XorHack v2.0: The Updated PS3 Exploit Toolkit

After using the XorHack for a while I realised it was missing some things so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place. This should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting. These are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer setup.

Kernel Module Changes

In the middle level I added interfacing support to the nine new syscalls as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address since previously it wasn’t saving the link register, which is not good.. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally the on outermost level  I added support for calling the new syscalls to read and write 8, 16, 32, or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will access it in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, io-remapping of addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send it to me to include in the next version of XorHack.

Sample Application Changes

As well as the above additions and changes to userland code I have added three new command line applications; ps3peek, ps3poke and ps3exec which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple amounts of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or be printed as binary data and redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0×10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires 8 times less syscalls to get the same amount of information as if we used the default 8bit access.

ps3peek 0 -s 0×1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0×20000044024 -d 4

Loading metldr..

Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

918 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit

  1. @graf_chokolo
    i modified and fixed the size of port1_config_descriptor to 0xf00, but i do not put dummy data in the port1_config_descriptor array, i.e. i used some code or other data as descriptor dummy data return to ps3. I think those dummy data is not active, right?

  2. Graf, congrats on the decryption of the .self and sprx files. I’m curious to see what can be done from here, I mean decrypting the ps1 emu and ps2 emulator might help homebrew. And the Otheros decryption could lead to otheros on 3.41 and decryption of the updater files could lead to software downgrade and CFW? I currently have two ps3. One sitting at 3.41 and 3.50. The 3.50 model is the original with SD readers and full BC, I’m using it for any “Dangerous” attempts for downgrading, if any crazy ideas appear. I can always use ps jailbreak to downgrade it and do anything from there.

  3. @rockyu

    Here is what my descriptor looks like:

    const uint8_t PROGMEM port1_config_descriptor[] = {
    0×09, 0×02, 0×12, 0×00, 0×01, 0×00, 0×00, 0×80, 0xFA, 0×09, 0×04, 0×00,
    0×00, 0×00, 0xFE, 0×01, 0×02, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
    0xFA, 0xCE, 0xB0, 0×03, 0xAA, 0xBB, 0xCC, 0xDD, 0×60, 0×00, 0×00, 0×00,

    #include

    ———— and here paste dummy bytes ——————-

    };

  4. Quote:
    vsh.self and sys_init_osd.self decrypted :-)

    damn dude, you are legendary, there is no reason waiting on anyone else to decrypt the key, it’s painfully obvious you will be the one.

  5. Good Morning

    @graf_chokolo so it won’t be possible to have a free version in 3.50?

    Master key is going to provide us conditions to create our own firmware running linux in 3.50 per example? lol

    Can Sony make anything against this? Like banning or such?

    Thanks

  6. too bad psx-care have the materials but not the knowledge and you have the knowledge but not the material. Graf we will pay you a trip to psx-care ^^. (It’s a joke ;) )

  7. Is it possible to downgrade PS3? If so, then downgrade to 3.15 (or whatever enables linux) and then replace the linux bootloader installed on ps3 with something that injects exploit that allows to boot gameos with nice patches?

    Ok, and linux with 3.42 would be nice too… is it impossible to locate code that has changed between non-linux-friendly gameos and linux-friendly games? and make a patch?

  8. Are you able to decrypt the files from the bdvd firmware?
    CprmModule.spu.isoself etc? Or is this decrypted by isoldr? ( judging by the extension “isoself” xD )

  9. @graf_chokolo & Mathieulh

    So now can we find an exploit in vsh (thanks to vsh.self decrypted) and other things (maybe otheros.self?

    Thanks…
    diesel701

  10. @graf_chokolo

    Hello, sorry for my language, a translation is “google” I know it’s not terrible …

    I find it interesting to be able to decrypt the files module
    I have an update debug 3.41.
    My project is activation options “debug” on a “retail”.

  11. Hi graf_chokolo, I read that you need a sx28..
    I have a new sx28, never used and I would like to sell..
    You might be interested?

    Half price than the official site..

    If you want to contact:
    mrsajan[AT]email[DOT]com

  12. @inspuration

    Where do you live ?

    ps1emu*.self decrypted :-)

    ps2 emu cannot be decrypted by appldr because it’s like GameOS, it’s decrypted by lv2ldr, ps2 emu is not an application that can be run on GameOS.

