Latest PS3 News Forum Updates

**snoekie** · 11-15-2011

It is all about breaking the chain of trust. You need to trick your PS3 to run your code at a sufficient low level. Just as the glitch hack on the XBOX, you can then manipulate the signature comparison (which is a memcmp) to always return true. Decrypting code was never a problem, because you need the public keys to do that (which are in the firmware). It's the private keys that made Firmwares up to 3.55 so interesting. By obtaining the private keys (which were obtainable by the fail of sony) we can make packages that run on OFW.

Having 3.60 or 3.73 public keys won't help you, unless you have a CFW that will unsigned or mal-signed code. Obtaining the 3.60 public keys shouldn't be hard, since they are public.

What I am missing in all of these discussions about keys is the mention whether they are public or private keys. This is a big difference.

**medi01** · 11-15-2011

Originally Posted by snoekie

Decrypting code was never a problem, because you need the public keys to do that (which are in the firmware).

Orly? Go get PUBLIC lv0 keys pretty please.

Originally Posted by snoekie

Having 3.60 or 3.73 public keys won't help you, unless you have a CFW that will unsigned or mal-signed code.

BS. Did we need new firmware to run Uncharted 3? Nope. Guess what, JUST DECRYPTING EBOOT was enough. All we need are the keys to decrypt eboots. Since SDK didn't change, all games will still work. No need of custom FW at all.

Originally Posted by 404

...but trust me breakself is real....

How do you know? Why didn't M... tell us the hash of the keys as undeniable proof, how does decrypting unknown file prove it?

**niwakun** · 11-15-2011

Originally Posted by iscnokia

I understand that PS3 console uses several levels of encryption and in order to unencrypt it

Private key = sign things
Public key = decrypt things

seriously watch the fail0verflow vid again

Originally Posted by iscnokia

Also, that phony DOS windows showing that output is nothing that any program running what you want so I could also write a C program printing:

printf ("I have a 3.60+ CFW \n");

in dos its derived with "ECHO" by the way.

**CS67700** · 11-15-2011

If there's so much noise around it, it probably means they're private...

**elser1** · 11-15-2011

so many smart people on here but the keys are illusive still.. must be hard to get eh.. LOL

surely someone here has what you all want.

**firebuddie** · 11-17-2011

I find it surprising there's not more talk about the zero size self expolit load to HV found by Failoverflow and detailed in xx404xx doc links at start of this thread.

If the HV could be exploited, it could be patched to NOT hide the lvl0 bootloder and therefore use HV to dump the bootloader, even if it is encrypted, it is a start.

Like Maths and xx404xx keep hinting, it's all there on our PS3's. Just getting the sucker to give it up! Like I say, dont know why a known exploit of HV is not being discussed/followed up on, or maybe it is and I ain't on right IRC channels to hear about it?

**PS3 News** · 11-20-2011

Following up on the previous PS3 Metldr news update and Guides, this weekend Spanish PlayStation 3 developer DarkVolt has made available dumpmetldr.bin via http://www.elotrolado.net/hilo_metldr-dump-entra-y-sirvete_1700840#p1727197145 which appears to be a dump of the new PS3 Metldr revision found in PlayStation 3 CECH-2504 consoles (datecode 1b and above) followed by a PS3 Boot Loader SE Version 3.7.3 (lv0 segment) dump and more below.

Download: PS3 Metldr2 DumpMetldr.bin / http://pastebin.com/rk7eib9Y / PS3 Metldr2 Dump (most complete head including)

To quote, roughly translated: Here I come to leave the metldr decryption: http://www.multiupload.com/YN4G8LJJK4 according fence can I go to publish a thing or two more.

Seeks the root key of geohot within the metldr dump I published aver if it sounds the flute.. I am the source and the base is an exploit..

Deneuve image but this time I am not clear. I have work I'll be realeasing more stuff. Saying this is not worthy... hehehe explanation:

We Have a decrypted metldr here, if you see it you will see a little Is An elf Without the normal header. It contains the root keys That geohot publish and a couple of 0x30 addead from 3.50 and ahead, and it STILL USES IT.

HAVING in the elf metldr we can put it the header and upload it in using it as anergistic unselfer for loaders! The metldr is still used in 3.74 (a debug already exists) and 3.73 retail too.

The difference of charge IS that before the metldr used to take the files from CoreOS and now it deliverer LV0 via ram em to us and close the access to the file BUT WE CAN IT DECRYPTED with the keys from the root metldr added if we have the file.

LV0 can be the decrypted if we fix the feat of math to support the bootldr and decrypts the metadata from the header from LV0 and decrypts this with the rest of the spaces with Their loaders.. Worthy is it not? hehe

Edit to add, if you compare a ISOLDR from 3.55 with the metldr you will realize that they are almost the same, I mean the isoldr contains the updates for the metldr (virtual of course)

That in and 3.60 + Also it IS inside of the LV0 so it every time can update the initial metldr boots with the new couple of the keys already have... uploading the metldr in anergistic http://pastie.org/private/2kijry6y7jwoiwsepqqcbq

Code:

