
February 4, 2012 // 4:04 am - Following up on the previous update, this weekend Spanish PlayStation 3 developer Calantra has released a homebrew application to find PS3 Keys dubbed Lv0 Assault followed by updated versions below.

Download: PS3 Lv0 Assault v1.0 / PS3 Lv0 Assault v1.1 / PS3 Lv0 Assault v1.2 / qtintf.dll (Required)

To quote, roughly translated: LV0 assault is an application that uses the contents of any file type to search for valid cryptographic keys to decrypt files encrypted with keys LV0 metldr * or *.

What it does:

The operation of this program is not based on "brute force" techniques; it is limited to trying all possible 32-byte keys that can be found in a file.

What we can get:

If by chance the LV0 key appears, in theory you could decrypt the LV0 file contained in updates and versions higher than 3.56, which in turn contain the long-awaited keys.

What it does not do:

  • It is used to decrypt any file type.
  • It serves to create any CFW.
  • It is used to play GT5 and to play on PSN.


If we want to find the lv0 key, ideally use the files with the densest data possible; these are files that are compressed or encrypted. It is also very useful for finding keys if you have memory dumps from the localstore.

It should be clear that it is extremely difficult and unlikely to get the key LV0 by this method, but it's better than sitting in front of the screen waiting for the prophet down the mountain with the solution to your problems. The more people looking the better.

This program is experimental and is based on a complete utility that I used for some time to locate and catalog keys. There are more explanations in the "readme" file that comes with the program, along with contact addresses.

How to use:

Click on the "search for" menu, then select lv0 to find the lv0 key or metldr to find the metldr key.

Thanks to:

All the ps3devwiki contributors, Team Fail0verflow, Kakarotoks; to all of them for sharing their knowledge.

Last of all, excuse me a lot for my bad English.

Regards, Calantra.

Lv0 Assault Homebrew Application to Find PS3 Keys is Released
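
An added example, not Calantra's code and not part of the original post: the same sliding 32-byte-window idea applied to auditing, where a key owner checks whether a firmware image or memory dump contains key material they already hold. The fingerprint set, the entropy threshold and the sample dump are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

KEY_LEN = 32  # the quoted post treats every 32-byte run in a file as a candidate


def shannon_entropy(window: bytes) -> float:
    """Bits per byte over the window (5.0 when all 32 bytes differ)."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def find_known_keys(blob: bytes, fingerprints: set, min_entropy: float = 3.5):
    """Return [(offset, sha256_hex)] for each 32-byte window that is one of our keys.

    A window is confirmed only when its SHA-256 equals a fingerprint we already
    hold, so the scanner itself never has to store key bytes.
    """
    hits = []
    for off in range(len(blob) - KEY_LEN + 1):
        window = blob[off:off + KEY_LEN]
        # Pre-filter (an assumption of this example): skip padding and text.
        # Set min_entropy=0 if a weak, repetitive key must also be caught.
        if shannon_entropy(window) < min_entropy:
            continue
        digest = hashlib.sha256(window).hexdigest()
        if digest in fingerprints:
            hits.append((off, digest))
    return hits


def build_sample():
    """Constructed data: a fake dump with one made-up key planted at 0x140."""
    key = bytes((i * 37 + 11) % 256 for i in range(KEY_LEN))  # not a real key
    header = b"CONSTRUCTED SAMPLE IMAGE".ljust(0x40, b" ")
    filler = hashlib.sha256(b"constructed filler").digest() * 8
    dump = b"\x00" * 0x100 + header + key + filler
    return dump, {hashlib.sha256(key).hexdigest()}


if __name__ == "__main__":
    dump, fps = build_sample()
    for off, fp in find_known_keys(dump, fps):
        print(f"owned key material at offset {off:#x} (sha256 {fp[:16]}...)")
```

A hit means a key that should only exist inside protected storage is present in cleartext in the scanned artifact, which is the condition the tool described above depends on.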


#161 - bigo93 - November 21, 2011 // 10:33 am
So the new "unhackable" console can be hacked, but only if we had the keys, which can be obtained by using math's method, a method he refuses to share. So basically Sony only patched a little in the new console, so all we know is that it is hackable. But anyone knows anything can be hacked into eventually, so does this news really bring us closer to cfw 3.73?

Would be a nice xmas gift for devs to release such a thing, but we probably have a better chance of finding a lump of coal under the tree.

#160 - NTA - November 21, 2011 // 7:24 am
New CFW = Best Christmas Gift of 2011

#159 - elser1 - November 21, 2011 // 7:13 am
it's all over my head at this point in time.. if i wasn't so busy playing games i'd try to learn all this stuff.. LOL

#158 - Foo - November 21, 2011 // 6:11 am
Here's what a good majority of the people don't know:

Math told us how to do this already!!! There was a bit of a puzzle, but once you put it together you understand it. (If you understand this stuff)

And DemonHades was right. It's possible through RAM.

#157 - elser1 - November 21, 2011 // 2:18 am
i wish i knew what they are talking about.. LOL

#156 - PS4 News - November 20, 2011 // 8:48 am
Following up on the previous PS3 Metldr news update and Guides, this weekend Spanish PlayStation 3 developer DarkVolt has made available dumpmetldr.bin via which appears to be a dump of the new PS3 Metldr revision found in PlayStation 3 CECH-2504 consoles (datecode 1b and above) followed by a PS3 Boot Loader SE Version 3.7.3 (lv0 segment) dump and more below.

Download: PS3 Metldr2 DumpMetldr.bin / PS3 Boot Loader SE Version 3.7.3 (lv0 segment) / PS3 Metldr2 Dump (most complete head including) / UP0001-CMX000010_00-METDUMPER0000000.pkg / metldr_475-478_fixed.rar / metldr_475-478.7z by CMX via zecoxao / by haxxxen

To quote, roughly translated: Here I come to leave the metldr decryption: according fence can I go to publish a thing or two more.

Seeks the root key of geohot within the metldr dump I published aver if it sounds the flute.. I am the source and the base is an exploit..

Deneuve image but this time I am not clear. I have work I'll be releasing more stuff. Saying this is not worthy... hehehe explanation:

We have a decrypted metldr here, if you see it you will see a little is an elf without the normal header. It contains the root keys that geohot publish and a couple of 0x30 added from 3.50 and ahead, and it STILL USES IT.

HAVING in the elf metldr we can put it the header and upload it in using it as anergistic unselfer for loaders! The metldr is still used in 3.74 (a debug already exists) and 3.73 retail too.

The difference of charge IS that before the metldr used to take the files from CoreOS and now it deliverer LV0 via ram em to us and close the access to the file BUT WE CAN IT DECRYPTED with the keys from the root metldr added if we have the file.

LV0 can be decrypted if we fix the feat of math to support the bootldr and decrypts the metadata from the header from LV0 and decrypts this with the rest of the spaces with their loaders.. Worthy is it not? hehe

Edit to add, if you compare an ISOLDR from 3.55 with the metldr you will realize that they are almost the same, I mean the isoldr contains the updates for the metldr (virtual of course)

That in and 3.60 + Also it IS inside of the LV0 so it every time can update the initial metldr boots with the new couple of the keys already have... uploading the metldr in anergistic

With Metldr have almost total control of the console as we see in the picture above, however also shows that the bootldr is the only part of the PS3 outside the Metldr, but (and I say this in complete ignorance but using a logic low) and you have full access to the console should be much simpler to access bootldr in any case if this is true it would mean a breakthrough.

PS3 Boot Loader SE Version 3.7.3 (lv0 segment)

From by jon_17_: The loads metldr ldr, ldr but these must be authenticated before a hash that contains internally metldr himself. metldr2 comes in certain consoles not downgrade (dataCode 1b and higher) are the most modern consoles today.

Metldr weighs 60KB (usually in some cases), the spu local store has 256KB. The loaders to load the LV0 be decrypted (always), lv1 (always) and lv2 (only in lpar_ps3). Decrypted the loaders themselves LV0, lv1 and lv2.

The lv2 to be deciphered in the lpar_ps3 saved in the spu local_store isolated the idstorage, this stores the hash idstorage of valid executables.

From zecoxao comes a Metldr LV2 Dumper for PS3 4.75 to 4.78 Retail Consoles by CMX, who states the following:

Today is a special day. This marks an important release. You are now able to dump metldr from a simple pkg install, instead of using linux resources. That's right, thanks to CMX, this awesome bundle allows you to dump metldr without going through red ribbons and debians!

Created by:

Flatz, for the original root key dumper source.
Joon and Mike, for the tests.

CMX (he made it all possible)

(The build script is ready to use, but i was too lazy to upload the modified pkg source in the first link )


Finally, from haxxxen to quote: Since it is easy to port it in a few minutes, i have made now a pkg from erk/met dumper for fws 4.21, 4.46, 4.65, 4.70, 4.75, 4.76, 4.78 (cex or dex)

Btw, you only need 5 symbols, so you can leave and remove the rest: toc, extend_kstack, copy_to_user, memset, memcpy. Further it is only syscall table and those 2 gameos lpar thingies needed.

On another note, you should remove/comment new_poke install, since it can mess up with cobra mode. Disabled, the dumpers work fine regardless of running cobra or not.

The lv1 patches can be done dynamically with search patterns and only htab and spe patch is needed, since the others are enabled by default (at least on rebug 4.21)

#155 - firebuddie - November 17, 2011 // 12:40 pm
I find it surprising there's not more talk about the zero size self exploit load to HV found by Fail0verflow and detailed in xx404xx doc links at start of this thread.

If the HV could be exploited, it could be patched to NOT hide the lvl0 bootloader and therefore use HV to dump the bootloader, even if it is encrypted, it is a start.

Like Maths and xx404xx keep hinting, it's all there on our PS3's. Just getting the sucker to give it up! Like I say, don't know why a known exploit of HV is not being discussed/followed up on, or maybe it is and I ain't on right IRC channels to hear about it?

#154 - elser1 - November 15, 2011 // 3:39 pm
so many smart people on here but the keys are elusive still.. must be hard to get eh.. LOL

surely someone here has what you all want.

#153 - CS67700 - November 15, 2011 // 1:22 pm
If there's so much noise around it, it probably means they're private...

#152 - niwakun - November 15, 2011 // 11:36 am
Originally posted by iscnokia:
I understand that PS3 console uses several levels of encryption and in order to unencrypt it

Private key = sign things
Public key = decrypt things

seriously watch the fail0verflow vid again

Originally posted by iscnokia:
Also, that phony DOS windows showing that output is nothing that any program running what you want so I could also write a C program printing:

printf ("I have a 3.60+ CFW \n");

in dos it's derived with "ECHO" by the way.