PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert

73w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog: The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):

PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert

82w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel...

PS3 SCETool v0.2.9 by Naehrwert Updated, Adds NP Fix and More

85w ago - Following up on his previous release, today Sony PlayStation 3 hacker Naehrwert has updated SCETool to version 0.2.9 which now includes an NP application types fix and more followed by an unofficial update from Gamma Argon as detailed in the changes below.

Download: PS3 SCETool v0.2.9 / ZLib1.dll File (Required) / ZLib1.dll File (Mirror) / SCETool.exe v0.2.9 (no zlib1.dll or data folder required) by ben.ss7 / SCE_Encrypt Tool by TheUnkn0w / PS3 SCETool v0.2.9 (4.46 keys) by Smhabib and Naehrwert / SCETool v0.3.0 (Unofficial) by Deroad (aka Wargio) / SCETool Linux Binary by SMOKE / GIT / unofficial_update.zip...

PS3 SCETool v0.2.8 by Naehrwert Updated, Adds SPP Parsing

89w ago - Following up on his previous release, this weekend Sony PlayStation 3 hacker Naehrwert has updated SCETool to version 0.2.8 which now includes SPP parsing among the changes outlined below.

Download: PS3 SCETool v0.2.8 / ZLib1.dll File (Required)

For those unaware, SCETool is a PS3 key crypto tool that supports a wide range of binary file types (SELF, RVK, PKG, SPP, OTHER).

To quote via Twitter: SCETool 0.2.8 (intermediate release)

Version 0.2.8 (intermediate release):

  • Fixed minor bugs where scetool would crash.
  • Added SPP parsing.
  • Decrypting RVK/SPP will now write header+data to file.

PS3 Dump_Rootkey Code and Brief Guide Arrives from Naehrwert

90w ago - Following up on his Quick PS3 CoreOS Image Tool code release and recent hints, today PlayStation 3 developer Naehrwert has made available PS3 Dump_Rootkey code and a brief guide below so users can dump their own PlayStation 3 root key without Linux.

Download: PS3 Dump_Rootkey Code / PS3 Dump_Rootkey Code (Modified and compiled by Attila for Windows using Cygwin - just provide the IP as parameter after dump_rootkey like this: dump_rootkey.exe 192.168.0.1) / PS3 Resigning Tools by Attila

Naehrwert has also confirmed that Asbestos PKG only works in 3.41. He has posted the AsbestOS and Source Code to change the offset for people to adapt it to other PS3 Firmware versions and tul compiled the ELF to an AsbestOS...
© 2014 PlayStation 3 News