PS3 4.87.1 PS3 HFW (Hybrid Firmware) - HFW is helpful for installing PS3HEN on 4.84/4.85/4.86/4.87 FW

UPDATE (May, 2022) 4.89 HFW Released see here.

---

. Original Article (4.84 HFW - March 2019): Huge News as the PS3 exploit ladder has taken a step up into 4.84 rung, with a new approach to bring back PS3Xploit functionality on 4.84. With a Hybrid Firmware (NOT A CFW) that can be installed on ANY MODEL PS3 over any Official Firmware (OFW) version. .The only thing this modified firmware essentially does is bring back the patched webkit from OFW 4.82 that was an entry point for PS3Xploit, if you recall when 4.84 was released developers @bguerville and @esc0rtd3w stated the exploit was not actually patched but rather only the webkit entry used was removed in 4.83+ which rendered the actual exploit unreachable (not patched and could be restored). Now the webkit is back for 4.84 OFW thanks to this new clever magic that has allowed OFW user's to use and install this slightly modified Firmware.​

So, what does all this mean? Now it will be just like it was back in 4.82 before PS3Xploit was "patched"(some ps3xploit tools need updated still) you will be able to install a CFW (on a CFW compatible model) and for those unfortunate user's that does not have a CFW Compatible model (i.e. SuperSlim/late slims) you have will have access to the HAN exploit . So for new user's or ones that updated, here is your second chances thanks to the efforts of the members of PS3Xploit Team and to @Joonie (waved magic wand on files) and prepared this magically release, @habib (for valuable input on this project) and @esc0rtd3w (work in porting ps3xploit tools to 4.84) ​

It has been an exciting month here at psx-place with so much progress on all fronts of the PS3 . the fuel of this project actually comes from a user simply igniting a spark with an idea as @Doge_Rules did with this thread truly making it a community effort. Updated - to version 4.84.2 (see details below)​

-STLcardsWS​

​

4.91 HFW 4.90 HFW 4.89 HFW 4.88 HFW 4.87.1 HFW 4.86.1 HFW 4.85.1 HFW Original 4.84.2 Release (via Joonie) SPECIAL INSTRUCTIONS

• 
  Joonie is back again with 4.91 HFW
  
  • (March 2024) > HFW 4.91 (Hybrid Firmware)
  
  
• 
  Joonie is back with an update to 4.90 with 4.90 HFW.
  
  • (March 2023) > HFW 4.90.1 (Hybrid Firmware)
• 
  4.89 HFW
  
  • https://www.psx-place.com/threads/hfw-4-89-1-hybrid-firmware-official-release.37319/
• 
  4.88 HFW:
  
  • https://www.psx-place.com/resources/4-88-1-hfw-hybrid-firmware.1249/
• 
  
  UPDATE 4.87.1 RELEASED:​
  via @Joonie:
  It's been a while, saw a new FW dropped today. So here's yet another one for everyone.
  
  https://mega.nz/file/fAJFwSqL#PeQfhVjbGAi69S4Jr369Tly4trG4Y9ALqdlUIBzW8qk
  
  Since there's no change in the kernel, you may see a PS3HEN update anytime soon.
  
  Have fun and stay safe at home.
  
  
  >> Release Post <<​
• 
  Release Post via Joonie

  ---

  .
  4.86.1 (HFW) Hybrid Firmware​
  It's been a while, saw a new FW dropped today. So here's yet another one for everyone.
  
  https://mega.nz/#!zIpFnDjB!PwJVSc15POf0jzFDQuUllxJahdzpnb48TW74hJOgjyc
  
  Since there's no change in the kernel, you should see a PS3HEN update anytime soon.
  
  Have fun and stay safe at home.​
  
  
• 
  Release Post via Joonie

  ---

  .Here's a little gift for everyone who has working PS3 (excluding RSOD or broken BD/BT units)
  
  Here's what we have found.
  

  1. no changes in Kernel
  2. no changes in VSH
  3. no changes in isolated loaders
  4. Stability improved

  
  Enjoy your latest HFW 4.85.1 and stay tuned for more updates coming from various developers.
  
  Download link : https://mega.nz/#!SAYhnYYB!6CmxOz0H_pSuVRb4YZ7-lYvY66hP0LlohgVMWfFut4Q
  
  FYI @STLcardsWS @esc0rtd3w @habib @Zar @aldostools
  
  To devs - PS3HEN can literally be ported in 5 mins. or you could just use PS3HEN 2.3.1 and it should work right out of the box.
  
  To everyone else - Don't rush your update until all the tools get fully ported & released.
  
