PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Nov 24, 2017 at 1:35 AM | 876
Status: Not open for further replies.
Following their PS3 IDPS Dumper v0.2.3 for 4.82 OFW update, the PS3Xploit Team of @bguerville, @esc0rtd3w, @smhabib and W released both a PlayStation 3 NOR / NAND Software Flash Writer and a NOR Dumper to downgrade consoles without the need of a hardware flasher, finally allowing those on Official Firmware (OFW) 4.82 to install Custom Firmware (CFW). :love:

Download: NOR_dumper_release_1.0_PS3Xploit.zip (106 KB) / NOR_NAND_writer_release_1.0_PS3Xploit.zip (3 MB)

To quote from STLcardsWS on the releases: Since this exploit is executed from 4.82 OFW, you can only install to a 4.82 CFW, HOWEVER if you wish to use an earlier firmware such as REBUG 4.81 for example, once on 4.82 CFW you must TOGGLE QA using a toggle tool, which allows CFW users to freely switch CFW versions from past and present.

Read more about this in the Frequently Asked Question (FAQ) and more info in the details provided:

Flash Writer Compatible with these PS3 Models:
  • Supports FAT Models Axx/Bxx/Cxx/Exx/Gxx/Hxx/Jxx/Kxx/Lxx/Mxx/Pxx/Qxx
  • Supports SLIM Models 2xxx (minver 3.56 or lower ONLY, check with minverchk.pup)

PS3 OFW 4.82 NAND/NOR FLASH WRITER v1.0

:alert: Important -- AVOIDING A BRICK
  • Verify flsh.hex file on a flash drive and in the far right USB slot!
    • 4.82 flsh.hex MD5: 8E156C99101BF36EC3EDB832982AE46D
  • DO NOT USE ON CFW (Custom Firmware) (Only Supports OFW)
  • DO NOT USE ON PS3 Models 3xxx/4xxx (aka SuperSlims / Late Slim models), you will brick those consoles.
:stop: As noted by esc0rtd3w: YOU NEED TO BE ON OFW 4.82 TO USE WRITER....PERIOD! DO NOT DO THIS!!!!!!!!!!!!!
  • DO NOT RENAME THE flsh.hex FILE!!!!
  • VERIFY THE MD5 WHILE THE FILE IS ON THE USB STICK BEFORE PROCEEDING!!!
  • VERIFY THE USB STICK SHOWS UP UNDER XMB
PLEASE READ FIRST:
  • It's essential not to flood the browser memory with junk before running the exploit. The reason for this is that, due to JavaScript core memory usage limitations, we are scanning a small range of browser memory (a few MB) several times to find some essential data in RAM; if the memory is flooded then the range to scan becomes much larger and the probability that our data is found in the smaller range decreases dramatically.
  • So in short, never use the browser or set a homepage you cancel before running the exploit!
  • If you need to, set the homepage to 'blank', close the browser then reopen it to start the flash writer.

v1.0.0 - Initial Release
  • Supports Direct OFW to CFW patching for All Phat and 2xxx Slim (minver 3.56 Dec 2010 and lower)
  • The NOR/NAND writer will just copy 3 MB of CoreOS data to both ros0 & ros1 in the flash memory.
  • There is only one version released for 4.82. The same hex patch file can be used on NOR & NAND.
  • It's as safe as possible, with a check for the USB device & patch file making the exploit hang instead of corrupting flash if the file is not found.
  • In case of corruption (extremely rare but could always happen), it's only a partial brick because no per-console info ever gets erased, so a hardware flasher could still be used if ever a recovery reboot was impossible.
Usage Tips:

1) Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
2) If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
3) If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.

Steps:

1. Set up a small web server on a PC or smartphone. A custom miniweb application has been created by Aldo, and supplied to host files if you would like to use it. Don't come to us for explanations about how to run an HTTP server though. Google it.

2. Extract the files from release to your http server root folder.

3. Copy the "flsh.hex" file from release folder to root of flash drive.

4. Put a FAT32 USB key in port closest to BD Drive (/dev_usb000).

5. DOUBLE-CHECK your flash drive on XMB to make sure it shows up under Music, Photos, Videos, etc.

6. Open the PS3 browser File Address window, write the IP address of your server (and the port if not 80) & press the Start button.

7. Select the appropriate button for your console and wait for PS3 to power down. DO NOT STOP THE PROCESS ONCE STARTED!!

8. Once PS3 has powered down, reboot console and install CFW matching OFW version. If installing through XMB does not work, boot to recovery and install.

:arrow: PS3 4.81/4.82 NAND/NOR Flash Dumper v1.0

THE CORRECT FIRMWARE VERSION BETWEEN 4.81 and 4.82 IS AUTOMATICALLY SELECTED!

PLEASE READ FIRST:
  • It's essential not to flood the browser memory with junk before running the exploit. The reason for this is that, due to JavaScript core memory usage limitations, we are scanning a small range of browser memory (a few MB) several times to find some essential data in RAM; if the memory is flooded then the range to scan becomes much larger and the probability that our data is found in the smaller range decreases dramatically.
  • So in short, never use the browser or set a homepage you cancel before running the exploit! If you need to, set the homepage to 'blank', close the browser then reopen it to start the flash writer.

v1.0.0 - Initial Release
  • Supports Dumping NOR on both 4.81 & 4.82.
  • bguerville tried to produce a release that was easy to port & he succeeded. Anyone able to search for offsets in IDA can add support for any firmware version in the dumper in a matter of minutes.
  • For technical reasons, the Full NAND dumper release is postponed. We will now be focusing on self execution & if we succeed there will be no need for the extra ROP work to do the NAND dumper. If we fail, I will finish it in ROP.
  • The dumper will be released in a form extremely easy to port so others can tweak it to their heart's content without having to face complicated searches in the big unicode strings.
  • A lot of time has been invested into making the JavaScript + UI more efficient, as well as the trigger phase faster & more stable. I hope you enjoy the result.
Usage Tips:

1) Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
2) If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
3) If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.

Steps:

1. Set up a small web server on a PC or smartphone. A custom miniweb application has been created by Aldo, and supplied to host files if you would like to use it. Don't come to us for explanations about how to run an HTTP server though. Google it.

2. Extract the files from release to your http server root folder.

3. Put a FAT32 USB key in port closest to BD Drive (/dev_usb000).

4. DOUBLE-CHECK your flash drive on XMB to make sure it shows up under Music, Photos, Videos, etc.

5. Open the PS3 browser File Address window, write the IP address of your server (and the port if not 80) & press the Start button.

6. The dumper will detect the firmware version of your console automatically & set up the code appropriately, so there is only one version for both 4.81 & 4.82. Let it run until the PS3 beeps & shuts down. The flash dump should be a 16 MB file on your USB drive named dump.hex.

:arrow: Frequently Asked Questions & Additional Notes

Will this jailbreak my SuperSlim?
  • NO. (PS3Xploit has a strong possibility of eventually evolving into a HEN-style exploit; that aspect will take some additional development and time, and at this time the PS3Xploit exploit has not evolved enough.)
Can I install a CFW before 4.82, such as Rebug 4.81 or an earlier CFW?
  • Yes, however you must Toggle QA Flag. Once the Token is activated you have the ability to then freely jump CFW versions. (see below for details)
How do I Toggle QA Flag?
How do I know for sure if my PS3 Model is compatible ?
  • You must have a PS3 console that has a factory firmware of 3.56 or below.
  • To check, it's easy with this simple tool for OFW: download minverchk.rar
  • Then place the .pup file on a FAT32 USB flash drive in a PS3/UPDATE folder (create the path if needed)
  • Now on the PS3 XMB go to Settings > System Update > Update via Media Storage
  • Once shown on the list, select the PUP and install; shortly after there will be a message showing the factory firmware the console was shipped with.
  • For this we want 3.56 and below.
  • ANYTHING HIGHER THAN 3.56 IS NOT ABLE TO INSTALL A CFW. Sorry, this will not work for your console, but there could be a HEN (Homebrew Enabler) possible for running homebrew; additional research and time is needed to achieve that, and additional details can be read here.
From Red to quote: In case anyone is too lazy to host the files themselves I threw the files on my webserver if you would prefer to use it :) http://redthetrainer.com/ps3/

Like Darthsternie, @EdiTzZ of PS3.EdiTzZ.net via Twitter (video) also made an unofficial mirror that has been confirmed working in around 2 minutes.

There's also a PS3 4.82 Exploit Tutorial and brief Tutorial by LightningMods with a video below, a PS3 CFW on Latest OFW 4.82 Guide by Zer0xFF available, and ask any questions in the comments below if you get stuck and need additional help. (y)

Hey, if you want to update straight to Rebug 4.81 REX you can use this PUP; the syscon version is modified to 4.82 so you can update right away from 4.82 OFW. That way it is not needed to install 4.82 CFW, downgrade, and then install Rebug.

Download: Rebug 4.81.2 REX 4.82Syscon Thibobo.PUP (202.5 MB)

PUP MD5: BEABB70067E56DAFCFAE466E1218C1C2
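The release notes above insist on verifying the flsh.hex MD5 while the file is on the USB stick, under its exact name, and the Rebug PUP above ships with an MD5 for the same reason: a wrong or renamed file is the difference between a hanging exploit and a corrupted flash. As an added example (not part of the PS3Xploit release or of this thread), the Python below performs that check on a PC before the stick goes into the console. The two digests are the ones published on this page; the USB mount path is an argument you supply; the look-alike scan for misnamed copies (FLSH.HEX, flsh.hex.txt and so on) is this example's own addition, and the demo file it writes is constructed, not a real flsh.hex.

```python
import hashlib
import os
import tempfile

# Digests as published on this page (release notes and the Rebug PUP post).
EXPECTED_FLSH_HEX_MD5 = "8E156C99101BF36EC3EDB832982AE46D"
EXPECTED_REBUG_PUP_MD5 = "BEABB70067E56DAFCFAE466E1218C1C2"

# Exact name the writer expects at the root of /dev_usb000; the notes say never rename it.
FLASH_PATCH_NAME = "flsh.hex"


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, read in 1 MB chunks so a 200 MB PUP need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(actual: str, expected: str) -> bool:
    """Compare two hex digests ignoring case and surrounding whitespace."""
    return actual.strip().lower() == expected.strip().lower()


def verify_file(path: str, expected_md5: str) -> dict:
    """Check one file (flsh.hex, a PUP, ...) against its published MD5.

    Returns a report instead of raising so a caller can show every problem
    before deciding whether to proceed.
    """
    report = {"path": path, "present": os.path.isfile(path), "md5": None, "ok": False}
    if report["present"]:
        report["md5"] = md5_file(path)
        report["ok"] = digests_match(report["md5"], expected_md5)
    return report


def verify_flash_patch(usb_root: str, expected_md5: str = EXPECTED_FLSH_HEX_MD5) -> dict:
    """Check that flsh.hex sits at the USB root under its exact name and matches its MD5.

    Also lists misnamed look-alikes (this example's own check, not something the
    writer does) so a renamed copy is caught instead of being silently ignored.
    """
    report = verify_file(os.path.join(usb_root, FLASH_PATCH_NAME), expected_md5)
    lookalikes = []
    if os.path.isdir(usb_root):
        for name in os.listdir(usb_root):
            if name != FLASH_PATCH_NAME and name.lower().startswith("flsh"):
                lookalikes.append(name)
    report["misnamed_copies"] = sorted(lookalikes)
    return report


def demo_with_constructed_file(content: bytes = b"abc",
                               expected_md5: str = md5_hex(b"abc")) -> dict:
    """Stand-alone demonstration on a constructed file (NOT a real flsh.hex)."""
    with tempfile.TemporaryDirectory() as usb_root:
        with open(os.path.join(usb_root, FLASH_PATCH_NAME), "wb") as f:
            f.write(content)
        # A renamed copy, as a user might accidentally produce on the stick.
        with open(os.path.join(usb_root, "flsh.hex.txt"), "wb") as f:
            f.write(content)
        return verify_flash_patch(usb_root, expected_md5)


if __name__ == "__main__":
    import sys
    # Usage: python check_flsh.py /media/usbstick   (path is an assumption; adjust to your mount)
    usb_root = sys.argv[1] if len(sys.argv) > 1 else None
    report = verify_flash_patch(usb_root) if usb_root else demo_with_constructed_file()
    print(report)
    print("OK to proceed" if report["ok"] and not report["misnamed_copies"]
          else "STOP: do not run the writer")
```

Run it against the mounted stick right before step 4 of the writer procedure; the same verify_file call with EXPECTED_REBUG_PUP_MD5 covers the downloaded PUP. A report with present=False, ok=False, or any entry in misnamed_copies means the stick is not ready.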

:alert: Similar to HENkaku and other Web-based exploits BEWARE OF FAKE EXPLOIT PAGES... legitimate PS3Xploit pages can be found on reputable scene sites, so avoid any found in unconfirmed places such as random blogs or YouTube videos! :alert:

:arrow: Update #1: These dumper ports are read-only and useful only to those who want a NOR flash dump of their current PS3 firmware prior to updating (everyone else can ignore them). From esc0rtd3w come some PS3Xploit NOR Dumper ports for lower PS3 firmware, to quote:
Sample From 4.81 CEX (For Advanced Users Only)

For anyone that wants to make their own ports, you can refer to this for an example of what to look for in IDA or other debugging tools.
Code:
TOC: 0x6F5520 <-- set in r2

gadget1: seg001:000D9684 sc <-- lands here to make syscall
gadget1: seg001:000D9688 ld r0, 0x80+arg_10(r1) <-- search for this in IDA (easier to find)
gadget2: seg001:00097604 mr r1, r11 <-- initial stack control
gadget3: seg001:0060E59C lwz r11, 0xC0+var_4C(r1) <-- set params
gadget4: seg001:0019D3B0 ld r3, 0xA0+var_20(r1) <-- set params
gadget5: seg001:0042C774 lwz r3, 0(r31) <-- syscall made after here
gadget6: seg001:00423B14 bl _Export_stdc_fopen <-- usb dump actions
gadget7: seg001:00627BF8 addi r9, r1, 0xB0+var_40 <-- set params
gadget8: seg001:000C5234 li r4, 0xA <-- init shutdown request
PS3 Debugging/ROP Porting PS3Xploit NOR Dumper Chain To Lower Firmware
From the video's caption, to quote: This will show you an example of porting the 4.81/4.82 NOR Dumper chain to 4.30 OFW. I am using 2 monitors so I apologize if it's hard to see. The monitor on the right is 4.81 CEX and the left monitor is 4.30 CEX vsh.elf.

:arrow: Update #2: Esc0rtd3w has now made available both a ps3-4xx-elf.rar (57.61 MB) and a ps3-3xx-elf.rar (25.3 MB) collection for those seeking to save some steps while noting the 3.xx is 3.55 and higher and does not include 3.50 or below.

Also from YouTube come his latest videos, with the captions below as follows:
Cheers to @B7U3 C50SS, @hyndrid and @Trojaner in the PSXHAX Shoutbox for the heads-up on this PlayStation 3 scene news! :beer:
[Image: PS3Xploit 4.82 CFW on OFW, NOR NAND Flash Writer & NOR Dumper.jpg]

Comments

esc0rtd3w said:
although possibly symlinking the file in flash to another file in a different directory may be possible
Yeah, you uploaded very interesting files! I wish everyone would wait patiently for the CEX result. Especially the symlinks. If I knew how to create symlinks, I would make them like
Code:
/dev_usb000/ps3stuff/exdata -> /dev_hdd0/home/000000XX/exdata
/dev_usb000/ps3stuff/game -> /dev_hdd0/game
- that will solve everything. I probably could install any game for my friend's PS3. Any. But what is the purpose of symlinks used by you?

And about ps2emu. @esc0rtd3w, can you spare some time for an experiment? Can you replace (not as a symlink but as a real .self file) /dev_flash/ps1emu/ps1_netemu.self with a copy of /dev_flash/ps2emu/ps2_netemu.self renamed to the same name?

Then, choose the smallest size PS2 game you know - I will prepare it as a PSOne Classics game which is working on OFW and upload for you for testing.

I could do this by myself, but I had the idea of that experiment after my PS3 with CFW overheated (I can't explain the terms in English; the result is I opened it and scratched the CELL process lines).

And you did not answer me - except for the CFW install - can I at least make a dump and restore my SuperSlim's flash dump?
 
Checking those files I realized that you are about to finish it for OFW, so I hope people stop asking because he is more than half way there.
 
But what is the purpose of symlinks used by you?
purely experimental for getting as many syscall templates working as possible!

And you did not answer me - except as for CFW install - can I at least make dump and restore my SuperSlim's flash dump ??
yes you can dump compatible model SuperSlims Flash....in the current state of the chain for writer, you CANNOT write back a full flash! this can of course be edited to do so....however, if you make a mistake, the ONLY way to restore is hardware flasher!!
 
afaik the PS3 superslim can already run PS1 backups?? yes ?? with swap trick
Do I understand correctly? You can run the PS2/PS1/PSP emulator in SELF format without using the required keys on non-hacked consoles, but you cannot fully implement it because of limited knowledge in this area, is that so?

Won't you drop this branch, on starting SELFs without the need for signature keys? Entrust it to someone else? Have you put this project branch into development?
 
I think you can't. The PS1 games work only because the PS3 reads the part of the disc where it stores the region information to confirm that it's a retail disc. PS1 discs were pressed in a factory and this information is stored in a part of the disc that normal CD burners cannot access.

After the PS3 gets the region info you can swap the disc since it has the region info already in its RAM and the system would load the game files afterwards. (I'm sorry if the last part isn't completely correct; I don't know exactly how the PS3's emulation works so I'm just speculating from the things I know.)
 
Isn't it a little bit off topic with the PS1 and PS2 games?

Because on every alert I am happy to read more about the HDD Writer or maybe the HEN, and then there is the 1000th post (it feels like) asking if it is possible to play PS1 and/or PS2 games on OFW.
 
yes you can dump compatible model SuperSlims Flash....in the current state of the chain for writer, you CANNOT write back a full flash!
Got it, thanks for the explanation. I am too scared to write the dump back anyway))

I am sorry for the emulator discussion I triggered in this dumper thread. Let me describe the situation with them on OFW and I will stop at that.

Nowadays, every PS3 firmware has the official PS1, PS2 and PSP emulators injected. Sony made things like this: you buy the games in the PS Store, download and automatically install them. But we know the tricks to get these things for free.

PS1. Since some firmware version, you can play disc backups of the same region as the console you are launching them on. That means that, knowing your console region (PAL/NTSC), you can download the PAL/NTSC image of the PS1 game, burn it to a CD-R, insert it into the PS3 and play. I did not try that - only saw the information.

On the earlier < 4.8X firmwares we were (>>you were<<, me - on 4.50 :p) able to custom-make a PSOne Classics game from the PS1 disc bin/cue image. But currently, the custom-created .edats - in this case, ISO.BIN.EDAT - are not restored from system backups because that was fixed in some way. But it is going to change after the HDD Writer release for CEX.

PS2. Currently, it is not possible to launch some way customly prepared PS2 games. Only PS3 backward compatibility consoles are able to launch PS2 license discs of the console region they are launching on.

Except for the experiment with the ps1emu replacement I described above, I had another idea a long time ago. We have the links for the PKGs containing official PS2 Classics games, and the links to the .rap files to "cure" them from the purchase. If someone has: act.dat which was officially obtained from the PSN;

ConsoleID aka IDPS of the console - then it might be possible to make the .rif file of that PS2 Classics game using the rap2rif program (included in aldo's ps3tools). Placing it in the exdata folder should fix that game.

Even soldered ODE board owners have no ability to launch PS2 games on PS3. However, "CFW with Cobra abilities" has the PS2 emulator injected, which launches ANY PS2 ISO! Probably this emulator could be ported for ODE owners... by some clever guy who is interested.

...about PSP in next post...
 