Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by Pirate , on 31/03/2010 , @ 11:26pm


    If you are planning to stay on pre-3.21 firmware on your PS3 you can still connect to PSN on lower firmware via PS3 proxy.

    The method is old but has been working for a while now. You can view the tutorial here.

    UPDATE: A very easy method posted by Aaron can be found here (noob-friendly):
    [Connect To PSN Without Updating (NOOB WAY)]

  • Posted by Pirate , on 31/03/2010 , @ 10:46pm


    PS3 Firmware 3.21 “upgrade” was released today, and as posted earlier, it does block OtherOS support. It is highly recommended that if you have one of the “phat” PS3′s that you do not update at this time as their are rumors of PS3 custom firmware, and potential safe way of upgrading preserving OtherOS.

    [Download PS3 3.21 Firmware Update]

  • Posted by Pirate , on 31/03/2010 , @ 10:31pm


    jaicrab has posted his dumps on his blog for the PS3 hypervisor and bootloader he managed to do via Xorhack toolkit. You can download dumps below.

    Quote from his blog (translated):

    Good. I’ve managed to make the Hyper Dump and BL. :D In the end I pulse generator echo PC using the search and the parallel port.

    Outline LPT1:

    Software: (I AM NOT RESPONSIBLE for damage to the pileup, is a very simple, just polished. Q is unlikely to burn something, but also take into account q LPT1 port is very delicate. Good luck!)

    Advisable to do so under MSDOS. Download the boot disk Windows 98, copy the executable and run it. No conecteis LPT1 port until q do not enter the program. The source was made with Turbo C + +.

    The important thing is to share and not keep anything more if it is for the common good. Do not make bad use of my Mac and my PS3′s own data ;)

    Dumps Download:
    Hypervisor (Dump 1):


    Hypervisor (Dump 2):




    Zip Pass: jaicrab.jaicrab


  • Posted by Pirate , on 29/03/2010 , @ 03:02pm


    If you have not heard by now, Sony plans to block OtherOS on FW 3.21 on April 1st. This seems to have made GeoHot angry and he has posted two new blog posts expressing his anger to Sony and promising PS3 custom firmware.

    Don’t Update
    A note to people interested in the exploit and retaining OtherOS support, DO NOT UPDATE. When 3.21 comes out, I will look into a safe way of updating to retain OtherOS support, perhaps something like Hellcat’s Recovery Flasher. I never intended to touch CFW, but if that’s how you want to play…

    His second post:

    Wait, you are removing a feature?
    First off, I want to apologize to all the people who use Linux on their PS3. Before releasing, I weighed the pros and cons, and considered the possibility of an impact on OtherOS support. My logic was this. OtherOS support had already been removed from the Slim(not for technical reasons; I believe it only existed in the first place to promote the Cell for IBM) The builders had apparently no intention of including it in future products. So for the purposes of openness why not release? Not like anything else has(or probably will be) done on the PS3.

    Now you go and remove a feature that people expected to be included with the expensive device they purchased, citing “security concerns”. What security concerns? It’s not like the exploit can be run even close to without the users knowledge. You have to open the fucking thing up. How could this harm users? Your blog post doesn’t list positive reasons for upgrading like I think most users expect. Instead it lists things you will lose if you don’t upgrade. Seriously?

    The PlayStation 3 is the only product I know that loses features throughout it’s life cycle. Software PS2 emulation, SACD playback, and OtherOS support are all just software switches you can flip. It’s unbelievable you would go and flip one, not just on new boxes you are shipping, but on tens of millions already in the field.

    Again I’m sorry users. Sony, I expected more from you.

    Maybe this was the boost we were waiting for? Time will only tell now in the next few days, and remember not to upgrade your PS3 for the time being.


  • Posted by Pirate , on 28/03/2010 , @ 09:06pm


    Yes you heard it, no its not an April Fools joke. Sony has confirmed and posted on their blog today that FW 3.21 will go live this Thursday, and it will block OtherOS. We highly recommend the hacking scene to stay away from updating their PS3 coming this Thursday. This is in no doubt Sony’s response to GeoHots PS3 hack.

    The next system software update for the PlayStation 3 (PS3) system will be released on April 1, 2010 (JST), and will disable the “Install Other OS” feature that was available on the PS3 systems prior to the current slimmer models, launched in September 2009. This feature enabled users to install an operating system, but due to security concerns, Sony Computer Entertainment will remove the functionality through the 3.21 system software update.

    In addition, disabling the “Other OS” feature will help ensure that PS3 owners will continue to have access to the broad range of gaming and entertainment content from SCE and its content partners on a more secure system.