Hola, loading eid_key... Loading dump... Jumping to offset 00000630
done
elf: entry is at 00000890
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e000)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0xdead0000)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0xbeef0000)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000010)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000040)
Local address 0003e000, EA = dead0000:beef0000, Size=00000010, TagID=00000007, Cmd=00000040
MFC_GET (DMA into LS)

round0 loading isoldr CHUNK1 ###########
done
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e000)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000002)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e000, EA = 53434500:00000002, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e000)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000002)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e000, EA = 53434500:00000002, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e001)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000003)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e001, EA = 53434500:00000003, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e002)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000004)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e002, EA = 53434500:00000004, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e003)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000005)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e003, EA = 53434500:00000005, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e004)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000006)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e004, EA = 53434500:00000006, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e005)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000007)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e005, EA = 53434500:00000007, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e006)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000008)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e006, EA = 53434500:00000008, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e007)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000009)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e007, EA = 53434500:00000009, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e008)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000000a)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e008, EA = 53434500:0000000a, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e009)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000000b)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e009, EA = 53434500:0000000b, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00a)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000000c)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00a, EA = 53434500:0000000c, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00b)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000000d)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00b, EA = 53434500:0000000d, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00c)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000000e)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00c, EA = 53434500:0000000e, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00d)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000000f)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00d, EA = 53434500:0000000f, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00e)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000010)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00e, EA = 53434500:00000010, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00f)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000011)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00f, EA = 53434500:00000011, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e000)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000012)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e000, EA = 53434500:00000012, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e001)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000013)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e001, EA = 53434500:00000013, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e002)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000014)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e002, EA = 53434500:00000014, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e003)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000015)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e003, EA = 53434500:00000015, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e004)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000016)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e004, EA = 53434500:00000016, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e005)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000017)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e005, EA = 53434500:00000017, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e006)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000018)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e006, EA = 53434500:00000018, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e007)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x00000019)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e007, EA = 53434500:00000019, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e008)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000001a)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e008, EA = 53434500:0000001a, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e009)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000001b)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e009, EA = 53434500:0000001b, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00a)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000001c)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00a, EA = 53434500:0000001c, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e00b)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0x53434500)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0x0000001d)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000001)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000020)
Local address 0003e00b, EA = 53434500:0000001d, Size=00000001, TagID=00000007, Cmd=00000020
MFC_PUT (DMA out of LS)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch16(= MFC_LSA) r10(= 0x0003e000)
CHANNEL: wrch ch17(= MFC_EAH) r5(= 0xdead0000)
CHANNEL: wrch ch18(= MFC_EAL) r10(= 0xbeef0000)
CHANNEL: wrch ch19(= MFC_Size ) r6(= 0x00000020)
CHANNEL: wrch ch20(= MFC_TagID) r7(= 0x00000007)
CHANNEL: wrch ch21(= MFC_Cmd) r5(= 0x00000040)
Local address 0003e000, EA = dead0000:beef0000, Size=00000020, TagID=00000007, Cmd=00000040
MFC_GET (DMA into LS)

round1 loading isoldr CHUNK2 ###########
done
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r2(= 0x00000000)
-> MFC_TAG_UPDATE_IMMEDIATE
CHANNEL: rchcnt ch23(MFC_WrTagUpdate)
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
CHANNEL: wrch ch22(= MFC_WrTagMask) r6(= 0x00000080)
CHANNEL: wrch ch23(= MFC_WrTagUpdate) r3(= 0x00000002)
-> MFC_TAG_UPDATE_ALL
CHANNEL: rdch ch24(= MFC_RdTagStat) r2
####### stop instruction reached: 00000103
emulated() returned, sending SIGSEGV to gdb stub
emulate() returned. we're done!
dumping local store to ls.b

With Metldr have almost total control of the console as we see in the picture above, however also shows that the bootldr is the only part of the PS3 outside the Metldr, but (and I say this in complete ignorance but using a logic low) and you have full access to the console should be much simpler to access bootldr in any case if this is true it would mean a breakthrough.

Code:

erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
  R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
  n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
  K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70

PS3 Boot Loader SE Version 3.7.3: http://pastebin.com/rk7eib9Y (lv0 segment) / http://pastebin.com/hJTFRp5P / http://pastebin.com/xkXxk8fM

From by jon_17_: The loads metldr ldr, ldr but these must be authenticated before a hash that contains internally metldr himself. metldr2 comes in certain consoles not downgrade (dataCode 1b and higher) are the most modern consoles today.

Metldr weighs 60KB (usually in some cases), the spu local store have 256KB. The loaders to load the LV0 be decrypted (always), lv1 (always) and lv2 (only in lpar_ps3). Decrypted the loaders themselves LV0, lv1 and lv2.

The lv2 to be deciphered in the lpar_ps3 saved in the spu local_store isolated the idstorage, this stores the hash idstorage of valid executables.

New PS3 Metldr2 Revision Dumped by DarkVolt as DumpMetldr.bin

More PlayStation 3 News...

**elser1** · 11-20-2011

i wish i knew what they are talking about.. LOL

**Foo** · 11-21-2011

Here's what a good majority of the people don't know:

Math told us how to do this already!!! There was a bit of a puzzle, but once you put it together you understand it. (If you understand this stuff)

And DemonHades was right. It's possible through RAM.

**elser1** · 11-21-2011

its all over my head at this point in time.. if i wasn't so busy playing games i'd try to learn all this stuff.. LOL

Latest PS3 News Forum Updates

New PS3 Metldr2 Revision Dumped by DarkVolt as DumpMetldr.bin