zecoxao last won the day on June 2

zecoxao had the most liked content!

Community Reputation

1,281 Excellent

About zecoxao

  • Rank
    Posting Freak
  • Birthday 10/12/1990

Profile Information

  • Gender
    Not Telling
  1. https://www.sendspace.com/file/mx1kjx @3141card has asked me to release this as well: 4.81 netemu with temperature display. Enjoy!
  2. @3141card has asked me to share this. It is ps2_netemu from 4.81 with full hvcall support, and an option to dump lv1 from inside netemu. @mysis this is also for you: https://mega.nz/#!FlMQ3SyB!-wtUdxvPEuGBZoB1awY9I5f3zBd_f3qLG7NOZugLE28 Instructions on how to dump lv1 are inside. Have fun!
  3. @Red-EyeX32 asked me to share this with you guys (it's already released but whatever) https://mega.nz/#!h4VnyCxK!n7Sqh9h6_zGT2dnFzue-6_ZUDNh0kfKnuPVmLUWHa-U
  4. How to find TOC in lv1:
  5. @3141card @Joonie @mysis proof of concept scripts: https://www.sendspace.com/file/mv5czq

     lv2_dump_analyser_before_355.idc <- script for firmwares before 3.55 and after 1.02 (TOC located at segment #7)
     lv2_dump_analyser_355_plus.idc <- script for firmwares 3.55 and above (TOC located at segment #6)

     Useful if you want to find everything quickly and leave the syscall table for later. Just add those two to the ps3ida folder and use them according to version. The TOC will be found automatically.
  6. Tools Required:
     * IDA Pro (don't ask where to find it, Google is your friend)
     * HxD
     * 7zip
     * Tools to extract the elf from lv2_kernel.self (Unself/Unself2/Scetool/etc) / pup unpack tools

     Step 1: Extract the elf from lv2_kernel (here I'm using aldos tools) by right-clicking lv2 and choosing "SELF Tools->Extract ELF".

     Step 2: Extract the elf further with 7zip by right-clicking the elf and choosing "7zip-> Extract to <name_of_file_without_extension>". It'll create a folder and extract its contents. If a popup box shows up asking whether to overwrite or not, choose "Rename automatically".

     Step 3: Open the folder and go to the segment with 46KB/45KB size. Open it with HxD and go 0x8000 bytes into the file from the start position. Example for 1.02 lv2_kernel:

     Step 4: Copy the first 8 bytes from 0x8000 to the transfer area.

     Step 5: Open the kernel in IDA Pro and let it load. After it loads, search for those bytes. You should see an unknown data structure. That is your TOC.

     PS: Tested on 4.46 REX CEX Kernel, 1.02 CEX Kernel, and 4.60 DECR Kernel, as well as 3.41 CEX Kernel v1, 2.70 CEX Kernel and 2.00 CEX Kernel.
  7. PS2 Netemu - Unlock Config Mode and Debug Info Mode

    @mysis needs to see this
  8. Qwertyuiopz Teasing 4.5x hacked on twitter

    BORING! ksploit isn't SAMU. so it's BORING!
  9. 3.56 min praxis on DECH consoles

    They do not exist.
  10. ps3 hdd scripts/vm by picard (relink)

  11. ps3 hdd scripts/vm by picard (relink)

    I still have the sources. Wait.
  12. First of all, a note: this is for testkit and devkit consoles ONLY! We are working on a way to bring debug functionality to retail consoles, but it might take a while.

    These are the patches:

      *(uint16_t *)0xFFFFFFFF82607E56 = 0x9090; //retail - testkit (doesn't work on retail yet, but offsets are the same)
      *(uint16_t *)0xFFFFFFFF82607E71 = 0x9090; //retail - testkit (doesn't work on retail yet, but offsets are the same)
      *(uint16_t *)0xFFFFFFFF825FCFE6 = 0x9090; //devkit
      *(uint16_t *)0xFFFFFFFF825FD001 = 0x9090; //devkit

    Due to the nature of devkits, only hitodama's payloads work on them, so I'll provide one payload for CTurt (for testkit) and one for hito (for devkit):

    testkit payload
    devkit payload

    Since people should already know in detail how to send these payloads, I won't go into much detail. The testkit payload follows the CTurt procedure. The devkit payload follows the Hitodama procedure.

    The end result will be this:

    Good luck! If you do not feel confident trying the payloads, just implement those patches yourself in your own custom payload.

