PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert

100w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):

[Register or Login to view code]

The syscon library implements some high-level functions, e.g. to shut down the console on panic or to read certain configuration values. Each of these functions internally uses another function to exchange packets with syscon, and the exchange function uses the read_cmpl_msg one to get the answer packet. The top-level function will pass a fixed-size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).
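The bug class described in the quoted passage is a double fetch of a length field: the size is validated on one read of the packet header and a later read of the same field is used for the copy, so a value that changes between the two reads defeats the check and the copy runs past the fixed-size buffer on the caller's stack. The following C program is an added example, not naehrwert's reversed code and not anything from the PS3 firmware; the names packet_source, caller_frame, exchange_double_fetch, exchange_single_fetch and the buffer size PKT_BUF_SIZE are all assumptions made for the demo. It models the peripheral as a struct whose size field is allowed to differ between the first and second read, places a guard word directly after the packet buffer to stand in for whatever lives above it in the frame, and shows the guard being clobbered by the double-fetch version and surviving the single-fetch version that reads the size once and uses only that validated value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes for the demo; not the real lv0 buffer layout. */
#define PKT_BUF_SIZE 32u
#define GUARD_VALUE  0xDEADBEEFu

/* Stand-in for a caller's stack frame: the fixed-size packet buffer followed
 * by a guard word representing whatever sits above it (e.g. a return address). */
typedef struct {
    uint8_t  buf[PKT_BUF_SIZE];
    uint32_t guard;
} caller_frame;

/* Constructed packet source. A real peripheral would be read through MMIO;
 * here the size field is modelled as two separate values so the demo can
 * show what happens when it changes between the first and second read. */
typedef struct {
    size_t  size_on_first_read;
    size_t  size_on_second_read;
    uint8_t body[sizeof(caller_frame)];
} packet_source;

static size_t read_size(const packet_source *src, int read_number) {
    return read_number == 0 ? src->size_on_first_read : src->size_on_second_read;
}

static void frame_init(caller_frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
}

/* Double-fetch pattern: the size is checked on one read and the copy uses another.
 * The copy is clamped to sizeof(*frame) only so this demo stays within defined
 * behaviour; that clamp is NOT the fix, it just keeps the demo memory-safe. */
int exchange_double_fetch(const packet_source *src, caller_frame *frame) {
    size_t size = read_size(src, 0);
    if (size > PKT_BUF_SIZE)
        return -1;                      /* the only check, against the FIRST read */
    size = read_size(src, 1);           /* re-read the header: it may now differ */
    if (size > sizeof *frame)
        size = sizeof *frame;           /* demo-only clamp, see comment above */
    memcpy(frame, src->body, size);     /* runs past buf when the size grew */
    return 0;
}

/* Hardened pattern: read the size once, validate it, and use that validated
 * value for the copy, which is bounded by the buffer the caller passed in. */
int exchange_single_fetch(const packet_source *src, caller_frame *frame) {
    size_t size = read_size(src, 0);
    if (size > PKT_BUF_SIZE)
        return -1;
    memcpy(frame->buf, src->body, size);  /* size already validated, never re-read */
    return 0;
}

bool guard_intact(const caller_frame *f) { return f->guard == GUARD_VALUE; }

/* Runs one exchange against a source whose size field grows between the two
 * reads. Returns true when the guard word survived. */
bool run_scenario(int (*exchange)(const packet_source *, caller_frame *)) {
    packet_source src;
    memset(&src, 0xAA, sizeof src);                 /* constructed body: all 0xAA */
    src.size_on_first_read  = PKT_BUF_SIZE;         /* passes the check */
    src.size_on_second_read = sizeof(caller_frame); /* grew: covers buf + guard */
    caller_frame frame;
    frame_init(&frame);
    exchange(&src, &frame);
    return guard_intact(&frame);
}

/* Both versions still reject a size that is already too large on the first read. */
bool rejects_oversize(int (*exchange)(const packet_source *, caller_frame *)) {
    packet_source src;
    memset(&src, 0, sizeof src);
    src.size_on_first_read = src.size_on_second_read = PKT_BUF_SIZE + 1;
    caller_frame frame;
    frame_init(&frame);
    return exchange(&src, &frame) == -1 && guard_intact(&frame);
}

int main(void) {
    printf("double fetch: guard %s\n", run_scenario(exchange_double_fetch) ? "intact" : "CLOBBERED");
    printf("single fetch: guard %s\n", run_scenario(exchange_single_fetch) ? "intact" : "CLOBBERED");
    return 0;
}
```

The design point is that the bounds check and the copy must operate on the same value: once a length has been read from a source that can change underneath you (a peripheral register, shared memory, a user-supplied header), cache it in a local, validate the local, and never consult the source for that length again.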

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

245 Comments


#20 - PS3 News - 105w ago
Not sure if we'll get a response, but for the heck of it I replied to the anonymous e-mail and asked about the others (RIV, PUB, CTYPE, etc) assuming this is the ERK value. We'll see what happens I suppose... all we can do is hope for the best really.

From a Spanish developer here is what appears to be missing:

[Register or Login to view code]

From Jericho417: With PS3Tools, unpackage the 4.25 update. Open update_files.tar with winrar and extract CORE_OS_PACKAGE.pkg. Decrypt CORE_OS_PACKAGE.pkg and then extract. This is where it hangs on me, but I do get a lv1.self. However, I don't know if it's complete. Never had a reason to check file size.

[Register or Login to view links]

From zadow28: here is the Core_os.pkg unpacked

[Register or Login to view links]

#19 - smokyyuwe - 105w ago
As quiet as it has been, I think these are either it or close. N0DRM has not posted anything new since their "thanks paradox" tweet.

#18 - Lando43 - 105w ago
Anywhere we can get the encrypted lv0 file of 4.25 FW? That's the only way to check. Should be on the dev wiki somewhere.

#17 - penjejakawan - 105w ago
I assumed it TRUE/VALID until PROVEN it's FAKE.

#16 - Renold - 105w ago
Fingers crossed...

© 2014 PlayStation 3 News