35w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.
To quote from his blog:

Exploiting (?) lv2
A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:
1. The vulnerability is in a protected syscall (the SELF calling it has to have the 0x40... control flags set). So you'd first need to find a suitable usermode exploit (don't ask us) that gives you code execution with the right privileges.
2. The payload data is copied to the lv2 heap first, and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem, but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.
Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel...
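The second point above is a heap-hardening property: an allocator that fills freed blocks with a fixed pattern leaves nothing usable behind for code that expected the data to survive the free. The following is an added example (not Naehrwert's code and not lv2_kernel's allocator) of a toy bump allocator with free poisoning; the 0xABADCAFE fill value is the one quoted in the post, while the pool size, block layout and function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE   4096
#define POISON_WORD 0xABADCAFEu   /* fill value quoted in the post */

static uint8_t pool[POOL_SIZE];
static size_t  pool_used;

/* Simple bump allocator: a 4-byte length header precedes each block.
   Lengths are rounded up to a multiple of 4 so the poison fill covers
   whole words. (Hypothetical layout, not lv2's.) */
void *toy_alloc(size_t len) {
    uint32_t hdr = (uint32_t)len;
    size_t rounded = (len + 3) & ~(size_t)3;
    size_t need = sizeof hdr + rounded;
    if (pool_used + need > POOL_SIZE) return NULL;
    uint8_t *base = pool + pool_used;
    memcpy(base, &hdr, sizeof hdr);
    pool_used += need;
    return base + sizeof hdr;
}

/* Free poisoning: overwrite the payload area of the block with
   POISON_WORD. Anything the caller staged in the block is gone. */
void toy_free(void *p) {
    if (p == NULL) return;
    uint32_t hdr;
    memcpy(&hdr, (uint8_t *)p - sizeof hdr, sizeof hdr);
    size_t rounded = ((size_t)hdr + 3) & ~(size_t)3;
    uint32_t w = POISON_WORD;
    for (size_t off = 0; off < rounded; off += sizeof w)
        memcpy((uint8_t *)p + off, &w, sizeof w);
}

/* Stage a marker pattern (constructed: 64 bytes of 'A') in a block, free
   it, and count how many marker bytes survive. Returns 0 when the poison
   destroyed every byte, which is the property the post describes. */
size_t marker_bytes_surviving_free(void) {
    enum { LEN = 64 };
    uint8_t *blk = toy_alloc(LEN);
    if (blk == NULL) return (size_t)-1;
    memset(blk, 'A', LEN);
    toy_free(blk);
    size_t survived = 0;
    for (size_t i = 0; i < LEN; i++)
        if (blk[i] == 'A') survived++;   /* inspecting our own static pool */
    return survived;
}

/* Return the first 32-bit word of a freed block; it is written and read
   back with memcpy, so the value is independent of host endianness. */
uint32_t first_word_after_free(void) {
    uint8_t *blk = toy_alloc(16);
    if (blk == NULL) return 0;
    memset(blk, 'A', 16);
    toy_free(blk);
    uint32_t w;
    memcpy(&w, blk, sizeof w);
    return w;
}

int main(void) {
    printf("marker bytes surviving free: %zu\n", marker_bytes_surviving_free());
    printf("first word after free: 0x%08X\n", first_word_after_free());
    return 0;
}
```

The same fill-on-free idea is what hardened allocators do to make stale data unusable after release; the toy version keeps the fill in a separate pass over the block so the behaviour is easy to inspect.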
68w ago - Following up on the previous update, this weekend PlayStation 3 homebrew development group DexL0ve have made available a PS3 patched DEX LV2_Kernel.Self for CEX consoles followed by a revision below that fixes PS3 crashing issues.
Essentially this PKG release is a patched LV2 DEX (Debug / Test) kernel for CEX (Retail) PS3 consoles based on the recent LV2 Loader release.
To quote: From my limited understanding of PS3 coding and from reading the NFO file: by using the LV2_Loader released by Team Rebug earlier, and by QA flagging your CEX machine, this file is basically a patched LV2 DEX kernel that will load fully on your CEX machine and thereby give you some DEX (aka TEST) machine L0VE on your Jailbroken PS3 Console.
129w ago - Following up on the PS3 Master Key news and his previous work, today via xorloser's blog graf_chokolo has confirmed that he has decrypted several PS3 SELF files including LV2_Kernel.self and is currently working on PlayStation 3 Firmware 3.50 decryption now.
To quote: Guys, I was not idle again. I'm able now to decrypt lv2_kernel.self, ps2_emu.self, ps2_softemu.self and ps2_gxemu.self from 3.41 firmware by using metldr and lv2ldr directly.
I'm working now on 3.50 decryption; $ONY changed something in 3.42 and 3.50.
I will make everything public very soon, as usual.