PROJECT: PL3 Payload that spoofs version to 3.50

[ecosystem_mod]

I have made a payload that spoofs version to 3.50!

It works by capturing VSH code in the moment after it decrypts INDEX.DAT.

Unluckily, it is not enough to connect to the PSN, it still refuses to connect. I have only faked the version but there are other numbers, such as release numbers. I don't know what these numbers would be on v3.50. You can try by modifying the payload with an hex-editor and maybe someone finds the proper numbers.

Technical info for geeks:

INDEX.DAT is the encrypted version of VERSION.TXT. After decryption, INDEX.DAT is a 20 bytes SHA1 followed by 12 bytes of PADDING, followed by a content identical to that of VERSION.TXT.

My payload works by hooking the MEMCMP that the VSH performs with the SHA1 to a syscall, the SYSCALL 10, which is implemented in the payload to fill the buffer with other data.

The payload is just a PL3 default payload with that syscall 10 added and two additional patches added to memory_patch_table_1 (PATCH_INST(0x190C90, li %r11, 10) and PATCH_INST(0x190C94, sc)), and converted to the port1_config_descriptor.bin format.

Only for v3.41. Have fun!

UPDATE: second version

Now it also fakes the auth/revision code from 45039 to 46135, which is the supposed one for v3.50. This value was also hard-coded in VSH.SELF, so two additional patches are done to change that string in VSH.SELF too. If you are gonna change the auth number, remember that you must update that patch too, or you will get a beautiful red screen.

Also it now patches a syscall that gets the SDK version of a process, the patch only fakes the one for vsh. Vsh calls this function before entering the PSN. Despite all of this, PSN still doesn't connect, but now there is a different behavior: before it told you to update and if you answered yes, you could go through the update process. Now it still tells you to update, but i you click yes, then it tells you that you are on latest version and doesn't let you to update.

I post binary and the three source files that must replace/add to the PL3 one.

Update: 2.01, small bug-fix (cmpwi != cmpw), still no luck with psn.

[iLLNESS]

any chance we could get the .S?

is there any benefit currently with this payload for spoofing to 3.50 firmware? ie: does it allow games to actually run without having their manager patch the sfo/etc?

[ecosystem_mod]

Didn't want to release source because i've commited some lazyness.
But anyways, here you have the only two files modified by latest, as downloaded some hours ago, PL3.

You can see the two additional patches in memory_patching.h.S. I used direct offsets instead of putting symbols in firmware_symbols.h because I was damn lazy. To complete the payload you need to put the firmware version data here (in default_payload.S):

version_str:
.space 0x2D0, 0x99

Replacing the space 0x2D0, 0x99 with the data, which should be 0x2D0 size.

I was lazy again and I just pasted the proper content after compilation with an hex editor.

[ecosystem_mod]

As for the other question, dunno if games with higher version work without sfo editing, but i think they should work. Anyways, real purpose of this is to at least allow tests to be done.

[barnhilltrckn]

This is cool but what does it offer?? Does it allow going on psn, playing new games that require 3.50, ect?

Im not saying that is isnt a good contribution, im just wondering and im sure everyone here reading this is wondering the same thing.

edit: you just answered as i was typing it in .

[ecosystem_mod]

It serves the purpose of faking version. It is a matter of time to check if it leads to more things.

[Mathematician]

This is cool but what does it offer?? Does it allow going on psn, playing new games that require 3.50, ect?

Im not saying that is isnt a good contribution, im just wondering and im sure everyone here reading this is wondering the same thing.

edit: you just answered as i was typing it in .

By the sounds of it, it won't allow to decrypt 3.50 eboots, if you want a 3.50 game to work on 3.41 you still have to find a 3.41 eboot for the same game (maybe from a demo or debug package).

It sounds like it is some progress to bypassing psn checks. However, I think sony put more thought into just a 3.50 check, they have put a type of file check that only 3.50 users have embedded deep in the firmware.

It may be a way of preventing updates to the PS3.

[remainnameless]

I tested the payload using a TI-84+ and a retail disc of Call of Duty: Black Ops

When loading from the retail disc, it black screens.

When loading from a backup (using Gaia 1.02 or Backup Manager) it black screens. Also, there is no option to Mem Patch the games.

If you go into System info, it shows that the firmware is 3.50 though.


So far, nothing has been implemented that will allow us to play 3.50 without issues. I am looking forward to seeing if anything good comes from this.

Have you submitted your changes to the PL3 GitHub? They may be able to help a little more.

EDIT:
I may have come off like I wasn't impressed... I am very impressed. Great work so far!

[mikerock98]

I tested the payload using a TI-84+ and a retail disc of Call of Duty: Black Ops

When loading from the retail disc, it black screens.

When loading from a backup (using Gaia 1.02 or Backup Manager) it black screens. Also, there is no option to Mem Patch the games.

If you go into System info, it shows that the firmware is 3.50 though.


So far, nothing has been implemented that will allow us to play 3.50 without issues. I am looking forward to seeing if anything good comes from this.

Have you submitted your changes to the PL3 GitHub? They may be able to help a little more.

EDIT:
I may have come off like I wasn't impressed... I am very impressed. Great work so far!

That does sound like a start......at least were moving in the right direction.....keep up the good work Eco....That is one impressive first post!

[chesh]

No kidding, eco. Awesome work! Where the hell did you come from?? You program for any of the other scenes?