Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by PS3Hax Member News , on 03/02/2012 , @ 12:06am


    PS3 developer Kakaroto, has been hard at work on jailbreaking 4.00 firmware. He has taken the time to explain and talk about the ECDSA algorithm. With the ECDSA being as complex as it is, Kakaroto tries to simplify what the algorithm is. Here is a short quote from his website.

    To popular demand, I have decided to try and explain how the ECDSA algorithm works. I’ve been struggling a bit to understand it properly and while I found a lot of documentation about it, I haven’t really found any “ECDSA for newbies” anywhere. So I thought it would be good to explain in simple terms how it works so others can learn from my research. I have found some websites that explain the basic principles but nowhere near enough to actually understand it, others that explains things without any basics, making it incomprehensible, and others that go way too deep into the the mathematics behind it.

    [VIA kakaroto blog]

  • Posted by GregoryRasputin , on 19/01/2012 , @ 06:12am


    PS3 Developer KaKaRoTo has given a status update regarding his work on getting homebrew running on 3.56 PS3′s, there are quite a few revelations, none of which are a shock, so here is a quote from KaKaRoTo’s blog:

    Here’s a “quick” status update on the 4.00 HEN (Homebrew ENabler) for PS3.

    Following my clarifications from almost 2 months ago here, there has been a lot of progress. We have not been slacking off, we’re a group of about 10 developers working together for the last 2 months, for sometimes 15 hours everyday in order to bring back homebrew support to the latest version of the PS3.

    There are three major parts to the HEN, first, getting the packages to install on the PS3, that part is done, completed, tested, debugged, etc.. the second part is to get the apps to run, that one still has major issues… the last part is something I will not discuss for now (it’s a surprise) but it’s about 60% to 70% done (and it has nothing to do with peek&poke and has nothing to do with backup managers or anything like that. This is and will stay a piracy-free solution for the PS3).

    Now, running apps is the biggest challenge that we’ve been working on for the past 2 months. As some of you know, if you’ve been following me on Twitter, we originally had hoped for Mathieulh to give us the “npdrm hash algorithm” that was necessary to run the apps, but he was reluctant, he kept doing his usual whore so people would kiss his feet (or something else) so he’d feel good about himself. But in the end, he said that he refuses to give us the needed “npdrm hash algorithm” to make it work… So what I initially thought would be “this will be released next week” ended up taking a lot more time than expected, and we’re still nowhere near ready to make it work.

    Mathieulh kept tossing his usual “riddles” which he thinks are “very helpful for those who have a brain”, and which pisses off anyone who actually does… so he told us that the solution to all our problems was to look in appldr of the 3.56 firmware.. and that it was something lv1 was sending appldr which made the “hash check” verified or not… so we spent one month and a lot of sweat and after killing a few of our brain cells out of exhaustion, we finally concluded that it was all bullshit. After one month of reading assembly code and checking and double-checking our results, we finally were able to confirm that that hash algorithm was NOT in the 3.56 firmware like he told us (at all).

    He said that it was an AES OMAC hash, but after tracking all the uses of the OMAC functions in appldr, we found that it was not used for the “hash”… he then said “oh, I meant HMAC“, so we do that again and again come up with the same conclusion, then we’re sure it’s not in appldr, and then he says “ah no, it’s in lv1“.. have a look for yourself to what he decided to write : http://www.ps3devwiki.com/index.php?title=Talk:KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4

    That happened after the huge twitter fight I had with him for being his usual arrogant ass and claiming that he “shared” something (For your information, the code that he shared was not his own, I have proof of that too (can’t show you the proof because even if I don’t respect him, I gave him my word to not share what he gave me, and I respect my word) since he forgot to remove the name of the original developer from one of the files… also it was completely useless and was not used at all, just made me waste a day reading the crappy undocumented code. So why is he still trying to force his “advice” through these riddles even after we had that fight? Well to sabotage us and make us lose all those months of hard work!

    Read The Full Article Here

    This being quite a big story, we had several people submit it, so thanks to all those that posted this news, all your articles have been merged into the one thread.

  • Posted by Pirate , on 21/11/2011 , @ 04:19am


    This morning KaKaRoTo announced on his twitter that he has jailbroken OFW 3.73. There is not much information available yet about this jailbreak but he already stated that this is no CFW and doesn’t allow backup managers to run. But it should allow you to run your favorite homebrew and still play the latest games. For people who are not aware who KaKaRoTo is, he is the person that released the first CFW ever for Playstation 3 and always released his methods and software.

    And it looks like everyone is in luck because KaKaRoTo is planning to release his work and method (as always). But we all have to wait for a while because according to KaKaRoTo it won’t be out in the next two weeks and there is still some work left to do.

