Viktigt meddelande

**Hansi** · 2010-11-18, 18:17

**caballerial** · 2010-11-18, 22:53

Bra jobbat, du har precis gjort så att man aldrig kommer kunna handla hos nån av era konkurrenter (hur fan stavas det?) =)

**madshaun1984** · 2010-11-19, 00:01

can you dump it again (or a few times more?) so we can compare, please.

**Swizzy** · 2010-11-19, 09:34

Original inlägg av madshaun1984 Visa Inlägg

can you dump it again (or a few times more?) so we can compare, please.

That particular dongel is now dead...

**Pendragon** · 2010-11-19, 10:24

One time shot only, sorry folks... Thats why we got hold of a Beagle USB sniffer that was quite expensive *lol*
Oh yes, we ordered the expensive one just for this....

Remember ( Sharing is Caring! )
Downgrade should be free for all just like the JigKick/Pandora memory on PSP!

**mog** · 2010-11-19, 11:49

This is wonderful news, Hansi and his PSXCare crew makes me proud to be a Swede...well, not that we Swede's need any reason to be proud.

**Hansi** · 2010-11-19, 12:04

Original inlägg av madshaun1984 Visa Inlägg

can you dump it again (or a few times more?) so we can compare, please.

If needed, yes, i can aquire some more psdowngrade license keys. But what needs to be done now is that I have to bring my private 60GB fat ps3 to the office. That particular PS3 is still on version 3.15. A "fat" ps3 on version 3.15 can be "glitched" and used to dump the hypervisor memory after doing a particular system call that will leave the much needed dongle key in hypervisor memory. That key is what is needed to code the correct challenge-response protocol that is used between the ps3 and the dongle to activate service mode.

**Pendragon** · 2010-11-19, 14:02

Actually we should try to dump the data when the JB key is upgraded to a Downgrade key too

After that it seams somewhat complicated

Then when downgrading again of cause

Hansi: I have a 60Gb model that runs 2.60 an another still running 3.15 with Linux installed just in case..
As long as we dont fuck them up and just dump firmware im game too.
2.60 should even be able to tell us something if they changed the Jigmode to another key value before booting in Facctory/Service/Repair mode.

The 2.60 unit i have and the 3.15 are brand new ( got them exchanged from Sony and i havent used them since i got them *apart from booting and testing so they worked*
Some crazy friend of mine offered me 8000 Sek for one of them long before JB was born just so he could have a "perhaps hackable" unit when a solution comes... i refused and he upped the price but i declined again

Im just like you, sentimental and caring *lol* if my Slim 3.41 or my other Fat 3.15 dies i could exchange them... That was my reason for saving those.

**cloned67** · 2010-11-19, 14:13

Hi,

it looks like way too easy to have a psdowngrade for free , anyway,
here's my findings ..

the PSDown looks like it just use directly the fake JIG in order to achieve the goal,
then instead of the device with IDs AAAA C0DE after JIG TASK
a device ID AAAA A2F1 is used

the main difference anyway is the JIG Payload response

PSJB ---------------
//JIG RESPONSE
80 00 00 00 00 3D EE 78 //SHELLCODE_PTR
80 00 00 00 00 3D EE 88 //SHELLCODE_ADDRESS
80 00 00 00 00 33 E7 20 //RTOC_TABLE (v 3.41)
//SHELCODE PAYLOAD
E8 83 FF F0 E8 63 FF F8
E8 A3 00 18 38 63 10 00
7C 04 28 00 40 82 FF F4
38 C3 F0 20 7C C9 03 A6
4E 80 04 20 04 00 00 00
------------------------

PSDOWN ---------------
//JIG RESPONSE
00 00 FF 00 2E 02 02 AA // ??
AA 74 1D 18 EB 2D 39 7B // ??
F5 22 5C 93 B2 1F 72 F7 // ??
//SHELCODE PAYLOAD?
1B 45 23 72 01 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
-----------------------

would be interesting to have more dumps to compare against

**Hansi** · 2010-11-20, 15:54

Ok, I have ordered the hardware needed to glitch the PS3 and use xorlosers files and instructions for dumping the hypervisor. So far I think i have digested all information needed to successfully dump the hypervisor to a file using xorlosers tools.

I have not yet understood exactly how to actually execute the call to 0x24001 - Generate Challenge. Can it be done using xorlosers tools or is it something i have to code and compile in C?

(Its been more than 10 years ago i last did any coding in C, and I have never bothered to look this close at PS3 hacking before...so any hints would be appreciated)

So:

Step 1: Build and install hardware to glitch the memory bus = no problem
Step 2: Install and run Linux on the PS3 = no problem
Step 3: Execute the call to 0x24001 to generate challenge = Clueless!
Step 4: Run dumphv (Dumps the hypervisor to a file in the current directory) or ps3peek 0 -s 0×1000000 -d 8 -b > hvdump.bin (does the same thing?)
Step 5: Upload the file for the real hackers here to play with

**Hansi** · 2010-11-22, 13:29

http://psx-scene.com/forums/597656-post103.html

zAxis:

@ Hansi
do you have teensy 2.0?
if you do then could you do the following:
1- run this hex (as if you were running the jp: power cycle, start then eject)
2- reboot ps3 into linux (NO power cycling!! just do it through GameOS)
3- dumb the HV and post it here (or pm where it is)

if you dont have teensy then what board do you have at hand? (must atmel) I will make the hex

oh, and could you please sniff the usb? it ill help with debugging. ty

@ other ppl
I am just trying something, there is very good chance it wont work, so no flaming please

EDIT: please get psgroove2.zip it has a fix

As soon as I have received my sx28 controller to glitch (using xorlosers files) I will try this. Unless someone else beats me to it :-) It is on its way UPS express so it should arrive tomorrow.

psgroove2.zip

**skystar** · 2010-11-22, 16:22

"Downgrade should be free for all just like the JigKick/Pandora memory on PSP!" why do you make money on free stuff then?=)

**Hansi** · 2010-11-22, 16:42

Original inlägg av skystar Visa Inlägg

"Downgrade should be free for all just like the JigKick/Pandora memory on PSP!" why do you make money on free stuff then?=)

The word "free" can be used in different contexts. Free as in Freedom as in available to everyone. Or Free as in you dont have to pay to receive/use it.

We, as in "psxcare", run a business. We have hired staff that get paid every month. We have expensive web servers running in hired server rack space in secure (expensive!) data centers. We have a physical shop location where our staff work and where customers can come in to buy stuff and/or get stuff repaired/modified.

Just as you cant expect to bring your car with a new clutch in a box to your local mechanic and expect to have it installed for free, you cant expect us to install "free" stuff in our customers computers or game consoles without charging them a fee to cover our expenses and make a profit so we can pay ourself som salary so we can pay our rent and put food on the table for our kids...

**Hansi** · 2010-11-22, 22:41

We would like to thank the PSJAILBREAK team for their policy change regarding psdowngrade!

They promise to release it as a FREE tool for all psjailbreak owners. And it will be for unlimited use. Great news for us distributors/resellers that will actually be able to sell some of our stock now that psjailbreak actually does something that is still not available with any of the clones.

Viktigt meddelande

PSDowngrade / Ps3 jig USB traffic protocol scan

PSDowngrade / Ps3 jig USB traffic protocol scan

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment