PS3 CFW and Hacks | Thread starter: PSXHAX | Start date: Mar 3, 2019 at 2:55 PM
This must be the weekend for PS3 scene Custom Firmware releases: following the Rebug 4.84 PS3 CFW and 4.84 Ferrox PS3 CFW, and continuing his STARBUCKS CFW and IDPS Bruteforcer work, PlayStation 3 developer @smhabib has now made available STARBUGGED (aka STARBUGED) 4.84.1 / 4.84.2 PS3 CFW, which includes a new Cobra 8.00 / 8.01 payload, making Starbug a Starbucks release alongside Rebug seasoning, with details below.

Download: STARBUGGED_4.84.1_AIO_FINAL_rev2.zip (198.2 MB) / STARBUGED_4.84.2_CB_8_01.zip (198.2 MB) / poc_cb_8_01.zip (179 KB) / payload.bin (440 Bytes - Example Payload) / STARBUGED_484.1_COBRA_801_REV3.zip (197.70 MB) / webMAN_MOD_1.47.12_Updater.pkg

Below are the release details from Habib:

FEATURES: (Contains Rebug Lite + Cobra v8.00 features)
  • FEATURE – COBRA 8.00 (Enabled by default)
    • Background running plugins at boot time (sprx)
    • ISO Support: PS1/PS2/PS3/PSP/DVD/BluRay (Split ISO support on FAT32 drives)
    • Network Support: PS1/PS3/DVD/BluRay /PKGs
    • Blu-ray Movie region free functionality
    • NTFS HDD Support (prepNTFS or multiMAN required to scan contents)
    • PS2 ISO Support for BC (HW) / non-BC (SW) Consoles
    • Syscall 11 – Cobra lv1 Peek
    • Syscall 15 – Allow execution of any LV2 internal function
    • PSNPatch stealth plugin support
      • ISO rips are required to get 100% support, for ex) after disabling syscalls, games like Call of Duty will not be able to play unless you use ISO rips; please DO NOT expect everything to be fully functional when you are disabling the built-in features from COBRA. Folder rips are NOT compatible with PSNPatch's stealth mode, due to its ability to disable COBRA's disc-less feature for folder JB rips.
    • PS3MAPI support, allows you to attach process on both CEX/DEX via its own API app.
    • Backup Protection Removal, Add full PS3 Backup support on all multiMAN/sMAN/webMAN,IRIS manager forks and Managunz.
    • Allow modification on Syscall 6/7/8/9/10/11/15.
    • Burned/Burnt optical media support for PS1/PS3 Games on All models
    • Homebrew blocker – blocks homebrew access while Syscalls are disabled
    • New in v8.00: Run payload with kernel privileges - Added option to run a payload with kernel privileges, like PS Vita skprx. This is a big thing! One can make hooks, printf to socat, do whatever they feel like they need to do. At the current time only one payload is supported at a time. In the future I might increase this.
    • New in v8.00: Boot time speed improved - as there is no stage1.
    • New in v8.00: PS2 BC and semi-BC consoles won't load ISO when Cobra is disabled (disable Cobra using opcode).
  • FEATURE – Full Polish support for XMB/PS2 Emu (Provide full Polish character support)
  • FEATURE – Cinavia protection fully disabled (Supports optical media/bd iso, AACS must be decrypted)
  • FEATURE – Homebrew store compatibility (Downloading debug signed packages is now available on retail CFW.)
  • FEATURE – PSN/SEN Accessibility (PSN /SEN Accessible , until the next OFW update)
  • FEATURE – XMBM+ Compatibility (XMB Manager Plus developed by Team XMBM now supported via standalone pkgs.)
  • FEATURE – HAN Toolbox Compatibility (HAN Toolbox Support added for testing HAN Signed pkgs on CFW)
  • FEATURE – Enhanced Remote Play (This unlocks the limitation of working apps/games for remote play, by disabling SFO flag check)
  • FEATURE – In Game Screenshot (Allows taking screenshots in game)
  • FEATURE – QA Token compatibility
  • FEATURE – OtherOS++ support enabled (Use Rebug Toolbox to Boot OtherOS with different LV1 patches)
  • FEATURE – Package Manager (Replacement for the standard ‘Install Package Files’ option)
  • FEATURE – FSELF compatibility (Fake Signed ELF is supported)
  • FEATURE (Optional) Toolbox 02.03.00
    • TOGGLE XMB CFW SETTINGS Enable or Disable mysis’s XMB CFW settings plugin v0.1. The feature is available via Network Column on XMB after Enabled.
    • TOGGLE COBRA MODE: COBRA mode ACTIVE by default, this option can toggle COBRA mode to enable COBRA 8.00 payload on boot
    • TOGGLE QA: Enable/Disable QA flag. Enable for easy downgrade and other extra features on all 3.55-4.84 CFW.
    • TOGGLE RECOVERY MODE: Enable/Disable Recover Mode flag. When enabled your PS3 will reboot into Recovery Mode.
    • LOAD LV2 KERNEL: Load lv2_kernel.self.[KERNEL_NAME] from USB or /dev_hdd0
    • BACKUP/RESTORE XREGISTRY: Backup or Restore the PS3 system settings from USB
    • RESIZE VFLASH/NAND REGIONS: Resize VFLASH/NAND Region 5 to allow install of OtherOS.
    • INSTALL PETITBOOT: Install Petitboot to VFLASH/NAND Region 5 from USB.
    • SET GAMEOS BOOT FLAG: Sets the GameOS boot flag. Use this if your PS3 is having trouble booting PS2 titles after running OtherOS or is accidentally sending you back to OtherOS when trying to enter recovery mode.
    • CREATE PACKAGES FOLDER ON PS3: Create /dev_hdd0/packages folder or your PS3 to be used with Package Manager.
    • EXPORT HYPERVISOR LV1 MEMORY: Save LV1 memory to dev_usb000 or dev_usb006 or dev_hdd0 if usb is not found.
    • EXPORT GAMEOS LV2 MEMORY: Save LV2 memory to dev_usb000 or dev_usb006 or dev_hdd0 if usb is not found.
    • EXPORT FLASH TO FILE: Backup your current NOR/NAND to file on dev_usb000. Takes about 45secs for NAND
    • DUMP EID ROOT KEY: Dump your eid root key.
  • FEATURE – XMB CFW settings v0.1a (Optional)
    • XMB Icons for various CFW tasks, available in Network Column (on XMB) Simply select and the task is executed!
    • Settings – Toggle COBRA
    • Dump Tools – Klicense, File Secure ID, IDPS, Disc Hash key
    • Service Tools – Display Minimum Downgrade FW Version, Rebuild Database, Check File System, Entering Recovery Mode (NOR Models Only)
    • Advanced Service Tools – Entering FSM (!!!DO NOT install FW while on FSM, that may lead to RSOD!!!), Remarry BD drive and RSOD fix
  • PATCHED – Appldr: LV2 memory hash check is disabled (Memory protection on LV2 is disabled in higher level)
  • PATCHED – LV1: Disable System Integrity Check (Safe to use with mismatched COREOS/SYSCON versions or if PS3 is not QA enabled)
  • PATCHED – LV1: Undocumented function 114 (Allow mapping of protected memory)
  • PATCHED – LV1: Skip all ACL Checks (Needed to allow booting of OtherOS)
  • PATCHED – LV1: Peek and Poke support (Unused LV1 call 182 and 183)
  • PATCHED – LV2: Peek and Poke support (LV2 Syscall 6 and 7)
  • PATCHED – LV2: Peek and Poke support for LV1 (LV2 Syscall 8 and 9)
  • PATCHED – LV2: LV1 CALL System call (LV2 Syscall 10)
  • PATCHED – LV2: Allow execution of any LV2 internal function (LV2 Syscall 15)
  • PATCHED – Recovery: Prevent accidental OFW update while on Recovery mode
  • PATCHED – VSH: Allow Unsigned act.dat and *.rif files
  • PATCHED – VSH: Disable NEW PSP DRM Check (Allowing unsigned PSP pkg contents on 4.75 or higher CFW)
  • PATCHED – VSH: Disable Epilepsy Warning for Faster Boot-Up Speed
Also from Habib comes an example payload, as follows:

With the toolchain already provided, you can access lv1 calls in the payload, hook on the kernel functions, make conditions and the like. Think of PS Vita skprx TAIHOOK; this is what it does. Use internal functions to control the kernel. Run arbitrary code in kernel.

I made it easy: you can code in C, I built the asm part already, so it's very easy for any of you to code. You can also release the hooks and run another payload, for example to change kernel conditions. Check test_payload in the src, that's the dev environment. Any questions, feel free to ask.

Oh, and they can be recalled with syscall 15 WITH ACTUAL ARGUMENTS!
Code:
0x80000000007f0000
This address is where the payload will reside. So yes, you can indeed recall with arguments as well.

Example payload: payload.bin

It will write usb000/test_payload_in with 4 bytes. Nothing special, but it shows the potential: internal libraries used with C.

Another update to 4.84.2 with COBRA 8.01 from Habib below:
  • Small version increment, massive overhaul
  • Added support for dynamic memory payloads; 5 of them can be started from "/dev_hdd0/boot_plugins_kernel.txt"
  • Toolchain updated to support dynamic address loading.
For applications, you can also mount 'em and unmount 'em separately.
This PoC will read payload.bin from usb000, execute it, write the memory residence location in the file hdd0/residence and then unload the plugin.

Alternatively, you can copy payload.bin and boot_plugins_kernel.txt to hdd0, restart and voila!

This is true dynamic loading, just like PRX! The src of payload.bin is included with the CFW download.

Of course safety features are included: plugins won't load till VSH appears, and you can go to recovery mode and rebuild the database to remove the boot_plugins_kernel.txt.

In a program, with the residence memory location acquired, one can send arguments to the payload using syscall 15.

4.84.2:
Code:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <ppu-lv2.h>   /* PSL1GHT: lv2syscall2/lv2syscall4 and return_to_user_prog */
#include <sys/file.h>  /* PSL1GHT: sysFSStat, sysLv2FsStat, sysFsOpen/Read/Close, SYS_O_RDONLY */

/* Cobra 8.01 syscall 8 opcodes for dynamic kernel payloads */
#define SYSCALL8_OPCODE_RUN_PAYLOAD_DYNAMIC    0x6CE1
#define SYSCALL8_OPCODE_UNLOAD_PAYLOAD_DYNAMIC 0x6CE3

/* Copy `size` bytes of payload into kernel memory and start it; the kernel
   address it was placed at is written back to *residence. */
int plugin_kernel_dynamic(uint8_t *payload, int size, uint64_t *residence)
{
    lv2syscall4(8, SYSCALL8_OPCODE_RUN_PAYLOAD_DYNAMIC,
                (uint64_t)payload, (uint64_t)size, (uint64_t)residence);
    return_to_user_prog(uint32_t);
}

/* Unload a payload previously started at `residence`. */
int plugin_kernel_dynamic_unload(uint64_t residence)
{
    lv2syscall2(8, SYSCALL8_OPCODE_UNLOAD_PAYLOAD_DYNAMIC, residence);
    return_to_user_prog(uint32_t);
}

int main(void)
{
    sysFSStat stat;
    int fd;
    uint64_t nread = 0;

    /* Read payload.bin from the USB stick into a userland buffer */
    if (sysLv2FsStat("/dev_usb000/payload.bin", &stat) != 0)
        return 1;                       /* payload not present on usb000 */
    uint64_t size = stat.st_size;
    uint8_t *buf = (uint8_t *)malloc(size);
    if (buf == NULL)
        return 1;
    if (sysFsOpen("/dev_usb000/payload.bin", SYS_O_RDONLY, &fd, NULL, 0) != 0)
        return 1;
    sysFsRead(fd, buf, size, &nread);
    sysFsClose(fd);
    if (nread != size)
        return 1;                       /* short read: do not run a truncated payload */

    /* Load and execute the payload in kernel memory */
    uint64_t residence = 0;
    plugin_kernel_dynamic(buf, (int)size, &residence);

    /* Record where the payload resides so another program can reach it via syscall 15 */
    FILE *fp = fopen("/dev_hdd0/residence", "wb");
    if (fp != NULL) {
        fwrite(&residence, sizeof(residence), 1, fp);
        fclose(fp);
    }

    /* This PoC only demonstrates the round trip, so unload the plugin again */
    plugin_kernel_dynamic_unload(residence);
    free(buf);
    return 0;
}
4.84.3:
What's New in 4.84.3?

1. Hardcoded kernel plugin
2. The whole 8 MB kernel is RWX, including kernel alloc. You can use sc15 alloc, copy the payload and execute it like that as well, but it's better to use opcodes for kernel plugins.
3. Fixed a minor bug in non-Cobra sc15

What does it do?
  • It loads plugins from /dev_hdd0/boot_plugins_nocobra.txt and boot_plugins_kernel_nocobra.txt
  • It fixes the issue where nocobra and HDD format will make PS2 not work on BC/semi-BC
What can plugins do?
  • Load mamba and isolate Cobra functions, modify it, e.g. PS3MAPI without Cobra. I hate Cobra being bloated with homebrew blockers etc.
For devs:
  • For the mamba payload hdd0 is already mounted; prefer to load your code in main() instead of using the cellfsutil hook... regardless, mamba works 90%
  • Also don't forget to remove the dev_hdd0/tmp/loadoptical flag for BC and semi-BC PS3
NOTE: Cobra plugins will NOT work

Update: Also below is PS3 HFW (Hybrid Firmware) 4.84.1 - PS3Xploit HAN & Flash Tools Restored for 4.84 OFW

Download: HFW_4.84.1_PS3UPDAT_03_20_2019.7z (196.1 MB) / HFW_4.84.2_PS3UPDAT_03_22_2019.7z (196.1 MB - Bugfix: Fixed the installation issue with regions that use the following languages: English (UK), Turkish (Turkey) and Portuguese (Brazil). Thanks to citra mulia for reporting the bug :))
  • HFW 4.84.1_PS3UPDAT.PUP MD5: edb4e74bc6f83b1d767f3db978e0dd86
  • HFW 4.84.2_PS3UPDAT.PUP MD5: 4247362b54fadd2e4d7c09007f720803
Below is a brief summary via Joonie: Today, we proudly present the very first modified OFW that can be installed on all PS3 models. (NOTE: THIS IS NOT A FULL BLOWN CFW, HOWEVER it allows you to run the patched webkit exploit that's ported to 4.84)

Yes, you didn't hear wrong, it can be installed over:
  • ALL OFW versions on ALL PS3 models
    • ex) OFW 4.83, 4.84 , CECH-3XXX, CECH-4XXX and etc..
We wanted this to be called "HHHFW" since it was Hybrid, Hack-able, HAN ready also inspired by habib but let's call it HFW since this is Hybrid FW (Well you can call this MFW).

The idea was reminded by some guy who didn't want to be annoying but actually ended up being helpful: Doge_Rules

Habib had this idea long time ago but the previous attempt was not successful due to lack of interest and preparation.

As you all know, I recently started messing with my PS3 again and this idea was brought back.

So then I went ahead and tried his magical idea.... after a few hours... Boom!!, now we have HFW that works on all PS3 models (including 3K and 4K) that allows the previously patched exploit by using the old webkit from 4.50 that's been used until 4.83. This method is more hacky than technical, so I would like to leave this method under the radar for now until it gets patched out (this can easily be patched).

What can you do with this HFW 4.84.1?

1. You can use PSN since the FW is the latest.
2. You can downgrade/Install CFW on your PS3 if your model is downgrade-able/hack-able (excluding CECH-3K and 4K) (The same capability as what you had for 4.82 OFW)
3. You can use HAN and all the tools that worked up to 4.82 with this FW. ps3_tools-v3.0-HAN484_HFW_release_PS3XPloit.zip: Here's the latest ps3xploit that works on this FW.
4. You can always go back to the real OFW 4.84 if you wish.

To all sceners and developers
Special thanks to habib, bguerville, esc0rtd3w, Doge_Rules, DeViL303, littlebalup


Download: han_supportfiles-484.zip (5.67 MB) / ps3_tools-v3.0-HAN484_HFW_release_PS3XPloit.zip (11.3 MB) / GIT / PS3Xploit Resigner (Latest Version) for HAN

Also from esc0rtd3w comes PS3Xploit 4.84 HFW Flash Writer + IDPS/Flash Dumpers v2.0.1 to install CFW from 4.84, with a summary below:

Download: NOR_NAND_writer_release_2.0.1_PS3Xploit.zip (5.50 MB - flash_484.hex MD5: AB2B3A2E23FA731301260F5702FC4101)

Flash Writer (v2.0.1):

NAND / NOR
Supported Firmware
  • Support 4.84 HFW Firmware ONLY - DO NOT USE ON ANY OTHER FIRMWARE VERSION OR ON CFW YOU WILL BRICK YOUR CONSOLE
Supported Models
  • Supports Phat Models Axx/Bxx/Cxx/Exx/Gxx/Hxx/Jxx/Kxx/Lxx/Mxx/Pxx/Qxx
  • Supports Slim Models Cech-20xx and 21xx
  • Supports some CECH 25xx models; to be sure, your console must have a minver of 3.56 (a factory installed firmware of 3.56 or lower). To know for sure, run minverchk.pup to avoid (semi) bricking this model.
!!! WARNINGS !!!
  • CAUTION: MISHANDLED FIRMWARE FLASHING CAN LEAD TO A BRICK - USE AT YOUR OWN RISK!!!
  • DO NOT USE THIS ON CECH-3xxx/4xxx OR YOU WILL BRICK YOUR CONSOLE!!!
  • DO NOT POWER OFF THE CONSOLE ONCE STARTED. IT MAY RESULT IN A BRICK!
  • MAKE SURE TO USE AN UNMODIFIED & MD5 CHECKED "flash_484.hex" FILE ON USB DEVICE!*
  • THE MD5 OF "flash_484.hex" MUST BE: AB2B3A2E23FA731301260F5702FC4101
  • SOME PS3's HAVE BOARDS SWAPPED (a.k.a. refurbished either by Sony or Sketchy local modders). Checking the minverchk.pup should be highest priority - via Joonie
  • "fish.hex" (v1), "flash_482.hex" and "flash_484.hex" are not interchangeable with 4.84 and vice versa; only use the flash_XXX.hex of that version or you will brick your console
Dumpers (v2.0.1):

IDPS Dumper / NAND Dumper / NOR Dumper
Supported Firmware
  • Supports OFW/CFW/HFW CEX Firmware versions 4.10 to 4.84
  • Supports OFW and CFW DEX Firmware version 4.81 /4.82 /4.84
  • Supports SuperSlim Models
Supported Models
  • Supports Phat Models Axx/Bxx/Cxx/Exx/Gxx/Hxx/Jxx/Kxx/Lxx/Mxx/Pxx/Qxx
  • Support Slim Models 2xxx/3xxx
PS3Xploit PayPal: https://www.paypal.me/ps3xploit
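The flash writer notes above make the MD5 of flash_484.hex a hard requirement before it goes anywhere near a USB stick, and the HFW PUPs earlier in this post carry MD5s too. This added example (not PS3Xploit's or the page's own code) checks a download folder against exactly the hashes stated on this page; the file names in the manifest are assumptions about how the archives unpack.

```python
import hashlib
import os

# Expected MD5s exactly as stated in the release notes on this page.
# File names are assumed (the HFW PUPs ship inside the .7z archives listed above).
EXPECTED_MD5 = {
    "flash_484.hex": "AB2B3A2E23FA731301260F5702FC4101",
    "HFW_4.84.1_PS3UPDAT.PUP": "edb4e74bc6f83b1d767f3db978e0dd86",
    "HFW_4.84.2_PS3UPDAT.PUP": "4247362b54fadd2e4d7c09007f720803",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a ~200 MB PUP is never held in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, expected_md5):
    """Return (status, actual_md5); status is 'ok', 'mismatch' or 'missing'."""
    if not os.path.isfile(path):
        return "missing", None
    actual = md5_of_file(path)
    # The page lists one hash in upper case and two in lower case, so compare case-insensitively.
    return ("ok" if actual.lower() == expected_md5.lower() else "mismatch"), actual


def verify_downloads(directory, expected=EXPECTED_MD5):
    """Check every file in the manifest under `directory`; only 'ok' entries are trustworthy."""
    return {name: verify_file(os.path.join(directory, name), md5)
            for name, md5 in expected.items()}


def safe_to_flash(results):
    """True only when flash_484.hex is present and matches; the PUP results are informational."""
    return results.get("flash_484.hex", ("missing", None))[0] == "ok"


if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    checked = verify_downloads(folder)
    for name, (status, actual) in checked.items():
        print(f"{name}: {status}" + (f" ({actual})" if actual else ""))
    sys.exit(0 if safe_to_flash(checked) else 1)
```

A non-zero exit means the hex file is missing or altered, which is the case the warnings list says will brick the console.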

Zerosense file manager demo for PS3 4.84 HFW. You can look at your file system and copy files to dev_usb000. It's really slow, like 0.25 MB/s max. I'll see if I can speed it up sometime.

Download: zerosense-master.zip (Exploit library for the PlayStation 3 Browser) / Live Demo / GIT / zerosense-ftpd-master.zip (FTP server in the PS3 browser, not ready for public use) / GIT


Comments

ya curious as to that comment also @MannyMania (Cobra 8 is PS2 ISO support now working from an external Prepntfs drive or still just the internal??) I think/believe it is still just internal but ya, not sure but if in fact it can play from external.....total game changer!!!

I've always been REBUG since conception... but like I said if Cobra v8 plays ps2 isos from external... that is a game changer. Have to wait to hear back if anyone had luck trying this :)
 