kakaroto introduces PL3 and 3.01 firmware news - 改機
By Robert
at 2010-09-29T17:47
If you have a PS3 on firmware 3.01, 3.10 or 3.15 and want to play with PSJB, you may want to hold off on updating for now.
With donations from many netizens, kakaroto has bought a 3.01 PS3 and is now working hard on porting PSJB to these versions.
According to his blog, he has apparently already dumped the LV2 memory of 3.01 and is now trying to find the correct offsets to trigger the vulnerability.
He has also put the LV2 dump image into a project repository named PL3.
PL3 is a new project he started, intended as a git repository of payloads that every PSJB approach (such as PSFreedom or PSGroove) can share.
====================================
Original link: http://0rz.tw/VSY0p
PL3 git repository: http://github.com/kakaroto/PL3
I'll announce two things. First, let's talk about PL3.

PL3 is a new project I started in order to have a common repository of payloads that can be used by any "jailbreak" implementation. I got tired of copying payloads from PSGroove, and I had some nice changes in mine that I thought the PSGroove project could benefit from, so I thought I'd create a single repository that both projects, PSFreedom and PSGroove (or any other similar projects), could use. You can find it on github, so don't hesitate to submodule it and use it.

Second important news… I've bought a new PS3 just for homebrew. Thanks to all who donated money so I could buy it (I didn't get enough donations to pay for it, but enough to help me).

I bought this PS3 used and it came with firmware 3.01! This is good and bad news: I can't use PSFreedom to jailbreak it, so I've put on hold any improvements for it; however, it will allow me to actually port PSFreedom to older firmwares! My plan is to get the jailbreak working on 3.01, then move on to 3.10 and 3.15 (depending on how hard it is, I might skip 3.10).

More good news is that after 4 days of work, I was finally able to dump the LV2 memory from the 3.01 firmware, and now all that remains is to find the right offsets to patch and port PSFreedom to 3.01, so all of you who are still using this firmware version will soon be able to jailbreak it! Once I'm done with that, I'll try to do the same with the 3.10/3.15 firmware versions!

To dump LV2, I used a trick and algorithms found by marcan42, so big thanks go to him, as well as to many other people who helped me out, RichDevX and Aaron in particular. I used RichDevX's idea of ignoring the JIG and bruteforcing the address in which the port1 descriptor gets stored until I get a hit, then using that payload to dump lv2, then finding the right JIG offset for that particular firmware from the dump. Marcan's trick was to send the data through the ethernet cable by using LV1-only hypercalls, and it worked!

Now the latest git version of PL3 has a new "dump_lv2" payload which you can use. It is firmware independent and only uses LV1 hypercalls, so it should just work… It will dump all the lv2 memory through ethernet, so fire up wireshark, save the dump to a .pcap file, and use the tool in PL3/tools to extract the memory dump from the .pcap file.

In other news, I will soon upload to Ps3utils an .idc script that will search for and find the syscall table, and correctly resolve all of its functions and name them properly… maybe even have it automatically find all functions of a dump in order to save time creating procs in IDA. I'll let you know once I'm done with it.
--
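The quoted post describes saving the ethernet dump with Wireshark and then extracting the memory image from the .pcap with a tool in PL3/tools. The following is an added example, not PL3's tool and not kakaroto's code: a minimal libpcap reader that reassembles a memory image from UDP chunks, tolerating out-of-order and duplicate packets and reporting the ranges that never arrived (the kind of gap a lossy capture leaves). The wire layout it parses (UDP to a fixed port, each payload an 8-byte big-endian offset followed by chunk bytes) is an assumption made for the example; the real PL3 format is not described on the page. The sample capture is constructed in-memory so the script runs offline.

```python
"""Reassemble a memory image from a libpcap capture (added example, not PL3's tool).

ASSUMED on-wire format (not PL3's real one): IPv4/UDP frames to DUMP_PORT whose
payload is an 8-byte big-endian offset followed by the chunk bytes at that offset.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DLT_EN10MB = 1
DUMP_PORT = 9999  # hypothetical port used by the constructed sample


def iter_pcap_packets(data):
    """Yield raw frames from a classic libpcap file held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"            # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # file written on a big-endian host
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    pos = 24                    # global header is 24 bytes
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def udp_payload(frame, dump_port):
    """Return the UDP payload if the frame is IPv4/UDP addressed to dump_port, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    udp = ip[ihl:total_len]
    dst_port, udp_len = struct.unpack_from("!HH", udp, 2)
    if dst_port != dump_port:
        return None
    return udp[8:udp_len]


def extract_dump(pcap_bytes, dump_port=DUMP_PORT):
    """Rebuild the image; duplicates are accepted, conflicting data is an error,
    and the returned hole list names every [start, end) range never received."""
    chunks = {}
    for frame in iter_pcap_packets(pcap_bytes):
        payload = udp_payload(frame, dump_port)
        if payload is None or len(payload) <= 8:
            continue
        offset = struct.unpack_from(">Q", payload, 0)[0]
        body = payload[8:]
        if offset in chunks and chunks[offset] != body:
            raise ValueError(f"conflicting data for offset {offset:#x}")
        chunks[offset] = body
    if not chunks:
        return b"", []
    end = max(off + len(body) for off, body in chunks.items())
    image, covered = bytearray(end), bytearray(end)
    for off, body in chunks.items():
        image[off:off + len(body)] = body
        covered[off:off + len(body)] = b"\x01" * len(body)
    holes, i = [], 0
    while i < end:
        if covered[i]:
            i += 1
            continue
        j = i
        while j < end and not covered[j]:
            j += 1
        holes.append((i, j))
        i = j
    return bytes(image), holes


# --- constructed sample capture (not a real PS3 dump) -----------------------
def build_frame(offset, body, dump_port=DUMP_PORT):
    payload = struct.pack(">Q", offset) + body
    udp = struct.pack("!HHHH", 40000, dump_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + udp
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return bytes(out)


SAMPLE_PCAP = build_pcap([
    build_frame(16, b"B" * 16),   # arrives before the first chunk
    build_frame(0, b"A" * 16),
    build_frame(16, b"B" * 16),   # duplicate of an earlier chunk
    build_frame(48, b"D" * 16),   # the chunk at offset 32 is never seen
])

if __name__ == "__main__":
    image, holes = extract_dump(SAMPLE_PCAP)
    print(f"{len(image)} bytes reassembled, missing ranges: {holes}")
```

Run against a real capture by reading the .pcap into `pcap_bytes` and adjusting `DUMP_PORT` and the payload layout to whatever the sending payload actually uses; the hole list is the check worth looking at before trusting any offset found in the image, since a missing range silently reads as zeros.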
Tags:
改機
All Comments
By Daph Bay
at 2010-10-01T10:26
By Gilbert
at 2010-10-05T09:16
By Todd Johnson
at 2010-10-08T23:56