    [07:28:39] <KaKaRoTo> heri, docpaul showtime would work fine
    [07:28:58] <sandungas> kakaroTo, this means new tcl patches for mfw and some changes to manage 3.73 ?
    [07:29:17] <KaKaRoTo> ddoo, and no I didn’t fix the npdrm algo, that’s what I’m missing (hence the “kind of”) but I’m not
    working on that, that’s someone else’s job
    [07:30:05] <middleman> gonna debut it at ccc kakaroto or before?
    [07:30:06] <KaKaRoTo> ddoo, and even if npdrm signing worked.. how do you install your pkg on an OFW 3.73 ? :p
    [07:30:22] <heri> so KaKaRoTo, once the NPDRM algo is fixed, a release will come?
    [07:31:14] <KaKaRoTo> heri, another missing bit, but once that’s fixed, yes
    [07:31:23] <KaKaRoTo> but I’ll probably be off country for the next 2 weeks
    [07:31:30] <KaKaRoTo> so all work will have to be paused :p
    [07:31:52] <heri> oh, fair enough. we can all wait 2 weeks hey :P we have waited months anyways :)
    [07:32:06] <KaKaRoTo> ddoo, that might work.. you could also just install your pkg on 3.55 then upgrade…
    [07:32:20] <KaKaRoTo> ddoo, upgrading doesn’t delete any of your packages :p
    [07:32:37] <KaKaRoTo> ddoo, issue is, you’re lost if you didn’t do it before upgrading
    [07:32:53] <ddoo> but they fail because the npdrm algo is spoted by the checks in 3.56+
    [07:33:13] <KaKaRoTo> heri, also note, I “announced” it because I was excited to see it work as expected
    [07:33:22] <KaKaRoTo> doesn’t mean it’s ready for release
    [07:33:31] <KaKaRoTo> ddoo, exactly
    [07:33:36] <heri> yeh thats what we were saying just before you came :)
    [07:33:43] <KaKaRoTo> so you need : 1 - npdrm algo fixed, 2 - a way to install stuff
    [07:33:53] <heri> you only announce when you are confident it works :)
    [07:33:58] <KaKaRoTo> 1 has been done by someone else (don’t know if he’ll share it), and 2.. well, I just did it :p
    [07:34:37] <KaKaRoTo> heri, well, I was testing on 3.60 and it worked, but yes, I did upgrade to 3.73 to test that it still
    works just to make sure I don’t tweet any false hopes
    [07:34:46] <middleman> but you cant run what you installed until 1 is fixed correct?
    [07:34:59] <KaKaRoTo> middleman, exactly
    [07:36:17] <middleman> interesting
    [07:36:19] <docpaul> nice, thx KaKaRoTo
    [07:36:40] * KaKaRoTo needs to hide now if he wants to get any work done
    [07:36:42] <KaKaRoTo> ttyl

    UPDATE 1:

    It seems as tho developer kakaroto has been flooded with questions regarding his 3.73 jailbreak that he announced late last night. here is a copy and paste from his blog.

    Hi all,

    I’ve been flooded with questions on twitter and I’ve read many posts on news sites and I’ve seen some stuff being said on IRC and I thought I needed to clarify a few things…

    First of all, I didn’t expect to see my tweet front paged on all ps3 hacking news sites.. although I should have expected it.. but anyways, the “jailbreak” is not ready to be used, at all. I only tweeted that because I was excited having it working and I wanted to share my excitement with everyone. But this is a bit equivalent to the day I released that create_cfw.sh script that created the very first CFW/MFW but it still took a couple of months before a real, easy, multiplatform and fully fledged solution was released : PS3MFW.

    We are currently at the same state, I have the proof of concept, it works, but a solution that anyone can use where they just click a button and their PS3 gets jailbroken is still far from ready.

    I’ve seen people say (and even write it in their front page news) that I’ll release it in two weeks after I come back from vacation. That is not true and I never said that. What I said was that for the next 2 weeks, the project is on hold until I get back.. but when I get back, then I will continue working on it, and it will then take some more time before it’s ready and released.

    Some asked if it’s based on what gitbrew was doing/suggesting or if I used someone else’s exploit or work. No, this solution is my own idea and 100% my own implementation. However, the actual solution for the full jailbreak involves some components on which I will not work, and I expect/hope that someone else will provide the solution for that.

    Some speculated it might be what I spoke about back in March which I later said I wasn’t pursuing by lack of motivation.. and yes, you are right. The same hack I had in March is still valid today, I told a few people about it (rms, Mathieulh, an0nym0us, and a couple more), but no one was interested in pursuing it further and actually exploiting that flaw (mainly because it requires a huge amount of work to get a proof of concept working). 10 days ago (I started on the 11th), I got bored and decided to start poking at it again, and yesterday (a lot faster than I thought it would take), I got my first pkg installed on 3.73 firmware.

    On twitter, I said “do not update if you are on 3.55″, I said that in response to someone who said he would update. Because of that, people speculated that you need to be on 3.55 first, and then install something before doing the upgrade. No, that’s not it, that would be useless. The purpose of my solution is to jailbreak a ps3 that is already on 3.73 firmware and which had never been jailbroken before. I told people not to update because, first of all, it’s not yet ready, and second of all, the 3.55 firmware gives you a lot more possibilities than what can be achieved on 3.73.

    So what is this jailbreak? I won’t say because I don’t want Sony to block it in a firmware update (and yes, they potentially could) before it’s even released (and yes, I will release it when it’s ready). But I will explain this to you : in order to run your homebrew apps, you need two things. First, to be able to install them on the ps3, and second to be able to run it once installed. I did only one of these two things.

    Some may say it’s not a real jailbreak, but the way I see it, there are three ‘jails’ on the ps3, I broke the first one which prevents you from installing anything, so now you can install your .pkg, great, but it won’t run, that’s the second jail. The third jail is being able to modify the firmware (peek&poke).

    The second jail (running apps) is something that can be done, but it’s not my area of expertise (npdrm algo), so I will not be working on that. I am waiting for someone else to achieve it (some have succeeded but do not wish to release it, at least not for now) then I will release.

    The third jail (modifying the firmware) is not possible with my method, this means that you will not have a “CFW”, you will run your homebrew applications and games on an official firmware. This also means that without peek&poke support, none of the backup managers will work. So, again, my solution is piracy-free, and as always, I do not plan on working on a way to enable piracy (or even legal backups).

    Overall, the purpose will be to allow people who are on 3.73 firmware to enjoy the homebrew games that were released, to play a bit with Eskiss, and to use Showtime for playing their movies. This should be more than enough for everyone.

    Finally, I will conclude by replying to another question I received : Do you accept donations? The answer is yes. I do accept donations but I do not seek them out. I will include a donate button to the bottom of this post, so if anyone wishes to donate, they can do so, however, I want to make it clear that whether or not you donate does not and will not affect in any way, the release, or the progress of the work I’m doing. If you donate, you would do it as a sign of appreciation of my efforts, and not in exchange of any favors or anything crazy like that.

    That’s about it I think… If you have any more questions, please refrain from asking them, I get enough as it is already.. I also said everything I needed to say and I don’t want to give any more information than that (for now).


    UPDATE 2:

    A small F.A.Q created by euss.

