Following the PS3 WebKitSploit and PS3 Playground WIP, PlayStation 3 Browser Research and PS3 Webkit PoC today developers @bguerville, @esc0rtd3w and W shared a progress update on their 4.81 OFW Exploit known as PS3Xploit with a target date slated for Q1 2018, a PS3 software downgrader in development and a 4.81 IDPS Dumper that supports all PS3 consoles expected to arrive shortly. 
Download: ps3_481_idps_dumper-PS3XPloit.zip (48 KB) / ps3_idps_dumper-v0.2.1-PS3XPloit.zip (51 KB - with Python and Capstone) / ps3_idps_dumper-v0.2.1a-PS3XPloit.zip (51 KB - with Python and Capstone) / ps3_idps_dumper-v0.2.3-PS3XPloit.zip (17 KB) / ps3_idps_dumper-v0.2.3-PS3XPloit_-_4.82.zip (17 KB) / ps3_idps_dumper-v0.2.3-PS3XPloit.zip (Updated) (17 KB) / ps3_idps_dumper-v0.2.3-PS3XPloit_-_4.82.zip (Updated) (17 KB - with Python and Capstone) / Official PS3Xploit Domains
Since the PS3 OFW PSID Dump Tool Guide and PS3 IDPS Bruteforcer, the upcoming PlayStation 3 software flasher may soon make PS3 downgrading via hardware flashers such as E3, Progskeet and the recent NORwegian Teensy Clip Edition things of the past.
As always, be sure NOT to update your PS3 Firmware should any updates beyond 4.81 OFW get released by Sony following the recent PS3Xploit Team progress!
We'll update this article as things are publicly released, and here are some additional details on their PS3 projects from bguerville via PSX-Place, to quote:
Background
I started investigating the ps3 webkit about 6/7 months, but at the time, it was only to gather information, I had no idea I would eventually be the one working on it!
End of August, I gave the information I had to @esc0rtd3w & expected he would work on it alone. However, he knew nothing about webkit exploitation & he started to collaborate with W. By hijacking webkit, we inherit its privileges which means we are root & we get access to lv2 syscalls.
However the PS3 OS is protected by NX (No eXecute is the BSD/Linux equivalent of DEP on Windows), no address randomisation though. Executing our own payload is made impossible by NX but we can still execute code despite NX using ROP (Return Oriented Programming).
The principle is simple, select snippets from the system code (snippets like these are called gadgets) & assemble them so execution jumps from one gadget to the next until the task we planned is done. It requires providing values/parameters & offsetting to each gadget instruction as well...
First week of September, I joined their effort & 2 weeks later we had ROP execution. From that moment, I have been doing all the ROP development work alone while the other 2 helped with testing & researching (and debugging for esc0rtd3w).
Right now I have 2 ROP chains ready, one for IDPS dumping & the other for flash memory dumping.
FYI, the IDPS dumper should work on any NOR/NAND model of PS3. Same goes for the flash memory dumper. It was tested ok on Superslim. Once the ROP work above is finished, there is much more to be done & hopefully more releases to come... Stay tuned.
The Current Status
For now the main project we are working on will not jailbreak all consoles. It will enable flash dumps from all consoles but flash write only to all consoles up to 25xx so consoles that are are not cfw compatible will not really benefit just yet, except for dumping flash & IDPS but not for JB.
For those with CFW compatible consoles on OFW, once flash is overwritten with a db OFW copy, a user can reboot then install the CFW of their choice. Hardware flashers being then obsolete.. You could also overwrite the flash memory in more recent consoles but that would result in a brick due to metldr2.
It's only after that flash management project is done, in hopefully March that we will begin working on exploiting lv2. If we get the results we wish, we should be able to make a TaiHEN type of hack for all consoles including Superslims.
Once lv2 is exploited, I am not sure yet how far I will take it, whether I will also try to take on lv1.. Or leave it for someone else to build on by releasing a fully commented & dev friendly version... We will see how things go...
However, even without lv1, direct access to lv2 functions using the right parameters would allow us to run homebrews (except those needing lv1 peek/poke) & backups without problems along with many other things.
The IDPS dumper will create a file on usb000 then beep 3 times & shutdown in all cases, even if flash memory read fails. emmc should not make a difference to this. You will get garbage in idps.bin in that case.
Js errors with a black page message on ps3 should not happen. If ever it did, just report & in the meantime keep relaunching the exploit. Nobody has had this issue in dozens of tests though.
And clearing cache or cookies is totally unnecessary with the exploit & the wk js interpreter. Between runs garbage collection will take care of cleaning up what is needed, the job it does is always sufficient.
