Following up on the previous PS3 Lv0ldr / Bootldr clarifications, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it. To quote from his blog:

The Exploit
As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):
```c
//In .data section.
static u8 tmp_pkt[0x800];

//Get size from sc packet.
#define GET_SIZE(pkt) ((pkt << 8) | pkt)

int read_cmpl_msg(/*...*/, u8 *payload_buf /*r5*/, int min_size /*r6*/, /*...*/)
{
	int pkt_size;

	//Get packet header.
	memcpy_aligned_64(tmp_pkt, MMIO_SC_PKT, 0x10);

	//Check packet size.
	pkt_size = GET_SIZE(tmp_pkt);
	if(pkt_size - 4 < min_size || pkt_size + 8 > 0x800)

	//Run first sc_checksum.
```
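To make the size check in the quoted fragment concrete, here is a small stand-alone model of it. This is an added example, not naehrwert's code or anything from lv0: the 0x800 buffer size and the "- 4" / "+ 8" margins come from the fragment above, while the byte offsets of the size field inside the header (the original macro's subscripts did not survive extraction) and the signed operand types are assumptions. A second variant runs the same condition in unsigned arithmetic to show why the operand types of such a check matter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer size taken from the quoted fragment (static u8 tmp_pkt[0x800]). */
#define TMP_PKT_SIZE 0x800
/* Assumed offsets of the big-endian size field in the 0x10-byte header;
 * the real offsets are not recoverable from the fragment. */
#define SIZE_HI_OFF 2
#define SIZE_LO_OFF 3

/* Extract the 16-bit big-endian size field from a packet header. */
int get_size(const uint8_t *hdr)
{
    return (hdr[SIZE_HI_OFF] << 8) | hdr[SIZE_LO_OFF];
}

/* The fragment's condition with int operands (min_size is an int in the
 * fragment's signature; pkt_size is assumed to be one too). A size below 4
 * makes pkt_size - 4 negative, so the first clause rejects it.
 * Returns 1 if the packet size is accepted, 0 if rejected. */
int size_check_accepts(int pkt_size, int min_size)
{
    if (pkt_size - 4 < min_size || pkt_size + 8 > TMP_PKT_SIZE)
        return 0;
    return 1;
}

/* Same condition with unsigned operands: pkt_size - 4 wraps around for
 * pkt_size < 4, so the first clause no longer rejects short sizes. */
int size_check_accepts_unsigned(uint32_t pkt_size, uint32_t min_size)
{
    if (pkt_size - 4 < min_size || pkt_size + 8 > TMP_PKT_SIZE)
        return 0;
    return 1;
}

/* Parse a 0x10-byte header and apply the signed check. */
int header_accepted(const uint8_t *hdr, int min_size)
{
    return size_check_accepts(get_size(hdr), min_size);
}

/* Build a constructed header carrying the given size field. */
void build_sample_header(uint8_t *hdr, uint16_t size)
{
    memset(hdr, 0, 0x10);
    hdr[SIZE_HI_OFF] = (uint8_t)(size >> 8);
    hdr[SIZE_LO_OFF] = (uint8_t)(size & 0xff);
}

/* Constructed header with size 0x20, checked against min_size 8. */
int sample_header_accepted(void)
{
    uint8_t hdr[0x10];
    build_sample_header(hdr, 0x20);
    return header_accepted(hdr, 8);
}

int main(void)
{
    uint8_t hdr[0x10];
    build_sample_header(hdr, 0x20);
    printf("size=0x%x accepted=%d\n", get_size(hdr), header_accepted(hdr, 8));
    printf("largest accepted size=0x%x, next rejected=%d\n",
           TMP_PKT_SIZE - 8, size_check_accepts(TMP_PKT_SIZE - 7, 0));
    printf("size=2: signed=%d unsigned=%d\n",
           size_check_accepts(2, 8), size_check_accepts_unsigned(2, 8));
    return 0;
}
```

With int operands the check admits sizes from min_size + 4 up to 0x7F8 inclusive (0x7F8 + 8 is exactly 0x800, which the `>` test still accepts); with unsigned operands the lower bound silently disappears for sizes below 4, which is why the declared types of both sides of a length check are part of the check itself.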