KaKaRoTo Kind of ´Jailbreak´: Difference between revisions
Revision as of 03:20, 6 February 2014
How it all started
Updated my ps3 to 3.73... oh and THEN I jailbroke it! (kind of) :D
1 - I won't share it until it's ready to use (still a bit complicated + some missing components), 2 - don't update if you're on 3.55.
The "kind of" meant I need to fix NPDRM algo for it to run. And no, this will not allow backup managers. And no, it's not a CFW
First Read
You might want to read this first: Clarifications about 3.73 “jailbreak”
In short: it means one wall is taken, the other two are still intact:
1) getting in
2) getting access/to run
3) takeover/modify system files
What we call 'jailbreaking' is actually more like breaking inside the jail to revolt.
Q&A
Q: Will I need special hardware (e.g. flasher, dongle, modchip etc.)?
A: No.
Q: Will homebrew work?
A: With NPDRM fixed, yes. Showtime would certainly be possible.
Q: Will recent games play correctly?
A: Yes, it's 4.x, so it plays all 1.00 - 4.x games.
Q: Will PSN work?
A: Yes, it's 4.x, so it goes online without problems.
Q: Does it have Peek & Poke?
A: No. Peek & Poke require modifying lv1 and lv2.
Q: Do backup managers (e.g. MultiMAN, Rogero etc.) work?
A: No, see the previous answer about Peek & Poke.
Q: Will my old homebrew still work?
A: No. All homebrew needs the fixed NPDRM. Homebrew that relies on other specific patched functions/syscalls (e.g. Peek&Poke, BDemu etc.) will not work either, see the previous answer about Peek & Poke.
Q: Does it get us keys?
A: No.
Q: Does it get us "CFW"/MFW?
A: No.
Q: Does OtherOS++ (Linux/FreeBSD) work?
A: No. Sony removed OtherOS feature after 3.15 and OtherOS++ relies on modifying the firmware. See previous "CFW"/MFW question.
Q: Will it allow downgrade?
A: No.
Q: Does it work on all PS3 models?
A: Yes, all current models.
Q: Are there brick risks?
A: No (standard disclaimer: It will be tested rigorously before release as you can expect from anything that KaKaRoTo has put his name on).
Q: Will this only work on 4.x?
A: No. It was pretested on 3.60 and again confirmed on 3.73 before any public Tweet about it.
Q: What if Sony releases 4.x+ before release?
A: In that case it will be pretested on that version.
Q: So why are all the news sites hyping this that it does give CFW?
A: Because they don't read wikis/blogs xD Besides, every minor news item gets tagged 'prolly CFW soon!' by the bad ones.
Q: Is there a release date?
A: No. Besides KaKaRoTo being unable to work on it for 2 weeks, it also relies on (other people) fixing NPDRM.
Current Status (Major Update: 2/6/2014)
Due to busy schedules, and with the PS3 jailbreaking scene growing beyond our imaginations since 2 years ago, I've handed over my work to a new dev/sort of protege of mine, who goes by the name mm00tz. The "Kind of" Jailbreak project has been officially renewed, and progress? It's been tested and confirmed working on 4.53, and boy I tell you, compared to the scene just 2 years ago, you devs out there have made TREMENDOUS progress. Unfortunately I cannot continue on with this project, but I've handed the tools and skills to mm00tz, and the dev had this to say.
mm00tz: This is one of the hardest things I've ever done, but I promise I'll get this HEN done, I guarantee it.
Check out his twitter page (Muhammad Burke/@mm00tz)
-- KaKaRoTo
Intermezzo Update
Hello all,
I decided to post here because I needed a poll and I would like to have everyone's opinion.
As you all know, I have had a 'half jailbreak' ready for a few months now, I can install what I want on the ps3, even with the latest firmware version, but I cannot run the apps (unless they are real demos of course)... I started working on a way to find a new exploit in order to run the apps on 4.x but in the past 2 months, I've been very busy with work and with life and I haven't had any time to look into the ps3 hacking at all.
So now, I have a dilemma: I have this tool/code that can be useful to some people, but if I release it, sony might block it in their next version so the jailbreak will not work anymore. On the other hand, I'm not working on it anymore, and I don't want all those months of work to be wasted... And finally, there are some other talented devs that are working on trying to get code execution working... so what to do? release my stuff as is and that's the end of it? wait until I have more free time to finish it or until someone finds a way to make it into a full jailbreak? wait for a few more months until a 'timeout' then release it as is no matter what happens?
I'd like to point out that if I release it now, the most probable result is that: no one will use it, most will consider this completely useless, and sony will prevent it from being used on future firmwares. But at least, people will stop annoying me on twitter asking for a release (I wish! I bet that won't stop them!), and I'll stop being treated as a 'fake' (even though I don't care about that). Mostly I want to fulfill my promise of "I will release it" even though I wouldn't be fulfilling the "when it's ready" promise. So... what do you think?
p.s: Note that the poll is just to better understand what the community wants, the results of the poll will not necessarily dictate what I will do, so even if 100% say release it now, it doesn't mean that I will release it now, I will simply take that into consideration before making a decision. p.p.s: Other than voting in the poll, of course, you can also give your opinion as a comment to this thread.
Thanks, KaKaRoTo
Source: http://www.ps3hax.net/showthread.php?t=35721
Poll: http://www.ps3hax.net/poll.php?do=showresults&pollid=305
Update:
wow, thanks everyone who replied, I was busy today again then saw the 16 pages of comments, I do not yet have time to read through them all, but I promise I will read everyone's comments (but I probably can't reply to everyone). I have read however the first 3 pages, and, along with the poll results, I get the general feeling that people do not want it to be released until it's finished. I saw a lot of "release it privately to trusted devs", my answer to you is: Yes, it is already in the hands of a few devs that I trust and while I have been busy for the past 2 months, they have continued their work on getting code execution working (and they made incredible advances since I left). I am hoping to see them unlocking the missing piece in the coming months, and hopefully by then, I'll be free again to help them and continue working with them!
I am still undecided but I'm very happy to see that many people are patient and believe in the "don't release until it's done", and I didn't see people whining about it taking so long (well I didn't read all the comments yet) and I believe that my choice now is torn between "release when it's done" and "release in a few months if no new exploit is found", but I will not make any decisions for now, I will give it time and we'll see how it goes.
Thanks again for sharing your opinion with me. I hope that everyone will be happy and nobody gets disappointed when it's released (hopefully with code execution)
3.60 keys Update
Q: recently 3.60 keys surfaced (lv1ldr, lv2ldr, isoldr, appldr), what does this mean for this release and the future?
A: That is actually a multi-part answer:
- now that several binaries (Iso module + CoreOS minus the loaders that are inside lv0) can be decrypted, more investigation can be done on them, which gives a new boost to other targets (unrelated to the HeN), like:
- Hardwareless downgrades : Downgrading with PSgrade Dongle (lv1.self)
- QA Flagging / systemtokens (spu_token_processor.self) and usertokens (spu_utoken_processor.self)
- PS2 compatibility (mc_iso_spu_module.self , me_iso_for_ps2emu.self , sv_iso_for_ps2emu.self)
- Getting per_console_root_key_1 / EID_root_key on 3.56+/slim3K (lv1.self , aim_spu_module.self)
- Backsigning applications for <=3.55 and patch sys_proc_param_version (appldr.self , lv2_kernel.self)
Q: So does this mean a future release would be sooner?
A: Only God knows ;) But it can also be that, because of the above, it becomes meaningless/surpassed by better progress. So let's all hope for the best :)
lv0 key Update
Since the LV0 keys have now been leaked, I believe I can now share this info with you, to help out those who are trying to build their own 4.x CFW: The NPDRM ECDSA signature in the SELF footer is checked by lv2. It first asks appldr to tell it whether or not the signature is to be checked, and appldr will only set the flag if the SELF is a NPDRM with key revision from 3.56+ (the ones without private keys). This means that the SELF files signed with the new 3.56+ keys still don't have their ecdsa checked (probably to speed up file loading). If appldr says the ecdsa signature must be checked, then lv2 will verify it itself, and return an error if it's not correct.
There are many ways to patch this check out:
1 - Patch out the check for the key revision in appldr
2 - Patch out the "set flag to 1" in appldr if the key revision is < 0xB
3 - Patch out the code in lv2 that stores the result from appldr
4 - Patch out the actual sigcheck function from lv2.
5 - Ignore the result of the ecdsa from lv2.
Here is one of the patches (the 4th one, patching out the check function from lv2): In memory 0x800000000005A2A8, which corresponds to offset 0x6a2a8 in lv2_kernel.elf, replace:
e9 22 99 90 7c 08 02 a6
With:
38 60 00 00 4e 80 00 20
This is for the 4.21 kernel (that was the latest one when I investigated this), I will leave it as an exercise to the reader to find the right offsets for the 4.25 and upcoming 4.30 kernel files.
And here's another bit of info... in 4.21 lv2, at memory address 0x800000000005AA98 (you figure out the file offset yourself), that's where lv2 loads the 'check_signature_flag' result from appldr, so if you prefer implementing method 3 above, just replace the 'ld %r0, flag_result_from_appldr' by 'ld %r0, 0' and you got another method of patching it out. Either solution should work just the same though. Enjoy homebrew back on 4.x CFW....
p.s: Thanks to flatz and glu0n who helped reversing this bit of info.
https://twitter.com/KaKaRoToKS/status/260742786972798977
https://github.com/cfwprpht/mfw/blob/master/tasks/patch_cos.tcl
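The two byte patterns in the post above are PPC64 instructions: the original prologue is `ld r9,...(r2); mflr r0`, and the replacement is `li r3,0; blr`, a stub that returns 0 (success) without ever verifying anything. As an added example that is not from the post or from any of the tools it links, here is a read-only checker that decodes those words and reports whether a kernel image still has the original signature-check prologue or has been stubbed; it also recognises the general "li r3,imm; blr" stub pattern, not just these exact bytes. The offset and patterns are the ones the post gives for the 4.21 lv2_kernel.elf; the image it inspects is constructed in the script.

```python
import struct

# Offset and byte patterns quoted in the post above for the 4.21 lv2_kernel.elf.
SIGCHECK_OFFSET = 0x6A2A8
ORIGINAL_PROLOGUE = bytes.fromhex("e9 22 99 90 7c 08 02 a6")  # ld r9,..(r2); mflr r0
STUB_PROLOGUE = bytes.fromhex("38 60 00 00 4e 80 00 20")      # li r3,0; blr

def _sext16(v: int) -> int:
    return v - 0x10000 if v & 0x8000 else v

def decode_ppc64(word: int) -> str:
    """Decode the few big-endian PPC64 instructions this check needs."""
    op, rt, ra = word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F
    xo = (word >> 1) & 0x3FF
    if op == 14:                                    # addi / li
        imm = _sext16(word & 0xFFFF)
        return f"li r{rt},{imm}" if ra == 0 else f"addi r{rt},r{ra},{imm}"
    if op == 58 and word & 3 == 0:                  # ld rt,ds(ra)
        return f"ld r{rt},{_sext16(word & 0xFFFC)}(r{ra})"
    if op == 19 and xo == 16 and rt == 20:          # bclr with BO=20 -> blr
        return "blr"
    if op == 31 and xo == 339:                      # mfspr; SPR 8 is LR
        field = (word >> 11) & 0x3FF
        spr = ((field & 0x1F) << 5) | (field >> 5)
        return f"mflr r{rt}" if spr == 8 else f"mfspr r{rt},{spr}"
    return f".long 0x{word:08x}"

def disassemble(code: bytes) -> list:
    words = struct.unpack(f">{len(code) // 4}I", code[: len(code) // 4 * 4])
    return [decode_ppc64(w) for w in words]

def is_return_stub(code: bytes) -> bool:
    """True when a function entry is 'li r3,<imm>; blr': it returns a
    constant without doing any work (general pattern, any immediate)."""
    insns = disassemble(code[:8])
    return len(insns) == 2 and insns[0].startswith("li r3,") and insns[1] == "blr"

def classify_sigcheck(image: bytes, offset: int = SIGCHECK_OFFSET) -> str:
    """Report the state of the lv2 signature-check function in a kernel image."""
    prologue = image[offset:offset + 8]
    if len(prologue) < 8:
        return "truncated"
    if prologue == ORIGINAL_PROLOGUE:
        return "original"
    if is_return_stub(prologue):
        return "stubbed"
    return "unknown"

def make_sample_image(prologue: bytes) -> bytes:
    """Constructed stand-in for lv2_kernel.elf: zero padding up to the offset."""
    return bytes(SIGCHECK_OFFSET) + prologue + bytes(16)

if __name__ == "__main__":
    for label, p in (("original", ORIGINAL_PROLOGUE), ("stubbed", STUB_PROLOGUE)):
        print(label, classify_sigcheck(make_sample_image(p)), disassemble(p))
```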
The Road beyond...
(or what you and others can do to expand its usability)
What is missing Prerelease (state at first public mention)?
- Fixing NPDRM
- Make PKG's install and run the SELFs.
What is missing after release?
- Peek & Poke
- lv1/lv2 dumping/patching
- Payloader3
- Backup Managers
- Downgrade (already possible with hardware flashing)
- 3.56+ keys / lv0 decrypted dump
- Modifying firmware files
- OtherOS++
What is forever missing?
- 3.56 and higher private keys