Reading the chat logs yesterday, I noticed someone working his ass off to incorporate the PL3 payload into the 3.55 firmware (CFW), which in the end means permanently patching it into lv2. I don't know exactly how the PS3 security system works, but it is music to my ears, especially the thought of a backup manager running on 3.55.
The question is: why PL3? Unlike Hermes, KaKaRoTo does a great job of making his payload open to all by putting his work on the social coding platform GitHub. We had an argument long ago about Hermes' reluctance to share the source code for his payload.
Flukes1 has quite a reputation in the iPhone jailbreaking scene, his name being attached to an iPhone app, Wi-Fi Sync, whose sales reached 20,000 worldwide on Cydia. Impressive, really. Well, it's not about numbers now but about how his ability can be put to the test on the PS3 console. Let's just hope he brings his PL3 work to an excellent finish so I can taste backing up my PS3 games on a 3.55 console.
anyone know where the syscall table is in 3.55 lv2?
again, anyone got the TOC location in lv2_kernel.elf yet?
I'm trying to find the TOC in lv2_kernel.elf
found the syscall table
but can't find the TOC
I'm working on incorporating the jailbreak payload into the lv2_kernel SELF and other files
flukes1: did you find what was changed in 3.42 etc. to remove the jailbreak?
they just fixed the usb bug
flukes1: can you not just put the USB bug back in there?
well yes but that’s stupid
you'd need a USB device as before
this way is better – the jailbreak is directly incorporated into the firmware update
flukes1: but isn't it risky 'cause you're messing with the lv2 kernel?
flukes1, did you test if the makeself'ed lv2_kernel works? lol
Nicksasa: no, it's not done yet
sorrowuk: somewhat risky, yes, but it has to be done
well if you’re doing the same patches as a payload … but there’s always a chance that something fails
all of the changes I'm making have been done on many other lv2 kernels
this will take me a while
I'm about 50% done
homebrew can be signed extremely easily now though
I'm nearly done
I’ll watch as you brick your PS3 flukes1
FoG: not likely
I'm basically taking the payload which we know works
and permanently patching it into lv2
flukes1: but are you doing it for 3.55?
nobody can run this until we have confirmation that lv2 signing works
decibell: I am stuck on the last patch
that dcc exploits a ‘protection’ feature in some routers
Netgear, I think
sven: you may not know this, but would the TOC be missing from an ELF?
I'm not sure, but it's something to do with the syscall table
is anyone able to extract lv2_kernel.self from firmware 3.40 and upload it somewhere?
it doesn't just execute the SELF
it will keep booting from it
I've already ported everything
each patch can be disabled/enabled
I now have everything I need to compile the PL3 payload for 3.55
next step is to add the payload as a section on lv2_kernel and write a jump into it somewhere
so still some stuff to do
I've had 5 or 6 people offer to test it though
and I won't release it to them until I'm pretty sure about it
flukes1: wouldn’t it be easier to just add peek/poke to the kernel, and let an app do the rest of the job?
vidarino: technically it's probably better to use a previously tested payload
without making changes to it
flukes1: the peek'n'poke code alone is tiny enough to be hexedited into place. :]
vidarino: I know, but I wanted to make something more complete
it’s possible, so why not
hmm, just one hash left to find, but it’s not showing itself
I may have a problem though, the PL3 payload uses hashes of 4 different ELF/PRX files
to patch them
hey math, do you know anything about how PL3 does its ELF hashing?