KaKaRoTo Kind of ´Jailbreak´

From PS3 Developer wiki
Jump to: navigation, search

How it all started

  Updated my ps3 to 3.73... oh and THEN I jailbroke it! (kind of) :D
  1 - I won't share it until it's ready to use (still a bit complicated + some missing components), 2 - don't update if you're on 3.55.
  The "kind of" meant I need to fix NPDRM algo for it to run. And no, this will not allow backup managers. And no, it's not a CFW


First Read

You might want to read this first: Clarifications about 3.73 “jailbreak”

In short: It means one wall taken, 2 others still intact:

  1) getting in   2) getting access/to run   3) takeover/modify systemfiles

What we call 'jailbreaking is actually more like breaking inside jail to revolt.


Q: Will I need special hardware (e.g. flasher, dongle, modchip etc.)?
A: No.

Q: Will homebrew work?
A: With NPDRM fixed, yes. Showtime would certainly be possible.

Q: Will recent games play correct?
A: Yes, its 4.x, sure it plays all 1.00 - 4.x games.

Q: Will PSN work?
A: Yes, its 4.x, sure goes online without problems.

Q: Does it have Peek & Poke?
A: No. Peek & Poke require modifying lv1 and lv2.

Q: Do Backup manangers (e.g. MultiMAN, Rogero etc.) work?
A: No, see previously answer about Peek & Poke.

Q: Will my old homebrew still work?
A: No. All homebrew need the fixed NPDRM. Homebrew that relies on specific other patched functions/syscalls (e.g. Peek&Poke, BDemu etc.) will not work either, see previously answer about Peek & Poke.

Q: Does it gets us keys?
A: No.

Q: Does it gets us "CFW"/MFW?
A: No.

Q: Does OtherOS++ (Linux/FreeBSD) work?
A: No. Sony removed OtherOS feature after 3.15 and OtherOS++ relies on modifying the firmware. See previous "CFW"/MFW question.

Q: Will it allow downgrade?
A: No.

Q: Does it work on all PS3 models?
A: Yes. all current models.

Q: Are there brick risks?
A: No (standard disclaimer: It will be tested rigorously before release as you can expect from anything that KaKaRoTo has put his name on).

Q: Will this only work on 4.x?
A: No. It was pretested on 3.60 and again confirmed on 3.73 before any public Tweet about it.

Q: What if Sony releases 4.x+ before release?
A: In that case it will be pretested on that version.

Q: So why are all the newssites hyping this that it does give CFW?
A: Because they don't read wiki's/blog's xD Besides, every minor news gets 'prolly CFW soon!' tagged by the bad ones.

Q: Is there a release date?
A: No, besides KaKaRoTo not able to work on it for 2 weeks, it also relies on (other people) fixing NPDRM.

Current Status

I'm sick and tired of people asking me every day "please update the status" or "why didn't you update it in the last 2 hours" or "is the status correct ?" or "what does the letter I mean?" or "Why is that task still at 0%" or "why didn't that task change today?", etc...

I thought I'd give you a status page so you can follow SILENTLY the progress, but all it did was flood me even more with people asking me questions all the time about it, so I'm taking it down, you don't deserve to know wtf is happening or where we are in fixing all the issues (not 'you' specifically, but all those who can't keep their mouth shut and need to fucking annoy me every hour). Sorry for the collateral damage.

The current status is : IT"S BEING WORKED ON!!!! It will be release when it is ready, and asking me all the time about it IS NOT HELPING. I never answered anyone asking me about the status or when it will be released or all of that, so don't try the "maybe he'll answer me", no I won't, I just might block you instead.

-- KaKaRoTo

Intermezzo Update

Hello all,

I decided to post here because I needed a poll and I would like to have everyone's opinion.

As you all know, I have had a 'half jailbreak' ready for a few months now, I can install what I want on the ps3, even with the latest firmware version, but I cannot run the apps (unless they are real demos of course)... I started working on a way to find a new exploit in order to run the apps on 4.x but in the past 2 months, I've been very busy with work and with life and I haven't had any time to look into the ps3 hacking at all.