    PS: Even though it's in the tags, credits to zil0g80 and @wildcard for the sauces and patches.
  13. First, as always, the credits (included in README):

    nmount ps4 payload developed by wildcard. Thanks to Zer0xFF (@Zer0xFF) for ps4sdk.mk linker flags, and BigBoss (@psxdev) for directory printing from ps4link!

    In order to compile for nmount you need to add 2 flags to /ps4sdk/make/ps4sdk.mk. Replace this line:

      LinkerFlags = -O3 -Wall -m64 $(LibraryPath) $(Debug)

    With this line:

      LinkerFlags = -O3 -Wall -m64 $(LibraryPath) $(Debug) -lPs4SystemCall_stub -lPs4SystemCallAdaptive_stub

    Enjoy! Now, for the tutorial!

    Requirements:
    -> PS4 on 1.76
    -> Hitodama's PS4SDK
    -> nmount payload
    -> elf loader or extreme-modding's elf loader
    -> the table (included in payload):

    Partition mounting table

    Partition     | Directory    | fstype   | mount flag
    md0           | /            | msdosfs? | MNT_UPDATE
    da0x0.crypt   | /preinst     | msdosfs  | MNT_UPDATE
    da0x1.crypt   | /preinst2    | msdosfs  | MNT_UPDATE
    da0x2.crypt   | ????????     |          |
    da0x3.crypt   | /eap_vsh     | msdosfs  | MNT_FORCE
    da0x4.crypt   | /system      | msdosfs  | MNT_UPDATE
    da0x4b.crypt  | ???????      |          |
    da0x5.crypt   | /system_ex   | msdosfs  | MNT_UPDATE
    da0x5b.crypt  | some exfat?  | exfat?   |
    da0x6.crypt   | ??????       |          |
    da0x6x0.crypt | ??????       |          |
    da0x6x1.crypt | SCE EVENT    |          |
    da0x6x2.crypt | SCE EVENT    |          |
    da0x8.crypt   | ??????       |          |
    da0x9.crypt   | /system_data | msdosfs  | MNT_FORCE
    da0x12.crypt  | /update      | msdosfs  | MNT_UPDATE
    da0x13.crypt  | /user        | ufs      | MNT_FORCE
    da0x14.crypt  | /eap_user    | msdosfs  | MNT_FORCE
    da0x15.crypt  | ????         |          |
    /user/data    | /data        | nullfs   | MNT_FORCE

    -> Information about the mount fs type (also included in source)

    Steps:
    0. Specify your options in the payload source. fstype is the type of fs you wish your partition to have; some are not valid and will return an error. Check the table for more information. fspath is the path where you want to mount your partition. Finally, from is the location of your crypt partition.
    1. Compile the payload. Make sure the flags on your ps4sdk are properly set! (Check the readme or this post for more information.)
    2. Load the elf loader.
    3. Let it stabilize on stage 5.
    4. Start the listener and run the payload:

      #listener
      socat - TCP:my.ps4.ip:5052
      #sender
      socat -u FILE:path/to/nmount TCP:my.ps4.ip:5053

      Where my.ps4.ip is your local ps4 ip and path/to/nmount is the absolute or relative path to the mounting payload.
    5. You should have your crypt partition mounted.

    PS: This does exactly the same thing as tomtomdu's partition remounter! Be very careful when using this payload! You may softbrick or even brick your device!
  14. Credits to: z80 (https://twitter.com/ZiL0G80) for finding the patches to enable more UART | /dev/klog logs on his console.

    You will need:
    * Retail Payload
    * elfldr/extreme-modding.de playground's elf loader
    * UART Soldering Skills / FTP Server (to grab logs from /dev/klog)
    * Ps4 on 1.76

    Steps:
    * Fire up your own elfldr or the extreme-modding.de one (it needs to go all the way to step 5 without running out of memory!)
    * Listen for the payload:

      #listener
      socat - TCP:my.ps4.ip:5052

    * Send the payload:

      #sender
      socat -u FILE:path/to/mempatch_retail.elf TCP:my.ps4.ip:5053

    * Launch a game or a system app
    * [Extra UART] If you have UART connected, listen to the logs while the game or app is being loaded
    * [Extra klog] If you're not a soldering guy, just grab the content from /dev/klog on your FTP root server. WARNING! Logs will delete themselves once every couple of minutes or so!
    * You should have some extra logs.
  15. [Released] Rebuild Database PS3 - PS3

    Inject what? That just rebuilds the database. It's the source code to the package lol. webman and rebug toolbox do the same.