    Consumers and organizations that currently use the “Other OS” feature can choose not to upgrade their PS3 systems, although the following features will no longer be available;

    * Ability to sign in to PlayStation Network and use network features that require signing in to PlayStation Network, such as online features of PS3 games and chat
    * Playback of PS3 software titles or Blu-ray Disc videos that require PS3 system software version 3.21 or later
    * Playback of copyright-protected videos that are stored on a media server (when DTCP-IP is enabled under Settings)
    * Use of new features and improvements that are available on PS3 system software 3.21 or later

    For those PS3 users who are currently using the “Other OS” feature but choose to install the system software update, to avoid data loss they first need to back-up any data stored within the hard drive partition used by the “Other OS,” as they will not be able to access that data following the update.

    Additional information about PS3 firmware updates, including v3.21 (once it becomes available), can be found here:


    PS3 owners who have further questions should contact Consumer Services:


    800-345-7669 (800-345-SONY)

    Definitely a shocking move on Sony’s part, dropping entire Linux support on PS3 (not to mention many people/companies who use the PS3 Linux/otheros feature).

    What is your take/opinion on this? Post and let us know.


  • Posted by Pirate , on 26/03/2010 , @ 01:42pm


    The newest update for DivX Plus now supports the conversion of MKV (H.264) files that work on the PS3 and Xbox 360. Its very easy to convert, and is basically “drag and drop”. The program copies the converted file to a USB/disc. Remember, files larger than 4gb need to be split or transferred via media server to PS3/360 (can’t upload a 4gb+ file to USB stick)

    You can download the converter here.

    More information available here.

  • Posted by Pirate , on 21/03/2010 , @ 07:47pm


    JungleFlasher v0.1.73 for Xbox 360 has been released.

    What’s new/fixed:

    • Lite-On, Benq LT ver 1.1 Support.
    • General Support

    Better support for 125% / 120dpi in win 7
    Bad DevID trap, Message to disable MRA mod and continue.
    Links in IRC browser tab will load to default browser rather than IE

    • DVDKey32(info)

    Reg setting Delay32 adjustable from GUI, right click DVDkey32 button.
    This will delay key extract to allow time to position probe.
    See ver 0.1.59 nfo.

    • LO-Erase

    ESC to cancel failing intro after LO-Erase

    • Bad Sammy-Un-Lock Key fix

    Will launch automatically on see symptoms… CTRL + SHIFt + F10 still works
    Dummy from IX
    Trap added to fail if key appears as regular inquiry data 05 80 00 32…….


  • Posted by Pirate , on 19/03/2010 , @ 11:20am


    Geohot has managed to do an RCO file edit on the PS3 using his exploit.

    To quote:

    As some people in the comments called, it’s an RCO file edit, just like RCO edits on the PSP(almost same format too). RCO files are resource files for VSH plugins, live in the dev_flash, and aren’t signed. To edit them on your system, patch your hypervisor to allow encrypted access to the partition(flash on old systems, hd on new), and mod ps3pf_storage. dev_flash is just a FAT partition, mount it in Linux and change what you’d like.


  • Posted by Pirate , on 18/03/2010 , @ 11:22am


    Xorloser has released the latest update for his PS3 exploit toolkit . To quote:

    XorHack v2.0: The Updated PS3 Exploit Toolkit

    After using the XorHack for a while I realised it was missing some things so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line :)

    Hypervisor Exploit Changes

    At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place. This should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting. These are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer setup.

    Kernel Module Changes

    In the middle level I added interfacing support to the nine new syscalls as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address since previously it wasn’t saving the link register, which is not good.. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

    User Library changes

    Finally the on outermost level  I added support for calling the new syscalls to read and write 8, 16, 32, or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will access it in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, io-remapping of addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send it to me to include in the next version of XorHack.

    Sample Application Changes

    As well as the above additions and changes to userland code I have added three new command line applications; ps3peek, ps3poke and ps3exec which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple amounts of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or be printed as binary data and redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

    Here are some examples of what these tools can be used for.

    Dumping the hypervisor

    This reads 0×10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires 8 times less syscalls to get the same amount of information as if we used the default 8bit access.

    ps3peek 0 -s 0×1000000 -d 8 -b > hvdump.bin

    Reading the status register for spu0

    ps3peek 0×20000044024 -d 4

    Loading metldr..

    Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.

