
November 20, 2011 // 10:11 pm - Following up on the previous PS3 Metldr news update and Guides, this weekend Spanish PlayStation 3 developer DarkVolt has made available dumpmetldr.bin, which appears to be a dump of the new PS3 Metldr revision found in PlayStation 3 CECH-2504 consoles (datecode 1b and above), followed by a PS3 Boot Loader SE Version 3.7.3 (lv0 segment) dump and more below.

Download: PS3 Metldr2 DumpMetldr.bin / PS3 Boot Loader SE Version 3.7.3 (lv0 segment) / PS3 Metldr2 Dump (most complete head including) / UP0001-CMX000010_00-METDUMPER0000000.pkg / metldr_475-478_fixed.rar / metldr_475-478.7z by CMX via zecoxao / by haxxxen

To quote, roughly translated: Here I come to leave the metldr decryption; as I progress I will publish a thing or two more.

Look for geohot's root key within the metldr dump I published, to see if we get lucky.. I am the source and the base is an exploit..

Again an image, but this time I am not clear. I have work; I'll be releasing more stuff. Saying this is not worthy... hehehe, explanation:

We have a decrypted metldr here; if you look at it you will see it is an ELF without the normal header. It contains the root keys that geohot published and a couple of 0x30 added from 3.50 onward, and it STILL USES THEM.

Having the metldr as an ELF, we can put the header on it and load it into anergistic, using it as an unselfer for loaders! The metldr is still used in 3.74 (a debug already exists) and in 3.73 retail too.

The difference in loading is that before, the metldr used to take the files from CoreOS, and now it delivers LV0 to us via RAM and closes access to the file, BUT WE CAN DECRYPT IT with the keys added to the root metldr if we have the file.

LV0 can be decrypted if we fix the math to support the bootldr, decrypt the metadata from the LV0 header and decrypt it with the rest of the spaces with their loaders.. Worthy, is it not? hehe

Edit to add: if you compare an ISOLDR from 3.55 with the metldr you will realize that they are almost the same; I mean the isoldr contains the updates for the metldr (virtual, of course).

That in 3.60+ is also inside of LV0, so every time it boots it can update the initial metldr with the new pair of keys it already has... loading the metldr in anergistic.


With Metldr we have almost total control of the console, as we see in the picture above; however, it also shows that the bootldr is the only part of the PS3 outside the Metldr, but (and I say this in complete ignorance, using only low-level logic) if you have full access to the console it should be much simpler to access bootldr; in any case, if this is true it would mean a breakthrough.


PS3 Boot Loader SE Version 3.7.3 (lv0 segment):

From jon_17_: metldr loads the ldrs, but these must first be authenticated against a hash that metldr itself contains internally. metldr2 comes in certain non-downgradeable consoles (datecode 1b and higher), which are the most modern consoles today.

Metldr weighs 60KB (usually, in some cases); the SPU local store has 256KB. The loaders load LV0 decrypted (always), lv1 (always) and lv2 (only in lpar_ps3). The loaders themselves decrypt LV0, lv1 and lv2.

The lv2 to be deciphered in lpar_ps3 is saved in the isolated SPU local_store together with the idstorage; this stores the idstorage hash of valid executables.

From zecoxao comes a Metldr LV2 Dumper for PS3 4.75 to 4.78 Retail Consoles by CMX, who states the following:

Today is a special day. This marks an important release. You are now able to dump metldr from a simple pkg install, instead of using linux resources. That's right, thanks to CMX, this awesome bundle allows you to dump metldr without going through red ribbons and debians!

Created by:

Flatz, for the original root key dumper source.
Joon and Mike, for the tests.

CMX (he made it all possible)

(The build script is ready to use, but I was too lazy to upload the modified pkg source in the first link.)


Finally, from haxxxen to quote: Since it is easy to port in a few minutes, I have now made a pkg of the erk/met dumper for FWs 4.21, 4.46, 4.65, 4.70, 4.75, 4.76, 4.78 (CEX or DEX).

Btw, you only need 5 symbols, so you can remove the rest: toc, extend_kstack, copy_to_user, memset, memcpy. Further, only the syscall table and those 2 GameOS lpar thingies are needed.

On another note, you should remove/comment out the new_poke install, since it can mess with Cobra mode. With it disabled, the dumpers work fine regardless of whether Cobra is running or not.

The lv1 patches can be done dynamically with search patterns, and only the htab and spe patches are needed, since the others are enabled by default (at least on Rebug 4.21).

New PS3 Metldr2 Revision Dumped by DarkVolt as DumpMetldr.bin


#201 - jopopo - February 6, 2012 // 7:41 pm
Hi everyone,

Do you think we can use a precomputed table like the "Rainbow table" to decrypt this key?

#200 - Nabnab - February 6, 2012 // 2:54 pm
Forget about CUDA; it is not flexible and has some restrictions (you need to respect some specific algo). Better to use ATI Stream.

#199 - SCE - February 6, 2012 // 2:46 pm
AMD Stream and CUDA would make this 100 times faster...

#198 - HackSoul - February 5, 2012 // 11:30 am
So... he gets a, let's say, 3.7+ EBOOT and tries to decrypt it with every possible key combination? I suggested that to the PS360 Team a few months ago, but nobody paid attention.

#197 - abzii - February 5, 2012 // 11:25 am
Technically the X360 doesn't use a modchip, it's just a replica PCB, but a blank one.

#196 - moja - February 5, 2012 // 4:50 am
Quote Originally Posted by Transient:
I don't think anyone who has replied thus far has actually read what the author wrote. He said this does NOT use a bf method. If I understand it correctly, he's using all possible combinations of 32-bytes that can be found in the source file.

That still seems a bf-ish method to me, but I understand what you are saying.

#195 - antuss - February 4, 2012 // 11:11 pm
The Xbox 360 security is a lot less complicated than the PS3's. The days of, say, the PS1, where it was as simple as injecting "SCEASCEESCEJ" over and over between the drive and the CPU (one of each of the magic letters for each region that the drive read from the subchannel data on original CDs), or the PS2 days, where it was more complicated but once it was done there was no such thing as firmware upgrades, are gone... this is where it is now for the PS3...

#194 - young blade - February 4, 2012 // 10:07 pm
this is the dongle era..

#193 - CS67700 - February 4, 2012 // 8:44 pm
I believe the real hacking has to be done on the hardware, like the good old days of mod chips. Nothing can equal a good mod chip; look at the 360, it can run ISOs from an external HD with the 360key.

We need someone with some good tech skills and knowledge of the PS3 architecture to release some mod chip, and voila. Why be stubborn about finding keys and making some CFW?

A bit of soldering and some tools and you might find what you're looking for. I believe the next level of PS3 hacking resides in mod chip, like the 360.

#192 - Transient - February 4, 2012 // 8:34 pm
I don't think anyone who has replied thus far has actually read what the author wrote. He said this does NOT use a bf method. If I understand it correctly, he's using all possible combinations of 32-bytes that can be found in the source file. The time required to calculate that isn't much at all. Of course, this would require the lv0 key to just be sitting there unencrypted, so pretty unlikely, but I guess one can dream. Maybe a good enhancement (for the sake of completeness) would be to first try decrypting using all known keys and then searching for lv0 key.

Either way though, I can't think of any reason lv0 key would be in any file but I guess you never know. Nobody would have expected Sony to use the same "random" key in their signing algorithm either, but as it turned out they did and all someone had to do was look.
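The comment above turns on one observation: if a raw key were sitting unencrypted inside a file, every 32-byte window of that file would be a candidate, and there are only about as many windows as the file has bytes. The defender-side version of the same observation is a release check that scans a shipped image for such windows, because raw key or hash material has far higher byte entropy than code, strings or padding. The following Python is an added example written for this page; it is not code from the page, from Transient, or from any of the quoted authors, and the sample image, the fake key, the offsets and the 4.5 bits-per-byte threshold are all constructed assumptions.

```python
"""Entropy scan for key-like 32-byte windows in a binary image.

Added example (not from the page or any of the quoted authors).  It shows
the defender-side use of the idea in the comment above: every 32-byte
window of a file is a candidate key, and a window that really is raw key
material stands out by its byte entropy, so a release check can flag it
before an image ships.  All sample data below is constructed.
"""
import math
from collections import Counter
from typing import Iterator, List, Tuple

WINDOW = 32  # a 256-bit key, the candidate size discussed in the comment above


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0).

    A 32-byte window can reach at most log2(32) = 5.0, and only when all
    32 bytes differ, so thresholds for short windows must stay below 5.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def candidate_count(size: int, window: int = WINDOW, step: int = 1) -> int:
    """How many `window`-byte candidates a `size`-byte file contains."""
    return 0 if size < window else (size - window) // step + 1


def windows(blob: bytes, window: int = WINDOW,
            step: int = 1) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, bytes) for every window of `blob`, including unaligned ones."""
    for off in range(0, len(blob) - window + 1, step):
        yield off, blob[off:off + window]


def key_like_regions(blob: bytes, window: int = WINDOW,
                     threshold: float = 4.5) -> List[Tuple[int, int]]:
    """Return merged [start, end) byte ranges covered by high-entropy windows.

    `threshold` is in bits per byte (assumed value).  4.5 admits windows with
    roughly 26 or more distinct byte values, which rejects zero fill, erased
    flash, ASCII strings and most code while accepting raw key or hash material.
    """
    regions: List[List[int]] = []
    for off, w in windows(blob, window):
        if shannon_entropy(w) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1][1] = off + window  # overlaps the previous hit: extend it
        else:
            regions.append([off, off + window])
    return [(s, e) for s, e in regions]


# --- constructed sample image (not a real dump) ---------------------------
# 32 distinct byte values: i * 37 + 11 mod 256 is a bijection, so this window
# has entropy exactly 5.0.  It stands in for a key left in the clear.
FAKE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(WINDOW))
KEY_OFFSET = 96  # constructed position of the fake key inside the image

SAMPLE_IMAGE = (
    b"\x00" * 64                        # zero fill
    + b"CoreOS ".ljust(32, b"\x00")     # a short ASCII string plus padding
    + FAKE_KEY                          # offset 96: the key-like region
    + b"\xFF" * 48                      # erased-flash style fill
    + b"lv0lv1lv2" * 7                  # repetitive loader names
)


def scan_sample() -> List[Tuple[int, int]]:
    """Scan the constructed image; the single region found covers FAKE_KEY."""
    return key_like_regions(SAMPLE_IMAGE)


if __name__ == "__main__":
    print(f"{candidate_count(len(SAMPLE_IMAGE))} candidate windows in "
          f"{len(SAMPLE_IMAGE)} bytes")
    for start, end in scan_sample():
        print(f"key-like region at 0x{start:04x}-0x{end:04x}: "
              f"{SAMPLE_IMAGE[start:end].hex()}")
```

On the sample the scanner reports one region, a few bytes wider than the fake key on each side, because windows that overlap the key by 26 or more bytes still clear the threshold; the region is therefore a locator, not an exact key boundary. The `candidate_count` figure is the point Transient makes about cost: a file of a few tens of kilobytes yields only a few tens of thousands of 32-byte windows, so scanning all of them is cheap, which is exactly why a key left in the clear in a shipped image cannot be relied on to stay hidden.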