
September 9, 2010 // 12:38 am - Earlier today we reported on a preliminary PS3 flash and registry entry analysis from DemonHades and RichDevX, and now SKFU (linked above) has shared his input thus far.

To quote: Since PS3News released their PS3 FTP application I did some research on the PS3's registry.

The registry and its backup are stored on dev_flash2 as xRegistry.sys.

The header

BC AD AD BC 00 00 00 90 00 00 00 02 BC AD AD BC

The entries

Every entry has a fronttag which is 5 bytes long. I'll describe:

56 41 00 11 01

This is an example value:


Behind the value there's a 1 byte close mark:


The 5 bytes

The first 4 bytes are a unique but random number. Every value has it to be identified and found by the system as there is no special pattern. An sprx(?) finds every value by these 4 bytes.

56 41 00 11

The 5th byte can be 00, 01 or 02. 00 tagged values are actually activated/used by the VSH, 01 ones not. The 02 seems to mean "DO NEVER UNLOCK". For example the QA Mode is tagged with 02.

00 == unlocked/used/activated
01 == locked/unused/inactive
02 == never meant to be unlocked

Stop footer

The registry has a


after the last value. Here the system stops to search for values.

Single values without tag

Some values are behind the stop tag, spread randomly in the file it seems. I have no clue how the system finds those yet but here are some I found:

- your local username
- your language (f.e. eng for english)
- your PS3 system name
- URL to the information board online stored files
- HDD serial
- Board name
- your PSN username + password
- your WIFI network key
- your local IP
- your PSID
- path to local user pic

You can modify all those values as long as you don't change their size or address. For example the local user pic is loaded from:


But you can redirect it to load from USB for example:


The Cool Stuff

The retail PS3's registry contains all values to unlock the settings which are possible on a test/debug PS3 and even more like QA mode. We can enable those via the registry, but we won't see any effect in the XMB.

That is because we just UNLOCKED it, but different files on dev_flash handle what we can actually SEE in the XMB. So we need to modify them also to fully use debug options on a retail and more.

This can be done by mounting the dev_flash from USB. We need to do this as we can not write to the original dev_flash. So once we can load our customized dev_flash from USB and have modified our registry, we have a nice way to load our custom firmwares.

The Crash Report

The registry can contain a crash report which is separately split with another registry header as explained above. It contains system error messages, for example if you muck up your registry ;-)

PS3 Live USB CFW Theory

While the Jailbreak just changes mountpoints it should be possible to do the same for other places than the BDD, as well.

For the JB, the drive is remounted @ HDD. So why not mount the dev_flash from USB?

Surely this is possible and I hope to see some action here soon!

So we would have a good solution to test and run custom firmwares as the brick risk is equal to zero, because we can just unplug the USB device and the dev_flash is mounted as common - unchanged.

SKFU on PS3 Registry Research and PS3 USB Custom Firmware


#32 - imtoodvs - September 9, 2010 // 2:17 am
right now the key to development is a way to jailbreak, this is somewhat of the PS3's Pandora battery.

i'm really now throwing out any CFW ideas, since its still too early, but we've got some of the best in the game exploring the idea now.

CJPC has always been the man, while the rest of these guys have been "scared" to share any info, CJ has stepped up and led the blind.

i'd say by November we should see the first CFW, unless CJ shares something else to further the progress (Remember his ISO loader alpha)

#31 - Kantraz - September 9, 2010 // 1:50 am
Quote, originally posted by jokr2k10:
If the Custom Firmware works like the PSP, you won't need a JB device to start with.

We don't have write access to dev_flash, so you would still need a JB device to start the process, of having a CFW on your usb stick and boot it from it

But it's a beginning and this might give us the opportunity to later on, writing directly to dev_flash

#30 - jokr2k10 - September 9, 2010 // 1:18 am
If the Custom Firmware works like the PSP, you won't need a JB device to start with. The PSP used a software exploit in the beginning (i do believe) and then it turned into needing Pandora's battery then another exploit (TIFF exploit?) and now it's using another software exploit.

So, if they can get the PS3 anything like that, just depending on what firmware people are at (and 3.41 would be a good start since that's where the jailbreakers are gonna be). Wouldn't it be nice to have a TIFF exploit on the PS3? where all you need to do is use a USB thumbdrive to install a CFW on the PS3 which allowed you to load games from the XMB w/o even having to use Backup Manager? just have it listed in the list like the PSP does?

Sure, Backup Manager would still be used to dump games to hard drive, but wouldn't it be nice if they were listed in the XMB? Maybe have a 3.15 CFW that allows for OtherOS install. Call it something like 3.41-OtherOS or 3.15.41 or something (meaning OtherOS install, but current firmware... i guess that would be 3.15.42 right now?)

Of course have it where you can install PS1 games like you can the PSP. Also make it where PS3 games could be loaded w/o a disk in the console....of course, I am sure this is all stuff that is wanted by others....but hey, this is what we are going for right?

#29 - garretts228 - September 9, 2010 // 1:14 am
Freaking Right!! CFW not in the too distant future!! CFW right here right now!!

#28 - SwordOfWar - September 9, 2010 // 12:53 am
I want to know what this secret is too!

#27 - livpool - September 9, 2010 // 12:37 am
Quote, originally posted by PS3 News:
I'd save that until after his next contribution, which is something much of the scene has been waiting for quite some time and will help unlock the PS3 further.

:O oh dear god stop teasing!

#26 - smarty94 - September 9, 2010 // 12:26 am
What exactly does the shellcode (in PSgroove) patch? If that data is in dev_flash, then it wouldn't be possible to change the mount point until after it's already mounted.

#25 - SwordOfWar - September 9, 2010 // 12:20 am
This is getting really exciting, and I still haven't bought any hardware for the exploit yet. I hope those ports keep rolling in quickly.

#24 - Starlight - September 9, 2010 // 12:08 am
Nice work on the FTP app CJ and keep up the great work you have been doing so far and the scene appreciates it.

#23 - IndyColtsFan84 - September 9, 2010 // 12:03 am
Quote, originally posted by PS3 News:
I assume he meant because the FTP app of CJ's is what was used by SKFU in this research.

ahhh i see! I guess his research never would have happened without CJPC's ftp app! WTG CJ & SKFU, keep up the great work! Please upload decrypted flash dump so folks can begin their own research!

I wonder how likely it is that a decrypted flash will be uploaded for the public & other devs to take a peek at?