#1 ionbladez (Contributor; joined Apr 2009; 225 posts)

    New idea for multiple exploits..

    Hi, since this is my first post, I will try to be as clear as possible.

    I've found 3 things already that have caught my interest, and 2 things I've already managed to do.
    My PS3 is FW 2.60 - I've managed to use Proxomitron to bypass the firmware check, as well as "hack" the infoboard, I have custom news, links, images, etc., on it.

    I've also found that redirecting the firmware version text file, works as well as the server version does, just changing the hex before the version.

    Possible exploit #1:
    I know that PS3 (since FW 2.42) checks the FILE SIZE of any pkg or pup it begins to download. I've modified a 1.10 FW file to match EXACTLY the size of the 2.70 Firmware, and when I go to NETWORK UPDATE, then CHECK: voila!
    It shows (my custom text file):
    A new software version is available
    Version 4.10 << now this is MY fake version, but I've HEX edited the PUP to have 4.10 inside of it.

    I KNOW for sure that the PS3 does not have SET file sizes for LATER versions of firmwares.

    But it gives me an error before it attempts a download, since I'm downloading it through Proxomitron on my laptop HDD.

    What I want to know is that how it checks EXACTLY for headers in the PUP before it begins a download. Before I modified the update, it was I think 98 MB or such, and it would BEGIN THE DOWNLOAD, hit 60%, then say:
    The software is not supported by the system.

    So I'm sure it runs some kind of hash scan, or something close to it.
    I even made it get the header info from the original file.
    I know even if I would get the updater to run, it would most likely brick the PS3, but the fact is, it downloads, regardless.
    No modchip, no special tools (except a proxy program)
    I have a 40GB 2nd gen ps3 - The only mods I have on it are blue LED strips in the front of the case, inside the unit.

    Possible exploit #2:
    Ok I've known about the TIFF exploit originally when it came out for PSP, then I found out about the PS3 version last year as well.
    I thought maybe I can make a PHP script or Javascript to emulate the file download with no prompting, but just for fun I made a script that I thought would crash the PS3 browser with a memory overflow or something close to it.

    Success, I have. It doesn't crash the browser, I let it run for about 10 minutes, after 2 minutes of activity I noticed the HDD indicator was flashing constantly, so the PS3 must be storing some TEMP info on the harddrive.

    All my script does is change the page title, and fill the page with RANDOM NUMBERS. It fills it on a normal browser, but the PS3 just shows the loading icon.

    On attempt to close the browser (circle button), no prompt came up.
    So I went to the browser menu, and hit Close.
    It closed after prompting, but then the XMB froze, while the HDD light was still flashing (Possible memory overflow? or can we fit something in there and run it..)

    The link to my script (be careful, it's made to crash ANY browser, regardless of POPUP BLOCKS, WINDOW STOPPERS, etc. It's all VERY simple, it just loops and writes random numbers to the page and adds them to the page title.)
    Easy crash? or Ingenious overflow. I'm not sure, I'm not much of a big programmer but I know my principles.

    Possible Exploit #3:
    As I said in #2, the TIFF exploit.
    I think if I get a better idea on what it does, I can re-write it or modify it to work on 2.60. I do know that the XMB will attempt to load a thumbnail for every picture, and I know that's where the TIF exploit comes in (because of the image tags, I'm guessing).

    What I'm trying to do is get a RAW file, kinda like a generic SDK for this TIFF image, I downloaded one already but I am a little clueless on how it works.

    I see no plain-text or anything. I'm guessing it's all coded or something.
    If so, what language? I have many compilers and may be able to re-write this.

    Any help/suggestions? I'd really like to see if any of my stuff would work (possibly)

    Oops, forgot the URL to my crash script.

    View the source, edit this if you like, but it works as is.

    [Register or Login to view links]

    Run with PS3 and about 2 minutes later your HD will flash.
    Again, not sure if we can actually do something with this.

    I've been messing around with proxomitron, and the firmware update (it's 1.10)

    I've hex edited the version inside to 2.70 - and retried to download it to the PS3.

    The size before didn't match, it was 365 bytes SHORT (weird?).

    Anyways I checked and now the SIZE matches EXACTLY.

    The PS3 tries to keep a connection during the EUA Notice, so I killed it off and no error, then set the redirect to my custom FW file on my hdd.

    It started downloading. Instead of 60%, it stopped at 61% this time, and said:
    Not supported.

    So I tried again. This time I have a FW 1.11 file downloaded also.
    It started the download, same settings as before.
    I know this was stupid, but worth a shot.
    I aborted all connections @ 54%, then switched mid-stream from 1.10 to 1.11 - It passed 61%, matter of fact, it went to 75%, so I stopped it again - and set it back to 1.10.

    Success. 100% Downloaded, it must hit SOMETHING in the FW 1.10 file.

    However, after it hit 100%, 2 minutes later, I get:
    "An error has occurred."

    As I knew it would double-check it, I thought it was worth a shot anyways.

    Maybe there is something like the Mini-windows feature in PS3, like mixing 2 different Windows cds on an old computer.
    But it's just a stupid theory.

    I'll update again if I get something.
    Last edited by ionbladez; 04-25-2009 at 05:22 AM Reason: Automerged Doublepost

#2 ionbladez (Contributor; joined Apr 2009; 225 posts)

    Update 2:

    Just to triple-check:
    I've started the download of 1.11 ALONE - it also hits 60% and fails.
    Anyways, here is what I have on Proxomitron:

    [Register or Login to view code]

    How does the PS3 know EXACTLY what FILESIZE the new update is, even though I have it re-directed?

    I mean it checks the file I have it directed to, again like I said before there is no possible way sony has SET file sizes for ALL their new firmwares.

    ATTACHED: Proxomitron with ALL of my config files, just load the DEFAULT configs, mess with them a bit - this is the latest version, just set your PS3 to pass to proxomitron on your PC and edit the headers.
    Attached Files

#3 footylad (Contributor; joined May 2008; 56 posts)

    Good Job!

    I myself worked on trying to rewrite my DEBUG FW on my retail to see if it would increase debug functionality, but unfortunately have erased NANDs 1 and 2, and so it just turns off after 10 seconds! So be careful; I would recommend you do this with an Infectus etc....

    Regarding your tricks, I think that is very good; you have managed to achieve up to 100% at one point.

    Regarding PUP, 60% is a security check. May I suggest you try the "HD Trick": remove the HDD, then insert it after a length of time/use a second HDD, both connected to your console, both with separate FWs extracted. As if you can spurn a PUP extraction of any FW by making the correct SIZE and changing the header to have a NEWER FW, you could for example extract 2.70 on one HDD, extract 4.20 FW (although I'd consider basing this on 2.70 so the switch over will work, i.e. no change in header) spoof on another, run 4.20 SPOOF, at 60% remove the HDD and insert the 2.70 HDD, then it should surpass that check; reinsert the 4.20 FW spoof and see how far you get. Just don't turn your console off if the progress bar stops moving; just cancel it and it should HOPEFULLY turn back on, unlike mine.

    Footylad

    PS: You could also try the Proxy method, by having a switch in that to use another file/header at a particular time?

    Footylad

#4 ionbladez (Contributor; joined Apr 2009; 225 posts)

    What?

    I don't think I want to try to screw up my PS3 from booting.
    Besides, how am I gonna get a 2.70 HDD on my PS3 that is already 2.60?

    I don't have any friends with a 2.70 FW PS3, and even if I did I'm sure they wouldn't let me borrow their HD.

    I'll keep you posted.

#5 Banned User (joined Jan 2007; 414 posts)

    You can't put a hard drive from one PS3 to another without having to format it.

#6 Banned User (joined Apr 2007; 52 posts)

    Well, I'm not trying to bag on your methods, but the PUP tricks will not work. The PUP files are signed by $ony, so changing just one byte screws up the signature and they will not pass the hash calculations that verify the FW as genuine.

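The following is an added illustration, not code from this thread, from Sony, or from any PS3 tool, of the two checks discussed in #1 (the exact file size is checked before anything else) and in #6 (the image is signed, so a single changed byte fails verification). Everything in it is constructed: the header layout, the payload bytes, and the key; an HMAC from the Python standard library stands in for a vendor public-key signature because it has the same property that matters here. The verifier runs the cheapest check first, which is why matching the size only gets an edited image as far as the next check, never to "ok".

```python
import hashlib
import hmac
import struct

# Constructed demo key. A real vendor image carries a public-key signature that
# only the vendor can produce; an HMAC stands in here (standard library only)
# because it shows the same property: any edit to the covered bytes breaks the tag.
DEMO_KEY = b"constructed-demo-key-not-a-real-vendor-key"

HEADER_FMT = ">8sI"                       # version (8 bytes, NUL padded) + payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes


def build_image(version: str, payload: bytes) -> bytes:
    """Header + payload, followed by a tag computed over everything before it."""
    header = struct.pack(HEADER_FMT, version.encode().ljust(8, b"\0"), len(payload))
    body = header + payload
    return body + hmac.new(DEMO_KEY, body, hashlib.sha256).digest()


def parse_header(image: bytes) -> tuple:
    """Return (version string, declared payload length) from the constructed header."""
    version, length = struct.unpack_from(HEADER_FMT, image, 0)
    return version.rstrip(b"\0").decode(), length


def verify_image(image: bytes, expected_size: int) -> str:
    """Run the checks cheapest-first; return 'ok' or the name of the first failing check."""
    if len(image) != expected_size:
        return "size mismatch"
    if len(image) < HEADER_LEN + TAG_LEN:
        return "truncated"
    _, length = parse_header(image)
    if HEADER_LEN + length + TAG_LEN != len(image):
        return "declared length inconsistent"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected_tag = hmac.new(DEMO_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):   # constant-time comparison
        return "signature mismatch"
    return "ok"


def patch_version(image: bytes, new_version: str) -> bytes:
    """Rewrite only the version field; every other byte and the total size stay the same."""
    _, length = parse_header(image)
    header = struct.pack(HEADER_FMT, new_version.encode().ljust(8, b"\0"), length)
    return header + image[HEADER_LEN:]


def flip_one_byte(image: bytes, offset: int) -> bytes:
    """Change a single bit of one byte, leaving the size unchanged."""
    return image[:offset] + bytes([image[offset] ^ 0x01]) + image[offset + 1:]


def demo() -> dict:
    """Constructed scenario: one genuine image and several byte-edited variants of it."""
    genuine = build_image("2.70", b"\x90" * 1000)
    size = len(genuine)
    older = build_image("1.10", b"\x42" * 500)       # shorter, validly tagged image
    padded = older + b"\0" * (size - len(older))     # padded to the exact expected size
    return {
        "genuine": verify_image(genuine, size),
        "version_patched": verify_image(patch_version(genuine, "4.10"), size),
        "one_byte_flipped": verify_image(flip_one_byte(genuine, 500), size),
        "older_padded_to_size": verify_image(padded, size),
        "wrong_size": verify_image(genuine[:-1], size),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The point the outcomes make: the size check is a sanity check on the transfer, not a security decision, so a correctly sized image simply proceeds to the integrity check, where any edited byte (version field or payload) is rejected. A real installer would additionally verify the signature before writing anything to flash, which is the check the thread's 60% observation is consistent with.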
#7 ionbladez (Contributor; joined Apr 2009; 225 posts)

    Quote Originally Posted by XVISTAMAN2005:
        Well, I'm not trying to bag on your methods, but the PUP tricks will not work. The PUP files are signed by $ony, so changing just one byte screws up the signature and they will not pass the hash calculations that verify the FW as genuine.

    Actually I was aware of this the whole time, the point is getting it to download fully.
    I know it checks the download every so often, that's why I kill off the connection to see what it is looking for. It's a little strange it doesn't throw some error..

    Anyways, I'm trying to get this little "hack" done, from another thread, where you pull out the HD and original PS1 game and swap in the backup, and put the HD back in.
    I've had multiple filesystem corruptions and other stuff, but I have YET to get it to work. I've tried timing, pulling HD out before starting the game, etc. nothing works.
    100% Tested and NOT WORKING on PS3 FW 2.60 - 40GB.

    I'll keep trying, I know there must be a way to do this.

#8 footylad (Contributor; joined May 2008; 56 posts)

    Quote Originally Posted by ionbladez:
        I don't think I want to try to screw up my PS3 from booting.
        Besides, how am I gonna get a 2.70 HDD on my PS3 that is already 2.60?

        I don't have any friends with a 2.70 FW PS3, and even if I did I'm sure they wouldn't let me borrow their HD.

        I'll keep you posted.

    Yer, it's not good bricking your PS3, I know lol.... just be careful. XVISTAMAN is right, so it's unlikely to be fully signed and then flashed post 60 ish % when copying to the NAND occurs, as up to 60% it's security checks, and if you get any further you could screw your console up completely. Not sure when NAND erasure occurs, but just don't rewrite your FW version, as it appears to erase backup and live NANDs; well, it did for me!

    Footylad

    @IDONE the HDD is only paired to the PS3 during FW install, isn't it? I know a format is required, but doesn't pairing the HDD to the PS3 in normal function just install the partitions for your Hypervisor's encryption?

#9 ionbladez (Contributor; joined Apr 2009; 225 posts)

    Possibly a miss?

    Ok well it seems when some games update, they do not connect to the secure server, instead they connect to dl.playstation.net or something..

    Anyways this could be a possible sploit to kick some modified headers into it.

    I have a couple games that would need some updates, especially CoD:WaW;
    it updated last night but not on a secure connection which was rather odd.
    All my other games connect [Register or Login to view links]

    I can probably throw something in there with luck, but I'd have to download the package on my laptop first.

    I'll try this tonight, and that PS1 Swap method DOES NOT WORK.
    Anyways it was worth a shot.

#10 footylad (Contributor; joined May 2008; 56 posts)

    Interesting. Problem is the COD WAW update will probably be a signed PKG or several, and so it's then just going back to signing modded PKGs, which isn't possible at the present time. Whereas unencrypted game saves, commented on in a separate thread in this forum, are more likely to cause a problem, as they do, i.e. crash the console, than simply downloading a signed PKG from a different website...

    Footylad

© 2014 PlayStation 3 News