PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert


82w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

From Mathieulh (via pastebin.com/naxXkv3M):

The footer signature is still not checked upon npdrm self files execution as of 4.21.

Because kakaroto says something that doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.

Of course they do whitelist npdrm now so even if the footer isn't checked you cannot run your own npdrm selfs signed with keyset lower than 0x0D making the whole debate rather pointless. Aditional checks are now performed on the actual file format as well such as the segment counter flag that needs to be set to 0x01 except for the very last segment.

Finally, from KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too . The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA.

Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^

I didn't managed to make it work on 4.21 so I just did on 4.20






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 231 Comments - Go to Forum Thread »

Quick Reply Quick Reply

miandad's Avatar
#11 - miandad - 120w ago
thx for info , when they release it .. !

and i'm noob dont know about reverse the eid.. can you ask them about Lv2diag.self signed for 3.60 or 3.70+ for downgrade?

PS3 News's Avatar
#10 - PS3 News - 121w ago
Here are a few quick updates from naehrwert (twitter.com/naehrwert) for those following:

  • haha just figured the eid3 algo, nice!
  • KaKaRoToKS and I added basic NPDRM support to scetool
  • SELF generation works now for SPU and PPU, except for compressing the data and NPDRM
  • added SPU SELF generation to scetool

Also from his site: nwert.wordpress.com/2011/12/24/individual-infos/

Individual Infos

One of the PS3′s console specific cryptography works as follows:

At factory time there is a console specific key generated, probably from a private constant value and a console specific seed. Maybe that’s the key used for encrypting bootldr and metldr. Fact is, that metldr stores another console specific keyset (key/iv) to LS offset 000000. That keyset is probably calculated from the first one. At factory time the isolated root keyset (how I call it) is used to encrypt the console’s “Individual Infos”, like eEID.

But not the whole eEID is encrypted the same way, special seeds are used to calculate key/iv pairs for the different sections. And not even that is true for every eEID section, because for e.g. EID0 another step is needed to generate the final section key(set). Each of the isolated modules using such an “Individual Info” has a special section that isoldr uses to generate the derived key(set)s.

But the generation works in a way, that the section data is encrypted with aes-cbc using the isolated root keyset, so it is not possible to calculate the isolated root keyset back from the derived key(set)s, because aes shouldn’t allow a known plaintext attack. So far I can decrypt some of EID0′s sections, EID1, EID2 and EID4. EID5 encryption should be similar to EID0′s but I lack the generation keys for that one.

PS3 News's Avatar
#9 - PS3 News - 122w ago
Today Naehrwert has released PS3 SCETool v0.0.4 for those interested.

Download: PS3 SCETool v0.0.4

From his Tweet (twitter.com/#!/naehrwert/status/145481343411830784) the changes are as follows:

scetool 0.0.4 http://www.mediafire.com/?c10cwi77n7h4o3o

(added 32 bit ELF "unselfing")

isoldr_emulate http://pastie.org/3001424


Bartholomy's Avatar
#8 - Bartholomy - 123w ago
Eidtool is what we need, rest is useless I think

PS3 News's Avatar
#7 - PS3 News - 124w ago
Below are some more updates from naehrwert for those following..

scetool 0.0.3 http://www.mediafire.com/?ykjil6hn2xai5qw

output for vsh.self pastie.org/2958961


Added ELF64 support to scetool!

but I extended eidtool by some new functions













Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News