    Q: Will I need special hardware?
    A: No.
    Q: Will homebrew work?
    A: With NPDRM fixed, yes. Showtime would certainly be possible.
    Q: Will recent games play correct
    A: Yes, its 3.7x, sure it plays all 1.00 - 3.7x games.
    Q: Does it have Peek& Poke?
    A: No.
    Q: Do Backup manangers work?
    A: No, see previous answer.
    Q: Does it gets us keys
    A: No.
    Q: Does it gets us “CFW”/MFW?
    A: No.
    Q: Will it allow downgrade?
    A: No.
    Q: So why are all the newssites hyping this that it does?
    A: Because they don’t read wiki’s/blog’s xD Besides, every minor news gets ‘prolly CFW soon!’ tagged by the bad ones.
    Q: Is there a release date?
    A: No, besides KaKaRoTo not able to work on it for 2 weeks, it also relies on (other people?) fixing NPDRM.

    Source PSDev Wiki <— A real source for PS3 information, created by real developers
    Hopefully that will clear a lot of misunderstandings by people.

  • Posted by PS3Hax Member News , on 01/10/2011 , @ 06:00pm


    A couple of weeks ago, PS3 and software developer KaKaRoTo released a Homebrew game called Eskiss, in which you moved a ball to a a goal/destination, you could either use your control pad or a mouse, today KaKaRoTo updated the game to support the PS Move, here is a quote from the devs personal blog:

    Hi all,

    I’m releasing Eskiss with Move support and I think the instructions on how to use it require a bit more than what twitter allows (from my usual small updates).

    The instructions are simple, you can still play with a normal mouse if you want, or use the controller to emulate the mouse, just like before. But, if you have a PS Eye camera plugged in, then it will also be ready to handle the Move.

    If it detects a move controller, the ball on the controller will be white, at that point, you must press the Action button while pointing the controller to the camera (there’s no image feedback on the screen, so just point and press the action button). This will calibrate the controller and the ball will change color. At this point, moving the controller will also move the cursor on screen.

    You can press the Action button at any time to recalibrate the controller (useful if the tracking stops working correctly, or camera falls off), and you can press the Start button at anytime to center the cursor on screen. Pressing the T button trigger will emulate a click.

    You have the choice between two tracking modes, the first one (the one selected by default) is the 3D coordinate system, which means the cursor appears on screen with 1 to 1 precision (kind of) with where the controller is located in the room, so you have to move the whole controller to move the cursor (and even maybe stretch your arms to get to the corners), the second tracking mode is using the internal gyroscope of the controller, in other words, you can move the cursor just by pointing or rotating the controller without moving the whole controller in 3D space.

    You can switch from one tracking mode to another at any time by pressing the Select button. Try them both and see which one you like best.

    P.s: When you press the Action button to calibrate, the ball will change colors a few times, you must not move the controller while it’s doing that, do not move until it becomes a solid, stable color. If the ball becomes white again, it means you moved and the calibration failed… in that case, try again.

    P.p.s: In this release, I have also fixed the crash that you might have had in the previous version, so the game should be a lot more stable. While it still might crash, it is now very rare and shouldn’t break the gameplay like it did before.

    And here’s a video demo of the game running with the Move controller, courtesy of fungos

    Download 3.55
    Download 3.41

    Source Blog
    Source Twitter

  • Posted by PS3Hax Member News , on 14/09/2011 , @ 07:11am


    Kakarotoks, famous for creating PSFreedom, PL3 and the FIRST Custom Firmware, today ported the game, Eskiss to the PS3!

    The Eskiss game using the EFL (Enlightenment Foundation Libraries) running on a PS3.

    Smooth framerate at 1080p resolution.

    The game can be played with a mouse or with a controller, this video was done using a mouse.

    Download: Megaupload.com

    Source: KaKaRoToKs’ Twitter

  • Posted by PS3Hax Member News , on 06/06/2011 , @ 03:04pm


    KaKaRoTo, a very talented Developer has released a port of Free Heros 2 (Heroes of Might and Magic II clone) for the PS3.

    Free Heroes 2 is now available to download from http://humblehomebrew.com ! I know the site sucks, deal with it (or help improve it!)

    Next version will add selection of free map packs for FHeroes2, and hopefully get that pink background fixed too.

    Note: make sure you connected your ps3 to the internet for the first run, it needs to download the game data (licensing issue).

    Download at http://humblehomebrew.com/

    Source Twitter

  • Posted by GregoryRasputin , on 22/05/2011 , @ 07:07pm


    Esteemed PS3 Developer KaKaRoTo, has been working hard for two months on a little project, which he has just released to day, it is a professional Homebrew game, there is also a petition in the form of a letter addressed to Sony and if you chose, there is an option to donate, here is a quote from the Source:

    The Humble Homebrew Collection is an initiative that aims to convince Sony to provide us with a legitimate and official way to create homebrew applications for the consoles that we own.

    We are providing you with a free homebrew game that aims to be polished and look professionally made which includes 33 very good and addictive puzzle games. We’ve tried to make this homebrew games collection as good as possible so that even the anti-homebrew purists will be jealous of it.

    Homebrew does not equal piracy, and this is proof of it. These games are all free and are released under the MIT license.

    You are free to download these games for the platform of your choice, whether it’s on a jailbroken PS3, Linux, Windows, Mac or Android.

    This Homebrew game collection is a port of Simon Tatham’s Portagle Puzzle Collection to the Playstation 3 system and it includes 33 puzzle games. More games are being written and this collection will only increase with time.

    This is one of the first homebrew games that are released on the PS3 which are above the “proof of concept” status and is not yet another backup manager, FTP server or a port of an existing emulator.

    This homebrew game is still in active development and will continue to receive regular updates. The TODO list has many items on it and it will continue to improve for your enjoyment.

    The main purpose of this website it to serve as a petition against Sony’s unjust behavior towards their customers. You are encouraged to sign the petition, donate to the developers or you can simply download the games. The choice is yours.

    If you wish to do so, you may also donate to the developers of this homebrew application, as well as to the EFF, which helps defend our rights in this digital age.

    It is time to vote with your money, boycott Sony, request your legal homebrew and request your freedom and let them know that they have much to gain by giving us access to the homebrew that we deserve.

    Let Sony know that, as a customer, you want homebrew games, you want to see the real purpose of the Copyright Law used properly: To encourage creativity and innovation. Let them know that, as a customer, you are willing to pay for quality homebrew and that if they wanted to, they can get a share of that money. After all, all they care about is money!

    Thank you

    Source And Download

  • Posted by PS3Hax Member News , on 20/03/2011 , @ 11:42pm


    KaKaRoTo has released PS3IDA. PS3IDA Project is useful *only* for developers! It’s a collection of IDA scripts and plugins, includes PPCJT.

    To quote:

    It’s been a while since my last post! A lot has been happening lately, I’ve mostly kept my followers updated on what’s new through my Twitter account, but I think that this deserves a post of its own!

    I’ve  been reversing some PPC code in IDA and unfortunately, it doesn’t handle the PS3 files very well, so I wrote a lot of scripts in order to make  it parse the files properly! There was one thing missing though that I couldn’t do with an .idc script : handling of jump tables.

    Yesterday, I took on the task of writing an IDA plugin in order to parse the ppc code and find jump tables and define them in IDA’s kernel so the analysis is done properly! It was a very fun and exciting challenge that I enjoyed doing, and I’m happy to say that I succeeded and it works very well (on the files I tried anyways).

    The IDA API is extensive and easy to use, and allows you to do pretty much anything! I also found the IDA Pro Book to be extremely well written and very useful! I would suggest to anyone who likes tinkering to try and write an IDA plugin, because it was a challenging but fun experience!

    I initially wrote the plugin thinking that the jump table instruction patterns was always the same, but when I started testing, I found out that some instructions could have a different order, there might be inserted instructions in the middle of the pattern, or different registers being used, etc.. so I eventually had to rewrite my plugin and ended up using a class that comes from IDA’s SDK which takes care of “instruction rescheduling” and “intermingling of the jump sequence with other instructions”, at least I learned from my first try and it made my second try a lot easier. I also realized that I haven’t done any C++ in maybe 5 or 6 years, and I really forgot all about how to write C++ code. It was a bit embarassing to google “how to derive from a class in C++”, lol!

    Anyways, I am now releasing my scripts and my PPCJT plugin for IDA under a new project : PS3IDA.

    I’ve created the ps3ida repository on git-hacks.com (Thanks again to @dashhacks for providing us with this safe haven for all our legal tools). The repository contains many files, I suggest you read the README file for a description of each, but the most important ones are analyze_self.idc and analyze_sprx.idc. I’ve also ported my lv2_dump_analyzer.idc script to work with IDA 6.0.

    There are two plugins in ps3ida, the first one is the well known PPCAltivec released by xorloser, I’ve decided to add it to the project so the source code stays available for anyone who needs it. I also slightly modified the source code so it compiles correctly on Linux using gcc 4.x. The second plugin is PPCJT that I wrote yesterday, it will find jump tables and define them in IDA’s kernel so the functions get properly analyzed. Just install it, and when you see a switch/case in the code, put the cursor on the ‘bctr’ instruction and press ‘C’ so it can parse the jump sequence and fix it, or just go to  ”Options->General->Analysis->Reanalyze program” and it will fix them for all the file.

    I have built the PPCJT plugin for Windows and Linux for IDA v6.0, you can download it here.

    My personal suggestion, since IDA could screw up the analysis in its initial run, would be to completely undefine the file (Ctrl-PageUp + Alt-L + Ctrl-PageDown + U), then run the analyze_self.idc or analyze_sprx.idc.. it will take some time, but then you’ll get a beautiful file loaded :) Especially with the correctly named imports, this should help a lot any reverse engineer out there!

    p.s.: To every stupid person in the planet : If you have no idea what I’m talking about, then this is not for you, this does not lead to any ‘CFW’ or jailbreaking of 3.60 or whatever else you might hope for.. so shut up and don’t comment if you’re not a user of IDA or if you don’t know what IDA is.

    [Download PPCJT v0.1 for IDA v6.0]
    [VIA KaKaRoTo Blog]

  • Posted by PS3Hax Member News , on 05/02/2011 , @ 12:29pm


    Sony is pushing out more legal actions against all major PS3 hackers/devs including: Cantero, Peter, Bushing, Segher, hermesEOL, kmeaw, Waninkoko, grafchokolo and kakaroto. Sony is planning to subpoena (definition) various internet sites such as; PSX-SCENE, YouTube, Twitter, PayPal and Slashdot inorder to find the hackers.You can grab and see the legal documents below.

    What do you guys think of all this legal action by Sony? Do you think it is feasable to go after these hackers…after all if one goes down we all know 3 other will pop up in his place. Let us know VIA comments below.

    [Download all court documents]

    [VIA PSX-Scene]

  • Posted by Pirate , on 04/01/2011 , @ 10:38pm


    Did someone just say custom firmware? Yep, KaKaRoTo, after all the crazy news the last few days, has pumped out the FIRST PS3 custom firmware! What does this CFW allow? Throw those USB boards and those cheap clones out the door because now we can install PKG files without the need of “jailbreaking” the PS3! KaKaRoTo’s CFW currently does not support booting of backups but it is very possible to do and expect the feature to be available VERY soon.

    To quote from KaKaRoTo’s blog:

    IF SERVER DOWN…here my hard copy… :) )

    PS3: First ‘Custom Firmware’ now working!

    Great news!

    Thanks to the tools made by the fail0verflow team (and thanks to sven in particular for his work on the pkg/unpkg tools), the first “Custom Firmware” is now available for the PS3!

    I see a lot of questions coming up really fast on my Twitter account, so here are the basic things you need to know :

    Because of legal/copyright issues, I will not provide the custom firmware to anyone, however, I’ve made available all the tools necessary to transform an Official firmware update, into a custom one, just grab my ps3utils repository from github, compile, then run :

    ./create_cfw.sh PS3UPDATE.PUP CFW.PUP

    This will take the official firmware, unpack it, modify it, then repack it correctly (requires you to install ps3tools).

