 'blank', close the browser then reopen it to start the idps dumper.

    Set-up Steps:
    1. Setup a small Web server on pc or smartphone. The Python http server is not required for most users, it was provided for developers. Since v0.2.3, all other extra requirements have been removed. Don't come to us for explanations about how to run a http server though. Google it.
    2. Extract the files in your http server root folder.
    3. Put a fat32 USB key in port closest to BD Drive (/dev_usb000).
    4. Open the ps3 browser & write the ip address of your server (and the port if not 80).
    5. Run until ps3 beeps & shutdown. The idps should be on your USB drive as idps.bin.
    - Downloads -
    • MD5 Hash: 3c2e1582f52e1002a12ad280f426d0c6
    • SHA-256 Hash: 1c49eabd64275171a60c90f0f06f503b7055f4ff863f87e7960d41464d127443
    • MD5 Hash: 71dd906e585bf470f84f9d4fb10c1f37
    • SHA-256 Hash: d4bffe2b7d08c1dda275590229f86903f1db487e9a78364d6a025c3734cd8f68

    Attached Files:

    Last edited: Nov 19, 2017


Discussion in 'PS3 News' started by STLcardsWS, Nov 11, 2017.

    1. cots
      I suppose this will allow backup injection, but Google isn't cooperating. Anyone have a link on how to inject backups using your IDPS?
    2. pinky
      I'm not exactly sure what sony patched post 4.70 - if it was obtaining your idps or if it has something to do with the backup procedure. there was a way to inject backups without the idps. however, if the idps was no longer needed, I tend to believe the latter is more likely.
      esc0rtd3w likes this.
    3. cots
      Yes, I remember the 4.70 method, but during the discussions I remember reading there was supposed to be a way to add games to 4.81 if you had your IDPS. Do you know anything about that?
    4. pinky
      never heard of that. it might be possible, but I really don't know. I've never had to use the backup injection method, so I can only go based on what I've read. I normally don't like talking about things or dispensing advice if I've never done something before.
      esc0rtd3w likes this.
    5. Zoilus
      This didn't seem to be working on CECH2001A with 4.78 ofw. but in my excitement i didn't notice that indeed it is specific to 4.81. I have other systems i am working on and sure enough the one on 4.81 ofw is working with this. Im just leaving this here in case others have the same issue and just didn't pay attention to the 4.81OFW part :)

      very good job guys
      Last edited: Nov 11, 2017
      ItsCosmicHD and esc0rtd3w like this.
    6. sandungas
      I guess the exploit/s are firmware version dependants... so the first step is to upgrade to ofw 4.81
      Dont do it yet until someone confirms this though
      esc0rtd3w, kozarovv and Zoilus like this.
    7. Zoilus
      Thanks @sandungas it is version specific ... i wasn't paying attention to the title... i got to excited! lol I have like 3 ps3's here i am working on and another 2001A was on 4.81 so i tried it and its working .... thanks again!
      esc0rtd3w, kozarovv and sandungas like this.
    8. Jaroslav_01
      OK, weird, I first used the xampp method to load this exploit on my ps3, and it took me 3minutes to let it do its thing, This time I used the method with capstone that was recommended in the .txt file and it took me 1 minute,
      I have the CECH-2504b 0C model, freaking fast boi, I hear people saying "took me 1 hour"
      jbtheworld and esc0rtd3w like this.
    9. pinky
      could have something to do with the model of ps3.
      jbtheworld and esc0rtd3w like this.
    10. Zoilus
      yepp i got a CECH2001A and its taking the hour apparently. I did this on a 2501A and around at the 50 minute mark I just stopped the browser because I felt it was never going to end...but thats BEFORE i read people were having to wait about an hour.

      So its been like 30 mins already with the 2001A lets see. But dang an hour is looong.
      esc0rtd3w likes this.
    11. Zoilus
      So on the 2 systems - 2501A and 2001A the process just kept going indefinitely. the 2001A I left it for 2 hours, and the 2001A for 1hr, and in my cmd window it keeps showing the process of "restarting POC" then ocassionaly I will see where it finds the offset ...then it goes back to the POC thing again and again but never finishes.

      Im on windows 7 64bit. I installed the 2 .msi files. then I put the HTML folder from the zip file onto root of usb. Then I run windows.bat, on ps3 end I point the browser to the ip in the cmd window along with the :xxxx port

      everything then starts running , but never finishes. is there something im missing?

      in the python folder there is a python.exe and a pythonw.exe both 27kb. should the W one be renamed and used? thanks in advance
      esc0rtd3w likes this.
    12. esc0rtd3w
      from our testing, the mentioned models should work, without issues.

      the reason for the looping is to avoid JS errors, as the exploit will restart after failing to find any correct offset after 38 attempts. The gadget offset must be in a specific area, so many loops may happen until all needed offsets are found in their correct locations.

      As far as i am aware, the python server with capstone is for debugging and is not technically needed for the exploit to work. Any HTTP server should be able to serve the files. If the process does move faster, as @Jaroslav_01 mentioned , then this is good news, although i am not sure why it would be faster!

      @bguerville can correct anything i said wrong :-p
      Jaroslav_01 and pinky like this.
    13. ItsCosmicHD
      this is awesome, if only i had a ofw ps3 i could do this on
      esc0rtd3w likes this.
    14. esc0rtd3w
      also works on CFW CEX :D
      Rommy667 and STLcardsWS like this.
    15. ItsCosmicHD
      I'm not in need of a cid right now, I have a private one im using and the original cid on my cfw isnt banned.
      esc0rtd3w likes this.
    16. ItsCosmicHD
      but when the flash dumper releases I plan to get another ps3 to check it out on, thanks for the releases bro :kiwi fruit:
      esc0rtd3w likes this.
    17. esc0rtd3w
      for anyone having issues with the exploit taking hours to trigger, or even more than 5 minutes for that matter. Just reset the console and try again, it will eventually work :cool:

      if it takes more than 5 minutes, either restart browser, reload exploit page, or restart console.
      Mohammed Akif likes this.
    18. benn
      I will a try later. Thank you for your update
      esc0rtd3w likes this.
    19. bguerville
      The page reloads for the poc to restart, not after 38 attempts, but after search attempts amount to 40Mb worth of memory search! To avoid a js core error, the page must be reloaded, unless someone knows a way to force GC in ps3 webkit js core....
      I have no idea why it may take an hour on some consoles, it never took more than 5mn in all my tests.

      Like I said before, this release was not planned. There is a way to avoid the string relocations & therefore the page reloads but it requires more ROP work so you won't get it until the main project is released....
      sandungas and esc0rtd3w like this.

Share This Page