Sponsored Links

Sponsored Links

Video: PS3 Unbanning IDPS Proj3ct by Labuse and Raymanvtwo


Sponsored Links
76w ago - Following up on the PS3 IDPS Viewer, PS3 Request IDPS Generator and PS Unban, today French PlayStation 3 homebrew developers Labuse and Raymanvtwo have shared a video introducing their latest PS3 unbanning IDPS Proj3ct.

To quote, roughly translated:

This process deals with modification in the flash memory of your PS3. So beware of the risk involved. As you will be the one responsible for any damages.

1 - It’s free.
2 - It does not provide for IDPS.
3 - 1 change per member (archiving R_K to control all business)
4 - no requirement to have an ODE or another to benefit from this service.
5 - Do not buy IDPS! , but get it by your own means. It does not provide a repair service or any failure or brick If you do not have access to PSN / SEN after our intervention, you you probably have stolen your IDPS, we test the validity of IDPS before making the change.
6 - You do not store the IDPS valid for use and even less for
resale.
7 - No, not the service sony unbanned person a simple phone call, this is totally false.
8 - No, it is not a simple change with a hex editor, and it does not
change enough to IDPS only on known offsets.

To start here are the essential conditions to be fulfilled before you make the final change of IDPS:

1 - Have their console banned from PSN
2 - console already be hacked (CFW)
3 - have a valid IDPS to provide for replacement

If you do not meet any of these conditions, then it is no need to go further... however if all conditions are met then we will be able to do something for you, but before that take the time to read all the explanations below!

PS3 IDPS FAQ:

What is to Proj3ct IDPS?

To de-ban your console SEN / PSN actually modifying the flash memory of it.

How do I know if it is my PSN account or if my console ID that is banned?

If you get this message to the PSN sign: “Access denied or temporarily suspended for this system,” is that your console ID banned.

To which PS3 models are targeted modification of ID with IDPS Proj3ct?

For all models Fat and Slim CFW (before 3000 series).

Who is this service free of IDPS change?

Everyone has provided to meet the three key points above, nor any ODE Flasher is asked to make the change.

Why Does not provide you IDPS?

Just for 2 reasons: The first is that for the time being we do not yet generate non-original identifiers so they must find true and valid they are rare and valuable, however we work in progress to try to remedy this problem... and the second, CFW consoles connecting to PSN are too easily spotted and can not afford to lose identifiers for a few hours / days of games online.

Why Proj3ct IDPS is not distributed freely?

Because the conversion of the dump is difficult and requires a good knowledge in this field, any approximation leads directly onto a brick your console, but also to avoid unscrupulous pharmacies that will make their business to make money with our work, we hope that it is Free for the community and we will offer you this service. s

Secondly, because this change make public console could seriously undermine all users PS3 OFW, and it is only this reason that motivated the choice of delivery method!





How it’s gonna happen to change definitely IDPS?

1) Visit in [APPLICATION] IDPS PROJ3CT (ps-addict.fr/forum/post96895.html#p96895) to put your formal request for change of IDPS, stating:

PS3 Slim 320 GB / Fat 40 gb, etc. ...
Model: CECH .....
CFW up:
Level of knowledge PS3 (beginner - expert - expert)

2) Wait for an consideration answer of your request.

3) After acceptance of your application to the post in question, you can send your items BUT only in MP to Labuseor Raymanvtwo the following files:

  • Your Root_Key
  • Dump Your conducted with MM
  • Your IDPS (HS recovered on a console, for example)
  • A picture of your system properties in Multiman

Note: you will find the method and tools to recover these different elements in the [TUTORIAL] IDPS PROJ3CT (ps-addict.fr/forum/post96894.html#p96894).

4) We check first the actual validity of your IDPS then proceed to the actual change of the IDPS in your dump. We send it back within 2 to 4 days max MP.

5) You re-flash your PS3 with Multiman to the dump you have recovered.

6) You still have to format your PS3 to erase all traces using a CFW and you can now enter the OFW update, your console is banned from de-SEN / PSN! attention: any use of PSN CFW after the de-banning your console to deliver in the same situation a few hours / days later... and I recall that we do not make one final change by console! Enjoy!






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 40 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

PS3 News's Avatar
#35 - PS3 News - 50w ago
Following up on the previous PS3 IDPS Changer and ChangePSID, today PlayStation 3 developer zecoxao has released an updated PS3 IDPS / PSID Changer with details below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2)

To quote: Ok guys, so here's something I have for you. This is an idps/psid changer.