• 
  
  4.84.2 HFW (Hybrid Firmware)
  Restores PS3Xploit Flasher/Tools & PS3Xploit HAN for 4.84 OFW user's​
  
  
  Today, we proudly present the very first modified OFW that can be installed on all PS3 models. (NOTE: THIS IS NOT A FULL BLOWN CFW, HOWEVER IT Allows you to run the patched webkit exploit that's ported to 4.84)​
  
  Yes, you didn't hear wrong, it can be installed over
  
  • ALL OFW versions on ALL PS3 models
    • ex) OFW 4.83, 4.84 , CECH-3XXX, CECH-4XXX and etc..
  
  We wanted this to be called "HHHFW" since it was Hybrid, Hack-able, HAN ready also inspired by @habib but let's call it HFW since this is Hybrid FW (Well you can call this MFW).
  
  The idea was reminded by some guy who didn't want to be annoying but actually ended up being helpful: @ psx-place.com
  
  Habib had this idea long time ago but the previous attempt was not successful due to lack of interest and preparation.
  
  As you all know, I recently started messing with my PS3 again and this idea was brought back.
  
  So then I went ahead and tried his magical idea.... after a few hours later... Boom!!, now we have HFW that works on all PS3 models (including 3K and 4K) that allows the previously patched exploit by using old webkit from 4.50 that's been used until 4.83. This method is rather hacky than technical, so I would like to leave this method under the radar for now until it gets patched out (this can easily be patched).
  
  What can you do with this HFW 4.84.1/2?
  
  1. You can use PSN since the FW is the latest.
  2. You can downgrade/Install CFW on your PS3 if your model is downgrade-able/hack-able (excluding CECH-3K and 4K)
  (The same capability as what you had for 4.82 OFW)
  3. You can use HAN and all the tools that worked up to 4.82 with this FW.
  4. You can always go back to the real OFW 4.84 if you wish.​
  
  To all scener's and developers
  
  • Please update the HAN toolbox or any xml that can support 4.84 if anyone's available.
  
  
  
  
  ​
  
  
  Special thanks @habib @bguerville @esc0rtd3w @Doge_Rules @DeViL303 @littlebalup​
  
  

  ---

  .UPDATE 3-22-2019 - 4.84.2 Released

  ---

  .​
  HFW 4.84.2_PS3UPDAT.PUP
  
  • Bugfix : Fixed the installation issue with regions that use following languages
    English (UK), Turkish (Turkey), and Portugal (Brazil) , Thanks to @citra mulia to report the bug
  • 
  

  ---

  ,​
  System Update displaying 4.84.1 HFW
  
  
  
  
  PS3Xploit Tools running on 4.84 HFW
  
  
  
  
  
  
  
• 
  
  DO NOT UPDATE WHEN A NEW OFW FIRMWARE UPDATE IS RELEASED!!!​
  
  -STLcardsWS​
  Here is a video tutorial by @MrMario2011
  
  
  
  
  

Release Thread & Download: HFW 4.87.1

---

.Update May 2022 https://www.psx-place.com/threads/p...-the-ps3-exploit-for-noncfw-ps3-models.37273/

UPDATE JAN. 2023
Mirror's HFW Downlaod's :
LINK

​

 

nvm I just f*king killed my ps3.
I've patched the memory offsets with this:
toc_addr=0x6F5558;
gadget1_addr=0x097604;
gadget2_addr=0x60EFD8;
gadget3_addr=0x0D9684;
gadget4_addr=0x0DB054;
gadget5_addr=0x19D3AC;
gadget6_addr=0x42C778;
gadget7_addr=0x423854;
gadget8_addr=0x2BACB8;

And restarted the ps3 when it showed sucess. IT DIED.
Any plans for me now lol?

Where did you get those offsets from? They aren't the 4.84 offsets.

 

Just FYI, but dev_flash mods are safe.. that is why no one ever bricks when installing HAN files.

CFW patch is for CoreOS which is a different story.

P.S. Not recommending this of course, but i have deleted entire dev_flash before and just rebooting into safe mode and reinstalled CFW, no problems. So do not worry too much about dev_flash mods.. but be very careful with anything beyond that.

But, everything that is dev_flash mods says that "if anything happens it's your fault not mine"
"be careful what you do in dev_flash" "Don't mess around with dev_flash" etc

 

Maaan, Project Phoenix Media is by far the best:

I do not think an 8 minute video can explain this process for someone who has never done it before.

Also i can not vouch for that as i have not used it, there is over an hour and a half in the videos I linked to, it is thorough.

