Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by Pirate , on 28/02/2010 , @ 10:16pm


    A widespread crash has occured today for “phat”  PS3 users resulting in a “8001050F” error.

    Here are the symptoms to this problem:

    • Can not connect to PSN
    • Hardware failure. Cannot update Firmware or connect to Internet”
    • Cannot enter any BR games (Trophy errors, kicks you out; “Can’t register trophy information. The game will now quit”)
    • Cant play downloaded titles (demos work).
    • Trophy information deleted
    • PS3 date/setting set to December 31, 1999

    This is most likely a firmware related bug but there are also rumors that this may be a PSN hack as a page on Sony PS3 website has a small memo from someone not too happy:


    “get flash and/or enable javascript and stop wasting my time.”

    Sony has tweeted with the following on the matter:

    “We’re aware that many of you are having problems connecting to PSN, and yes, we’re looking into it. Stay tuned for updates.”

    We will keep you updated on the latest progress

  • Posted by Pirate , on 24/02/2010 , @ 01:44pm


    xorloser has released his PS3 HV Dump setup script for IDA which “setups function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings”. You can download the file below.

    To quote from xorloser’s blog:

    I haven’t gotten around to doing an update in a while due to work (and a little relaxation) taking all my time. Rather than wait till I have finished all of the stuff I wanted to before posting again I decided to post some tidbits to tide you over until the rest is ready. Before I do so I’d like to make the following clear as no matter how many times I say it, people believe what they want to believe instead:


    It seems someone took some initiative and made some software themselves to dump the hypervisor once they have the correct hardware and software. So for anyone who has used that and dumped their own hypervisor I present this PS3 HV Dump setup script for IDA.This script will setup function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings.

    To use the script you should extract it somewhere and then from within IDA select “File->IDC File…”, then navigate to where you extracted the file and select it. Please note that this script could overwrite your previous work, so please run backup your idb/i64 file before running it. I recommend running it on a freshly created database by loading your hypervisor dump into IDA as “ppc” at ROM address 0 and then running this script as detailed above before doing anything else.

    The other tidbit I wanted to share was the updates to the PPC Altivec plugin source code which I had forgotten to include in the recent releases, but which a few people have since asked for. Here is the PPC Altivec plugin v1.6 for IDA v5.6 with sourcecode. If anyone makes any fixes or adds support for new functions please pass these updates back to me so I can share them on this site.

    [Download HV Dump script for IDA]

  • Posted by Pirate , on 19/02/2010 , @ 11:39am


    Now this is a nasty rumor to be awoken to, just as the scene finally broke down the hypervisor security, we now hear rumors that Sony is planning to block OtherOS support via next PS3 firmware update.

    Owen Stampflee Linux Product Manager for Fixstars Corporation made the following post in the yellowdog-boards:


    I’ve caught a rumor from a reputable source that the next firmware update for old PS3s will remove the OtherOS feature…

    I’m not sure if it’s true or not but it’s in the best interest of the YDL community to spread the word.


    This indeed is an unexpected move on Sony’s part if indeed this rumor is real, but of course we all know the solution and that is to not update :) .


  • Posted by budro , on 16/02/2010 , @ 05:32pm


    A Genesis/Megadrive emulator was made for homebrewed xbox 360′s:

    - Graphics/Sound
    - Achievements (don’t be a dumbass and use this on live, your console will be banned)
    - Favorites Support
    - XUI user interface
    - SRAM save support linked to a user profile
    - SaveState support (currently 1 per rom)
    - Regular and Enhanced Graphics Filters
    - Sound filters
    - Threaded Audio
    - Aspect Ratio/Stretch Mode support
    - Previews

    Not Implemented (Yet):
    - Input Button Mapping
    - Pixel Shaders to replace Software filters (speed)
    - Cheat support
    - Six button support
    - Other misc stuff

    This is still an early beta. There are bugs…
    More of your favorite emulators/homebrew to come..no donations required…

  • Posted by Pirate , on 15/02/2010 , @ 11:46pm


    SKFU has stumbled across a new patent for a method to protect against encrypted section attacks

    To quote from SKFU blog and patent below:

