PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert


92w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):

The syscon library implements some high level functions, e.g. to shut down the console on panic or to read certain configuration values. Every one of these functions internally uses another function to exchange packets with syscon, and the exchange function uses the read_cmpl_msg one to get the answer packet. The top-level function will pass a fixed size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).
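The bug class the quoted post describes is a double fetch: the answer packet's size is read once for the check and again for the copy, and a syscon the attacker controls (via MMIO emulation) can answer the two reads differently, so the copy overruns the caller's fixed-size stack buffer and the return address above it. The C model below is an added example, not naehrwert's reversed code or anything from the PS3 firmware; the packet layout (one length byte plus payload), the 16-byte buffer, the function names (mmio_read_len, read_cmpl_msg_vuln, exchange_vuln, exchange_fixed) and the 20-byte attacker payload are all assumptions chosen to show the pattern. The vulnerable shape checks the first fetch and copies with the second; the hardened shape fetches the length once into a local, validates that local and uses only it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (added example, not code from the original post or the
 * firmware). Packet layout, sizes and names are assumptions. */
#define PKT_MAX 16u   /* fixed-size buffer the top-level function hands down */

/* The caller's stack frame: its packet buffer with the saved return address
 * sitting directly above it, as on a real stack. */
typedef struct {
    uint8_t  buf[PKT_MAX];
    uint32_t saved_ret;
} caller_frame_t;

/* Emulated syscon behind MMIO. An attacker who emulates the device can answer
 * the first and the second read of the packet length differently. */
typedef struct {
    uint8_t        len_first;    /* length reported on the first read */
    uint8_t        len_second;   /* length reported on the second read */
    const uint8_t *payload;      /* at least len_second bytes */
    unsigned       reads;
} emu_syscon_t;

static uint8_t mmio_read_len(emu_syscon_t *dev)
{
    uint8_t len = dev->reads == 0 ? dev->len_first : dev->len_second;
    dev->reads++;
    return len;
}

/* Raw copy into the frame. The cap at sizeof(*frame) exists only so this model
 * stays well-defined; the real firmware has no such stop and the copy keeps
 * running past the return address. */
static size_t raw_copy_into_frame(caller_frame_t *frame, const uint8_t *src,
                                  size_t n)
{
    if (n > sizeof(*frame))
        n = sizeof(*frame);
    memcpy((uint8_t *)frame, src, n);
    return n;
}

/* Vulnerable shape: the length is validated on fetch #1 ... */
static int read_cmpl_msg_vuln(emu_syscon_t *dev)
{
    uint8_t len = mmio_read_len(dev);
    return len <= PKT_MAX ? 0 : -1;
}

/* ... but the copy uses fetch #2, which the attacker can make larger. */
static int exchange_vuln(emu_syscon_t *dev, caller_frame_t *frame)
{
    if (read_cmpl_msg_vuln(dev) != 0)
        return -1;
    size_t len = mmio_read_len(dev);      /* second, unchecked fetch */
    return (int)raw_copy_into_frame(frame, dev->payload, len);
}

/* Hardened shape: one fetch into a local, validate the local, copy with it. */
static int exchange_fixed(emu_syscon_t *dev, caller_frame_t *frame)
{
    size_t len = mmio_read_len(dev);      /* single fetch */
    if (len > PKT_MAX)
        return -1;
    memcpy(frame->buf, dev->payload, len);
    return (int)len;
}

/* Constructed attacker packet: 16 filler bytes, then the 4 bytes that land on
 * saved_ret when the copy runs past the buffer. */
static const uint8_t attacker_payload[20] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x44, 0x43, 0x42, 0x41
};

/* Run one exchange against a syscon that reports len1 then len2. Returns the
 * bytes copied (or -1) and leaves the frame for inspection. */
static int run_scenario(int (*exchange)(emu_syscon_t *, caller_frame_t *),
                        caller_frame_t *frame, uint8_t len1, uint8_t len2)
{
    emu_syscon_t dev = { len1, len2, attacker_payload, 0 };
    memset(frame, 0, sizeof(*frame));
    frame->saved_ret = 0xDEADBEEFu;       /* marker for the untouched return address */
    return exchange(&dev, frame);
}

int main(void)
{
    caller_frame_t f;
    int n = run_scenario(exchange_vuln, &f, 8, 20);
    printf("vulnerable: copied %d bytes, saved_ret now 0x%08x\n", n, (unsigned)f.saved_ret);
    n = run_scenario(exchange_fixed, &f, 8, 20);
    printf("fixed:      copied %d bytes, saved_ret still 0x%08x\n", n, (unsigned)f.saved_ret);
    return 0;
}
```

The check a reviewer wants in code that talks to a peripheral through MMIO is that every value driving a size, index or pointer is read from the device exactly once, into local memory, and that the validated local is the only copy ever used; re-reading the device after the check hands the attacker a second answer. The stub-in-shared-LS step from the post then only needs the overwritten return address to point at code the attacker has already placed.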







#214 - ConsoleDev - 94w ago
Maybe someone more experienced than me could help to clarify this thing. It seems that zadow28 managed to find a lv2diag.self file signed with the 3.60/3.61 keys in the ps3tmgui program that was a part of the official SDK.

If possible can someone tell me more about that?

DO NOT TRY THIS!



#213 - G Sus - 94w ago
I'd keep hope too, there's always some up and coming smartass that looks at things differently or just spots something others have missed. One little thing can suddenly change the game completely. The algorithm used to calculate per console keys has to be hidden somewhere within the CFW, and all parts of the FW are now readable. So it's technically just a case of finding it and understanding how to exploit it.

Sadly that doesn't just take a clever person, that takes a clever person that is actually interested in doing it, and not afraid of any consequences. For all we know it could have already been done.

Hope is a great thing, it's free and you can have as much of it as you want.

#212 - UrKoS - 94w ago
I hold hope for a 4.31 installable cfw.

Sent from my GT-I9100 using Tapatalk 2.

#211 - G Sus - 94w ago
I believe that now all keys are known, it means you could technically make a CFW that could be installed on any PS3 OFW. However, it's not really as simple as that. The keys only mean you can decrypt it all. It doesn't mean you will understand what you're seeing or even be able to find a flaw or weakness in it (per console keys).

What it effectively means is that now that it can all be decrypted there is the possibility that someone will find out how the FW and PS3 go about the verification of per console keys etc. and then copy the process, and make a new CFW that will update on OFW above 3.55.

It doesn't mean it will happen, it just means it could be possible if someone is smart enough to work it out. Or at least that's how I understood it, I've been wrong before though. What is more likely is that now you'll just get a 4.31 CFW that installs only on 3.55 or below.

I bet there's a hell of a lot of code to read for devs. Look how many files they've been given access to in just a few months. The PS3's life will have ended before anyone gets round to making CFW install above 3.55 OFW. I reckon the few people that probably could do it aren't even working on it (they have no need) and the rest wouldn't know where to start.

But like I say, I'm often wrong, and this is highly likely to be one of those times.

#210 - Blade86 - 94w ago
Installable CFW 4.31 on OFW 4.30-? Or did I misunderstand it?

Please could someone enlighten me what you can do with these two? And the priv-key is still missing? Or could we "just" decrypt the 4.31 update and make a new 4.31 CFW installable on 3.55?

Thank you so much








© 2014 PlayStation 3 News