PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

March 5, 2011 // 7:51 pm - Today PS3 hacker Mathieulh reports finding a PlayStation 3 Firmware 3.56 exploit, although he states he has no plans to give any further details about it.

To quote from PSX-Scene (linked above): Well-known hacker Mathieu Hervais has reportedly found a bug that allows exploiting metldr, the bootloader and firmware version 3.56. Unfortunately, he refuses to release it.

Originally Posted by Mathieulh (via Twitter):

I hesitated a lot before tweeting about it, but a bug allows exploiting metldr, the bootloader and 3.56+. I don't intent to ever unveil it.

So much for "unhackable" PS3s though... I am not giving any further details about it. Sorry.

Actually the revocation list exploit doesn't allow you to exploit isoldr, you could however sign a revoke list if you had the revocation list keys and knew the sign fail, and use that to dump isoldr. Metldr does not load revocation lists.

This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys) This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys)

You can also dump any loader using a signed metadata (including metldr) though that means you need to have the keys for it in the first place (kinda kills the purpose)

Your entire purpose is to get the isolated process (the code running inside the spu) to jump to your instructions

For exemple the following instructions will dump the isolated LS to the SPU mailbox:

loop:
rdch $3, ch29
lqd $3, 0($3)
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
rotqbyi $3, $3, 4
wrch ch28, $3
up_one:
br loop
br up_one

Of course you'll need a ppu payload to fetch the mailbox data. Metldr is trivial to dump now that you can sign your loader, but I wont say anything more on this.

Finally the problem with isoldr and the revoke list exploit isn't so much that the exploit doesn't work (it actually does) It's that the payload from the crafted revoke list overwrites isoldr keys (which kinda kills the whole purpose), You can however get the revoke list keys from lv2ldr or appldr using the revoke list exploit and then sign a revoke list metadata to exploit isoldr later on. (There are other ways to get isoldr though, including the 3.60+ exploit I have (but there is at least another I know of) Again, good luck in your endeavor.

There is more than one npdrm key. It's not been released because the ones who have the skills to do it do not remotely care about pirating PlayStation store games (obviously).

Finally, in related PS3 homebrew news today a PS3 FW Downloader application has been released which includes Official PS3 Firmware 2.50 - 3.55 and has Geohot, Kmeaw, Wutangraz PS3 Custom Firmware and 3.55 Downgrader support.


PS3 Hacker Mathieulh Finds PlayStation 3 Firmware 3.56 Exploit

PS3 Hacker Mathieulh Finds PlayStation 3 Firmware 3.56 Exploit

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.



#361 - Bartholomy - February 3, 2012 // 1:17 am
Bartholomy's Avatar
I know what you do, and your spirit, bro. The problem is not your point of view, or mine. Sony is japanese. Japanese looks ps3 hackers/devs as trash who deserve to be digged, deep. Doesn't matter if your work will lead to double Sony's income. Doesn't matter if your work will stop piracy.

Doesn't matter if your work will stop an abuse of some teams. For Sony's eyes, you're using THEIR product and THEIR software (every level of them) and for this reasons, if you release something, you will be sued and called to a particular tribunal, where a funny judge will take care of ruin your life worst than if you was a drug pusher. Sony don't say thanks, neither if you save the CEO's life. You touched THEIR product, you will pay.

It's the truth, bro. And you know i'm right.

#360 - ValoX - February 3, 2012 // 1:15 am
ValoX's Avatar
Thanks for the news.

#359 - cfwprophet - February 3, 2012 // 1:05 am
cfwprophet's Avatar
The only thing what i can say: If sony want to sue some one of us im sure they dono need the help of this so called dev god's. From my point of view they would have more reasons to sue DRM teams then normal scene guys like us.

We don't sell sonys games hacked and pressed on a debug disk with there debug key. We dono use and sell a dongle with sonys drm stuff to prevent our work. We're also not releated to any release of sonys keys or what ever. We using tools, code and stuff others have written and released and this also includes work of this dev's. So what they want to do with us ?

We're not against sony, we're not against the scene, we're not against other dev's. We're against team's and dev's using sonys sys to make money with it. We're against dev's preventing those teams.

So we're not the BAD guys which upset sony. On special case WE help sony to stop those guys making money with sonys work. If you ask me sony have more reasons to sue those both teams and every dev of the scene involved into it then to sue guys like me or others.

And also we have not found something new that we push now. The theory of our ongoing work is based on them. They put the con into debugger mode to be able to let you play new games and sell this for a lot of money.

If those teams never started to sell there dongles we wouldn't never started to do the work we now do. So if some one of thoes dev's want to sue some one they should start and sue themself.

#358 - kira30 - February 3, 2012 // 12:55 am
kira30's Avatar
exactly, they need to relax a little, like you said "it's only video games".

#357 - Bartholomy - February 3, 2012 // 12:08 am
Bartholomy's Avatar
You don't understand those devs, elser1, because:

A You're not a loser nerd who need youpo for take a look to a girl
B You lost somewhere your teenager brain, the same one who make you feel a god when you complete a game on HARD MODE (I felt to be a god when i finally got my Bachelor, big difference)
C As much you're a dev, willing to help, elite group will start to threat you, with something like : "well done, you found a great exploit" "Hehe thanks. I think i'll publish it on ps3news and other major forums" "No, you don't understand how things works. You will keep it for yourself, thanks for share" "I beg your pardon? I'll release it in an hour"

"You still don't understand. We will send an email with your name and location to Sony and your life will be gone, if you try. Beware, no joke. You will do like us. Enjoy your work, play online with every game. Share it with your faithful friends. But again, if something goes leaked, we will be the first to help Sony to sue ya".

This is the real story. Kinda crap, right?

Thanks cfwprophet and nabnab, to ignore them.

#356 - kreus - February 2, 2012 // 8:46 pm
kreus's Avatar
oh I thought they found a way to decrypt the eboot and unsign. That way it would be possible to reverse engineer. Then all hope is lost hehe

Congrats Cfwprophet and nabnab, I know youre trying hard to make a better place for the scene.

#355 - cfwprophet - February 2, 2012 // 8:42 pm
cfwprophet's Avatar
We know how it works and have explained a lot of times. The dongle puts your con into debugger mode. In this special mode you can debug games and thats what they do. They use the system embended debugger to let you play those games.

They take the official game selfs from disk and dump out the elf via the sdk, then re-encrypt them as debug selfs and on a special way thats it.

But it takes a bit more work to get this for free for every one done. The keys have nothing to do with it. They use drm just to hide and to be able to milk us all a bit longer till a free version is done.

#354 - kreus - February 2, 2012 // 8:41 pm
kreus's Avatar
And if someone finds how it works, it should be possible of doing the same thing comparing the eboots without the keys with the ones with keys.

In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input.

#353 - elser1 - February 2, 2012 // 8:32 pm
elser1's Avatar
its a shame they all think its such a big deal.. its only video games not cure for cancer.. sure it would be great and mean a lot to alot of us but in reality its not that big of a deal, but the way they act gives them a feeling of power i guess.. i don't really understand such behavior, myself i get most enjoyment out of trying to help others..

i wish i bought an xbox when i had the spare cash.. but i love psn too much so ill stick to my ps3 and grin and bare it.. LOL

#352 - kreus - February 2, 2012 // 8:30 pm
kreus's Avatar
sorry if it sounds stupid, but we seem to already have the equation ecds uses, cant we extrapolate the variables using multiples ps3 on ofw 4.00 and HFW 4.00?

For what i saw the ECDS encryption only works fine if there is only one or a few machines with the same key. With multiple ps3's its possible to extrapolate, and the higher the number the easier it is.