    Recently a new patent by a SONY employee was published on the patent site at faqs.org. It seems it is SONY’s answer for Geohot’s progress. Take a look here:

    A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code. Predetermined program code is encrypted with a first key. The hash value of an application verification certificate associated with a second key is calculated by performing a one-way hash function. Binding operations are then performed with the first key and the calculated hash value to generate a third key, which is a binding key. The binding key is encrypted with a fourth key to generate an encrypted binding key, which is then embedded in the application. The application is digitally signed with a fifth key to generate an encrypted and signed program code image. To decrypt the encrypted program code, the application verification key certificate is verified and in turn is used to verify the authenticity of the encrypted and signed program code image. The encrypted binding key is then decrypted with a sixth key to extract the binding key. The hash value of the application verification certificate associated with the second key is then calculated and used with the extracted binding key to extract the first key. The extracted first key is then used to decrypt the encrypted application code.”

    You can read the full patent here.


  • Posted by Pirate , on 15/02/2010 , @ 11:34pm


    Used to unlock arcade games and DLC, XM360 is essential to any jtagged xbox

    >> Team XeDev released a bugfix version of XM360.

    What’s new/fixed (since v0.8):
    * fixed bug where Japanese DLC would prevent DLC scene from working (causing a 360 hang) (v0.8b)
    * fixed bug where launching XBLA from the first screen would launch wrong title (v0.8c)
    * fixed scraper for XBLA to include UTF-8 encoded text. This makes them look nicer in xm360, and gets rid of the trailing “a” that was on some titles. (v0.8c)

  • Posted by budro , on 15/02/2010 , @ 11:30pm


    XeXMenu V1.1

    * Added HFS+ drive support

    * Added ip adress information to the configuration

    * Added skin loading verify routine to output errors on the screen while starting XeXMenu
    * Added some user skins
    * Improved ftp upload speed
    * Loads nxebg.dds and icon.dds even if nxeart isn’t present
    * Some other bugs fixed

    Press “BACK” for detailed help pages!

    Note: If you only get a black screen on startup try to delete the XeXMenu
    savegame known as “Unknown Xbox Game” using system tab in dash

  • Posted by Pirate , on 13/02/2010 , @ 12:47pm


    PS3 Hacker CJPC has managed to dump the PS3 hypervisor and LV1 and Bootloader LV0 via PS3 RAM. He has provided a brief explanation of what he did and a download file to the exploit can be found in the VIA link:

    We are happy to report that the PS3 Hypervisor LV1 and Bootloader LV0 are dumped from the PlayStation 3′s RAM after getting our SX28 Hardware a few days ago, utilizing code for glitching and mashing buttons for hours - the exploit eventually will get triggered!

    We tried a few different ways to dump out the real memory - the biggest “problem” was the fact that you can’t just simply use File I/O code in a kernel module. Furthermore, you can’t call the lv1_peek function from user mode either.

    Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he made a kernel module which maps the “real” PS3 memory to a device in /proc. The /proc area lets the kernel and userland interact some.

    Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can use dd to read the device. By doing this, the device gets passed arguments, which is passed along to lv1_peek - which in turns reads out the real memory.

    Be advised, don’t go beyond the PS3′s upper memory limit. At around 260MB, the PS3 tends to crash - it does not like trying to read beyond RAM limits! So, for usage:

    First, run the exploit, and get it triggered and working - that’s the hard part!

    Next, download the attached file, inside are three files, a Makefile, the ps3_hv_mem.c and a pre-compiled version. Stick these in a folder, and run make. It will then compile a kernel module for you (ps3_hv_mem.ko, or use the pre-compiled one). Then simply type: sudo insmod ps3_hv_mem.ko

    Enter your password and check /proc for a ps3_hv_mem entry, or your dmesg. If it is there - let the dumping begin!

    You can dump out the PS3 Hypervisor and Bootloader (and the rest of the real memory) via dd. You can use the command:

    dd if=/proc/ps3_hv_mem of=PS3_Memory_Dump.bin bs=1024 count=10K

    That command will dump out 10485760 bytes, or about 10MB - which nicely includes the goodies like LV0 and LV1. Finally, you can also increase the count, which will increase the amount dumped (multiply by blocksize).


