  1. #1
    ionbladez Guest

    New idea for multiple exploits..

Hi, since this is my first post, I will try to be as clear as possible.

I've found 3 things already that have caught my interest, and 2 things I've already managed to do.
    My PS3 is FW 2.60 - I've managed to use Proxomitron to bypass the firmware check, as well as "hack" the infoboard, I have custom news, links, images, etc., on it.

I've also found that redirecting the firmware version text file works as well as the server version does, just changing the hex before the version.

    Possible exploit #1:
I know that PS3 (since FW 2.42) checks the FILE SIZE of any pkg or pup it begins to download. I've modified a 1.10 FW file to match EXACTLY the size of the 2.70 Firmware, and when I go to NETWORK UPDATE, then CHECK - voila!
    It shows (my custom text file):
    A new software version is available
    Version 4.10 << now this is MY fake version, but I've HEX edited the PUP to have 4.10 inside of it.

    I KNOW for sure that the PS3 does not have SET file sizes for LATER versions of firmwares.

But it gives me an error before it attempts a download, since I'm downloading it through Proxomitron on my laptop HDD.

What I want to know is how it checks EXACTLY for headers in the PUP before it begins a download. Before I modified the update, it was I think 98 MB or such, and it would BEGIN THE DOWNLOAD, hit 60%, then say:
    The software is not supported by the system.

    So I'm sure it runs some kind of hash scan, or something close to it.
    I even made it get the header info from the original file.
    I know even if I would get the updater to run, it would most likely brick the PS3, but the fact is, it downloads, regardless.
    No modchip, no special tools (except a proxy program)
    I have a 40GB 2nd gen ps3 - The only mods I have on it are blue LED strips in the front of the case, inside the unit.

    Possible exploit #2:
    Ok I've known about the TIFF exploit originally when it came out for PSP, then I found out about the PS3 version last year as well.
    I thought maybe I can make a PHP script or Javascript to emulate the file download with no prompting, but just for fun I made a script that I thought would crash the PS3 browser with a memory overflow or something close to it.

Success, I have. It doesn't crash the browser. I let it run for about 10 minutes; after 2 minutes of activity I noticed the HDD indicator was flashing constantly, so the PS3 must be storing some TEMP info on the hard drive.

All my script does is change the page title and fill the page with RANDOM NUMBERS. It fills it on a normal browser, but the PS3 just shows the loading icon.

    On attempt to close the browser (circle button), no prompt came up.
    So I went to the browser menu, and hit Close.
    It closed after prompting, but then the XMB froze, while the HDD light was still flashing (Possible memory overflow? or can we fit something in there and run it..)

The link to my script (be careful, it's made to crash ANY browser, regardless of POPUP BLOCKS, WINDOW STOPPERS, ETC. It's all VERY simple, it just loops and writes random numbers to the page and adds them to the page title.)
    Easy crash? or Ingenious overflow. I'm not sure, I'm not much of a big programmer but I know my principles.

    Possible Exploit #3:
    As I said in #2, the TIFF exploit.
    I think if I get a better idea on what it does, I can re-write it or modify it to work on 2.60. I do know that the XMB will attempt to load a thumbnail for every picture, and I know that's where the TIF exploit comes in (because of the image tags, I'm guessing).

    What I'm trying to do is get a RAW file, kinda like a generic SDK for this TIFF image, I downloaded one already but I am a little clueless on how it works.

    I see no plain-text or anything. I'm guessing it's all coded or something.
    If so, what language? I have many compilers and may be able to re-write this.

    Any help/suggestions? I'd really like to see if any of my stuff would work (possibly)

    Oops, forgot the URL to my crash script.

    View the source, edit this if you like, but it works as is.


    Run with PS3 and about 2 minutes later your HD will flash.
    Again, not sure if we can actually do something with this.

    I've been messing around with proxomitron, and the firmware update (it's 1.10)

    I've hex edited the version inside to 2.70 - and retried to download it to the PS3.

    The size before didn't match, it was 365 bytes SHORT (weird?).

    Anyways I checked and now the SIZE matches EXACTLY.

    The PS3 tries to keep a connection during the EUA Notice, so I killed it off and no error, then set the redirect to my custom FW file on my hdd.

    It started downloading - Instead of 60%, it stopped at 61% this time, and said
Not supported.

    So I tried again. This time I have a FW 1.11 file downloaded also.
    It started the download, same settings as before.
    I know this was stupid, but worth a shot.
    I aborted all connections @ 54%, then switched mid-stream from 1.10 to 1.11 - It passed 61%, matter of fact, it went to 75%, so I stopped it again - and set it back to 1.10.

    Success. 100% Downloaded, it must hit SOMETHING in the FW 1.10 file.

    However, after it hit 100%, 2 minutes later, I get:
    "An error has occurred."

As I knew it would double-check it, I thought it was worth a shot anyway.

    Maybe there is something like the Mini-windows feature in PS3, like mixing 2 different Windows cds on an old computer.
    But it's just a stupid theory.

    I'll update again if I get something.

  2. #2
    ionbladez Guest

Update 2:

    Just to triple-check:
I've started the download of 1.11 ALONE - it also hits 60% and fails.
Anyway, here is what I have on Proxomitron:

    [Register or Login to view code]

    How does the PS3 know EXACTLY what FILESIZE the new update is, even though I have it re-directed?

I mean it checks the file I have it directed to. Again, like I said before, there is no possible way Sony has SET file sizes for ALL their new firmwares.

    ATTACHED: Proxomitron with ALL of my config files, just load the DEFAULT configs, mess with them a bit - this is the latest version, just set your PS3 to pass to proxomitron on your PC and edit the headers.

  3. #3
    footylad Guest

    Good Job!

I myself worked on trying to rewrite my DEBUG FW on my retail to see if it would increase debug functionality, but unfortunately have erased NANDs 1 and 2, and so it just turns off after 10 seconds! So be careful; I would recommend you do this with an Infectus etc....

Regarding your tricks, I think that is very good; you have managed to achieve up to 100% at one point.

Regarding PUP, 60% is a security check. May I suggest you try the "HD Trick": remove the HDD, then insert it after a length of time, or use a second HDD, both connected to your console, both with separate FWs extracted. If you can spurn a PUP extraction of any FW by making the correct SIZE and changing the header to have a NEWER FW, you could for example extract 2.70 on one HDD and extract 4.20 FW (although I'd consider basing this on 2.70 so the switch over will work, i.e. no change in header) spoof on another. Run the 4.20 SPOOF, at 60% remove the HDD and insert the 2.70 HDD; then it should surpass that check. Reinsert the 4.20 FW spoof and see how far you get. Just don't turn your console off if the progress bar stops moving - just cancel it and it should HOPEFULLY turn back on, unlike mine.


    PS: You could also try the Proxy method, by having a switch in that to use another file/header at a particular time?


  4. #4
    ionbladez Guest


    I don't think I want to try to screw up my ps3 from booting,
    Besides how am I gonna get a 2.70 HDD on my ps3 that is already 2.60.

    I don't have any friends with a 2.70 FW PS3, even if did I'm sure they wouldn't let me borrow their hd.

    I'll keep you posted.

  5. #5
    idone Guest
You can't put a hard drive from one PS3 to another without having to format it.

  6. #6
    XVISTAMAN2005 Guest
Well, I'm not trying to bag on your methods, but the pup tricks will not work. The pup files are signed by $ony, so changing just one byte screws up the signature and they will not pass the hash calculations that verify the FW as genuine.
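
As an added illustration of the point made in this post (example code, not anything from the thread or from Sony): a constructed package layout where a total-size check still passes for a version-edited file, but a signature over header and body does not. The header format, the verifier key and the use of HMAC as a stand-in for the vendor's real public-key signature are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a signed firmware package: a header carrying a
# version string and body length, then the body, then a signature over
# header+body. The key is an assumed, made-up verifier secret (HMAC stands in
# for the vendor's asymmetric signature, which a console would check with a
# public key); the layout is invented for this example.
VERIFY_KEY = b"example-verifier-key-not-real"
HEADER_FMT = ">8sI"   # 8-byte version string, 4-byte big-endian body length

def build_package(version: str, body: bytes) -> bytes:
    header = struct.pack(HEADER_FMT, version.encode().ljust(8, b"\0"), len(body))
    sig = hmac.new(VERIFY_KEY, header + body, hashlib.sha256).digest()
    return header + body + sig

def parse_package(pkg: bytes):
    hdr_len = struct.calcsize(HEADER_FMT)
    version, body_len = struct.unpack(HEADER_FMT, pkg[:hdr_len])
    body = pkg[hdr_len:hdr_len + body_len]
    sig = pkg[hdr_len + body_len:]
    return version.rstrip(b"\0").decode(), pkg[:hdr_len], body, sig

def size_check(pkg: bytes, expected_size: int) -> bool:
    """The weak check the thread is trying to satisfy: total length only."""
    return len(pkg) == expected_size

def signature_check(pkg: bytes) -> bool:
    """The check that actually gates installation: signature over header+body."""
    _, header, body, sig = parse_package(pkg)
    expected = hmac.new(VERIFY_KEY, header + body, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def spoof_version(pkg: bytes, new_version: str) -> bytes:
    """Overwrite the version field in place, keeping the size identical."""
    field = new_version.encode().ljust(8, b"\0")
    return field + pkg[8:]

def demo() -> dict:
    genuine = build_package("1.10", b"constructed firmware body bytes " * 40)
    spoofed = spoof_version(genuine, "4.10")
    return {
        "same_size": size_check(spoofed, len(genuine)),   # True: size matches
        "genuine_ok": signature_check(genuine),            # True
        "spoofed_ok": signature_check(spoofed),            # False: one field changed
        "spoofed_version": parse_package(spoofed)[0],      # "4.10"
    }
```

The size and version fields are both under the signature, so matching the expected length only gets a file past the first gate; any byte edited afterwards invalidates the signature.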

  7. #7
    ionbladez Guest


    Quote Originally Posted by XVISTAMAN2005 View Post
Well, I'm not trying to bag on your methods, but the pup tricks will not work. The pup files are signed by $ony, so changing just one byte screws up the signature and they will not pass the hash calculations that verify the FW as genuine.
    Actually I was aware of this the whole time, the point is getting it to download fully.
    I know it checks the download every so often, that's why I kill off the connection to see what it is looking for. It's a little strange it doesn't throw some error..

Anyway, I'm trying to get this little "hack" done from another thread, where you pull out the HD and original PS1 game, swap in the backup, and put the HD back in.
    I've had multiple filesystem corruptions and other stuff, but I have YET to get it to work. I've tried timing, pulling HD out before starting the game, etc. nothing works.
    100% Tested and NOT WORKING on PS3 FW 2.60 - 40GB.

    I'll keep trying, I know there must be a way to do this.

  8. #8
    footylad Guest
    Quote Originally Posted by ionbladez View Post
    I don't think I want to try to screw up my ps3 from booting,
    Besides how am I gonna get a 2.70 HDD on my ps3 that is already 2.60.

    I don't have any friends with a 2.70 FW PS3, even if did I'm sure they wouldn't let me borrow their hd.

    I'll keep you posted.
Yeah, it's not good bricking your PS3, I know lol.... Just be careful. XVISTAMAN is right, so it's unlikely to be fully signed and then flashed post 60-ish % when copying to the NAND occurs, as up to 60% it's security checks, and if you get any further you could screw your console up completely. Not sure when NAND erasure occurs, but just don't rewrite your FW version, as it appears to erase backup and live NANDs; well, it did for me!


@IDONE the HDD is only paired to the PS3 during FW install, isn't it? I know a format is required, but doesn't it just install the partitions for your hypervisor's encryption, rather than pairing the HDD to the PS3 in normal function?

  9. #9
    ionbladez Guest

    Possibly a miss?

    Ok well it seems when some games update, they do not connect to the secure server, instead they connect to dl.playstation.net or something..

    Anyways this could be a possible sploit to kick some modified headers into it.

    I have a couple games that would need some updates, especially CoD:WaW;
    it updated last night but not on a secure connection which was rather odd.
    All my other games connect https://.

    I can probably throw something in there with luck, but I'd have to download the package on my laptop first.

    I'll try this tonight, and that PS1 Swap method DOES NOT WORK.
    Anyways it was worth a shot.

  10. #10
    footylad Guest
Interesting - problem is the COD WAW update will probably be a signed PKG or several, and so it's then just going back to signing modded PKGs, which isn't possible at the present time. Whereas unencrypted game saves, commented on in a separate thread in this forum, are more likely to cause a problem, as they do, i.e. crash the console, than simply downloading a signed PKG from a different website...


