KaKaRoTo Kind of ´Jailbreak´
Revision as of 23:13, 18 December 2014
How it all started
Updated my ps3 to 3.73... oh and THEN I jailbroke it! (kind of) :D
1 - I won't share it until it's ready to use (still a bit complicated + some missing components), 2 - don't update if you're on 3.55.
The "kind of" meant I need to fix NPDRM algo for it to run. And no, this will not allow backup managers. And no, it's not a CFW
First Read
You might want to read this first: Clarifications about 3.73 “jailbreak”
In short: it means one wall is taken, 2 others are still intact:
1) getting in 2) getting access/to run 3) takeover/modify system files
What we call 'jailbreaking' is actually more like breaking inside the jail to revolt.
Q&A
Q: Will I need special hardware (e.g. flasher, dongle, modchip etc.)?
A: No.
Q: Will homebrew work?
A: With NPDRM fixed, yes. Showtime would certainly be possible.
Q: Will recent games play correct?
A: Yes, it's 4.x, so it plays all 1.00 - 4.x games.
Q: Will PSN work?
A: Yes, it's 4.x, so it goes online without problems.
Q: Does it have Peek & Poke?
A: No. Peek & Poke require modifying lv1 and lv2.
Q: Do backup managers (e.g. MultiMAN, Rogero etc.) work?
A: No, see the previous answer about Peek & Poke.
Q: Will my old homebrew still work?
A: No. All homebrew needs the fixed NPDRM. Homebrew that relies on specific other patched functions/syscalls (e.g. Peek&Poke, BDemu etc.) will not work either, see the previous answer about Peek & Poke.
Q: Does it get us keys?
A: No.
Q: Does it get us "CFW"/MFW?
A: No.
Q: Does OtherOS++ (Linux/FreeBSD) work?
A: No. Sony removed OtherOS feature after 3.15 and OtherOS++ relies on modifying the firmware. See previous "CFW"/MFW question.
Q: Will it allow downgrade?
A: No.
Q: Does it work on all PS3 models?
A: Yes, all current models.
Q: Are there brick risks?
A: No (standard disclaimer: It will be tested rigorously before release as you can expect from anything that KaKaRoTo has put his name on).
Q: Will this only work on 4.x?
A: No. It was pretested on 3.60 and again confirmed on 3.73 before any public Tweet about it.
Q: What if Sony releases 4.x+ before release?
A: In that case it will be pretested on that version.
Q: So why are all the newssites hyping this that it does give CFW?
A: Because they don't read wikis/blogs xD Besides, every minor news item gets 'prolly CFW soon!' tagged by the bad ones.
Q: Is there a release date?
A: No, besides KaKaRoTo not being able to work on it for 2 weeks, it also relies on (other people) fixing NPDRM.
Current Status
I'm sick and tired of people asking me every day "please update the status" or "why didn't you update it in the last 2 hours" or "is the status correct ?" or "what does the letter I mean?" or "Why is that task still at 0%" or "why didn't that task change today?", etc...
I thought I'd give you a status page so you can follow SILENTLY the progress, but all it did was flood me even more with people asking me questions all the time about it, so I'm taking it down, you don't deserve to know wtf is happening or where we are in fixing all the issues (not 'you' specifically, but all those who can't keep their mouth shut and need to fucking annoy me every hour). Sorry for the collateral damage.
The current status is: IT'S BEING WORKED ON!!!! It will be released when it is ready, and asking me all the time about it IS NOT HELPING. I never answered anyone asking me about the status or when it will be released or all of that, so don't try the "maybe he'll answer me", no I won't, I just might block you instead.
-- KaKaRoTo
Intermezzo Update
Hello all,
I decided to post here because I needed a poll and I would like to have everyone's opinion.
As you all know, I have had a 'half jailbreak' ready for a few months now, I can install what I want on the ps3, even with the latest firmware version, but I cannot run the apps (unless they are real demos of course)... I started working on a way to find a new exploit in order to run the apps on 4.x but in the past 2 months, I've been very busy with work and with life and I haven't had any time to look into the ps3 hacking at all.
So now, I have a dilemma: I have this tool/code that can be useful to some people, but if I release it, sony might block it in their next version so the jailbreak will not work anymore. On the other hand, I'm not working on it anymore, and I don't want all those months of work to be wasted... And finally, there are some other talented devs that are working on trying to get code execution working... so what to do? release my stuff as is and that's the end of it? wait until I have more free time to finish it or until someone finds a way to make it into a full jailbreak? wait for a few more months until a 'timeout' then release it as is no matter what happens?
I'd like to point out that if I release it now, the most probable result is that: no one will use it, most will consider this completely useless, and sony will prevent it from being used on future firmwares. But at least, people will stop annoying me on twitter asking for a release (I wish! I bet that won't stop them!), and I'll stop being treated as a 'fake' (even though I don't care about that). Mostly I want to fulfill my promise of "I will release it" even though I wouldn't be fulfilling the "when it's ready" promise. So.. what do you think?
p.s: Note that the poll is just to better understand what the community wants, the results of the poll will not necessarily dictate what I will do, so even if 100% say release it now, it doesn't mean that I will release it now, I will simply take that into consideration before making a decision. p.p.s: Other than voting in the poll, of course, you can also give your opinion as a comment to this thread.
Thanks, KaKaRoTo
Source: http://www.ps3hax.net/showthread.php?t=35721
Poll: http://www.ps3hax.net/poll.php?do=showresults&pollid=305
Update:
wow, thanks everyone who replied, I was busy today again then saw the 16 pages of comments, I do not yet have time to read through them all, but I promise I will read everyone's comments (but I probably can't reply to everyone). I have read however the first 3 pages, and, along with the poll results, I get the general feeling that people do not want it to be released until it's finished. I saw a lot of "release it privately to trusted devs", my answer to you is: Yes, it is already in the hands of a few devs that I trust and while I have been busy for the past 2 months, they have continued their work on getting code execution working (and they made incredible advances since I left). I am hoping to see them unlocking the missing piece in the coming months, and hopefully by then, I'll be free again to help them and continue working with them!
I am still undecided but I'm very happy to see that many people are patient and believe in the "don't release until it's done", and I didn't see people whining about it taking so long (well I didn't read all the comments yet) and I believe that my choice now is torn between "release when it's done" and "release in a few months if no new exploit is found", but I will not make any decisions for now, I will give it time and we'll see how it goes.
Thanks again for sharing your opinion with me. I hope that everyone will be happy and nobody gets disappointed when it's released (hopefully with code execution)
3.60 keys Update
Q: Recently 3.60 keys surfaced (lv1ldr, lv2ldr, isoldr, appldr), what does this mean for this release and the future?
A: That is actually a multipart answer:
- Now that several binaries (Iso module + CoreOS minus the loaders that are inside lv0) can be decrypted, more investigation can be done on them, which gives a new boost to other targets (unrelated to the HeN), like:
- Hardwareless downgrades: downgrading with the PSgrade dongle (lv1.self)
- QA Flagging / systemtokens (spu_token_processor.self) and usertokens (spu_utoken_processor.self)
- PS2 compatibility (mc_iso_spu_module.self , me_iso_for_ps2emu.self , sv_iso_for_ps2emu.self)
- Getting per_console_root_key_1 / EID_root_key on 3.56+/slim3K (lv1.self , aim_spu_module.self)
- Backsigning applications for <=3.55 and patch sys_proc_param_version (appldr.self , lv2_kernel.self)
- Q: So does this mean a future release would be sooner?
- A: Only God knows ;) But it can also be that, because of the above, it becomes meaningless/surpassed by better progress. So let's all hope for the best :)
lv0 key Update
Since the LV0 keys have now been leaked, I believe I can now share this info with you, to help out those who are trying to build their own 4.x CFW:

The NPDRM ECDSA signature in the SELF footer is checked by lv2. It first asks appldr to tell it whether or not the signature is to be checked, and appldr will only set the flag if the SELF is a NPDRM with key revision from 3.56+ (the ones without private keys). This means that the SELF files signed with the new 3.56+ keys still don't have their ecdsa checked (probably to speed up file loading). If appldr says the ecdsa signature must be checked, then lv2 will verify it itself, and return an error if it's not correct.

There are many ways to patch this check out:
1 - Patch out the check for the key revision in appldr
2 - Patch out the "set flag to 1" in appldr if the key revision is < 0xB
3 - Patch out the code in lv2 that stores the result from appldr
4 - Patch out the actual sigcheck function from lv2.
5 - Ignore the result of the ecdsa from lv2.

Here is one of the patches (the 4th one, patching out the check function from lv2): In memory 0x800000000005A2A8, which corresponds to offset 0x6a2a8 in lv2_kernel.elf, replace:
e9 22 99 90 7c 08 02 a6
With:
38 60 00 00 4e 80 00 20

This is for the 4.21 kernel (that was the latest one when I investigated this), I will leave it as an exercise to the reader to find the right offsets for the 4.25 and upcoming 4.30 kernel files.

And here's another bit of info... in 4.21 lv2, at memory address 0x800000000005AA98 (you figure out the file offset yourself), that's where lv2 loads the 'check_signature_flag' result from appldr, so if you prefer implementing method 3 above, just replace the 'ld %r0, flag_result_from_appldr' by 'ld %r0, 0' and you've got another method of patching it out. Either solution should work just the same though.

Enjoy homebrew back on 4.x CFW....

p.s: Thanks to flatz and glu0n who helped reversing this bit of info.
https://twitter.com/KaKaRoToKS/status/260742786972798977
https://github.com/cfwprpht/mfw/blob/master/tasks/patch_cos.tcl
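As an added illustration (not part of KaKaRoTo's post or the linked mfw tooling), the Python below decodes the two 8-byte sequences quoted above into PowerPC mnemonics, showing that the patch replaces the sigcheck function's prologue (a TOC load into r9 and mflr r0) with `li r3, 0; blr`, i.e. an immediate "signature OK" return, and classifies an lv2 image as unpatched, patched or unknown at the quoted offset. Only the offset and the byte strings come from the post; the sample image is constructed here and the decoder only covers those four instructions.

```python
"""Decode the quoted lv2 sigcheck patch and detect it in a kernel image."""
import struct

# Values quoted in the post: file offset in the 4.21 lv2_kernel.elf and the bytes.
LV2_421_SIGCHECK_OFFSET = 0x6A2A8
ORIGINAL = bytes.fromhex("e92299907c0802a6")  # ld r9, -0x6670(r2) ; mflr r0
PATCHED = bytes.fromhex("386000004e800020")   # li r3, 0 ; blr


def decode_ppc(word: int) -> str:
    """Minimal big-endian PowerPC decoder covering only the patch's instructions."""
    op = word >> 26
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    if op == 58 and (word & 3) == 0:                       # ld rt, ds(ra), DS-form
        disp = word & 0xFFFC
        disp = disp - 0x10000 if disp & 0x8000 else disp    # sign-extend 16-bit
        return f"ld r{rt}, {disp:#x}(r{ra})"
    if op == 14:                                            # addi; ra == 0 means li
        simm = word & 0xFFFF
        simm = simm - 0x10000 if simm & 0x8000 else simm
        return f"li r{rt}, {simm}" if ra == 0 else f"addi r{rt}, r{ra}, {simm}"
    if op == 31 and ((word >> 1) & 0x3FF) == 339:           # mfspr; SPR 8 is LR
        field = (word >> 11) & 0x3FF
        spr = ((field & 0x1F) << 5) | (field >> 5)          # SPR halves are swapped
        return f"mflr r{rt}" if spr == 8 else f"mfspr r{rt}, {spr}"
    if op == 19 and ((word >> 1) & 0x3FF) == 16 and rt == 20:  # bclr, BO=20 -> blr
        return "blr"
    return f".long {word:#010x}"


def disassemble(blob: bytes) -> list[str]:
    return [decode_ppc(w) for (w,) in struct.iter_unpack(">I", blob)]


def classify(image: bytes, offset: int = LV2_421_SIGCHECK_OFFSET) -> str:
    """Report whether the sigcheck prologue at `offset` is intact or patched out."""
    window = image[offset:offset + 8]
    if window == ORIGINAL:
        return "unpatched"
    if window == PATCHED:
        return "patched"      # function returns 0 at once: ECDSA never verified
    return "unknown"          # different kernel version or unrelated data


def build_sample_image(patched: bool = False) -> bytes:
    """Constructed stand-in for lv2_kernel.elf: zero-filled, quoted bytes at the offset."""
    img = bytearray(LV2_421_SIGCHECK_OFFSET + 0x100)
    img[LV2_421_SIGCHECK_OFFSET:LV2_421_SIGCHECK_OFFSET + 8] = PATCHED if patched else ORIGINAL
    return bytes(img)
```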
The Road beyond...
(or what you and others can do to expand the usability of it)
What is missing prerelease (state at first public mention)?
- Fixing NPDRM
- Make PKGs install and run the SELFs.
What is missing after release?
- Peek & Poke
- lv1/lv2 dumping/patching
- Payloader3
- Backup Managers
- Downgrade (already possible with hardware flashing)
- 3.56+ keys / lv0 decrypted dump
- Modifying firmware files
- OtherOS++
What is forever missing?
- 3.56 and higher private keys