October 18, 2010 // 11:22 pm - Update: Test 2 is now available, with complete details on the changes outlined HERE.

Here is what I call PS3 Acid CFW, an XMB custom firmware XML hack pack for the PlayStation 3 console.

I spend the last days in playing around with PS3 FW files and have modified some of them and hopefully unlocked nearly ALL Debug options.

I mainly have edited the RCO's and their XML's. It's phenomenal what can be done with a simple XML file.

Download: PS3 Acid CFW - XMB Custom Firmware XML Hack Pack

The Wii works on the same way, but anyway we can change the whole XMB via the XML's. It was a childs play to add some paths from one XML to another and add additional download paths for contents that before was only download able into one path. (eg PS3HDD or PS3 only games).

In my country nearly all chips that can be used to make a PSGroove are sold out. I still have some ATmega8 chips at home but I need to modify the source to get the thing running.

The LUFA software USB LIB doesn't support ATmega8 so I'm trying to use a other smaller soft USB but I will need some days more until I can compile the first hex.

Therefore, I am putting out these modified FW files for PS3 to let other guys test if you wish.

Be careful what you're doing and don't UPDATE. I tried to block every update option but as I said it's the first time and it's not sure that every thing works like it should. But together we will find it out.

• First download a PS3 FW Dump first (THIS is the one I used) so you can replace the files with the PS3 Acid CFW file linked above, and put only the folders from "PS3 Hacked FW files" on your USB stick into the dev_flash folder. Make sure to not have any additional files on it !!

• Extract the contents of dev_flash2.rar on your desktop. Use the xRegistry app (or PS3 Multi Tool) to edit the your own one and activate the debug options. I have set a bit flag but don't know if it will work in case that every reg file I have don't include one single bit flag. But as SKFU told us I have set a flag instead of a value.

• After that is done, put the xReg back on your PS3. Now insert the USB stick with our CFW and load the files with USB Firm Loader.

Let me know if it works and play around a bit, tell me what is working and what not. Currently only English and German should display ALL Debug options. Support for other languages will follow soon.

Below are a few things of what would be changed:

PS3 Debug Options activated:

• Hax_Home/PS3_Game/
• Install PKG
• Check
• Lock
• Unlock
• Chancel Purchase
• Delate
• Update via HDD
• Delate Update from HDD
• Title Store Preview (Store)
• Title Store Preview (In Game)
• Import
• Export
• Quick Sign Up
• Performance Bar
• No Memory Limit
• Quick Preview
• Owner Information
• Fake HDD Size
• CORE Dump
• Game Debug

PS3 System Hacks:

• Block Updates
• Block Online Updates
• Block Game Updates
• Unlocked Secret Debug Options
• Unlocked PSP Only (now you can copy PSP only tiles on any media)
• Unlocked Pocketstation
• Unlocked PS2
• Unlocked System Driver Pocketstation
• Unlocked System Driver PS2

I will now continue working on the ATmega8 mod and hope that I can get it small enough.

PS3 Acid CFW - XMB Custom Firmware XML Hack Pack Released

#131 - FMAranda - November 5, 2010 // 8:51 pm
Yes, i know that i can write to the dev_flash thats on my USB, but, i can't write on dev_flash on PS3. It is the start up sound, even if i write to my usb and load it with CFWLoader, it will not work when i turn on my PS3. So, i will not hear the custom sound.

#130 - bitsbubba - November 5, 2010 // 8:41 pm
You can write to the dev_flash thats on your USB stick (just make sure the file you're replacing with have EXACT names) that it how the custom font hack worked, custom font, custom sounds pretty close to the same thing lol.

#129 - FMAranda - November 5, 2010 // 7:31 pm
Hi cfw, i have a question, can we write inside /dev_flash? I'm asking this because i was looking the files of "Acid FW" and i found the startup sound, it's called coldboot_stereo.ac3 and coldboot_multi.ac3 and i want to change this sound with the old sound, before the 3.00 fw.