Update #1: From esc0rtd3w on the PS3 4.81 IDPS Dumper v0.2 (linked above), to quote: Ok... the moment all of you have been waiting for..... i assume
File: ps3_481_idps_dumper-PS3XPloit.zip
MD5 Hash: FFDA70AB2D1677886083F99185C54FE3
SHA-256 Hash: 852BDB301753C4F4A7E946188E850D3D325EEAA259B61AE2B5AE31320B2F292B
Enjoy this release from our team
We will be working hard to add EMMC support as soon as possible!!
The documentation will be updated as time goes on. There is a readme.txt file included with basic setup and usage instructions. Please stay tuned for future tools and releases
And once again, THANK YOU to everyone involved bringing this all together, without all of you, none of this would have happened!!!
Update #2: From esc0rtd3w on the PS3 4.81 IDPS Dumper v0.2.1 (linked above), to quote:
We have some more exciting news to bring you!!
We have been working very hard to bring eMMC support for the newest SuperSlims CECH-40xxA, CECH-42xxA , CECH-43xxA and that has happened.
The team would like to present a nice little update to the 4.81 IDPS Dumper now supporting eMMC hardware revision consoles!!
We also updated the instructions in the Readme.txt. Please read it... People who have issues triggering the exploit (>5mn) might have a low wifi connection that would explain the problem, in this case use ethernet or improve your WiFi.
Please report any issues you have while using this new version on any of the flash types, NAND, NOR, and eMMC. Here is an EMMC testing and research thread. Thank You to all
File: ps3_idps_dumper-v0.2.1-PS3XPloit.zip
MD5 Hash: 71268E3829CB78D818E8E0DE890E4140
SHA-256 Hash: BCE1AB277804BE7540286D9106FE58AFA231696F4174053C611DB5A18048CB71
Update #3: From bguerville on the PS3 4.81 IDPS Dumper v0.2.1a (linked above), to quote:
I posted a 0.2.1a version to fix the include file error on index.html in OP.
File: ps3_idps_dumper-v0.2.1a-PS3XPloit.zip
MD5 Hash: 0fbb98452596c56c102e9b2d3b47c654
SHA-256 Hash: 58d049bf429d130556bf2687d445fdbe1c760981f42aa19f38da6e2a6ff70cb9
Update #4: From bguerville on the PS3 4.81 / 4.82 IDPS Dumper v0.2.3 (linked above), to quote:
Project has been updated to 0.2.3. Check the OP... A 4.82 version has been tested on NOR/NAND/eMMC, it will be posted soon.
I updated the OP with a 4.82 release... Enjoy...
File: ps3_idps_dumper-v0.2.3-PS3XPloit.zip
MD5 Hash: 97d8b44f25bbe65e801d00b6ec784ff4
SHA-256 Hash: e7dec93e584bec460fbb932333a2a14e34281bb1658ba291cd8f6dfebc1f9446
File: ps3_idps_dumper-v0-2-3-ps3xploit-4-82-zip
MD5 Hash: e381236f78a7ff9cc31f671d0d09be83
SHA-256 Hash: f96edcf36f94693e4957d9e844a24709edab247147dd468a915896434640ee68
File: ps3_idps_dumper-v0.2.3-PS3XPloit.zip (Updated)
MD5 Hash: 71dd906e585bf470f84f9d4fb10c1f37
SHA-256 Hash: d4bffe2b7d08c1dda275590229f86903f1db487e9a78364d6a025c3734cd8f68
File: ps3_idps_dumper-v0-2-3-ps3xploit-4-82-zip (Updated)
MD5 Hash: 3c2e1582f52e1002a12ad280f426d0c6
SHA-256 Hash: 1c49eabd64275171a60c90f0f06f503b7055f4ff863f87e7960d41464d127443
Changelog:
v0.2.3
PS3 xploid work version 4.81- 4.82 idps extract by sc0rtd3w idps dumper 0.2.3 release!!!
[PS3 Debugging/ROP] System Call Test #1: sys_ss_get_open_psid
From the video caption, to quote: This is the first video in a series of videos I will be uploading demonstrating exploiting the PS3 using the debugger and ROP techniques. Don't get too excited, nothing will be shown here that hinders current private development progress, but this will give other users not familiar with these techniques a chance to play around a bit
Thanks to @B7U3 C50SS in the PSXHAX Shoutbox for the heads-up on this exciting PlayStation 3 scene news!
