26w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog: The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):

34w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel...

37w ago - Following up on his previous release, today Sony PlayStation 3 hacker Naehrwert has updated SCETool to version 0.2.9 which now includes an NP application types fix and more as detailed in the changes below.

Download: PS3 SCETool v0.2.9 / ZLib1.dll File (Required) / ZLib1.dll File (Mirror) / SCETool.exe v0.2.9 (no zlib1.dll or data folder required) by ben.ss7

Version 0.2.9

• Plaintext sections will now take less space in metadata header keys array.
  
• Added option to specifiy a template SELF to take configuration values from.
  
• Added option to override the keyset used for en-/decryption.
  
• Fixed NP application types.
  
• [Firmware Version] will now be written to control info only.
  
• [Application Version] will now be written to application info only.
  

Finally, from ben.ss7: Here is a scetool v0.2.9 which has zlib1.dll and the data folder embedded within the exe, which means it doesn't require...

41w ago - Following up on his previous release, this weekend Sony PlayStation 3 hacker Naehrwert has updated SCETool to version 0.2.8 which now includes SPP parsing among the changes outlined below.

Download: PS3 SCETool v0.2.8 / ZLib1.dll File (Required)

For those unaware, SCETool is a PS3 key crypto tool that supports a wide range of binary file types (SELF, RVK, PKG, SPP, OTHER).

To quote via Twitter: SCETool 0.2.8 (intermediate release)

Version 0.2.8 (intermediate release):

• Fixed minor bugs where scetool would crash.
  
• Added SPP parsing.
  
• Decrypting RVK/SPP will now write header+data to file.
  

43w ago - Following up on his Quick PS3 CoreOS Image Tool code release and recent hints, today PlayStation 3 developer Naehrwert has made available PS3 Dump_Rootkey code and a brief guide below so users can dump their own PlayStation 3 root key without Linux.

Download: PS3 Dump_Rootkey Code / PS3 Dump_Rootkey Code (Modified and compiled by Attila for Windows using Cygwin - just provide the IP as parameter after dump_rootkey like this: dump_rootkey.exe 192.168.0.1) / PS3 Resigning Tools by Attila

Naehrwert has also confirmed that Asbestos PKG only works in 3.41. He has posted the AsbestOS and Source Code to change the offset for people to adapt it to other PS3 Firmware versions and tul compiled the ELF to an AsbestOS...