[jdtamimi]

Originally Posted by OoZic Or must be a dev/hacker team too, like (my personal guess !!!) Team Rebug....

I would really hate them if they were. I'll take off rebug fw from my ps3.

Sent from my PC36100 using Tapatalk 2

[svenmullet]

Originally Posted by cfwprpht Well some times you all think to complicate. We have no keys to this stage of work and if we some days get hands on new keys we will release them. We get the dump on the same way like Paradox or True Blue i guess. Please understand when i don't want tell you how it works cause i don't want to have it patched by sony in one of the new fw's till it is finished or till we can provide some new 3.6+ games free for all. And maybe even then chances are high that i don't will release till the scene will have something new that sony can't patch with future updates like eg a full working bootloader exploit.

So your method is patchable then? That sucks, but if it's a bug/exploit in the firmware, there's nothing you can do about sony patching it. The dual NOR/NAND method would not be patchable, unless they started putting checks in games to make sure they are not running on lower firmware. I understand your hesitation to reveal anything, but a lot of people will take that as withholding info from the 'scene'. Looking forward to your first "release", and if you need an honest and reliable tester for anything, let me know

[KentaZX]

Originally Posted by svenmullet So your method is patchable then? That sucks, but if it's a bug/exploit in the firmware, there's nothing you can do about sony patching it. The dual NOR/NAND method would not be patchable, unless they started putting checks in games to make sure they are not running on lower firmware. I understand your hesitation to reveal anything, but a lot of people will take that as withholding info from the 'scene'. Looking forward to your first "release", and if you need an honest and reliable tester for anything, let me know

if ya need anyone to test out the eboots or such, im here to help too of course as long its nothing like me ending up losing my hacked ps3...

[Calliope]

Originally Posted by cfwprpht No Team Rebug is not involved as far as i know. And by the way your now on the right way but you don't need a hardware guy or a dual NOR or something like that. But keep going guys ther are always more ways to one goal I attached a litle POC for you all. It's a dump of 3.55 and the used app is BlackBox. I just used a small app to make things to start more easy. We also have a RAM dump of OFW 3.74 and we don't have used any hardware or software moddifications. To time i still hold back some infos i hope for your understanding.

Thank you! This is the sort of thing we were looking for! However, I believe you said in a earlier post that you were in the progress of getting your hands on debug eboots like True Blue?
************* [ - Post Merged - ] *************
What if the True Blue Dongle merely loads a custom firmware from the USB the beginning? As anyone considered that possibility?
************* [ - Post Merged - ] *************
What am I thinking right now is what is the True Blue dongle simply loads a custem payload in the lv1/dev_flash and the eboots are simply redirected to it? By redirecting they are perhaps avoiding the whole security cycle?? Just an idea that I just got while cooking :-D

[Pockets69]

i like what i see here, people brainstorming at least its better than what happens in most threads.

good work

[cfwprpht]

Thank you! This is the sort of thing we were looking for! However, I believe you said in a earlier post that you were in the progress of getting your hands on debug eboots like True Blue? ************* [ - Post Merged - ] ************* What if the True Blue Dongle merely loads a custom firmware from the USB the beginning? As anyone considered that possibility? ************* [ - Post Merged - ] ************* What am I thinking right now is what is the True Blue dongle simply loads a custem payload in the lv1/dev_flash and the eboots are simply redirected to it? By redirecting they are perhaps avoiding the whole security cycle?? Just an idea that I just got while cooking :-D

No not debug eboot's. I do the same like TB at least i think so but they dump the eboot's out of ram and fake sign them with there own npdrm.

So mainly i dumping the RAM to get hands on the EBOOT's of games, Patch them cause some flags and some tables get replaced with files and make them run on lower fw with 3.55 npdrm keys or fself them and release a CFW that can boot debug self's and install debug pkg's. More like that.

[svenmullet]

@cfwprpht do you have a DEX machine?

[DjKlown]

@cfwprpht i believe you are on the right track... i have said this same exact thing in recent posts and to certain people... you know who you are... keep doing what your doing...

"Patch them cause some flags and some tables get replaced with files and make them run on lower fw with 3.55 npdrm keys or fself them and release a CFW that can boot debug self's and install debug pkg's. More like that."

regards

[Calliope]

[QUOTE=Calliope;361228]Thank you! This is the sort of thing we were looking for! However, I believe you said in a earlier post that you were in the progress of getting your hands on debug eboots like True Blue?
************* [ - Post Merged - ] *************
What if the True Blue Dongle merely loads a custom firmware from the USB the beginning? As anyone considered that possibility?

************* [ - Post Merged - ] *************

Originally Posted by cfwprpht No not debug eboot's. I do the same like TB at least i think so but they dump the eboot's out of ram and fake sign them with there own npdrm. So mainly i dumping the RAM to get hands on the EBOOT's of games, Patch them cause some flags and some tables get replaced with files and make them run on lower fw with 3.55 npdrm keys or fself them and release a CFW that can boot debug self's and install debug pkg's. More like that.

Well I just got an idea, but its past midnight and I have to goto bed (Im there with my laptop now), but I had to post this. I will elaborate on it tomorrow! But here it goes (some of the points are from PS3devwiki):

Devkit --> NP-DRM –> Perhaps they are making the PS3 believe that it is a PSN game? If so then they are modifying the eboot.bin into a PSN eboot. Perhaps members of Team Duplex could help?

- Patching of lvl1 to allow RW mapping of RAM via lvl1.self
- File/memory
- Offset(h) 00 01 02 03
- OFW: 000F5A44 39 20 00 00 li r9,0
- TB: 000F5A44 39 20 00 01 li r9,1


lv2_kernel.self --> only 1 function change, and a section added
sub_28fe30 is replaced --> Determines whether to load as OFW or TB. So the actual exploit is executed before loading OFW code!

dev_flash_010.tar.aa.2010_11_27_051337
\dev_flash\vsh\module\nas_plugin.sprx
Offset(h) 00 01 02 03
OFW: 00003250 7C 60 1B 78 mr r0, r3
TB: 00003250 38 00 00 00 li r0, 0
Offset(h) 00 01 02 03
OFW: 00037350 41 9E 00 4C beq- cr7,4c
TB: 00037350 60 00 00 00 nop

I have reasons to believe that they perhaps are using the old USB exploit from PSJailbreak from a different angle. The Dongle modifies files on the dev_flash and I believe does some sort of Cex --> Dex conversion. I will look more into it tomorrow.

[cfwprpht]

@svenmullet No i don't have a DEX to time why you ask ?

@DjKlown Thx for the Flowers

@Calliope

Im guess that the lv2 patches are peek&poke and a additional check to see if tb dongle is connected or not.

The nas_plugin patches are for psydo-retail and debug pkg's.

and no it's not a kind of cex2dex. Forget this thing. For a dex convertion you need to moddifie the EID segments. To be exact EID0,1,2. But first you need to decrypt them, patch data and set flags, encrypt back and flash it to the console. After that you need to start Service Mode and flash a debug fw to the console.

Belive me when i say forget that true blue crap and the trie to reverse it. The step to get the new games running on lower fw have nothing to do with reversing tb.