Hi, since this is my first post, I will try to be as clear as possible:
I've found 3 things already that have caught my interest, and 2 things I've already managed to do.
My PS3 is FW 2.60 - I've managed to use Proxomitron to bypass the firmware check, as well as "hack" the infoboard, I have custom news, links, images, etc., on it.
I've also found that redirecting the firmware version text file works as well as the server version does, just changing the hex before the version.
Possible exploit #1:
I know that the PS3 (since FW 2.42) checks the FILE SIZE of any pkg or pup it begins to download. I've modified a 1.10 FW file to match EXACTLY the size of the 2.70 Firmware, and when I go to NETWORK UPDATE, then CHECK - voila!
It shows (my custom text file):
A new software version is available
Version 4.10 << now this is MY fake version, but I've HEX edited the PUP to have 4.10 inside of it.
I KNOW for sure that the PS3 does not have SET file sizes for LATER versions of firmwares.
But it gives me an error before it attempts a download, since I'm downloading it through Proxomitron on my laptop HDD.
What I want to know is how it checks EXACTLY for headers in the PUP before it begins a download. Before I modified the update, it was I think 98 MB or such, and it would BEGIN THE DOWNLOAD, hit 60%, then say:
The software is not supported by the system.
So I'm sure it runs some kind of hash scan, or something close to it.
I even made it get the header info from the original file.
I know even if I would get the updater to run, it would most likely brick the PS3, but the fact is, it downloads, regardless.
No modchip, no special tools (except a proxy program)
I have a 40GB 2nd gen ps3 - The only mods I have on it are blue LED strips in the front of the case, inside the unit.
Possible exploit #2:
Ok I've known about the TIFF exploit originally when it came out for PSP, then I found out about the PS3 version last year as well.
Success, I have. It doesn't crash the browser. I let it run for about 10 minutes; after 2 minutes of activity I noticed the HDD indicator was flashing constantly, so the PS3 must be storing some TEMP info on the hard drive.
All my script does is change the page title and fill the page with RANDOM NUMBERS. It fills it on a normal browser, but the PS3 just shows the loading icon.
On attempt to close the browser (circle button), no prompt came up.
So I went to the browser menu, and hit Close.
It closed after prompting, but then the XMB froze, while the HDD light was still flashing (Possible memory overflow? or can we fit something in there and run it..)
The link to my script (be careful, it's made to crash ANY browser, regardless of POPUP BLOCKS, WINDOW STOPPERS, ETC. It's all VERY simple, it just loops and writes random numbers to the page and adds them to the page title.)
Easy crash? or Ingenious overflow. I'm not sure, I'm not much of a big programmer but I know my principles.
Possible Exploit #3:
As I said in #2, the TIFF exploit.
I think if I get a better idea on what it does, I can re-write it or modify it to work on 2.60. I do know that the XMB will attempt to load a thumbnail for every picture, and I know that's where the TIF exploit comes in (because of the image tags, I'm guessing).
What I'm trying to do is get a RAW file, kinda like a generic SDK for this TIFF image, I downloaded one already but I am a little clueless on how it works.
I see no plain-text or anything. I'm guessing it's all coded or something.
If so, what language? I have many compilers and may be able to re-write this.
Any help/suggestions? I'd really like to see if any of my stuff would work (possibly)
Oops, forgot the URL to my crash script.
View the source, edit this if you like, but it works as is.
Run with PS3 and about 2 minutes later your HD will flash.
Again, not sure if we can actually do something with this.
I've been messing around with proxomitron, and the firmware update (it's 1.10)
I've hex edited the version inside to 2.70 - and retried to download it to the PS3.
The size before didn't match, it was 365 bytes SHORT (weird?).
Anyways I checked and now the SIZE matches EXACTLY.
The PS3 tries to keep a connection during the EULA Notice, so I killed it off and got no error, then set the redirect to my custom FW file on my HDD.
It started downloading - Instead of 60%, it stopped at 61% this time, and said
So I tried again. This time I have a FW 1.11 file downloaded also.
It started the download, same settings as before.
I know this was stupid, but worth a shot.
I aborted all connections @ 54%, then switched mid-stream from 1.10 to 1.11 - It passed 61%, matter of fact, it went to 75%, so I stopped it again - and set it back to 1.10.
Success. 100% Downloaded, it must hit SOMETHING in the FW 1.10 file.
However, after it hit 100%, 2 minutes later, I get:
"An error has occurred."
As I knew it would double-check it, I thought it was worth a shot anyway.
Maybe there is something like the Mini-windows feature in PS3, like mixing 2 different Windows cds on an old computer.
But it's just a stupid theory.
I'll update again if I get something.