
March 28, 2011 // 6:57 pm - Today PS3 hacker Mathieulh has tweeted some new details on dumping LV0 from PlayStation 3 3.60 Firmware and obtaining the new keys, followed by Ps3WeOwnYoU claiming he has already reproduced it to confirm it works.

Below are all the tweets, as follows:

Mathieulh's Tweets:

  • xShadow125 You can update from your own pup only from 3.55 or lower, unless you have an exploit.
  • xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
  • xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
  • xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
  • xShadow125 You won't get all of lv0 but the part with the loaders shouldn't be overwritten.
  • xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
  • To those planning on building a 3.56+ pup for whatever reason, the files' attributes changed, the group and user ids for the files as well.
  • The new 3.56+ values for tarballs are the following: owner_id "0000764", group_id "0000764", owner "tetsu", group "tetsu", ustar "ustar"
  • You can use fix_tar to use those new values. Use with caution.
  • By comparison, these are the pre-3.56 values: owner_id "0001752", group_id "0001274", owner "pup_tool", group "psnes", ustar "ustar"
  • Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
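As an added example (not from the tweets, fix_tar or any PS3 tool), a Python checker that decodes the ownership fields of a ustar header, verifies the header checksum, and reports which of the two value sets quoted above a tarball carries. The profile labels, the sample archive and its entry name are my own constructions.

```python
import io
import tarfile

# Ownership values quoted in the tweets above, as the octal strings that sit in
# the ustar header; the profile labels are my own.
TAR_PROFILES = {
    "3.56+": {"uid": "0000764", "gid": "0000764", "uname": "tetsu", "gname": "tetsu"},
    "pre-3.56": {"uid": "0001752", "gid": "0001274", "uname": "pup_tool", "gname": "psnes"},
}

def parse_ustar_header(block: bytes) -> dict:
    """Decode name/uid/gid/uname/gname from one 512-byte ustar header after checking its checksum."""
    if len(block) != 512:
        raise ValueError("a ustar header is exactly 512 bytes")
    if block[257:263] != b"ustar\x00":
        raise ValueError("not a POSIX ustar header")
    # The checksum is the byte sum of the header with the chksum field counted as 8 spaces.
    stored = int(block[148:156].split(b"\x00")[0].strip() or b"0", 8)
    computed = sum(block[:148]) + 8 * ord(" ") + sum(block[156:])
    if stored != computed:
        raise ValueError(f"header checksum mismatch: stored {stored}, computed {computed}")
    field = lambda lo, hi: block[lo:hi].split(b"\x00")[0].decode("ascii")
    return {"name": field(0, 100), "uid": field(108, 116), "gid": field(116, 124),
            "uname": field(265, 297), "gname": field(297, 329)}

def classify_ownership(hdr: dict) -> str:
    """Return the profile whose uid/gid/uname/gname all match, or 'unknown'."""
    for label, want in TAR_PROFILES.items():
        if all(hdr[k] == v for k, v in want.items()):
            return label
    return "unknown"

def build_sample_tar(profile: str) -> bytes:
    """Constructed sample: a one-entry ustar archive carrying the given profile's ownership."""
    want = TAR_PROFILES[profile]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("dev_flash/hello.txt")  # hypothetical entry name
        payload = b"constructed sample, not firmware\n"
        info.size = len(payload)
        info.uid, info.gid = int(want["uid"], 8), int(want["gid"], 8)
        info.uname, info.gname = want["uname"], want["gname"]
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def ownership_of_first_entry(archive: bytes):
    """Classify the first entry of a raw ustar archive; returns (label, decoded header)."""
    hdr = parse_ustar_header(archive[:512])
    return classify_ownership(hdr), hdr

if __name__ == "__main__":
    for profile in TAR_PROFILES:
        print(profile, "->", ownership_of_first_entry(build_sample_tar(profile))[0])
```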

So, to decrypt this LV0 thing, we need to get to know it better. In his latest blog post, rms briefly explained what LV0 is and where it sits in the console's security.

Anyway, let’s really discuss something PS3 instead of my PC xD, let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the "Cell OS Bootloader".

In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary.

All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

So, unless you can decrypt Lv0, no 3.60 "CFW" for you. Is there any need for it anyway?

Mathieulh also has some facts to clarify about LV0.

1. lv0 isn't a loader, it's a ppu binary.
2. Lv0 isn't encrypted per console and can be updated with the rest of the coreos.
3. Lv0 is decrypted by the bootloader; there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware.
5. lv0.2 is NOT a binary, it's a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s); it is NOT used by the current bootloader (and thus in current playstation 3 consoles).

But wait: messing with this thing could lead to the YLOD tragedy, so unless you have one of those expensive NOR flashers you might not want to proceed, and that's according to rms again.

Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then "YLOD", and you’d need a flasher for your PS3 to recover.



PS3 Hacker Mathieulh on 3.60 Firmware LV0 Dump Exploit & Keys




#311 - LKJHGFDSA - January 19, 2012 // 12:23 pm
Hopefully this discredits Methloser once and for all.

& KaKaRoTo, if you're reading this, well done. Thanks for your efforts. Don't give up - anything is possible.

#310 - jesterking1 - January 19, 2012 // 11:57 am
Cliffnotes (summary in shorter words).

I went through and read it: Mathieulh is a lying drama queen who is dumber than a box of rocks and trying to derail actual progress.

The number needed to generate the signature to sign packages in 4.00 HEN is near impossible to figure out. Nothing is 100% impossible, but without massive computing power (think Enigma) it would take a very, very long time to decrypt.

That's pretty much what I got from this.

Quote originally posted by MimmoD360:
That's true! Someone else will make backup managers running on this cfw.


If they can figure out how to get peek and poke working... good luck

#309 - br4insick - January 19, 2012 // 11:36 am
At the end of the day, you gotta give it up to $ony for holding it down as long as they have. I love my ps3 way more, but I love the xbox scene way more too.

Is it because the xbox scene has better devs that work better together, or is it because the xbox was easier to hack, or both?

#308 - NTA - January 19, 2012 // 11:35 am
lol?

#307 - jesterking1 - January 19, 2012 // 11:32 am
cliffnotes?

#306 - NTA - January 19, 2012 // 11:09 am
But full compatibility with roms for DC and N64 emulators is very much something that I look forward to if it becomes possible, along with custom button mapping of course, although I wouldn't mind having the best of both worlds >_>

Really looking forward to playing new games

#305 - dbraganti - January 19, 2012 // 11:00 am
I agree with you, I never said I was not interested in running backups and I also think the same as you. Everyone who wants a CFW to run their SNES emulator is nothing more than a liar.

The main point I was trying to make is that there are plenty of games here and everyone who owns a ps3 can buy some. The choice to buy or not is each person's own, and that I will never argue against...

#304 - Xyth - January 19, 2012 // 10:55 am
There is a misunderstanding here. "We'll be able to run applications" means we can run backup managers, but backup managers won't be able to run backups unless there's a payload/peek&poke solution.

And no you can't make eboots for 3.41 that's a different thing.

#303 - daveribz - January 19, 2012 // 10:55 am
If KaKaRoTo really has a way of installing custom PKGs, backups are possible. You just make PKGs off retail games, which is already possible. All these new games will work since the HEN is for 4.00!

#302 - muny21 - January 19, 2012 // 10:51 am
I think everyone needs to stop the bs. The ONLY reason anyone wants any of their game consoles or handhelds hacked IS for the ability to play backups. I do not care if anyone wants to be 'PC', politically correct, in forums and say they do not use backup managers for anything but their legally owned games. They are liars and hypocrites.

I am sure even KaKaRoTo uses backups but yet wants to be against them. Just silly. He even talks about cracking the securities in games in his whole rant, but then at the end says that he will not enable piracy on his release. Bet the one he keeps for himself allows piracy. Just hate hypocrites. Rant over, back on topic.

This does not prove Math wrong, not that I like the guy or am sticking up for him. Just a bunch of words written on a forum page. Until there is tangible evidence for all to see, I believe none of these devs. Just wait and watch. But I believe that the ps3 scene is dead and we got all we could out of it.