

213w ago - Today PS3 hacker Mathieulh has tweeted some new details on dumping LV0 from PlayStation 3 3.60 Firmware and obtaining the new keys, followed by Ps3WeOwnYoU claiming he has already reproduced it to confirm it works.

Below are all the tweets, as follows:

Mathieulh's Tweets:

  • xShadow125 You can update from your own pup only from 3.55 or lower, unless you have an exploit.
  • xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
  • xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
  • xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
  • xShadow125 You won't get all of lv0 but the part with the loaders shouldn't be overwritten.
  • xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
  • To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
  • The new 3.56+ values for tarballs are the following: owner_id "0000764", group_id "0000764", owner "tetsu", group "tetsu", ustar "ustar"
  • You can use fix_tar to use those new values. Use with caution.
  • By comparison, those are the pre-3.56 values: owner_id "0001752", group_id "0001274", owner "pup_tool", group "psnes", ustar "ustar"
  • Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
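Mathieulh's fix_tar does the rewrite described in the tarball tweets above. The following C program is an added example, not his tool and not code from the tweets, that shows what that rewrite involves on a POSIX ustar header: the uid/gid fields are NUL-terminated octal strings, uname/gname are NUL-padded text, and because every 512-byte header block carries a checksum over its own bytes, changing those fields means recomputing the checksum or tar will reject the entry. It walks a whole archive held in memory, skipping each entry's data blocks by its size field, and reseals every header with the 3.56+ values from the tweets. The sample archive it operates on is constructed in the program itself (the file names are made up); how Sony's updater actually checks ownership is not covered by the tweets and is not assumed here.

```c
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512

/* Offsets and widths of the POSIX ustar header fields used below. */
enum {
    TAR_NAME = 0,      TAR_NAME_LEN = 100, TAR_UID = 108,   TAR_UID_LEN = 8,
    TAR_GID = 116,     TAR_GID_LEN = 8,    TAR_SIZE = 124,  TAR_SIZE_LEN = 12,
    TAR_CHKSUM = 148,  TAR_CHKSUM_LEN = 8, TAR_TYPE = 156,  TAR_MAGIC = 257,
    TAR_VERSION = 263, TAR_UNAME = 265,    TAR_UNAME_LEN = 32,
    TAR_GNAME = 297,   TAR_GNAME_LEN = 32
};

/* Header checksum: sum of all 512 bytes with the checksum field read as spaces. */
static unsigned long tar_checksum(const unsigned char *hdr) {
    unsigned long sum = 0;
    for (int i = 0; i < TAR_BLOCK; i++)
        sum += (i >= TAR_CHKSUM && i < TAR_CHKSUM + TAR_CHKSUM_LEN) ? ' ' : hdr[i];
    return sum;
}

/* Read an octal numeric field, stopping at the first non-octal byte. */
static unsigned long parse_octal(const unsigned char *p, size_t len) {
    unsigned long v = 0;
    for (size_t i = 0; i < len && p[i] >= '0' && p[i] <= '7'; i++)
        v = v * 8 + (unsigned long)(p[i] - '0');
    return v;
}

/* Write a NUL-terminated value into a fixed-width field; -1 if it does not fit. */
static int set_field(unsigned char *hdr, size_t off, size_t len, const char *val) {
    size_t n = strlen(val);
    if (n >= len) return -1;
    memset(hdr + off, 0, len);
    memcpy(hdr + off, val, n);
    return 0;
}

/* Replace owner/group of one header block and reseal its checksum. Returns 0,
 * or -1 if the block is not ustar or a value does not fit its field. */
int fix_tar_header(unsigned char *hdr, const char *owner_id, const char *group_id,
                   const char *owner, const char *group) {
    if (memcmp(hdr + TAR_MAGIC, "ustar", 5) != 0) return -1;
    if (set_field(hdr, TAR_UID, TAR_UID_LEN, owner_id) ||
        set_field(hdr, TAR_GID, TAR_GID_LEN, group_id) ||
        set_field(hdr, TAR_UNAME, TAR_UNAME_LEN, owner) ||
        set_field(hdr, TAR_GNAME, TAR_GNAME_LEN, group))
        return -1;
    char chk[TAR_CHKSUM_LEN + 1];
    snprintf(chk, sizeof chk, "%06lo", tar_checksum(hdr));
    memset(hdr + TAR_CHKSUM, 0, TAR_CHKSUM_LEN);
    memcpy(hdr + TAR_CHKSUM, chk, 6);   /* stored as "dddddd\0 " */
    hdr[TAR_CHKSUM + 7] = ' ';
    return 0;
}

/* 1 if the stored checksum matches the block contents, else 0. */
int tar_header_valid(const unsigned char *hdr) {
    const unsigned char *p = hdr + TAR_CHKSUM;
    size_t i = 0;
    while (i < TAR_CHKSUM_LEN && p[i] == ' ') i++;   /* some writers pad with spaces */
    return parse_octal(p + i, TAR_CHKSUM_LEN - i) == tar_checksum(hdr);
}

/* Walk an in-memory archive, fixing every header and skipping each entry's data
 * blocks by its size field; an all-zero block ends the archive. Returns the number
 * of headers rewritten, or -1 on a block that is not a ustar header. */
int fix_tar_archive(unsigned char *buf, size_t len, const char *owner_id,
                    const char *group_id, const char *owner, const char *group) {
    static const unsigned char zero[TAR_BLOCK];
    int fixed = 0;
    for (size_t off = 0; off + TAR_BLOCK <= len;) {
        unsigned char *hdr = buf + off;
        if (memcmp(hdr, zero, TAR_BLOCK) == 0) break;
        if (fix_tar_header(hdr, owner_id, group_id, owner, group) != 0) return -1;
        unsigned long size = parse_octal(hdr + TAR_SIZE, TAR_SIZE_LEN);
        off += TAR_BLOCK + ((size + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
        fixed++;
    }
    return fixed;
}

/* Constructed sample: one regular-file entry sealed with the pre-3.56 values. */
static void put_entry(unsigned char *hdr, const char *name, const char *size_octal) {
    memset(hdr, 0, TAR_BLOCK);
    set_field(hdr, TAR_NAME, TAR_NAME_LEN, name);
    set_field(hdr, TAR_SIZE, TAR_SIZE_LEN, size_octal);
    hdr[TAR_TYPE] = '0';
    memcpy(hdr + TAR_MAGIC, "ustar", 6);   /* magic including its NUL */
    memcpy(hdr + TAR_VERSION, "00", 2);
    fix_tar_header(hdr, "0001752", "0001274", "pup_tool", "psnes");
}

/* Constructed 4-block archive: a 16-byte file, an empty file, then the end-of-
 * archive zero block. The file names are made up for this example. */
void build_sample_archive(unsigned char buf[4 * TAR_BLOCK]) {
    memset(buf, 0, 4 * TAR_BLOCK);
    put_entry(buf, "dev_flash/example.sprx", "00000000020");   /* size 020 octal = 16 */
    memcpy(buf + TAR_BLOCK, "0123456789abcdef", 16);
    put_entry(buf + 2 * TAR_BLOCK, "dev_flash/empty.txt", "00000000000");
}
```

To try it, call build_sample_archive on a 2048-byte buffer, then fix_tar_archive with the 3.56+ values ("0000764", "0000764", "tetsu", "tetsu"); it returns 2, and tar_header_valid on blocks 0 and 2 confirms the reseal. For a real PUP tarball the archive would be read from disk into a buffer first; the example deliberately stays in memory. Note the size-field walk is what keeps the rewriter from treating file contents as headers, which a naive "patch every block that contains ustar" approach would get wrong on files that embed tar data.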

So, to decrypt LV0 we need to get to know it better. In his latest blog post, rms has briefly explained what LV0 is and where it sits in the console's security.

Anyway, let’s really discuss something PS3 instead of my PC xD, let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the "Cell OS Bootloader".

In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary.

All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

So, unless you can decrypt Lv0, no 3.60 "CFW" for you. Is there any need for it anyway?
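Both Mathieulh ("then you can get the encrypted loaders") and rms ("if you can get the ldrs out of the binary") stop at the same step: once a RAM dump from the dual-NOR trick is in hand, the loaders have to be located in it before any key can be applied. The C program below is an added example, not code from either of them, showing how to carve SCE-wrapped images out of a raw dump. It assumes the embedded loaders carry the standard 32-byte big-endian SCE header that prefixes PS3 SELF files (magic "SCE\0", version, key revision, type, metadata offset, header length, data length); whether the 3.60 lv0 stores its loaders exactly that way is not stated on this page and is treated as an assumption. The sanity checks on those fields are what separate a real header from a stray "SCE\0" in filler, and the length check is what stops a scanner from reporting an image whose payload runs off the end of a partial dump, which is exactly the kind of dump the tweets describe ("you won't get all of lv0"). The dump it scans is constructed in the program itself; the body of each image stays encrypted, this only finds and sizes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCE_MAGIC 0x53434500u   /* "SCE\0" */
#define SCE_HDR_LEN 32

/* The cleartext SCE header that prefixes SELF images (all fields big-endian). */
typedef struct {
    uint32_t magic;
    uint32_t version;          /* 2 on every known firmware */
    uint16_t key_revision;     /* which key set the body was encrypted with */
    uint16_t type;             /* 1 = SELF, 2 = RVK, 3 = PKG, 4 = SPP */
    uint32_t metadata_offset;  /* offset of the encrypted metadata inside the header */
    uint64_t header_len;       /* bytes from the magic to the start of the payload */
    uint64_t data_len;         /* payload size */
} sce_header;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint64_t be64(const uint8_t *p) { return (uint64_t)be32(p) << 32 | be32(p + 4); }

/* Parse a candidate header at p with `remaining` bytes left in the dump. Returns 1
 * only if magic/version/type are sane and header plus payload fit in the dump. */
int parse_sce_header(const uint8_t *p, size_t remaining, sce_header *out) {
    if (remaining < SCE_HDR_LEN) return 0;
    sce_header h = {
        .magic = be32(p),            .version = be32(p + 4),
        .key_revision = be16(p + 8), .type = be16(p + 10),
        .metadata_offset = be32(p + 12),
        .header_len = be64(p + 16),  .data_len = be64(p + 24),
    };
    if (h.magic != SCE_MAGIC || h.version != 2) return 0;
    if (h.type < 1 || h.type > 4) return 0;
    if (h.header_len < SCE_HDR_LEN || h.header_len > remaining) return 0;
    if (h.metadata_offset >= h.header_len) return 0;
    if (h.data_len > remaining - h.header_len) return 0;   /* image truncated by dump end */
    if (out) *out = h;
    return 1;
}

typedef struct { size_t offset; sce_header hdr; } sce_hit;

/* Scan a dump at 4-byte stride (drop to 1 if the dump may be unaligned), recording
 * each image and skipping its body so nested magic bytes are not reported again.
 * Returns the total number of images found; at most `max` are stored in hits. */
size_t carve_sce(const uint8_t *dump, size_t len, sce_hit *hits, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + SCE_HDR_LEN <= len; off += 4) {
        sce_header h;
        if (!parse_sce_header(dump + off, len - off, &h)) continue;
        if (n < max) { hits[n].offset = off; hits[n].hdr = h; }
        n++;
        size_t total = (size_t)(h.header_len + h.data_len);
        off += (total + 3) / 4 * 4 - 4;   /* loop increment adds the last 4 */
    }
    return n;
}

/* --- constructed sample dump, not data from a console --- */
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put_sce(uint8_t *p, uint32_t version, uint16_t type, uint64_t hlen, uint64_t dlen) {
    put_be32(p, SCE_MAGIC);
    put_be32(p + 4, version);
    p[8] = 0x00; p[9] = 0x0a;                  /* key revision, arbitrary */
    p[10] = (uint8_t)(type >> 8); p[11] = (uint8_t)type;
    put_be32(p + 12, 0x20);                    /* metadata offset, arbitrary but < hlen */
    put_be32(p + 16, (uint32_t)(hlen >> 32)); put_be32(p + 20, (uint32_t)hlen);
    put_be32(p + 24, (uint32_t)(dlen >> 32)); put_be32(p + 28, (uint32_t)dlen);
}

#define DUMP_LEN 4096
/* Filler with a constant byte-to-byte step, so "SCE\0" cannot occur by accident,
 * plus two valid images, a decoy with a bad version, and a truncated header. */
void build_sample_dump(uint8_t *dump) {
    for (size_t i = 0; i < DUMP_LEN; i++) dump[i] = (uint8_t)(i * 0x9e + 0x3b);
    put_sce(dump + 0x100, 2, 1, 0x80, 0x200);   /* SELF-type image, 0x100..0x380 */
    put_sce(dump + 0x400, 1, 1, 0x80, 0x100);   /* decoy: version 1 */
    put_sce(dump + 0x800, 2, 4, 0x40, 0x100);   /* second image, 0x800..0x940 */
    put_sce(dump + 0xf00, 2, 1, 0x80, 0x1000);  /* payload would run past the dump */
}

int main(void) {
    uint8_t dump[DUMP_LEN];
    sce_hit hits[8];
    build_sample_dump(dump);
    size_t n = carve_sce(dump, DUMP_LEN, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("SCE image at 0x%zx: type %u, key rev %u, header 0x%llx, payload 0x%llx\n",
               hits[i].offset, (unsigned)hits[i].hdr.type, (unsigned)hits[i].hdr.key_revision,
               (unsigned long long)hits[i].hdr.header_len, (unsigned long long)hits[i].hdr.data_len);
    return n == 2 ? 0 : 1;
}
```

On a real dump the offsets and key revision of each hit are the useful output: key revision tells you which loader key set (the metldr-derived keys Mathieulh refers to) the body was encrypted with, and header_len plus data_len bound the bytes to carve out for decryption. Decryption itself is not part of this example.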

Mathieulh also has some facts to clarify about LV0.

1. lv0 isn't a loader, it's a PPU binary.
2. Lv0 isn't encrypted per console and can be updated with the rest of the coreos.
3. Lv0 is decrypted by the bootloader; there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware.
5. lv0.2 is NOT a binary, it's new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future PS3s); it is NOT used by the current bootloader (and thus not in current PlayStation 3 consoles).

But wait: messing with this can end in the YLOD tragedy, so unless you own one of those expensive NOR flashers you might not want to proceed, and that's according to rms again.

Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then "YLOD", and you’d need a flasher for your PS3 to recover.



PS3 Hacker Mathieulh on 3.60 Firmware LV0 Dump Exploit & Keys







#381 - PS4 News - 131w ago
As this thread is old and closed, I have posted the KaKaRoToKS exploit update in the ongoing LV0 thread here for those interested: http://www.ps4news.com/ps3-hacks-jailbreak/ps3-lv0-keys-leaked-4-21-4-25-and-4-30-cfw-updates-incoming/

#380 - LKJHGFDSA - 158w ago
He didn't. He just wants attention. He's lied many times before, please don't believe what he says.

Even if there were a new 3.56 exploit, it'd be completely useless. (Though progress is always nice)

#379 - lfcaid - 158w ago
You guys know this guy is bull, right? He's such a twat.

1) He never releases anything he finds.
2) He was asked by KaKaRoToKS to help him with the 4.00+ JB, and he purposely pointed him and his team in the wrong direction and made them study something useless for months and months. Then he made KaKaRoToKS's JB process really slow, and he knew he was doing it on purpose. Also, when he spoke about it to KaKaRoToKS, he then emailed Sony and told them what to fix.

#378 - Badger1975 - 158w ago
You know, I believe that when we buy a system, it's ours to do what we want with it, and as long as we don't use any part of it or its software to make money for ourselves, then I don't see any reason for a company to sue us for doing something with it.

I am talking about the PS3 for one. We buy the system and we use it until it seems lame and boring to us, and we want to mod it or its software to add something we like, like homebrew or such, and yet we seem to get in trouble because the company feels we messed with something that wasn't supposed to be touched. But I feel that we bought the machine and technically we should be able to have our way with it, as long as we are not selling any part of it that we modded ourselves, or that anyone modded, for a profit.

I think if we want to mod the PS3 to use other stuff we made or someone else made, then we should be able to, as long as we don't make money from it and it doesn't allow any piracy to be done.

Sony shouldn't be after us for this; they should be after the ones that are stealing their firmware and selling it modded.

Doesn't everyone agree with this? I do.

#377 - thorrenat - 167w ago
How to help? As a betatester maybe?

#376 - capostef - 168w ago
Nabnab have you found the source from CrashSerious?

#375 - CS67700 - 168w ago
Nah, Geohot proved that he was reliable in the Apple scene, no doubt about that. The kid has talent, but he has a huge ego too (who wouldn't? You're a hypocrite if you say you wouldn't do the same with his talent).

The lamers of this scene are mathieulh and his little friends. He keeps stealing work from others and pretending he did it (we never saw him release something once, never; he just pretends it's his work when something gets leaked).

Stabbing Geohot in the back after everything he brought to the scene, I find pretty pathetic. At least he brought results and wasn't playing drama: "I will release... I won't release... oh, I may release... finally I won't, LOL".

This kid also had the balls to go to court with Sony. Say anything you want, but I doubt you have even half of his courage and could do the same (I dare you to say the contrary).

He fought for the scene against a huge company that could have whipped him with a finger. 90% of people blame him, but in his situation they would run under their mom's skirt like cowards.

At least he released something; half of the devs in this scene are either drama queens with small tools or big-mouthed kids who think computer engineering can be mastered for breakfast.

#374 - hawkY - 168w ago
Hahahaha, good one, even though I don't get it. Sorry, I'm stupid when it comes to developing...

#373 - Nabnab - 168w ago
Actually it's not to skip, it's to get.

I'm gonna give a bad example:

A key = key -> the PS3 is a door -> you, you are the transport, the person who's gonna put the key into your door.

If somebody comes up behind you, he can take your key and run away, and come back later to open your door.

I know it's a bad example, sorry for that, but it's to represent that simply.

#372 - hawkY - 168w ago
Didn't you say that we can skip the ECDSA entirely?