So now, I have a dilemna: I have this tool/code that can be useful to some people, but if I release it, sony might block it in their next version so the jailbreak will not work anymore., On the other hand, I'm not working on it anymore, and I don't want all those months of work to be wasted... And finally, there are some other talented devs that are working on trying to get code execution working... so what to do ? release my stuff as is and that's the end of it ? wait until I have more free time to finish it or until someone finds a way to make it into a full jailbreak ? wait for a few more months until a 'timeout' then release it as is no matter what happens ?

I'd like to point out that if I release it now, the most probable result is that: no one will use it, most will consider this completely useless, and sony will prevent it from being used on future firmwares. But at least, people will stop annoying me on twitter asking for a release (I wish! I bet that won't stop them!), and I'll stop being treated as a 'fake' (even though I don't care about that). Mostly I want to fulfill my promise of "I will release it" even though I wouldn't be fulfilling the "when it's ready" promise. So.. what do you think ?

p.s: Note that the poll is just to better understand what the community wants, the results of the poll will not necessarily dictate what I will do, so even if 100% say release it now, it doesn't mean that I will release it now, I will simply take that into consideration before making a decision. p.p.s: Other than voting in the poll, of course, you can also give your opinion as a comment to this thread.

Thanks, KaKaRoTo

Source: http://www.ps3hax.net/showthread.php?t=35721
Poll: http://www.ps3hax.net/poll.php?do=showresults&pollid=305


wow, thanks everyone who replied, I was busy today again then saw the 16 pages of comments, I do not yet have time to ever read through them, but I promise I will read everyone's comments (but I probably can't reply to everyone). I have read however the first 3 pages, and, along with the poll results, I get the general feeling that people do not want it to be released until it's finished. I saw a lot of "release it privately to trusted devs", my answer to you is : Yes, it is already in the hands of a few devs that I trust and while I have been busy for the past 2 months, they have continued their work on getting code execution working (and they made incredible advances since I left). I am hoping to see them unlocking the missing piece in the coming months, and hopefully by then, I'll be free again to help them and continue working with them!

I am still undecided but I'm very happy to see that many people are patient and believe in the "don't release until it's done", and I didn't see people whining about it taking so long (well I didn't read all the comments yet ) and i believe that my choice now is torn between "release when it's done" and "release in a few months if no new exploit is found", but I will not make any decisions for now, I will give it time and we'll see how it goes.

Thanks again for sharing your opinion with me. I hope that everyone will be happy and nobody gets disappointed when it's released (hopefully with code execution)

3.60 keys Update

Q: recently 3.60 keys surfaced (lv1ldr, lv2ldr, isoldr, appldr), what does this mean for this release and the future?
A: That is actually a multiparted answer:

Q: So does this mean a future release would be sooner?
A: Only God knows ;) But it can also be that because of the above, it would become meaningless/surpassed by better progress. So lets all hope for the best :)

lv0 key Update

Since the LV0 keys have now been leaked, I believe I can now share this info with you, to help out those who are trying to build their own 4.x CFW :

The NPDRM ECDSA signature in the SELF footer is checked by lv2. It first asks appldr to tell it whether or not the signature is to be checked, and appldr will only set the flag if the SELF is a NPDRM with key revision from 3.56+ (the ones without private keys). This means that the SELF files signed with the new 3.56+ keys still don't have their ecdsa checked (probably to speed up file loading). If appldr says the ecdsa signature must be checked, then lv2 will verify it itself, and return an error if it's not correct.

There are many ways to patch this check out.

  1. Patch out the check for the key revision in appldr
  2. Patch out the "set flag to 1" in appldr if the key revision is < 0xB
  3. Patch out the code in lv2 that stores the result from appldr
  4. Patch out the actual sigcheck function from lv2.
  5. Ignore the result of the ecdsa from lv2.

