26w ago - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.
To quote from his blog: The Exploit
As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):
35w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.
To quote from his blog: Exploiting (?) lv2
A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:
1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.
2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.
Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel...
76w ago - Following up on the previous article and update for the 3.73 JailBreak, today Sony PlayStation 3 Hacker KaKaRoToKS has confirmed it is safe to update to PS3 Firmware 4.00 for those planning to use the exploit when it is released.
Below are some recent Tweets from him, as follows:
FYI, tested yesterday and the jailbreak still works on 4.0 so it's safe to upgrade (for those on 3.73)
Just got my progskeet today. Thanks uf6667 for sending it! It's so small!
Not much new to go on at the moment, but keep in mind the upcoming PlayStation 3 exploit will not enable PS3 backup managers such as multiMAN or Rogero as it does not include support for modifying Peek and Poke for lv1 and lv2 as outlined in the FAQ...
Before posting we had one our PS3 crunching developers look it over, and it seems to be a set of 'C' code and headers and an compiled ELF and SELF that exploits the 'chain of trust' to dump an 'unecrypted' version of your PS3 'metldr'.
Now of course this is not really 'useful' for the average PS3 Jailbreak end-user, but we think...
112w ago - Today PS3 hacker Mathieulh has tweeted some new details on dumping LV0 from PlayStation 3 3.60 Firmware and obtaining the new keys, followed by Ps3WeOwnYoU claiming he has already reproduced it to confirm it works.
Below are all the tweets, as follows:
xShadow125 You can update from your own pup only from 3.55 or lower, unless you have an exploit.
xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
xShadow125 You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.
xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.