  #21 Kraken (Senior Member), Join Date: Apr 2005, Posts: 941
    Hopefully we will get a homebrew dashboard soon to replace the XMB, and a payload that auto-boots it. I was never fond of the XMB, and implementing an ftp server into a homebrew dash is much simpler than a background daemon.

  #22 Roamin (Registered User), Join Date: Jan 2010, Posts: 12
    Well, I'm more attracted to what the end result of patching can achieve.

    Ok, so the way we run unsigned code with psgroove is because the return value for Hypercall 99 was patched.

    Here is a list of Hypercalls that returned the same value as Hypercall 99 when they were called (LV1_DENIED_BY_POLICY). These are the search hits for "denied" on wiki.ps2dev.org (wiki.ps2dev.org/?do=search&id=denied), one hit per page:

    ps3:hypervisor:hypervisor_function_return_status
        ... -1 | LV1_RESOURCE_SHORTAGE = -2 | LV1_NO_PRIVILEGE = -3 | LV1_DENIED_BY_POLICY = -4 | LV1_ACCESS_VIOLATION = -5 | LV1_NO_ENTRY = -6 | ...

    ps3:hypervisor:lv1_undocumented_function_137, _138, _167, _168, _200, _201, _209, _62 and _99 (identical table on each page)
        Version | Returns R3                | R4 | R5 | R6 | R7 | R8 | R9 | R10 | Comments
        PAL 1.7 | -4 (LV1_DENIED_BY_POLICY) | 0  | 0  | 0  | 0  | 0  | 0  | 0   | R3-R10 were passed in the call as 0

    ps3:hypervisor:lv1_undocumented_function_63
        Version  | Returns R3                | R4    | R5 | R6 | R7 | R8 | R9 | R10 | Comments
        PAL 1.7  | -4 (LV1_DENIED_BY_POLICY) | 1847h | 0  | 0  | 0  | 0  | 0  | 0   | R3-R10 were passed in the call as 0
        PAL 3.15 | Functi ...
    Hypercalls 62, 63, 99, 137, 138, 167, 168, 200, 201 and 209 all returned LV1_DENIED_BY_POLICY; maybe we could benefit from removing the return value of these hypercalls as well? Maybe it would allow us to do more things, maybe run licensed content?

    I have looked at the patching system used in the payload (described on the ps3wiki), but I do not understand how we can tell that it's hypercall 99 that is patched by looking at this:

    # ld r4,3848(r2) } Patches return from
    # ld r3,32(r28)  } Hypercall 99 so that
    # std r3,0(r4)   } we can launch unsigned apps

    I understand that it is patched to 0, the LV1_SUCCESS return value, but how can we tell that it's hypercall 99 that was patched?

    Let's remove all the LV1_DENIED_BY_POLICY returns!

  #23 DeadlyFoez (Banned User), Join Date: Nov 2009, Posts: 44
    Quote Originally Posted by Roamin View Post
    Let's remove all the LV1_DENIED_BY_POLICY returns!
    Do it. Let's see how quickly we can brick our PS3s.

    Well now that marcan has gotten lv1 access via payload we should see some great stuff come soon.

  #24 lolster (Registered User), Join Date: Mar 2009, Posts: 11
    So what exactly could this do for our games? Patch cheat codes or something like that?

  #25 jaysingly (Registered User), Join Date: Feb 2010, Posts: 1
    Quote Originally Posted by lolster View Post
    So what exactly could this do for our games? Patch cheat codes or something like that?
    An offline-only cwcheat or nitepr for ps3 would be pretty cool...

  #26 hacked2123 (Junior Member), Join Date: Nov 2006, Posts: 665
    Quote Originally Posted by Kraken View Post
    Hopefully we will get a homebrew dashboard soon to replace the XMB, and a payload that auto-boots it. I was never fond of the XMB, and implementing an ftp server into a homebrew dash is much simpler than a background daemon.
    I'll program an XMB supplement if and when the means become available. OS improvement is definitely something I like.

  #27 tragedy (Senior Member), Join Date: Mar 2009, Posts: 135
    Quote Originally Posted by Roamin View Post
    I have looked at the patching system used in the payload (described on the ps3wiki), but I do not understand how we can tell that it's hypercall 99 that is patched by looking at this:

    # ld r4,3848(r2) } Patches return from
    # ld r3,32(r28)  } Hypercall 99 so that
    # std r3,0(r4)   } we can launch unsigned apps

    I understand that it is patched to 0, the LV1_SUCCESS return value, but how can we tell that it's hypercall 99 that was patched?
    You can't, but the code just before this in the lv2 dump looks like this:
    Code:
       490d8:       39 60 00 63     li      r11,99          # 63
       490dc:       44 00 00 22     sc      1
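    The convention tragedy points to (lv2 loads the hypercall number into r11 with `li r11,N` and then traps to the hypervisor with `sc 1`) is easy to check mechanically over a whole dump. The scanner below is an example added to this thread, not code from the forum or from any PS3 project: it parses an objdump-style PowerPC listing, decodes `sc` from the encoded word so that an lv2 syscall (`sc`, LEV=0) is not mistaken for a hypercall (`sc 1`, LEV=1), and reports the number set in r11 for each trap, or None when r11 was overwritten before the trap. The two lines at 490d8/490dc are the ones quoted above; every other line of the sample listing is constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Objdump-style listing. 490d8/490dc are the lines quoted in the thread; the
# remaining lines are constructed here (correctly encoded, but not from a real dump).
SAMPLE_DUMP = """\
   490d0:       7c 7c 1b 78     mr      r28,r3
   490d4:       e8 7c 00 20     ld      r3,32(r28)
   490d8:       39 60 00 63     li      r11,99          # 63
   490dc:       44 00 00 22     sc      1
   490e0:       f8 64 00 00     std     r3,0(r4)
   490e4:       39 60 00 a3     li      r11,163         # a3
   490e8:       7c 08 02 a6     mflr    r0
   490ec:       44 00 00 22     sc      1
   490f0:       44 00 00 02     sc
   490f4:       39 60 00 05     li      r11,5           # 5
   490f8:       7c 6b 1b 78     mr      r11,r3
   490fc:       44 00 00 22     sc      1
"""


class HypercallSite(NamedTuple):
    li_addr: Optional[int]  # address of the "li r11,N" that set the number, if known
    sc_addr: int            # address of the "sc 1" that issued the call
    number: Optional[int]   # hypercall number, or None if r11 was clobbered first


# "   490d8:       39 60 00 63     li      r11,99          # 63"
LINE_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+(?P<word>(?:[0-9a-f]{2}\s){3}[0-9a-f]{2})\s+"
    r"(?P<mnem>[a-z.]+)\s*(?P<ops>[^#]*)"
)

# For stores the first operand is the value being stored, not a destination.
STORE_MNEMONICS = {"std", "stw", "sth", "stb", "stdu", "stwu"}


def parse_line(line: str):
    """Return (addr, mnemonic, operands, encoded word) or None for non-instruction lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ops = [o.strip() for o in m.group("ops").split(",") if o.strip()]
    word = int(m.group("word").replace(" ", ""), 16)
    return int(m.group("addr"), 16), m.group("mnem"), ops, word


def is_hypervisor_trap(mnem: str, word: int) -> bool:
    """True for 'sc 1': primary opcode 17 with the LEV bit (0x20) set."""
    return mnem == "sc" and (word >> 26) == 17 and (word & 0x20) != 0


def find_hypercalls(listing: str) -> List[HypercallSite]:
    sites: List[HypercallSite] = []
    pending = None  # (li_addr, number) while the last "li r11,N" is still live
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, mnem, ops, word = parsed
        if is_hypervisor_trap(mnem, word):
            if pending is not None:
                sites.append(HypercallSite(pending[0], addr, pending[1]))
            else:
                sites.append(HypercallSite(None, addr, None))
            pending = None  # r11 is not assumed to survive the call
        elif mnem == "li" and ops[:1] == ["r11"]:
            pending = (addr, int(ops[1], 0))
        elif ops and ops[0] == "r11" and mnem not in STORE_MNEMONICS:
            pending = None  # some other write to r11: number no longer known


    return sites


if __name__ == "__main__":
    for site in find_hypercalls(SAMPLE_DUMP):
        num = "unknown" if site.number is None else str(site.number)
        print(f"sc 1 at {site.sc_addr:x}: hypercall {num} (li at {site.li_addr})")
```

    Run stand-alone it lists three traps: hypercall 99 at 490dc, 163 at 490ec, and an unresolved one at 490fc because `mr r11,r3` overwrote the number; the plain `sc` at 490f0 is skipped as an lv2 syscall. The clobber tracking is deliberately simple (any non-store instruction whose first operand is r11), which is enough for the straight-line pattern lv2 uses but would need a real data-flow pass for code that sets r11 in another basic block.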

  #28 sapperlott (Registered User), Join Date: Nov 2009, Posts: 129
    Quote Originally Posted by Roamin View Post
    Well, I'm more attracted to what the end result of patching can achieve.

    Ok, so the way we run unsigned code with psgroove is because the return value for Hypercall 99 was patched.

    Here is a list of Hypercalls that returned the same value as Hypercall 99 when they were called. (LV1_DENIED_BY_POLICY)
    That only means that Hypercall 99 isn't allowed to be issued from OtherOS. There's no such restriction for GameOS Lv-2.