    This requires Linux of course, but I’m sure others will do it for the masses and illegally release those files somewhere.

    The advantage here is that you can do it for any firmware, if you want to keep version 3.41, then give it the 3.41 update, if you are on 3.55 already and can’t downgrade, then run the script on the official 3.55 firmware and it will create a modified 3.55 firmware.

    You can put the file in a USB drive under the filename “PS3/UPDATE/PS3UPDAT.PUP” and then go to system update in the XMB, and it will allow you to install the update (even if you’re already on 3.55).

    People are asking what are the features of this firmware, it’s simple, all it does is to add those “Install Package Files” options to the Game section of the XMB. It doesn’t do anything else!

    This firmware will not allow you to run the currently available homebrew application. Once the homebrew developers re-package their files in a ‘retail’ .pkg format with signed executable, then it will work (this should be coming soon thanks to the work of the fail0verflow team).

    Since the kernel is left unmodified, this means that this custom firmware is really meant for future homebrew installation, and it will not allow piracy. I plan on keeping it that way.

    This is just the first attempt at custom firmware, and it only contains a minor modification to allow you to install pkg files directly, eventually we’ll get some more options added to it in the future. This is just starting to get interesting!

    p.s: Thanks to everyone who helped make this possible!

    Enjoy! Smile

    Enjo also from me :) )

    Video of this baby running in action:

    Some updates from his Twitter:

    Thanks to @b3ll for testing and confirming my create_cfw script does create a valid, working cfw update file More to come
    56 minutes ago

    First CFW working. Grab http://bit.ly/hszcH3, then “./create_cfw.sh PS3UPDAT.355.PUP CFW.PUP”. Permanently adds “install pkg files” menu.

    Because of LEGAL and COPYRIGHT issues the compiled download version will not be provided, but you can grab the required files VIA GitHub below (if you jumped down here to see the download link read the blog quote above to see how to compile):

    [Download KaKaRoTo CFW via GitHub]

    [VIA KaKaRoTo Blog]


    UPDATE 1:

    Confirmed working ontop of FW 3.55 - please be patient as updates and progress roles in - don’t rush and do something you will regret in the future!

    Have not tested yet, original source here:

    I created a 3.55-CFW (thanks to KaKaRoTo’s tools) and uploaded it

    More info about this CFW can be read from KaKaRoTo’s blog , check it out here before installing PS3: First ‘Custom Firmware’ now working! « KaKaRoTo's Blog

    Links :
    Link : PS3UPDAT.355Cfw.KaKaRoTo.pup
    Mirror (from freeforall9) : PS3UPDAT.355Cfw.KaKaRoTo.pup

    MD5 : 38BE61D5B4D1E33BA91632994275DA8E

    Note 1: you can install 3.55 signed packages with this without dongles and get on PSN (for now)

    Note 2: I would NOT currently recommend installing this CFW for anyone without the official 3.55 installed, I’d wait for more testing to be done

    Note 3: Only 3.55-signed pkg files will install with this and only 3.55-signed code will run

    UPDATE 2:

    Greg over at PS3-Hacks.com has created a compiled copy for us to enjoy with the newest updates of KaKaRoTo (fixed missing XMBs and PS1/PS2 support for compatible models):

    Quick rundown on how to install this (same as a normal firmware) - you may have to access PS3 reovery mode to install CFW. This is how you would go back to your ORIGINAL PS3 firmware too:

    Depending on your situation you may need to install the CFW PUP from the PS3 Recovery Menu. To do that, follow these steps:

    1. Ensure the PS3UPDAT.PUP is in /PS3/UPDATE/ on your USB device.
    2. Power down the PS3.
    3. Now press and hold the power button, the system will startup and shutdown again.
    4. Release the power button, then press & hold power again, you’ll hear one beep followed by two consecutive beeps.
    5. Release power then follow the on-screen instructions. You’re now in the recovery menu.
    6. Connect the USB device and select “System Update.”
    7. Hope for the best.

    Download: PS3 CFW 3.41 | PS3 CFW 3.55

    More updates as they roll in, stay tuned to PS3Hax for them

  • Posted by GregoryRasputin , on 07/12/2010 , @ 06:00pm


    As the news here stated that the PS3Yes key was released, via some twitters we were left unsure, well it can be cleared up now, KaKaRoTo has successfully reversed the Key and added it to PSFreedom, a few messages from his twitter:

    Dongle key reversed from PS3Yes hex. PSFreedom now enables service mode : “insmod psfreedom.ko jig=1″

    They obfuscated the key, xor-ed it with 0×36 and swapped bytes 11 and 16. Here’s the key : http://bit.ly/f3K1ac

    0xAAAA dongle key: 0×04, 0x4E, 0×61, 0x1B, 0xA6, 0xA6, 0xE3, 0x9A, 0×98, 0xCF, 0×35, 0×81, 0x2C, 0×80, 0×68, 0xC7, 0xFC, 0x5F, 0x7A, 0xE8

  • Posted by PS3Hax Member News , on 27/11/2010 , @ 12:32pm


    KaKaRoTo author of PL3 payloads and PSFreedom ports has been studying a way to capture all the Hypervisor calls, and now he has released his final working payload, so other PS3 Developers can make use of it to study more of the inner-workings of the PS3 system!

    As we reported earlier this week, KaKaRoTo, had successfully dumped LV1 Syscalls, by using an updated PL3 payload. Today, he has kept good on his promise, and has publically released his updated PL3 payload. The new payload can trace all syscalls and hypercalls. What this means to the average user, is an increased knowledge of how the PS3 system works.

    * Released the hypercall tracer payload! Also merged syscall tracer, and a payload that traces hypercalls+syscalls.

    * Adding a payload to trace all sc calls (syscalls and hypercalls). Use carefully, this generates race conditions easily!!

