talk of a new 3.56 cfw out?

jock

3.56 MA-1
---------------------
This firmware is the first version of the 3.56 custom firmware. This custom (in its most basic form) was ready for about 7 or 8 months, but it was not until now that I decided to publish it.
It has nothing to do with the recently published metldr exploit. Despite the imminent appearance of newer firmwares, whoever wants to try it, here it is.
First of all, thanks:
- To Graf_Chokolo, for his great work.
- To Demonhades, for his testing and his great strength.
- To JaiCrab, for your help.
- To Lara, for making me laugh one day.
- To the people who have tested this 3.56 MA-1, thank you very much.
- To all those who donated for a flasher; without them a firmware this advanced would not exist as such.
- To chickenpox, for his selfless help.
- TO BE - A MEM, and do not forget, I do not forgive.
- To all those I forget by mistake, I apologize.

As a first version, it only includes the most basic functions of a custom firmware, which I'll now explain.
I will also explain the changes Sony made in 3.56, which, despite its release notes arguing it was a simple security patch, was not just a patch.
- FUNCTIONS
* Support for lv2 PEEK/POKE, using the usual SYSCALLs 6 and 7 for compatibility with existing homebrew.
* Support for native lv1 PEEK/POKE using SYSCALLs 10 and 11 respectively. These are used the same way as the lv2 SYSCALLs; devs just have to use them as they would the lv2 ones, but they affect lv1.
* Native loading of unsigned applications in FSELF format. That is, a normal or npdrm application in valid FSELF format works directly. (The in-memory copy of lv2 is not touched.)
* Loading of logically signed applications, with both official and unofficial valid signatures.
* Support for applications up to version 3.56.
* Use of all system SYSCALLs, provided they do not later verify product mode, QA, etc.
* No need to modify PARAM.SFO in the hypothetical case of using an application that requests a version higher than 3.56, whether an npdrm application, a normal application, or an application run from bdemu.
* Installation of Retail and Debug PKGs from the Install PKG option.
* Hacked QA settings in the XMB system settings. You can now open the options using the normal combo without the QA flag being active or a valid token existing on your machine. Any changed options are kept in the system registry settings.
This QA hack makes any SPRX that asks the XMB to check this information receive the hacked information, for example nas_plugin.sprx, which in the case of a DEX would allow installing Retail PKGs without any patch.
As always, be careful what you do with those options; this is the safest way to have QA without being QA, without having to modify the EEPROM or recalculate any tokens of any kind.
Here I have to thank Sony for making the security of their token rest on just one byte and not on what it should be.
- LV2
* FIX: Patch to allow loading of applications (avoids error 0x80010009)
* FIX: Patch to avoid checking the firmware version of the application against the firmware version stored in lv2 memory (avoids error 0x80010019)
* FIX: Patch to avoid error 0x8001003C (allows loading applications that internally request more than the current version)
* FIX: Patch to avoid error 0x8001003D
* FIX: Patch to avoid error 0x8001003E (using the hdd patch with a disc inserted)
* FIX: Enables the use of all SYSCALLs, avoiding the generic error 0x80010003.
- CHANGES IN LV2 3.56:
* FIX: Patched a new security check that prevents, unless in updater mode, launching an application with an unsigned key of at least 0xD (3.56); avoids error 0x80010009. NOTE: See the NOTE AT THE END OF THIS README.
* FIX: A different method is used to integrate the new SYSCALLs 6, 7, 10 and 11 into lv2.
- LV1
* Added native PEEK/POKE support in lv1. The method used to integrate these new hypercalls does not reuse an existing hypercall; rather, any hypercall not used by the system becomes a peek or a poke depending on the case.
To interact with the PEEK/POKE from lv2, use SYSCALLs 10 and 11 respectively.
* Changes in the mmap hypercall (114). In 3.56 Sony made significant changes to this hypercall to prevent the use it was being given for mapping lv1 into lv2.
Now this hypercall checks that the key argument has not been modified, the mapping ranges are checked (anyone who understands this will realize how dangerous it is to map the critical stuff, and I am not talking about lv1), and the hypercall code is split into pieces across subfunctions to hinder analysis.
In this version of 3.56 MA this hypercall has not been touched, but with PEEK/POKE support in lv1, mapping is no longer necessary.
A later version may well remove these checks from the hypercall; it is really not complicated, it just was not necessary for this version.
* Changes in the unmap hypercall (115), similar to mmap; its code is shared among subfunctions.
* FIX: Added some patches to avoid lv1/lv0 integrity checks.
* FIX: Added patches in the SPM and the DM to enable the use of any service. The patch is different from, and smaller than, the existing SS patch (which is no longer compatible with 3.56); in my tests my patch does not cause any kind of problem with trophies, saved games, etc.
* TODO: Remove the problem of not being able to downgrade to a version lower than 3.56. Currently, once on 3.56, downgrading is not possible.
- LV0 APPLDR
* FIX: Patch to bypass the ECDSA digital signature check. Now an application with an invalid signature will be considered validly signed.
For example, "signing" an application without having the proper private key to generate a proper signature.
* FIX: Patch that removes the hash check of the application segments. An invalid hash will be considered valid.
* FIX: Patch to bypass the restriction that FSELFs cannot be used on retail consoles. This patch is different from the one on ps3devwiki; the patch on that page about this subject bricks machines, as it has a problem decrypting the metadata of encrypted retail executables.
* FIX: Patch to bypass the protection added in 3.55 (for npdrm/normal applications, just before the RVK load) which prevents applications newer than the version reported by the current firmware from being used. That is, in a hypothetical case, a 3.60 game trying to launch on 3.56.
* FIX: Patch to bypass the auth check protection of applications (added in 3.56); this check detects programs created with the public tools, which always set the same auth, a superior one.
* FIX: Patch to remove the whitelist protection of authorized programs, added in 3.56. Now you can use all applications as on 3.55 and below.
- NOTES
* lv2 is protected by a hash in lv1; if you want to patch an offset that falls within the protected range, this would produce a panic in the system's check.
To avoid this problem, use the tool attached to this package before modifying lv2 with poke.
The reason for not implementing this patch directly is that not everyone is a dev, and not being able to touch lv2 is safer for the user.
Of course the source code of this program is included, so a dev can see how this problem is patched using the lv1 POKE.
* You can now enter service mode and use lv2diag as before, but this has a potential danger.
The current 3.56 makes it impossible to downgrade below 3.56, meaning that if you are on 3.56, you stay there, as you will have found if you ever tried to downgrade to a version the update manager checks against.
The problem is a programming bug that allows updating with Lv2Diag.self; the bug is that it does NOT check that the update is on the USB or verify that it is valid, and the program formats flash 1, 2 and 3.
This means that if it then fails, your system would be partially dead; the flashes would still work and the active ros could use an lv2diag again, but forewarned is forearmed. Beware of Lv2diag!
* Attached to this package is an updated application to extract the nodes from an lv1 dump; it is an update of the application made by Graf Chokolo, now with support for versions 3.15, 3.41, 3.55 and 3.56 in a single program. Useful to display the nodes extracted from your dump.
* The finished graphical firmware will be added when JFW 3.41 itself is finished.
* The package adds an application, which I do not think exists publicly, to set product mode directly from the XMB; it acts as a toggle, so if you are in product mode, using it the same way removes product mode.
As a final note, remember that this is the first version of the firmware, so constructive criticism is welcome.
As the appldr patches are rooted in this publication, many variants will come out of it; just remember that the first publication was this one.
Don't bite the hand that feeds you; today it is 3.56, tomorrow maybe a higher one, or maybe not. :violin:
Source: demonhades.org

Read more: http://www.ps3hax.net/showthread.php?t=30130&page=2#ixzz1dhfuVToj
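The README above says 3.56 MA-1 removes the need to edit PARAM.SFO when an application asks for a firmware newer than the one running. The following is an added example, not the firmware's code or the author's, that models that check: it parses the PARAM.SFO container (the PSF layout is the documented one: a "\0PSF" header with little-endian key-table, data-table and entry-count fields, then 16-byte index entries of key_offset, data_fmt, data_len, data_max_len, data_offset), reads PS3_SYSTEM_VER, compares it with the running version, and also shows the manual workaround people used before, rewriting PS3_SYSTEM_VER in place. The running-firmware value, the title ID and the sample SFO are constructed for the demo; the specific lv2 error code the firmware would return is not modelled.

```c
/* Added example, not the firmware's or the author's code: a model of the PARAM.SFO
 * PS3_SYSTEM_VER check that 3.56 MA-1 makes unnecessary to work around by editing the SFO.
 * Only the PSF container layout is the documented format; the running-firmware value,
 * the title ID and the sample SFO built below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SFO_MAGIC    0x46535000u  /* bytes 00 50 53 46 = "\0PSF", read as little-endian */
#define SFO_FMT_UTF8 0x0204       /* NUL-terminated UTF-8 value */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static size_t bounded_strlen(const uint8_t *s, size_t max) { size_t n = 0; while (n < max && s[n]) n++; return n; }

/* Find a UTF-8 entry by key, bounds-checking every offset against the buffer.
 * Returns a pointer to the value inside buf or NULL; *out_max receives data_max_len. */
static const uint8_t *sfo_find_utf8(const uint8_t *buf, size_t len, const char *key, uint32_t *out_max)
{
    if (len < 20 || rd32(buf) != SFO_MAGIC) return NULL;
    size_t key_start = rd32(buf + 8), data_start = rd32(buf + 12), n = rd32(buf + 16);
    if (key_start > len || data_start > len || n > (len - 20) / 16) return NULL;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 20 + 16 * i;
        size_t koff = key_start + rd16(e), doff = data_start + rd32(e + 12);
        uint32_t dmax = rd32(e + 8);
        if (koff >= len || doff > len || dmax > len - doff) return NULL;
        if (bounded_strlen(buf + koff, len - koff) == len - koff) return NULL; /* unterminated key */
        if (rd16(e + 2) == SFO_FMT_UTF8 && strcmp((const char *)buf + koff, key) == 0) {
            *out_max = dmax;
            return buf + doff;
        }
    }
    return NULL;
}

/* Parse "MM.mmmm" (e.g. "03.5600" -> 35600); -1 if malformed or not terminated within max. */
static long sfo_parse_version(const uint8_t *s, uint32_t max)
{
    if (bounded_strlen(s, max) != 7 || s[2] != '.') return -1;
    long v = 0;
    for (size_t i = 0; i < 7; i++) {
        if (i == 2) continue;
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* The check: 1 if the app's PS3_SYSTEM_VER <= running_ver (same encoding as above),
 * 0 if the app asks for a newer firmware, -1 if the SFO is malformed. */
int sfo_version_ok(const uint8_t *sfo, size_t len, long running_ver)
{
    uint32_t max = 0;
    const uint8_t *v = sfo_find_utf8(sfo, len, "PS3_SYSTEM_VER", &max);
    long req = v ? sfo_parse_version(v, max) : -1;
    return req < 0 ? -1 : req <= running_ver;
}

/* The manual workaround the README says is no longer needed: rewrite PS3_SYSTEM_VER in place. */
int sfo_set_system_ver(uint8_t *sfo, size_t len, const char *ver)
{
    uint32_t max = 0;
    const uint8_t *v = sfo_find_utf8(sfo, len, "PS3_SYSTEM_VER", &max);
    if (!v || strlen(ver) + 1 > max) return -1;
    memcpy(sfo + (v - sfo), ver, strlen(ver) + 1);
    return 0;
}

/* Build a minimal two-entry SFO (constructed data, not from any real title). Returns length or 0. */
size_t build_sample_sfo(uint8_t *out, size_t cap, const char *sysver, const char *title_id)
{
    static const char keys[] = "PS3_SYSTEM_VER\0TITLE_ID";      /* 24 bytes incl. both NULs */
    const uint32_t key_start = 20 + 2 * 16, data_start = key_start + sizeof keys;
    const size_t total = data_start + 8 + 16;                   /* value slots of 8 and 16 bytes */
    if (cap < total || strlen(sysver) >= 8 || strlen(title_id) >= 16) return 0;
    memset(out, 0, total);
    wr32(out, SFO_MAGIC); wr32(out + 4, 0x101); wr32(out + 8, key_start); wr32(out + 12, data_start); wr32(out + 16, 2);
    uint8_t *e = out + 20;                                      /* entry 0 = PS3_SYSTEM_VER, entry 1 = TITLE_ID */
    wr16(e, 0);       wr16(e + 2, SFO_FMT_UTF8);  wr32(e + 4, (uint32_t)strlen(sysver) + 1);    wr32(e + 8, 8);   wr32(e + 12, 0);
    wr16(e + 16, 15); wr16(e + 18, SFO_FMT_UTF8); wr32(e + 20, (uint32_t)strlen(title_id) + 1); wr32(e + 24, 16); wr32(e + 28, 8);
    memcpy(out + key_start, keys, sizeof keys);
    memcpy(out + data_start, sysver, strlen(sysver) + 1);
    memcpy(out + data_start + 8, title_id, strlen(title_id) + 1);
    return total;
}

/* End-to-end scenario; returns 0 if every step behaved as described, else the failing step. */
int demo(void)
{
    uint8_t sfo[128];
    size_t len = build_sample_sfo(sfo, sizeof sfo, "03.6000", "XXXX00000"); /* constructed: app built for 3.60 */
    if (len == 0) return 1;
    if (sfo_version_ok(sfo, len, 35600) != 0) return 2;   /* refused on 3.56 */
    if (sfo_version_ok(sfo, len, 36000) != 1) return 3;   /* accepted on 3.60 */
    if (sfo_set_system_ver(sfo, len, "03.5600") != 0) return 4;
    if (sfo_version_ok(sfo, len, 35600) != 1) return 5;   /* accepted on 3.56 after the manual edit */
    return 0;
}

int main(void)
{
    printf("PARAM.SFO version-check demo: step %d\n", demo());   /* 0 = every step as expected */
    return 0;
}
```

The bounds checks in sfo_find_utf8 are the part worth copying: PARAM.SFO comes from the package being installed, so every offset in the index table is attacker-controlled and must be checked against the buffer before it is dereferenced.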
 
Come to think of it, wasn't this firmware waiting for lv0 keys? Seems funny it has come out a day after a tweet stating 3.73 is cracked by a certain person.
 
Taken from PSX-Scene:


"It is spreading like wildfire, although from everything I've read so far this is the brunt of it....

3.55 kmeaw (or other) CFW gets you...
homebrew,
backup managers to play games <3.60 and 'some' games >3.60
no PSN

3.56 JFW gives you...
same homebrew as 3.55 CFW,
a pretty theme
NO new games >3.60!
NO old existing backups <3.60!
...NO backup games via managers at all!
backups need to be 'installed' using the old PSN-style PKG thing to load from the XMB (dear oh dear)
NO PSN
NO integrated Cobra functions (heard this was supposed to be included at some point ages ago)
also no going back from the 3.56 CFW to a working kmeaw without flashing

in other words - if you're on kmeaw or whatnot and it's working fine for you then....
don't touch this with a 10 foot barge pole... you WILL regret it

if, however, you're stuck on 3.56 OFW then at least this will get you some homebrew and a horribly annoying way of backing up some of your games, but to be honest I would stay on 3.56 OFW and wait out the ride until something better comes out (hopefully soon)

that's what I've made of it in the last hour so far anyway

EDIT: now also reading that you need to be on 3.55 to install it - therefore losing the functionality of kmeaw by upgrading, or having to downgrade to 3.55 using a flasher and then install a useless 3.56 CFW when you would've been better off installing kmeaw, lol
^ not 100% sure on this one - senior members from different sites are saying different things so I apologize if this one is wrong"
 
In short DON'T INSTALL THIS.

You cannot play backup games with this firmware, at least not yet.

It won't be long before someone reverse engineers the True Blue dongle and incorporates the code into a CFW, now that 3.73 has been fiddled with.

Or you could just pre-order the True Blue dongle (it might even be available now) and you can play all your backup games, even 3.73, from disc or hard drive. You still need to be on CFW 3.55 to use the TB JB2 dongle.

Still NO PSN though.
 
True Blue dongle's been reversed, mate, AFAIK; it proved to be leaked EBOOTs that were encrypted into the firmware. That's why it only played certain games and they had to be on Blu-ray discs. Sure I read this last week on one of the PS3 sites. They still have to decrypt the EBOOTs that were in the firmware; once that is done, those games will be playable.
 

Yes, there are a site or two saying the TB dongle is fake. But just to prove a point they've done an update, so now you can play new games from the internal/external hard drive and not just from disc anymore.

Fake or not, if you can play new 3.73 games, so what. :) That's better than any CFW that's out so far.
 