82w ago - PlayStation 3 developers have been busy recently working on payloads for dumping the PS3 per console keys, as once the per_console_key_0 is obtained with full EID decryption dongles and burned BR-D's may be a thing of the past.
Below are details from sphinxkoma and the PS3 Wiki (ps3devwiki.com/index.php?title=Talk:Per_Console_Keys) on dumping the per_console_key_1 via Kaz... it's only a matter of time for per_console_key_0 which unlocks everything we need.
To quote: PS3 Per Console Keys
EID crypto is very complicated, it is done so on purpose. first of all EID0 isn't decrypted with one key, and one algorithm alone. it is decrypted in several parts which use different algos and keys. the keys are all derivations of a per console key (per_console_key_1) which is stored inside metldr and copied by it to sector 0 and never leaves isolation. that same key is a derivation of the per console key (per_console_key_0) used to encrypt metldr and the bl in the first place as well.
isoldr clears that key from sector 0 before jumping to the isolated module. but before doing so it encrypts it with another keyset and stores it in a buffer so that the isolated module can use the new crafted key. since the operation is AES, if you know that keyset you can decrypt...
83w ago - Today Spanish PlayStation 3 developer DemonHades has shared another video of JFW DH PS3 CFW, this time demonstrating the USB Preloader and Flash dumping without a JIG extracting the backup of the 4 PS3 flash files on the Custom Firmware.
To quote, roughly translated: In this video I show how the preloader already done, we can dump the 4 flashes of the flash, if we make an error to recover.
As you can see the preloader working safely by the combination of the jig, but without the use of jig (never activated if you do not do the combination, and although it does not detect activated if the magic flags or contained in GRID_UPDATER not perform nothing harmful).
Simply putting the usb where we want to save, and flags magic to do what we send in "direct mode".
In the video we can see GRID_UPDATER folder, this folder is the "Direct Modules Installer" unlike the "direct mode" (root pendrive) this only updates from configurations of plugins, modules to plugins or flash.
Direct mode: the configuration of the USB Pilla (in safe mode)
Installer mode: Install the modules to replace dev and let the new configuration observed.
1saludo and thanks as not Jaicrab, Alexander and Maki and the explanatory video kiki...
170w ago - Hi guys, I used an Atmega8 running at 16Mhz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.
I was quite surprised, It actually worked fairly straight away! I only had one pulse going everytime I pressed the button at first but not a lot was happening.
So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.
After about 30-40 seconds... I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10mb bin.
Just having a look through the dump, lots of strings in there.. I haven't dropped it into IDA yet tho...
This is the source and hex (for those who dont want to compile it) for the Atmega8 which I glitched my PS3 with. The Chip I used was the Atmega8-16pu....
193w ago - Today SKFU has shared a bug he found in PS3 Firmware 2.8 (although he said it should be present since 2.0 through 3.0) that allows you to dump random data from the PlayStation 3 HDD and RAM.
To quote: There's a little "bug" in the PlayStation3's NAT test which causes that you can dump random data from the HDD and RAM. Why exactly this appears; I don't know, yet. But well, it is interesting.
The way how to do it is pretty simple. Set up Wireshark on the PC and activate ICS (Internet Connection Sharing).
Connect the PS3 with the PC via LAN and start Wireshark's logging/sniffing feature on the LAN device. Now go to Settings on the PS3 and start a Internet Connection Test in the Network option.
When the PS3 starts the NAT testing it will send default STUN packets together with several IP Fragments. Those both packet types will contain random data which the PS3 grabs from the HDD and/or RAM. There you go.