  1. #1311
    mod632 Guest
    Quote Originally Posted by atko View Post
    Fifa 12 works perfectly apart from no commentary at all during the match. Anyone else got this problem?
    it works fine on my 3.55 kmeaw with commentary, i have only played friendly match

  2. #1312
    atko Guest
    I think its my own fault. I only downloaded 3gb of it without realising its a lot bigger. If your not bothered about the commentary you could get away with just getting the first pkg and still play all the modes without any problems.

  3. #1313
    roccat Guest
    thx for mass effect 2 DLC

  4. #1314
    pr0p0sitionJOE Guest
    OK, this may be my fault for not explaining the FIFA12 PSN parts feature to people in enough detail.

    So, here is the deal:

    FIXED FULL GAME [Pkg 1]: (Core files)
    FIXED FULL GAME [Pkg 2]: (Core files, en-us, en-uk, ru languages)
    FIXED FULL GAME [Pkg 3]: (other languages)

    Now, if someone downloads only part 1 he will probably get all but commentaries and some fancy additional stuff. If you download parts 1 and 2 you will get the complete game with commentaries in the mentioned languages. Part 3 is the remaining languages, which probably means commentaries and sounds. So this is a clearer explanation of the content of the 3 parts.

    Enjoy your soccer!

  5. #1315
    Join Date
    Apr 2005


    Here are some more repacks for those interested:




    LANGUAGE: English, German, French, Italian, Spanish, Dutch, Polish, Czech, Portuguese, Swedish, Russian, Hungarian


    Install A,B,C.pkg files in order
    Works on 3.41 and 3.55
    Enjoy and have fun






    IND is proud to present: FIFA 12 PSN - Released on 11 January 2012

    Install Instructions:

    1. Run FIFA12PSNFIXED01.pkg
    2. Run FIFA12PSNFIXED02.pkg
    3. Run FIFA12PSNFIXED03.pkg
    4. That's it (already prepatched!)


    Also from IRC:

    [Xloader] I added a bunch of info to the wiki from Mathieulh if anyone is interested: ps3devwiki.com/index.php?title=User_talk:Xloader
    [Xloader] If anyone cares these are the offsets used for container decoding [For psn]
    [Xloader] 0x90C0000092C 0x94C0000096C 0x98C000009AC 0x9CC000009EC 0xA0C00000A2C 0xA4C00000A6C 0xA8C000008AC 0x8CC000008EC 0xAAC00000ACC 0xAEC00000000 0xDD400004000


    Dump LV0 3.55

    [20:10:59] [Mathieulh] you just need a freaking infectus
    [20:11:05] [Mathieulh] and coding skills
    [20:11:21] [Mathieulh] you patch lv1ldr
    [20:11:26] [Mathieulh] so that when lv0 loads it
    [20:11:33] [Mathieulh] lol
    [20:11:42] [Mathieulh] yah I have read 3.55 xD
    [20:11:49] [Mathieulh] 3.55 lv0 is EASY to dump
    [20:11:58] [Mathieulh] so anyway lv1ldr is loaded by lv0
    [20:12:06] [Mathieulh] and has access to all the xdr memory space
    [20:12:11] [Mathieulh] at least at the time it gets loaded
    [20:12:15] [Mathieulh] so you can read and write
    [20:12:20] [Mathieulh] without messing with lv1
    [20:12:25] [Mathieulh] well you get the idea
    [20:12:38] [Mathieulh] of course you have to sign it
    [20:12:46] [Mathieulh] but it's not like you don't have the keys
    [20:13:10] [Mathieulh] and it makes things about 300% easier than using lv1 to do the dump
    [20:13:23] [Mathieulh] because you don't have to touch the xdr at all


