PS3 Hacker Mathieulh Finds PlayStation 3 Firmware 3.56 Exploit

[nova12]

Oh for heaven sake if you've got something REAL then release it via a torrent, or take a page out of the SuckBox community and create xbins for PS3!

[y2kkingboy]

I guess the exploit is still not out there.

[kecil]

Anything said by this worthless Mathieulh fool isn't worth a grain of rice.

[PS3 News]

Below is a follow-up to the previous article, to quote: dukio.com/mathieulh-explains-loader-exploit-obtain-360-application-keys.html

Mathieulh Explains The Loader Exploit To Obtain 3.60 Application Keys

Mathieulh probably just let the cat out of the bag with his obvious hint to the much talked bug that practically owned future PS3 firmware updates and also the mass growth of warez leechers with the help of 3.60 app keys. Yes, we’re talking about the unstoppable 3.60+ CFWs, you. Provided that Sony won’t release unhackable PS3 consoles in the near future, of course.

X nah, not a single line of code, at least not for the implementation but finding the exploit itself is EASY except no one has gone looking I’ve seen lots of askings and whining, very little looking

if someone who remotely knows spu reversing starts looking he’ll find it at the very worse in a matter of hours the bug is retardly stupid to begin with LV0, EID0, anything with coreOS imo should not be done without a hardwareflasher. Atleast with that you can undo the mess.

yeah I am a bit of a red head here xD you keep saying that, but I suck at SPU assembly you’d find it even if you fail at it you just need to know where to look just look at how selfs are processed by ldrs and you’ll find it

hell, I’ll help you, it’s about overflowing a certain buffer yes, that is what defyboy and I tried to document in the ps3devwiki : bootprocess and loader locations etc. well if you know how selfs are processed by loaders, it’s easy

another hint it happens before the ecdsa check my earlier guess btw was that it was a header overflow, which gave access to the local storage

It’s a retarded exploit if you want to know what it is, I’ll tell you the function that copies the SCE header from the shared LS to the isolated Local Store doesn’t check the header’s size \o/

it’s just THAT retarded implementing it isn’t easy though cause loaders have failsafes and header size fail lol but now that you know, you can try it on your own

X1 yes you craft a self with a HUGE header so it overwrites ldr code as it gets copied to the isolated LS and you wait the loader to jump to it lolol must try heh

X1 it’s a total to implement but feel free xD if someone pwns the bl with this and gets the keys, he’ll have my kudos cause finding the exploit is the easy part

Sony’ll fix it now, but it’s not like I care much their “unhackable” ps3s are probably already on the way

Some of the tidbits explaining how big the exploit is in the eyes of SONY’s M.I.B. why would they care about bootldr keys? ps3devnews etc. host metldr keys, appldr keys etc.

X1 cause you can get lv0 decrypted once you get lv0 decrypted you get appldr
once you get appldr you get 3.60 application keys once you get that you warez

also, with those keys you can sign your own lv0, no ps3 fw update can beat you then yah you can have your 3.60+ custom firmware then and warez even more and mess with the psn again and so on

Before you bashing out on me, you need to understand that this could help in some way for those who are still trying to pwn the ldrs and eventually sharing the actual hacks in the process. We know how important the keys are to Sony, so expect an anon release in the future. Hopefully, it can be done.

[moja]

Guys, I actually developed a method of blocking all attempts to hack the PS3, closing all available security holes and strengthening the overall integrity of metldr and lv0. I don't plan on releasing it, though, so don't ask. I just want to give Sony a heads up to get working on this.

I also used to hack tests in grade school, and then run down the hall with the answer key while refusing to show it to anyone.

[racer0018]

It is great that he is sharing some information. Now we just have to wait and see if someone will take it to the next level. Keep up the good work. Thanks

[PS3 News]

To follow-up on the previous article where Sony PlayStation 3 hacker KaKaRoToKS stated "A solution for 3.60+ will be available soon, so no worries - people just need to be patient" comes some more Tweets today on JailBreaking 3.73 PS3 Firmware.

Below are some of the recent announcement http://twitter.com/#!/kakarotoks from KaKaRoToKS on JailBreaking PS3 3.73 Firmware, as follows:

• I will reply.. but I didn't read... yes, file managers and FTP should work fine.
• and I'm all for competition, no worries. I do this for fun, not for race or whatever. Also, 3.73 cfw is not possible
• i dont know yet about emulators... All in good time. There s no rush
• yes, that's the point, to run homebrew.. showtime should work fine. not tested yet.
• Nope, completely software based.. I won't say anything more than that for now to avoid them blocking it before release.
• The "kind of" meant I need to fix NPDRM algo for it to run. And no, this will not allow backup managers. And no, it's not a CFW
• 1 - I won't share it until it's ready to use (still a bit complicated + some missing components), 2 - don't update if you're on 3.55.
• Updated my ps3 to 3.73... oh and THEN I jailbroke it! (kind of)

Here is to hoping this is indeed the working solution PS3 scene users have been waiting for, as previously KaKaRoToKS jumped the gun confirming the PS3 Downgrade Success from 3.55 to 3.41 Firmware and then Tweeted "sad news.. downgrade worked, but not reliable, only works with one of Xtse's ps3s, but can't reproduce it.. I'm going to look for another way. nope, it only works on one machine, even if same model, it doesn't work on it. No idea what's different about it..."

