PS3 qCFW - Arrives to Slim (2500-3000) & SuperSlim (4000-NOR) PlayStation 3 Models

Major Updates

Original Article (Jan. 30): The evolution of PlayStation 3 (PS3) exploits rides high in 2026. In early-to-mid 2025 we saw developer and researcher @aomsin2526 (aka Chattrapat Sangmanee) show us a hardware exploit that gave PS3HEN some additional power with the disclosure of the BadHTAB hardware exploit. That exploit was soon replaced by another hardware exploit, also from @aomsin2526, that we know as BadWDSD. While BadHTAB provided some additional functionality to PS3HEN, like overclocking and Linux support, BadWDSD would prove to be the better foundation for what would become the next phase of the overall project.

Focusing now on the software side, the next phase from @aomsin2526 came in the form of a "qCFW", a CFW built using Evilnat 4.92 PEX for the late Slim (2500) / SuperSlim (NOR) model PS3 consoles! While PS3HEN provided those once dubbed "nonCFW models" with many CFW-like features, a number of abilities were restricted to CFW users only. Now, with the release of BadWDSD with qCFW, that gap has shrunk considerably, to the point where 99% of CFW tasks can be done on a qCFW installation. The installation process for a qCFW differs from the traditional PUP installation of a firmware, but you will still be running what is essentially a ("quasi") custom firmware running the Cobra payload and based on Evilnat PEX CFW, allowing even DEX features on a SuperSlim (NOR) and Slim (2500).

PS3HEN developer @esc0rtd3w also had a hand in this project, as PS3HEN is essential to the installation and operation of qCFW/BadWDSD. You must be running v3.4.1 Beta-test #4 or higher for support of the latest qCFW installation. Check out this hardware/software modification that will supercharge those Slim 2500/3000 and SuperSlim (NOR) models. Take note of your SuperSlim model, as the eMMC models are not supported.

  • Always view official link for latest updates: https://github.com/aomsin2526/BadWDSD

    BadWDSD

    This is a hardware modchip for Sony PlayStation 3. By using a Raspberry Pi Pico (RP2040), it is possible for non-CFW compatible models to boot qCFW.

    Supported models
    • All CECH-2500
    • All CECH-3000
    • CECH-4x00 with NOR flash

    Models not Supported
    • CECH-4x00 with eMMC flash is NOT supported

    Notice:
    1. One way to know if your console is eMMC or not is to enter safe mode. If you see the Change system storage option, it is eMMC.
    2. Another way is to try to install Stagex. If it says Flash is not NOR, then it is eMMC.

    • What is qCFW?

      You still can't install a CFW PUP, so a new variant of CFW must be made. This is called quasi-CFW.
      It is heavily based on Evilnat PEX CFW, and will support every feature except dumping eid_root_key and anything that needs it.

      Note: Cobra must be active at all times or some features will not work properly.

      qCFW quirks
      • For some unknown reason, when you turn on the console using a wireless controller it won't sync. You must power cycle the controller for it to sync.

      Note on DEX mode
      • DEX mode is fully supported, but any kind of firmware installation or update is not possible while in this mode.
      • This means that if you somehow need to reinstall the firmware, such as after a corrupted HDD, you are stuck.
      • To recover, use the BANKSEL pin on the modchip to go back to OFW.

    • Installation (Software)

      FOR FIRST INSTALLATION, BACKUP FLASH FIRST!!!

      IF SOMETHING GOES TOO WRONG AND YOU DON'T HAVE BACKUP, YOUR CONSOLE
      MAY BE PERMANENTLY BRICKED

      1. Prepare the USB drive by DELETING the old qcfw folder if it exists (DO NOT OVERWRITE!!), then download qCFW and extract it onto your drive like this:
      1. Install PS3HEN 3.4.1 or later
      2. Plug your USB drive into the RIGHTMOST USB port of your PS3
      3. On XMB, enable HEN, then use Network -> Hybrid Firmware Tools -> qCFW Options -> Install Stagex. It must show Success
      4. If not already done, install the modchip by following the Installation (Hardware) section
      5. After the modchip is installed and power is plugged in, wait until the modchip LED becomes solid. If it doesn't go solid after a while, check the SC_RX/SC_TX wires
      6. Turn on the console. The modchip LED should flash briefly, with a triple beep right after. This means the exploit was successful. If your console keeps turning off and on, check the CMD/CLK wires and Stagex
      7. You should be on XMB now. Enable HEN, then use the Install qCFW option
      8. If it tells you to reinstall firmware and try again, do it ONCE.
      9. Your screen will appear frozen; it is installing. This process takes 10-20 minutes. If something goes wrong during this step, you should still be able to recover by entering safe mode and reinstalling firmware normally
      10. Then it will reboot itself. You should be on qCFW and see the Evilnat logo now.
      11. Congrats! qCFW installation is complete
      • From now on, the modchip will be required to boot the console until you go back to OFW again
      • This can be done by reinstalling OFW/HFW firmware normally. After this you can disable or uninstall the modchip
      • If things go so bad that you can't enter safe mode at all, you can use the BANKSEL pin instead.
      • If you flashed a bad Stagex.bin or CoreOS.bin, see the Recover from bad Stagex.bin or CoreOS.bin flash section.
    • Installation (Hardware)

      Currently, Raspberry Pi Pico (RP2040) and RP2040-Zero are supported.
      • Only install the modchip after Stagex is installed to the console flash as in the section above. Otherwise it won't boot.
        • If you already installed the modchip, you can use the HOLD pin to temporarily disable the modchip without unsoldering it.

      Since I don't have 2500 and 3000 model to test, it must be done by other people. If you know the solder location please tell me. Thanks.


      [Pinout images: Pico, RP2040-Zero, 3000, 4x00]

      • To flash the .uf2 file (it is included in the qCFW zip), simply connect the modchip's USB port to your PC while pressing the BOOTSEL button. A new drive will appear; simply drag the .uf2 file into it.
      • You should see the LED blinking. The flash was successful and it is ready to use. You can disconnect it from your PC.
      • Excluding power and ground, you only need to solder the 4 wires marked red (CMD, CLK, SC_RX, SC_TX). The other pins are optional.
      • It is possible to power the modchip from an external supply as long as it is active during PS3 standby

      Pin description
      SIGNAL PIN:
      CLK - XDR CLK signal
      CMD - XDR CMD signal
      SC_TX/SC_RX - Syscon UART signal
      DEBUG - Optional modchip UART signal, for debugging and accessing syscon (baud 576000, NOT 57600!)
      CONFIG PIN:
      Short to ground to activate
      HOLD - Disable the modchip without needing to remove power or unsolder
      LITE - TODO
      BANKSEL - Go back to OFW forcefully. It is equal to syscon command w 1224 00. Only use when absolutely needed. You can't turn on the console while this pin is shorted

    • Update qCFW
      • You can't update qCFW while on qCFW. You must go back to OFW first.
      • Simply reinstall firmware normally, then use the Install qCFW option with the updated files on USB again. No need to do anything else
      • When updating files on USB, delete the whole qcfw folder first. Don't overwrite or it may cause problems.


      Go back to OFW using PUP method (Recommended)
      • Always use this method when possible. Simply reinstall firmware as normal. No extra steps required.
      • If you want to uninstall the modchip, you can do so after this


      Go back to OFW using BANKSEL pin
      Avoid this unless absolutely needed.
      DO NOT GO STRAIGHT TO THIS PIN WITHOUT FIRST TRYING TO BOOT THE CONSOLE WITHOUT THE MODCHIP! IF IT SHUTS ITSELF OFF, THEN YOU CAN FOLLOW THE STEPS BELOW

      1. Unplug your console
      2. Short BANKSEL pin to ground
      3. Plug in your console and wait until the modchip LED flashes very fast. Then it is successful. You can't turn on the console while this pin is shorted
      4. Unplug your console and unshort the pin. If necessary, remove the modchip or use the HOLD pin to disable it
      5. Plug in your console again and turn it on; you will likely get a black screen. This is expected, since dev_flash is still qCFW but you're on OFW now
      6. Enter safe mode and reinstall firmware normally for a full recovery

      Recover from bad Stagex.bin or CoreOS.bin flash
      • No worries, your console isn't really bricked.
      • FIRST, disable the modchip, then try to boot the console. If it boots, all is good.
      • If it shuts itself off, simply follow the Go back to OFW using BANKSEL pin section above, but this time disable the modchip before boot as well.

      Downgrading
      • After booting the console with the modchip, it is possible to downgrade the firmware up to 4.80. It can't be done in XMB; you must use safe mode.

    • OtherOS
      It is different from CFW. Simply follow these steps.
      1. Download dtbImage.ps3.zfself and put it into root of your USB drive
      2. Plug your USB drive into RIGHTMOST USB port of your ps3
      3. On XMB, use Network -> Custom Firmware Tools -> OtherOS Tools -> Install OtherOS (qCFW) option. It should show Success
      4. Use Boot OtherOS (qCFW) option. It should enter petitboot right away

      Accessing Syscon
      You can't access the syscon the old way anymore. It must be done through the modchip. Simply connect the DEBUG pin of the modchip to your UART adapter.


    • NoBT
      • TODO. It requires the LITE pin and a hardware flasher for first installation if you are already in an update loop.

      eMMC Support?
      In very short summary, what the modchip does is write this code into RAM at boot:
      Code:
      stage_entry:
          // Jump to 0x2401F031000, aka 0x31000 on NOR flash where Stagex.bin is stored
      
          bl 4                  // branch to the next instruction; LR = address of the mflr below
          mflr %r3              // r3 = LR = stage_entry + 4
          addi %r3, %r3, -4     // r3 = stage_entry (our own load address, wherever the stub was placed)
          ld %r4, 24(%r3)       // r4 = the 64-bit target stored 24 bytes in, right after the six 4-byte instructions
          mtctr %r4             // CTR = target
          bctr                  // jump to target
      
          .quad 0x2401F031000

      Do we have something like 0x2401F031000 on eMMC? If the answer is yes, then eMMC can be supported (with more porting work).

  • Always view Official Link for latest updates:
    via esc0rtd3w > PS3HEN 3.4.1 has been released!

    If you have Auto Updates turned on, then HEN will automatically update the next time its enabled. If not, use whatever other method of your choosing to update. The ps3xploit.me site has been updated.

    CHANGELOG
    HEN Plugin Changes

    • Added detection of BadWDSD via LV1 peek check on hen enable (thanks aomsin2526)
    Payload Changes
    • Enabled LV1 peek and poke to support BadHTAB and BadWDSD exploits (thanks aomsin2526)
    • Added conditional timer for Retail and NPDRM self to reduce hanging when launching homebrew (thanks Joonie, aomsin2526)
    • Added support for 3k3y/Redump ISOs on-the-fly (thanks Joonie, Evilnat)
    Resource Changes
    • Added support for installing qCFW with xai (quasi-CFW for NOR 3000x and SS) (thanks aomsin2526)
    • Added BD Game Disc Fix (thanks LuanTeles)
    • Now using a fork of Evilnat's xai plugin as base to take advantage of updated features (thanks Evilnat)

  • qcfw-20260220-release
    Based on Evilnat 4.92.2 PEX

    qCFW Changelog:

    • Stagex code improvements
    • Implement controller sync workaround. If you turn on the console using the controller while on qCFW, it will always power cycle once first (.uf2 must be updated)
    • Fix a loophole that could make BANKSEL useless under certain circumstances
    .uf2/Modchip Changelog:
    • Code improvements
    • Better self retry/power cycling
    • Handle controller sync workaround
    • Modchip now runs at stock clock speed (no longer overclocked)

    .uf2 update is optional but RECOMMENDED or controller sync workaround may not work properly.
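The RAM stub quoted in the eMMC Support section above is small enough to check by hand. The following is an added example, not code from the BadWDSD project: it hand-encodes the stub's six PowerPC instructions, confirms that the displacement in `ld %r4, 24(%r3)` lands exactly on the trailing `.quad`, and then walks the register effects at a few constructed load addresses to show why the `bl 4` / `mflr` pair makes the jump work wherever the modchip places the code. The encodings are standard PowerPC ISA values; the load addresses are invented for the demonstration.

```python
"""Layout check and register walk of the BadWDSD RAM stub (added example).

Hand-encodes the six PowerPC instructions of the stub quoted on the page,
verifies that the 24-byte displacement in `ld %r4, 24(%r3)` is the offset of
the trailing .quad, and traces the registers so the position-independent jump
can be seen at any load address. Load addresses used below are constructed.
"""

from dataclasses import dataclass

TARGET = 0x2401F031000  # the stub's .quad: 0x31000 on NOR flash, per the page

# Big-endian 32-bit encodings of the stub's instructions (standard PowerPC ISA).
STUB_WORDS = [
    (0x48000005, "bl 4             ; LR = address of next instruction"),
    (0x7C6802A6, "mflr %r3         ; r3 = LR"),
    (0x3863FFFC, "addi %r3,%r3,-4  ; r3 = stage_entry"),
    (0xE8830018, "ld %r4,24(%r3)   ; r4 = 64-bit word at stage_entry+24"),
    (0x7C8903A6, "mtctr %r4        ; CTR = r4"),
    (0x4E800420, "bctr             ; jump to CTR"),
]

LD_DISPLACEMENT = 24  # the immediate written in `ld %r4, 24(%r3)`


def build_stub() -> bytes:
    """Assemble the instructions plus the trailing .quad into one byte string."""
    code = b"".join(w.to_bytes(4, "big") for w, _ in STUB_WORDS)
    return code + TARGET.to_bytes(8, "big")


def quad_offset() -> int:
    """Offset of the .quad from stage_entry: six 4-byte instructions."""
    return 4 * len(STUB_WORDS)


def displacement_matches_quad() -> bool:
    """The ld displacement must equal the .quad offset, or the stub loads garbage."""
    return LD_DISPLACEMENT == quad_offset()


def decode_ld_displacement(word: int) -> int:
    """Extract the signed byte displacement from a DS-form `ld` (opcode 58) as a cross-check."""
    assert word >> 26 == 58, "not an ld/ldu/lwa encoding"
    d = word & 0xFFFC          # DS field || 00, i.e. displacement in bytes
    return d - 0x10000 if d & 0x8000 else d


@dataclass
class Trace:
    lr: int
    r3: int
    r4: int
    ctr: int


def dry_run(load_addr: int) -> Trace:
    """Walk the register effects of the stub as if it were placed at load_addr."""
    stub = build_stub()
    lr = load_addr + 4                        # bl 4: LR = address after the bl
    r3 = lr - 4                               # addi -4: back to stage_entry
    off = (r3 - load_addr) + LD_DISPLACEMENT  # byte offset the ld reads inside the stub
    r4 = int.from_bytes(stub[off:off + 8], "big")
    return Trace(lr=lr, r3=r3, r4=r4, ctr=r4)  # mtctr/bctr: jump to r4


if __name__ == "__main__":
    for word, asm in STUB_WORDS:
        print(f"{word:08X}  {asm}")
    print("displacement == .quad offset:", displacement_matches_quad())
    for base in (0x1000, 0x80000000, 0x3FFF0000):  # constructed load addresses
        t = dry_run(base)
        print(f"stub at {base:#x}: r3={t.r3:#x} -> jumps to {t.ctr:#x}")
```

The point the walk makes is that the stub never hard-codes its own address: the only absolute value is the `.quad`, which is why the eMMC question in the README reduces to whether an equivalent of 0x2401F031000 exists for that flash type.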

@aomsin2526 : A quick question. Is it possible to make the LED on the RP2040-ZERO work instead of soldering an additional diode to the circuit?

The LED is working with uf2 for Zero

 
These are the ones provided by @Galooko in discussion #173. The image in the bottom right corner doesn't match the back of my KTE-001. Could you please provide an image with the correct locations of the CMD and SCK/CLK points? Many thanks in advance.




I have successfully populated dev_flash using PS3HDH (though hex-editing the key by copying the syscon logs was a bit annoying), now my slim boots to XMB with evilnat logo and all (haven't tried running anything else though, I didn't have the cooler screwed in).

The odd part is that it still doesn't let me install updates in safe mode, same 8002f2f0 error as before.

Edit: Checking the southbridge log shows that the console throws the error just after entering safe mode, but it's only displayed after selecting system update. The output looks like so:

Code:
lv2(2): Available physical SPUs: 6/7
lv2(2): mounting the flash file system : OK
lv2(2):
lv2(2): ###
lv2(2): ### Safe mode
lv2(2): ###
lv2(2):
lv2(2): creating the recover process (for safe mode) : OK
lv2(2): is factory mode ret[f]
lv2(2): ErrorPage[6] Code[-2147290384]

Could it be an RTC issue? I noticed the console always asks for date and time after powering it on, despite having just swapped the RTC battery for a new one.
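The southbridge log above prints the error as a signed 32-bit decimal, while the XMB shows it as hex, which is why the two reports look different at first glance. The following is an added example, not something posted by a thread participant: it parses the posted log excerpt (copied inline), converts the signed `Code[...]` value to the unsigned hex form the console displays, and checks whether it matches the 8002f2f0 error mentioned earlier in the post. The regex and the helper names are my own.

```python
"""Correlate an lv2 southbridge-log error code with the code shown on screen (added example).

The log lines below are copied from the post above. The helpers turn the
signed decimal `Code[-2147290384]` into the unsigned 8-digit hex the XMB
shows, so a UART capture and an on-screen error can be matched.
"""

import re
from typing import List, Tuple

# Log excerpt as posted in the thread (copied here so the example runs offline).
SB_LOG = """\
lv2(2): Available physical SPUs: 6/7
lv2(2): mounting the flash file system : OK
lv2(2):
lv2(2): ###
lv2(2): ### Safe mode
lv2(2): ###
lv2(2):
lv2(2): creating the recover process (for safe mode) : OK
lv2(2): is factory mode ret[f]
lv2(2): ErrorPage[6] Code[-2147290384]
"""

# Matches the lv2 error line; the code may be negative because lv2 logs it as a signed int.
ERROR_RE = re.compile(r"ErrorPage\[(?P<page>\d+)\]\s+Code\[(?P<code>-?\d+)\]")


def to_u32(signed: int) -> int:
    """Reinterpret a signed 32-bit value as unsigned (two's complement)."""
    return signed & 0xFFFFFFFF


def xmb_code(signed: int) -> str:
    """Format the code the way the XMB displays it: 8 lowercase hex digits."""
    return f"{to_u32(signed):08x}"


def find_errors(log: str) -> List[Tuple[int, int]]:
    """Return (error_page, unsigned_code) for every ErrorPage line in the log."""
    return [(int(m["page"]), to_u32(int(m["code"]))) for m in ERROR_RE.finditer(log)]


def matches_on_screen(log: str, shown: str) -> bool:
    """True when some logged error equals the hex code the console displayed."""
    want = int(shown, 16)
    return any(code == want for _, code in find_errors(log))


def in_safe_mode(log: str) -> bool:
    """The '### Safe mode' banner identifies which boot path produced the error."""
    return any(line.strip().endswith("### Safe mode") for line in log.splitlines())


if __name__ == "__main__":
    for page, code in find_errors(SB_LOG):
        print(f"ErrorPage {page}: {code:#010x}")
    print("safe mode boot:", in_safe_mode(SB_LOG))
    print("matches 8002f2f0:", matches_on_screen(SB_LOG, "8002f2f0"))
```

Run against the excerpt, `Code[-2147290384]` comes out as 8002f2f0, so the log line is the same failure the safe-mode updater displays, just caught at the moment it is raised rather than when the menu surfaces it.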

This part is concerning:
lv2(2): is factory mode ret[f]
lv2(2): ErrorPage[6] Code[-2147290384]

It never printed this for me. I think your syscon is broken somehow. It might be the reason why you're bricked in the first place (CoreOS hash is stored in syscon SNVS).

Can you install firmware from XMB? Maybe we can patch this in emer_init.self.
 
Thank you @aomsin2526, thank you for the confirmation. I'll order the wiring and start as soon as I receive it.
 



This part is concerning:
lv2(2): is factory mode ret[f]
lv2(2): ErrorPage[6] Code[-2147290384]

It never printed this for me. I think your syscon is broken somehow. It might be the reason why you're bricked in the first place (CoreOS hash is stored in syscon SNVS).

Can you install firmware from XMB? Maybe we can patch this in emer_init.self.

I've tried it earlier today and it says it can't find applicable updates, I'm guessing because 4.92 HFW i had on the USB is the same version as CoreOS. I'll try again later once I reassemble the console a bit.

Somewhat unrelated but I was checking the CMOS battery lines for issues, the battery is not shorted but I've measured that 3V3_EVER_B gets power from the battery (around 3.2v) when the console is unpowered, and syscon REGC (pin 19) gets only 1.85V. Is this normal or could it be the board has failing passives?
 
I've tried it earlier today and it says it can't find applicable updates, I'm guessing because 4.92 HFW i had on the USB is the same version as CoreOS. I'll try again later once I reassemble the console a bit.

Somewhat unrelated but I was checking the CMOS battery lines for issues, the battery is not shorted but I've measured that 3V3_EVER gets power from the battery (around 3.2v) when the console is unpowered, and syscon REGC (pin 19) gets only 1.85V. Is this normal or could it be the board has failing passives?

No, you can always install firmware, even the same version.

It's very likely that your syscon is damaged somewhat. If everything works on qCFW, stay on it.

If not, use it as a Linux machine or something.
 
No, you can always install firmware, even the same version.

It's very likely that your syscon is damaged somewhat. If everything works on qCFW, stay on it.

If not, use it as a Linux machine or something.

Alright I'll do some testing with qCFW and then update my original thread.
Will it be possible to update qCFW without going back to HFW in the future? Just to know if I should leave the flasher soldered to the board.

Regarding the RTC issue, if anyone else with a working SW3 syscon is willing to check the voltage on pin 19 I'd be really glad for the help, this is the pinout
Syscon_pinout_LQFP_100_pins.png
 
Alright I'll do some testing with qCFW and then update my original thread.
Will it be possible to update qCFW without going back to HFW in the future? Just to know if I should leave the flasher soldered to the board.

Regarding the RTC issue, if anyone else with a working SW3 syscon is willing to check the voltage on pin 19 I'd be really glad for the help, this is the pinout
Syscon_pinout_LQFP_100_pins.png

No, you can't update qCFW while on qCFW.
So in your case you will need a hw flasher + update dev_flash by hand.

Note that your case is very, very rare. When this error happens it is always unfixable, even on a CFW console.
You're just very lucky that the modchip and HDD key dumping came at the right time.
Even I have no idea about manually flashing dev_flash by hand. Surprised that it does work.

I think remarrying the syscon may fix it since it will reinit everything. But I'm not interested in it.
 
Alright I'll do some testing with qCFW and then update my original thread.
Will it be possible to update qCFW without going back to HFW in the future? Just to know if I should leave the flasher soldered to the board.

Regarding the RTC issue, if anyone else with a working SW3 syscon is willing to check the voltage on pin 19 I'd be really glad for the help, this is the pinout
Syscon_pinout_LQFP_100_pins.png
I have a disassembled KTE-001 board with a working battery; I can help you. Where is the ground point used as a reference?

The LED is working with uf2 for Zero

Thank you very much for this information.
 
I have a disassembled KTE-001 board with a working battery; I can help you. Where is the ground point used as a reference?

Any ground at all, I've used the gold plated area on the edge of the board.
 
Alright I'll do some testing with qCFW and then update my original thread.
Will it be possible to update qCFW without going back to HFW in the future? Just to know if I should leave the flasher soldered to the board.

Regarding the RTC issue, if anyone else with a working SW3 syscon is willing to check the voltage on pin 19 I'd be really glad for the help, this is the pinout
Syscon_pinout_LQFP_100_pins.png

Where is this chip located, on which side of the motherboard, bottom or top?
 
Thanks, it's the only square chip on that side of the board. I'll take the reading and report it.

Is pin 19 facing an elongated black package that looks like a miniature relay, marked 32.768k?
 

The simplest would be to upload a picture and he gives it back to you with arrows to indicate where you put the + and - of the multimeter.
 
@aomsin2526 wouldn't it be possible to change the 3 beeps that indicate a good boot with BadWDSD to something else, like one short, one long, one short or something like that? Because I'm getting a heart attack from YLOD PTSD every time.
 
I keep getting "reinstall firmware then try again" - Installed HFW 3 times now - Any suggestions?
Hen 3.4.2
Latest .uf2
Latest qcfw

I uninstalled HEN, reflashed the Pico, redid the USB with qcfw, reinstalled HFW again for the 4th time, and I'm now frozen on the qCFW install without the message to reinstall firmware - Evilnat installed
 

Hey Galooko, thanks for pointing out the TX and RX.

Here's a question about the RP2040 Zero. I connect it to my laptop to load the BadWDSD_SW_x32_Zero.uf2 file. Right after it loads it disconnects as a USB drive and the built-in LED keeps flashing blue, but the add-on LED on ground and pin 11 does not light up. I installed the chip in the PS3 and in standby mode it still flashes the onboard blue light. When I power on the PS3 there are no 3 beeps and it boots right to the XMB. I'm sure it's the flash not being correct on the RP2040 Zero.

Any Ideas??

Thanks.
 
@MannyMania (forum isn't letting me quote because of long response times)
Flashing light means the RP2040 hasn't successfully authenticated to the syscon yet, check your SC_TX/SC_RX wires.

No, you can always install firmware, even the same version.

It's very likely that your syscon is damaged somewhat. If everything works on qCFW, stay on it.

If not, use it as a Linux machine or something.

Did some testing yesterday, sync time via internet (and eeprom dump from xmb) throws error 8001050F (hardware failure), most games do the same when trying to register trophies so I guess that's bound to syscon too, browser's SSL handshakes fail (because of invalid secure RTC?).
Homebrew runs fine so I could use it as a movian machine for jellyfin.

I also tried running OtherOS (installed dtbImage.ps3.zfself from ps3-petitboot-kexec-patched), I get lv2 shutdown logs from SB UART and then just a black screen, petitboot never comes up and I see no logs.
 
@MannyMania (forum isn't letting me quote because of long response times)
Flashing light means the RP2040 hasn't successfully authenticated to the syscon yet, check your SC_TX/SC_RX wires.

Hey @pstreecco Thanks for the help. It was a short on the SC_RX and SC_TX. I cleaned that up and now when I Plug in the power to the console the Pico blue light flashes once and stays on. When the console is powered on you hear the PS3 beep, and the blue light flashes three times and goes back to steady on. There is no video and a few seconds later the console reboots. It then keeps repeating that cycle. If I disconnect the Pico the console powers on fine and goes to the XMB.

Did that short possibly damage something or am I missing something else?
 
Hey @pstreecco Thanks for the help. It was a short on the SC_RX and SC_TX. I cleaned that up and now when I Plug in the power to the console the Pico blue light flashes once and stays on. When the console is powered on you hear the PS3 beep, and the blue light flashes three times and goes back to steady on. There is no video and a few seconds later the console reboots. It then keeps repeating that cycle. If I disconnect the Pico the console powers on fine and goes to the XMB.

Did that short possibly damage something or am I missing something else?
If it does the triple beep it means the modchip worked and the console is executing stagex, check the modchip's debug log and/or the southbridge log to see if you can find the reason for the reboot.
 