    [19:49:22] [Mathieulh] I figured the algo
    [19:49:25] [Mathieulh] for metldr/bl
    [19:49:28] [Mathieulh] the one for the encryption
    [19:49:34] [Mathieulh] and I even got some of the keys they use
    [19:49:43] [Mathieulh] I can even "calculate" the per console key now
    [19:49:46] [Mathieulh] but I lack 2 statics
    [19:50:00] [Mathieulh] and I know how the header is parsed
    [19:50:17] [Mathieulh] yah, that's what happens when sony reuse the algo somewhere else
    [19:50:20] [Mathieulh] along with some of the keys
    [19:50:31] [Mathieulh] I actually had it reversed before but I failed to notice it was the same
    [19:51:01] [Mathieulh] I can also decrypt the per console key stored in the metldr/bl header
    [19:51:05] [Mathieulh] the 12 bytes one
    [19:51:25] [Mathieulh] well actually it's more than 12 bytes because they only use this as part of the key xD
    [19:51:28] [Mathieulh] well there are 2
    [19:51:34] [Mathieulh] one is used to decrypt the second
    [19:51:41] [Mathieulh] which is stored in the metldr/bl header
    [19:51:57] [Mathieulh] the encryption uses several steps
    [19:52:07] [Mathieulh] in the end a 40 bytes key is used to decrypt the remaining data
    [19:52:13] [Mathieulh] woops
    [19:52:16] [Mathieulh] 0x40 butes
    [19:52:19] [Mathieulh] bytes*
    [19:53:09] [Mathieulh] the problem
    [19:53:20] [Mathieulh] is that I lack the static used to decrypt the other 12 bytes
    [19:53:25] [Mathieulh] which is the per revision key
    [19:53:36] [Mathieulh] also stored in metldr/bl header
    [19:53:58] [Mathieulh] well actually it's not really 12bytes but you need them to form the key
    [19:54:17] [Mathieulh] cause it's 12 + 4 bytes
    [19:55:07] [Mathieulh] anyway I am back to do constructive stuffs
    [19:55:50] [Mathieulh] oh ! also isoldr actually clears the eid root key
    [19:55:55] [Mathieulh] from offset 0
    [19:56:02] [Mathieulh] before passing execution to isolated modules
    [19:56:06] [Mathieulh] but I can still calculate it back :P
    [19:56:12] [Mathieulh] and thus dump it from an isolated module xD
    [19:56:44] [Mathieulh] eussNL they don't use the 12 bytes as a final key
    [19:56:51] [Mathieulh] they use 16 bytes total
    [19:57:15] [Mathieulh] yes, they use 16 bytes key and 16 bytes iv
    [19:57:18] [Mathieulh] for first step
    [19:57:23] [Mathieulh] from which 12 bytes
    [19:57:30] [Mathieulh] are not static
    [19:57:41] [Mathieulh] and are encrypted
    [19:57:56] [Mathieulh] by another key/iv
    [19:58:23] [Mathieulh] (cbc256)
    [19:58:40] [Mathieulh] I have those for the second 12 bytes
    [19:59:07] [Mathieulh] they are per console, but I know how to calculate them (kinda)
    [19:59:26] [Mathieulh] and they are used to decrypt the 12 bytes per console from the metldr/bl header
    [20:00:48] [Mathieulh] I just lack the keys
    [20:00:52] [Mathieulh] to decrypt the first 12 bytes
    [20:00:58] [Mathieulh] used on a per revision
    [20:01:12] [Mathieulh] otherwise I have the whole algo + header parse + some of the keys
    [20:04:19] [Mathieulh] kinda
    [20:04:48] [Mathieulh] it's rather useless anyway
    [20:04:56] [Mathieulh] because you lack one of the keypair
    [20:05:07] [Mathieulh] but it's nice to know how the crypto engine works
    [20:05:18] [Mathieulh] only part of it is there though
    [20:05:23] [Mathieulh] the header parsing and other crap isn't there
    [20:05:48] [Mathieulh] and the main 256cbc key isn't there either
    [20:05:56] [Mathieulh] (the one I got)


    [Mathieulh] btw you can still get homebrews on 3.56 using npdrm and a new pair key but meh... so instead they blacklisted geohot's keypair and added a bunch of other useless checks geohot stuff doesn't generate some of the npdrm specific values those were not checked in 3.55 but they are checked in 3.56 now there is no whitelist for npdrm so it's actually possible to generate valid npdrm self for 3.56+ that tool I made a screenshot of actually does that it's enforced by lv1 though yeah it's a hash but I won't say more everything you need is in the 3.56 fw :P same checks you won't get around crafting valid 3.56+ npdrm selfs without a proper makeself tool though