Since then, KaKaRoToKS has released a PS3 Expedite Benchmark Tool and Engine Ports, an Eskiss PS3 Homebrew Game and a PlayStation Move Support update for the Eskiss PS3 homebrew game though.

Finally, from IRC on the PlayStation 3 Firmware 3.73 hacking developments:

[KaKaRoTo] heri, docpaul showtime would work fine
[sandungas] kakaroTo, this means new tcl patches for mfw and some changes to manage 3.73 ?
[KaKaRoTo] ddoo, and no I didn’t fix the npdrm algo, that’s what I’m missing (hence the “kind of”) but I’m not
working on that, that’s someone else’s job
[middleman] gonna debut it at ccc kakaroto or before?
[KaKaRoTo] ddoo, and even if npdrm signing worked.. how do you install your pkg on an OFW 3.73 ?
[heri] so KaKaRoTo, once the NPDRM algo is fixed, a release will come?
[KaKaRoTo] heri, another missing bit, but once that’s fixed, yes
[KaKaRoTo] but I’ll probably be off country for the next 2 weeks
[KaKaRoTo] so all work will have to be paused
[heri] oh, fair enough. we can all wait 2 weeks hey we have waited months anyways
[KaKaRoTo] ddoo, that might work.. you could also just install your pkg on 3.55 then upgrade…
[KaKaRoTo] ddoo, upgrading doesn’t delete any of your packages
[KaKaRoTo] ddoo, issue is, you’re lost if you didn’t do it before upgrading
[ddoo] but they fail because the npdrm algo is spoted by the checks in 3.56+
[KaKaRoTo] heri, also note, I “announced” it because I was excited to see it work as expected
[KaKaRoTo] doesn’t mean it’s ready for release
[KaKaRoTo] ddoo, exactly
[heri] yeh thats what we were saying just before you came
[KaKaRoTo] so you need : 1 – npdrm algo fixed, 2 – a way to install stuff
[heri] you only announce when you are confident it works
[KaKaRoTo] 1 has been done by someone else (don’t know if he’ll share it), and 2.. well, I just did it
[KaKaRoTo] heri, well, I was testing on 3.60 and it worked, but yes, I did upgrade to 3.73 to test that it still
works just to make sure I don’t tweet any false hopes
[middleman] but you cant run what you installed until 1 is fixed correct?
[KaKaRoTo] middleman, exactly
[middleman] interesting
[docpaul] nice, thx KaKaRoTo
* KaKaRoTo needs to hide now if he wants to get any work done
[KaKaRoTo] ttyl

In summary, KaKaRoToKS upcoming PS3 3.73 Firmware JailBreak will be able to install homebrew .PKG files but unfortunately PlayStation 3 backup managers will not work as they require lv1/lv2 patches that won't be included.

From ps3devwiki.com/index.php?title=KaKaRoTo_Kind_of_%C2%B4Jailbreak%C 2%B4#Q.26A:

KaKaRoTo PS3 JailBreak Q&A

Q: Will I need special hardware (e.g. flasher, dongle, modchip etc.)?
A: No.

Q: Will homebrew work?
A: With NPDRM fixed, yes. Showtime would certainly be possible.

Q: Will recent games play correct?
A: Yes, its 3.7x, sure it plays all 1.00 - 3.7x games.

Q: Will PSN work?
A: Yes, its 3.7x, sure goes online without problems.

Q: Does it have Peek & Poke?
A: No. Peek & Poke require modifying lv1 and lv2.

Q: Do Backup manangers (e.g. MultiMAN, Rogero etc.) work?
A: No, see previously answer about Peek & Poke.

Q: Will my old homebrew still work?
A: No. All homebrew need the fixed NPDRM. Homebrew that relies on specific other patched functions/syscalls (e.g. Peek&Poke, BDemu etc.) will not work either, see previously answer about Peek & Poke.

Q: Does it gets us keys?
A: No.

Q: Does it gets us "CFW"/MFW?
A: No.

Q: Does OtherOS++ (Linux/FreeBSD) work?
A: No. Sony removed OtherOS feature after 3.15 and OtherOS++ relies on modifying the firmware. See previous "CFW"/MFW question.

Q: Will it allow downgrade?
A: No.

Q: Does it work on all PS3 models?
A: Yes. all current models.

Q: Are there brick risks?
A: No (standard disclaimer: It will be tested rigorously before release as you can expect from anything that KaKaRoTo has put his name on).

Q: Will this only work on 3.7x?
A: No. It was pretested on 3.60 and again confirmed on 3.73 before any public Tweet about it.

Q: What if Sony releases 3.74/3.80 before release
A: In that case it will be pretested on that version.