    Everyone loves pictures

    The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…


  • Posted by Pirate , on 17/03/2010 , @ 04:33pm


    A hacked version of the Xbox1 Backwards Compatibility v5829 (November 2007) has been leaked yesterday. Was originally made for devkits, but should work just fine on jtagged homebrew 360s too:

    I’ve attempted to remove any limits on the emulator, although i left in game ratings checks in case you dont want your little ones to play violent games :)

    This can be toggled in the dashboard anyway. The following hacks were done to the emulator:
    * Xbe signature checks removed (lets you run unsigned code)
    * Xbe section hash checks removed (lets u run hacked xbes)
    * Game region checks removed (region free baby!)
    * Game media checks removed (play games from your hard drive)
    * Debug/Devkit xbes supported (run your own xbox1 code)
    * Attempt to play unsupported games (doesn’t mean it will work hehe)

    To install this, copy the Compatibilty folder to your devkits Y drive.
    You may want to remove any existing files, although this should overwrite all files.

    Note: it will boot (some) Xbox1 homebrew as well, however don’t expect everything to work perfectly. And XBMC will not run fully on it (don’t expect video playback etc).

  • Posted by Pirate , on 14/03/2010 , @ 12:58pm


    From farmboynick:

    I have just launched XBMC [for Xbox1] on my Xbox360, it was so simple … I patched Avalaunch to boot from disk [with a halo title id] and put a XBMC folder on the disk. After Avalaunch booted I went to file manager and copied the XBMC folder to the E-drive, then simply clicked the XBMC XBE file and it worked.

    So far I have been able to launch all XBMC versions that I have tried and can also launch surreal64 and some xbox1 games in file form from HDD. All from selecting the XBE in the Avalaunch file manager.  Some versions of XBMC can run picture files, some can run music files, so far I can’t get AVI movies to play or gain network access.

    You need a JTAGed console, I found that answer elsewhere.  Here are the files needed; the burn instructions are not specific, but if you have a JTAGed unit, you probably know the drill.


  • Posted by Pirate , on 07/03/2010 , @ 02:18am


    C4E’s LT DVD firmware for BENQ drives has been released:

    C4E’s iXtreme Lite Touch (LT) in association with Team Jungle & Team Xecuter

    After a long development and testing process we give you the first official release of the iXtreme LT
    - Supports all BenQ Drives (62430C, 64930C)
    - Supports all Liteon Drives (74850, 83850V1, 83850V2, 93450)
    - Totally re-written code optimised for minimal patching
    - Whole banks of firware now untouched
    - New Drive response timing engine accurately mimics original drive timings
    - Full disc stealth used by default
    - Waveless booting , disc images are assumed to be correct!
    - Split-Vid used as default

    * Warning! Ensure all disc images are checked with abgx as LT assumes all stealth/ss/pfi/dmi is correct. Disc images must also be splitvid and preferred SS v2
    * Warning! Lt will not save you from being banned if console is already flagged by using a previous firmware or non-stealth discs
    * It is also advisable to apply all system updates before flashing with LT. All future console system updates (not game updates) must be applied with caution


    * Thanks go to Team Jungle for their hard work and efforts in the development process.
    * Thanks also go to Te

  • Posted by Pirate , on 03/03/2010 , @ 09:48pm


    Remember the rumor a few days ago that Sony may remove the OtherOS feature on non-slim PS3′s in future firmware update? Well Geoff Levand, PS3-Linux maintainer, has gotten confirmation from SCE that the feature will NOT be removed in future firmware updates, and Sony will continue to support it.

    To quote (read bolded statement):

    Hi All,

    On 02/26/2010 04:30 AM, David Woodhouse wrote:
    > On Fri, 2009-08-21 at 09:58 -0700, geoffrey.levand at am.sony.com wrote:
    >> The feature of “Install Other OS” was removed from the new
    >> “Slim” PS3 model to focus on delivering games and other
    >> entertainment content.
    >> Please be assured that SCE is committed to continue
    >> the support for previously sold models that have the
    >> “Install Other OS” feature and that this feature will
    >> not be disabled in future firmware releases.

    > Although it’s disappointing that Sony have removed the feature from new
    > models, It’s good to have this public assurance from Sony that at least
    > the feature won’t be removed from older models which are already
    > working.

    Please understand that in my position as PS3-Linux maintainer
    I can really only provide users with technical support for
    Linux and the LV1 hcall interface.

    The text above was provided to me by SCE management. If
    you have any questions regarding it or any other feature
    of the PS3 please contact the Playstation Customer Support
    in your country. Using Playstation Customer Support will
    insure your inquiry is processed through the correct
    channels within SCE.


