
September 8, 2010 // 10:38 pm - Earlier today we reported on a preliminary PS3 flash and registry entry analysis from DemonHades and RichDevX, and now SKFU (linked above) has shared his input thus far.

To quote: Since PS3News released their PS3 FTP application I did some research on the PS3's registry.

The registry and its backup are stored on dev_flash2 as xRegistry.sys.

The header

BC AD AD BC 00 00 00 90 00 00 00 02 BC AD AD BC

The entries

Every entry has a fronttag which is 5 bytes long. I'll describe:

56 41 00 11 01

This is an example value:


Behind the value there's a 1 byte close mark:


The 5 bytes

The first 4 bytes are a unique but random number. Every value has it to be identified and found by the system as there is no special pattern. An sprx(?) finds every value by these 4 bytes.

56 41 00 11

The 5th byte can be 00, 01 or 02. 00 tagged values are actually activated/used by the VSH, 01 ones not. The 02 seems to mean "DO NEVER UNLOCK". For example the QA Mode is tagged with 02.

00 == unlocked/used/activated
01 == locked/unused/inactive
02 == never meant to be unlocked

Stop footer

The registry has a


after the last value. Here the system stops to search for values.

Single values without tag

Some values are behind the stop tag, spread randomly in the file it seems. I have no clue how the system finds those yet but here are some I found:

- your local username
- your language (f.e. eng for english)
- your PS3 system name
- URL to the information board online stored files
- HDD serial
- Board name
- your PSN username + password
- your WIFI network key
- your local IP
- your PSID
- path to local user pic

You can modify all those values as long as you don't change its size or address. For example the local user pic is loaded from:


But you can redirect it to load from USB for example:


The Cool Stuff

The retail PS3's registry contains all values to unlock the settings which are possible on a test/debug PS3 and even more like QA mode. We can enable those via the registry, but we won't see any effect in the XMB.

That is because we just UNLOCKED it, but different files on dev_flash handle what we can actually SEE in the XMB. So we need to modify them also to fully use debug options on a retail and more.

This can be done by mounting the dev_flash from USB. We need to do this as we can not write to the original dev_flash. So once we can load our customized dev_flash from USB and have modified our registry, we have a nice way to load our custom firmwares.

The Crash Report

The registry can contain a crash report which is separately split with another registry header as explained above. It contains system error messages, for example if you muck up your registry ;-)

PS3 Live USB CFW Theory

While the Jailbreak just changes mountpoints it should be possible to do the same for other places than the BDD, as well.

For the JB, the drive is remounted @ HDD. So why not mount the dev_flash from USB?

Surely this is possible and I hope to see some action here soon!

So we would have a good solution to test and run custom firmwares as the brick risk is equal to zero, because we can just unplug the USB device and the dev_flash is mounted as common - unchanged.

SKFU on PS3 Registry Research and PS3 USB Custom Firmware
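
An added example, not part of SKFU's post or of any PS3 tooling: a read-only Python sketch that checks the header quoted above, splits a dump at each repeated header (where the post says a crash report begins) and decodes a 5-byte front tag. Treating all 16 header bytes as one fixed marker is an assumption, and the sample bytes are constructed.

```python
from __future__ import annotations

# The 16 header bytes exactly as quoted in the post (assumed to be a fixed marker).
HEADER = bytes.fromhex("BCADADBC0000009000000002BCADADBC")

# Meaning of the 5th front-tag byte, as described in the post.
STATES = {
    0x00: "unlocked/used",
    0x01: "locked/unused",
    0x02: "never meant to be unlocked",
}


def decode_front_tag(tag: bytes) -> tuple[str, str]:
    """Split a 5-byte front tag into its 4-byte ID (hex) and a state label."""
    if len(tag) != 5:
        raise ValueError("front tag must be exactly 5 bytes")
    ident, state = tag[:4], tag[4]
    return ident.hex().upper(), STATES.get(state, f"unknown (0x{state:02X})")


def split_sections(blob: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) for each header-delimited section of a dump.

    The first section is the registry itself; per the post, a later header
    marks an embedded crash report.
    """
    if not blob.startswith(HEADER):
        raise ValueError("header mismatch: not an xRegistry.sys image")
    starts = []
    pos = 0
    while pos != -1:
        starts.append(pos)
        pos = blob.find(HEADER, pos + len(HEADER))
    ends = starts[1:] + [len(blob)]
    return [(start, end - start) for start, end in zip(starts, ends)]


# Constructed sample: header, the example tag from the post, filler bytes,
# then a second header standing in for a crash-report section.
SAMPLE = HEADER + bytes.fromhex("5641001101") + b"\x00" * 11 + HEADER + b"crash text"

if __name__ == "__main__":
    print(decode_front_tag(SAMPLE[16:21]))
    for offset, length in split_sections(SAMPLE):
        print(f"section at 0x{offset:04X}, {length} bytes")
```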


#52 - Darkzero51521 - September 9, 2010 // 7:24 pm
There's so many different things that can be done from this point, so many modification and revisions. I personally could care less about emulators and old shit. I'm looking forward to CFW with a preloader. I don't like having to power cycle every time, and I don't like having to have the teensy blocking one of my two USB ports lol.

I like the idea of MKV support, and I like the idea of USB support for PS3 games that are downloaded as ISOs. The addition of a built-in cheat engine is awesome, too. Installing retail PKGs, or being able to convert retail PKGs to debug would be the best thing that could possibly happen, in my opinion.

#51 - coobot - September 9, 2010 // 7:18 pm
With a custom FW, it will eliminate the need to update to 3.42+ for online gameplay, correct?

#50 - nhojyelbom - September 9, 2010 // 7:00 pm
awesome news indeed, I can't wait...

#49 - austindriver13 - September 9, 2010 // 5:21 pm
This is awesome news. No chance of even bricking the thing--wow. The slight "inconvenience" of having to power cycle it every time is way more convenient than dropping $300 on a new ps3.

This scene is about to explode in the coming weeks... I'm on pins and needles

#48 - dawes - September 9, 2010 // 1:51 pm
The guy who is writing a PSP port said he was going to write an emulator of the Teensy which seems to be a massively over complex way of executing some basically simple code (which is very timing dependent more than anything).

A dedicated usb dongle seems a far more practical method.

#47 - DanielSV - September 9, 2010 // 1:29 pm
The original code is in C, written for AVR specifically. The problem with the PSP is that the mechanisms one needs to overflow the descriptors are not in place, if I understand it correctly.

Also, this is not weird at all, because there are no "normal", sensible uses for overflowing USB-descriptors.

#46 - MustMunMoji - September 9, 2010 // 1:14 pm
This is brilliant, I don't know much about it but it sounds cool..

#45 - DeadlyFoez - September 9, 2010 // 1:00 pm
Originally posted by biotechhh:
I suppose this registry can be written via linux-jailbreak or with a nand flasher (like infectus) but sony can't fix this?

The nand is encrypted, so it would not be possible to just write one file using an infectus. And quite frankly, the infectus probably can't write to the nand on most PS3s because they updated the chip to a newer type and the infectus can only write data in one type of way. Chances are it won't happen, at least not with an infectus.

#44 - biotechhh - September 9, 2010 // 11:57 am

The retail PS3's registry contains all values to unlock the settings which are possible on a test/debug PS3 and even more like QA mode. We can enable those via the registry

I suppose this registry can be written via linux-jailbreak or with a nand flasher (like infectus) but sony can't fix this?

#43 - saviour07 - September 9, 2010 // 11:27 am
Originally posted by Neo Cyrus:
and there is no PSP port of the jailbreak yet. It's already been ported to a god damn toaster along with 80 hojillion esoteric phones no one has ever heard of, yet there has only been a peep so far about the possibility of a PSP version.

I think it's more to do with the original exploit code being ported to something which the psp can understand - which isn't something as simple as a "google translate linux to lua"!

The original exploit (AFAIK) was designed for linux environments, and I believe that the psp uses lua/c. So the code would have to be ported from whatever its native language is to lua or c to work on a psp.

However, I say this without having seen the exploit code and without having coded for the psp, so please correct if wrong!