  • Posted by Pirate , on 13/02/2010 , @ 12:41pm


    Today GeoHot brings more updates from his blog and twitter about his PS3 work, to quote:

    Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

    In OtherOS, all 7 SPUs are idle. You can command an SPU(which I’ll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

    The PPU is higher on the control chain then the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

    Ah, but you still didn’t get the Cell root key. And I/we never will. But it doesn’t matter. For example, we don’t have either the iPhone or PSP “root key”. But I don’t think anyone doubts the hackedness of those systems.

    I wonder if any systems out there are actually secure?

    And from his twitter:

    Today I validated my theories about running the isolated SPUs on the PS3 as crypto engines. The PS3 is 100% hacked. So where my homebrew at?

    Stay tuned for more updates.


  • Posted by Pirate , on 07/02/2010 , @ 12:37pm


    A few days ago we told you about how to use Geohots exploit via software, today xorloser has posted up his latest tutorial teaching us how to do it via hardware.

    To quote:

    The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

    He also promises some code next post to dump the hypervisor and more.

    You can download the fixed version of the exploit here.

    You can view the tutorial here or VIA link below.


  • Posted by Pirate , on 05/02/2010 , @ 11:59am


    PS3 hacker xorloser has released a fix for Geohots PS3 exploit, making it friendly across different firmwares.

    To quote:

    As I’m sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack so I thought I’d take the time to help out others who may also have trouble due to being linux n00bs like me :) If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it heh. Today’s post will talk about the software side of the exploit.

    Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.

    You can download the fixed files here.

    xorloser also has posted a tutorial on how to use this exploit, which is now a bit more newb friendly (for those not experienced with linux anyways), and provides some good information/guidance to help you get started using this exploit. You can view the tutorial HERE, or via link below.


  • Posted by Pirate , on 01/02/2010 , @ 03:44pm


    Following on from Team XeDev’s release of NXE2GOD, here’s a new PC app for converting Xbox 360 ISO images straight into Games on Demand containers. While it’s possible to extract ISOs and run them off USB using replacement dashboards, it’s nice to be able to run them as GODs as well. This functionality has only been available through the Xbox 360 SDK until now, so we thought it was about time a legal app was released to perform the same task.

    Thanks go out to Team XeDev/Dstruktiv for NXE2GOD which helped us figure out what was needed for CON->GOD converts. Special thanks to rolly poly for testing and putting up with my endless ramblings about file formats!

    * ISO to Games on Demand container conversion
    * Support for XSF and GDF/XDVDFS ISOs
    * Automatically reads title info from ISO default.xex
    * Multiple I2G conversions can be queued up to run
    - Requires .NET Framework 2.0

    v1.0.6 updates:
    What’s new/fixed:

    + New GDF/XDVDFS code to improve stability and prepare for removing padding sectors in v1.1 release.
    + Taskbar icon now flashes when a conversion finishes
    ~ Fix: Access Denied errors when trying to open ISO on network shares.
    ~ Fix: Crash when locating default.xex on certain ISOs
    ~ Fix: Proper checking of fields in the “Add ISO” GUI
    ~ Fix: Trying to use an Xbox1 ISO won’t throw unhandled errors. (Xbox1 still not supported)
    ~ Fix: Lots of other minor stuff.

  • Posted by Pirate , on 01/02/2010 , @ 03:43pm


    XeX Loader 0.12 is the first public and fully functional XEX loader for homebrew capable Xbox 360 consoles.


    * Launch media-patched XEXs from any storage device
    * Manage the filesystems of all storage devices
    * Rip any inserted game to any storage device (ISO Extraction) - Still requires patching with XexTool or 360 Game Hack to remove the media check.

    Although it should work on all patched kernels, our releases are only tested
    with freeBOOT using Cygnos, not with XBRebooter. Sorry for the inconvenience.

    Installing the LIVE package:

    1) Burned CD/DVD using XeXLoader.iso
    Use the file browser to copy (using the “X” button) the directory “C0DE9999″ to the 360 HDD at: Hdd1://Content/0000000000000000/

    2) Transfer Cable
    Use appropriate software such as Xplorer 360 to copy the directory “C0DE9999″ to 360 hard drive at: Partition3Content