 

Where did you get those offsets from? They aren't the 4.84 offsets.

IIRC it's from the auto-xml dev folder ones.

 

IIRC it's from the auto-xml dev folder ones.

The first address matches, not the rest though. See:

//CEX 4.84
var toc_addr_484 = 0x6F5558;
var default_vsh_pub_toc_484=0x6ED5AC;
var vsh_opd_patch_484=0x96D5C;
var vsh_opd_addr_484=0x6EBB70;
var vsh_toc_addr_screenshot_484=0x72067C;
var vsh_ps3xploit_key_toc_484=0x70786C;
var toc_entry1_addr_484=0x6DA3D0;
var toc_entry2_addr_484=0x725B38;//idps
var toc_entry3_addr_484=0x6DA3C8;
var toc_entry4_addr_484=0x740000;
var toc_entry5_addr_484=0x6EB6C8;
var toc_entry6_addr_484=0x0;
var gadget1_addr_484=0x097604;
var gadget2_addr_484=0x60A0E4;
var gadget3_addr_484=0x0D505C;
var gadget4_addr_484=0x229838;
var gadget5_addr_484=0x12BB1C;
var gadget6_addr_484=0x615CDC;//malloc
var gadget7_addr_484=0x01FFD0;//memset
var gadget8_addr_484=0x020000;//memcpy
var gadget9_addr_484=0x029B08;
var gadget10_addr_484=0x62E024;
var gadget11_addr_484=0x59A4B0;
var gadget12_addr_484=0x0C864C;
var gadget13_addr_484=0x48E5A8;//free
var gadget14_addr_484=0x48C7A0;
var gadget15_addr_484=0x489C88;
var gadget_mod1_addr_484=0x60EFD8;
var gadget_mod2_addr_484=0x013B74;
var gadget_mod3_addr_484=0x0B8E00;
var gadget_mod4a_addr_484=0x0D9684;
var gadget_mod4b_addr_484=0x42C778;
var gadget_mod4c_addr_484=0x054AF0; //load r5 word
var gadget_mod5_addr_484=0x4238DC;
var gadget_mod6_addr_484=0x020C00;
var gadget_mod7_addr_484=0x01A6AC;
var gadget_mod8_addr_484=0x2BACB8;
var gadget_mod9_addr_484=0x010B20;
var gadget_mod10_addr_484=0x1C5794;
var gadget_mod11_addr_484=0x18B144;
var gadget_mod12_addr_484=0x6331FC; //validation gadget
var gadget_mod13_addr_484=0x336870; //store_r3 gadget
var gadget_mod14_addr_484=0x633900; //load r3 dword
var gadget_mod15_addr_484=0x39D038; //load r3 word
var gadget_mod16_addr_484=0x4F732C; //set toc

 

But, everything that is dev_flash mods says that "if anything happens it's your fault not mine"
"be careful what you do in dev_flash" "Don't mess around with dev_flash" etc

Yes..that is just being safe, of course anything you do to your own console is your responsibility, and it is of course easy to soft brick, and then you need to reinstall, then all your previous mods are gone etc, so its still hassle. but its not fatal.

As well, part of reason for that is, PS3s die every day from natural causes, and if you install a mod and then ps3 dies that day, you will blame the mod, when it might be completely unrelated..

Also on NANDs it is riskier, Im more talking about NORs as most of FW is on HDD, a bad cobra payload on dev_flash can brick a NAND so they are a bit different.

 

The first address matches, not the rest though. See:

