PS3 [UPDATE] IDPS Dumper (PS3 NAND / NOR) - 4.81/4.82 OFW Compatible by Team PS3Xploit

{UPDATE v0.2.3 Released (see tab)}
Following the official announcement of the PS3Xploit news (4.81 OFW Exploit), the devs behind the project have fulfilled their promise of releasing the IDPS Dumper for OFW 4.81/4.82, as this release is now ready for the public. Many more things are being worked on surrounding the overall project, but this IDPS Dumper works on all models of the PS3 (NOR and NAND; note that 12 GB eMMC will be supported soon in an updated release), so there is no reason not to release this tool. Since PS3 firmware 4.70 Sony had blocked flatz's IDPS extracting tool (IDPS Stealer) and there has not been a known way to obtain the IDPS on OFW (4.70+) consoles, but this tool can now obtain your PS3's IDPS, which can have various uses; the team has confirmed that the tool works on SuperSlim models. If you have not read the previous details about the PS3Xploit project, then check out the official thread to get firsthand information about this ambitious PS3 project.



(UPDATE v0.2.3)


  • UPDATE v0.2.3 - IDPS Dumper for 4.82 OFW
    • Added 4.82 support
    • Removed all extra requirements like jQuery.
    • Removed the need for string relocations to improve the initial memory search process & overall trigger times.

  • UPDATE v0.2.3 - IDPS Dumper for 4.81 OFW

    • Removed all extra requirements like jQuery.
    • Removed the need for string relocations to improve the initial memory search process & overall trigger times.



  • UPDATE v0.2.1a - IDPS Dumper for 4.81 OFW

    We have some more exciting news to bring you!! :cheerful:

    We have been working very hard to bring eMMC support for the newest SuperSlims CECH-40xxA, CECH-42xxA, CECH-43xxA and that has happened. :D

    The team would like to present a nice little update to the 4.81 IDPS Dumper now supporting eMMC hardware revision consoles!!

    Please report any issues you have while using this new version on any of the flash types, NAND, NOR, and eMMC.

    Thank You to all :cool:

    v0.2.1a
    • Added eMMC SuperSlim support (CECH-40xxA, CECH-42xxA, CECH-43xxA)
    • Misc tweaks to exploit
    • Small typo on index.html pointed out by @Turranius - fixed

    How to use this:
    *** MAKE SURE TO RUN AS ADMINISTRATOR ***
    Install Python to use server.py, or another HTTP server of your choosing, on both Windows and Linux!

    On Windows - install any of these optional HTTP servers:

    On Linux:
    • Install Python for your distribution using apt-get, yum, or similar commands.
    • Make the script executable using "chmod a+x server.py" or "chmod 775 server.py" or "chmod 777 server.py".
    • Execute the Python script using "/usr/bin/python $exploitFolder/server.py" or "./server.py".

    Update on Android (instructions from @No0bZiLLa):
    • I can confirm this does work if using an HTTP server on Android. What I did was download the zip (on my phone) and extract it, and then download something like Simple HTTP Server and point the server to the folder that contains index.html. Once you do that, just reload the server and make a note of what the ip:port is. Then just go to the PS3, type in ip:port (e.g. 192.168.2.7:12345) as specified in Simple HTTP Server and then select the appropriate button for your system.


    Then run (for Python):

    • On Windows - windows.bat
    • On Linux - linux.sh


    Usage Tips:

    1) Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
    2) If the exploit takes more than 5 minutes to work, reload the page or browser, or restart the console and try again.
    3) If you are using a LAN connection and experience network issues, make sure all cables to the router are in working order.



  • IDPS Dumper Release (v0.2 - After Leak Release)
    OK... the moment all of you have been waiting for... I assume :cheerful:
    • File: ps3_481_idps_dumper-PS3XPloit.zip
    • MD5 Hash: FFDA70AB2D1677886083F99185C54FE3
    • SHA-256 Hash: 852BDB301753C4F4A7E946188E850D3D325EEAA259B61AE2B5AE31320B2F292B

    Enjoy this release from our team :victorious: We will be working hard to add eMMC support as soon as possible!!


    The documentation will be updated as time goes on. There is a readme.txt file included with basic setup and usage instructions.

    Please stay tuned for future tools and releases :D

    And once again, THANK YOU to everyone involved in bringing this all together; without all of you, none of this would have happened!!!

    Additional details from @bguerville
    "The IDPS dumper will create a file on usb000 then beep 3 times & shutdown in all cases, even if the flash memory read fails. eMMC should not make a difference to this. You will get garbage in idps.bin in that case.

    JS errors with a black page message on PS3 should not happen. If ever it did, just report it & in the meantime keep relaunching the exploit. Nobody has had this issue in dozens of tests though.

    And clearing cache or cookies is totally unnecessary with the exploit & the WebKit JS interpreter. Between runs garbage collection will take care of cleaning up what is needed; the job it does is always sufficient."


It's essential not to flood the browser memory with junk before running the exploit. The reason for this is that, due to JavaScriptCore memory usage limitations, we scan a small range of browser memory (a few MB) several times to find some essential data in RAM; if the memory is flooded then the range to scan becomes much larger & the probability that our data is found in the smaller range decreases dramatically.

So in short, never use the browser or set a homepage you cancel before running the exploit!
If you need to, set the homepage to 'blank', close the browser, then reopen it to start the IDPS dumper.

Set-up Steps:
  1. Set up a small web server on a PC or smartphone. The Python HTTP server is not required for most users; it was provided for developers. Since v0.2.3, all other extra requirements have been removed. Don't come to us for explanations about how to run an HTTP server though. Google it.
  2. Extract the files into your HTTP server root folder.
  3. Put a FAT32 USB key in the port closest to the BD drive (/dev_usb000).
  4. Open the PS3 browser & enter the IP address of your server (and the port if not 80).
  5. Run until the PS3 beeps & shuts down. The IDPS should be on your USB drive as idps.bin.
- Downloads -
  • MD5 Hash: 3c2e1582f52e1002a12ad280f426d0c6
  • SHA-256 Hash: 1c49eabd64275171a60c90f0f06f503b7055f4ff863f87e7960d41464d127443
  • MD5 Hash: 71dd906e585bf470f84f9d4fb10c1f37
  • SHA-256 Hash: d4bffe2b7d08c1dda275590229f86903f1db487e9a78364d6a025c3734cd8f68
 
bguerville, I found all the gadgets except gadget 6 with the address 0x423B14 (for 4.81).

I tried escape(hexh2bin("0x423B14")) but it only outputs "%u3B14". Could you point out what I'm doing wrong, or a place that explains unicode escaping in JS when it is out of bounds?

EDIT: Used your functions and firefox console...

It cannot work like this.
1. hexh2bin and hexw2bin both take an integer parameter, not a string, so no "" should be used.
2. hexh2bin deals with "half word" values which are 16 bit, so only 2 bytes.
hexw2bin deals with "word" values, i.e. 32 bit = 4 bytes.
So if you want to insert 0x423B14, you have 3 bytes there, which means you must use hexw2bin(0x423B14), which will basically insert unescape("\u0042\u3B14") into the string.
Of course you could also use 2 hexh2bin calls to do the same thing, like:
hexh2bin(0x42)+hexh2bin(0x3B14)
3. You should never escape the hexh2bin/hexw2bin calls. You must insert them between unescape strings. Like this:
Code:
unescape("\u4141") + hexh2bin(0x42)+hexh2bin(0x3B14)
+ unescape("\u4242\u4343")
 
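To make the three points above concrete, here is an added JavaScript example that is not the project's own code: hexh2bin and hexw2bin are assumed implementations written only from the description in this reply (one 16-bit code unit per half word, two per word, high half first), so the real helpers may differ internally. The block also shows why the half-word call printed only %u3B14 (the value is truncated to 16 bits) and why escape() is a poor way to inspect the result: escape() leaves ASCII letters untouched, so the 0x0042 unit shows up as a plain "B" rather than %u0042.

```javascript
// Added example (not PS3Xploit's own code). hexh2bin/hexw2bin below are
// assumed implementations built from the description in the thread.

// Pack a 16-bit "half word" into one JS string code unit (high bits dropped).
function hexh2bin(h) {
  return String.fromCharCode(h & 0xffff);
}

// Pack a 32-bit "word" into two code units, high half first.
function hexw2bin(w) {
  return String.fromCharCode((w >>> 16) & 0xffff, w & 0xffff);
}

// Render every code unit as %uXXXX so strings can be compared by eye,
// independent of escape()'s habit of leaving ASCII alphanumerics alone.
function toEscaped(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += "%u" + s.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
  }
  return out;
}

// Symptom from the question: a 3-byte value given to the half-word helper
// keeps only its low 16 bits.
function truncatedHalfWord() {
  return toEscaped(hexh2bin(0x423b14)); // "%u3B14"
}

// Correct call for a 3-byte value: the word helper keeps all of it.
function fullWord() {
  return toEscaped(hexw2bin(0x423b14)); // "%u0042%u3B14"
}

// Two half-word calls yield exactly the same code units as one word call.
function splitEqualsWord() {
  return hexh2bin(0x42) + hexh2bin(0x3b14) === hexw2bin(0x423b14);
}

// What escape() actually prints: 0x0042 is the letter "B", which escape()
// does not encode, so the output is "B%u3B14" rather than "%u0042%u3B14".
function viaEscape() {
  return escape(hexw2bin(0x423b14));
}

// Concatenating with unescape()'d literals needs no escape() wrapper at all;
// \u4141 and \u4242\u4343 are the placeholders used in the reply above.
function concatenated() {
  return toEscaped(unescape("\u4141") + hexw2bin(0x423b14) + unescape("\u4242\u4343"));
}
```

The key takeaway is that the string is only a sequence of 16-bit code units; escape() is a display artefact, not part of the encoding, which is why the reply says not to wrap the helper calls in it.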

I lost it on the 3rd point, so shouldn't escape(hexw2bin(0x423B14)) output %u0042%u3B14? (at least if those are unicode chars).

I don't understand why you concatenate them between AA and BBCC.
 
AA & BBCC were just placeholders so I could show you an example of hexh2bin insertions. Ignore them; all that matters is to insert the hexh2bin/hexw2bin calls before/after or between unescape strings.

And why would you try to complicate the syntax with escape()? No need, no point...
 

I was trying to convert to escaped notation but now I noticed that it is the same, although the \u or %u notation is for just 1 word, so 423B14 would have to be split into \u0042 + \u3B14 (I just returned the unescaped version of the var str from hexh2bin()).

All this confusion was because I wasn't finding gadget 6. Is it not used in this IDPS ROP? Is it just necessary for the flash dump?
 
On 4.81's idps_emmc.html there's this number I don't know what it is:

Code:
Addr   value (next 6bytes)
0x2183 \u8A00
0x2834 \u8A00
0x4353 \u8A00
0x5365 \u8A00
0x7005 \u8A00

On 4.82 it is h8B00, so is 4.80 h8900?

EDIT: There's also an increasing number after the value, I noticed; each line represents each time it appears in the code
Code:
\u0000\u0000\u8A00\u0000
\u0000\u0000\u8A00\u0100
\u0000\u0000\u8A00\u0200
\u0000\u0000\u8A00\u0300
\u0000\u0000\u8A00\u0400
\u0000\u0000\u8A00\u0500
 
@MiZAX In the NOR dumper that is the temp_addr. If you look between the last two you'll find gadget 6.
You should watch these videos a few times. I think they will help you get a better understanding about all of this.
 
Leave all those alone, otherwise you will mess up the chain. 0x8A000x00 are temporary addresses to hold data. They remain constant, i.e. they don't change with the fw.
 
They changed from 4.81 to 4.82 from 8A00 to 8B00.
About gadget 6, I found it; don't know what was happening for me not to find it.

Hi bguerville, they changed from 4.81 to 4.82. But when I use the address 0x8900 on fw 4.80 the PS3 crashes in about 10 secs (no IDPS in dev_usb000); using 0x8A00 it doesn't (at least the Python server doesn't receive any more GET requests).

Could more code edits be necessary, besides the gadget addresses, for it to properly work on 4.80?
 
I should know I wrote this whole chain, so believe me... Don't change any of these values unless you are ready to recalculate all the temp addresses using a base offset you know is safe....
I modified these temporary addresses because I wanted to, not because I had to due to fw differences.
 
Is my CECH-3001B compatible? Also my PS3 is on 4.78, so will it work only if I update via USB?

Edit: wait a sec, I was thinking this was the flasher. Yes, you can dump the IDPS on any console. Sorry about that. :-P
 
So JB will work with this console and I just have to upgrade via storage to 4.81?
No, this is the thread for the IDPS Dumper; on that system you can dump your IDPS & you can dump your NOR with the NOR Dumper. You cannot, I repeat you cannot, use the NOR/NAND Writer to install CFW!!! YOU WILL BRICK YOUR PS3!!!!!
 
I mean the OFW exploit, then install a CFW? Wrong thread?
Yes, wrong thread...
But anyway, while the dumpers are compatible with all console models, the flash writer is NOT!
Only the flash writer can jailbreak a CFW compatible console but your console is NOT compatible.
Don't use the flash writer on your 3xxx console or you will partially brick it & require a hardware flasher to recover!
 
OK, so what you mean is, other than bad code, I'm doing something wrong to not trigger the exploit on fw 4.80 with all the gadgets changed? (I waited 20 min and the server only loaded all the .js files once)
 
Did you get this working?
By changing the 8 gadgets & the toc I was able to get it working on DEX.
If you are still trying & would like a hand let me know.
 