Forum: PS3 Technical Development - Topics relating to Playstation 3 Technical development ONLY! Read and discuss the latest Cobra USB updates, tutorials and explanations or find out about bluray drive bypass firmwares plus much more.
Thread: The Xcellerator getting close to FW downgrade/spoof
  #1 ps3warrior
    TheXcellerator's Blog: PS3 Downgrade/Firmware Spoof Speculation

    Well, here it is, some PS3 Downgrade Speculation.


    OK, well I got thinking after SKFU's post when he said "We need to find a way to edit the flash directly..."
    so I came up with this.
    When the PS3 updates, it follows 2 main steps:
    1) It copies data from PS3UPDAT.PUP to the HDD.
    2) It then sets a boot flag to an "Update Phase/Mode" and then restarts and updates the flash.
    If we copy our own update data to the HDD, in the correct spot (I assume it would be the contents of the PUP file, but this will need further research...), and if we can then get the PS3 to change its boot flag, we could get it to install any Firmware we like. The spoofing side of things comes from editing the SDKHeader.bin in the PUP contents.


    So, how do we edit the bootflags? That is the main question.
    It wouldn't be a kind of PS3 GParted LiveCD...
    We know that users 'could' edit bootflags (or certain ones) through the DefaultOS option in Firmwares 3.15 and below. They must be stored in the Registry (xRegistry.sys in /dev_flash2/). I'll need someone with Firmware 3.15 or below to tell me the Registry 'Key', so it can be added to a PS3 registry over 3.15...
    If we can get the bootflag setting for this update phase/mode, we could make our PS3 write whatever firmware we wanted to the flash, including 3.41 on top of 3.41 with the firmware ID of 3.50, so the PS3 can go online. Does this mean that we could, in theory, make the PS3 boot an OS from an External HDD? Possibly boot our own flash from it (already done with JaiCraB's Firmware Loader, but it still could have interesting possibilities!)


    But how do we know the PS3 uses bootflags?
    When I was messing with JaiCraB's Firmware Loader and it messed up, it gave the HDD error message (anyone who's used it will know what I'm talking about!). Anyway, the first time this happened to me, I switched off my PS3 and turned it on. The message still came up! Once I followed it through and restarted how it told me to, the PS3 booted up GameOS normally. At the time I thought nothing of it, but when I started thinking about this method, this makes bootflags of some sort seem like an obvious conclusion...


    So, to recap!
    I need someone with firmware 3.15 or below with jailbreak abilities, to tell me the 'Key' in xRegistry.sys for the DefaultOS menu, so it can be changed on firmware ABOVE 3.15...


    All the best,
    Xcellerator

  #2 jamal94
    Good luck dude, I think you need to create a group to help you because it is kinda hard to do alone.

  #3 OLDCell
    Good theories, but the thread title is well off!!

    "getting close to FW downgrade/spoof"

    No, he's not even close yet, this is a theory which may or may not pan out! Sorry, but the thread title is BS.

    It should be

    "The Xcellerator's FW downgrade/spoof Theory"

    RANT OVER!!

  #4 garyopa
    I moved this thread to "PS3 Development" as it is NOT NEWS at all!

    The bootflags are a combination of bits stored on the HDD boot partition, which is not visible currently by any "lvl2" program, and matching flags stored in the "syscon" RAM, which is connected to the internal battery to hold settings like the clock, bootflags, how you power on the system, etc.

    Good luck with your ideas, you have a long way to go.

  #5 RiPPERD
    I think someone with 3.15 jailbroken should take an entire backup of the PS3 directories and post it online.

  #6 yifanlu
    Quote, originally posted by garyopa:
    I moved this thread to "PS3 Development" as it is NOT NEWS at all!

    The bootflags are a combination of bits stored on the HDD boot partition, which is not visible currently by any "lvl2" program, and matching flags stored in the "syscon" RAM, which is connected to the internal battery to hold settings like the clock, bootflags, how you power on the system, etc.

    Good luck with your ideas, you have a long way to go.

    Just curious, but IF the updater uses boot flags AND lv2 programs can't modify them, then how does the PS3 updater do it? The updater is just a regular executable, right?

  #7 Stefan330
    Maybe the Hypervisor gives the Updater LV1 level.

  #8 garyopa
    Quote, originally posted by RiPPERD:
    I think someone with 3.15 jailbroken should take an entire backup of the PS3 directories and post it online.

    The only thing that can give you is their "dev_flash", which is the lvl2 crap.

    If you try to run v3.15 on a v3.41 machine you'd be loading an older XMB into a new COREOS and SYSCON firmware, so a lot of stuff will not work.

    Changes like the Hypervisor are stored in the syscon, so trying to get the Linux part does not help, as you need the older syscon to be flashed.

    The only way is to trigger an exploit earlier in the chain, before the XMB loads up, and force a whole new kernel to load which then boots what you want. So far only "Marcan42" has been able to do that via his "AsBestOs", but he is using a whole new kernel, as loading a v3.15 kernel is not possible since we don't have a clean unpacked, decrypted one to use yet, and with the current limited lvl2 access we have via things like FTP, you can dump it out.

    For now research should be focused on the PUP KEY FINDER since we now have access to dump all the RAM; once the key to fully unpack the PUP files is found, then we can assemble our own custom PUP that can be installed, which will trick the PS3 into flashing itself with what we want it to flash.

    That is basically the only true way a complete downgrade will be workable.

  #9 releva
    Quote, originally posted by garyopa:
    The only thing that can give you is their "dev_flash", which is the lvl2 crap.

    If you try to run v3.15 on a v3.41 machine you'd be loading an older XMB into a new COREOS and SYSCON firmware, so a lot of stuff will not work.

    Changes like the Hypervisor are stored in the syscon, so trying to get the Linux part does not help, as you need the older syscon to be flashed.

    The only way is to trigger an exploit earlier in the chain, before the XMB loads up, and force a whole new kernel to load which then boots what you want. So far only "Marcan42" has been able to do that via his "AsBestOs", but he is using a whole new kernel, as loading a v3.15 kernel is not possible since we don't have a clean unpacked, decrypted one to use yet, and with the current limited lvl2 access we have via things like FTP, you can dump it out.

    For now research should be focused on the PUP KEY FINDER since we now have access to dump all the RAM; once the key to fully unpack the PUP files is found, then we can assemble our own custom PUP that can be installed, which will trick the PS3 into flashing itself with what we want it to flash.

    That is basically the only true way a complete downgrade will be workable.

    Is it possible to start a BOINC project to harness the power of the PS3 to find the key?

  #10 stoker25
    Quote, originally posted by garyopa:
    For now research should be focused on the PUP KEY FINDER since we now have access to dump all the RAM

    Agreed, although I don't think it's stored in the RAM; AFAIK the isolated SPU handles decrypting the update PKG files. There are people who probably have this already done, but of course since "they" did it, "they" keep it.

    Quote, originally posted by garyopa:
    once the key to fully unpack the PUP files is found, then we can assemble our own custom PUP that can be installed, which will trick the PS3 into flashing itself with what we want it to flash.

    If only; we also need to find the HMAC-SHA1 key for the PUP if we want to create our own. This might be inside an SPRX though, we just need to decrypt it :/
    PSIDPatch - http://bit.ly/psidpatch
    xRegistry Editor - http://bit.ly/xregistry
    Playstation 3 Update Repo - http://bit.ly/iR2iXh

    People, stop hating on Math & Co. If it wasn't for them we'd be nowhere, so what if they have their secrets? Remember, they could have just decided not to show anything.
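The point stoker25 makes about the HMAC-SHA1 key, as an added illustration that is not from the thread and does not use the real PUP layout: a constructed package format whose version field and payload are covered by an HMAC-SHA1 tag, so that patching the version field in place (the header-edit idea from post #1) fails verification unless the signer's key is known. The magic value, key and version strings are all constructed for this example.

```python
import hashlib
import hmac

# Constructed, simplified package layout (NOT the real PS3 PUP format):
#   magic(8) | version(8, ASCII) | payload | hmac_sha1(20) over everything before it
MAGIC = b"EXAMPLE!"
MAC_LEN = 20
HEADER_LEN = 16


def build_package(version: bytes, payload: bytes, key: bytes) -> bytes:
    """Assemble a package whose header and payload are authenticated by HMAC-SHA1."""
    if len(version) != 8:
        raise ValueError("version field must be exactly 8 bytes")
    body = MAGIC + version + payload
    tag = hmac.new(key, body, hashlib.sha1).digest()
    return body + tag


def verify_package(blob: bytes, key: bytes) -> bool:
    """Return True only if the trailing tag matches header+payload under key."""
    if len(blob) < HEADER_LEN + MAC_LEN or not blob.startswith(MAGIC):
        return False
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    # compare_digest avoids timing leaks from an early-exit byte comparison
    return hmac.compare_digest(expected, tag)


def package_version(blob: bytes) -> bytes:
    """Read the version field without checking integrity."""
    return blob[8:HEADER_LEN]


def patch_version(blob: bytes, new_version: bytes) -> bytes:
    """Overwrite the version field in place, leaving the old tag untouched.
    This is the 'just edit the header' idea; without the key it cannot re-tag."""
    if len(new_version) != 8:
        raise ValueError("version field must be exactly 8 bytes")
    return blob[:8] + new_version + blob[HEADER_LEN:]


# Constructed demo values: an authentic package claiming 3.41, then the same
# bytes with the version field patched to 3.50 and the original tag left in place.
KEY = b"constructed-demo-key"
ORIGINAL = build_package(b"03.41000", b"constructed payload bytes", KEY)
PATCHED = patch_version(ORIGINAL, b"03.50000")
```

The patched package still reads as 3.50 to anything that trusts the header, but fails `verify_package`, which is why the thread treats recovering the key as the prerequisite for a self-made PUP.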
