Talk:Patches: Difference between revisions
Revision as of 01:15, 7 September 2012
Shop firmware on Retail console
<patote> i used the same shop.tcl : http://pastie.org/1979531 :
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Priority: 2300
# Description: Patch firmware for installation shop/promo unit
# Option --patch-promo-flags: Patch promo_flags file
# Option --patch-update-flags: Patch update_flags file
# Option --patch-version: Append string to build version
# Type --patch-promo-flags: boolean
# Type --patch-update-flags: boolean
# Type --patch-version: string

namespace eval ::patch_shop {

    array set ::patch_shop::options {
        --patch-promo-flags true
        --patch-update-flags true
        --patch-version "Promotional-to-Retail"
    }

    proc main {} {
        if {$::patch_shop::options(--patch-promo-flags)} {
            # only logged here; this version writes nothing to the promo_flags file
            debug "Patching [file tail $::CUSTOM_PROMO_FLAGS_TXT]"
        }
        if {$::patch_shop::options(--patch-update-flags)} {
            debug "Patching [file tail $::CUSTOM_UPDATE_FLAGS_TXT]"
            # overwrite update_flags with "0000"
            set fd [open $::CUSTOM_UPDATE_FLAGS_TXT w]
            puts -nonewline $fd "0000"
            close $fd
        }
        if {$::patch_shop::options(--patch-version) != ""} {
            # append the marker string to the build version suffix
            append ::options(--build-suffix) "($::patch_shop::options(--patch-version))"
        }
    }
}
patote successfully installed the resulting 3.55 PUP on a Retail console. The console is in locked mode after installation of the firmware.
<patote> 8294 does nothing
<patote> 0168 does nothing
<patote> 5138 does nothing
<patote> 1739 worked fine
<patote> or not ; it didn't say wrong password ; but all is still locked
<patote> 2297 nothing
<patote> the code is................. 0000
<patote> and now the install package files and app_home are back in game menu
<patote> ohhh ; and in system too ; all the way down
<patote> if you go to security settings and do l1+r1+select+square it goes back to demo without turning the unit off
<patote> that's system settings install packages option only does blind installations
<patote> you can't browse the thumbdrive ; it just starts installing all the pkgs in the drive
<patote> it works ; but fails in geohot signed ones ; the regular ones install without problems
<patote> there's another extra option
<patote> automatic update
<patote> "sets whether to update the system software automatically via internet when the ps3 system is turned on"
FSELF patch appldr
MFW does not seem to have (proper) support for FSELFs.
<Mathieulh> why do all those emu devs actually use geohot's tool on their selfs, I wonder xD
<Mathieulh> the proper format to use is fself
<Mathieulh> there are existing patches for fself on 3.41
<Mathieulh> but those guys who make those so called cfw didn't port many patches at all
<Mathieulh> if not any
<Mathieulh> and the memory patcher one for fself isn't there
<eussNL> ehm, including MFW Mathieulh ?
<Mathieulh> you should just patch appldr
<Mathieulh> and make the function that detects the model return true for debug
<Mathieulh> and you get native fself + edata
<Mathieulh> it's an easy patch
<Mathieulh> you can also patch the sign check along with it
<Mathieulh> 4 bytes to patch
<eussNL> I don't see a mention of appldr patch in MFW or I am overlooking it
<Mathieulh> yeah MFW doesn't do that
<Mathieulh> but there is a lv2 patch for fself too
<Mathieulh> (memory patcher)
<Mathieulh> at least in 3.41 there is
<Mathieulh> it's in psgroove
<Mathieulh> but it doesn't work for compressed fself
<Mathieulh> it's better to patch appldr
<Mathieulh> besides I use compressed fself on all my shit now xD
<Mathieulh> saves some room :P
<Mathieulh> people should just use fself anyway
<Mathieulh> that way you don't need to sign or encrypt
<Mathieulh> and it's future proof
<Mathieulh> the geohot signed shit doesn't work with 3.56+ cause of the whitelist
<Mathieulh> so you have to patch the whitelist check in the ldr to get them to run
<eussNL> some people are having trouble with ps3load/ps3loadx with launching it fselfs on CFWs
<eussNL> and with makeself for the same reason I suppose
<irssi_> devs won't support it if the CFW doesn't run it
<Mathieulh> if the cfw doesn't run fself, it's not complete
<Mathieulh> at least not to me
<Mathieulh> all my personal cfw all run fself natively
<eussNL> hmmm, seems a thing to add to MFW then... appldr patch for fselfs - if it isn't working now
The 4 byte patch he speaks of is (hexdump diff of appldr.elf, before and after):
< 00001360 40 80 0e 0c 20 00 57 83 32 00 04 80 32 80 80 8e |@... .W.2...2...|
---
> 00001360 40 80 0e 0c 20 00 57 83 32 11 73 00 32 80 80 8e |@... .W.2.s.2...|
Experimental
Patch Appldr task
patch_appldr.tcl
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Priority: 300
# Description: Patch Appldr
# Option --patch-appldr-fself: Patch Appldr to allow Fself (set debug true)
# Type --patch-appldr-fself: boolean

namespace eval ::patch_appldr {

    array set ::patch_appldr::options {
        --patch-appldr-fself true
    }

    proc main {} {
        set self "appldr"
        ::modify_coreos_file $self ::patch_appldr::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_appldr::options(--patch-appldr-fself)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_appldr::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_appldr::options(--patch-appldr-fself)} {
            log "Patching Appldr to allow Fself"
            # 15-byte pattern from appldr 3.40-3.55; only the word
            # 32 00 04 80 -> 32 11 73 00 (bytes 9-12) differs
            set search "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x00\x04\x80\x32\x80\x80"
            set replace "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x11\x73\x00\x32\x80\x80"
            catch_die {::patch_elf $elf $search 7 $replace} \
                "Unable to patch self [file tail $elf]"
        }
    }
}
Error log
Patching Appldr to allow Fself
Executing command ::patch_elf $elf $search 7 $replace
offset: 4967
Rebuilding self file appldr.self
Executing command makeself $in $out $original
Executing shell self_rebuilder {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.elf} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.self} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr}
FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
See Temp/PS3MFW/ps3mfw.log for more info
Last lines of log :
*****************
auth id: 1ff000000c000001
vendor id: 00000000ff000000
app version: 3.55.0
version suffix: 355
SDK type: Retail (Type 0)
app type: secure loader
file suffix: 355 (rev 0x0a)
key file: ps3keys\/ldr-key-355
(ERROR) key_get failed
FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
Error running script: Could not rebuild file appldr.self : child process exited abnormally
The rebuild fails because self_rebuilder looks for ldr-key-355, while the LDR key files available in ps3keys are: ldr-pub-retail, ldr-priv-retail, ldr-key-retail, ldr-iv-retail, ldr-ctype-retail.
Just add the missing keys to the ps3keys folder to make the task work: ps3keys in RAR SFX (107.37 KB).
Offsets
Offset reported by the task (pattern 40 80 0e 0c 20 00 57 83 32 00 04 80 32 80 80) per firmware version:
- 3.55: offset 4967
- 3.50: offset 3459
- 3.42: offset 3395
- 3.41: offset 3395
- 3.40: offset 3395
On 3.30 or lower the task fails with "FATAL ERROR: Unable to patch self appldr.elf : Could not find pattern to patch", because those builds carry a different byte sequence (0e 0d ... 69 09 instead of 0e 0c ... 57 83):
- 3.30: offset 2299 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
- 3.21: offset 3064 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
- 3.20 DEBUG: offset 3064 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
- 3.15: offset 3071 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
- 3.10: offset 3071 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
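The version-dependent offsets above are why a pattern patcher needs sanity checks before it writes to a loader image. The following Python is an added example, not ps3mfw's own code: it applies the appldr fself patch only when the 3.40-3.55 pattern occurs exactly once and at the offset listed for the declared version, and it rejects the differing 3.30-and-lower sequence; the sample image, the PatchError class and the helper names are constructed for this example.

```python
# Added example (not ps3mfw code): pattern patching as the patch_appldr task does it,
# with the checks a practitioner wants before writing to a loader image: the search
# pattern must occur exactly once, the match must sit at the offset listed for the
# declared firmware version, and search and replacement must have equal length.

SEARCH = bytes.fromhex("40800e0c2000578332000480328080")    # 3.40 .. 3.55 pattern
REPLACE = bytes.fromhex("40800e0c2000578332117300328080")   # same bytes with the fself patch
# 3.30 and lower carry a different sequence; no replacement for it is given on the page
SEARCH_330_AND_LOWER = bytes.fromhex("40800e0d2000690932000480328080")

# offset reported by the task for each firmware version (from the Offsets list)
EXPECTED_OFFSET = {"3.55": 4967, "3.50": 3459, "3.42": 3395, "3.41": 3395, "3.40": 3395}

class PatchError(Exception):
    pass

def find_unique(data: bytes, pattern: bytes) -> int:
    """Offset of PATTERN in DATA; refuses absent or ambiguous matches."""
    first = data.find(pattern)
    if first < 0:
        raise PatchError("Could not find pattern to patch")
    if data.find(pattern, first + 1) >= 0:
        raise PatchError("pattern occurs more than once; refusing to guess")
    return first

def patch_appldr(elf: bytes, version: str) -> bytes:
    """Return a copy of ELF with the fself patch applied for the given firmware version."""
    if version not in EXPECTED_OFFSET:
        raise PatchError(f"no known pattern and offset for firmware {version}")
    if len(SEARCH) != len(REPLACE):
        raise PatchError("search and replacement differ in length")
    off = find_unique(elf, SEARCH)
    if off != EXPECTED_OFFSET[version]:
        # right bytes, wrong place: a mislabelled or unknown build, so do not write
        raise PatchError(f"pattern at {off}, expected {EXPECTED_OFFSET[version]} for {version}")
    out = bytearray(elf)
    out[off:off + len(REPLACE)] = REPLACE
    return bytes(out)

def changed_offsets(before: bytes, after: bytes) -> list:
    """Offsets whose byte differs between two equal-length images (post-patch diff)."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def make_sample_elf(offset: int, pattern: bytes = SEARCH, size: int = 0x2000) -> bytes:
    """Constructed stand-in for appldr.elf: 0xAA filler with PATTERN placed at OFFSET."""
    buf = bytearray(b"\xaa" * size)
    buf[offset:offset + len(pattern)] = pattern
    return bytes(buf)
```

Run against a constructed 3.55 image, the patch touches exactly the three bytes at 4976-4978 (00 04 80 becoming 11 73 00); the same image labelled 3.50, a 3.30-style image, or an image containing the pattern twice is refused.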
Conclusion / Status
Although it is possible to add this as a task, it is not recommended in general. There is brick risk: on 3.55 a black-screen brick was reported, which seems to be related to a self_rebuilder bug.
<mall0ry> eussNL, that appldr fself patch is risky because it is patching a branch target
JFW MA-1 3.56 "bad idea"
http://www.multiupload.com/WO4UYJIJ6T
SHA1: 9FDC74F0BB4244EF37DEFD20E7CF9E5B08BD4DD3
MD5: EFE066E4836393C8BF60A5CC6804DDC3
CRC32: 735B21DC
CRC16: 4766
HMAC_SHA1: 1D4382A5EB811859192DF75BB3284E284EF70601
Patches (compared to OFW 3.56) : http://pastie.org/private/z0evad6frsdlbntk2suqa
shortlist changed files:
- lv1ldr
- lv1.self
- lv2ldr
- lv2_kernel.self
- appldr
- nas_plugin.sprx
- vsh.self
- explore_category_game.sprx
- explore_plugin.sprx
Request for anyone that installed this FW: lv1 and lv2 dump (can be done e.g. with glevand's PKGs).
JFW-DH added custom keys
lv1-iv: 148E7A251EC03A2FA88EFCC13D882D4B lv1-key: 962E952E25236322FE415F6EAC9DEC6BB2AD93CA1FE6B4B82C9A21510BE4B76D lv1-pub: 625D1DF4C3264BBA9FC17A4437BA42591585A5ECCC6F3042DB3A80CBBC0426DAF33549C537AA7782
lv2-iv: 7E90800265795153BAB81C5E74623639 lv2-key: 0829876E2B9BAB777F5710DABB9AFC86510FA598AC98056DCD4F7A17E68CC479 lv2-pub: 625D1DF4C3264BBA9FC17A4437BA42591585A5ECCC6F3042DB3A80CBBC0426DAF33549C537AA7782
app-iv: 20CF5F16EC9ABBD5ECEE9A957B4CD543 app-key: 6DEC0F32E7403B6302122678A8DB1B41EEAB9A8449CFBD241C7FEAFEFD609094 app-pub: 71F46AC33FF89DF589A100A7FB64CEAC244C9A0CBBC1FDCE80FB4BF8A0D2E66293309CB8EE8CFA95 app-priv: 0010818ED8A666051C6198662C3D6DDE2CA4901DDC app-ctype: 0x12
Preloader Advance : Another bad idea?
http://jaicrab.blogspot.com/2011/12/ps3-preloader-advance.html
Backuprflash.bin
missing bootldr at offset 0x0 and 0xF000000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00  ..............v.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F000000  8C A5 FA 66 E4 E1 F4 05 ED 79 5B 90 2D 1B FE C6  Œ¥úfäáô.íy[.-.þÆ
0F000010  23 C8 CD 66 8D 6C F4 76 21 E3 D7 FD 9C 2D FA 37  #ÈÍf.lôv!ã×ýœ-ú7
0F000020  21 3C C7 74 D9 57 B1 AA 97 74 4F F6 0E 73 B6 79  !<ÇtÙW±ª—tOö.s¶y
missing any bootldr header
00 00 2A 3F 00 00 2A 2A 00 00 30 44 00 00 2A 37 00 00 2E 8C 00 00 2F 1C 00 00 2E F4 00 00 2E E3 00 00 2E AB 00 00 2E B3 00 00 2F 13 00 00 2F 3B 00 00 2F 4B 00 00 2F 53 00 00 2F 5B 00 00 2F FB
Conclusion
Not suitable as debrick dump with hardware flasher.
- Option: use flasher with option to start writing at offset 0x40000 (where Backuprflash.bin 0x0 begins) and thus skip overwriting first bootldr section.
- Partial extraction:
  1. Add 0x40000 of 00 bytes at offset 0x0
  2. After that, use flowrebuilder to extract part of the data inside the dump (missing bootldr!):
     asecure_loader\metldr
     ros\[versionstring-ROS0 $]\[coreosfiles $]
     ros\[versionstring-ROS1 $]\[coreosfiles $]
     cCSD
     cISD
     creserved_0
     cvtrm
     eEID
     trvk_pkg
     trvk_prg
OtherOS patches
3.55 LV1 patches
http://pastie.org/private/zvohgrd80htu7s47zqu0yg
3.55 LV2 patches
http://pastie.org/private/qrirgh0qjsoo4acbuiag
3.15 LV1 patches
http://pastie.org/private/imxnatxezislsxjmsci6gg (including 'in hvdump' offsets)
dexl0ve
dexl0ve lv2_kernel
http://pastie.org/private/zbhkmnldresx3cdxfufqkg
Rebug spoofer
Index.dat and Version.txt used to spoof the firmware version (the .dat always uses a static key, so no resigning is needed)
vsh.self patches: http://pastie.org/3495642 (CEX 3.55 OFW vs Rebug Spoofer 4.00)
PSN enabled spoofer
vsh.self patches: http://pastie.org/private/94i2skcva5qvkypdtx4g6w (CEX 3.55 OFW vs Rebug Spoofer 4.11)
PSoN!/PS3ITA rebug based variant
http://www.ps3hax.net/showthread.php?t=39462
vsh.self patches: http://pastie.org/private/lugpsiiaww1upltdlebr5w (CEX 3.55 OFW vs PS3ITA and Rebug Spoofer 4.11)
PS2 on non BC enabler
game_ext_plugin
    set search "\x88\x1f\x00\x06\x3b\x80\x00\x01"
    set replace "\x88\x1f\x00\x02\x3b\x80\x00\x01"
sysconf_plugin
    set search "\x88\x1c\x00\x06\x54\x00\x07\xfe"
    set replace "\x88\x1c\x00\x02\x54\x00\x07\xfe"
premo_game_plugin
    set search "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x00"
    set replace "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x01"
premo_plugin
    set search "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x00"
    set replace "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x01"
appldr 3.55 add 3.56/3.60 keys
As used in mfw\tasks\add_360keys_to_appldr355.tcl and Rogero V3.5
appldr.elf 3.55 patches : http://pastie.org/4458799