PS3 [UPDATE] - PS3Xploit NOR Dumper - New Ports for lower OFW (4.21/4.41/4.45/4.46 & More)

The NOR Dumper was released alongside the NOR / NAND Flash Writer, which for understandable reasons got the bulk of the attention, but a tool to dump the NOR Flash is always handy and can also be used for consoles on lower firmwares as well. This release, shown by team ps3xploit's @esc0rtd3w, consists of ports to various OFW; so far, as of writing, 4.21 / 4.41 / 4.45 have been ported to go along with the 4.82/4.81 NOR Dumper. For most PS3 users this will not interest you / be of any use for you. If you have to ask, then it's nothing you will be needing.

-STLcardsWS




  • * ALL OF THESE ARE READ-ONLY *

    These are going to be USELESS to most people, as it is basically only for those who want a NOR Flash Dump of their current OFW without upgrading the firmware.

    These are all going to be based off the v1.0 Dumper as a Base.

    Original Dumper and Writer Thread Here

    Supports All 4.xx OFW
    [ 4.00, 4.10, 4.11, 4.20, 4.21, 4.25, 4.30, 4.31, 4.40, 4.41, 4.45, 4.46 ]
    [ 4.50, 4.53, 4.55, 4.60, 4.65, 4.66, 4.70, 4.75, 4.76, 4.78, 4.80, 4.81, 4.82 ]


    We have posted some ports to other firmware versions for the NOR Dumper Tool.

    Every release is tested on its corresponding Official Firmware and all notes are posted below.

    If anyone has any issues, please report them here. Thank You :D


    Sample From 4.81 CEX (For Advanced Users Only)
    For anyone that wants to make their own ports, you can refer to this for an example of what to look for in IDA or other debugging tools. For a more detailed gadget list for 4.81 CEX, see here and for a short video demonstration click here. Also, if anyone is interested in finishing the 3.xx chains, please see this.

    TOC: 0x6F5520 <-- set in r2
    gadget1: seg001:000D9684 sc <-- lands here to make syscall
    gadget1: seg001:000D9688 ld r0, 0x80+arg_10(r1) <-- search for this in IDA (easier to find)
    gadget2: seg001:00097604 mr r1, r11 <-- initial stack control
    gadget3: seg001:0060E59C lwz r11, 0xC0+var_4C(r1) <-- set params
    gadget4: seg001:0019D3B0 ld r3, 0xA0+var_20(r1) <-- set params
    gadget5: seg001:0042C774 lwz r3, 0(r31) <-- syscall made after here
    gadget6: seg001:00423B14 bl _Export_stdc_fopen <-- usb dump actions
    gadget7: seg001:00627BF8 addi r9, r1, 0xB0+var_40 <-- set params
    gadget8: seg001:000C5234 li r4, 0xA <-- init shutdown request


    Update - New Video (by @esc0rtd3w)

    [PS3 Debugging/ROP] Porting PS3Xploit NOR Dumper Chain To Lower Firmware



The Files (For All Users)
* 4.00 uses a non-webkit User Agent string (bypassed) and will return JS error most times. Gadget offsets are correct.
* 4.4x/4.50 dumps tested ok, but had to host at a private server to get past 80710092 and 80710541 errors.
* 4.53/4.55/4.6x displays 80710102 error when trying to run locally, and the above errors when run remotely.


* Please Check Dumps After Complete To Make Sure Not All 00's *

Multi FW Version (Supports All 4.xx In One Tool)

4.xx Multi OFW Port: NOR_dumper_release_1.0__Multi_4.xx-PS3Xploit.zip
MD5 Hash: E6D5C6581C39914326A9A211BB217D12


Single FW Versions:

4.00 OFW Port: NOR_dumper_release_1.0__4.00_OFW_ONLY-PS3Xploit.zip *see notes*
MD5 Hash: FFECAFD9EC4698466E13D12F1DE2C183

4.10 OFW Port: NOR_dumper_release_1.0__4.10_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 47FFC95F728D99AF02551E52B0EB9B42

4.11 OFW Port: NOR_dumper_release_1.0__4.11_OFW_ONLY-PS3Xploit.zip
MD5 Hash: F5C0FD17548543C7694F434509405B95

4.20 OFW Port: NOR_dumper_release_1.0__4.20_OFW_ONLY-PS3Xploit.zip
MD5 Hash: B9ECCE0A96DEF2EA66B74C0800526229

4.21 OFW Port: NOR_dumper_release_1.0__4.21_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 2B3912AAEB47C3D6D6B0FC9AE2E8E9D0

4.25 OFW Port: NOR_dumper_release_1.0__4.25_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 9C462179637E0DCC74DA7B5D7ADA7298

4.30 OFW Port: NOR_dumper_release_1.0__4.30_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 1EBE5B039DF766E69F6A5994D7FFC246

4.31 OFW Port: NOR_dumper_release_1.0__4.31_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 503945089BF252553ADB61828F844BC6

4.40 OFW Port: NOR_dumper_release_1.0__4.40_OFW_ONLY-PS3Xploit.zip
MD5 Hash: B277BFCB6292557BB6D6DB808461642A

4.41 OFW Port: NOR_dumper_release_1.0__4.41_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 77F9DBEEC3E849D91A84F436AAE9AE39

4.45 OFW Port: NOR_dumper_release_1.0__4.45_OFW_ONLY-PS3Xploit.zip
MD5 Hash: A5D65C62B8C906DFE44CA536D9767EA2

4.46 OFW Port: NOR_dumper_release_1.0__4.46_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 0D10C9CEE01CD40BC9931AB5FC244949

4.50 OFW Port: NOR_dumper_release_1.0__4.50_OFW_ONLY-PS3Xploit.zip
MD5 Hash: EB202FD65A9B91A5FB9716D36E48DB80

4.53 OFW Port: NOR_dumper_release_1.0__4.53_OFW_ONLY-PS3Xploit.zip
MD5 Hash: E866BACBA9FC1501CFD3CF926B013607

4.55 OFW Port: NOR_dumper_release_1.0__4.55_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 3012A56985352BD2B892CD6AD9D9D5E4

4.60 OFW Port: NOR_dumper_release_1.0__4.60_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 099BA1AA41ABCD63D07016AD34F445B5

4.65 OFW Port: NOR_dumper_release_1.0__4.65_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 670335EEF5586C7AAF4D672853784263

4.66 OFW Port: NOR_dumper_release_1.0__4.66_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 856596111B5DC11CDE5F30B419AB28F3

4.70 OFW Port: NOR_dumper_release_1.0__4.70_OFW_ONLY-PS3Xploit.zip
MD5 Hash: DBAFDD5E66DCC3099F1FCE6F8C31E96F

4.75 OFW Port: NOR_dumper_release_1.0__4.75_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 500976B9054FCCBD8F26B0F3C7B3FB5C

4.76 OFW Port: NOR_dumper_release_1.0__4.76_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 9E1EB1F5349A498A472876414B084B13

4.78 OFW Port: NOR_dumper_release_1.0__4.78_OFW_ONLY-PS3Xploit.zip
MD5 Hash: 3EB9C05F32237FCFBDCBF0436E2EF2FB

4.80 OFW Port: NOR_dumper_release_1.0__4.80_OFW_ONLY-PS3Xploit.zip
MD5 Hash: A799E0DCC3C86353722598F2C4B1C3B1
 
I have tested the 4.41 with @esc0rtd3w and it worked on my 3k and other models tested, BUT it ONLY worked with a specific URL. Self hosting will give you an error, and trying to go to most websites on that FW (including playstation.com and google) will throw errors; even my website throws an error .... so take that into consideration
 
Much like the last files they released, I uploaded them to my site if anyone would like to use these themselves without having to host the files locally.

http://redthetrainer.com/ps3/norDumper/

It uses the exact same source. Nothing was edited. I simply provided a front end and collected everything on a single page.
 
I really don't think you know the extent to which 4.41 won't let you load websites. It won't even let you load PlayStation.com or my site.
 
I'd be lying if I said I did. I'm really only familiar with the more recent firmwares. Still, it can't hurt to have an already hosted mirror, however.
 
Updated 4.45 text slightly, was giving 00 dumps after 5 tests. Will check out later, but added note.

EDIT #1: Fixed 4.45. One of the offsets was off by 4 bytes. OP updated with new file.

EDIT #2: Fixed 2 typos not changing version display text on page in 4.45 and 4.46. OP updated with new files.
 
@esc0rtd3w @bguerville Please, could you fix the part in the readme that says "created by Aldo"? I wasn't the one who created miniweb.exe. I only *suggested* it to @habib

The text in the readme could be changed to something like:
1. Set up a small web server on PC or smartphone. A custom miniweb application from http://miniweb.sf.net has been supplied to host files if you would like to use it. Don't come to us for explanations about how to run an HTTP server though. Google it.

I posted about this issue days ago, but I still see that the files distributed in this thread and the other still credit that tool to me.

Thanks.
 
I think the tool performs the same functions as the Flatz developer IDPStealer proxy http://www.psx-place.com/threads/idpstealer-grab-your-consoleid-via-pc-by-flatz.900/
The dumper does not copy idpstealer.
It uses the system's classic way to read from the flash memory via syscalls.
It basically dumps into memory a sector of 512 bytes corresponding to the area in EID0 where the idps is stored. Then it saves only the 16 bytes in that flash memory sector that correspond to the idps to file.
 
UPDATED ALL PS3 Dumper ports released are hosted here

https://psarchive.darksoftware.xyz/dumper

Also New GUI!: https://darksoftware.xyz/dumper

(Google shortened link) https://goo.gl/yuUfX1

Code:
PS3 Dumper for 4.21
PS3 Dumper for 4.41
PS3 Dumper for 4.45
PS3 Dumper for 4.46
PS3 Dumper for 4.50
PS3 Dumper for 4.53
PS3 Dumper for 4.55
PS3 Dumper for 4.60
PS3 Dumper for 4.65
PS3 Dumper for 4.66
PS3 Dumper for 4.70
PS3 Dumper for 4.75
PS3 Dumper for 4.76
PS3 Dumper for 4.78
PS3 Dumper for 4.80
PS3 Dumper for 4.81/2
 
Hi guys
I have the dump with this awesome exploit.
How can I get the console ID?
Sorry if this has been answered before.
In NOR it is located at absolute offset 0x2F070
http://www.psdevwiki.com/ps3/Flash
http://www.psdevwiki.com/ps3/IDPS

You need to open the dump with a hex editor. I'm going to explain how to do it easily with this one: https://mh-nexus.de/en/hxd/
-Open the dump in HxD
-Use the keyboard shortcut ctrl+e (to select a block)
-Fill the fields with "start-offset"=2F070 and "length"=10 and checkmark "hex"
-Right click with the mouse over the selected area and "copy"
-Paste it in another document, clean the spaces in between bytes
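
The HxD steps above can also be scripted. The following Python script is an added example, not part of the original posts or of the PS3Xploit release: it rejects a dump that is all 00s (the check the release notes ask for) and then reads the 16 bytes at 0x2F070. The function names and the sample image are constructed for illustration.

```python
import sys
from pathlib import Path

IDPS_OFFSET = 0x2F070  # absolute offset in the NOR dump, as given in the post
IDPS_LENGTH = 0x10     # "length"=10 with "hex" checked in HxD, i.e. 16 bytes


def is_all_zero(data: bytes) -> bool:
    """True for an empty buffer or one made only of 0x00 bytes."""
    return data.count(0) == len(data)


def extract_idps(dump: bytes) -> str:
    """Return the 16 bytes at IDPS_OFFSET as hex with no spaces between bytes."""
    if is_all_zero(dump):
        raise ValueError("dump is all 00s; dump again before using it")
    end = IDPS_OFFSET + IDPS_LENGTH
    if len(dump) < end:
        raise ValueError(f"dump is {len(dump):#x} bytes, need at least {end:#x}")
    field = dump[IDPS_OFFSET:end]
    if is_all_zero(field):
        raise ValueError("bytes at 0x2F070 are all 00s; dump looks incomplete")
    return field.hex().upper()


def constructed_sample() -> bytes:
    """Constructed test image: filler bytes plus a made-up 16-byte field."""
    image = bytearray(b"\x5a" * 0x30000)
    image[IDPS_OFFSET:IDPS_OFFSET + IDPS_LENGTH] = bytes(range(0xA0, 0xB0))
    return bytes(image)


if __name__ == "__main__":
    # Pass the dump path as the first argument; without one, the constructed
    # sample is used so the script still runs offline.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else constructed_sample()
    print(extract_idps(data))
```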
 
Progress on NAND dumper? Are you guys still working on this? I have an A01 with a Teensy for testing purposes along with my L00 with e3 dual boot too. Let me know
 