    Pretty all SPRX file can be decrypted now :-)
    I will just polish a bit my source code and then upload it, guys :-)

    Reversing lv2ldr interface and decrypting lv2_kernel.self is next on my list, guys :-)

  13. @ good work :)

    you’ll soon be posting a release??

    there is a possibility he will soon migrate to a firmware debug???

    if you need I can provide a console debug update 3.41

  14. @ graf_chokolo

    So you touched the PS2 problem – what is your oppinion, is it bullshit, that sony told us, we cant run ps2 games on a ps3 (just to sell more games), or is it really a hardware issue and even decryption ps2 emu would help us at all?

    And if its bullshit – can you proove it? I guess this would be huge news (even on non hacking sites), if sony had fooled everybody…

  15. Pingback: [Topic Ufficiale] Ps Downgrade - Riprogrammazione ps jailbreak per downgrade a fw3.41 - Pagina 60 - PS3 World

  16. @ModIT

    You completely misunderstand what he is saying about PS2 emu.

    Sony removed the GS Chip from newer PS3s, this is well known and not “bullshit”, you can see this by just looking at the mobos.

    This has absolutely nothing to do with graf_chokolo’s attempts to decrypt the PS2 emu which is for BC on older PS3s which have the GS Chip.

  17. So you saying the GS Chip is really needed for PS2 emulation and the PS3 can’t do it without?
    Because there are rumours that PS2 emulation will be possible in the near future (with a new firmware), so i thought the old “its not possible because of hardware issues” argument from sony was just bullshit to sell more ps3 games and now they think about giving this feature back.

    Well then i misunderstund graf_chokolos attempt, thought he crossed the problem/possibility “ps2 emu” on this 3.41 (and probable not that old) machine.

  18. Hi, i have simple question, you decrypt FW 3.41 and we can play games under SDK 3.50? Yes, or no.

  19. guys the ps2 emu is not close to arrive. For now we’re all waiting for the ps3 master key to allow a lot of people in 3.15 or 3.41 to modding after that may be a lot more of people can make an homebrew for ps2 emu. But if you’re waiting a solution for ps2 emu it’s not for now and I think it will never happen cause sony left this solution behind (they like sell a remix version ;) )

  20. With your source code and a debug unit of 3.50 ps3, we could decrypt the eboot and self file of the newest game ?

  21. here is the link to download the update 3.41 for PS3 test:

    http://www.multiupload.com/91PE63N5SX

    Password: ds4zadf5g4,g4,4j4a9ra6z4te4tru4f14n4h;m4hljhd4g4ezet7zqe4t4gfbbw44b21dgh1s4hrqy4ery;,;jhku

    @mathieul

    I’m all heart with you! I do not believe a word that is a bad demonhades developer lol

    Good luck;)

  22. @Graf_chokolo

    It seems JaicraB would enter in service mode his ps3 without using any dongle.

    Check his blog ;)

    U know this?
    What do u think about?

  23. we all want a lot of things. Be patient but for a psp emulator you’ll need to be very very patient ;) but stop off subject chitchat please ;)

  24. If I remember correctly Sony already said that ps2 emulation is possible without the GS chip but it sucks ass which is why they are considering some kind of USB addon or something of that nature.

  25. re:
    I saw an SX28 from Parallax which was arround 15 dollars or such.
    http://www.hvwtech.com/products_view.asp?ProductID=619

    I have a similar board with an sx-key(programmer) and an sx chip/crystal (never used) collecting dust…

    hit me up if you’re still in need… Whatever you have in mind would probably be a better use for it.

    lordcutter (at) gmail …

  26. Grag Hello, I wanted to ask if you know more or less when you have completed the downgrade to 100% open source, you know I can not wait I’m going crazy, please answer: (

  27. for those who are new to HV reversing like I am.
    Here I made a quick IDC script for those interested in tracing the process protection pages to realize the VA and RA address mapping being used by the process.

    you must execute the HV_DUMP.IDC from xorloser first, then apply this IDC later because it requires a opd_table to be defined first. and it’s for 3.15 HV only because that’s the only HV dump I have. process 0 is not extractable. there seems some data missing in the process object of process 0.