This changes the idps in section 0 or section 6 and the psid in section B (not A sorry, i corrected that on the wiki) PERMANENTLY on flash. so, you know the drill. be VERY careful when using this tool and always take precautions with a flasher.

You're going to need 5 things: root_key, a backup of your nor flash (only nor is supported at the moment but you can easily make it compatible for nand consoles by changing the offsets at merge_section as well as change the name to whatever you wish to call your flash), a back up of eid (you can obtain this with flow rebuilder or using memdump) and, obviously, the idps and the psid you want to use on your console.

As for the final hash in each section, the libeeid creator was kind enough to take care of that, so don't worry about that but PLEASE use valid idps and psid files!!!

Any questions, please ask. and yes, that handles cex2dex too.

[Register or Login to view code]


9th byte list (from wiki): pastie.org/private/lqwgs1qzh1jd14kmbea8a

[Register or Login to view code]

10th byte list (from wiki): pastie.org/private/ftr9f5yw164jhndy3ieoa

[Register or Login to view code]

Notes: if you notice, cechgs appear in almost all possibilities of the 9th byte list, except in the static idps 9th byte.

Banned idps list from "Free IDPS" thread: pastie.org/private/mk0ipzwuo9woejakc45sa

[Register or Login to view code]

Buffer Overflow on Save Games

This comes back from the psp era. usually, you'd insert a disc, load a certain save and it'd load a data that'd have a very long string. at the end or the middle of that string you'd see a binary loader (hbl.bin) that would load the main menu of HBL. In the case of the ps3, before the crypto fail was publically announced, little to nothing was possible in regards to load a binary of a savegame. now, thanks to that and thanks to flatz 's amazing tools, it might be a possibility in the near future

Since there isn't a tool that handles savegame crashes (yet), so far we can only manage ourselves with a DEX/Convert and eth debug to know what happens at the time of the crash/freeze.. in my case, i don't have access to such tools, but there are people who do

So, you can try this for yourselves.. this was made in fifa 09. i turned auto-save off (so it didn't overwrite the crafted save i made), made a savegame profile, and loaded the disc. The result was that it crashed while loading the save.

The only thing i changed was SYS-DATA. i opened it in HxD, and filled my name (zecoxao) with o's until it matched Ronaldo's string entry. that caused the game to crash.

Theoretically, you can most likely load a disc-bind 3.55 and below signed self from a register that returns an address and it'll just load the self (i think) although i didn't try this myself yet, because i can't debug it properly on a superslim. Anyone who wishes to give it a go is welcome to do so.

Printing Things to the Screen

As you all know, neither the sdk nor the psl1ght environment allow you to print things natively to the screen , at least not without using rsx. fortunately, inside the cobra sources of their usb, there is something that enables that, making debug output MUCH easier.

The specified functions are debug_install and debug_printf. debug_install patches the necessary offsets and redirects tty output to the screen, and then debug_printf simply prints the thing you want. this might not sound much but it's a VERY useful feature, specially when you want to debug code and you like to visually see what is happening. also, this could turn things such as memory patching and dumping much easier to look at.

I'd like to compile it myself and test for results but i don't have a working hackable console. so i'd like to ask any of you devs to test it and check if it works or not. as i was told it does seem to work, so i hope that this gets adapted to PSL1GHT very soon.

U$er , i'd like you to be the first person to test this, since you have understood the plugin loading and adapted it for ourselves.

Buffer Overflow on Save Games

This comes back from the psp era. usually, you'd insert a disc, load a certain save and it'd load a data that'd have a very long string. at the end or the middle of that string you'd see a binary loader (hbl.bin) that would load the main menu of HBL.

In the case of the ps3, before the crypto fail was publically announced, little to nothing was possible in regards to load a binary of a savegame. now, thanks to that and thanks to flatz 's amazing tools, it might be a possibility in the near future.

Since there isn't a tool that handles savegame crashes (yet), so far we can only manage ourselves with a DEX/Convert and eth debug to know what happens at the time of the crash/freeze.

In my case, i don't have access to such tools, but there are people who do

So, you can try this for yourselves.. this was made in fifa 09. i turned auto-save off (so it didn't overwrite the crafted save i made), made a savegame profile, and loaded the disc.

The result was that it crashed while loading the save.. the only thing i changed was SYS-DATA. i opened it in HxD, and filled my name (zecoxao) with o's until it matched Ronaldo's string entry. that caused the game to crash.

