115w ago - Today PS3 hacker
Mathieulh reports finding a PlayStation 3 Firmware 3.56 exploit, although he states he has no plans to give any further details about it.
To quote from PSX-Scene (linked above): Well-known hacker Mathieu Hervais has reportedly found a bug that allows exploiting metldr, the bootloader and firmware version 3.56. Unfortunately, he refuses to release it.
Originally Posted by Mathieulh (via
Twitter):
I hesitated a lot before tweeting about it, but a bug allows exploiting metldr, the bootloader and 3.56+. I don't intent to ever unveil it.
So much for "unhackable" PS3s though... I am not giving any further details about it. Sorry.
Actually the revocation list exploit doesn't allow you to exploit isoldr, you could however sign a revoke list if you had the revocation list keys and knew the sign fail, and use that to dump isoldr. Metldr does not load revocation lists.
This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys) This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys)
You can also dump any loader using a signed metadata (including metldr) though that means you need to have the keys for it in the first place (kinda kills the purpose)
Your entire purpose is to get the isolated process (the code running inside the spu) to jump to your instructions
For exemple the following instructions will dump the isolated LS to the SPU mailbox:
loop:
rdch $3, ch29
lqd $3, 0($3)
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
up_one:
br loop
br up_one
Of course you'll need a ppu payload to fetch the mailbox data. Metldr is trivial to dump now that you can sign your loader, but I wont say anything more on this.
Finally the problem with isoldr and the revoke list exploit isn't so much that the exploit doesn't work (it actually does) It's that the payload from the crafted revoke list overwrites isoldr keys (which kinda kills the whole purpose), You can however get the revoke list keys from lv2ldr or appldr using the revoke list exploit and then sign a revoke list metadata to exploit isoldr later on. (There are other ways to get isoldr though, including the 3.60+ exploit I have (but there is at least another I know of) Again, good luck in your endeavor.
There is more than one npdrm key. It's not been released because the ones who have the skills to do it do not remotely care about pirating PlayStation store games (obviously).
Finally, in related PS3 homebrew news today a
PS3 FW Downloader application has been released which includes Official PS3 Firmware 2.50 - 3.55 and has Geohot, Kmeaw, Wutangraz PS3 Custom Firmware and 3.55 Downgrader support.
" is it possible to launch games from a games folder in xmb without using multiman? "
I think there are some programs out there that let yo...
Congrats Cfwprophet and nabnab, I know youre trying hard to make a better place for the scene.
They take the official game selfs from disk and dump out the elf via the sdk, then re-encrypt them as debug selfs and on a special way thats it.
But it takes a bit more work to get this for free for every one done. The keys have nothing to do with it. They use drm just to hide and to be able to milk us all a bit longer till a free version is done.
In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input.
i wish i bought an xbox when i had the spare cash.. but i love psn too much so ill stick to my ps3 and grin and bare it.. LOL
For what i saw the ECDS encryption only works fine if there is only one or a few machines with the same key. With multiple ps3's its possible to extrapolate, and the higher the number the easier it is.