PROJECT: PL3 Payload that spoofs version to 3.50

**vcdking** · 11-09-2010,11:14 PM

Not a bad attempt. It could be possible that the other 3.5 checks are just in other memory offsets.

Nice find and keep up the good work eco!

**garyopa** · 11-09-2010,11:34 PM

Moving this thread to PS3 Development, as this a major step forward.

About time we had some new forward thinking on the payload stuff.

Combine this new development with with the also recent "fake model call", see here:

http://psx-scene.com/forums/580126-post16.html (PS3MrEnigma releases PS3 Model Test Tool)

And we might have the latest "hot" thing, better then a pop-up toaster!

Good work, keep it up.

**Belmondo** · 11-10-2010,12:33 AM

wicked, a step in the right direction. Glad sombody is looking into this stuff. Does this stop 3.50 disc games from trying to update?

**Xeauron** · 11-10-2010,12:41 AM

Holy crap, amazing work!

**id10terror** · 11-10-2010,01:11 AM

Originally Posted by garyopa

Moving this thread to PS3 Development, as this a major step forward.

About time we had some new forward thinking on the payload stuff.

Combine this new development with with the also recent "fake model call", see here:

http://psx-scene.com/forums/580126-post16.html (PS3MrEnigma releases PS3 Model Test Tool)

And we might have the latest "hot" thing, better then a pop-up toaster!

Good work, keep it up.

Oh yes.. I was thinking the same thing..

I've been lazy and putting it off, but I think it's time to read up on some PPC assembly language..

**Senaxx** · 11-10-2010,04:16 AM

Awesome work, this is something that moves us forward instead of a new backup manager or update to a emulator. (not that they aren't great!)

Hopefully this will gives us new options in tearing apart the working of the PS3 and modifying it.

**vidarino** · 11-10-2010,05:19 AM

Nice work, there!

Here's just the diff, for those who would like to take a look:

Code:

diff -ur PL3/default_payload.S PL3-eco/default_payload.S
--- PL3/default_payload.S       2010-11-10 11:07:30.163478179 +0100
+++ PL3-eco/default_payload.S   2010-11-10 02:00:18.000000000 +0100
@@ -67,6 +67,7 @@
        std     %r3, 0(%r6)
 
        ADD_SYSCALL (%r30, syscall_map_open_desc, 35)
+       ADD_SYSCALL (%r30, syscall_versiontest_desc, 10);
 
        // Add default /app_home redirection
        addi    %r3, %r31, ADDR_IN_PAGE(path_app_home)
@@ -84,6 +85,20 @@
        addi    %r5, %r5, 8
        b       l_apply_patches_loop
 l_patches_applied:
+
+
+
+       li      %r3, 0x2D0
+       li      %r4, 0x27
+       BRANCH_ABSOLUTE(%r5, alloc)
+       LOAD_LABEL2(%r4, %r30, version_ptr)
+       std     %r3, 0(%r4)
+
+       addi    %r4, %r31, ADDR_IN_PAGE(version_str)
+       li      %r5, 0x2D0
+       bl      pl3_memcpy
+
+
        // prolog
        ld      %r30, 0x90(%r1)
        ld      %r31, 0x98(%r1)
@@ -141,10 +156,36 @@
  * content with our own payload
  *
  */
+
+version_str:
+.space 0x2D0, 0x99
+
 .align 4
 overwritten_kernel_function:
        li      %r3, 1
        blr
+       
+syscall_versiontest_desc:
+
+       QUAD_MEM2(syscall_versiontest)
+       
+syscall_versiontest:
+       stdu    %r1, -0x80(%r1)
+       std     %r31, 0x78(%r1)
+       mflr    %r0
+       std     %r0, 0x90(%r1)
+       MEM_BASE(%r31)
+       addi    %r3, %r3, 0x20
+       LOAD_LABEL2(%r4, %r31, version_ptr)
+       ld      %r4, 0(%r4)
+       li      %r5, 0x2D0
+       bl      ABSOLUTE_MEM2(memcpy)
+       li      %r3, 0
+       ld      %r0, 0x90(%r1)
+       ld      %r31, 0x78(%r1)
+       mtlr    %r0
+       addi    %r1, %r1, 0x80
+       blr
 
 //#include "device6_kmod.h.S"
 //#include "dev_syscalls.h.S"
@@ -152,6 +193,15 @@
 #include "open_hook.h.S"
 #include "memory_patching.h.S"
 
+version_ptr:
+
+.quad 0
+
+
+
 payload_end:
 .org RESIDENT_PAYLOAD_OFFSET + RESIDENT_PAYLOAD_MAXSIZE 
 
+
+
+
diff -ur PL3/memory_patching.h.S PL3-eco/memory_patching.h.S
--- PL3/memory_patching.h.S     2010-11-10 11:07:30.167478179 +0100
+++ PL3-eco/memory_patching.h.S 2010-11-09 23:35:57.000000000 +0100
@@ -178,6 +178,8 @@
        PATCH_INST(elf1_func1 + elf1_func1_offset, li %r3, 1)
        PATCH_INST(elf1_func1 + elf1_func1_offset + 4, blr)
        PATCH_INST(elf1_func2 + elf1_func2_offset, nop)
+       PATCH_INST(0x190C90, li %r11, 10)
+       PATCH_INST(0x190C94, sc)
        .long 0
 memory_patch_table_2:
        PATCH_INST(elf2_func1 + elf2_func1_offset, nop)

**[C*]** · 11-10-2010,05:27 AM

Nice work. I remember in the PSP scene it was a version spoof of the index.dat that allowed 2.00 users to run the 1.50 update and downgrade. I remember how excited I was, the first major hack I performed on any of my consoles.

However they never allowed higher version games to play on 1.50 (since there were calls to files only present in the higher firmwares). The only thing this may allow is that we won't have to edit the PARAM.SFOs.

**szczuru** · 11-10-2010,06:11 AM

I remember in the PSP scene it was a version spoof of the index.dat that allowed 2.00 users to run the 1.50 update and downgrade

Maybe if we can edit this payload to show 2.00 FW then we can run older update? (eg 3.15)

**ModIT** · 11-10-2010,06:44 AM

Lol this would be amazing

But sounds good - if the ps3 thinks it is on e.g. on firmware 3.01
why shouldnt work a update to 3.15...

User Tag List

Thread: PROJECT: PL3 Payload that spoofs version to 3.50

Tweet

LinkBack

Thread Tools

Display


	Would you like to get all the new info from PSX-Scene in your email each day? Subscribe to our Daily Digest! Want to learn more about the team keeping you up to date with the latest scene news? Read about them now! Check out our Developer bios, too!