Theoretically, you can most likely load a disc-bind 3.55 and below signed self from a register that returns an address and it'll just load the self (i think) although i didn't try this myself yet, because i can't debug it properly on a superslim.. anyone who wishes to give it a go is welcome to do so.

From pastie.org/private/p1mxjrd6xbmv3hrphazxsw (the freeze):

[Register or Login to view code]

LR is what matters to us. it's called Link Register and returns the address of what we want to load.

IT'S A TARP! Thanks flatz for the debugging)

FIFA 08 (props to NiceShot for the logs) (via pastie.org/private/9iqksaxgxpo8kdqxc87g):

[Register or Login to view code]


Register control in GPR0 (0x31) (via pastie.org/private/hqi53jdrhltfvdaezn3png):

[Register or Login to view code]

Controlling r0 is pretty much the same as controlling the link register. if we control r1 we can control the rop.

Here are the core dumps for fifa 08 and 09. r0 is controllable in both games (it's probably hitting the stack)

Download: [Register or Login to view links]

It'll take some minutes to upload them, so please wait.

Lv2diag.self bricking consoles?

I told myself i wasn't going to post any more about ps3s but this is really bugging me so... i was hanging out in skype when suddenly vapour barges in and says a self he created with Objective Suites bricked his ps3.

Naturally, for a person who bricked 7 consoles by flashing ways, i thought he was kidding, since nowhere in the world Sony would do such a thing. then i asked hellsing9 to test it somewhere. he tested the self. it bricked. he tested again, bricked again. then i asked greysmoke. he tested the self. it didn't brick.

My question is this: in which consoles can the brick be caused, what causes the brick to be triggered, and most importantly, can we intercept the process of the command of bricking and replace it with something else?

This is the self (3.42 appldr signed): [Register or Login to view links]

Needless to say flashers can and MUST be used before doing anything. They can unbrick. E3 flasher can be used as any regular flasher. as for the pinouts, i believe they are available on the wiki (NiceShot has the picture).

From NiceShot: Uhm... you should have the original dump before trying this, I'm not sure if dumping it, byte swapping and flashing it back will solve the problem but it is worth trying, I had a broken e3 flasher clip so I had to map the whole points to use e3 linker but if you have an e3 flasher with e3 clip you can do the job the same way, but there you have the pinout for MSX-001:

[Register or Login to view links]

Cheers

PS3 IDA Stuff

So, i was bored and i decided to open ida pro and take a look at things. then, someone told me that i could open idb files in ida. so i went to graf's bible and opened a few. fun. anyways, here are some scripts/updates of scripts.

HV Dump script has "new" function names instead of the usual "undocumented_function" crap and export script prints all the function names to the screen (the ones that don't start with sub_) consider this a release of sorts. i'll try to take care of syscall_names.idh tomorrow for the lv2 dump script.

Download: [Register or Login to view links]
GIT: github.com/zecoxao/ps3ida

Github contains precompiled loaders, plugins, signatures, and the new scripts. i've updated the zip. you should have now two aditional export functions. one for the syscalls, and another for the hvcalls. gonna see if i can take care of syscall_names, idh today.

Edit: taken care of: github.com/zecoxao/ps3ida/blob/master/syscall_names.idh

Kinda piggish but it does the trick

Added some more signatures. had to use a trick. They're on github: github.com/zecoxao/ps3ida/tree/master/sig/ppc

eEID5 Keyseed and Section Keys Found

[Register or Login to view code]

Edit: some corrections: psdevwiki.com/ps3/Keys#KIRK (thanks euss)

KIRK

A68BEDC33418029C1D3CE33B9A321FCCBB9E0F0B

location: in lv2_kernel.self

More KIRK keys

  • github.com/uofw/upspd/wiki/KIRK-13---ECDSA-point-multiplication
  • code.google.com/p/kirk-engine/source/browse/trunk/libkirk/kirk_engine.c
  • wololo.net/talk/viewtopic.php?p=80302#p80302

AES requires a 16 byte multiple message.. i have no idea of what unk_keyseed is.

[Register or Login to view code]

Interesting info on KIRK 0xC, 0xD, 0x10, and 0x11 functions by Proxima

[Register or Login to view code]

Download: [Register or Login to view links]

To quote(from pastie.org/private/hzqhpgaxgdybq3zjudqpva):

[Register or Login to view code]

Finally, from LiquidManZero (via psx-scene.com/forums/f153/new-63886/index28.html#post992654):

Welp. I'm just going to leave these here... Also Rand, I know you're watching.

