  1. #1
     xrayglasses (Junior Member; joined May 2010; 63 posts)

     Metldr/asecure interface?

    Is there any work being done to figure out what needs to be setup to get metldr to load the rest of the loaders?

    Also, when Geohot was originally working on it there was an obscure doc from IBM that showed some memory on the SPE that could still be accessed while it was in isolation; it was something like "utility RAM" or something. I don't have any of the stuff to try anything, including a PS3, right now. I'm just curious.

  2. #2
     PS3 News (Forum Moderator; joined Apr 2005; 28,679 posts)

    I believe the first step would be to dump one's own METLDR file to use; as GeoHot mentioned in the Nuit Du Hack Conference video, it's tied to the PS3, so those found on the Internet won't work.

    If you are seeking a specific IBM doc I may be able to dig up a link to it in older threads here... if I have time this week I will give it a try, unless someone beats me to it here.

  3. #3
     CodeKiller (Senior Member; joined Nov 2009; 130 posts)

    Quote Originally Posted by xrayglasses:
        Is there any work being done to figure out what needs to be setup to get metldr to load the rest of the loaders?

        Also, when Geohot was originally working on it there was an obscure doc from IBM that showed some memory on the SPE that could still be accessed while it was in isolation; it was something like "utility RAM" or something. I don't have any of the stuff to try anything, including a PS3, right now. I'm just curious.

    The memory you may be thinking of is the "mailbox" (SPU channel) used to communicate with the process in isolation mode. /cell_architecture_v102/
    More docs here: [link]

    As for one's own metldr, I'm trying to map out and patch the default limitations of the Linux flash access... but don't hold your breath.
    Until then, dump with Infectus or another flash dumper.

    Simone has managed to load it: http://www.ps3news.com/ps3-hacks-jai...playstation-3/ (I suppose those write and read function names need to be adjusted to the actual xorhack names)

  4. #4
     xrayglasses (Junior Member; joined May 2010; 63 posts)

    From the way people describe it, metldr is dynamically built using a generic encryption wrapper based on PKI from a ROM-based key-ring. There probably isn't even signing in these loaders; they just decrypt into memory, and if the headers don't check out it's the equivalent of a checksum failure.

    It'd be cool to get a thread going on the PPU to see what metldr does in terms of register modification and/or access, and to check if it does read access on main memory. I'm guessing this is how you'd reverse it so you could tool a generic solution for interfacing with it.

    Also, has anyone ever looked for any type of keygen in any of the binaries? I'm curious whether they unpack themselves in local stores or if there is something that gets preloaded. ROM may even be loading the decryption routine per request via some setup sequence.

  5. #5
     PS3 News (Forum Moderator; joined Apr 2005; 28,679 posts)

    I had a little time this afternoon and ran a database query for IBM-related PDF attachments with these results, if it helps:

    libspe-v2.0.pdf: http://www.ps3news.com/forums/attach...achmentid=9634
    Cell BE_Security_SDK_Guide_v3.0.pdf: http://www.ps3news.com/forums/attach...chmentid=11049
    intro-cell-be-pt_BR.pdf: http://www.ps3news.com/forums/attach...chmentid=16482
    CBE_Secure_SDK_Guide_v3.0.pdf: http://www.ps3news.com/forums/attach...chmentid=19855
    Cell Instructions to ISDF.pdf: http://www.ps3news.com/forums/attach...chmentid=19912
    CellBE_HIG_65nm_v1.01_8Jun2007.pdf: http://www.ps3news.com/forums/attach...chmentid=19973
    PowerISA_203.Public.pdf: http://www.ps3news.com/forums/attach...chmentid=19925
    SPU_ISA_v1.2_27Jan2007_pub.pdf: http://www.ps3news.com/forums/attach...chmentid=20492

    If it isn't in there, I would probably need to know the name of the specific PDF file you are seeking.

  6. #6
     Banned User (joined Nov 2008; 67 posts)

    in two words = great crap

    first, that conference is an insult to real hackers and developers.... geo, that info is incomplete.. you and I know

    is incredible how cut and paste info jump steps at boot sequence for dont next the devs.

    that guy only make hype,only info incomplete(how lululombard aka MistycHades) or only show data but nothing share for comprovation(math&Richdevx). The sceners know now is all a great crap,only wars,only secrets and only believe gods.

    The lvl2 dont put load for a reason needed step isoldr(image system operative loader) dont comment at conference geohype,for what geohype??.

    For it never the devs put mount lv2 whith the info pdf "night of Hype" is incomplete.

    Geohype no want share the real method for next at wikipedia how "hacker ps3",nothing put make how him....nothing put discovered the fake and the true.

    PS3 isn't hacked, need replace the TRM, is the real security for convert target [CEX/DEX] that is the real hack for unlock all machine.

    Regards, and sorry for my English

  7. #7
     xrayglasses (Junior Member; joined May 2010; 63 posts)

    I guess this is what I saw:

        8.1 Data Transfer through Open Area of LS

        As described in the Cell/B.E. Security architecture document (see section 1.5 for references), when an SPU is in hardware isolation mode, there is an open area of LS much like a "window", whereby an application can DMA data in and out. The following functions assist the programmer with this programming model. The copyin/copyout functions allow the user to transfer data between main memory and LS via the open area. The decrypt_in and encrypt_out functions are based on copyin/copyout but additionally apply an XOR mask to the data to mimic encryption.

        There is no need for programmers who intend to only use the emulated isolation mode to use these functions. They are only for programmers who eventually want to move up to using the hardware isolation mode.

        8.1.1 copyin – Data Transfer Utility Functions

        C specification
            #include <libisolation.h>
            int copyin(uint64_t ea, void *ls, uint32_t size)

        Description
            The copyin subroutine copies data from the main memory into the LS. ea and ls must be 16-byte aligned, and size must be a multiple of 16 bytes. If all data are successfully transferred to the LS, this subroutine returns success (value 0). Otherwise, it returns an error (-1).

        Dependencies
            None.

        See also
            copyout

    This is what that TJ guy from the Geohot blog times was talking about. I guess this is how encryption/decryption is done; just gotta find the call in a dump or mess around with it.

    Here is an interesting article too: [link]
    Last edited by xrayglasses; 06-28-2010 at 09:55 PM Reason: Automerged Doublepost
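As an added example (not from the thread or from IBM's library), here is a constructed emulation of the copyin/decrypt_in contract quoted above: the 16-byte alignment and size checks with the documented 0/-1 results, and the XOR mask that only mimics encryption. The main-memory effective address is modelled as a host pointer value so it runs on any machine.

```c
#include <stdint.h>
#include <string.h>

/* Constructed emulation of the libisolation copyin/decrypt_in contract quoted
 * above (not IBM's code); ea, the main-memory address, is a host pointer here. */

/* copyin: main memory -> LS.  ea and ls must be 16-byte aligned and size a
 * multiple of 16 bytes; returns 0 on success, -1 on a contract violation. */
int copyin(uint64_t ea, void *ls, uint32_t size)
{
    if (ea % 16 || (uintptr_t)ls % 16 || size % 16)
        return -1;
    memcpy(ls, (const void *)(uintptr_t)ea, size);
    return 0;
}

/* decrypt_in: copyin followed by an XOR byte mask.  The mask only mimics the
 * encrypted window of hardware isolation; it is not a cipher, hence dev-only. */
int decrypt_in(uint64_t ea, void *ls, uint32_t size, uint8_t mask)
{
    if (copyin(ea, ls, size) != 0)
        return -1;
    for (uint32_t i = 0; i < size; i++)
        ((uint8_t *)ls)[i] ^= mask;
    return 0;
}

/* 32-byte constructed "main memory" pre-masked with 0x5A; 1 if recovered. */
int demo_decrypt_in(void)
{
    _Alignas(16) uint8_t main_mem[32], ls[32];
    uint8_t plain[32];
    for (int i = 0; i < 32; i++) {
        plain[i] = (uint8_t)(i * 7);
        main_mem[i] = plain[i] ^ 0x5A;
    }
    if (decrypt_in((uint64_t)(uintptr_t)main_mem, ls, 32, 0x5A) != 0)
        return 0;
    return memcmp(ls, plain, 32) == 0;
}

/* Misaligned LS pointer and a non-multiple-of-16 size must both yield -1. */
int demo_bad_args(void)
{
    _Alignas(16) uint8_t src[48], dst[48];
    memset(src, 1, sizeof src);
    return copyin((uint64_t)(uintptr_t)src, dst + 1, 16) == -1 &&
           copyin((uint64_t)(uintptr_t)src, dst, 20) == -1;
}
```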

  8. #8
     PARDES (Contributor; joined Jan 2010; 36 posts)

    I found this on the Internet, maybe a leaked file?

    /* Headers this snippet needs to build as a PS3 Linux kernel module
     * (not part of the posted code) */
    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/fs.h>
    #include <linux/err.h>
    #include <asm/uaccess.h>
    #include <asm/io.h>
    #include <asm/lv1call.h>

    int init_module(void)
    {
        unsigned long priv2_addr, problem_phys, local_store_phys, context_addr,
                      shadow_addr, spe_id, vas;

        /* Hypervisor calls: fetch the PPE's address space id, tear down
         * logical SPE 0xb and construct a fresh logical SPE in that space */
        lv1_get_virtual_address_space_id_of_ppe(0, &vas);

        printk(KERN_ERR "die kernel %d\n", lv1_destruct_logical_spe(0xb));

        printk(KERN_ERR "construct SPE: %d\n",
               lv1_construct_logical_spe(0x10, 0x10, 0x10, 0x10, 0x10, vas, 0,
                                         &priv2_addr, &problem_phys,
                                         &local_store_phys, &context_addr,
                                         &shadow_addr, &spe_id));
        boom_lpar(shadow_addr);   /* not defined anywhere in the posted snippet */
        printk(KERN_ERR "make SPE id: %lu\n", spe_id);
        printk(KERN_ERR "enable SPE: %d\n", lv1_enable_logical_spe(spe_id, 0));

        /* Map the problem-state, privileged (priv2) and local store regions */
        unsigned long *problem_mapped, *privileged_mapped, *local_mapped;

        problem_mapped    = __ioremap(problem_phys, 0x20000, PAGE_SHARED_X);
        privileged_mapped = __ioremap(priv2_addr, 0x20000, PAGE_SHARED_X);
        local_mapped      = __ioremap(local_store_phys, 0x40000, PAGE_SHARED_X);

        printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
        printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);
        privileged_mapped[0x4040/8] |= 4;
        printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);

        /* Read the metldr image from a file directly into the mapped local store */
        struct file *fd;
        mm_segment_t old_fs = get_fs();
        set_fs(KERNEL_DS);
        fd = filp_open("/work/pwned/metldr", O_RDONLY, 0);
        if (!IS_ERR(fd)) {
            printk(KERN_ERR "file is open\n");
            printk(KERN_ERR "read %zd\n",
                   fd->f_op->read(fd, (char *)local_mapped, 0x40000, &fd->f_pos));
            filp_close(fd, NULL);
        } else {
            printk(KERN_ERR "file open failed!!!!\n");
        }
        set_fs(old_fs);
        printk(KERN_ERR "read in metldr\n");

        /* Set the run control word, then poll the status word a few times */
        problem_mapped[0x4018/8] |= 3;

        int i;
        for (i = 0; i < 0x20; i++) {
            printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
        }
        printk(KERN_ERR "destruct SPE: %d\n", lv1_destruct_logical_spe(spe_id));

        return 0;
    }

  9. #9
     CJPC (Toucan Sam; joined Apr 2005; 2,174 posts)

    Quote Originally Posted by PARDES:
        I found this on the Internet, maybe a leaked file?

    It's not - geohot made it and gave it out. It's partially complete code to load metldr; there is more on it here.

  10. #10
     xrayglasses (Junior Member; joined May 2010; 63 posts)

    That just sets it up and shows some kernel data collected.

    This is the only way to interface with isolated loaders, and decryption processing is documented in a lot of places (decrypt_in..decrypt_out). There is also a way to use shared keys with it.

    If you wanted to decrypt like he claims, code reversing around this and security libs is the only way. If you don't want to reverse off SDK and dumps then you should focus on drive and ROM Mark emulation, and whatever other security layers.
