Sponsored Links

Sponsored Links

PS3 Hacker Mathieulh Finds PlayStation 3 Firmware 3.56 Exploit


Sponsored Links
182w ago - Today PS3 hacker Mathieulh reports finding a PlayStation 3 Firmware 3.56 exploit, although he states he has no plans to give any further details about it.

To quote from PSX-Scene (linked above): Well-known hacker Mathieu Hervais has reportedly found a bug that allows exploiting metldr, the bootloader and firmware version 3.56. Unfortunately, he refuses to release it.

Originally Posted by Mathieulh (via [Register or Login to view links]):

I hesitated a lot before tweeting about it, but a bug allows exploiting metldr, the bootloader and 3.56+. I don't intent to ever unveil it.

So much for "unhackable" PS3s though... I am not giving any further details about it. Sorry.

Actually the revocation list exploit doesn't allow you to exploit isoldr, you could however sign a revoke list if you had the revocation list keys and knew the sign fail, and use that to dump isoldr. Metldr does not load revocation lists.

This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys) This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys)

You can also dump any loader using a signed metadata (including metldr) though that means you need to have the keys for it in the first place (kinda kills the purpose)

Your entire purpose is to get the isolated process (the code running inside the spu) to jump to your instructions

For exemple the following instructions will dump the isolated LS to the SPU mailbox:

loop:
rdch $3, ch29
lqd $3, 0($3)
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
up_one:
br loop
br up_one

Of course you'll need a ppu payload to fetch the mailbox data. Metldr is trivial to dump now that you can sign your loader, but I wont say anything more on this.

Finally the problem with isoldr and the revoke list exploit isn't so much that the exploit doesn't work (it actually does) It's that the payload from the crafted revoke list overwrites isoldr keys (which kinda kills the whole purpose), You can however get the revoke list keys from lv2ldr or appldr using the revoke list exploit and then sign a revoke list metadata to exploit isoldr later on. (There are other ways to get isoldr though, including the 3.60+ exploit I have (but there is at least another I know of) Again, good luck in your endeavor.

There is more than one npdrm key. It's not been released because the ones who have the skills to do it do not remotely care about pirating PlayStation store games (obviously).

Finally, in related PS3 homebrew news today a PS3 FW Downloader application has been released which includes Official PS3 Firmware 2.50 - 3.55 and has Geohot, Kmeaw, Wutangraz PS3 Custom Firmware and 3.55 Downgrader support.






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 381 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

jesterking1's Avatar
#341 - jesterking1 - 134w ago
again... can someone please post some cliff notes for us lazy folks?!

mod632's Avatar
#340 - mod632 - 134w ago
OMG was almost half finished with reading (even tho i didin't understand much) then i scroll'd down to see how much is left i was... shocked

PSPSwampy's Avatar
#339 - PSPSwampy - 134w ago
Ouchy, my head!

Very nice post though, might be one to revisit when the pain subsides

inginear's Avatar
#338 - inginear - 134w ago
i wonder if there is a way to "rip" a valid signature from a game, put that into a modified 4.0 so that no matter what is launched from the game category, that same valid signature gets used every time.

Nabnab's Avatar
#337 - Nabnab - 134w ago
Awesome explanation. I don't know about impossible cfw though. Surely there is another exploit somewhere that can bypass signatures like other consoles.

Also, as neat as ECDSA is to me, I feel like this is something easy for a math expert to come up with. Are there really that many systems that rely on the same model? I guess if it ain't broke...
Actually have a way to bypass this problem but it's too early because it still need some experiment

But Kaka give some good information about ECDSA

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News