    Bd Firmware

    [15:48:58] [Mathieulh] uh oh .... I think I may have found a way to dump the decrypted bd firmware from software....
    [15:50:36] [Mathieulh] why the heck did sony engineers had to put some fancy useless hidden debug test mode on their drive ? xD
    [15:51:46] [Mathieulh] well it IS locked with some stupid "password"
    [15:51:54] [Mathieulh] but they leaked the "pass" "somewhere"
    [15:51:57] [Mathieulh] so meh.... xD
    [15:52:44] [Mathieulh] lol so he could grab my work and call it his own ? Yeah right... xD
    [15:52:59] [Mathieulh] Melfice craploads of undocumented commands I can use
    [15:53:13] [Mathieulh] looking at figuring out the syntax to dump
    [15:53:30] [Mathieulh] then I can find the key
    [15:53:35] [Mathieulh] patch the firmware
    [15:53:38] [Mathieulh] and flash it to my box
    [15:53:51] [Mathieulh] and make it recognise all my discs as genuine
    [15:54:04] [Mathieulh] just for the lulz xD
    [15:54:36] [Mathieulh] of course I need to flash it from 3.55
    [15:54:40] [Mathieulh] at least for now
    [15:54:51] [Mathieulh] the thing doesn't seem to be signed
    [15:54:56] [Mathieulh] so.... fail
    [15:55:03] [Mathieulh] it's just crypto
    [15:55:05] [Mathieulh] you get the key
    [15:55:11] [Mathieulh] you can make your own firmware
    [15:55:21] [Mathieulh] and "update" it from the ps3
    [15:55:32] [Mathieulh] nah
    [15:55:44] [Mathieulh] the "password" is an actual key
    [15:56:01] [Mathieulh] yah
    [15:56:07] [Mathieulh] 128 bits
    [15:56:17] [Mathieulh] I have it :P
    [15:56:41] [Mathieulh] the command for the test mode is also somewhat hidden
    [15:56:50] [Mathieulh] but meh.... xD
    [15:57:19] [Mathieulh] xell you need the drive in the ps3
    [15:57:23] [Mathieulh] to use that crap
    [15:57:26] [Mathieulh] or so I think
    [15:57:45] [Mathieulh] not sure if it can be used from pc by converting the port to regular sata
    [15:57:48] [Mathieulh] and I do not plan on doint it
    [15:57:51] [Mathieulh] doing it *
    [15:58:16] [Mathieulh] once you get the test mode unlocked you can do fancy crap
    [15:58:23] [Mathieulh] like read the drive controller ram
    [15:58:24] [Mathieulh] raw
    [15:58:27] [Mathieulh] and write to it
    [15:58:39] [Mathieulh] so I could patch the firmware on the fly for example