    * Add a payload to trace all read/writes to the vuart by showing the hypercall and the data buffers sent/received

    Authors Blog: http://kakaroto.homelinux.net/

    Authors Twitter: http://twitter.com/KaKaRoToKS

    KaKaRoTo’s PL3 GIT: https://github.com/kakaroto/PL3

  • Posted by Pirate , on 24/10/2010 , @ 10:16am


    Many of you who use KaKaRoTo PL3 payload may have come across an issue where your existing rips did not work. According to a tweet by KaKaRoTo, the issue lies in if you use the Hermes payload. He says that for some reason if you install a game VIA Hermes payload, it seems that the game becomes “locked” to his payload. The fix is to simply UN-install the game, and re-install it with the PL3 payload, and it will work with all other payloads without issues.

    iLLNESS confirmed to me that if you install a game with hermes payload, then it will only work with his payload. Seems the payload locks it.

    Uninstall games, then reinstall them when using PL3 then they will work with any payload. Don’t know what’s different though with hermes pay

  • Posted by GregoryRasputin , on 17/10/2010 , @ 08:22am


    Yesterday we posted about KaKaRoTo discussing the payload mess here, he has since made a new blog post, explaining why he doesn’t like Hermes payload.

    First things first, the title says “why I don’t like the hermes Payload” so this has nothing to do with Hermes himself. I don’t know him, I never spoke to him, so I don’t know what kind of person he is and so I have no opinion on him personally.

    Now, I want to make some things clear, I’ve seen a lot of people criticize me for ‘bashing Hermes’, and many people seem to think that I’m trying to say “I’m better than him” or something. Also, it looks like I created some confusion with my comments from my previous blog post. So I want to apologize and make sure there is no confusion anymore :

    When I said that the hermes payload is ‘dangerous’, people misunderstood me.. no it is not specifically dangerous for your PS3, it won’t brick it or anything, the only ‘danger’ there is, is that it could (in some situations) crash… then you’d need to reboot, that’s it.. so don’t freak out about his work being harmful or anything, because as far as I know, it’s not!

    Some people also told me “give credit where its due”, and I want to do it, I’ve always given credit to people, every time I achieved something, I gave credit to those who helped me achieve it. I’m not looking for fame here (if I did, I would have announced PL3′s release 3 weeks ago when I created it) I’m just having some fun in my free time doing something that I like. Hermes did contribute some nice things, and I appreciate what he did, mainly he figured out how to fix the controller issues with some games, that was something very difficult to fix and I’m surprised at how fast he came up with a solution and it was a smart solution and all I can say is “good job”. The other stuff he did in his payload, I don’t like that much, and that’s what I want to cover in this post..

    I may have been ‘harsh’, but I don’t see the point in trying to be diplomatic, I’m a programmer, not a politician. I don’t like his code, and I speak my mind, I’m being honest, and I’m not trying to criticize him without any reason, as far as I know, I’ve stayed respectful and that’s all that matters to me.

    To those who don’t want to know about all the technical details, let me ‘conclude’ here by saying that if the hermes payload works for you, then good, use it, I’m not telling people to stop using it, I’m not saying that PL3 works better either, maybe his payload works better in some situations, maybe not, but overall, the user’s choice should always be “whatever works for you”. The PL3 initiative is about having a standard repository for payloads, and having a common code base for everyone to work on, so in the future, PL3 might evolve faster and have more features, or maybe it won’t, the thing to note is that it’s better for payload developers to base their work off PL3. But again, this is meaningless for most users, apart from maybe clearing up the confusion about all these payloads and nobody knows which one to use.

    Also, I talked about PL3, which is a common repository for contributors to work on, people seem to have nicknamed it “kakaroto’s payload” or “kakaroto’s pl3″, but I never said it was my payload, PL3 is PL3, it’s not all my work, and if you look at the commit log, you will see that I’m not the only contributor to it. PL3 itself integrates patches and solutions provided by Hermes, Waninkoko and Mathieulh, I improved some of their patches to make sure it works better for non-3.41 firmwares, but it’s still credited to be their work. PL3 is not my payload, PL3 is a payload repository for everyone. Also, PL3 as a project is a repository containing multiple payloads (default one, development one, dump_lv2, dump_elfs, etc..).

    PL3 is not perfect, nothing in the world is perfect, so it might have bugs, it might not work for some people, who knows what might happen. But I never said that it was perfect, so people should stop thinking that I said that. It’s written more cleanly, it’s better in terms of the infrastructure behind it, but that’s the only thing I can vouch for.

    Also for those complaining about me adding a donate button to the blog post, I don’t see how that’s relevant, I’m not begging people for money (and I haven’t received any donations in the last ~3 weeks just so you know). If you don’t want to donate, then don’t, no reason to bitch about it. I’ve put the button there so that people who appreciate the work and want to donate something have a way of doing it. I asked for donations before because I needed to buy a PS3 for development, I already raised enough money to buy it, so I don’t need any more donations, so I’m not asking people for donation money anymore, as simple as that.

    Anyways, here are the more detailed/technical explanations on the reasons why I don’t like his payload :

    First, the code is not clean, it’s unmaintainable. The fact that he gives his source code in .rar files instead of a git fork is the biggest issue I have with it. And yes, that does not matter for users, it only matters for developers. The problem with his method of delivery is that you have no way of knowing what he based his code off, so it’s hard to figure out what he changed.. also, when you find out his base, and do a diff, you get a huge diff for everything he did, all in one shot, and then you have to reverse engineer it to understand what he patched. That’s complicated and annoying for developers! For those who follow my twitter, you can see how many commits I do, I always like having “small commits” because each commit becomes independent, self explanatory and easy to review. It also makes things easier to integrate, if you want a specific thing, you just merge/cherry-pick that single commit, instead of copy/pasting code, and editing it to remove the clutter. The other reason I like git is that if he used it and I merge a commit from him, then the code stays credited to his name in the commit log, it allows me to have his code without ‘taking ownership’ of his work, it allows everyone to be credited for what they did, and I think it’s the first thing to have for an open source and community project.