Here is one of the patches (the 4th one, patching out the check function from lv2) :
In memory 0x800000000005A2A8, which corresponds to offset 0x6a2a8 in lv2_kernel.elf, replace :

 e9 22 99 90 7c 08 02 a6

With :

 38 60 00 00 4e 80 00 20

This is for the 4.21 kernel (that was the latest one when I investigated this), I will leave it as an exercise to the reader to find the right offsets for the 4.25 and upcoming 4.30 kernel files. And here's another bit of info... in 4.21 lv2, at memory address 0x800000000005AA98 (you figure out the file offset yourself), that's where lv2 loads the 'check_signature_flag' result from appldr, so if you prefer implementing method 3 above, just replace the 'ld %r0, flag_result_from_appldr' by 'ld %r0, 0' and you got another method of patching it out. Either solutions should work just the same though. Enjoy homebrew back on 4.x CFW....

p.s: Thanks to flatz and glu0n who helped reversing this bit of info.


MFW Builder related patches


The Road beyond...

(or what can you and others do to expand the useability of it)

What is missing Prerelease (state at first public mention)?

  • Fixing NPDRM
    • Make PKG's install and run the SELFs.

What is missing after release?

  • Peek & Poke
    • lv1/lv2 dumping/patching
    • Payloader3
    • Backup Managers
  • Downgrade (already possible with Hardware flashing.
  • 3.56+ keys / lv0 decrypted dump
    • Modifying firmware files
      • OtherOS++

What is forever missing?

  • 3.56 and higher private keys

Final Release

source: http://kakaroto.homelinux.net/2014/12/ps3xport-released/

Ps3xport released! On December 23, 2014, in Development, PS3, by kakaroto

Hello everyone!

It’s been quite a long time and I’m very happy about that :p Let’s do the boring part first! This is my final release for the scene, I am not “coming back” or anything like that, so don’t get your hopes up, but I needed to release this so I’d be officially done. I have never actually announced that I’m leaving the scene but everyone figured it out. It wasn’t originally done intentionally actually, but life caught up with me, work, family, lack of time, etc.. so I had little time to work on the ps3. Also, my motivation was mostly gone due to not finding anything interesting anymore, a lot of drama and I’m not a huge fan of all the attention this all brings. I got into the scene because I was curious and I wanted to learn, and I have to say I’ve learned a lot of things these past years and it was an incredible journey, but as I had lack of time and started breathing, I realized that I’ve had enough of it so I left and I am very happy with that decision because you have absolutely no idea how much of a time drain and headache this was :p Anyways, there was one thing I did just before I left, but I never got to release it, but today is your lucky day as it’s release O’clock where I am!. This release is a way to say Merry Christmas, Happy Holidays, etc.. to everyone, and a way for me to also say “I’m done for good, I don’t have anything left for you in a drawer somewhere” :). I’ve wanted to release this for a while now, and I even made a poll on ps3hax back in March 2012 asking people if I should (looks like ps3hax is down right now so here’s the google cache version) and the general response was not to release it until it can be useful (when an npdrm workaround is found) with some people saying to release if nothing new happens in the scene.. and I think I’ve waited long enough now to know nothing new on that front will happen.

So.. since I’ve announced the release, I’ve seen a lot of speculation about what it is and what it could be.. a lot of people seem to think (or mostly, want/hope for) a downgrade method, unfortunately that’s not the case. I’ve seen some ridiculous suggestions too, like someone asking if it’s a way to run PS4 and Xbox One games on PS3.. I’m sorry to say, that’s not it either :p As I’ve said in a tweet shortly after, this is nothing groundbreaking, this is code that hasn’t been touched in 3 years, so it’s already 3 years old, but I think it’s still something that can be very useful to the community.

