PS3 Ps3Xploit Tools v2.0 - Improved Flash Writers & Dumpers (Even easier to install CFW on 4.82 OFW )

rmfdemon · Aug 23, 2018

pinky said:
won't work. the flash dump must be restored from the system that made it.

But makes sense.

unseen · Aug 24, 2018

You should give more details. Try installing CFW from safe mode. Also you can dump your fw, and check with PyPS3checker.

Gaslilbithc · Sep 23, 2018

When getting to the miniweb.exe part, my ps3 and laptop should be comnected to WI-FI (same) ?

jonnyjaeger · Oct 29, 2018

nevermind, the answer was clearly written in the first post, just didn't see it at first.. Hope to see an update for 4.83

Walter.C · Oct 30, 2018

awesome work guys, thank you all for you effort and commitment!

currently still gathering information, proceeding very slowly cause it's my first OFW patching on a Ps3 ever and I don't want to screw anything up

minverchk spat out a 1.90 which is awesome hehe

installed 4.82 ofw, about to install it another time as OP suggested, did an OFW dump and tested out with checker.py (all green), dumped IDPS as well just to try out these tools and practice a little, I was saying to myself "meh, as long as it's read-only I can goof around I guess"

just wondering: during the first OFW flash dump the script gave me some 3 or 4 failures (some 30 secs with a percentage) before a success (almost instantly), was using miniweb with NAND dumper (on a CEX CECHGXX), messed around a little with browser homepage, cut the Internet connection out (still using wifi between PS3 and PC miniweb), then fired it up again and success!!

Don't know if actual Internet connection has something to do with this. Or maybe RAM usage as bguerville specified. I thought, "as long as it works once it's fine": don't really know if this is the correct way of thinking. Flash dump was fine (as returned by littlebalup's tool) so all's right with the world I guess.

Also I would like to ask if the 4.82 OFW flash dump can be useful if something goes wrong.

bguerville · Oct 30, 2018

The nand dumper is a special case given the size of the ROP chain, the biggest of all tools released to date.
All releases from v1.0 to v3.0 used a temperamental memory search that had difficulties with big javascript strings where we store the data needed by the ROP chain. Using big strings imply a wider spread of the js data stored in memory which results in the need to rely on a bigger memory search range when the exploit attempts to locate the string.
Increasing the size of the search range too much leads to js engine running out of memory so the search range size is limited & the string doesn't always get located in it.
When the string cannot be found, the whole memory search process is restarted & the exploit keeps looping like this until the string is found.
This issue has been addressed in 4.0.

Keeping a dump of the Flash Memory for safe keeping is always wise. It contains data unique to your console that cannot be restored unless you have a backup. It is unlikely but who knows, you may need it one day.

Walter.C · Oct 30, 2018

bguerville said:
The nand dumper is a special case given the size of the ROP chain, the biggest of all tools released to date.
All releases from v1.0 to v3.0 used a temperamental memory search had difficulties with big strings because their use imply a wider spread of the data & a bigger range to cover.
This issue has been fully addressed in 4.0.

This is awesome. (Actually caught maybe 40% of what you said but I am kinda thrilled to see v4.0 whenever it comes out.)

bguerville said:
Keeping a dump of the Flash Memory for safe keeping is always wise. It contains data unique to your console that cannot be restored unless you have a backup. It is unlikely but who knows, you may need it one day.

Thank you very much for your answer! I'll keep it just in case then.

Walter.C · Oct 31, 2018

quick update: could not install OFW 4.82 on OFW 4.82 from the XMB System Update utility. Had to start the console in recovery mode.

Reinstalling OFW right now, so all's going well so far. I'll check the flash dump right thereafter.

bguerville · Oct 31, 2018

Walter.C said:
This is awesome. (Actually caught maybe 40% of what you said but I am kinda thrilled to see v4.0 whenever it comes out.)
Thank you very much for your answer! I'll keep it just in case then.

I edited my last post.

I hope it is a little easier for you to understand.

Walter.C · Oct 31, 2018

bguerville said:
I edited my last post.
I hope it is a little easier for you to understand.

It is. I have kinda basic programming skills but this much I can grasp, now I can see why these exploitations seem to have some sort of "random success/failure ratio". If I understood it correctly, this also could theoretically make the percentage stop at a random value before giving a success message. Thank you again for your time and patience of explaining out things

another quick update: OFW reinstall was successful via recovery mode, exploit succeeded at the first try and now ROS0=ROS1 (I can see the same md5 in the "Checking CoreOS_region" part). I assume I am good to go. And oh, Internet connection has nothing to do with exploitation success. Did the entire part with Internet disabled and went as smooth as it could ever go.

esc0rtd3w · Oct 31, 2018

Walter.C said:
now I can see why these exploitations seem to have some sort of "random success/failure ratio". If I understood it correctly, this also could theoretically make the percentage stop at a random value before giving a success message.

the "randomness" is because we are looking in memory for specific strings. Each attempt adds a notch to the percentage by 5%, and when it hits 100%, the exploit has failed. It basically loops 20 times and at anytime during the scanning, if the strings are found, it will trigger, regardless of what percentage it is on.

