- Update (Jan. 30) - @esc0rtd3w has released a new beta, while not the FINAL (yet) it is the first beta HEN with the qCFW installer.
- Update (Jan. 29) - @aomsin2526 has released the first public version of qCFW for the BadWDSD exploit, now we still need PS3HEN 3.4.1 (FINAL) for the qCFW installer to utilize the qCFW release.
- Update (Jan. 15) - @aomsin2526 has provided a new progress report, qCFW is nearing a public release. >>>Link
- Update (Dec. 8) - @aomsin2526 (aka chattrapat_s / kafuu) has provided an update for the project, in the form of a "To-Do" list for the project, with some reported progress like "qCFW is done" see full post >>> Link
- Update (Sept. 11) - New video demonstration and details "qCFW will be based on Evilnat PEX from now on. This means both CEX and DEX features will be available." >>> Link
- Update (Sept. 1) - Another exciting progress update from @aomsin2526 >>> Link
- Update (Aug. 30) - New details and progress from @aomsin2526>> Link
- Update (July 8) - New Video (PS3 Superslim BadWDSD Booting Petitboot and FreeBSD 14.3 from Coldboot Test) / Readme updated w/ new details (see tab below or link) via aomsin2526
- Update (June 30) - The qCFW files released in the wild are not complete (See Post) - They can pose a brick risk beware for advanced user's only.
- Update (June 24) - Installer for qCFW is still being developed by @aomsin2526 (see link)
- Update (June 18) - Added latest Readme (in first tab) from aomsin2526 & Also added a tutorial from WizWiki for the modchip installation
- Update (June 11) - Latest Progress Report from @aomsin2526 (aka kafuu) (See Link) + Wiring Diagrams via @zecoxao (See Link)
- Update (May 20) - New README released for BadWDSD exploit (See link)
- Update (May 18) - New PS3HEN OPEN BETA Builds (from @esc0rtd3w) supports BadWDSD with new options for developer's. (See link )
.
Original Article (May 10) Since the disclosure and release of the BadHTAB (hardware/software) exploit we have seen a number of advancements in the PS3 community. We have seen in recent weeks with PS3HEN (w/ BadHTAB) now have the ability to run PS3 Linux & OverClocking on a nonCFW model's. Thanks to the efforts lead by @aomsin2526 (kafuu) and the BadHTAB release.
Since then we have seen continued progression from @aomsin2526 and other developer's like PS3HEN developer @esc0rtd3w among other's have now confirmed even the ability to downgrade a SuperSlim (NOR) models through this new exploit that has been "superseded by BadWDSD" (replacing BadHTAB). As it also looks like this exploit can replicate a CFW experience with a new qCFW that is being worked on. It does not seems likely, we will be able to downgrade to 3.55 and install a CFW PUP for SuperSlim models (though this theory needs tested to completly rule out) but rather inject the features like PS3HEN on boot, but alot more powerful then PS3HEN without the modchip.
The details are still emegring and deveolopment continiues. We hope to get more details on qCFW as this project advances in both hardware and software tweaks, but it looks like something great is coming to the PS3,.. Kafuu (@aomsin2526) has setup a github with the new BadWDSD exploit, also issuing a warning of "Do Not Use Yet". Stay tuned in the coming days/weeks as this project matures. Below you can find some the answer's to questions asked and information that @esc0rtd3w has provided the forum, also @esc0rtd3w provided us with some preview video's of the exploit general use and also a downgrade of 4.82 to 4.40.
NOTICE: READ-ME BELOW IS OUTDATED
(see links in updates above)
Update: @aomsin2526 has provided additional detail about qCFW & new video.
Since then we have seen continued progression from @aomsin2526 and other developer's like PS3HEN developer @esc0rtd3w among other's have now confirmed even the ability to downgrade a SuperSlim (NOR) models through this new exploit that has been "superseded by BadWDSD" (replacing BadHTAB). As it also looks like this exploit can replicate a CFW experience with a new qCFW that is being worked on. It does not seems likely, we will be able to downgrade to 3.55 and install a CFW PUP for SuperSlim models (though this theory needs tested to completly rule out) but rather inject the features like PS3HEN on boot, but alot more powerful then PS3HEN without the modchip.
The details are still emegring and deveolopment continiues. We hope to get more details on qCFW as this project advances in both hardware and software tweaks, but it looks like something great is coming to the PS3,.. Kafuu (@aomsin2526) has setup a github with the new BadWDSD exploit, also issuing a warning of "Do Not Use Yet". Stay tuned in the coming days/weeks as this project matures. Below you can find some the answer's to questions asked and information that @esc0rtd3w has provided the forum, also @esc0rtd3w provided us with some preview video's of the exploit general use and also a downgrade of 4.82 to 4.40.
NOTICE: READ-ME BELOW IS OUTDATED
(see links in updates above)
Update: @aomsin2526 has provided additional detail about qCFW & new video.
-
via aomsin2526's Readme @ https://github.com/aomsin2526/BadWDSD
.
This is a hardware modchip for Sony Playstation 3. By abusing a "feature" called WDSD serial register inside XDR ram. We can override what data to be written to memory through serial pin (32 bytes max). But not where and when. So if we do it while first boot loader (bootldr/lv0ldr) is decrypting lv0 (second boot loader) and writing decrypted data to memory. In reality, our code will be written to memory instead. If it hit address 0x100 (Reset vector), when PPU core starts our code will get executed instead. Gaining custom code execution very early on.
It is patchable by Sony with new hardware by simply read and verify the data after write. But it is too late for them now since ps3 is no longer made.
