PS3 Hacker Mathieulh on 3.60 Firmware LV0 Dump Exploit & Keys


160w ago - Today PS3 hacker Mathieulh has tweeted some new details on dumping LV0 from PlayStation 3 3.60 Firmware and obtaining the new keys, followed by Ps3WeOwnYoU claiming he has already reproduced it to confirm it works.

Below are all the tweets, as follows:

Mathieulh's Tweets:

  • xShadow125 You can update from your own pup only from 3.55 or lower, unless you have an exploit.
  • xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
  • xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
  • xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
  • xShadow125 You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.
  • xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
  • To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
  • The new 3.56+ values for tarballs are the following: owner_id, "0000764" group_id, "0000764" owner, "tetsu" group, "tetsu" ustar, "ustar"
  • You can use fix_tar to use those new values. Use with caution.
  • By comparison, those are the pre-3.56 values. owner_id, "0001752" group_id, "0001274" owner, "pup_tool" group, "psnes" ustar, "ustar"
  • Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.

So, to decrypt this LV0 thing, we need to get to know it better. In the latest blog post by rms, he has explained briefly what LV0 is in the console’s security.

Anyway, let’s really discuss something PS3 instead of my PC xD, let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the "Cell OS Bootloader".

In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary.

All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

So, unless you can decrypt Lv0, no 3.60 "CFW" for you . Is there any need for it anyway?

Mathieulh also has some facts to clarify about LV0.

1. lv0 isn’t a loader it’s a ppu binary
2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos
3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware
5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)

But wait, messing with this thing could lead to the YLOD tragedy, unless you have those expensive NOR flasher you might want to proceed, and that’s according to rms again.

Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then "YLOD", and you’d need a flasher for your PS3 to recover.

Finally, from rms on lv0: Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the "Cell OS Bootloader". In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader.

Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary. All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

So, unless you can decrypt Lv0, no 3.60 "CFW" for you. Is there any need for it anyway?

Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then "YLOD", and you’d need a flasher for your PS3 to recover.




Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 381 Comments - Go to Forum Thread »

Quick Reply Quick Reply

cfwprophet's Avatar
#351 - cfwprophet - 115w ago
The scene isn't dead it is stuck. I know from some underground dev on what they are working on but i have no permission to call it here. One big problem the ps3 scene have is to hint information. Nabnab talked to kaka via twitter about turning a 4.0 ps3 into a full debug one and guess what ? Kakaroto knows that !!!

Yea sure and what about the 360 scene ? Is C4E (hail to you man) not working on piracy stuff ? Or all others they have made backups and a hacked con eg via gligli possible not working on piracy ?

The so called dev's in ps3 scene seems to have the EGO HOT syndrome. Hinting infos for them an not give out to the scene. Some one said they are afraid of that sony will patch the possibility of using the debugger as a mode for games and among other stuff when they release. Does the average user really believe this ?

Hell sony have developed this sys and know better then some one else in this stuck scene how it make those games work. So why hinting this infos ? = EGO HOT syndrome. Just to have it for them self and laughing about the scene or just for them self and how good they are.

I can't really say whats the reason for but for sure not in case of being afraid off that sony will patch it. If they want to patch then they do and not in case of it gets public released.

They patched things in past without something useable was released. Also nabnab got a message from some one not to be called here that he should stop his work. Yea sure we will stop only in case of this person tell us/him to do so.

On some points a lot of dev's in the ps3 scene think they are god's or better then the average user. We are all the same it's not a matter of the color of your skin and also it's not a matter if you're a normal user or a hacker or a coder, scriptor, modder or what ever.

We all deserve the same and no one have the right's to milk some one other with stuff that should be free.

Hail to grafchockolo and shame to the one that use his work to milk the average user and also shame to all others that hinting informations.

Bartholomy's Avatar
#350 - Bartholomy - 115w ago
Hail.. Was it useful for a progress? Culturally talking, amazing to read. But.... So? What he meant is "scene is dead, if you're a dev feel free to go M$" or what?

sharks's Avatar
#349 - sharks - 115w ago
Great effort by KaKaRoToKS to write this guide for everyone! The scene seriously needs more people like him!! All Hail KaKaRoToKS!!

huseen9's Avatar
#348 - huseen9 - 115w ago
thanks for the update.

Nabnab's Avatar
#347 - Nabnab - 115w ago
I didn't judge KaKaRoToKS, i said maybe that he have the own reason to stop, i don't want to judge him or anyone else but too much PS3 users want to see the new keys etc... and it's not the only way to exploit the PS3 and have also better alternative and more interesting when you know that we don't need this keys... the PS3 Scene have more tools and more information about the PS3 than the XBOX/Wii Scene...

I know that i repeat many times Graf offer big stuff about the PS3, the only one who was thinking release public the work (a person recently contact me to tell me some interesting stuff about PS3dev wiki and other dev on the PS3 scene, that they like to keep secret or share work from other), even Sony offer the best door to exploit the PS3 but it look like that some devs prefer to make business with free stuff and after we ask why Sony make some bad action (actually i didn't see anyone going to the jail and it would never happen for that)

I know it's so annoying to wait something you are waiting for a long time but unfortunately some dev don't know the definition share and like to make business with that, also they make crappy code or steal code from other dev that share for free and put on a dongle with stupid drm to hide the crappy work and scared to see the PS3 users complaining about that.

You know i stop some my work not related to the PS3, just to come give help and i saw the last few weeks many insult from the PS3 users and even the PS Vita users lol, also see some dev good lie to distract the PS3 users and said don't trust him to hide the real information from different website of the PS3 hack, i saw some website respectful and other website that judge a person they don't even know and try to make some fire for nothing...

The Truth Behind the Lie

I always try to do my best to help people on the PC community, i make alternative driver, patch for games, mods... many of this work was released for free and i was working alone on it, i received so many thanks than i didn't expected that much and also some good insult... but the world is like that and you can't change it, you can make it better but don't change it .

I keep working and let you know all what i'm trying to do.













Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News