PS3 Hacker Mathieulh on 3.60 Firmware LV0 Dump Exploit & Keys


181w ago - Today PS3 hacker [Register or Login to view links] has tweeted some new details on dumping LV0 from PlayStation 3 3.60 Firmware and obtaining the new keys, followed by [Register or Login to view links] claiming he has already reproduced it to confirm it works.

Below are all the tweets, as follows:

Mathieulh's Tweets:

  • xShadow125 You can update from your own pup only from 3.55 or lower, unless you have an exploit.
  • xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
  • xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
  • xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
  • xShadow125 You won't get all of lv0 but the part with the loaders shouldn't be overwritten.
  • xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
  • To those planning on building a 3.56+ pup for whatever reason, the file attributes changed, the group and user ids for the files as well.
  • The new 3.56+ values for tarballs are the following: owner_id, "0000764" group_id, "0000764" owner, "tetsu" group, "tetsu" ustar, "ustar"
  • You can use fix_tar to use those new values. Use with caution.
  • By comparison, those are the pre-3.56 values. owner_id, "0001752" group_id, "0001274" owner, "pup_tool" group, "psnes" ustar, "ustar"
  • Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
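The two attribute sets quoted in the tweets are plain ustar header fields, so a tarball can be checked against them by reading the 512-byte header directly. The following is an added example, not code from the tweets or from any PS3 tool; the function names and the sample file name are assumptions, and the sample headers are constructed in memory with Python's `tarfile` module.

```python
import tarfile

# ustar header fields used here: name -> (offset, length) in the 512-byte block
FIELDS = {"uid": (108, 8), "gid": (116, 8), "chksum": (148, 8),
          "magic": (257, 6), "uname": (265, 32), "gname": (297, 32)}

# Attribute sets quoted in the tweets: (owner_id, group_id, owner, group)
PROFILES = {
    "3.56+": ("0000764", "0000764", "tetsu", "tetsu"),
    "pre-3.56": ("0001752", "0001274", "pup_tool", "psnes"),
}

def parse_header(block):
    """Return the raw text of each field plus a checksum verdict."""
    if len(block) != 512:
        raise ValueError("a tar header is exactly 512 bytes")
    out = {}
    for name, (off, length) in FIELDS.items():
        raw = block[off:off + length].split(b"\0", 1)[0]
        out[name] = raw.decode("ascii", "replace").strip()
    # The checksum is computed with its own 8-byte field read as spaces.
    computed = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    try:
        out["checksum_ok"] = int(out["chksum"], 8) == computed
    except ValueError:
        out["checksum_ok"] = False
    return out

def classify(block):
    """Name the attribute profile a header matches, or 'unknown'/'invalid'."""
    h = parse_header(block)
    if not h["checksum_ok"] or h["magic"] != "ustar":
        return "invalid"
    key = (h["uid"], h["gid"], h["uname"], h["gname"])
    return next((n for n, p in PROFILES.items() if p == key), "unknown")

def sample_header(uid, gid, uname, gname):
    """Constructed test input: a ustar header for an empty placeholder file."""
    ti = tarfile.TarInfo("constructed_sample.bin")
    ti.uid, ti.gid, ti.uname, ti.gname = uid, gid, uname, gname
    return ti.tobuf(format=tarfile.USTAR_FORMAT)

if __name__ == "__main__":
    for args in [(0o764, 0o764, "tetsu", "tetsu"),
                 (0o1752, 0o1274, "pup_tool", "psnes"),
                 (0, 0, "root", "root")]:
        hdr = sample_header(*args)
        print(parse_header(hdr)["uid"], "->", classify(hdr))
```

The id fields are stored as octal text, so the quoted "0000764" is uid/gid 500 in decimal, and "0001752" and "0001274" are 1002 and 700.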

So, to decrypt this LV0 thing, we need to get to know it better. In the latest blog post by [Register or Login to view links], he has explained briefly what LV0 is in the console’s security.

Anyway, let’s really discuss something PS3 instead of my PC xD, let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the "Cell OS Bootloader".

In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary.

All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

So, unless you can decrypt Lv0, no 3.60 "CFW" for you. Is there any need for it anyway?

Mathieulh also has some facts to clarify about LV0.

1. lv0 isn’t a loader it’s a ppu binary
2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos
3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware
5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)

But wait: messing with this could lead to a YLOD, so you might want to proceed only if you have one of those expensive NOR flashers, and that's according to rms again.

Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then "YLOD", and you’d need a flasher for your PS3 to recover.






381 Comments


#371 - Nabnab - 137w ago
It's more for the dev who want to be more interested by bypassing the ECDSA -> using timing attack
also TLS - > transport layer security, you can see that on PS3swu include TLS for the update of firmware.

LOAD->TLS->LOOS1

#370 - hawkY - 137w ago
what is the purpose of this ?

I mean i know is some sort of cryptography, but what is the use of it for the scene ?

#369 - Nabnab - 137w ago
Just want to add this

[Register or Login to view links]

#368 - SanctumSlayer - 137w ago
Yeah, geohotz should have never showed his face. Should have released it anonymously or something.

#367 - Nabnab - 137w ago
Apparently you don't want to understand ? if some people keep stuff and just share without put that every on the web, we probably don't see that coming but also keep in mind that the world try to do better and better, today have DMCA, tomorrow have other things, DMCA it's just a moment to take... in the past we didn't have internet, today we have, tomorrow we can have better possibility to share, etc...

Sony didn't fail, it's the scene fail in here, also whatever they send a DMCA to Gary Wayne Bowser (aka GaryOpa) hosting some OFW/CFW so ? i think is more related to the dongle, don't think ?...

Sony never obliged anyone to buy their product and not even Apple, you know that Apple is more strict and spying on you more than Sony?... the iPhone is certainly the worst phone I have ever seen, I prefer a good Nokia to a bad Apple.

i use personally a iMac because of the resolution and to save some place, for some product it's good for other is bad, look what happen if the people complaining, Apple made bootcamp to support Windows (it's probably because of the help of Microsoft in the past)

I don't think Sony is that bad but it's probably doing what they think is better for the company, how much money they lost ?...

Nothing will happen to me in this way, I don't make real problems for Sony... I was already complaining about the stuff they made, like SDK Open suite that doesn't support Linux/Mac OS and they don't give any good support to help the indie devs, etc...

For the PS Vita, it's different we are not obliged to use CMA...

I don't remember anything about the guy who was going to release a PSN Method but it's also doesn't make any sense, you choose like on the XBOX live, you want to keep the PS3/XBOX like that keep but don't ask too much

nobody have a life gone lol.. .and where you saw that the dev was really sued ? all is more theory/fail comment, don't take too seriously all you read on internet, stuff can be true, like they can be lie.
