PS3 [research] SuperSlim 4000 series - hardware flash

There is a rough description here https://www.psdevwiki.com/ps3/Boot_Order
And check the published keys here too https://www.psdevwiki.com/ps3/Keys#Modules

All the modules named with the suffix "ldr" are loaded immediately after metldr... actually what metldr does is to take those modules one by one and isolate them inside the SPU to decrypt them (in a secure environment) with the key stored inside metldr

What they did to solve the problem was to embed all the "ldr" modules inside the previous stage of the bootchain (lv0), which is safe

-------
Btw, the name "bootldr", "bootloader", or "lv0ldr" are just different names for the same thing
 
Noice that brings more to the table for EvilNat CFW
Any chance that there will be public tools to use on HFW super slims for that? I'm willing to take a risk for my super slim. If not, that's fine; I request though at least a way for me to patch for CFW super slim on my NOR model on DMs. Or... just access my files
 
So still, if I understand correctly, CFW does not need to run an exploit every time the console is booted, it's just signed with Sony's cracked keys and one of the loaders loads it thinking it's official.
 
Yes, we are booting with the official bootldr/metldr combo (because we can't modify them), but the files loaded by metldr (lv1ldr, lv2ldr, isoldr, appldr, rvkldr) have some custom patches applied permanently and are encrypted with a valid key

Thx for the offer, but there isn't anything to test; I don't know about any progress related to that. The problem is lv0 always was (and still is) fully secured
Think of it this way: originally it was doing something like this: step0--->step1--->step2. At some point they realized there was a security flaw in step1, so they "stepped back" and did this for superslims: step0-->step2
You know... step1 is still there (inside step0) but we can't take a look at it

In some of the posts I wrote in this thread (I realized it was years ago, before the syscon was hacked) I was speculating about syscon because there is an abstract concept (composed of software + hardware) named "config ring" mentioned in this wiki page https://www.psdevwiki.com/ps3/Boot_Order that is very important in the boot process
Basically... think of it like the BIOS of a PC, where it is needed to configure a lot of hardware components of the motherboard (CELL, RSX, SB, HDMI, DVE, etc...), the frequencies of the data buses in between them, voltages, and tens of other details
This process happens before any other "stage" of the bootchain is loaded... and is a bidirectional communication between CELL and syscon (and flash through the SouthBridge to retrieve the bootloader data), but is coordinated by syscon
Actually, if you read the wiki page "from top to bottom" you are going to realize the syscon chip is the "boss" of the motherboard, because it is responsible for switching a voltage regulator to "feed" CELL, and for configuring and initializing it

Long story short... to hack in the config ring we have 3 options:
-Find an exploit affecting the CELL architecture by IBM (the probability for this to happen is very low, or zero)
-Find another flaw in the lv0 security (something similar to the metldr exploit, but after all this time has passed the probability seems to be low too)
-Use syscon as a weapon !!!

The good thing is syscon was hacked, and its firmwares dumped etc... now there are a bunch of skilled hackers (not me) that are able to take a look at how that "config ring" works.... and (with a bit of luck) eventually someone could find a new hack (the "config ring" is the deepest level of the boot process)
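To make the point of the posts above concrete (the loaders are accepted because they carry a tag made with a key metldr trusts, and the superslim change moves the *ldr modules into lv0 so that key is no longer in the path), here is a toy model of a staged boot chain. It is an added example, not PS3 code and not anything from the people in this thread: HMAC-SHA256 stands in for Sony's decrypt-and-verify step, and K_ROOT, K_LDR, the stage names and all image bytes are constructed.

```python
"""Toy model of a staged boot chain (added example, not PS3 code).
Each stage carries an authentication tag that the previous stage checks
with a key only it holds.  HMAC-SHA256 stands in for the real
decrypt-and-verify scheme; every key and image below is constructed."""
import hashlib
import hmac
from typing import List, NamedTuple


class Stage(NamedTuple):
    name: str
    payload: bytes
    tag: bytes  # authentication tag checked by the previous stage


# Constructed keys.  K_ROOT models a key only the earliest stage can reach
# (bootldr/lv0 in the thread).  K_LDR models the key stored inside the
# intermediate loader (metldr), the one assumed to be in attacker hands.
K_ROOT = b"constructed-root-key-never-exposed"
K_LDR = b"constructed-metldr-key-assumed-leaked"


def make_stage(name: str, payload: bytes, signing_key: bytes) -> Stage:
    """Produce a stage image whose tag was computed with signing_key."""
    tag = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return Stage(name, payload, tag)


def verify(key: bytes, stage: Stage) -> bool:
    """Constant-time check of a stage's tag under the verifier's key."""
    expected = hmac.new(key, stage.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, stage.tag)


def boot(chain: List[Stage], keys: List[bytes]) -> List[str]:
    """Check stage i with keys[i], the key held by the stage before it
    (keys[0] is the hardware-rooted key).  Stop at the first failure and
    return the names of the stages that were accepted."""
    accepted = []
    for stage, key in zip(chain, keys):
        if not verify(key, stage):
            break
        accepted.append(stage.name)
    return accepted


GENUINE_LDR = b"lv2ldr: official loader image (constructed)"
PATCHED_LDR = b"lv2ldr: loader with permanent custom patches (constructed)"


def original_chain(ldr_payload: bytes, ldr_signing_key: bytes) -> List[str]:
    """Pre-superslim layout: lv0 -> metldr -> *ldr.  metldr holds K_LDR and
    accepts any loader whose tag was made with it."""
    metldr = make_stage("metldr", b"metldr image (constructed)", K_ROOT)
    lv2ldr = make_stage("lv2ldr", ldr_payload, ldr_signing_key)
    return boot([metldr, lv2ldr], [K_ROOT, K_LDR])


def folded_chain(ldr_payload: bytes, signing_key: bytes) -> List[str]:
    """Superslim layout as the thread describes it: the *ldr modules are
    embedded in lv0, so the combined image is accepted only under K_ROOT."""
    image = b"lv0 image (constructed)" + ldr_payload
    lv0 = make_stage("lv0+ldrs", image, signing_key)
    return boot([lv0], [K_ROOT])


if __name__ == "__main__":
    print("original, genuine ldr:        ", original_chain(GENUINE_LDR, K_LDR))
    print("original, patched ldr, K_LDR: ", original_chain(PATCHED_LDR, K_LDR))
    print("original, patched ldr, no key:", original_chain(PATCHED_LDR, b"guess"))
    print("folded, genuine under K_ROOT: ", folded_chain(GENUINE_LDR, K_ROOT))
    print("folded, patched with K_LDR:   ", folded_chain(PATCHED_LDR, K_LDR))
```

Running it shows the patched loader accepted in the old layout (the verifier cannot tell a legitimately re-encrypted image from the original once the key it trusts is known) and rejected in the folded one, where the only key that matters is one the intermediate stage never held. The check itself is the same in both layouts; what changed is which key's secrecy the trust boundary rests on.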
 
@sandungas can I send you the dump of my super slim so you could split it into those variants of Metldr2 in the wiki? I will PM you the file btw.
I'm very used to editing the wiki but I'm a noob with crypto and there are many details of the bootchain that I don't understand
I know the wiki page needs to be updated, because the text descriptions are vague (not noob friendly) and the diagram images are not completely correct, but I'm not confident enough to do it
If I edit it (trying to improve it) most probably I'm going to introduce some mistake... so my approach to it is better not to touch it with a 10-foot pole :D
Actually... in the couple of posts I wrote in this thread in the last couple of days I probably made some mistake (if someone with more experience in this can explain it, feel free to correct me)

About the flash dumps... you can ask @littlebalup if there is some missing info from superslims in his pyps3checker tool; that tool is very important
 
Also one has got to ask how many people are actually interested in working on that since the benefits are pretty slim - HEN has all the features that 99% of all users need (the only notable features it lacks afaik are DEX mode for homebrew devs, OtherOS support and the ability to downgrade, but maybe @sandungas can list some more). Also if you truly need CFW finding a 2nd hand phat or 20xx/21xx slim is still super easy and cheap - and you can keep your super slim on OFW so you can play on PSN without having to worry about bans.
 
I already have a CECH L NOR Ps3
 
Waiting material for deeper tests, I started to draft the tool:


I don't have a 4k eMMC board yet (hope soon). So I'm making my first tests on a 32GB SD card. Search, dump and write functions are working.
So, it should work.

P.S.: feel free to comment if you have some command ideas.

Hi. Where can I download this dump tool? Thx.
 
Unfortunately exactly this tool isn't available... but I did a dump with Win32DiskImager, but can't write it back. It says write protected.
I never finished that tool, especially the write stuff... I'm not even sure I kept the code somewhere. I'll check.
I don't remember well about the write protection. The protection status should be checked first using CMD31.
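The CMD31 check mentioned above is worth spelling out, because the answer decides whether a write attempt can succeed at all. The following decoder is an added example, not littlebalup's tool or any code from this thread. CMD31 (SEND_WRITE_PROT_TYPE) returns an 8-byte data block holding a 2-bit protection type for each of 32 write-protect groups starting at the addressed group; the four type codes follow the JEDEC eMMC specification. The assumption that group 0 sits in the least significant two bits of the 64-bit field should be confirmed against the spec revision and host controller in use, which is what the `lsb_first` switch is for. The sample response is constructed.

```python
"""Decoder for the eMMC SEND_WRITE_PROT_TYPE (CMD31) data block.
Added example, not code from the thread.  The 2-bit type codes are the
JEDEC eMMC values; the group-to-bit ordering (group 0 in the least
significant bits) is an assumption, switchable with lsb_first."""
from enum import IntEnum
from typing import Dict, List


class WpType(IntEnum):
    NONE = 0        # 0b00: not write protected
    TEMPORARY = 1   # 0b01: cleared with CLR_WRITE_PROT (CMD29)
    POWER_ON = 2    # 0b10: cleared only by a power cycle
    PERMANENT = 3   # 0b11: can never be cleared


def decode_cmd31(response: bytes, lsb_first: bool = True) -> List[WpType]:
    """Split the 8-byte CMD31 block into 32 group types.  Group 0 is the
    write-protect group at the address passed with CMD31."""
    if len(response) != 8:
        raise ValueError("CMD31 returns exactly 8 data bytes")
    field = int.from_bytes(response, "big")
    types = []
    for group in range(32):
        shift = 2 * group if lsb_first else 2 * (31 - group)
        types.append(WpType((field >> shift) & 0b11))
    return types


def encode_cmd31(types_by_group: Dict[int, WpType], lsb_first: bool = True) -> bytes:
    """Inverse of decode_cmd31; groups not listed are WpType.NONE.
    Used here only to construct sample input."""
    field = 0
    for group, wp in types_by_group.items():
        if not 0 <= group < 32:
            raise ValueError("group index must be 0..31")
        shift = 2 * group if lsb_first else 2 * (31 - group)
        field |= int(wp) << shift
    return field.to_bytes(8, "big")


def writable_groups(types: List[WpType]) -> List[int]:
    """Indices of groups a write could reach right now."""
    return [i for i, wp in enumerate(types) if wp == WpType.NONE]


def summarize(types: List[WpType]) -> Dict[str, int]:
    """Count of groups per protection type, for a quick look before writing."""
    return {wp.name: types.count(wp) for wp in WpType}


def before_write(types: List[WpType], group: int) -> str:
    """What has to happen before group `group` accepts a write."""
    wp = types[group]
    if wp == WpType.NONE:
        return "writable"
    if wp == WpType.TEMPORARY:
        return "clear temporary protection first (CMD29)"
    if wp == WpType.POWER_ON:
        return "power-cycle the device first"
    return "permanently protected: no write is possible"


# Constructed sample: groups 0 and 1 permanent, group 2 power-on,
# group 5 temporary, everything else clear.
SAMPLE_CMD31 = encode_cmd31({0: WpType.PERMANENT, 1: WpType.PERMANENT,
                             2: WpType.POWER_ON, 5: WpType.TEMPORARY})

if __name__ == "__main__":
    decoded = decode_cmd31(SAMPLE_CMD31)
    print(SAMPLE_CMD31.hex(), summarize(decoded))
    for g in (0, 2, 5, 6):
        print(f"group {g}: {decoded[g].name} -> {before_write(decoded, g)}")
```

A dump tool that reads fine but fails on write (as reported in the post above) would run this check first: temporary protection has a clear command, power-on protection needs a power cycle, and a permanent type means the write cannot be made from the host side no matter how the image is prepared.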

 
Well, if the data can be read and patched, then the most reasonable approach is buying and flashing a new eMMC chip with the exact protection parameters and replacing the corrupted one, a job only hobbyists or repair shops would offer
 
Sounds like it would be more expensive than just buying a 2nd hand PS3.
 
Assuming you find buying unsold eMMC in quantity and making a DIY flasher too hard, yeah, it sounds more expensive than a used console, if you ignore the fact that people want to have their consoles revived
 
Hi, I ran into the error 8002f334, checked everything and now I'm sinning on eMMC. I received information from the previous owner that they tried to flash the console and it gave this error. The model of the PS3 super slim console is CECH-4208A 3D. The motherboard model is PQX-001. I would be very grateful if you would share your experience on the eMMC firmware..
 
There's no such thing as eMMC firmware. The eMMC is just the flash storage chip that holds part of the firmware. Unfortunately it's encrypted with a key unique to each unit, which cannot be extracted in any way.
I'm not sure about this exact error (maybe someone else will), but if your PS3 can still boot into recovery mode you can try installing OFW 4.90 from there and if it works then install HFW 4.90.1 (again from recovery mode) and then you can install HEN. It's impossible to install CFW on super-slims.
If the previous owner has attempted to force-install CFW on a super-slim or downgrade it to a lower firmware using a hardware flasher then it would very likely result in a brick. If that's the case the only way to salvage it would be to reflash it using a hardware flasher with the firmware it had before he messed with it - assuming he kept a backup. A file downloaded from the Internet will not help you in any way since, as I said, the firmware is encrypted with a key unique to each console. If he messed with the firmware and did not keep a backup then unfortunately your PS3 is just a fancy doorstop at this point.
 