Download: ps3_481_idps_dumper-PS3XPloit.zip (48 KB) / ps3_idps_dumper-v0.2.1-PS3XPloit.zip (51 KB - with Python and Capstone) / ps3_idps_dumper-v0.2.1a-PS3XPloit.zip (51 KB - with Python and Capstone) / ps3_idps_dumper-v0.2.3-PS3XPloit.zip (17 KB) / ps3_idps_dumper-v0.2.3-PS3XPloit_-_4.82.zip (17 KB) / ps3_idps_dumper-v0.2.3-PS3XPloit.zip (Updated) (17 KB) / ps3_idps_dumper-v0.2.3-PS3XPloit_-_4.82.zip (Updated) (17 KB - with Python and Capstone) / Official PS3Xploit Domains
Since the PS3 OFW PSID Dump Tool Guide and PS3 IDPS Bruteforcer, the upcoming PlayStation 3 software flasher may soon make PS3 downgrading via hardware flashers such as E3, Progskeet and the recent NORwegian Teensy Clip Edition things of the past.
As always, be sure NOT to update your PS3 Firmware should any updates beyond 4.81 OFW get released by Sony following the recent PS3Xploit Team progress! We'll update this article as things are publicly released, and here are some additional details on their PS3 projects from bguerville via PSX-Place, to quote:
Background
I started investigating the ps3 webkit about 6/7 months, but at the time, it was only to gather information, I had no idea I would eventually be the one working on it!
End of August, I gave the information I had to @esc0rtd3w & expected he would work on it alone. However, he knew nothing about webkit exploitation & he started to collaborate with W. By hijacking webkit, we inherit its privileges which means we are root & we get access to lv2 syscalls.
However the PS3 OS is protected by NX (No eXecute is the BSD/Linux equivalent of DEP on Windows), no address randomisation though. Executing our own payload is made impossible by NX but we can still execute code despite NX using ROP (Return Oriented Programming).
The principle is simple, select snippets from the system code (snippets like these are called gadgets) & assemble them so execution jumps from one gadget to the next until the task we planned is done. It requires providing values/parameters & offsetting to each gadget instruction as well...
First week of September, I joined their effort & 2 weeks later we had ROP execution. From that moment, I have been doing all the ROP development work alone while the other 2 helped with testing & researching (and debugging for esc0rtd3w).
Right now I have 2 ROP chains ready, one for IDPS dumping & the other for flash memory dumping.
- The IDPS dumper is about to get released.
- The flash dumper will be released later.
FYI, the IDPS dumper should work on any NOR/NAND model of PS3. Same goes for the flash memory dumper. It was tested ok on Superslim. Once the ROP work above is finished, there is much more to be done & hopefully more releases to come... Stay tuned.
The Current Status
For now the main project we are working on will not jailbreak all consoles. It will enable flash dumps from all consoles but flash write only to all consoles up to 25xx so consoles that are are not cfw compatible will not really benefit just yet, except for dumping flash & IDPS but not for JB.
For those with CFW compatible consoles on OFW, once flash is overwritten with a db OFW copy, a user can reboot then install the CFW of their choice. Hardware flashers being then obsolete.. You could also overwrite the flash memory in more recent consoles but that would result in a brick due to metldr2.
It's only after that flash management project is done, in hopefully March that we will begin working on exploiting lv2. If we get the results we wish, we should be able to make a TaiHEN type of hack for all consoles including Superslims.
Once lv2 is exploited, I am not sure yet how far I will take it, whether I will also try to take on lv1.. Or leave it for someone else to build on by releasing a fully commented & dev friendly version... We will see how things go...
However, even without lv1, direct access to lv2 functions using the right parameters would allow us to run homebrews (except those needing lv1 peek/poke) & backups without problems along with many other things.
The IDPS dumper will create a file on usb000 then beep 3 times & shutdown in all cases, even if flash memory read fails. emmc should not make a difference to this. You will get garbage in idps.bin in that case.
Js errors with a black page message on ps3 should not happen. If ever it did, just report & in the meantime keep relaunching the exploit. Nobody has had this issue in dozens of tests though.
And clearing cache or cookies is totally unnecessary with the exploit & the wk js interpreter. Between runs garbage collection will take care of cleaning up what is needed, the job it does is always sufficient.
Update #1: From esc0rtd3w on the PS3 4.81 IDPS Dumper v0.2 (linked above), to quote: Ok... the moment all of you have been waiting for..... i assume File: ps3_481_idps_dumper-PS3XPloit.zip
MD5 Hash: FFDA70AB2D1677886083F99185C54FE3
SHA-256 Hash: 852BDB301753C4F4A7E946188E850D3D325EEAA259B61AE2B5AE31320B2F292B
Enjoy this release from our team
We will be working hard to add EMMC support as soon as possible!!
