
November 20, 2012 // 11:23 pm - Following up on the previous PS3 Lv0ldr / Bootldr clarifications by marcan42 and wololo, today PlayStation 3 hacker naehrwert has shared some details based on reverse-engineering the exploit used to dump it.

To quote from his blog:

The Exploit

As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is public now, let's have a closer look at it to understand what's going on. Here is what I have reversed from lv0 (it shares the syscon portion of the code with its SPU counterpart):


The syscon library implements some high-level functions, e.g. to shut down the console on panic or to read certain configuration values. Each of these functions internally uses another function to exchange packets with syscon, and the exchange function uses the read_cmpl_msg one to get the answer packet. The top-level function will pass a fixed-size buffer to the exchange function.

So if we are able to control syscon packets, e.g. by emulating MMIO (and thanks to IBM we are), we can change the packet size between the two packet readings and overwrite the caller stack. And if we first copy a little stub to shared LS and let the return address point to it, we can easily dump the whole 256 kB.

Nothing more left to say now, let's wait and see if this is going to be fixed in future firmware versions (we just have to check lv0 fortunately).
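The pattern naehrwert describes is a double fetch: the packet size is read once for the bounds check and again for the copy, so a size that changes between the two reads lands past the fixed-size caller buffer. The following is an added example, not code from naehrwert's write-up or from lv0 itself; the function names, the 32-byte buffer, the packet layout and the simulated syscon side are all assumptions, and the hardened variant shows the single-read fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PKT_BUF_SIZE 32   /* assumed fixed-size buffer the top-level function hands down */
#define BACKING_SIZE 256  /* oversized backing store so the demo never writes outside real memory */

/* Constructed stand-in for the syscon side (the write-up's attacker drives it via emulated
 * MMIO): it reports one length when the header is read and another when the body is read. */
typedef struct {
    uint8_t len_on_header_read;
    uint8_t len_on_body_read;
    uint8_t body[BACKING_SIZE];
} sim_syscon_t;

/* Double-fetch pattern: the bounds check uses the first size read, the copy uses
 * the second, so a size change between the two reads walks past bufsz. */
static int read_cmpl_msg_double_fetch(const sim_syscon_t *sc, uint8_t *buf, size_t bufsz)
{
    uint8_t len = sc->len_on_header_read;   /* first read: feeds the check */
    if (len > bufsz)
        return -1;
    len = sc->len_on_body_read;             /* second read: feeds the copy (the defect) */
    memcpy(buf, sc->body, len);
    return (int)len;
}

/* Hardened pattern: read the size once into a local, validate it, copy with that same value. */
static int read_cmpl_msg_single_fetch(const sim_syscon_t *sc, uint8_t *buf, size_t bufsz)
{
    uint8_t len = sc->len_on_header_read;   /* the only read; the device cannot change it later */
    if (len > bufsz)
        return -1;
    memcpy(buf, sc->body, len);
    return (int)len;
}

/* Feeds a packet that advertises 16 bytes at header time and 64 at body time to one reader
 * and reports whether anything landed beyond the logical PKT_BUF_SIZE buffer (the caller's frame). */
static bool smashes_past_buffer(int (*reader)(const sim_syscon_t *, uint8_t *, size_t), int *rc_out)
{
    sim_syscon_t sc = { .len_on_header_read = 16, .len_on_body_read = 64 };
    memset(sc.body, 0x41, sizeof sc.body);
    uint8_t backing[BACKING_SIZE] = { 0 };
    *rc_out = reader(&sc, backing, PKT_BUF_SIZE);
    for (size_t i = PKT_BUF_SIZE; i < BACKING_SIZE; i++)
        if (backing[i] != 0)
            return true;
    return false;
}
```

The double-fetch reader accepts the 16-byte check and then copies 64 bytes; the single-fetch reader copies exactly the 16 bytes it validated.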

PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert



#244 - PS4 News - July 11, 2013 // 3:32 pm
I have also added it to the main article for those keeping track. Thanks and +Rep Gunner54.

#243 - Gunner54 - July 11, 2013 // 3:19 pm
I decided I would make a tool to extract and inject the loaders of lv0. Should be useful for some people.

Download:!ONV0yAib!PW1SMQ6xq6JjO8m14Zv9qxs4Pfk0XisuQEFRSKM4DEc /

Here's the source:


#242 - Rhynodry - July 1, 2013 // 2:40 am
Good morning, I think it failed on the slim. We are working on this, or else has it stopped working? Rumor has it that it takes a private key that is not in the console.

#241 - yllan - June 30, 2013 // 1:30 pm
thank you aldostools


#240 - ripplar - June 29, 2013 // 6:28 am
Nice. Thank you for this. Now let me play around and see what I can mess up now.

#239 - niwakun - June 27, 2013 // 8:13 am
It will allow the MFW app to work again, so you can create your own PUP CFW. But it won't lead to CFW on PS3s that use lv0.2 (3k/4k PS3 models).

#238 - shummyr - June 27, 2013 // 4:55 am
This is awesome news, very excited to see where this leads

Also from Abkarino: Also, I now confirm that the SPU ERK and RIV are found in the decrypted lv1ldr file. See my proof here:

SPU ERK/RIV keys as a data xref in IDA Pro (4.46 lv1ldr):

SPU appldr keys unscrambling function in IDA Pro (4.46 lv1ldr):

#237 - sguerrini97 - June 27, 2013 // 4:27 am
Quote originally posted by natex:
Hi, I have a PS3 Fat CECHL-01 board VER-001, it is full bricked, NOR erased...

It is possible to recover the LV2 from HDD with this tool and rebuild the NOR?

You need your eid_root_key to decrypt your HDD.

Anyway I don't think you can fix your NOR with this...

#236 - fantopoulos - June 27, 2013 // 3:22 am
very helpful, thank you.. unbricked my console much app