How to Hook into LV2 Memory!

[Jon Salat]

Very interesting, maybe we can change region for PS1/PS2/DVD/BD with this method.

[mеdi01]

Of course you may want to wait for someone else to try this, could be some bricking problems.

Why on Earth? We are talking about on the fly modifications of the loaded memory, that do not touch flash.

[DeadlyFoez]

Why on Earth? We are talking about on the fly modifications of the loaded memory, that do not touch flash.

Technically, if someone adjusts code the wrong way then it could possibly lead to writing data to the flash memory. Is it likely? Probably not. Is it still possible? Yes.

Luckily we have a bunch of very talented programmers here that know what they are doing.

Trust me, it is very possible to brick a PS3 through software with only lv2 access. Remember the fake PSP Emulator?

[vampirexx]

i would like someone to develop a live cheat system like comparison scan memory to find out cheats for offline games is it possible using this discover?

[jebise]

how about we get whats more important here like retail to debug without a usb dongle linux etc before we start working on game cheats. Like come on dude WTF?

[clik.MEK]

PS3mrengigma has updated his blog with a tutorial on how to hook into LV2.

In this tutorial he utilizes, the undocumented, SYSCALL 867 for his hook.

SYSCALL 867, which he explained previously, controls the PS3′s model information (retail, debug, reference tool etc).

In his tutorial he walks us through the process of making his debug PS3, thinking its a Retail unit (there is no benefit to making it think its a retail, its simply a learning exercise).

tbh this tutorial is way over my head, but it read like the guy does know what he is talking about. I would like to understand a little more of it, so if anybody with more knowledge than me has the patience to answer sth of the *probably* bs I am going to post, then: thanks!
From what I got this is really huge, isn't it?

For this section we should bear in mind that we need to meet the following requirements:

- Take a dump of the entire LV-2, possibly without being modified in any way by a payload.
– Knowledge of assembler to understand the original SYSCALL to create our hooks.
– Understand how the / s SYSCALL we will modify.

So you dump lv2 memory over ethernet using some tools, right? But does this work without jailbreaking? As he says "not modified by a payload"?

For this post we will take the example of a LV-2 3.41 Debug (for it is that I work mostly), but can be applied just as in a LV-2 Retail.

here again, is he talking about a jailbroken unit or not? Or is it like he can dump lv2 memory on his debug unit, but a retail would not be able to do it (without jailbreaking)?

Once copied, you need to install the hook so that when the modules call the SYSCALL call our code, in our case as we know where to start our code (0x54408), proceed to write this direction in the second memory address that points that indicate the SYSCALL_TABLE, ie 0x348FB4.

Once done, any module, homebrew, etc to call that SYSCALL go through our hook, and if the command is 0x19004, we will refund a forced Retail Eur.

ok he dumped lv2 and modified the syscall to be callable by any homebrew.
So any hb could implement that syscall and it would return "I am a debug"?
great! all debug functions would be enabled that way. That surely is why that syscall isn't documented in the sdk
Futher questions: When is this patching happening, is it part of the jailbreaking payload, is the code part of a homebrew app, or is both possible? Once the hook is complete, you would write that in devflash, so this is permanent, right? No need for dongles any more? Can that be done without bricking the console? And what are other possible applications of the "hooking" of syscalls?

[t_jay17]

I wonder if this can lead to a way to get onto psn?

[talmagal]

I need the syscall for increasing my bank balance.

damn staright

[MaX_SLayeR]

I hope somebody can use this to find a way to make the PS3 return the latest FW version to PSN.

[phlak]

I just want something to lead to CFW with no more need for jailbreaking. Just a simple flash and to be on CFW for good. Someday I suppose, as for now way to go on the progress in the homebrew scene.