I avoid calling this modchip a "glitch" because XDR ram itself is working perfectly as intended. Every command we send to it is valid. WDSD register are for initialization purpose. But we "abuse" it to do benefit thing for us.
This modchip replace and unrelated to previous BadHTAB exploit. While both are exploiting XDR ram. Method it uses is completely different.
This modchip then allow full access to lv1 hypervisor and ability to run new variant of persistence CFW called qCFW. Unlock many features of CFW that HEN can't do. It can also used to recover console such as exit FSM, or updating consoles with dead BD/BT module. Downgrading also possible.
With proper solder and wiring, this modchip is very stable (100% success rate) and should get you to XMB within 30 secs.
This exploit contain three major components:
- BadWDSD - Hardware modchip. Raspberry Pi Pico (RP2040) based. It handles WDSD register writing part. 32 bytes long jump code (Stage0.S) to address 0x2401F031000 will be pushed to memory by it.
- Stagex.bin - Main software payload of this modchip. It will be stored at address 0x31000 (NOR flash) / 0x2401F031000 (MMIO)
- BadWDSD-SW - Software utilites, was used for Stagex.bin/CoreOS.bin installation (now legacy). Now only used to boot OtherOS.
Supported models
- All 2500/3000 Slim.
- 4000 Superslim with NOR flash.
- 4000 Superslim with eMMC flash (12GB) is NOT supported.
Operation Mode
.This modchip supports two operation mode: OFW and qCFW
OFW Mode
- This is pretty much HEN + lv1 peek/poke. It is very safe since it doesn't modify any files. So you can just disable modchip and console will work just like before. But feature will be more limited than qCFW. And you will still need HEN to be useful. This mode is required to install qCFW so everyone must start here. You can downgrade/exit FSM/Overclock/OtherOS under this mode.
Supports firmware 4.70 or later. You only need Stagex.bin to run this mode, since
Stagex.bin stay even after firmware update, you only need to install it once.
You can take Stagex.bin from any qCFW releases.
qCFW Mode
- You can't install any existing CFW or any custom PUP, so new variant of CFW must be made. This variant will be called qCFW (quasi-CFW). It is persistence, stable and much more powerful than HEN/OFW Mode. It use fork of Cobra called Cobra-qCFW. Vanilla Cobra won't work here! Installation method also different.
Once installed, modchip must be active at all times until you reinstall OFW again.At its peak, it should be capable of everything CFW can except one thing: Dump eid_root_key.
It's not at its peak yet at current state, but it is powerful and stable enough for daily uses.
Quirks:
- Cobra must be active at all times no matter what, if you lost it by some reason, it can be loaded from USB.
- PS1 Emu can't be modified
- VSH modules (self/sprx) at /dev_flash/vsh/module/ can't be modified, Don't modify these files or you will brick
- If you turn on your console through PS button on your controller, it won't sync until you power cycle the controller by holding PS button until it turn off, then press it to turn on again. This is caused by load Cobra from USB.
qCFW (Petitboot)
- Special variant of qCFW. In this version, lv2 kernel will be replaced with Petitboot bootloader.
So you will be always boot into petitboot right after power on. It is for those who wants to use the console as permanent OtherOS machine. No internal HDD required even on NOR.
To go back to OFW, use BANKSEL pin. -
Explanation of qCFW
Question via @aldostools: I'm guessing that "qCFW" stands for "quasi-CFW". Since quasi- means "resembling," "having some, but not all of the features of,"
via aomsin2526 (kafuu) said:
Question's & Answer's
Question via @NiQ - Any way we can decrypt metldr.2 with this?
.Quotes from this thread
via esc0rtd3w said:This has now been superseded by BadWDSD, for NOR. Even with BadWDSD having lv0 privileges at boot, it is not just as easy as that, from what I understand from much smarter people than me in the chat
I think moving forward, there is now a path to actually accomplishing that though now, thanks to @aomsin2526
Question via @NiQ - I was really hoping that with such early peek/poke access we could maybe just NOP out the firmware signature check, allowing full CFW.
via esc0rtd3w said:
Downgrading a SuperSlim (NOR)
via esc0rtd3w said:Downgrading works with BadWDSD, and its easier than normal once pico modchip is installed anyways
I successfully downgraded my NOR superslim last night from 4.91 to 4.40, and I think @aomsin2526 downgraded his from 4.92 to 4.82.
Currently, from my understanding is this will only work with NOR and not eMMC though.
Another shoutout to kafuu for his awesome work with all of this
We will need a BadWDSD thread soon enough.
Question via @GuilloteTesla- I think that SuperSlims can not go below minVerChk value as has always been the case, right?
via esc0rtd3w said:
Question via @chronoss - Just to know : why downgrade the SuperSlim?
via Aldostools said:
Question via @Rock77 - Is this possible on late slim models? If so, is the process of making it work the same as with super slim models?
via GuilloteTesla said: -
Demostration Video by @aomsin2526 (BadWDSD Modchip with qCFW )
Demostrartion Video's by @esc0rtd3w
BadWDSD Exploit PS3 NOR Superslim Test
BadWDSD PS3 Superslim NOR Downgrade Firmware 4.82 to 4.40
.Tutorial's (Potential Brick RIsk incomplete qCFW is being used)
- Text Tutorial / unofficial Write-up via TheWizWiki > How to Install BADWDSD on PS3 Super Slim (Modchip) qCFW and more
.Project Links ("Do Not Use Yet")
- @aomsin2526 - https://github.com/aomsin2526/BadWDSD
- @zecoxao - https://github.com/zecoxao/BadWDSD_WithREADME
- Note this is not the complete qCFW some features are not complete, qCFW has not been officially released (see post)
Forum Discussion: @ psx-place.com/forum....
Last edited:
