After using the XorHack for a while I realised it was missing some things so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line
Hypervisor Exploit Changes
At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place. This should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting. These are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer setup.
Kernel Module Changes
In the middle level I added interfacing support to the nine new syscalls as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address since previously it wasn’t saving the link register, which is not good.. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.
User Library changes
Finally the on outermost levelย I added support for calling the new syscalls to read and write 8, 16, 32, or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will access it in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, io-remapping of addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send it to me to include in the next version of XorHack.
Sample Application Changes
As well as the above additions and changes to userland code I have added three new command line applications; ps3peek, ps3poke and ps3exec which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple amounts of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or be printed as binary data and redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.
Here are some examples of what these tools can be used for.
Dumping the hypervisor
This reads 0x10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires 8 times less syscalls to get the same amount of information as if we used the default 8bit access.
ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin
Reading the status register for spu0
ps3peek 0x20000044024 -d 4
Loading metldr..
Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.
Everyone loves pictures
The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…
@graf_chokolo
i modified and fixed the size of port1_config_descriptor to 0xf00, but i do not put dummy data in the port1_config_descriptor array, i.e. i used some code or other data as descriptor dummy data return to ps3. I think those dummy data is not active, right?
Graf, congrats on the decryption of the .self and sprx files. I’m curious to see what can be done from here, I mean decrypting the ps1 emu and ps2 emulator might help homebrew. And the Otheros decryption could lead to otheros on 3.41 and decryption of the updater files could lead to software downgrade and CFW? I currently have two ps3. One sitting at 3.41 and 3.50. The 3.50 model is the original with SD readers and full BC, I’m using it for any “Dangerous” attempts for downgrading, if any crazy ideas appear. I can always use ps jailbreak to downgrade it and do anything from there.
@rockyu
Here is what my descriptor looks like:
const uint8_t PROGMEM port1_config_descriptor[] = {
0x09, 0x02, 0x12, 0x00, 0x01, 0x00, 0x00, 0x80, 0xFA, 0x09, 0x04, 0x00,
0x00, 0x00, 0xFE, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFA, 0xCE, 0xB0, 0x03, 0xAA, 0xBB, 0xCC, 0xDD, 0x60, 0x00, 0x00, 0x00,
#include
———— and here paste dummy bytes ——————-
};
vsh.self and sys_init_osd.self decrypted
Quote:
vsh.self and sys_init_osd.self decrypted
damn dude, you are legendary, there is no reason waiting on anyone else to decrypt the key, it’s painfully obvious you will be the one.
@graf_chokolo
What happened with getting the master key? You haven’t got the sx28 yet?
Good Morning
@graf_chokolo so it won’t be possible to have a free version in 3.50?
Master key is going to provide us conditions to create our own firmware running linux in 3.50 per example? lol
Can Sony make anything against this? Like banning or such?
Thanks
too bad psx-care have the materials but not the knowledge and you have the knowledge but not the material. Graf we will pay you a trip to psx-care ^^. (It’s a joke ๐ )
Is it possible to downgrade PS3? If so, then downgrade to 3.15 (or whatever enables linux) and then replace the linux bootloader installed on ps3 with something that injects exploit that allows to boot gameos with nice patches?
Ok, and linux with 3.42 would be nice too… is it impossible to locate code that has changed between non-linux-friendly gameos and linux-friendly games? and make a patch?
Are you able to decrypt the files from the bdvd firmware?
CprmModule.spu.isoself etc? Or is this decrypted by isoldr? ( judging by the extension “isoself” xD )
@graf_chokolo & Mathieulh
So now can we find an exploit in vsh (thanks to vsh.self decrypted) and other things (maybe otheros.self?
Thanks…
diesel701
@graf_chokolo
Hello, sorry for my language, a translation is “google” I know it’s not terrible …
I find it interesting to be able to decrypt the files module
I have an update debug 3.41.
My project is activation options “debug” on a “retail”.
Do you need an sx28 kit graf? I could provide you with one if so.
heeeeyyyyy IM FONZZYY I HOPE THIS WILL WORK HEYYYYYYYYY
Hi graf_chokolo, I read that you need a sx28..
I have a new sx28, never used and I would like to sell..
You might be interested?
Half price than the official site..
If you want to contact:
mrsajan[AT]email[DOT]com
sorry, mrsajan[AT]email[DOT]it
@inspuration
Where do you live ?
ps1emu*.self decrypted
ps2 emu cannot be decrypted by appldr because it’s like GameOS, it’s decrypted by lv2ldr, ps2 emu is not an application that can be run on GameOS.
Pretty all SPRX file can be decrypted now
I will just polish a bit my source code and then upload it, guys
Reversing lv2ldr interface and decrypting lv2_kernel.self is next on my list, guys
psp_emulator.self decrypted
Not too sure about my question graf_chokolo? I would really appreciate your response.
@ good work
you’ll soon be posting a release??
there is a possibility he will soon migrate to a firmware debug???
if you need I can provide a console debug update 3.41
Canada
I can send it to you no charge though. Email me at li5up6@gmail.com if you are still interested.
@ graf_chokolo
So you touched the PS2 problem – what is your oppinion, is it bullshit, that sony told us, we cant run ps2 games on a ps3 (just to sell more games), or is it really a hardware issue and even decryption ps2 emu would help us at all?
And if its bullshit – can you proove it? I guess this would be huge news (even on non hacking sites), if sony had fooled everybody…
Pingback: [Topic Ufficiale] Ps Downgrade - Riprogrammazione ps jailbreak per downgrade a fw3.41 - Pagina 60 - PS3 World
@ModIT
You completely misunderstand what he is saying about PS2 emu.
Sony removed the GS Chip from newer PS3s, this is well known and not “bullshit”, you can see this by just looking at the mobos.
This has absolutely nothing to do with graf_chokolo’s attempts to decrypt the PS2 emu which is for BC on older PS3s which have the GS Chip.
So you saying the GS Chip is really needed for PS2 emulation and the PS3 can’t do it without?
Because there are rumours that PS2 emulation will be possible in the near future (with a new firmware), so i thought the old “its not possible because of hardware issues” argument from sony was just bullshit to sell more ps3 games and now they think about giving this feature back.
Well then i misunderstund graf_chokolos attempt, thought he crossed the problem/possibility “ps2 emu” on this 3.41 (and probable not that old) machine.
@graf_chokolo
Do you got a donation Paypal account or such? I could give you some funding for youre work ;). How much do you need for such an SX28 board.
I saw an SX28 from Parallax which was arround 15 dollars or such.
http://www.hvwtech.com/products_view.asp?ProductID=619
Greetz,
DJXFMA
Hi, i have simple question, you decrypt FW 3.41 and we can play games under SDK 3.50? Yes, or no.
guys the ps2 emu is not close to arrive. For now we’re all waiting for the ps3 master key to allow a lot of people in 3.15 or 3.41 to modding after that may be a lot more of people can make an homebrew for ps2 emu. But if you’re waiting a solution for ps2 emu it’s not for now and I think it will never happen cause sony left this solution behind (they like sell a remix version ๐ )
I hope this to work in 3.50… Can I help with something?
With your source code and a debug unit of 3.50 ps3, we could decrypt the eboot and self file of the newest game ?
here is the link to download the update 3.41 for PS3 test:
http://www.multiupload.com/91PE63N5SX
Password: ds4zadf5g4,g4,4j4a9ra6z4te4tru4f14n4h;m4hljhd4g4ezet7zqe4t4gfbbw44b21dgh1s4hrqy4ery;,;jhku
@mathieul
I’m all heart with you! I do not believe a word that is a bad demonhades developer lol
Good luck;)
what about psp emulator? I what to play GoW)))
@Graf_chokolo
It seems JaicraB would enter in service mode his ps3 without using any dongle.
Check his blog ๐
U know this?
What do u think about?
we all want a lot of things. Be patient but for a psp emulator you’ll need to be very very patient ๐ but stop off subject chitchat please ๐
If I remember correctly Sony already said that ps2 emulation is possible without the GS chip but it sucks ass which is why they are considering some kind of USB addon or something of that nature.
re:
I saw an SX28 from Parallax which was arround 15 dollars or such.
http://www.hvwtech.com/products_view.asp?ProductID=619
I have a similar board with an sx-key(programmer) and an sx chip/crystal (never used) collecting dust…
hit me up if you’re still in need… Whatever you have in mind would probably be a better use for it.
lordcutter (at) gmail …
Grag Hello, I wanted to ask if you know more or less when you have completed the downgrade to 100% open source, you know I can not wait I’m going crazy, please answer: (
there are a new info on jaicrab blog http://jaicrab.blogspot.com/ somebody can tell us more? it’s an advance for psgrade?
According to DemonHades, Mathieulh works for Sony…
http://blog-demonhades.blogspot.com/2010/12/mathieulh-trabaja-para-sonyfoto-pillada.html
There he exposes the proofs he has. Just to warn all of you. I don’t know if it’s true or not, but I would be careful.
Take care. Thanks graf_chokolo for your great contribution!
@graf_chokolo
When you expect the Downgrade will be ready?
graf_chokolo kannst du denn was mit der 3.41 Debug Firmware von Blackpen0 anfangen?
for those who are new to HV reversing like I am.
Here I made a quick IDC script for those interested in tracing the process protection pages to realize the VA and RA address mapping being used by the process.
you must execute the HV_DUMP.IDC from xorloser first, then apply this IDC later because it requires a opd_table to be defined first. and it’s for 3.15 HV only because that’s the only HV dump I have. process 0 is not extractable. there seems some data missing in the process object of process 0.
I am working on a different IDC script to extract the pages to a new file in order to get a file which RA=VA so I can analyze the code more easily.
http://www.megaupload.com/?d=NM0SNO5V
here is the output for process 6 extraction from the dump I have.
opd_addr = 003214d0
rtoc_addr = 00350470
process_table_addr = 0035e850
process_obj_addr = 00368cf0
process_protection_domain_addr = 0036a960
protection_page_addr = 0036ab00, RA=000f4000, VA=80000000, next page addr = 0036ab30
protection_page_addr = 0036ab30, RA=000f5000, VA=80001000, next page addr = 0036ab60
protection_page_addr = 0036ab60, RA=000f6000, VA=80002000, next page addr = 0036ab90
protection_page_addr = 0036ab90, RA=000f7000, VA=80003000, next page addr = 0036abc0
protection_page_addr = 0036abc0, RA=000f8000, VA=80004000, next page addr = 0036abf0
protection_page_addr = 0036abf0, RA=000f9000, VA=80005000, next page addr = 0036ac20
protection_page_addr = 0036ac20, RA=000fa000, VA=80006000, next page addr = 0036ac50
protection_page_addr = 0036ac50, RA=000fb000, VA=80007000, next page addr = 0036ac80
protection_page_addr = 0036ac80, RA=000fc000, VA=80008000, next page addr = 0036acb0
protection_page_addr = 0036acb0, RA=000fd000, VA=80009000, next page addr = 0036ace0
protection_page_addr = 0036ace0, RA=000fe000, VA=8000a000, next page addr = 0036ad10
protection_page_addr = 0036ad10, RA=000ff000, VA=8000b000, next page addr = 0036ad40
protection_page_addr = 0036ad40, RA=00700000, VA=8000c000, next page addr = 0036ad70
protection_page_addr = 0036ad70, RA=00701000, VA=8000d000, next page addr = 0036ada0
protection_page_addr = 0036ada0, RA=00702000, VA=8000e000, next page addr = 0036add0
protection_page_addr = 0036add0, RA=00703000, VA=8000f000, next page addr = 0036ae00
protection_page_addr = 0036ae00, RA=00704000, VA=80010000, next page addr = 0036ae30
protection_page_addr = 0036ae30, RA=00705000, VA=80011000, next page addr = 0036ae60
protection_page_addr = 0036ae60, RA=00706000, VA=80012000, next page addr = 0036ae90
protection_page_addr = 0036ae90, RA=00707000, VA=80013000, next page addr = 0036aec0
protection_page_addr = 0036aec0, RA=00708000, VA=80014000, next page addr = 0036aef0
protection_page_addr = 0036aef0, RA=00709000, VA=80015000, next page addr = 0036af20
protection_page_addr = 0036af20, RA=0070a000, VA=80016000, next page addr = 0036af50
protection_page_addr = 0036af50, RA=0070b000, VA=80017000, next page addr = 0036af80
protection_page_addr = 0036af80, RA=0070c000, VA=80018000, next page addr = 0036afb0
protection_page_addr = 0036afb0, RA=0070d000, VA=80019000, next page addr = 0036afe0
protection_page_addr = 0036afe0, RA=0070e000, VA=8001a000, next page addr = 0036b010
protection_page_addr = 0036b010, RA=0070f000, VA=8001b000, next page addr = 0036b040
protection_page_addr = 0036b040, RA=00710000, VA=8001c000, next page addr = 0036b070
protection_page_addr = 0036b070, RA=00711000, VA=8001d000, next page addr = 0036b0a0
protection_page_addr = 0036b0a0, RA=00712000, VA=8001e000, next page addr = 0036b0d0
protection_page_addr = 0036b0d0, RA=00713000, VA=8001f000, next page addr = 0036b100
protection_page_addr = 0036b100, RA=00714000, VA=80020000, next page addr = 0036b130
protection_page_addr = 0036b130, RA=00715000, VA=80021000, next page addr = 0036b160
protection_page_addr = 0036b160, RA=00716000, VA=80022000, next page addr = 0036b190
protection_page_addr = 0036b190, RA=00717000, VA=80023000, next page addr = 0036b1c0
protection_page_addr = 0036b1c0, RA=00718000, VA=80024000, next page addr = 0036b1f0
protection_page_addr = 0036b1f0, RA=00719000, VA=80025000, next page addr = 0036b220
protection_page_addr = 0036b220, RA=0071a000, VA=80026000, next page addr = 0036b250
protection_page_addr = 0036b250, RA=0071b000, VA=80027000, next page addr = 0036b280
protection_page_addr = 0036b280, RA=0071c000, VA=80028000, next page addr = 0036b2b0
protection_page_addr = 0036b2b0, RA=0071d000, VA=80029000, next page addr = 0036b2e0
protection_page_addr = 0036b2e0, RA=0071e000, VA=8002a000, next page addr = 0036b310
protection_page_addr = 0036b310, RA=0071f000, VA=8002b000, next page addr = 0036b340
protection_page_addr = 0036b340, RA=00720000, VA=8002c000, next page addr = 0036b370
protection_page_addr = 0036b370, RA=00721000, VA=8002d000, next page addr = 0036b3a0
protection_page_addr = 0036b3a0, RA=00722000, VA=8002e000, next page addr = 0036b3d0
protection_page_addr = 0036b3d0, RA=00723000, VA=8002f000, next page addr = 0036b400
protection_page_addr = 0036b400, RA=00724000, VA=80030000, next page addr = 0036b430
protection_page_addr = 0036b430, RA=00725000, VA=80031000, next page addr = 0036b460
protection_page_addr = 0036b460, RA=00726000, VA=80032000, next page addr = 0036b490
protection_page_addr = 0036b490, RA=00727000, VA=80033000, next page addr = 0036b4c0
protection_page_addr = 0036b4c0, RA=00728000, VA=80034000, next page addr = 0036b4f0
protection_page_addr = 0036b4f0, RA=00729000, VA=80035000, next page addr = 0036b520
protection_page_addr = 0036b520, RA=0072a000, VA=80036000, next page addr = 0036b550
protection_page_addr = 0036b550, RA=0072b000, VA=80037000, next page addr = 0036b580
protection_page_addr = 0036b580, RA=0072c000, VA=80038000, next page addr = 0036b5b0
protection_page_addr = 0036b5b0, RA=0072d000, VA=80039000, next page addr = 0036b5e0
protection_page_addr = 0036b5e0, RA=0072e000, VA=8003a000, next page addr = 0036b610
protection_page_addr = 0036b610, RA=0072f000, VA=8003b000, next page addr = 0036b640
protection_page_addr = 0036b640, RA=00730000, VA=8003c000, next page addr = 0036b670
protection_page_addr = 0036b670, RA=00731000, VA=8003d000, next page addr = 0036b6a0
protection_page_addr = 0036b6a0, RA=00732000, VA=8003e000, next page addr = 0036b6d0
protection_page_addr = 0036b6d0, RA=00733000, VA=8003f000, next page addr = 0036b700
protection_page_addr = 0036b700, RA=00734000, VA=80040000, next page addr = 0036b730
protection_page_addr = 0036b730, RA=00735000, VA=80041000, next page addr = 0036b760
protection_page_addr = 0036b760, RA=00736000, VA=80042000, next page addr = 0036b790
protection_page_addr = 0036b790, RA=00737000, VA=80043000, next page addr = 0036b7c0
protection_page_addr = 0036b7c0, RA=00738000, VA=80044000, next page addr = 0036b7f0
protection_page_addr = 0036b7f0, RA=00739000, VA=80045000, next page addr = 0036b820
protection_page_addr = 0036b820, RA=0073a000, VA=80046000, next page addr = 0036b850
protection_page_addr = 0036b850, RA=0073b000, VA=80047000, next page addr = 0036b880
protection_page_addr = 0036b880, RA=0073c000, VA=80048000, next page addr = 0036b8b0
protection_page_addr = 0036b8b0, RA=0073d000, VA=80049000, next page addr = 0036b8e0
protection_page_addr = 0036b8e0, RA=0073e000, VA=8004a000, next page addr = 0036b910
protection_page_addr = 0036b910, RA=0073f000, VA=8004b000, next page addr = 0036b940
protection_page_addr = 0036b940, RA=00740000, VA=8004c000, next page addr = 0036b970
protection_page_addr = 0036b970, RA=00741000, VA=8004d000, next page addr = 0036b9a0
protection_page_addr = 0036b9a0, RA=00742000, VA=8004e000, next page addr = 0036b9d0
protection_page_addr = 0036b9d0, RA=00743000, VA=8004f000, next page addr = 0036ba00
protection_page_addr = 0036ba00, RA=00744000, VA=80050000, next page addr = 0036ba30
protection_page_addr = 0036ba30, RA=00745000, VA=80051000, next page addr = 0036ba60
protection_page_addr = 0036ba60, RA=00746000, VA=80052000, next page addr = 0036ba90
protection_page_addr = 0036ba90, RA=00747000, VA=80053000, next page addr = 0036bac0
protection_page_addr = 0036bac0, RA=00748000, VA=80054000, next page addr = 0036baf0
protection_page_addr = 0036baf0, RA=00749000, VA=80055000, next page addr = 0036bb20
protection_page_addr = 0036bb20, RA=0074a000, VA=80056000, next page addr = 0036bb50
protection_page_addr = 0036bb50, RA=0074b000, VA=80057000, next page addr = 00127900
protection_page_addr = 00127900, RA=0075d000, VA=a0000000, next page addr = 00369e20
protection_page_addr = 00369e20, RA=0015d000, VA=a0002000, next page addr = 0036bb80
protection_page_addr = 0036bb80, RA=0074c000, VA=c0000000, next page addr = 0036bbd0
protection_page_addr = 0036bbd0, RA=0074d000, VA=c0001000, next page addr = 0036bc00
protection_page_addr = 0036bc00, RA=0074e000, VA=c0002000, next page addr = 0036bc30
protection_page_addr = 0036bc30, RA=0074f000, VA=c0003000, next page addr = 0036bc60
protection_page_addr = 0036bc60, RA=00750000, VA=c0004000, next page addr = 0036bc90
protection_page_addr = 0036bc90, RA=00751000, VA=c0005000, next page addr = 0036bcc0
protection_page_addr = 0036bcc0, RA=00752000, VA=c0006000, next page addr = 0036bcf0
protection_page_addr = 0036bcf0, RA=00753000, VA=c0007000, next page addr = 0036bd20
protection_page_addr = 0036bd20, RA=00754000, VA=c0008000, next page addr = 0036bd50
protection_page_addr = 0036bd50, RA=00755000, VA=c0009000, next page addr = 0036bd80
protection_page_addr = 0036bd80, RA=00756000, VA=c000a000, next page addr = 0036bdb0
protection_page_addr = 0036bdb0, RA=00757000, VA=c000b000, next page addr = 0036bde0
protection_page_addr = 0036bde0, RA=00758000, VA=c000c000, next page addr = 0036be10
protection_page_addr = 0036be10, RA=00759000, VA=c000d000, next page addr = 0036be40
protection_page_addr = 0036be40, RA=0075a000, VA=c000e000, next page addr = 0036be70
protection_page_addr = 0036be70, RA=0075b000, VA=c000f000, next page addr = 0036bea0
protection_page_addr = 0036bea0, RA=0075c000, VA=c0010000, next page addr = 0012fc40
protection_page_addr = 0012fc40, RA=00768000, VA=ffffd000, next page addr = 00169e90
protection_page_addr = 00169e90, RA=00769000, VA=ffffe000, next page addr = 00169ec0
protection_page_addr = 00169ec0, RA=0076a000, VA=fffff000, next page addr = 0036a988
protection_page_addr = 0036a988, RA=ffffffffffffffff, VA=ffffffff, next page addr = 0036ab00
done
This MUST have been answered somewhere already, but I cannot seem to find it, so maybe one of you would be kind enough to respond. Why the heck does any one go to the bother of obtaining one of these sx boards when 3 dollars at radio shack gets you what you need minus a usb interface. Am I missing something? I bought everything for jaicrab’s lpt1 for virtually nothing at my local radio shack. Wouldn’t graf_chokolo be DONE with everything had he gone this route? What am I missing?
When you expect the DOWNGRADE OPEN SOURCE will be ready??????????????
And what the fuck soon come home, and yet we have no downgrade open source! While those who have the jailbreak ps, are already using it for weeks now!
Please commit to issue as soon as possible downgrade, then, think of other things, but at this moment, there are millions and millions of people who have 3.50, and have waited months to play the jailbreak !!!!! ! please give yourself a move, think of the things most needed, and then the secondary ones, think about who the first to 3.50, and would like to change, think about this.
And what the fuck soon come home, and yet we have no downgrade open source! While those who have the jailbreak ps, are already using it for weeks now!
Please commit to issue as soon as possible downgrade, then, think of other things, but at this moment, there are millions and millions of people who have 3.50, and have waited months to play the jailbreak !!!!! ! please hurry, think of the things most needed, and then the secondary ones, think first of those who have 3.50, and the change would be crazy, think about this.
guys stop that stupid question the open downgrade released when we have the master key. It could be tomorrow or february 2010 … We can’t tell you a date so lets men (or women ๐ ) work and stop the chitchat here thanks.
What the fuck is the christmas soon, and yet we have no downgrade open source! While those who have the jailbreak ps, are already using it for weeks now!
Please commit to issue as soon as possible downgrade, then, think of other things, but at this moment, there are millions and millions of people who have 3.50, and have waited months to play the jailbreak !!!!! ! please hurry, think of the things most needed, and then the secondary ones, think first of those who have 3.50, and the change would be crazy, think about this.
Guys please stop flooding this blog
bdp_BDMV.self
http://pastie.org/1339258