#1
Member
Join Date: Dec 2011

How about crashing a .PUP??
Ok, so I had another exploit idea as I'm sitting here without a job recently and have a lot of time on my hands. Ok, so ur at home downloading the newest fw update (cause u have two ps3's) and u get through the checks and such, at which the ps3 reboots into recovery and starts installing right after u hit the ps button on the controller. So....my question would be....at what point does the ps3 check the .PUP for control? Would there not be an exploit waiting at that particular moment if u could make the .PUP crash the ps3 then swap usb drives with a cfw on it?? It would have to be extremely well executed....but why wouldn't it work?

#2
Hired Gun
Join Date: May 2011

Swapping USB drives will do no good to the console in the first place.
That's the problem.

#3
Homebrew Developer
Join Date: Jan 2012

In case of keys: how do you want to make a CFW for higher versions without the key to sign?

#4
Member
Join Date: Dec 2011

My theory would not involve the use of keys...this would be a downgrade/jb. What I mean is, u update to an ofw 4.10 or .11 that has been modified. This can obviously be done. Nodex and a member of here did it for fun. So with that being said, u modify the fw to crash, at which u would swap the .PUP on the usb port with a cfw 3.55. In theory downgrading. My question is really, "what are all the points at which the ps3 checks the .PUP?". If that can be answered the rest could be feasible.

#5
Member
Join Date: Jul 2011

The ps3 knows when you remove the usb drive, so your idea might work if you could somehow overwrite the pup without removing the usb drive.
Maybe with one of those dual usb/sd memory sticks?

Edit: the syscon of a cex ps3 doesn't downgrade unless you are in service mode or have qa flag working and use recovery mode, so you would need to use a pup that has the checks patched out.

Last edited by butnut; 04-15-2012 at 07:49 PM.

#6
Homebrew Developer
Join Date: Jan 2012

Won't work. Have you ever had a look at the new PUPs?
They are different from the old ones and have some new parts in them. So the PS3 would still check those parts, and if they are not there it wouldn't work. But to answer your question: the PS3 reads the PUP and first checks the version. If the version is valid, it would start to unpack all files from the PUP to the temporary HDD partition. After that the updater self is started and the PS3 starts in updater mode. Then again a check is done if everything is OK. If not, the con will give you a nice error message. So no way to go on that idea.
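
Added example, not part of the thread and not Sony's updater code: a toy model of the flow described in post #6 (version check, copy to internal storage, second check in updater mode), showing why replacing the file on the USB media after the first check changes nothing. The package layout, `KEY`, `install` and the `after_staging` hook are assumptions made for the demo, the second check is assumed to be an integrity check, and an HMAC stands in for the real signature scheme.

```python
import hashlib, hmac, os, tempfile
KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the vendor's real signature
TAG = 32                       # length of the HMAC-SHA256 tag

def make_package(version, payload, key=KEY):
    """Constructed toy format: 4-byte big-endian version | payload | 32-byte tag."""
    body = version.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def install(media_path, staging_dir, installed_version, after_staging=None):
    # Step 1: read the package from removable media once; cheap version check.
    with open(media_path, "rb") as f:
        blob = f.read()
    if len(blob) < 4 + TAG:
        return "rejected: malformed"
    if int.from_bytes(blob[:4], "big") < installed_version:
        return "rejected: version (first check)"
    # Step 2: stage the bytes onto internal storage; the media is not read again.
    staged = os.path.join(staging_dir, "staged.pkg")
    with open(staged, "wb") as f:
        f.write(blob)
    if after_staging:          # hypothetical hook: lets the demo swap the media here
        after_staging()
    # Step 3: "updater mode" trusts nothing from step 1 and re-checks the staged copy.
    with open(staged, "rb") as f:
        data = f.read()
    body, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest(), tag):
        return "rejected: integrity (second check)"
    version = int.from_bytes(body[:4], "big")
    if version < installed_version:
        return "rejected: version (second check)"
    return f"installed {version} ({len(body) - 4} payload bytes)"

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        media = os.path.join(d, "media.pkg")
        def write(blob):
            with open(media, "wb") as f:
                f.write(blob)
        # Constructed samples: 411/355/410 model firmware 4.11, 3.55 and 4.10.
        unsigned_old = make_package(355, b"modified", key=b"not-the-vendor-key")
        write(make_package(411, b"official"))
        results["swap_after_staging"] = install(media, d, 410, lambda: write(unsigned_old))
        write(unsigned_old)
        results["old_unsigned"] = install(media, d, 410)
        write(make_package(411, b"modified", key=b"not-the-vendor-key"))
        results["new_unsigned"] = install(media, d, 410)
    return results
```

In the first case the media is overwritten after staging, and the installer still installs the staged official package because every later decision is made on the internal copy.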

#7
Member
Join Date: Dec 2011

But....(and I don't have my hex open) about three quarters down the page is a call to http://www.scei.co.jp/legal/us/ and an encryption. Of course we might not know what that is but (and I hate to keep giving scenarios cause I prob. sound like I'm reachin, though I swear I'm only tryin to help) what if we were to change that to meet a server requirement of our own through the .PUP? Thus causing the crash while maintaining hold of the server? I know I'm reaching but I am kind of an old school hacker with tools like flycrypter, filestealer, snort, Cain & Abel, so on....I just really wanna help u guys. Just don't have the extensive script making knowledge.

#8
Homebrew Developer
Join Date: Jan 2012

Well, the hacking of EID segments and writing an app that can decrypt and re-encrypt EIDs would be more of a help.
Even if the most average user doesn't know what to do with a debug con, we would have a new way of jailbreaking the PS3. Because a fully converted debug can make use of the special downgrader PUPs, and you can software-wise jump between FWs as the user wants. Also the homebrew can be converted to fake selfs and the user could let them run on higher FWs. Not all HB could run at first stage, but it is a start. And a debug can do even much more, which I can't explain here. But if you really want to help then let me know and we talk on IRC or MSN, ICQ, whatever.

#9
Member
Join Date: Dec 2011

One of the best pc devs I've seen. But anyway, let me read more about idps cause I have the recent dumps that were converted to hex and back downloaded on my hdd along with linux commands for eid dump and objective suites. Just need to do some investigating. I do recall three files were missing from the objective suites dump. But, thanks....least now I know what to shoot for.

#10
Homebrew Developer
Join Date: Jan 2012

My team and I, we are three at the time, are working on the EID part along with something else nice. I have everything you may need and we also know the whole EID part well.
We could use help to speed up the process and deliver the scene a so-called idps-tool. I'll send you a PM with the IRC information.