    The reason why I said his code could crash is because his payload got too big and couldn’t fit anymore in the allocated memory we have in the kernel (1296 bytes), so he decided to just move the code to a random position (0x7fff000 I think). This means that his payload will work as long as no application, game or kernel allocates memory which ‘randomly’ ends up in that area.. if it does, then the payload would get overwritten and the kernel will crash. The proper way of doing it (PL3 does that) is to allocate memory during the initialization of the payload, copy the functions we want in that memory that we own, and write those functions to be position independent so they would work no matter where they are placed in RAM.

    Another reason is the way his syscall8 works, I tried to read his assembly and reverse engineer it, and I seriously was lost and couldn’t understand what was happening.. there are no comments (you’ll notice that my payload has a comment on almost every instruction), so how can I integrate his syscall if i don’t even know what it does… if at least it was on git, I could see the commit messages and understand what each chunk of code did, but he doesn’t use git, so…

    The way he fixed the controller issue was also not very good, he patched two offsets to jump to a function that decides on some kind of enum on what response to return and you controlled that with his own system call 8.. why do something like that? it makes the fix dependent on people using this new syscall, and it’s useless when you can just patch it directly to return the right value.

    I also didn’t like the fact that his code became a mess that is 3.41 independent, and it would have taken a huge amount of work just to try to make it work again on 3.15. I already spent time cleaning up the payloads and making them work for older firmwares, so why fork and write code that doesn’t integrate that, it just makes collaboration harder.

    There’s also the whole syscall 35 versus 36 issue, but that has nothing to do with his payload since I added sc35 after he released his payload. It’s not about his payload being bad because it doesn’t support it, it’s simply about PL3 having a ‘superior’ (if I may say so) system call. What it means for users? nothing at the moment, maybe it will be used for doing fancier stuff later on, maybe you can map a game to your bluray and a different game to /app_home, that could be useful for users, but for now, it’s simply more flexible and cleaner code.

    There are many other small things that I didn’t like, but it mostly just summarizes to “the code is not clean and it’s unmaintainable” and “he doesn’t use git”. Like I said, if you don’t care about that, then I see no reason for you not to use his payload. It doesn’t mean either that he’s not skilled, it simply means that he may lack experience in code sharing and experience in open source. But that doesn’t make his work any less valuable.

    I hope this clears things up a bit. I criticized his work, said what I thought of it and people over reacted, I wanted to make sure people didn’t misunderstand me, and didn’t think I don’t respect Hermes for what he’s done already. Everything else is just drama and people trying to get attention.

    If this post stirs up even more trouble, then so be it, I don’t think I have much more to say. I said what I think, people should take it or leave it. I do not however tolerate people insulting me for no reason at all. So please, criticize me all you want, just stay respectful.

    Thank you,



    A word of warning, any stupid posts, flaming either KaKaRoTo or Hermes, will be deleted, if you don’t have the brains to understand either of their work, dont bother posting insults, both these guys have done amazing work in the scene, so show them some respect, it gets a tad boring looking at forums, reading posts from ignorant people flaiming one of the devs.

  • Posted by GregoryRasputin , on 16/10/2010 , @ 01:19pm


    KaKaRoTo the creator of PSFreedom has released some information, via his blog, on the differences between his work and others, here is what he said:

    Hi all,

    I see a lot of people asking me some questions and I notice a lot of ignorance in the net about the different payload and the latest PL3 payload. So I want to make things clear..
    First of all, people should stop talking/requesting/using the hermes v3 payload, I don’t like his work, and the payload is not good, it might crash the system in some cases, it’s not written properly, and hermes doesn’t even seem to understand how git works.
    Also, PL3 already includes (for some time now) all the good stuff from hermes, it already supports installing game updates, or running games without a disc, anything else that Hermes added is useless and dangerous.

    Some might have seen my tweets about my new payload being released, and many are asking me what is the difference between my payload and what is already available.
    PL3 doesn’t support syscall 36 anymore, for multiple reasons, first, it was bad code, it was mapping a path to a single hardcoded value (/dev_bdvd or /app_home or /dev_flash or whatever is hardcoded in the payload) which means that, since we (the PSGroove and PSFreedom developers) don’t want to support running backups, all the official payloads weren’t working with the backup manager without being patched first. The syscall 35 I added in my payload is more generic though, it is the proper way of doing things. You can map any path to another other new path, the prototype looks like this :

    syscall_35 (char *old_path, char *new_path);

    This means that the payload doesn’t need to have a hardcoded /dev_bdvd path in it, or have extra code for mapping /app_home to something else.. or having syscall 36 change both /dev_bdvd and /app_home breaking homebrew when using a discless mode with a backup manager. You also don’t need a special payload to run the ‘firmware usb loader’.. It all just works because the choice of the path mapping is given to the homebrew applications themselves. This means that the backup managers will just map /dev_bdvd to what they want and they will work by default on my payload, there will be no need for a patched version of the payload to make them work.
    This however means that the backup managers that depend on syscall 36 will stop working. For now Gaia Manager is the only backup manager available that is compatible with my payload. But I’m sure more will be ported to use syscall 35.
    People need to understand that this new syscall 35 has to become the new standard, this is what all the payloads should use, nothing else, and this is what everyone should start using, not the old, crappy, backup-manager specific, PSJailbreak written, syscall 36.

    We need to have some form of standardization for all these payloads, I’m tired of seeing about 100 different payloads floating on the internet, it doesn’t make sense. I always believed in a single payload that works for everyone, and that’s why I created PL3, that’s why it’s a project independent of PSFreedom (and PSGroove has been ported to it) and that’s where all the efforts should go. Also, by using PL3, you automatically gain support, and all the same features, for whatever previous firmwares PL3 already supports (3.01, 3.10, 3.15 and 3.41).