The documentation will be updated as time goes on. There is a readme.txt file included with basic setup and usage instructions. Please stay tuned for future tools and releases
And once again, THANK YOU to everyone involved bringing this all together, without all of you, none of this would have happened!!!
Update #2: From esc0rtd3w on the PS3 4.81 IDPS Dumper v0.2.1 (linked above), to quote:We have some more exciting news to bring you!!
We have been working very hard to bring eMMC support for the newest SuperSlims CECH-40xxA, CECH-42xxA , CECH-43xxA and that has happened.
The team would like to present a nice little update to the 4.81 IDPS Dumper now supporting eMMC hardware revision consoles!!
We also updated the instructions in the Readme.txt. Please read it... People who have issues triggering the exploit (>5mn) might have a low wifi connection that would explain the problem, in this case use ethernet or improve your WiFi.
Please report any issues you have while using this new version on any of the flash types, NAND, NOR, and eMMC. Here is an EMMC testing and research thread. Thank You to all
File: ps3_idps_dumper-v0.2.1-PS3XPloit.zip
MD5 Hash: 71268E3829CB78D818E8E0DE890E4140
SHA-256 Hash: BCE1AB277804BE7540286D9106FE58AFA231696F4174053C611DB5A18048CB71
Update #3: From bguerville on the PS3 4.81 IDPS Dumper v0.2.1a (linked above), to quote:I posted a 0.2.1a version to fix the include file error on index.html in OP.
File: ps3_idps_dumper-v0.2.1a-PS3XPloit.zip
MD5 Hash: 0fbb98452596c56c102e9b2d3b47c654
SHA-256 Hash: 58d049bf429d130556bf2687d445fdbe1c760981f42aa19f38da6e2a6ff70cb9
Update #4: From bguerville on the PS3 4.81 / 4.82 IDPS Dumper v0.2.3 (linked above), to quote:Project has been updated to 0.2.3. Check the OP... A 4.82 version has been tested on NOR/NAND/eMMC, it will be posted soon.
I updated the OP with a 4.82 release... Enjoy...
File: ps3_idps_dumper-v0.2.3-PS3XPloit.zip
MD5 Hash: 97d8b44f25bbe65e801d00b6ec784ff4
SHA-256 Hash: e7dec93e584bec460fbb932333a2a14e34281bb1658ba291cd8f6dfebc1f9446
File: ps3_idps_dumper-v0-2-3-ps3xploit-4-82-zip
MD5 Hash: e381236f78a7ff9cc31f671d0d09be83
SHA-256 Hash: f96edcf36f94693e4957d9e844a24709edab247147dd468a915896434640ee68
File: ps3_idps_dumper-v0.2.3-PS3XPloit.zip (Updated)
MD5 Hash: 71dd906e585bf470f84f9d4fb10c1f37
SHA-256 Hash: d4bffe2b7d08c1dda275590229f86903f1db487e9a78364d6a025c3734cd8f68
File: ps3_idps_dumper-v0-2-3-ps3xploit-4-82-zip (Updated)
MD5 Hash: 3c2e1582f52e1002a12ad280f426d0c6
SHA-256 Hash: 1c49eabd64275171a60c90f0f06f503b7055f4ff863f87e7960d41464d127443
Changelog:
v0.2.3
- Added 4.82 Support
- Removed all extra requirements like JQuery..
- Removed the need for string relocations to improve the initial memory search process & overall trigger times.
- Added eMMC SuperSlim Support (CECH-40xxA, CECH-42xxA , CECH-43xxA)
- Misc Tweaks To Exploit
- Small typo on index.html pointed out by Turranius - Fixed
- Added eMMC SuperSlim Support (CECH-40xxA, CECH-42xxA , CECH-43xxA)
- Misc Tweaks To Exploit
- The AfterLeak Version
- NOT RELEASED
PS3 xploid work version 4.81- 4.82 idps extract by sc0rtd3w idps dumper 0.2.3 release!!!
[PS3 Debugging/ROP] System Call Test #1: sys_ss_get_open_psid
From the video caption, to quote: This is the first video in a series of videos I will be uploading demonstrating exploiting the PS3 using the debugger and ROP techniques. Don't get too excited, nothing will be shown here that hinders current private development progress, but this will give other users not familiar with these techniques a chance to play around a bit
Thanks to @B7U3 C50SS in the PSXHAX Shoutbox for the heads-up on this exciting PlayStation 3 scene news!