So here it is, I’m introducing to you : PS3xport! I’ve uploaded it to my github account here : https://github.com/kakaroto/ps3xport

What does it do? Well, it’s basically a tool for manipulating the PS3 backup data. When I say “PS3 backup”, I’m not talking about a “backup” of a game, no.. I’m talking about the full PS3 hard drive backup that you can do by going to “System Settings->Backup Utility” on your XMB. That creates an encrypted directory on your FAT32 hard drive which allows you to format your PS3 and then Restore it just like it was before. I’ve reverse engineered the file format and encryption and PS3xport allows you to create new backup data from scratch, or dump existing ones, or delete specific files from a backup or do a whole lot of other things to your backup folders. This gives you total control over your /dev_hdd0 and /dev_flash2 filesystems, which will let you install homebrew on any console, even if it’s the latest OFW version. Unfortunately, just like it was 3 years ago, you wouldn’t be able to run those homebrew apps you install due to the NPDRM ECDSA signature missing. If you have your IDPS though for example, it could let you restore a backup from one PS3 to another PS3 without losing any of your data in the transfer.

So.. what’s this about “your IDPS”? yes, the backup has two sets of files, some can be decrypted right away and some can’t because they are encrypted with your IDPS (your unique ps3 device id) which is why they can’t be restored on a different ps3. If you have a CFW, you can easily get your IDPS (I’ve written a small tool to do that, released on github, but apparently MM and Webman will also give you that information) and that will give you total control over your backup data as you would be able to decrypt and reencrypt it. If you have OFW and can’t get your IDPS, then you will not be able to dump/decode all the files from your backup, but you will still be able to create a backup that can be restored on your PS3 with no limitations (this means for example that you can restore a backup from a CFW into an OFW without any issues). I was told however that someone can get IDPS from OFW consoles and in light of this release, they might release their method soon, I can’t say more than that though, but be patient and good things come to those who wait :)

So my release is in two parts. First, the documentation of the file format was added to Archive.dat so any developer can understand how the backup archive files are created and can create their own tools. Reverse engineering that format took months of work and I won’t go into too much details about what had to be done to figure out the format but it was an incredibly long and difficult task to do that I had a lot of fun in doing. The second part of the release is of course the release of the ps3xport tool. The tool is quite powerful and you can do a lot of things with it, but it’s a command line only tool and I honestly just tested it on Linux, it’s not really my job at this point to make a windows build, or make a GUI around it, etc.. but I’m sure it won’t be long before others in the scene pick it up and make a nice GUI for it and release windows binaries. I’ve written a nice README file so everyone can understand how the tool works and what it can do. I remember though that 3 years ago just before I stopped working on it, I wanted to add a “AddPKG” command to it which would just ‘install’ a pkg into the backup data automatically, unfortunately, I never got to do it, but it should be easy to do. While I’m at it, I’m also releasing a pkg extraction tool which I found in an old directory (cool thing is the -p option in it, try it…) as well which is a PKG extraction tool that uses the PagedFile mechanism (see below) to allow for very fast pkg file access with very little memory usage even for huge pkg files, any dev can probably mix those two together to add the AddPKG feature to ps3xport.

On the software front, ps3xport.c will parse the commands then use the archive_* API which is in archive.c. That will contain all the functions needed to manipulate the archive files. It uses a ChainedList which is my rudimentary implementation of a GList-like ordered list and the archive API also uses PagedFile objects which are pretty cool. PagedFiles are a wrapper around a file which allows you to read/write to a file using pages (I set it to 64KB per page I think) so it limits the hard drive access. The cool thing about it is that it has encryption and hashing built in, so you can just set the encryption key or ask for the file to be hashed, and whenever you read/write, the encryption will be done transparently, and the coolest thing about it is that you can actually seek in the encrypted file and it will still work (it recalculates the required IV whenever you seek). The encryption there works on the stream, so you don’t need to write blocks of 16 bytes every time (thanks to the paging of the data) and it has a cool ‘splice’ method which allows you to copy data from one PagedFile to another easily, so you could in theory re-encrypt a file using a different key using 5 function calls (open *2, set_key*2, splice).

That’s about it.

I’m really happy about this release, and I want to say Merry Christmas/Happy New Year to everyone, and of course..

So long, and thanks for all the fish!