    I have just recently seen this new payload that everyone is so happy about that includes “all the good things from 3 worlds”, the one created by Rancid, which includes the stuff from hermes, waninkoko and Mathieulh… and I was shocked to see how much people were happy about this.. people don’t really seem to understand that this wasn’t necessary at all? PL3 has had all those patches for a while now, so why did Rancid even bother making this payload that includes the patches from hermes, waninkoko and Mathieulh? Why would you spend your time doing something that already is available!

    This blog post is meant to stop all this ignorance and let people know that they don’t need to look for a special payload, just use PL3 and you’ll get everything you need. It is also meant to explain to everyone what is different about my payload.

    On a side, I have received a P3Hub device, kindly donated to me by the people from r4king.com, and I have now tried PSGroove for the first time! I’ve also created a fork of jevinskie’s port of PSGroove which is now improved and updated to support the latest PL3 version. This means that the PL3 payload is available for everyone, those using PSFreedom as well as those using PSGroove, so there is no excuse now on not using it or relying on badly written payloads developed by people who barely know how to code (yes, using winrar instead of git is a good indication of that).

    I forgot to rant about peek&poke!!! So let’s do it now… well, the default payload in PL3 has peek and poke disabled, and for a simple reason : Nobody needs them! and more importantly they are misued! I’ve look at the code of the different backup managers, and it looks like all of them use poke to patch the memory to ‘fix something’ because they think that it’s their job to do it.. no it’s not! If you have a working patch, then submit it to PL3 and if people complain, tell them “use the proper payload”, don’t try to take advantage of peek&poke to go and modify the kernel’s instructions! The reason is simple.. you are a homebrew app that does X, then do X, leave the kernel patching to the payloads! Just as PL3 doesn’t map /dev_bdvd to /dev_usb000/I.Like.This.Game/ and locks it out! Also, I’m on firmware 3.15, so when you decide to poke and patch the kernel with a hardcoded offset, you’re just screwing up my kernel because the offset is firmware dependent! it’s not the same depending on the firmware you use, and I don’t want you playing with it. So.. peek&poke are really not useful to anybody, they are not even available on a normal linux pc, so why would you want them in your default payload, right?! The only people who should use a payload with those syscalls enabled are real developers, people who want to analyze and patch the kernel on the fly while they are doing some development of, maybe, a kernel driver! That’s it. Anyways, that’s enough ranting from me for today!

    In my branch of PSGroove, I wrote a script that build the .hex file for every supported device (from the README) for every supported firmware. You can find all the hex files here : PSGroove+PL3 hex files

    Thanks to evilsperm, I’ve updated the archive with hex files for these devices : Blackcat, Xplain, Olimex, UsbTinyMkII, Bentio and OpenKubus.
    Update 2:
    Some people reported crashes with my payload when running backups with installed updates. I figured out the cause and fixed it now in git. The hex files above have also been updated

    Thanks for reading.


  • Posted by Pirate , on 15/10/2010 , @ 03:50pm


    Plenty of new updates in the scene today to keep you busy through the weekend. KaKaRoTo has released an update to his own PSgroove today via github.

    Get my fork of PSGroove at Kakaroto’s PSGroove at master - GitHub then run ./build_hex.sh and you’ll get http://bit.ly/dvTLO7 … easier, no?

    [psgroove] Commit e01abd0da63e45c3a1ee43fab2dc445bb8175551 to kakaroto’s psgroove - GitHub
    Youness Alaoui - Flash the device’s LED during the exploit process less than a minute ago via GitHub Service Hooks

    @r3pek It’s already there.. PL3 got all the patches included, install retail .pkg, and install game updates..

    @GavDavies2010 Well, it uses PL3.. so it has all the latest patches, it’s a bit like jevinskie’s fork but using the latest git of PL3.

    [Download HEX for various USB boards]
    [VIA Twitter]

  • Posted by Pirate , on 02/10/2010 , @ 11:08pm


    Jevin has managed to port Kakaroto’s PL3 to PSGroove.

    So what exactly is PL3?

    To quote from kakaroto’s blog:

    PL3 is a new project I started in order to have a common repository of payloads that can be used by any ‘jailbreak’  implementation. I got tired of copying payloads from PSGroove, and I had some nice changes in mine that I thought the PSGroove project could benefit from, so I thought I’d create a single repository that both projects, PSFreedom and PSGroove (or any other similar projects) could use.

    You can find it in github, so don’t hesitate to submodule it and use it.

    In other words, PSJailbreak is a method to jailbreak the PS3 with a Linux based phone. jevin has ported the PSFreedom payloads to be compatible with the PSGroove jailbreak.

    You can read up more about the projects GitHub page HERE.

    If someone ones to make a easy to follow tutorial, post it in the replies and I will mirror it up here.

  • Posted by GregoryRasputin , on 01/10/2010 , @ 06:59am


    We posted a here a couple of days ago that KaKaRoTo was working on porting PSFreedom to Firmware 3.01, well he has succeeded, this is what he states via his blog:


    I’ve got some great news for those of you who have not updated your PS3 firmware! I have just succeeded in adding Firmware 3.01 support into PSFreedom. I’ve pushed the latest code to github and you can now download the source and compile PSFreedom for 3.01.
    For now, you will need to edit config.h and change the FIRMWARE_3_41 into FIRMWARE_3_01, then recompile. However, I will soon add support for dynamically choosing the target firmware version by simply doing a :
    echo 3.01 > /proc/psfreedom/fw_version

    I will soon add support for firmware 3.10 and 3.15, so be patient, and you will be rewarded. I would like to thank Klutsh as well as Philippe Hub who helped me achieve this port to 3.01.
    The new payload changes are available in the PL3 github and any project/port that is also using PL3 should automatically gain support for the 3.01 firmware.
    You will also be able to enjoy some new ‘tools’ in PL3 that will allow you to dump the LV2 kernel as well as the decrypted ELF files of the XMB and other configuration files it uses. The ethernet dumping is also now compatible with PS3 Slim models.

    I would like to thank, again, those who have donated. For the others, you can still donate, if you appreciate the work I’ve done.


    via PSX Scene
    Thanks for the tip hailfire101