    [23:30:13] [Mathieulh] well so far it's "I am using a lower firmware I can sign on"
    [23:30:16] [Mathieulh] so meh...
    [23:31:44] [Mathieulh] if that can change your mood, I actually know how I do it ! :P
    [23:32:33] [Mathieulh] good luck exploiting something you can't load
    [23:35:45] [Mathieulh] you can pwn the ppu through spi bus easily
    [23:35:56] [Mathieulh] and run code even on cech3000
    [23:36:06] [Mathieulh] requires hw though
    [23:36:09] [Mathieulh] obviously
    [23:36:18] [Mathieulh] you can use that to pwn the bl
    [23:36:23] [Mathieulh] if you dunno how to reload it
    [23:41:30] [Mathieulh] phiren, you can write to xdr
    [23:41:32] [Mathieulh] through spi
    [23:41:35] [Mathieulh] not read though
    [23:41:39] [Mathieulh] but who needs read right?
    [23:41:43] [Mathieulh] you can allocate ram too
    [23:41:53] [Mathieulh] you can do nice things basically
    [23:42:01] [Mathieulh] all through a 50mhz bus
    [23:42:16] [Mathieulh] they should have a sticker with "insert modchip here"
    [23:42:27] [Mathieulh] it's still in cech3000
    [23:42:34] [Mathieulh] so you can patch ram on the fly
    [23:42:40] [Mathieulh] and gain control freaking early
    [23:42:57] [Mathieulh] btw the meta exploit still works on the new bl for what it's worth
    [23:43:14] [Mathieulh] so you can in theory get it to decrypt lv0.2 for you although that is quite useless
    [23:43:21] [Mathieulh] you cannot gain code execution though
    [23:43:28] [Mathieulh] at least I haven't succeeded in it
    [23:43:52] [Mathieulh] yeah
    [23:44:04] [Mathieulh] you can do ram patches though
    [23:44:07] [Mathieulh] if you know the offsets
    [23:44:18] [Mathieulh] and kill checks
    [23:44:25] [Mathieulh] the xdr one?
    [23:44:26] [Mathieulh] nope
    [23:45:20] [Mathieulh] there is another nice hack phiren
    [23:45:27] [Mathieulh] there is a test mode pin
    [23:45:32] [Mathieulh] on the xdr bus
    [23:45:43] [Mathieulh] which sets the clock to any value you want
    [23:45:50] [Mathieulh] so you can slow down the xdr
    [23:46:00] [Mathieulh] and have something attached to it
    [23:46:03] [Mathieulh] let's say a fpga
    [23:46:06] [Mathieulh] well you get the idea
    [23:46:16] [Mathieulh] hw wise the mobo security fails
    [23:46:26] [Mathieulh] I just fail wit hw
    [23:46:29] [Mathieulh] with*
    [23:46:37] [Mathieulh] so I cannot build it mysekf
    [23:46:39] [Mathieulh] myself*
    [23:46:58] [Mathieulh] yeah cause that is cpu related
    [23:47:10] [Mathieulh] but 1. the ldr binaries have bugs
    [23:47:23] [Mathieulh] 2. There is a hw design flaw
    [23:47:28] [Mathieulh] which allows through software
    [23:47:35] [Mathieulh] using lv2 privs or higher
    [23:47:44] [Mathieulh] to write data at random addresses
    [23:47:51] [Mathieulh] anywhere in the LS of a given spu
    [23:47:59] [Mathieulh] including the isolated LS
    [23:48:18] [Mathieulh] the only variable is that you do not control the LS address you hit
    [23:48:23] [Mathieulh] no
    [23:48:30] [Mathieulh] that is something I found by mistake
    [23:48:35] [Mathieulh] and shouldn't even have found
    [23:48:46] [Mathieulh] it's a pain to use to exploit anything
    [23:48:49] [Mathieulh] but it can
    [23:48:56] [Mathieulh] given patience and the right circumstances
    [23:49:06] [Mathieulh] you can pwn the new metldr with that for example
    [23:49:35] [Mathieulh] of course some criterias have to be met as well
    [23:49:38] [Mathieulh] the isolated process
    [23:49:43] [Mathieulh] has to use a specific function
    [23:49:52] [Mathieulh] one that sadly is used a lot by loaders
    [23:49:56] [Mathieulh] or usual spu binaries
    [23:50:04] [Mathieulh] the more it's used
    [23:50:14] [Mathieulh] the more often the bug can be triggered
    [23:50:39] [Mathieulh] zecoxao, which one?
    [23:50:48] [Mathieulh] the spi fail can be used on current consoles
    [23:50:58] [Mathieulh] as in cech3k and whatnot
    [23:51:02] [Mathieulh] ah !
    [23:51:04] [Mathieulh] yeah it can
    [23:51:12] [Mathieulh] works on 3.74
    [23:51:24] [Mathieulh] well 4.00 too

    Clock Rate

    [23:45:27] [Mathieulh] there is a test mode pin
    [23:45:32] [Mathieulh] on the xdr bus
    [23:45:43] [Mathieulh] which sets the clock to any value you want
    [23:45:50] [Mathieulh] so you can slow down the xdr
    [23:46:00] [Mathieulh] and have something attached to it
    [23:46:03] [Mathieulh] let's say a fpga
    [23:46:06] [Mathieulh] well you get the idea

    [22:28:09] [Mathieulh] also the xdr clock speed can be decreased
    [22:28:33] [Mathieulh] Apocalyps, it allows to load metldr at runtime
    [22:28:39] [Mathieulh] it gets decrypted by the crypto engine
    [22:28:42] [Mathieulh] and authenticated
    [22:28:47] [Mathieulh] and then runs in a secure context
    [22:28:50] [Mathieulh] in isolation mode
    [22:29:08] [Mathieulh] Apocalyps, you need to exploit the isolated process
    [22:29:21] [Mathieulh] zecoxao, that's a way
    [22:29:23] [Mathieulh] there are others
    [22:31:01] [Mathieulh] if you want to go the hw route
    [22:31:10] [Mathieulh] do not try to read the shared LS directly
    [22:32:28] [Mathieulh] randev the LS is only interconnected to the EIB
    [22:32:40] [Mathieulh] and the EIB can only be accessed from the ppu
    [22:33:08] [Mathieulh] Apocalyps, go for it then
    [22:33:21] [Mathieulh] it's not all internal
    [22:33:37] [Mathieulh] the shared LS can be accessed from the ppu

    Fake Sign

    [14:33:39] [Mathieulh] though I can run code on untouched 3.56 but that's just me :P
    [14:33:51] [Mathieulh] I have to do something on 3.55 or below first though :/
    [14:34:33] [Mathieulh] IceKiller I just get the box to DEX, then I set the fself flag
    [14:34:39] [Mathieulh] so I can run fself with any control flags
    [14:34:49] [Mathieulh] no need for signatures

    [21:46:46] [Mathieulh] the exploit I have can make it so I don't need my binaries to be signed for them to run
    [21:46:56] [Mathieulh] including ldrs
    [21:46:59] [Mathieulh] or even lv0 //If we can sign our own lv0 we could get at bootloader
    [21:47:12] [Mathieulh] (and even update packages)
    [21:47:20] [Mathieulh] it's a stupid bug
    [21:47:23] [Mathieulh] but it's there
    [21:47:40] [Mathieulh] though it's a loss less convenient than just signing your binaries
    [21:47:45] [Mathieulh] but it works
    [21:48:20] [Mathieulh] it's different
    [21:48:50] [Mathieulh] the ecdsa code itself is secure
    [21:48:58] [Mathieulh] it's always been
    [21:49:19] [Mathieulh] the bug is even more dumb than that
    [21:49:29] [Mathieulh] but I am giving too many hints right now so I'll stop
    [21:52:56] [Mathieulh] defyboy if you want to find it, you'll have to reverse a fair amount of spu code
    [21:53:01] [Mathieulh] that's all I'll tell you xD
    [21:53:21] [Mathieulh] lol
    [21:53:26] [Mathieulh] it's not that easy to find though
    [21:53:33] [Mathieulh] sony revamped the whole appldr in 3.56
    [21:53:38] [Mathieulh] and they didn't find it
    [21:53:47] [Mathieulh] but it's a dumb bug

  6. #1316
    lele0o0o Guest
    FIFA 12 {full-game-fixed-for-3.41-3.55}


    LANGUAGE: English, German, French, Italian, Spanish, Dutch, Polish, Czech, Portuguese, Swedish, Russian, Hungarian





  7. #1317
    macsamilian Guest
    thanks to EXEtrimALL and anybody else that helped in bringing us releases, much appreciated mates thank you very very much.

  8. #1318
    Maajid Guest
    Is anyone else having frame rate issues with Fifa 12? It just isn't as smooth as it should be -- something like running a high end game on a low end PC.

  9. #1319
    RazielSasy Guest
    If you need someone to translate from English to Italian. I am here

  10. #1320
    paintball Guest
    the mass effect 2 links are off line ...