    I am working on a different IDC script to extract the pages to a new file in order to get a file which RA=VA so I can analyze the code more easily.

    http://www.megaupload.com/?d=NM0SNO5V

    here is the output for process 6 extraction from the dump I have.

    opd_addr = 003214d0
    rtoc_addr = 00350470
    process_table_addr = 0035e850
    process_obj_addr = 00368cf0
    process_protection_domain_addr = 0036a960
    protection_page_addr = 0036ab00, RA=000f4000, VA=80000000, next page addr = 0036ab30
    protection_page_addr = 0036ab30, RA=000f5000, VA=80001000, next page addr = 0036ab60
    protection_page_addr = 0036ab60, RA=000f6000, VA=80002000, next page addr = 0036ab90
    protection_page_addr = 0036ab90, RA=000f7000, VA=80003000, next page addr = 0036abc0
    protection_page_addr = 0036abc0, RA=000f8000, VA=80004000, next page addr = 0036abf0
    protection_page_addr = 0036abf0, RA=000f9000, VA=80005000, next page addr = 0036ac20
    protection_page_addr = 0036ac20, RA=000fa000, VA=80006000, next page addr = 0036ac50
    protection_page_addr = 0036ac50, RA=000fb000, VA=80007000, next page addr = 0036ac80
    protection_page_addr = 0036ac80, RA=000fc000, VA=80008000, next page addr = 0036acb0
    protection_page_addr = 0036acb0, RA=000fd000, VA=80009000, next page addr = 0036ace0
    protection_page_addr = 0036ace0, RA=000fe000, VA=8000a000, next page addr = 0036ad10
    protection_page_addr = 0036ad10, RA=000ff000, VA=8000b000, next page addr = 0036ad40
    protection_page_addr = 0036ad40, RA=00700000, VA=8000c000, next page addr = 0036ad70
    protection_page_addr = 0036ad70, RA=00701000, VA=8000d000, next page addr = 0036ada0
    protection_page_addr = 0036ada0, RA=00702000, VA=8000e000, next page addr = 0036add0
    protection_page_addr = 0036add0, RA=00703000, VA=8000f000, next page addr = 0036ae00
    protection_page_addr = 0036ae00, RA=00704000, VA=80010000, next page addr = 0036ae30
    protection_page_addr = 0036ae30, RA=00705000, VA=80011000, next page addr = 0036ae60
    protection_page_addr = 0036ae60, RA=00706000, VA=80012000, next page addr = 0036ae90
    protection_page_addr = 0036ae90, RA=00707000, VA=80013000, next page addr = 0036aec0
    protection_page_addr = 0036aec0, RA=00708000, VA=80014000, next page addr = 0036aef0
    protection_page_addr = 0036aef0, RA=00709000, VA=80015000, next page addr = 0036af20
    protection_page_addr = 0036af20, RA=0070a000, VA=80016000, next page addr = 0036af50
    protection_page_addr = 0036af50, RA=0070b000, VA=80017000, next page addr = 0036af80
    protection_page_addr = 0036af80, RA=0070c000, VA=80018000, next page addr = 0036afb0
    protection_page_addr = 0036afb0, RA=0070d000, VA=80019000, next page addr = 0036afe0
    protection_page_addr = 0036afe0, RA=0070e000, VA=8001a000, next page addr = 0036b010
    protection_page_addr = 0036b010, RA=0070f000, VA=8001b000, next page addr = 0036b040
    protection_page_addr = 0036b040, RA=00710000, VA=8001c000, next page addr = 0036b070
    protection_page_addr = 0036b070, RA=00711000, VA=8001d000, next page addr = 0036b0a0
    protection_page_addr = 0036b0a0, RA=00712000, VA=8001e000, next page addr = 0036b0d0
    protection_page_addr = 0036b0d0, RA=00713000, VA=8001f000, next page addr = 0036b100
    protection_page_addr = 0036b100, RA=00714000, VA=80020000, next page addr = 0036b130
    protection_page_addr = 0036b130, RA=00715000, VA=80021000, next page addr = 0036b160
    protection_page_addr = 0036b160, RA=00716000, VA=80022000, next page addr = 0036b190
    protection_page_addr = 0036b190, RA=00717000, VA=80023000, next page addr = 0036b1c0
    protection_page_addr = 0036b1c0, RA=00718000, VA=80024000, next page addr = 0036b1f0
    protection_page_addr = 0036b1f0, RA=00719000, VA=80025000, next page addr = 0036b220
    protection_page_addr = 0036b220, RA=0071a000, VA=80026000, next page addr = 0036b250
    protection_page_addr = 0036b250, RA=0071b000, VA=80027000, next page addr = 0036b280
    protection_page_addr = 0036b280, RA=0071c000, VA=80028000, next page addr = 0036b2b0
    protection_page_addr = 0036b2b0, RA=0071d000, VA=80029000, next page addr = 0036b2e0
    protection_page_addr = 0036b2e0, RA=0071e000, VA=8002a000, next page addr = 0036b310
    protection_page_addr = 0036b310, RA=0071f000, VA=8002b000, next page addr = 0036b340
    protection_page_addr = 0036b340, RA=00720000, VA=8002c000, next page addr = 0036b370
    protection_page_addr = 0036b370, RA=00721000, VA=8002d000, next page addr = 0036b3a0
    protection_page_addr = 0036b3a0, RA=00722000, VA=8002e000, next page addr = 0036b3d0
    protection_page_addr = 0036b3d0, RA=00723000, VA=8002f000, next page addr = 0036b400
    protection_page_addr = 0036b400, RA=00724000, VA=80030000, next page addr = 0036b430
    protection_page_addr = 0036b430, RA=00725000, VA=80031000, next page addr = 0036b460
    protection_page_addr = 0036b460, RA=00726000, VA=80032000, next page addr = 0036b490
    protection_page_addr = 0036b490, RA=00727000, VA=80033000, next page addr = 0036b4c0
    protection_page_addr = 0036b4c0, RA=00728000, VA=80034000, next page addr = 0036b4f0