    So everyone can take a breather who thought that geohot’s exploit was going to be patched :)

  • Posted by Pirate , on 03/03/2010 , @ 03:50pm


    Xorloser has released his complete the PS3 exploit toolkit software called XorHack. XorHack allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program.

    To quote:

    I finally found the time to complete the PS3 exploit toolkit software I mentioned to in my previous posts. I call it XorHack. It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

    • ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
    • dumphv – Dumps the hypervisor to a file in the current directory.
    • dumpbl – Dumps the bootloader to a file in the current directory.
    • dumprom – Dumps the system rom to a file in the current directory.

    The XorHack package contains full sourcecode for everything including a rewrite of geohot’s exploit sourcecode to make it easier to read and understand (the new file is kmod/exploit.c). The rewrite doesn’t just fix the compilation warnings, it attempts to replace all “magic” values with the algorithms and reasoning as well as tidying up the code and commenting it all. I also added another syscall #21 to allow executing of code in hypvervisor context. Due to the associated complexities it is not available from usermode, it is for advanced users to make use of in kernel space. Some small changes were also made to the timing and the text that gets printed onscreen to make the exploit easier and hopefully more stable to use. I recommend XorHack when both looking into how the exploit works and when actually triggering the exploit.

    XorHack is made up of three parts. The kernel module, the userspace library file, and lastly the userspace programs themselves. To build all three parts you need to first extract the contents of the XorHack zip file to a directory on your PS3 harddrive. Next you need to navigate on the command line to the directory you extracted the files to. You should be either logged in as root or running as root thanks to the “su” command. Now type “make” to build all parts of XorHack. Then once that completes type “make install” to install all parts of XorHack. If you wish to you can type “make uninstall” in this same directory to remove all of XorHack from your system. When you install XorHack on your system it will always be ready for use, even after rebooting it will be automatically reloaded and ready for use.

    To use XorHack to perform the exploit on your PS3 first install it as per the directions above. You then need to switch to a console only mode (no GUI). This is required because it is the only way you can see the printed messages from the kernel module to know when to press the button. Once exploited all other programs can be run normally from a terminal window in GUI mode. To switch to console mode press Ctrl+Alt+F1 on your keyboard. To switch back to the GUI mode press Ctrl+Alt+F7. When you enter console mode you will be greeted with a login screen. Now login with your normal user account and password and type “ps3exploit 100″. This will start the exploit looping 100 times in which you need to successfully glitch the console by pressing the button on your glitch hardware. The idea is the perform the glitch when nothing else is occuring on your PS3. Therefore some things you may want to try when exploiting to help your chances are:

    • Only press the button once per loop.
    • Try to press the button around the middle of the pause between two concurrent prints of the “press button” message.
    • Don’t start pressing the button till after the 10th “press button” message (by this time the system should done loading and preparing the newly running code, so less likely to interfere with processes that occur during these stages)
    • Run the ps3exploit software after initially booting up the PS3 and switching to the console login without first logging into the GUI mode.
    • After booting the PS3 and switching to the console mode straight away, log in and then wait about a minute before running ps3exploit so that any processes that may occur upon login/startup have completed.
    • Don’t use any services that will cause more processes to be running until the exploit is completed. This includes things like accessing your PS3 over samba.
    • Once you have successfully exploited, stay in console mode as there is less chance of instabilities causing havoc and crashing your PS3.

    The PS3 Exploit Game!

    Once you can run the exploit it’s time to turn it into a game. Think of it as a cross between getting the turbo boost at the start of a Mario Kart race and Dance Dance Revolution with a finger pad. The aim of the game is to exploit your PS3 as quickly as possible without it crashing. Below is my highscore table picture showing my highscore of THREE!

    You can view and download XorHack and readme here.


  • Posted by Pirate , on 02/03/2010 , @ 01:36am


    Demonhades has posted today progress/findings of the PS3 hypervisor and boostrap (lvl0/level1).

    To quote:

    For those who bear on our community and this study shall know the hypervisor and bootstrap, but for new and newcomers who want to know about the safety features on ps3, and is protected as it manages the hypervisor (hardware manager) believe that interesting reading this list.

    Then I leave it here hypervisor dump that I have gone and published it to all make a good background paper on the hypervisor and the bootstrap ;)

    Here you will be added all the features you get in a list, if you see that are already discussed here, and exposed them to not only need to copy them from your valleys and fast ;)

    You can view the full (rough English translation) examination at the discuss in forums link, or the more organized version at the VIA link (in Spanish).