PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert

Category: PS3 Hacks & JailBreak  By: PS3 News - (nwert.wordpress.com)
Tags: ps3 lv0ldr exploit ps3 bootldr exploit ps3 reverse-engineering naehrwert ps3 hackers

25w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):

//In .data section.
static u8 tmp_pkt[0x800];

//Get size from sc packet.
#define GET_SIZE(pkt) ((pkt[4] << 8) | pkt[5])

int read_cmpl_msg(/*...*/, u8 *payload_buf /*r5*/, int min_size /*r6*/, /*...*/)
{
    u16 pkt_size;

    //Get packet header.
    memcpy_aligned_64(tmp_pkt, MMIO_SC_PKT, 0x10);

    //Check packet size.
    pkt_size = GET_SIZE(tmp_pkt);
    if(pkt_size - 4 < min_size || pkt_size + 8 > 0x800)
        return ERR;

    //Run first sc_checksum.
    if(!sc_checksum(...))
        return ERR;

    //Read packet again (plus header!).
    pkt_size = GET_SIZE(tmp_pkt);
    memcpy_aligned_64(tmp_pkt, MMIO_SC_PKT, pkt_size + 0x1B);

    //Get size again (not checked now).
    //I suspect that this is actually a compiler 'quirk' and not a
    //programmer mistake. The original source probably accesses the
    //packet size through a structure and the compiler noticed the
    //non const access of the packet and generated this read of the
    //size member because it could have changed.
    pkt_size = GET_SIZE(tmp_pkt);

    //Let's have some fun (payload_buf on caller stack).
    memcpy(payload_buf, tmp_pkt + 8, pkt_size - 4);

    //Run second sc_checksum.
    if(!sc_checksum(...))
        return ERR;

    //...
}

The syscon library implements some high-level functions, e.g. to shut down the console on panic or to read certain configuration values. Each of these functions internally uses another function to exchange packets with syscon, and the exchange function uses read_cmpl_msg to get the answer packet. The top-level function will pass a fixed-size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).
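As an added example (not code from naehrwert's post or from lv0), here is the same reader with the double fetch closed: the size is read once, bounded by the caller's actual buffer capacity, and the full read is rejected if its size field disagrees with the header read. The syscon MMIO window is modelled by a constructed fake_syscon whose later reads can return a different image; read_cmpl_msg_fixed, scenario and the constants are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define SC_PKT_MAX 0x800
#define ERR (-1)
#define OK 0

/* Fake MMIO window (constructed, hypothetical): the image handed out on the first
 * (header) read and the image handed out on every later read. Same size in both = honest device. */
typedef struct {
    const uint8_t *img;
    const uint8_t *flip;
    int reads;
} fake_syscon;

static void sc_read(fake_syscon *sc, uint8_t *dst, size_t n) {
    memcpy(dst, sc->reads++ == 0 ? sc->img : sc->flip, n);
}

/* Big-endian u16 at offset 4, as in the page's GET_SIZE macro. */
static uint16_t get_size(const uint8_t *pkt) { return (uint16_t)((pkt[4] << 8) | pkt[5]); }

/* Hardened reader: the size is taken once, checked against the caller's real
 * capacity, and the full read must report the same size or the reply is dropped. */
int read_cmpl_msg_fixed(fake_syscon *sc, uint8_t *payload_buf, size_t payload_cap, int min_size) {
    uint8_t tmp_pkt[SC_PKT_MAX];
    sc_read(sc, tmp_pkt, 0x10);                          /* header only */
    uint16_t pkt_size = get_size(tmp_pkt);
    if (pkt_size < 4 || pkt_size - 4 < min_size || pkt_size + 0x1B > SC_PKT_MAX)
        return ERR;
    if ((size_t)(pkt_size - 4) > payload_cap)            /* would overrun the caller's stack */
        return ERR;
    sc_read(sc, tmp_pkt, pkt_size + 0x1B);               /* full packet, header included */
    if (get_size(tmp_pkt) != pkt_size)                   /* size changed between the two reads */
        return ERR;
    memcpy(payload_buf, tmp_pkt + 8, pkt_size - 4);
    return OK;
}

/* Constructed exchange: the device advertises first_size in the header read and
 * later_size in the full read. Returns the hardened reader's verdict. */
int scenario(uint16_t first_size, uint16_t later_size, int min_size) {
    static uint8_t img[SC_PKT_MAX], flip[SC_PKT_MAX];
    uint8_t payload[0x100];                              /* the caller's fixed-size buffer */
    memset(img, 0xAA, sizeof img);   img[4] = (uint8_t)(first_size >> 8); img[5] = (uint8_t)first_size;
    memset(flip, 0xBB, sizeof flip); flip[4] = (uint8_t)(later_size >> 8); flip[5] = (uint8_t)later_size;
    fake_syscon sc = { img, flip, 0 };
    return read_cmpl_msg_fixed(&sc, payload, sizeof payload, min_size);
}
```

An honest 0x20-byte reply is accepted; a reply whose size grows to 0x7E0 between the header read and the full read, or one that would not fit the caller's 0x100-byte buffer even when consistent, is rejected.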




Comments

#225 - yllan - 21w ago
Good night, here are some files which could be used for the development of a check

3.60 CEX - LV1 Embedded Files (Twitter: UpSilon_Y)


[360CEX] _lv1.elf: 9D25BE079B50342787746185B2C8DF472E47F0B9
[360CEX] _lv1.self: 3FE00A9A76A7AF93854537E48BD96DC6FE49E9CD
---
pme_init: 149540 bytes
sysmgr_ss.fself: 391056 bytes
pme_init.conf: 176 bytes
ss_init.fself: 217152 bytes
updater_frontend.fself: 145904 bytes
ss_server1.fself: 529920 bytes
ss_server2.fself: 306400 bytes
ss_server3.fself: 233257 bytes
---
File: pme_init
RealStart: 0x1D00E8
RealEnd: 0x1F490B

File: sysmgr_ss.fself
RealStart: 0x1F490C
RealEnd: 0x25409B

File: pme_init.conf
RealStart: 0x25409C
RealEnd: 0x25414B

File: ss_init.fself
RealStart: 0x25414C
RealEnd: 0x28918B

File: updater_frontend.fself
RealStart: 0x28918C
RealEnd: 0x2ACB7B

File: ss_server1.fself
RealStart: 0x2ACB7C
RealEnd: 0x32E17B

File: ss_server2.fself
RealStart: 0x32E17C
RealEnd: 0x378E5B

File: ss_server3.fself
RealStart: 0x378E5C
RealEnd: 0x3B1D84

Can you look at it please, thank you: https://anonfiles.com/file/9e345a2bec8c657c330e8c1351cc2e3b

source: logic-sunrise.com

#224 - SammyG0080 - 21w ago
Here are actual lv1/lv2 dumps from 431/430 if anyone wants to browse around...

http://rghost.net/42400635

#223 - xr3b0rn - 22w ago
Here is my official topic about the keys, because you have missing keys or because the older version has mistypes. I'm using real legit keys fresh from the PS3 dev wiki, 100% working on scetool!!! Thanks all readers

MISSING KEYS !!! CANNOT HAVE THE CFW INSTALLABLE ON 4.XX IF THOSE KEYS ARE MISSING!!!

OK, here is the list: lv1-priv-431!!! and all spu_pkg_rvk_verifier keys are also missing!!! PLZ IF U FOUND OR HAVE THEM, SEND THEM TO ME AND THE CFW WILL BE MADE IN NO TIME!!!

README

I tried to make a beta and got an error at the msg.xml, so I tried to fix it... then back on the PS3, this time it doesn't scan it... I've been extracting-n-packing on and off 4 you guys... till it works

OKAY GUYS DOWNLOAD THIS AND PUT IT IN THE MFW KEYS FOLDER

http://www.mediafire.com/?8dvbtzfl4ob8ibg

FOR MFW TO READ THE KEYS AND WORK

HERE IS THE FAMOUS AND NEWEST MFW MASTER WITH MY LATEST KEYS !!!

link: http://www.mediafire.com/?bxstfqk1jo1h8q6

BEWARE: CANT HACK LV1 WITHOUT PRIV keys

Here is the list!!

UPDATED *OK* LIST FOR KEYS


3.60 ok list
app-ctype-360 *OK*
app-key-360 *OK*
app-iv-360 *OK*
app-pub-360 *OK*

iso-key-360 *OK*
iso-iv-360 *OK*
iso-pub-360 *OK*

lv0-ctype-360 *OK*
lv0-iv-360 *OK*
lv0-key-360 *OK*
lv0-priv-360 *OK*
lv0-pub-360 *OK*

lv1-ctype-360 *OK*
lv1-iv-360 *OK*
lv1-key-360 *OK*
lv1-pub-360 *OK*

lv2-ctype-360 *OK*
lv2-iv-360 *OK*
lv2-key-360 *OK*
lv2-pub-360 *OK*

rvk-iv-360 *OK*
rvk-key-360 *OK*
rvk-pub-360 *OK*

spp-iv-360 *OK*
spp-key-360 *OK*
spp-pub-360 *OK*

4.21 ok list
app-key-421 *OK*
app-iv-421 *OK*
app-pub-421 *OK*
app-ctype-421 *OK*

lv0 (all of em same as 4.31)

4.25 ok list

app-ctype-425 *OK*
app-iv-425 *OK*
app-key-425 *OK*
app-pub-425 *OK*

lv0-ctype-425 *OK*
lv0-iv-425 *OK*
lv0-key-425 *OK*
lv0-priv-425 *OK*
lv0-pub-425 *OK*

lv1-ctype-425 *OK*
lv1-iv-425 *OK*
lv1-key-425 *OK*
lv1-pub-425 *OK*

lv2-ctype-425 *OK*
lv2-iv-425 *OK*
lv2-key-425 *OK*
lv2-pub-425 *OK*

SPP-ctype-425 *OK*
SPP-iv-425 *OK*
SPP-key-425 *OK*
SPP-pub-425 *OK*

RVK-ctype-425 *OK*
RVK-iv-425 *OK*
RVK-key-425 *OK*
RVK-pub-425 *OK*

lv0 (all of em)

4.31 ok list

iso-ctype-431 *OK*
iso-iv-431 *OK*
iso-key-431 *OK*
iso-pub-431 *OK*

lv1-priv-431 *OK*
lv1-iv-431 *OK*
lv1-key-431 *OK*
lv1-pub-431 *OK*
lv1-ctype-431 *OK*

lv2-pub-431 *OK*
lv2-ctype-431 *OK*
lv2-key-431 *OK*
lv2-iv-431 *OK*

SPP-ctype-431 *OK*
SPP-iv-431 *OK*
SPP-key-431 *OK*
SPP-pub-431 *OK*

RVK-ctype-431 *OK*
RVK-iv-431 *OK*
RVK-key-431 *OK*
RVK-pub-431 *OK*

lv0 (all of em)

link for download: http://www.mediafire.com/?havr53oc4f648w0
signed pkg-pub-retail: http://www.mediafire.com/?v50zr1z0fl0kyw8

Update: OKAY GUYS DOWNLOAD THIS AND PUT IT IN THE MFW KEYS FOLDER: http://www.mediafire.com/?8dvbtzfl4ob8ibg

FOR MFW TO READ THE KEYS AND WORK

HERE IS THE FAMOUS AND NEWEST MFW MASTER WITH MY LATEST KEYS [UPDATE3] !!!

Link : http://www.mediafire.com/?m82bq7mz42i872h

BEWARE : CANT HACK PS3 WITHOUT PRIV keys

Here is the list!! UPDATED *OK* LIST FOR KEYS


3.60 ok list
app-ctype-360 *OK*
app-key-360 *OK*
app-iv-360 *OK*
app-pub-360 *OK*

iso-key-360 *OK*
iso-iv-360 *OK*
iso-pub-360 *OK*

lv0-ctype-360 *OK*
lv0-iv-360 *OK*
lv0-key-360 *OK*
lv0-priv-360 *OK*
lv0-pub-360 *OK*

lv1-ctype-360 *OK*
lv1-iv-360 *OK*
lv1-key-360 *OK*
lv1-pub-360 *OK*

lv2-ctype-360 *OK*
lv2-iv-360 *OK*
lv2-key-360 *OK*
lv2-pub-360 *OK*

rvk-iv-360 *OK*
rvk-key-360 *OK*
rvk-pub-360 *OK*

spp-iv-360 *OK*
spp-key-360 *OK*
spp-pub-360 *OK*

4.21 ok list

app-key-421 *OK*
app-iv-421 *OK*
app-pub-421 *OK*
app-ctype-421 *OK*

lv0 (all of em same as 4.31 and sht)

4.25 ok list
app-ctype-425 *OK*
app-iv-425 *OK*
app-key-425 *OK*
app-pub-425 *OK*

lv0-ctype-425 *OK*
lv0-iv-425 *OK*
lv0-key-425 *OK*
lv0-priv-425 *OK*
lv0-pub-425 *OK*

lv1-ctype-425 *OK*
lv1-iv-425 *OK*
lv1-key-425 *OK*
lv1-pub-425 *OK*

lv2-ctype-425 *OK*
lv2-iv-425 *OK*
lv2-key-425 *OK*
lv2-pub-425 *OK*

SPP-ctype-425 *OK*
SPP-iv-425 *OK*
SPP-key-425 *OK*
SPP-pub-425 *OK*

RVK-ctype-425 *OK*
RVK-iv-425 *OK*
RVK-key-425 *OK*
RVK-pub-425 *OK*

drm-ctype-425 *OK*
drm-iv-425 *OK*
drm-key-425 *OK*
drm-pub-425 *OK*

lv0 (all of em)

4.31 ok list
iso-ctype-431 *OK*
iso-iv-431 *OK*
iso-key-431 *OK*
iso-pub-431 *OK*

lv1-priv-431 *OK*
lv1-iv-431 *OK*
lv1-key-431 *OK*
lv1-pub-431 *OK*
lv1-ctype-431 *OK*

lv2-pub-431 *OK*
lv2-ctype-431 *OK*
lv2-key-431 *OK*
lv2-iv-431 *OK*

SPP-ctype-431 *OK*
SPP-iv-431 *OK*
SPP-key-431 *OK*
SPP-pub-431 *OK*

RVK-ctype-431 *OK*
RVK-iv-431 *OK*
RVK-key-431 *OK*
RVK-pub-431 *OK*

drm-ctype-431 *OK*
drm-iv-431 *OK*
drm-key-431 *OK*
drm-pub-431 *OK*

lv0 (all of em)

link for download: http://www.mediafire.com/?hehbwdxta4e3oti

signed pkg-pub-retail: http://www.mediafire.com/?v50zr1z0fl0kyw8


#222 - LiQUiDxSNaKe - 25w ago
If this is true, could it lead to a 3.60 full CFW without flashers?

#221 - niwakun - 25w ago
Originally Posted by SethPDA:
I think this means good news for PS3 Slim 3k users if it is not fake. I really do think there are people who are willing to leak out information just to help people. I have a PS3 Slim 120GB serial CECH-3001A. Originally it came with 3.72 and I accidentally upgraded it to 4.31 which is the current one. I already know that my console cannot be downgraded to 3.55 to use CFW using the current methods.

I hope someone will make some progress with this to help people like me.

PS3 3K and 4K series use lv0.2, and this exploit is based on the old one, which is lv0 (or bootldr, as it says).