Q: So why are all the newssites hyping this that it does give CFW?
A: Because they don't read wiki's/blog's xD Besides, every minor news gets 'prolly CFW soon!' tagged by the bad ones.

Q: Is there a release date?
A: No, besides KaKaRoTo not able to work on it for 2 weeks, it also relies on (other people) fixing NPDRM.

The Road beyond... (or what can you and others do to expand the useability of it)

What is missing Prerelease (current state)?

Fixing NPDRM

• Make PKG's install and run the SELFs.

What is missing after release?

Peek & Poke

• lv1/lv2 dumping/patching
• Payloader3
• Backup Managers

Downgrade (already possible with Hardware flashing.

• 3.56+ keys / lv0 decrypted dump
• Modifying firmware files
• OtherOS++

Finally, from http://kakaroto.homelinux.net/2011/11/clarifications-about-3-73-jailbreak/ he states the following in attempt to clear things up:

Hi all, I’ve been flooded with questions on twitter and I’ve read many posts on news sites and I’ve seen some stuff being said on IRC and I thought I needed to clarify a few things…

First of all, I didn’t expect to see my tweet front paged on all ps3 hacking news sites.. although I should have expected it.. but anyways, the “jailbreak” is not ready to be used, at all. I only tweeted that because I was excited having it working and I wanted to share my excitement with everyone. But this is a bit equivalent to the day I released that create_cfw.sh script that created the very first CFW/MFW but it still took a couple of months before a real, easy, multiplatform and fully fledged solution was released : PS3MFW.

We are currently at the same state, I have the proof of concept, it works, but a solution that anyone can use where they just click a button and their PS3 gets jailbroken is still far from ready.

I’ve seen people say (and even write it in their front page news) that I’ll release it in two weeks after I come back from vacation. That is not true and I never said that. What I said was that for the next 2 weeks, the project is on hold until I get back.. but when I get back, then I will continue working on it, and it will then take some more time before it’s ready and released.

Some asked if it’s based on what gitbrew was doing/suggesting or if I used someone else’s exploit or work. No, this solution is my own idea and 100% my own implementation. However, the actual solution for the full jailbreak involves some components on which I will not work, and I expect/hope that someone else will provide the solution for that.

Some speculated it might be what I spoke about back in March which I later said I wasn’t pursuing by lack of motivation.. and yes, you are right. The same hack I had in March is still valid today, I told a few people about it (rms, Mathieulh, an0nym0us, and a couple more), but no one was interested in pursuing it further and actually exploiting that flaw (mainly because it requires a huge amount of work to get a proof of concept working). 10 days ago (I started on the 11th), I got bored and decided to start poking at it again, and yesterday (a lot faster than I thought it would take), I got my first pkg installed on 3.73 firmware.

On twitter, I said “do not update if you are on 3.55″, I said that in response to someone who said he would update. Because of that, people speculated that you need to be on 3.55 first, and then install something before doing the upgrade. No, that’s not it, that would be useless. The purpose of my solution is to jailbreak a ps3 that is already on 3.73 firmware and which had never been jailbroken before. I told people not to update because, first of all, it’s not yet ready, and second of all, the 3.55 firmware gives you a lot more possibilities than what can be achieved on 3.73.

So what is this jailbreak? I won’t say because I don’t want Sony to block it in a firmware update (and yes, they potentially could) before it’s even released (and yes, I will release it when it’s ready). But I will explain this to you : in order to run your homebrew apps, you need two things. First, to be able to install them on the ps3, and second to be able to run it once installed. I did only one of these two things.

Some may say it’s not a real jailbreak, but the way I see it, there are three ‘jails’ on the ps3, I broke the first one which prevents you from installing anything, so now you can install your .pkg, great, but it won’t run, that’s the second jail. The third jail is being able to modify the firmware (peek&poke).

The second jail (running apps) is something that can be done, but it’s not my area of expertise (npdrm algo), so I will not be working on that. I am waiting for someone else to achieve it (some have succeeded but do not wish to release it, at least not for now) then I will release.

The third jail (modifying the firmware) is not possible with my method, this means that you will not have a “CFW”, you will run your homebrew applications and games on an official firmware. This also means that without peek&poke support, none of the backup managers will work. So, again, my solution is piracy-free, and as always, I do not plan on working on a way to enable piracy (or even legal backups).

Overall, the purpose will be to allow people who are on 3.73 firmware to enjoy the homebrew games that were released, to play a bit with Eskiss, and to use Showtime for playing their movies. This should be more than enough for everyone.


More PlayStation 3 News...

[NTA]

Sounds like good news to me.

[HeyManHRU]

Well I certainly do hope KaKaRoToKS does eventually release something. Out of all the people claiming to bring us a new CFW or a way to play 3.60+ games I trust KaKaRoToKS the most.

[Ahmadkass]

good work, we need 3.73 cfw theres new games come out please eboot fix 3.55 or 3.73 cfw help us duplex, geohot, KaKaRoTo, kmeaw.. i need 3.55 fix for need for speed the run