//CEX 4.84
var toc_addr_484 = 0x6F5558;
var default_vsh_pub_toc_484=0x6ED5AC;
var vsh_opd_patch_484=0x96D5C;
var vsh_opd_addr_484=0x6EBB70;
var vsh_toc_addr_screenshot_484=0x72067C;
var vsh_ps3xploit_key_toc_484=0x70786C;
var toc_entry1_addr_484=0x6DA3D0;
var toc_entry2_addr_484=0x725B38;//idps
var toc_entry3_addr_484=0x6DA3C8;
var toc_entry4_addr_484=0x740000;
var toc_entry5_addr_484=0x6EB6C8;
var toc_entry6_addr_484=0x0;
var gadget1_addr_484=0x097604;
var gadget2_addr_484=0x60A0E4;
var gadget3_addr_484=0x0D505C;
var gadget4_addr_484=0x229838;
var gadget5_addr_484=0x12BB1C;
var gadget6_addr_484=0x615CDC;//malloc
var gadget7_addr_484=0x01FFD0;//memset
var gadget8_addr_484=0x020000;//memcpy
var gadget9_addr_484=0x029B08;
var gadget10_addr_484=0x62E024;
var gadget11_addr_484=0x59A4B0;
var gadget12_addr_484=0x0C864C;
var gadget13_addr_484=0x48E5A8;//free
var gadget14_addr_484=0x48C7A0;
var gadget15_addr_484=0x489C88;
var gadget_mod1_addr_484=0x60EFD8;
var gadget_mod2_addr_484=0x013B74;
var gadget_mod3_addr_484=0x0B8E00;
var gadget_mod4a_addr_484=0x0D9684;
var gadget_mod4b_addr_484=0x42C778;
var gadget_mod4c_addr_484=0x054AF0; //load r5 word
var gadget_mod5_addr_484=0x4238DC;
var gadget_mod6_addr_484=0x020C00;
var gadget_mod7_addr_484=0x01A6AC;
var gadget_mod8_addr_484=0x2BACB8;
var gadget_mod9_addr_484=0x010B20;
var gadget_mod10_addr_484=0x1C5794;
var gadget_mod11_addr_484=0x18B144;
var gadget_mod12_addr_484=0x6331FC; //validation gadget
var gadget_mod13_addr_484=0x336870; //store_r3 gadget
var gadget_mod14_addr_484=0x633900; //load r3 dword
var gadget_mod15_addr_484=0x39D038; //load r3 word
var gadget_mod16_addr_484=0x4F732C; //set toc

I've tried those first ^^. But it just ended up crashing.

Noticed the 4.82 address were picked out in a specific order for the 4.82 flash writer adresses.
Tried the same order and it showed a success message.

 

I do not think an 8 minute video can explain this process for someone who has never done it before.

Also i can not vouch for that as i have not used it, there is over an hour and a half in the videos I linked to, it is thorough.

Ok, here then:

Then Part 2,3 and 4
Easy to find.
100% that this is legit and the best on YT, just look at the rest of his channel. It's not a bunch of useless CoD trash etc

 

Ok, here then:

Then Part 2,3 and 4
Easy to find.
100% that this is legit and the best on YT, just look at the rest of his channel. It's not a bunch of useless CoD trash etc

Well maybe is fine, but i already found perfect videos that i have watched/used/confirmed work and can vouch for, so not looking for new one. Why change something that is not broken...

Also , sound quality is brutal on those... Sounds like he is in shopping centre..

 

I've tried those first ^^. But it just ended up crashing.

Noticed the 4.82 address were picked out in a specific order for the 4.82 flash writer adresses.
Tried the same order and it showed a success message.

If you were using the same HTML files released for 4.82 then you would have to change more than just copy and pasting the addresses, it has checks to see what FW version you're on and 4.84 checks obviously weren't implemented.

 

If you were using the same HTML files released for 4.82 then you would have to change more than just copy and pasting the addresses, it has checks to see what FW version you're on and 4.84 checks obviously weren't implemented.

I did bypass those checks, how else did it initalize and succeed?
Was I missing something?

 

I did bypass those checks, how else did it initalize and succeed?
Was I missing something?

I saw the HTML you were using now yeah you did the right thing except for the addresses, and I'm not even sure the 4.82 hex file can be used on 4.84... someone correct me if I'm wrong please.

 

Well maybe is fine, but i already perfect videos that i have watched/used/confirmed work and can vouch for, so not looking for new one. Why change something that is not broken...

Also , sound quality is brutal on those... Sounds like he is in shopping centre..

Well, Well I like those atleast `\/´

 

i think the cause diffrence of coreOS an eeprom error cause the ps3 is higher then 4.82 and he flash the ps3 with lower coreOS which is 4.82

 

hmmm @DeViL303

is the Teensy enough? These seem waaaaay cheaper than the e3 flasher.

 

great new magic! just love it thanks joonie and friends!

 

and I'm not even sure the 4.82 hex file can be used on 4.84... someone correct me if I'm wrong please.

Different

 

hmmm @DeViL303
View attachment 15520
View attachment 15522

is the Teensy enough? These seem waaaaay cheaper than the e3 flasher.

Yes, but you need to be able to solder small shit.

 

View attachment 15523

Different

Yeah, he was using the 482 file.

 

Yeah, he was using the 482 file.

That was some very risky flashing.. tbh should have known that if everything was the same there would not be so much testing going on and devs saying to wait for new files.

Of course the patch was different, the 4.84 patch has "4.84" in the ROS areas, putting "4.82" in there will not allow downgrade, as QA flag wont be set.