Sponsored Links

Sponsored Links

PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert


Sponsored Links
97w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

From Mathieulh (via pastebin.com/naxXkv3M):

The footer signature is still not checked upon npdrm self files execution as of 4.21.

Because kakaroto says something that doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.

Of course they do whitelist npdrm now so even if the footer isn't checked you cannot run your own npdrm selfs signed with keyset lower than 0x0D making the whole debate rather pointless. Aditional checks are now performed on the actual file format as well such as the segment counter flag that needs to be set to 0x01 except for the very last segment.

Finally, from KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too . The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA.

Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^

I didn't managed to make it work on 4.21 so I just did on 4.20






Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 234 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

ps33ps's Avatar
#214 - ps33ps - 59w ago
This tool PS3 EDAT Devklic Bruteforcer v1.1 working? i tried 6 different edats and always i got this same message ''Cannot found DevKlic''

aldostools's Avatar
#213 - aldostools - 59w ago
Awesome work from JjKkYu (as usual)!

Here are 2 tips to find the dev_klic even faster:

1- First try to bruteforce the edat against the list of known: ps3tools.aldostools.org/dev_klics.txt


2- If the key is not found above, open the eboot.bin with scetool and show the info. Then open the ELF with HxD and cut from the offset 0 to the offset of the 3rd section.

Usually this will reduce the "devklic source file" (elf) to about a 50% or less of the original size, saving a lot of time.

PS3 News's Avatar
#212 - PS3 News - 59w ago
Following up on his previous updates, today PlayStation 3 developer JjKkYu has released PS3 EDAT Devklic Bruteforcer v1.0 followed by v1.1 and v1.2 with details below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links]

To quote: This tool is used to bruteforce devklic for edat files on pc. It supports bruteforcing from binary or text files. It only take minutes to bruteforce in an elf file, no more waiting for hours or days.

This tool is based on BuC's EDAT Devklic Validator, all credit to BuC.

Update to v1.1

  • Fix a bug while bruteforce in text file.

If you meet some issue, please feedback. Thx.

Update to v1.2

Add 2 Modes:

  • Short Mode: Run only 4 rounds for binary source file. This mode doesn't try all the contents from source file. But it is enough in most cases.
  • Line Mode: Run only 1 round for text source file. This mode reads first 32 bytes in each line as devklic. It runs extremely fast for formatted text source file.

More PlayStation 3 News...

JOHNBOI's Avatar
#211 - JOHNBOI - 63w ago
what resigns pkgs from 4.40-4.41? looking for a tool to do this??

PS3 News's Avatar
#210 - PS3 News - 64w ago
Today PlayStation 3 homebrew developer spacemanspiff has released OpenSCETool (OSCETool) v0.9.2 which is an open-source clone of the original SCETool followed by the SCETool source code by naehrwert with details below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links]

To quote: OpenSCETool is a clone of scetool under an open source license. SCETool was reverse engineered and analized to produce this program, and copied his behaivour.

OpenSCETool (OSCETool) Changelogs:

Version 0.9.2

  • Fixed rap/rif/idps/act.dat management. Now it works fine.

Version 0.9.1

  • Fixed a segfault decrypt some SELFs.
  • Added option -p to patch the sys_process_param when signing an ELF. This is the same as applying FixELF.exe before signing.
  • Added support to klics.txt. If the klicensee is not specified, it is looked up in the data/klics.txt automatically (only for decrypt).

Version 0.9.0

  • First commited version, compatible with SCETool 0.2.9.

Now GNU/Linux users can have a native tool too. If you want an SCETool replacement, remember to add this keys (this were in the code, you can find them in previous revisions of the code, or in flatz's rif/raf tools:

From mind: Seems the keys are:

SCETool Changelog: History:

Version 0.2.9

  • Plaintext sections will now take less space in metadata header keys array.
  • Added option to specifiy a template SELF to take configuration values from.
  • Added option to override the keyset used for en-/decryption.
  • Fixed NP application types.
  • [Firmware Version] will now be written to control info only.
  • [Application Version] will now be written to application info only.

Version 0.2.8 (intermediate release):

  • Fixed minor bugs where scetool would crash.
  • Added SPP parsing.
  • Decrypting RVK/SPP will now write header+data to file.

Version 0.2.7:

  • Added local NP license handling.
  • Added option to override klicensee.
  • Added option to disable section skipping (in SELF generation).

Version 0.2.5:

  • Added option to use provided metadata info for decryption.
  • "PS3" path environment variable will now be searched for keys/ldr_curves/vsh_curves too.

Version 0.2.4:

  • Added option to display raw values.
  • Moved factory Auth-IDs to (as they are on ps3devwiki now).

Version 0.2.2:

  • Added options to override control/capability flags (32 bytes each).
  • Fixed where a false keyset would crash scetool when decrypting a file.
  • Some source level changes and optimizations.

Version 0.2.1:

  • zlib is required to use scetool.
  • 'sdk_type' was changed to 'revision' in data/keys.

Greetings to: you know who you are!

More PlayStation 3 News...

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News