ΥΓ.Μόλις έσπασε το 6.37 Firmware του PSP η Sony βγάζει νέα αναβάθμιση 6.38....
@xShadow125 You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.
@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
@xShadow125 You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.
@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
The new 3.56+ values for tarballs are the following: owner_id, “0000764″ group_id, “0000764″ owner, “tetsu” group, “tetsu” ustar, “ustar “
You can use fix_tar to use those new values. Use with caution.
By comparison, those are the pre-3.56 values. owner_id, “0001752″ group_id, “0001274″ owner, “pup_tool” group, “psnes” ustar, “ustar “
@Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
Πρόσθετες πληροφορίες για το LV0 console security, ανεβασμένο από τον RMS:
Anyway, let’s really discuss something PS3 instead of my PC , let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the “Cell OS Bootloader”. In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary. All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.
So, unless you can decrypt Lv0, no 3.60 “CFW” for you . Is there any need for it anyway?
—
Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then “YLOD”, and you’d need a flasher for your PS3 to recover
There you go, with all the information available out there i just wonder why didn’t anyone found the solution to the exploit that Mathieulh (and maybe some people we didn’t know) discovered weeks ago. Maybe instead of *****ing why the guy did not release anything, try listening to what he said this time.
Mathieulh:
1. lv0 isn’t a loader it’s a ppu binary
2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos
3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware
5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)
But wait, messing with this thing could lead to the YLOD tragedy, unless you have those expensive NOR flasher you might want to proceed, and that’s according to rms again.
Ο Si1entDev μιλάει με τον Mathieulh για το “exploit”:
SilentDev> Mathieulh , i’m stucked i read and read your post’s with 3.60+ exploit , and no have idea to first step , i already installed a teensy ++ to flash nor for brick risk , you have any hint to me?
nope
you need dual nor/nand
no hints
lol
the first step
is to clone your existing nor/nand
to another
and solder it with a switch
you also need to solder on the cell reset line
(look at those leaked service docs to see where it’s at)
holy shit
what a exploit
it’s more of a trick
than an exploit
at least to me it is
and all it lets you do is to get 3.60 keys
ah
the interest is quite limited
*** cooled [~cooledef@pool-98-116-134-86.nycmny.fios.verizon.net] has joined #ps3dev
*** mode/#ps3dev [+v cooled] by hyprvisor
so this is for future cfw’s then?
igor242 that’s not the loaders exploit I tweeted about
it’s something else entirely
the loader exploit is actually easier to use xD
then what use are 3.60 keys?
shhhhh. don
but it’s still a mess to implement
ok rms xD
don’t leak our hard work
lol
I even lol more at “hard” xD
lol
*** WiiSpacem [~Spiff@190.50.18.129] has joined #ps3dev
I mean that bug is so stupid xD
yea
rate it
on a scale of one to blueberry
but its painful to implement
i thought your trick was for pulling the keys to sign cfw with
rms it’s still ****ing dumb xD
*** lyntoo [~manitoo@64.235.204.179] has joined #ps3dev
Mathieulh true
im curious
SilentDev> oh , i need another ps3 to extract nor , soldering look easily , ? any schematics to put switch released ?
igor242 of course not, you can’t get 3.60 private keys
bottomline it
*** mode/#ps3dev [+l 404] by NNNnc1
Hey could you send to me? I am getting my 2 other ps3′s in a few days
I cant test?
*** GomGom left #ps3dev [19 01 b2 b3 78 d3 74 5a 10 e0 99 6b 3e c1 12 5d]
dospiedra you need to switch between the 2 nor/nand
at runtime
i see
switch all points????
mathieulh could yoiu?
SilentDev yes
lol ….
40+ switchers
look great
dos that sounds like fub
SilentDev I said it works, I didn’t say it was easy xD
you’d also need to code the ppu dumper
the one you want to replace lv1 with
ok , i now search other nor chip and desolder already installed to put switchers
Ερχετε το νεο cfw 3.60 με δωρο την λαμπαδα !!
ΑπάντησηΔιαγραφή