
Home PS4 News - Latest PlayStation 4 and PS3 News

September 8, 2010 // 10:38 pm - Earlier today we reported on a preliminary PS3 flash and registry entry analysis from DemonHades and RichDevX, and now SKFU (linked above) has shared his input thus far.

To quote: Since PS3News released their PS3 FTP application I did some research on the PS3's registry.

The registry and its backup are stored on dev_flash2 as xRegistry.sys.

The header

BC AD AD BC 00 00 00 90 00 00 00 02 BC AD AD BC

The entries

Every entry has a fronttag which is 5 bytes long. I'll describe:

56 41 00 11 01

This is an example value:


Behind the value there's a 1 byte close mark:


The 5 bytes

The first 4 bytes are a unique but random number. Every value has it to be identified and found by the system as there is no special pattern. An sprx(?) finds every value by these 4 bytes.

56 41 00 11

The 5th byte can be 00, 01 or 02. 00 tagged values are actually activated/used by the VSH, 01 ones not. The 02 seems to mean "DO NEVER UNLOCK". For example the QA Mode is tagged with 02.

00 == unlocked/used/activated
01 == locked/unused/inactive
02 == never meant to be unlocked

Stop footer

The registry has a


after the last value. Here the system stops searching for values.

Single values without tag

Some values are behind the stop tag, spread randomly in the file it seems. I have no clue how the system finds those yet but here are some I found:

- your local username
- your language (f.e. eng for english)
- your PS3 system name
- URL to the information board online stored files
- HDD serial
- Board name
- your PSN username + password
- your WIFI network key
- your local IP
- your PSID
- path to local user pic

You can modify all those values as long as you don't change its size or address. For example the local user pic is loaded from:


But you can redirect it to load from USB for example:


The Cool Stuff

The retail PS3's registry contains all values to unlock the settings which are possible on a test/debug PS3 and even more like QA mode. We can enable those via the registry, but we won't see any effect in the XMB.

That is because we just UNLOCKED it, but different files on dev_flash handle what we can actually SEE in the XMB. So we need to modify them also to fully use debug options on a retail and more.

This can be done by mounting the dev_flash from USB. We need to do this as we cannot write to the original dev_flash. So once we can load our customized dev_flash from USB and have modified our registry, we have a nice way to load our custom firmwares.

The Crash Report

The registry can contain a crash report which is separately split with another registry header as explained above. It contains system error messages, for example if you muck up your registry ;-)

PS3 Live USB CFW Theory

While the Jailbreak just changes mountpoints it should be possible to do the same for other places than the BDD, as well.

For the JB, the drive is remounted @ HDD. So why not mount the dev_flash from USB?

Surely this is possible and I hope to see some action here soon!

So we would have a good solution to test and run custom firmwares as the brick risk is equal to zero, because we can just unplug the USB device and the dev_flash is mounted as common - unchanged.

SKFU on PS3 Registry Research and PS3 USB Custom Firmware
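
For anyone inspecting an xRegistry.sys dump offline, the layout quoted above can be checked with a small read-only script. This is an added example, not SKFU's code: it assumes the 8 bytes between the two BC AD AD BC markers of the header are opaque, and it does not parse values, the close mark or the stop footer because the write-up does not give their bytes. The sample data is constructed.

```python
MAGIC = bytes.fromhex("BCADADBC")
HEADER_LEN = 16

# Meaning of the 5th front-tag byte, as listed in the write-up.
STATES = {
    0x00: "unlocked/used/activated",
    0x01: "locked/unused/inactive",
    0x02: "never meant to be unlocked",
}


def find_headers(data: bytes) -> list:
    """Return the offset of every 16-byte header: MAGIC, 8 opaque bytes, MAGIC.

    More than one hit means the file carries an extra section, such as the
    crash report that starts with its own registry header.
    """
    offsets = []
    pos = data.find(MAGIC)
    while pos != -1:
        if data[pos + 12:pos + HEADER_LEN] == MAGIC:
            offsets.append(pos)
            pos = data.find(MAGIC, pos + HEADER_LEN)
        else:
            # Lone marker (truncated or coincidental bytes): keep scanning.
            pos = data.find(MAGIC, pos + 1)
    return offsets


def decode_front_tag(tag: bytes) -> tuple:
    """Split a 5-byte front tag into (4-byte id as hex, state label)."""
    if len(tag) != 5:
        raise ValueError("front tag must be exactly 5 bytes")
    ident = tag[:4].hex().upper()
    state = STATES.get(tag[4], "unknown (0x%02X)" % tag[4])
    return ident, state


# Constructed sample: header, the example front tag from the write-up,
# a placeholder value, then a second header as for a crash report section.
HEADER = bytes.fromhex("BCADADBC 00000090 00000002 BCADADBC")
TAG = bytes.fromhex("5641001101")
SAMPLE = HEADER + TAG + b"constructed" + HEADER + b"constructed crash text"

if __name__ == "__main__":
    print("header offsets:", find_headers(SAMPLE))
    print("front tag:", decode_front_tag(TAG))
```
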


#82 - denunes - September 19, 2010 // 10:16 am

people are saying that we don't have access rights to /dev_flash but we can redirect to /usb_flash, is that right? so thinking like Wii, they manage to exploit one ios (ios34 i think) and then have rights to write to another ios, and restore the previous one so the custom is in place and the exploited one is original.

port this to ps3 scene, is something like redirect to usb, gain rights to write file in the flash, make a custom one and then redirect again to new cflash.

this is my 2cents of dreams

#81 - bgrewar - September 19, 2010 // 8:53 am
is it possible then to find the registry entry for the IP address for where the system updates come from and inject our own "custom system update" with a jail break hack

If we could only run unsigned code without the jailbreak hack, but at least we can have downloadable custom firmwares that can be updated automatically. I'm gonna look into this Thanks

#80 - GrandpaHomer - September 11, 2010 // 6:17 pm
Quote, originally posted by Darkzero51521:
i don't like having to have the teensy blocking one of my two USB ports lol.

Boo hoo - get a USB hub ...

#79 - TUHTA - September 11, 2010 // 11:13 am
Hey guys, just found cool pics from dev_flash\vsh\resource\sysconf\calibration

#78 - EiKii - September 11, 2010 // 10:38 am
have you tried recovery menu?

#77 - Gunner54 - September 11, 2010 // 9:49 am
Yes I'm on 3.41, because it thinks the flash is corrupted it wants me to re-install 3.41.

#76 - EiKii - September 11, 2010 // 9:30 am
can't you boot it normal? well who would imo.. yea that's true, are you on 3.41?

#75 - Gunner54 - September 11, 2010 // 9:27 am
Well, it wants me to install 3.41 AGAIN. Now... I don't want to brick my PS3. So it would probably start flashing things I don't want it to. Also, after the PS3 gets reset, the mount gets disabled again, so you have to then re-mount by executing the code again.

#74 - EiKii - September 11, 2010 // 9:23 am
isn't the ps3 doing that to disconnect any files that are about to get configured, if you understand what i mean, like a behavior to have as few files as possible locked, i'm eager to test with my ps3, don't have the hardware still

just a thought, no idea actually.

#73 - Gunner54 - September 11, 2010 // 9:17 am
I have been doing some research and I've found out how to mount specific directories '/dev_flash/' as another location '/dev_usb001/'.

To do this, I have modified the jailbreak code '/dev_bdvd/' into '/dev_flash/'.

I then needed to execute the mount, so I wrote a small piece of code to do this. Unfortunately... when mounting '/dev_flash/' while the PS3 is running (bad idea), the PS3 goes into its recovery mode "Connect a controller and press the PS button".

I have also tried this with '/dev_flash2/'... same result.

So we need to execute the mount BEFORE the PS3 is using them.