I have the old sound with the same format (.ac3) ready to change, but i can't write on dev_flash/vsh/resource/.

I know that this is silly, but it would be cool change it. I tried with Awesome Manager, FTP... i only the file on Acid FW on my usb stick.


#128 - Crashdance22 - November 5, 2010 // 2:53 pm
cfw do you know if there will be a way to decrypt retail downloadable games at some point? I noticed you posted a key in the conversion thread but surprisingly activity over there hasn't spiked due to your discovery.

#127 - cfwprophet - November 5, 2010 // 2:41 pm
To use the update methode of the ps3 would need deeper hacking like it was done on the psp.

We first would need to find out the complete process that runs douring installing a update.But i mean the syscalls and that stuff.

After that we could write a app that:
1. Extract a pup
2. Patch files
3. Start the SCE updater
4. Install files

Also a way to dump and decrypt current sprx's to a elf and assembling them would be from great help.

If we can get full debug options running in combination with a payload that patches our Retail System version from Retail to DEX we could use the debuger to maybe accomplish this job

#126 - whinis - November 5, 2010 // 2:29 pm
I guess I misunderstood how the updating process works. I assumed that there was a verification process that could be patched out( in ram using a payload) that if fails stops upating. If so we could, in theory, just unpack a pup, modify the files, repack it and tell the ps3 to update.

#125 - cfwprophet - November 5, 2010 // 1:26 pm
You can not simply patch out because its a encrypted file and patching one single bit would break the encryption.

There for we have to use custome payloads and patch the ps3 ram in reall time.

Ok im not so sure about if the lv1,lv2 will be encrypted.But even if not the are placed on a other chip then dev_flash will be and to time we have no access to it.Dumping the lv2 with hb is to time the best we can do.

Let assume the lv2 is not encrypted and we can patch some strings.Then we still first need a way to write to the chip where lv2 will be stored. Knightsolidus have told us that now the lv2, lv1 among with some other system files are stored in the CXD flash but dont have shared the info how to read the CXD.

We have to wait if some one other can find a other way or knightsolidus will share the info with us.Maybe some one will develope a new gen downgrader chip like the infectus it was based on the new infos of knightsolidus.

We will see.

#124 - whinis - November 5, 2010 // 12:46 pm
Is there anyone actively searching for a section in lvl2 /lvl 1 code that would allow unverified updates? Then we code patch out lvl2.bin outside and package it in a pup file and allow the ps3 to write its own doom.

#123 - cfwprophet - November 5, 2010 // 12:32 pm
To time the debug options in the category systemconfig are not completely unlocked.The first part is done but more changes need to be done.Before you cant see and select the debug options in the category systemconfig.

Allready usable unlocked options in the ACID CFW are:
*Install Package File
*MCutility (ps1/ps2 memory card)
*Quick Sign Up
*Title Store Preview (ingame)
*Title Store Preview (online)

XMB Hacks:
Kicked out PSN Store from the game category

Dont forget that this cfw and the way to load is still a test !!

Goal is that we later have a cfw wich we can put onto our ps3 and replace the files from internal dev_flash with our hacked one.

This doesnt mean that we dont need a JB any more.We still would need the jb.Because the jb make patches to the lv2.bin wich is our game os and stored on a seperated place.Not in dev_flash.

But maybe we can activate the bd emu sometimes.Then we wouldnt need a bm any more and backuploading could be embended into the cfw.

#122 - ravenous1981 - November 5, 2010 // 6:45 am
Ok my Problem is i download the 3.41 Package and make the Patch on it :-) Thx a lot. I load with Hermes v4b and Jaicrabs and it loads the CFW Perfect.

I see Title Store Preview ( in Game) and Title Store Preview (Online) all other Options i can`t see in the Xmb, thats the Problem

I read and i think the Debug Options is not enabled to see it on the XMB right? When its so, I understand why my 2 Options are the Only i can see.

Sorry for my Bad English.. Ok wait for reply and hope my Problem is not a Problem :-)

ThX Great Work in the First way to a real CFW :-)