Thread: PS3 Devs Begin PlayStation 3 Flash and Registry Entry Analysis
  

  1. #1 PS3 Devs Begin PlayStation 3 Flash and Registry Entry Analysis 
    Ceph, Registered User (joined Sep 2005)
    I will state right off the bat that I am not good at rewriting someone else's post, but this has been completely missed here (that I've seen) and it seemed to me that it was something important to the scene. This is directly from ps3news.com (http://www.ps3news.com/PS3-Dev/ps3-d...ntry-analysis/). Pictures are in the original thread.

    With the release of yesterday's PS3 FTP server which enabled easy access to dev_hdd0, dev_flash, dev_flash2, dev_flash3 and dev_bdvd on the PS3, several developers are now examining the PlayStation 3's dev_flash and registry entries.

    Forum user diemetal has let us know today that Spanish PS3 developer DemonHades has begun to analyze dev_flash from PS3 Firmware version 3.41, stating the following (roughly translated):

    "TeamHades has removed the three dev_flash that PS3 has. Thanks to the Homebrew PS3News we needed to extract (PS3 FTP Server).

    We begin the analysis with some pictures of their content, we will later file by file documenting that we are not able to do anything and escape in the future a stable CFW."

    RichDevX has also tweeted some pictures (below) of the PS3 flash contents and registry entries today.

    Included in flash0 he stated that fonts, image, and 3 user modules (prx) files were interesting, however, he went on to say he is working on something else at the moment.

    Finally, after a little digging CJPC discovered where Sony stores updates for both Retail and Debug PS3 games, stating that users can simply replace the game's TitleID with the one from any game and be able to obtain the latest update download links.

    More details will come once PS3 Devs have had a chance to examine it, but for those who missed it and are interested the PS3 TEST / TOOL Debug Game Backup Guide also discusses this topic.

    Stay tuned for more PS3 Hacks news. Also be sure to drop by the PS3 Hacks Forum for updates!


    Read more: http://www.ps3news.com/PS3-Dev/ps3-d...#ixzz0z8TDHrgG
    and was continued on this thread as well (http://www.ps3news.com/forums/playst...re-112555.html)

    Earlier today we reported on a preliminary PS3 flash and registry entry analysis from DemonHades and RichDevX, and now SKFU (linked above) has shared his input thus far.

    To quote: Since PS3News released their PS3 FTP application I did some research on the PS3's registry.

    The registry and its backup are stored on dev_flash2 as xRegistry.sys.

    The header

    BC AD AD BC 00 00 00 90 00 00 00 02 BC AD AD BC

    The entries

    Every entry has a front tag which is 5 bytes long. I'll describe:

    56 41 00 11 01

    This is an example value:

    /setting/parental

    Behind the value theres a 1 byte close mark:

    00

    The 5 bytes

    The first 4 bytes are a unique but random number. Every value has one so it can be identified and found by the system, as there is no special pattern. An sprx(?) finds every value by these 4 bytes.

    56 41 00 11

    The 5th byte can be 00, 01 or 02. 00 tagged values are actually activated/used by the VSH, 01 ones not. The 02 seems to mean "DO NEVER UNLOCK". For example the QA Mode is tagged with 02.

    00 == unlocked/used/activated
    01 == locked/unused/inactive
    02 == never meant to be unlocked

    Stop footer

    The registry has a

    AA BB CC DD EE

    after the last value. Here the system stops to search for values.

    Single values without tag

    Some values are behind the stop tag, spread randomly in the file it seems. I have no clue how the system finds those yet, but here are some I found:

    - your local username
    - your language (e.g. eng for English)
    - your PS3 system name
    - URL to the information board online stored files
    - HDD serial
    - Board name
    - your PSN username + password
    - your WIFI network key
    - your local IP
    - your PSID
    - path to local user pic

    You can modify all those values as long as you don't change their size or address. For example, the local user pic is loaded from:

    /dev_flash/vsh/resource/explore/user/000.png

    But you can redirect it to load from USB for example:

    /dev_usb/vsh/resource/explore/user/12345.png

    The Cool Stuff

    The retail PS3's registry contains all values to unlock the settings which are possible on a test/debug PS3 and even more like QA mode. We can enable those via the registry, but we won't see any effect in the XMB.

    That is because we just UNLOCKED it, but different files on dev_flash handle what we can actually SEE in the XMB. So we need to modify them also to fully use debug options on a retail and more.

    This can be done by mounting the dev_flash from USB. We need to do this as we cannot write to the original dev_flash. So once we can load our customized dev_flash from USB and have modified our registry, we have a nice way to load our custom firmwares.

    The Crash Report

    The registry can contain a crash report, which is separately split off with another registry header as explained above. It contains system error messages, for example if you muck up your registry ;-)

    PS3 Live USB CFW Theory

    While the Jailbreak just changes mountpoints, it should be possible to do the same for other places than the BDD as well.

    For the JB, the drive is remounted @ HDD. So why not mount the dev_flash from USB?

    Surely this is possible and I hope to see some action here soon!

    So we would have a good solution to test and run custom firmwares, as the brick risk is equal to zero: we can just unplug the USB device and the dev_flash is mounted as usual, unchanged.


    Read more: http://www.ps3news.com/forums/playst...#ixzz0z8TgC9xi
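A small parser for the entry layout SKFU describes above (16-byte header, 5-byte front tag, value, 0x00 close mark, AA BB CC DD EE stop footer), added here as an example; it is not code from the post or from any PS3 tool. Only the header, footer, example tag bytes and state values come from the post; the sample dump, the Python names and the assumption that nothing else sits between entries are mine.

```python
import struct
from dataclasses import dataclass

HEADER = bytes.fromhex("BC AD AD BC 00 00 00 90 00 00 00 02 BC AD AD BC")  # quoted in the post
STOP_FOOTER = bytes.fromhex("AA BB CC DD EE")
STATE_NAMES = {0x00: "unlocked/used", 0x01: "locked/unused", 0x02: "never unlock"}


@dataclass
class RegEntry:
    tag_id: int  # first 4 tag bytes: unique but random identifier
    state: int   # 5th tag byte: 0x00, 0x01 or 0x02
    value: str   # the string between the tag and the 0x00 close mark


def parse_registry(blob: bytes) -> tuple[list[RegEntry], bytes]:
    """Walk header, then [4-byte id][state][value][0x00] repeated until the stop
    footer. Returns the entries plus the bytes after the footer (untagged values)."""
    if not blob.startswith(HEADER):
        raise ValueError("missing xRegistry header")
    pos, entries = len(HEADER), []
    while not blob.startswith(STOP_FOOTER, pos):
        if pos + 5 > len(blob):
            raise ValueError("truncated tag or missing stop footer at offset %d" % pos)
        tag_id = struct.unpack(">I", blob[pos:pos + 4])[0]
        state = blob[pos + 4]
        if state not in STATE_NAMES:
            raise ValueError("unknown state byte 0x%02x at offset %d" % (state, pos + 4))
        end = blob.find(b"\x00", pos + 5)  # close mark search starts after the tag
        if end < 0:
            raise ValueError("entry at offset %d has no close mark" % pos)
        entries.append(RegEntry(tag_id, state, blob[pos + 5:end].decode("ascii", "replace")))
        pos = end + 1
    return entries, blob[pos + len(STOP_FOOTER):]


def never_unlock_values(blob: bytes) -> list[str]:
    """Values whose tag says 0x02 ("never meant to be unlocked"), e.g. QA mode."""
    return [e.value for e in parse_registry(blob)[0] if e.state == 0x02]


def build_sample() -> bytes:
    """Constructed dump, not a real xRegistry.sys: the post's tag plus two invented entries."""
    body = b""
    for tag_id, state, value in [
        (0x56410011, 0x01, b"/setting/parental"),        # tag bytes from the post
        (0x12345678, 0x00, b"/setting/example/active"),  # invented
        (0x0A0B0C0D, 0x02, b"/setting/example/qa"),      # invented
    ]:
        body += struct.pack(">I", tag_id) + bytes([state]) + value + b"\x00"
    return HEADER + body + STOP_FOOTER + b"untagged:eng"
```

Run it against `build_sample()` to see the three tagged entries, their lock state and the untagged tail; a real dump will need the loop extended for whatever the post's description leaves out.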

  2. #2  
    Xeauron, PlayStation Addict (Manchester, UK)
    Has this group ever released anything noteworthy?

  3. #3  
    Broomop, Banned
    Very interesting, but doing what he says is what the jailbreak team have done. But we do have a bit of an advantage having the memory scannable. But does anyone know the offsets that the jailbreak changes in memory?

  4. #4  
    garyopa, Old-School R&D Developer
    See this thread:

    http://psx-scene.com/forums/showthread.php?t=65622 (PS3 Registry Hacking (Collaborators needed))

    It is being discussed in the PS3 Development forum.

    Until there is a breakthrough in being able to mount the flash with changes,
    right now it is only possible to browse and look.

    You still have to figure out how to make changes, as there is NO WRITE access,
    and after changes how to make the signing work, as this area is still protected.

    Please see that thread for now; once there is a major breakthrough I will post the news.
