PS3 Multiple Updates To webMAN-MOD: Version 1.41.36 Being The Latest

If you have been watching the previous article about webMAN-MOD you will be aware of most of these updates as Aldostools rolled out a few test releases. For those not following closely, be sure to catch up since the plugin has had three updates since last reported. At first glance I see that Aldo has reverted back to his previous method of firmware detection since DEX firmware wasn't playing nice. In changelog 1.41.35 there were a few fixes to game scanning, the Fix Game option and fan control. Version 1.41.36 has a few tweaks for the way it handles unload plugin and a redirect to prevent accidental official firmware updates for games in ISO and JB folders (I like that one). Be sure to read on for all the details of this amazing plugin.





Changelog 1.41.36: (2015-03-29)
  • Merged latest changes from NzV about unload plugin
  • Redirect /dev_bdvd/PS3_UPDATE to prevent accidental update
  • Added buttons to clear IDPS/PSID on /setup.ps3
  • PSID now can be set to all zeros.
  • Added display of Cobra/Mamba version to /cpursx.ps3 and popup START+SELECT
  • Reverted again the firmware detection to the old method
    • (firmware detection using syscalls didn't work well with spoofed IDPS.)
  • Added /fixgames.ps3
  • Added a wait of 500ms before unload the plugin (to let any pending delay being processed complete)
  • Fan control is restored to SYSCON mode when the plugin is unloaded, only if fan control is disabled or PS2 speed is <33%
  • Fixed some typos (Thanks to m@tsumot0)
  • Fixed issue scanning games on English edition

Changelog 1.41.35: (2015-03-26)
  • Fixed issue scanning games on English editions
  • 'Fix game' now patches the game update if it is installed on hdd0.
  • Fixed new firmware detection using syscalls introduced in 1.41.32
  • Fan control is restored to SYSCON mode when the plugin is unloaded, only if fan control is disabled or PS2 speed is <33%
  • Removed non-working code for custom CD sector size on netiso

Changelog 1.41.33: (2015-03-22)
  • Reverted firmware detection to the method used in 1.41.31 (and before).
    • New method was not detecting DEX properly.
  • Removed ps3mapi syscall when the plugin is unloaded
  • libfs.sprx is now external for nonCobra/CCAPI
  • Updated Russian language (thanks to Danzel87)

 
peek is not completely disabled for Cobra editions. Only on nonCobra editions.

Maybe @_NzV_ or @Matsumot0 can suggest what to do in this case.

BTW 1.41.37 was uploaded.

Thank you for your quick reply. I was just worried because in older versions of webMAN lv1/lv2 syscalls were always disabled, but never mind.
 
Cobra partially serves lv1 peeking with SYSCALL 8 (for compatibility with almost every tool that accesses lv1; if this is removed from Cobra/Mamba, many tools will stop working! habib implemented syscall11 for full lv1 peeking but there are still a few tools to use it).

If syscall8 is kept untouched when disabling SYSCALLs, lv1 peeking is kept running. Which is imho a security hole.

My suggested approach is to disable also syscall8 (as psnpatch does). Of course this implies that no more cobra / mamba after "disabling" Syscalls. But nothing a reboot can't handle :)


 
The trick to prevent accidental OFW update via dev_bdvd [ game disc] is confirmed to work..
It now fails to search pups from the original game disc while on both XMB/Recovery.

and also aldo's redirection method to prevent accidental OFW update from game rips mounted by webMAN also works..


change strings in emer_init.self

Code:
//Original

/dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP.......
/dev_bdvd/PS3/UPDATE/PS3UPDAT.PUP

//Patched

/dev_bdvd/NOT_UPDATE/PS3UPDAT.PUP.......
/dev_bdvd/NOT/UPDATE/PS3UPDAT.PUP

FYI :
@STLcardsWS @atreyu187
 
@aldostools there's a bug in webMAN 1.41.36. I don't know if it happens for anyone else, but I use "Disable lv1&lv2 peek&poke syscall at startup" and I think it's not disabling the lv1 syscall, because I checked in SEN Enabler: the lv2 syscalls are disabled but lv1 is still enabled.

my ps3 is a cech-l04 Rebug 4.65.02

Only Lv1_peek (the partial one, not syscall11) is kept enabled when webMAN-MOD removes syscalls, because it's done with syscall 8, the one that is used by Cobra.
But if you have COBRA + PS3M_API, webMAN-MOD will block Lv1_peek too and keep all Cobra features working (ps3mapi partial disable of syscall 8).
 
Very good.
 
The 2nd patch is not necessary. Indeed webMAN now uses the 2nd for redirection of /dev_bdvd/PS3UPDAT.PUP to /dev_bdvd/PS3/UPDATE/PS3UPDAT.PUP

If that path is patched, then the feature will not work. It is useful to load PUP folder from /net or ntfs[BDFILE].

IMHO only this patch is necessary: /dev_bdvd/NOT_UPDATE/PS3UPDAT.PUP
 
anyone tried using old 3.55 patch from glevand? though, i never have tested the patch working.

emer_init.self
disable update search in game disc
800100742f800000409e0014
380000012f800000409e0014
 
The method tested by Joonie is much simpler :) It patches the path to look at another one that is less likely to exist (PS3_UPDATE -> NOT_UPDATE).

I think these should be patched too: emer_init.self, software_update_plugin.sprx and checker_plugin.sprx. They look for the path PS3_UPDATE.
 
LEGEND!!! Thanks. I hope all #dev creating any CFW will implement this so we don't see more CFW consoles going to the dark side of DRM official firmware :) Quick question. Can one create a PKG of this method to apply to other CFW's that don't have it?


Сhocoladik said:
Excuse me, but how to install the new version: You can over the old one, or you need to uninstall the previous ...

Over the old is fine.
 
emer_init.self is inside coreOS, and this is the recovery mode program, so it is impossible to make a homebrew for this at the moment. However, currently aldostools's workaround with PS3UPDAT.PUP redirection is working well on webMAN, so all Cobra users who are using webMAN will not be able to update from game discs or game rips that are mounted by webMAN.
 
Got it thanks for the explanation.

*** Aldo's workaround is only for JB & ISO game dumps. (which he says in a previous post, I had the article wrong originally.) So discs are still a vulnerability. But anyway, if your method is used by CFW devs going forward then that is good enough. My soul dies a little when I see posts of people accidentally updating who don't have flashers LOL
 
PROOF OF CONCEPT :)

DEBUG LOG of PUP INSTALLATION

seach update package in GAME disc
Disc auth: 5004 29 (process: 01000200_main_mer_init.self)
set drive policy success
profile = 0xff71
umount BDVD
umount /dev_bdvd failure = 0x80010002
mount BDVD
cellFsUtilMount: /dev_bdvd
mount /dev_bdvd success
open_path /dev_bdvd/NOT_UPDATE/PS3UPDAT.PUP
open_path /dev_bdvd/PS3/UPDATE/PS3UPDAT.PUP
USB storage: id = 0x10300000000000a
lun = 0x0
info.vendor_id = 0x0
info.device_id = 0x0
info.sector_size = 0x200
info.media_count = 0x1
info.capacity = 0xffffffffe8df8800
lun = 0x0, dev_index = 0xa
index = 0x0, pkg_index = 0x2
mount USB storage 0
mp_name = /dev_usb000
umount /dev_usb000 failure = 0x80010002
mount USB storage 0(LUN=0x0)
dev_name = CELL_FS_IOS:USB_MASS_STORAGE000, mp_name = /dev_usb000
cellFsUtilMount: /dev_usb000
mount /dev_usb000 success
/dev_usb000/PS3/UPDATE/PS3UPDAT.PUP found
verify /dev_usb000/PS3/UPDATE/PS3UPDAT.PUP
open_path /dev_usb000/PS3/UPDATE/PS3UPDAT.PUP
Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 584 msec
check UPL
Check UPL elapsed time = 137 msec
check Package Size
get package size elapsed time = 25 msec
start Verifying Package only

@aldostools says

it's incredible that nobody thought about that easy patch in 4 years

Lmao...
 
The disc update vulnerability should be reduced if software_update_plugin.sprx and checker_plugin.sprx are also patched. But so far the POC only has been tested with emer_init.self.

Another vulnerability is the Automatic Update, but I haven't identified which file should be patched. Maybe xRegistry.sys
At least this one can be disabled easily through the Settings > System Settings option on the XMB.
 
Maybe we can also add something like this in Cobra (mappath.c). It will always block update from disc from ISO, JB, original game and also from recovery, since this hook is also enabled in recovery mode.

Code:
LV2_HOOKED_FUNCTION_POSTCALL_2(void, open_path_hook, (char *path0, int mode))
{
    if (path0[0]=='/')
    {
        char *path=path0;
        if(path[1]=='/') path++; //if(path[1]=='/') path++;
        // Redirect the disc update package to a path that should not exist
        if (path && strcmp(path, "/dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP") == 0)
        {
            char not_update[32]; // as posted; the 37-character path below does not fit in 32 bytes
            sprintf(not_update, "/dev_bdvd/PS3_NOT_UPDATE/PS3UPDAT.PUP");
            set_patched_func_param(1, (uint64_t)not_update);
            #ifdef DEBUG
            DPRINTF("Update from disc blocked!");
            #endif
        }
        else
        {
            #ifdef DEBUG
            //DPRINTF("?: [%s]\n", path);
            #endif
            // Otherwise apply the first matching prefix mapping from the table
            for (int i = MAX_TABLE_ENTRIES-1; i >= 0; i--)
            {
                if (map_table[i].oldpath)
                {
                    int len = strlen(map_table[i].oldpath);

                    if (path && strncmp(path, map_table[i].oldpath, len) == 0)
                    {
                        strcpy(map_table[i].newpath+map_table[i].newpath_len, path+len);
                        set_patched_func_param(1, (uint64_t)map_table[i].newpath);

                        #ifdef DEBUG
                        //DPRINTF("=: [%s]\n", map_table[i].newpath);
                        #endif
                        break;
                    }
                }
            }
        }

        #ifdef DEBUG
        //DPRINTF("open_path %s\n", path);
        #endif
    }
}
 
I like the idea... but change char not_update[32]; to char not_update[40]; ;)
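
The buffer-size correction above, worked through as an added example (not code from Cobra, webMAN-MOD or any poster in this thread): a user-space C model of the redirect that lets the compiler size the replacement path and bounds the table remap. `redirect_path`, `MapEntry` and the sample mapping are hypothetical names and constructed data; only the two PUP paths come from the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TABLE_ENTRIES 4
#define MAX_PATH_LEN 128

/* Paths quoted in the thread. Static arrays are sized by the compiler
   (38 bytes here: 37 characters plus the terminator) and outlive the call. */
static const char UPDATE_PUP[]  = "/dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP";
static const char BLOCKED_PUP[] = "/dev_bdvd/PS3_NOT_UPDATE/PS3UPDAT.PUP";

typedef struct {
    const char *oldpath;        /* prefix to match, NULL = unused slot */
    char newpath[MAX_PATH_LEN]; /* replacement prefix + remapped tail */
    size_t newpath_len;         /* length of the replacement prefix */
} MapEntry;

/* Constructed sample mapping (hypothetical, not from the page). */
static MapEntry map_table[MAX_TABLE_ENTRIES] = {
    { "/dev_bdvd", "/dev_hdd0/GAMES/SAMPLE", 22 },
};

/* Returns the path to open, or NULL when the remapped path would not fit. */
const char *redirect_path(const char *path0)
{
    if (!path0 || path0[0] != '/') return path0;
    const char *path = (path0[1] == '/') ? path0 + 1 : path0;
    /* The update check runs before the table, so a mounted rip cannot
       re-expose the update package through a /dev_bdvd mapping. */
    if (strcmp(path, UPDATE_PUP) == 0) return BLOCKED_PUP;

    for (int i = MAX_TABLE_ENTRIES - 1; i >= 0; i--) {
        MapEntry *e = &map_table[i];
        if (!e->oldpath) continue;
        size_t len = strlen(e->oldpath);
        if (strncmp(path, e->oldpath, len) != 0) continue;
        size_t room = sizeof e->newpath - e->newpath_len;
        int n = snprintf(e->newpath + e->newpath_len, room, "%s", path + len);
        if (n < 0 || (size_t)n >= room) {       /* tail truncated: refuse */
            e->newpath[e->newpath_len] = '\0';  /* restore the bare prefix */
            return NULL;
        }
        return e->newpath;
    }
    return path;
}

int main(void)
{
    printf("%zu bytes needed\n", sizeof BLOCKED_PUP);
    printf("%s\n", redirect_path("/dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP"));
    printf("%s\n", redirect_path("/dev_bdvd/PS3_GAME/PARAM.SFO"));
    return 0;
}
```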
 
These are really nice changes.
A real "Columbus egg" (used in a Portuguese saying, I hope it is also applicable in other languages ;)).
Having all CFW with disk updates blocked is a must from now on.
Should Rebug 4.70 to be the first, @Joonie ? ;)
@aldostools: webman as an addon to all this is simply fantastic.

Next thing:
home brew execution blocked when connected to the PSN ... ;)
 
I have tested my addition to Cobra and it works as expected. Check this log from recovery mode:

Code:
mount BDVD
cellFsUtilMount: /dev_bdvd
mount /dev_bdvd success
mount /dev_bdvd success
Update from disc blocked!
open_path /dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP
open_path /dev_bdvd/PS3/UPDATE/PS3UPDAT.PUP
search update package done
search update package done
emer_init::search_update_package() ERROR 6
emer_init::search_update_package() ERROR 6
ErrorCode [6]
ErrorCode [6]
 