[Register or Login to view code]

From zecoxao: Euss right next to this (psdevwiki.com/ps3/Seeds#sc_iso_key_seeds) there's a chunk of data, size 0x290, which is loaded twice in two separate functions. i'm guessing that this is some sort of eid1 in disguise? this is on the jig firmware btw.

There is also a third value which i don't recognize (next to be2sc and sc2be keys):

[Register or Login to view code]

More PlayStation 3 News...

mahidi's Avatar
#34 - mahidi - 71w ago
DLL files is missing after downloading the dll it still asking me for ssleay32.dll why they couldn't make this program perfectly??

onik's Avatar
#33 - onik - 72w ago
is there any brick possibilities while reflashing??

s25s's Avatar
#32 - s25s - 75w ago
great work

we need also update for change (psid) because some of ban in psid

PS3 News's Avatar
#31 - PS3 News - 76w ago
Following up on the PS3 IDPS Proj3ct, today PlayStation 3 developer Joris (aka JorisD33) has made available PS3 IDPS Changer version 1.1 followed by v1.3 and IDPSet v0.6 with details below.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] / [Register or Login to view links] (Latest Version) / [Register or Login to view links] / [Register or Login to view links] (IDPSTool and IDPSet by Zar to change PS3 IDPS) / [Register or Login to view links] by Zarh

From the ReadMe File:

What do this application do?

This application will change your IDPS and optionally your MAC address into your flash dump.

How can I use it?

Just put a VALID(!) NOR/NAND dump called dump.bin and your eEID Root Key called eid_root_key.bin into the same directory, run the program and enter your new IDPS.

Your modified dump will be created as dump_patched.bin, you just have to flash it back to your console.

How can I dump my eEID Root Key?

[Register or Login to view links]

How can I dump my flash?

  • Hardware flasher (E3, Teensy, Progskeet...)
  • Multiman
  • ...




How can I byte-reverse my dump?

Flowrebuilder: [Register or Login to view links] / [Register or Login to view links] (Mirror)

4.2.3.0 Changelog:

  • added support to manage NAND preloader dumps
  • message user about the type of dump
  • message the user if bootloader are missing
  • auto-recognize if dump is normal or byte swapped and automanage them

If you byte-reverse your dump before using this application, remember to byte-reverse it back after the procedure.

CHANGELOG 1.0:

  • Initial release

From haz367: proper eid0 section/part conversion so the new idps at least has correct values after it (cex2dex offsets 002F090-2F14F//omac hash)

offset 2F077/2F07F (new idps)

offsets/block: 2F090-2F14F - new values calculated/added to have valid idps change? at least better then only changing IDPS line

offset 303D7/303DF (new idps)

offset 3F040-3F045 (new mac)

tested offline and trashed with my own dumps. not needed but people deserve second change right, only need to brick another PS3 to get new idps. great share for that.

Update: PS3 IDPS Changer v1.3 Changelog: Here is the latest version of this sweet little app. I had troubles using all versions prior and now I have permanently installed new IDPS on over 30 systems. Make sure you have openssl installed via cygwin, enable XP SP2 compatibility on openssl.exe. Then grant admin access to openssl.exe as well as IDPS Changer then drop these files in the cygwin directory to ensure all the needed dll files are present.

Name your eEID Root Key - eid_root_key.bin (obtained via FW 3.55)
Name your NOR/NAND dump - dump.bin

Then place these in the cygwin folder as well with the other stuff we just installed/added

Then simply run the IDPS Changer.exe and follow instructions, this also allows changing of your MAC address. After the app is done simply rename the dump_patched.bin to the following depending on your flash type NAND or NOR.

Nor model = CEX-FLASH.FULL.EID0.NORBIN

Nand model = CEX-FLASH.FULL.EID0.NANDBIN

Once you have named the file copy on to a flash drive and open mM and go to mMOS then open the drive with the newly patched dump. Double click on it and wait for it to install. Once done reboot your system and go back to mM and the settings and look at your new MAC/IDPS on your freshly unbanned PS3.

Update: IDPSTool become IDPSet v0.6 is now available (linked above) by Zar from the PS3Gunz French site.

With this new version, you can permanently change your console IDPS (NAND and NOR). You just have to run IDPSet on your CFW (with Eid Root Key and valid IDPS on your USB key).

Finally, Zarh made available IDPSet v0.62 PKG with the following updates:

  • added the default paths of FLATZ's eid_root_key dumpers
  • added a check of eid_root_key
  • and now it's display the region matching with the target ID
  • fix name of dumps

More PlayStation 3 News...

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News