26w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.
To quote from his blog: The Exploit
As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):
35w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.
To quote from his blog: Exploiting (?) lv2
A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:
1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.
2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.
Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel...
38w ago - Following up on his previous release, today Sony PlayStation 3 hacker Naehrwert has updated SCETool to version 0.2.9 which now includes an NP application types fix and more as detailed in the changes below.
43w ago - Following up on his Quick PS3 CoreOS Image Tool code release and recent hints, today PlayStation 3 developer Naehrwert has made available PS3 Dump_Rootkey code and a brief guide below so users can dump their own PlayStation 3 root key without Linux.
Naehrwert has also confirmed that Asbestos PKG only works in 3.41. He has posted the AsbestOS and Source Code to change the offset for people to adapt it to other PS3 Firmware versions and tul compiled the ELF to an AsbestOS...