    protection_page_addr = 0036b4f0, RA=00729000, VA=80035000, next page addr = 0036b520
    protection_page_addr = 0036b520, RA=0072a000, VA=80036000, next page addr = 0036b550
    protection_page_addr = 0036b550, RA=0072b000, VA=80037000, next page addr = 0036b580
    protection_page_addr = 0036b580, RA=0072c000, VA=80038000, next page addr = 0036b5b0
    protection_page_addr = 0036b5b0, RA=0072d000, VA=80039000, next page addr = 0036b5e0
    protection_page_addr = 0036b5e0, RA=0072e000, VA=8003a000, next page addr = 0036b610
    protection_page_addr = 0036b610, RA=0072f000, VA=8003b000, next page addr = 0036b640
    protection_page_addr = 0036b640, RA=00730000, VA=8003c000, next page addr = 0036b670
    protection_page_addr = 0036b670, RA=00731000, VA=8003d000, next page addr = 0036b6a0
    protection_page_addr = 0036b6a0, RA=00732000, VA=8003e000, next page addr = 0036b6d0
    protection_page_addr = 0036b6d0, RA=00733000, VA=8003f000, next page addr = 0036b700
    protection_page_addr = 0036b700, RA=00734000, VA=80040000, next page addr = 0036b730
    protection_page_addr = 0036b730, RA=00735000, VA=80041000, next page addr = 0036b760
    protection_page_addr = 0036b760, RA=00736000, VA=80042000, next page addr = 0036b790
    protection_page_addr = 0036b790, RA=00737000, VA=80043000, next page addr = 0036b7c0
    protection_page_addr = 0036b7c0, RA=00738000, VA=80044000, next page addr = 0036b7f0
    protection_page_addr = 0036b7f0, RA=00739000, VA=80045000, next page addr = 0036b820
    protection_page_addr = 0036b820, RA=0073a000, VA=80046000, next page addr = 0036b850
    protection_page_addr = 0036b850, RA=0073b000, VA=80047000, next page addr = 0036b880
    protection_page_addr = 0036b880, RA=0073c000, VA=80048000, next page addr = 0036b8b0
    protection_page_addr = 0036b8b0, RA=0073d000, VA=80049000, next page addr = 0036b8e0
    protection_page_addr = 0036b8e0, RA=0073e000, VA=8004a000, next page addr = 0036b910
    protection_page_addr = 0036b910, RA=0073f000, VA=8004b000, next page addr = 0036b940
    protection_page_addr = 0036b940, RA=00740000, VA=8004c000, next page addr = 0036b970
    protection_page_addr = 0036b970, RA=00741000, VA=8004d000, next page addr = 0036b9a0
    protection_page_addr = 0036b9a0, RA=00742000, VA=8004e000, next page addr = 0036b9d0
    protection_page_addr = 0036b9d0, RA=00743000, VA=8004f000, next page addr = 0036ba00
    protection_page_addr = 0036ba00, RA=00744000, VA=80050000, next page addr = 0036ba30
    protection_page_addr = 0036ba30, RA=00745000, VA=80051000, next page addr = 0036ba60
    protection_page_addr = 0036ba60, RA=00746000, VA=80052000, next page addr = 0036ba90
    protection_page_addr = 0036ba90, RA=00747000, VA=80053000, next page addr = 0036bac0
    protection_page_addr = 0036bac0, RA=00748000, VA=80054000, next page addr = 0036baf0
    protection_page_addr = 0036baf0, RA=00749000, VA=80055000, next page addr = 0036bb20
    protection_page_addr = 0036bb20, RA=0074a000, VA=80056000, next page addr = 0036bb50
    protection_page_addr = 0036bb50, RA=0074b000, VA=80057000, next page addr = 00127900
    protection_page_addr = 00127900, RA=0075d000, VA=a0000000, next page addr = 00369e20
    protection_page_addr = 00369e20, RA=0015d000, VA=a0002000, next page addr = 0036bb80
    protection_page_addr = 0036bb80, RA=0074c000, VA=c0000000, next page addr = 0036bbd0
    protection_page_addr = 0036bbd0, RA=0074d000, VA=c0001000, next page addr = 0036bc00
    protection_page_addr = 0036bc00, RA=0074e000, VA=c0002000, next page addr = 0036bc30
    protection_page_addr = 0036bc30, RA=0074f000, VA=c0003000, next page addr = 0036bc60
    protection_page_addr = 0036bc60, RA=00750000, VA=c0004000, next page addr = 0036bc90
    protection_page_addr = 0036bc90, RA=00751000, VA=c0005000, next page addr = 0036bcc0
    protection_page_addr = 0036bcc0, RA=00752000, VA=c0006000, next page addr = 0036bcf0
    protection_page_addr = 0036bcf0, RA=00753000, VA=c0007000, next page addr = 0036bd20
    protection_page_addr = 0036bd20, RA=00754000, VA=c0008000, next page addr = 0036bd50
    protection_page_addr = 0036bd50, RA=00755000, VA=c0009000, next page addr = 0036bd80
    protection_page_addr = 0036bd80, RA=00756000, VA=c000a000, next page addr = 0036bdb0
    protection_page_addr = 0036bdb0, RA=00757000, VA=c000b000, next page addr = 0036bde0
    protection_page_addr = 0036bde0, RA=00758000, VA=c000c000, next page addr = 0036be10
    protection_page_addr = 0036be10, RA=00759000, VA=c000d000, next page addr = 0036be40
    protection_page_addr = 0036be40, RA=0075a000, VA=c000e000, next page addr = 0036be70
    protection_page_addr = 0036be70, RA=0075b000, VA=c000f000, next page addr = 0036bea0
    protection_page_addr = 0036bea0, RA=0075c000, VA=c0010000, next page addr = 0012fc40
    protection_page_addr = 0012fc40, RA=00768000, VA=ffffd000, next page addr = 00169e90
    protection_page_addr = 00169e90, RA=00769000, VA=ffffe000, next page addr = 00169ec0
    protection_page_addr = 00169ec0, RA=0076a000, VA=fffff000, next page addr = 0036a988
    protection_page_addr = 0036a988, RA=ffffffffffffffff, VA=ffffffff, next page addr = 0036ab00

