PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert

109w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):


The syscon library implements some high-level functions, e.g. to shut down the console on panic or to read certain configuration values. Each of these functions internally uses another function to exchange packets with syscon, and the exchange function uses the read_cmpl_msg one to get the answer packet. The top-level function will pass a fixed-size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).
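The weakness naehrwert describes is a general double-fetch pattern: a size field is read from the device once for the check and again for the copy, and a device whose answer can change between the two reads (emulated MMIO, in the PS3 case) defeats the check. The C below is an added illustration and is not from naehrwert's post or from any PS3 code; every name (fake_dev, read_cmpl_msg_vuln, read_cmpl_msg_fixed, guarded_buf, run_exchange) and every size is constructed. A canary region after the reply buffer makes the overrun observable without crashing, and the hardened variant shows the fix: fetch the length once, validate it, and copy using only that validated local value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the packet exchange described in the post. All
 * names and sizes are hypothetical, not taken from the PS3 firmware. */

#define REPLY_BUF_SIZE 16   /* the fixed-size buffer passed down by the caller */

/* A fake device that may answer differently on the second read of its
 * length field, standing in for a length changed between two readings. */
typedef struct {
    uint8_t first_len;     /* length reported on the first read */
    uint8_t second_len;    /* length reported on the second read */
    uint8_t payload[256];
    int     len_reads;     /* how many times the length has been fetched */
} fake_dev;

static uint8_t dev_read_len(fake_dev *d) {
    uint8_t v = (d->len_reads == 0) ? d->first_len : d->second_len;
    d->len_reads++;
    return v;
}

/* Vulnerable shape: the length is fetched twice, once for the bounds check
 * and once for the copy, so a device that changes its answer in between can
 * make the copy exceed the buffer. Returns bytes copied, or -1 if rejected. */
int read_cmpl_msg_vuln(fake_dev *d, uint8_t *out, size_t out_size) {
    uint8_t len = dev_read_len(d);     /* first fetch: this one is validated */
    if (len > out_size) return -1;
    uint8_t n = dev_read_len(d);       /* second fetch: trusted blindly */
    memcpy(out, d->payload, n);        /* n may now be larger than out_size */
    return n;
}

/* Hardened shape: fetch the length exactly once, validate it, and use only
 * that local copy for the memcpy. Returns bytes copied, or -1 if rejected. */
int read_cmpl_msg_fixed(fake_dev *d, uint8_t *out, size_t out_size) {
    uint8_t len = dev_read_len(d);     /* single fetch */
    if (len > out_size) return -1;
    memcpy(out, d->payload, len);      /* bounded by the validated value */
    return len;
}

/* Reply buffer followed by a canary region so an overrun is observable
 * without corrupting anything outside this struct. */
typedef struct {
    uint8_t reply[REPLY_BUF_SIZE];
    uint8_t canary[256];
} guarded_buf;

/* 1 if every canary byte still holds its fill value, 0 if any was overwritten. */
int canary_intact(const guarded_buf *g) {
    for (size_t i = 0; i < sizeof g->canary; i++)
        if (g->canary[i] != 0xAA) return 0;
    return 1;
}

/* Run one exchange against a device that reports first_len, then second_len.
 * use_fixed selects the hardened reader (1) or the vulnerable one (0).
 * Returns canary_intact() after the exchange. */
int run_exchange(int use_fixed, uint8_t first_len, uint8_t second_len) {
    fake_dev d;
    memset(&d, 0, sizeof d);
    d.first_len = first_len;
    d.second_len = second_len;
    memset(d.payload, 0x41, sizeof d.payload);   /* constructed payload bytes */

    guarded_buf g;
    memset(g.reply, 0, sizeof g.reply);
    memset(g.canary, 0xAA, sizeof g.canary);

    if (use_fixed)
        read_cmpl_msg_fixed(&d, g.reply, sizeof g.reply);
    else
        read_cmpl_msg_vuln(&d, g.reply, sizeof g.reply);
    return canary_intact(&g);
}

int main(void) {
    printf("vulnerable, consistent length 8/8:   canary intact = %d\n", run_exchange(0, 8, 8));
    printf("vulnerable, length changed 8 -> 200: canary intact = %d\n", run_exchange(0, 8, 200));
    printf("fixed,      length changed 8 -> 200: canary intact = %d\n", run_exchange(1, 8, 200));
    printf("fixed,      oversized length 200:    canary intact = %d\n", run_exchange(1, 200, 8));
    return 0;
}
```

The same single-fetch rule applies to any length or count read from a register, a shared buffer or another core: copy it into a local once, validate the local, and never re-read the source for the copy.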

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew releases!

Comments (252)
#27 - nathanr3269 - 113w ago
I can't say that it is fake; that erk key is probably legit, but the other two are missing, so without the other two I can't say whether that key is fake.


#26 - palkounairina - 113w ago
Hi, do you have any good link to documentation explaining the notion of erk / riv / pub and curve type and how it works with the SPU? Thanks

#25 - Hernaner28 - 113w ago
Oh well, but are you saying that F4 A4 24 EF 99 A9 E3 3D 01 B5 B6 8F 81 9E F0 A3 0F 5C FD CD 2B C6 54 D3 47 F0 5B 32 C3 24 99 36 is not fake?

#24 - nathanr3269 - 113w ago
I need more keys to test whether it is real or not; this key is the erk, and two more are needed, riv and pub.

With only one it can't be tested.


#23 - technodon - 113w ago
If you can decrypt lv0, all the keys should be in there. Sony made changes in firmware 3.60: they took appldr and other loaders and placed them inside lv0. So decrypt that and we should be able to get keys to decrypt everything.


© 2015 PlayStation 3 News