PS3 SCETool, Friday Isolated SPU POC and EIDTool WIP Updates


125w ago - This weekend Sony PlayStation 3 hacker naehrwert has released a PS3 SCETool based on the fail0verflow tools, an Isolated SPU binary POC dubbed Friday and some EIDTool work in progress updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc via Twitter.

Download: PS3 SCETool / Friday Isolated SPU Binary POC / PS3 SCETool v0.0.3 and VSH.Self Output / PS3 SCETool v0.0.4

Below are the details from the ReadMe files and Tweets, as follows:

SCETool (C) 2011 by naehrwert - This tool will see more features in the future.

Notice: THIS CAN DO NOTHING NEW, IT'S CURRENTLY JUST A REWRITE OF f0f TOOLS.

Keyfile format:

A sample keyfile is included.

Shout-outs: I think they know who I mean

Friday (C) 2011 by naehrwert - This is a POC for a isolated spu binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S block from it, that is used to pair the BD drive to the specific console. Yon can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.

Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is send from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.

Note: this is UNTESTED but should just work

POC http://www.mediafire.com/?u8lvl08h1lai2nb

note: self part is only for spu yet!

scetool http://www.mediafire.com/?31r5482wy28sc9c

veeeery nice http://pastie.org/2928187

http://pastie.org/private/4dflpsc66d4gngjvmxwqyq


which I can generate and yes my eid4 passes the hash check

but one would need to get the aes_omac1 key to be able to check it

hmm eid4 digest is stored unencrypted

seems like there are some hardcoded eid4 fallback bytes - http://pastie.org/private/oxy580s4omh8ofbdfgj3dq

scetool/eidtool progress is great




Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 231 Comments - Go to Forum Thread »

Quick Reply Quick Reply

xrayglasses's Avatar
#46 - xrayglasses - 82w ago
again.. it can write HTAB entries..

One you get a stable execution (hint ROP) you can glitch HTAB entries and do anything except persistent root because bootldr couldn't even be figured out by fa1loverflow team..

If you're looking for a lv1 exploit you'll never get anywhere unless you get a talented RE person with a lot of time, and since it's obvious Linux means less than piracy is PS3 scene that isn't likely to happen..

Tidusnake666's Avatar
#45 - Tidusnake666 - 82w ago
stack overflow... so 199X-th.... but still works!! Haha!

I still prefer to use 0xFACEBOOC instead of 0xABADCAFE lol

technodon's Avatar
#44 - technodon - 82w ago
basically a payload like the one used in the 3.41 jailbreak (hermes) is loaded into stack overflow when the ps3 tries to read this the payload is loaded into memory and you get unsigned code execution. but the problem is that ps3 is using the stack and it copies something to it instead of reading first.

so the payload which has been loaded there is being over written before it has been read and is deleted so if you could somehow make the ps3 read from stack or load the payload just before the stack gets read the payload would be loaded and you have a new jailbreak.

JOshISPoser's Avatar
#43 - JOshISPoser - 82w ago
i'm understanding it a bit more. the higher the lvl, the more security breaches needed because it'll allow it to be more open?

CJPC's Avatar
#42 - CJPC - 82w ago
Generally, assuming that there is already a user mode exploit (think an exploit in a game), using this exploit will allow you to elevate permission to kernel level. The simplest way to think about it is the PSP exploits, and how multiple exploits were needed. Generally, of course!













Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News