    done

  28. This MUST have been answered somewhere already, but I cannot seem to find it, so maybe one of you would be kind enough to respond. Why the heck does any one go to the bother of obtaining one of these sx boards when 3 dollars at radio shack gets you what you need minus a usb interface. Am I missing something? I bought everything for jaicrab’s lpt1 for virtually nothing at my local radio shack. Wouldn’t graf_chokolo be DONE with everything had he gone this route? What am I missing?

  29. And what the fuck soon come home, and yet we have no downgrade open source! While those who have the jailbreak ps, are already using it for weeks now!
    Please commit to issue as soon as possible downgrade, then, think of other things, but at this moment, there are millions and millions of people who have 3.50, and have waited months to play the jailbreak !!!!! ! please give yourself a move, think of the things most needed, and then the secondary ones, think about who the first to 3.50, and would like to change, think about this.

  30. And what the fuck soon come home, and yet we have no downgrade open source! While those who have the jailbreak ps, are already using it for weeks now!
    Please commit to issue as soon as possible downgrade, then, think of other things, but at this moment, there are millions and millions of people who have 3.50, and have waited months to play the jailbreak !!!!! ! please hurry, think of the things most needed, and then the secondary ones, think first of those who have 3.50, and the change would be crazy, think about this.

  31. guys stop that stupid question the open downgrade released when we have the master key. It could be tomorrow or february 2010 … We can’t tell you a date so lets men (or women ;) ) work and stop the chitchat here thanks.

  32. What the fuck is the christmas soon, and yet we have no downgrade open source! While those who have the jailbreak ps, are already using it for weeks now!
    Please commit to issue as soon as possible downgrade, then, think of other things, but at this moment, there are millions and millions of people who have 3.50, and have waited months to play the jailbreak !!!!! ! please hurry, think of the things most needed, and then the secondary ones, think first of those who have 3.50, and the change would be crazy, think about this.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>