Walter.C · Oct 31, 2018

esc0rtd3w said:
the "randomness" is because we are looking in memory for specific strings. Each attempt adds a notch to the percentage by 5%, and when it hits 100%, the exploit has failed. It basically loops 20 times and at anytime during the scanning, if the strings are found, it will trigger, regardless of what percentage it is on.

Crystal clear. Thanks

Walter.C · Nov 3, 2018

Just patched the NAND. Dumped the flash, all green, 0 warnings, 0 errors. Version number reported was "4.82 CEX Patched (PS3Xploit v2.0)" for both ROS0 and ROS1, md5 matching. System rebooted, up and running smoothly!! I'm gonna install CFW asap.

Used local wifi for both dumping and flashing, Fenix server (as suggested by littlebalup), playing with dumper and writer utilities in separate folders. It's been way easier than I thought. I had a lot of fun actually, plus some edgy moments while flashing. Bricking consoles is not what I want to do in life

As a suggestion, instead of a percentage I would print the attempt number while running the exploitation: something like "Searching through data stored in memory. Attempt 1 of 20..." and so on. A percentage is kind of misleading IMO: someone could wonder, "why when it hits 100% it says that it has failed?" This way, when attempt number reaches 20 of 20, another message could say, "All attempts have failed in this exploit session. Please exit and re-enter the browser and try again..." or something like that.

Thanks again to all the devs for their knowledge and dedication to the project, it was definitely a fun ride! I'll keep lurking around just in case

esc0rtd3w · Nov 3, 2018

Walter.C said:
As a suggestion, instead of a percentage I would print the attempt number while running the exploitation: something like "Searching through data stored in memory. Attempt 1 of 20..." and so on. A percentage is kind of misleading IMO: someone could wonder, "why when it hits 100% it says that it has failed?" This way, when attempt number reaches 20 of 20, another message could say, "All attempts have failed in this exploit session. Please exit and re-enter the browser and try again..." or something like that.

glad to hear things went smooth

its funny you suggested that, i believe that is how the v1 was setup and we changed it to look that way in later revisions to look cleaner and "less confusing"? question mark lol

Walter.C · Nov 3, 2018

esc0rtd3w said:
its funny you suggested that, i believe that is how the v1 was setup and we changed it to look that way in later revisions to look cleaner and "less confusing"? question mark lol

hahah funny nonetheless

Louay · Nov 18, 2018

esc0rtd3w said:
glad to hear things went smooth

its funny you suggested that, i believe that is how the v1 was setup and we changed it to look that way in later revisions to look cleaner and "less confusing"? question mark lol

if i have a ps3 unhackable model on ofw 4.83 can i use a flasher to flash 4.82 OFW CoreOS to the ros0 and ros1 do that think work ?? i mean to get to 4.82 using coreOS just like the case of brick using ps3exploit and then install a fresh 4.82 ofw and use han ? do you think it will work ? this is just idea

bguerville · Nov 18, 2018

Louay said:
if i have a ps3 unhackable model on ofw 4.83 can i use a flasher to flash 4.82 OFW CoreOS to the ros0 and ros1 do that think work ?? i mean to get to 4.82 using coreOS just like the case of brick using ps3exploit and then install a fresh 4.82 ofw and use han ? do you think it will work ? this is just idea

Currently, it's not possible.
You could change CoreOS in the NOR with the HW Flasher or a modded ps3xploit Flash Writer but the syscon (in eeprom) responsible for booting the system keeps track of the last installed fw version (which on ofw is by nature always the highest version the console has ever had installed) & it will not let you boot a lower one. For the moment, we have no way to patch the syscon to make systems downgradeable on OFW 4.xx. But you can safely assume that eventually some future exploit will change all that one day..

Louay · Nov 18, 2018

ohhhh that's a bad luck

baptx · Nov 24, 2018

Hello, where can we safely download the official firmware 4.82? On PlayStation website, we can only download latest version 4.83. Even if a version 4.82 was downloadable from PlayStation website, I would not trust it since it may be a trap to install version 4.83 and prevent jailbreak. By the way, I read it is not possible to do the jailbreak on an older OFW than 4.82, do you know why? (I guess it should technically be possible unless the exploit vulnerability was introduced in version 4.82) Thanks.

DeViL303 · Nov 24, 2018

baptx said:
Hello, where can we safely download the official firmware 4.82? On PlayStation website, we can only download latest version 4.83. Even if a version 4.82 was downloadable from PlayStation website, I would not trust it since it may be a trap to install version 4.83 and prevent jailbreak. By the way, I read it is not possible to do the jailbreak on an older OFW than 4.82, do you know why? (I guess it should technically be possible unless the exploit vulnerability was introduced in version 4.82) Thanks.

You can get it here. http://www.psdevwiki.com/ps3/4.82_CEX any region will do, its the same file, just different servers. It doesn't work on older firmware simply because the xploit would need to be ported for the lower firmware and there is no point.

PS3 Ps3Xploit Tools v2.0 - Improved Flash Writers & Dumpers (Even easier to install CFW on 4.82 OFW )

rmfdemon

unseen

Gaslilbithc

jonnyjaeger

Walter.C

bguerville

Walter.C

Walter.C

bguerville

Walter.C

esc0rtd3w

Walter.C

Walter.C

esc0rtd3w

Walter.C

Louay

bguerville

Louay

baptx

DeViL303

Similar threads

Featured content

Trending content

Latest posts