PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

140w ago - Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

To quote from his blog: Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

[Register or Login to view code]

From Mathieulh (via pastebin.com/naxXkv3M):

[Register or Login to view code]

The footer signature is still not checked upon npdrm self files execution as of 4.21.

Because kakaroto says something that doesn't make it true. Basically he found a check in 3.55 that was not even called and assumed they used it in 3.60+.

Of course they do whitelist npdrm now so even if the footer isn't checked you cannot run your own npdrm selfs signed with keyset lower than 0x0D making the whole debate rather pointless. Aditional checks are now performed on the actual file format as well such as the segment counter flag that needs to be set to 0x01 except for the very last segment.

Finally, from KDSBest (via twitlonger.com/show/jcmh80): Since naehrwert posted an lv2 exploit I will do so too . The stack pointer points to lv2 and if we do a syscall, the syscall saves register to the stack HAHA.

Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed. Tell me!!! ^^

[Register or Login to view code]

I didn't managed to make it work on 4.21 so I just did on 4.20


PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert

PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.




#8 - Bartholomy - 181w ago
Bartholomy's Avatar
Eidtool is what we need, rest is useless I think

#7 - PS4 News - 181w ago
PS4 News's Avatar
Below are some more updates from naehrwert for those following..

scetool 0.0.3 http://www.mediafire.com/?ykjil6hn2xai5qw

output for vsh.self pastie.org/2958961

[Register or Login to view code]


Added ELF64 support to scetool!

but I extended eidtool by some new functions

#6 - PS4 News - 182w ago
PS4 News's Avatar
Here is a follow-up from his blog today as well for those following: nwert.wordpress.com/2011/11/29/about-spu-channels-64-72-and-73/

If you are reversing the PS3′s isolated SPU modules, you will eventually notice channels 64, 72 and 73. Here are some C functions, that roughly describe how they work:

About SPU channels 64, 72 and 73


[Register or Login to view code]


It seems that lv1ldr is storing it’s version into a special storage area.

[Register or Login to view code]


And e.g. isoldr reads the version from the storage area and compares it to it’s own version. If the check fails, isoldr will just stop execution.

[Register or Login to view code]


I wonder what else is stored in the area and how long the data in it persists, so my next idea is to code an isolated elf, that allows me to specify the value written to channel 64 and then dumps the data from channel 73.

#5 - Ezio - 182w ago
Ezio's Avatar
Friday is a new legal application developed by naehrwert to remarry bd drive.

Quote Originally Posted by tulla2010 View Post
shame he will never release the eid tool

Yeah, unfortunately he decided to not share his eid tool when it will be ready.

#4 - tulla2010 - 182w ago
tulla2010's Avatar
shame he will never release the eid tool

#3 - Bartholomy - 182w ago
Bartholomy's Avatar
Yep. WE mortals don't do nothing with this stuff. But i suppose it's an advancement about a free solution...

Oh, some news: And no, I won't release eidtool. If you want the algorithms, you'll have to start reversing

Cool, we can close this chapter too

#2 - HAVOK7 - 182w ago
HAVOK7's Avatar
wow i am first lol, ok so what can be actually done with this?

#1 - PS4 News - 182w ago
PS4 News's Avatar
This weekend Sony PlayStation 3 hacker naehrwert has released a PS3 SCETool based on the fail0verflow tools, an Isolated SPU binary POC dubbed Friday and some EIDTool work in progress updates for PlayStation 3 developers interested in remarrying Blu-ray drives, motherboard keys, QA tokens, etc via Twitter.

Download: PS3 SCETool / Friday Isolated SPU Binary POC / PS3 SCETool v0.0.3 and VSH.Self Output / PS3 SCETool v0.0.4

Below are the details from the ReadMe files and Tweets, as follows:

SCETool (C) 2011 by naehrwert - This tool will see more features in the future.

Notice: THIS CAN DO NOTHING NEW, IT'S CURRENTLY JUST A REWRITE OF f0f TOOLS.

Keyfile format:

[Register or Login to view code]

A sample keyfile is included.

Shout-outs: I think they know who I mean

Friday (C) 2011 by naehrwert - This is a POC for a isolated spu binary. Generate a self encrypted+signed with the metldr keys out of friday.elf. Then use friday.h to write a PPU application that loads the self by utilizing metldr and DMAs your console's EID2 to the shared SPU LS. It will generate the P and S block from it, that is used to pair the BD drive to the specific console. Yon can then DMA the blocks out from the LS and send them to the drive to remarry it to the console.

Communication with the SPU is done over in_mbox and out_mbox. MSG_OUT_* is send from the SPU code to out_mbox. MSG_IN_* should be written from the PPU to in_mbox. When MSG_OUT_READY arrives the PPU should DMA the EID2 to EID2_START and send MSG_IN_READY. When MSG_OUT_GEN_DONE arrives the PPU should DMA the blocks out from BLOCKS_START and send MSG_IN_DIE.

Note: this is UNTESTED but should just work

POC http://www.mediafire.com/?u8lvl08h1lai2nb

note: self part is only for spu yet!

scetool http://www.mediafire.com/?31r5482wy28sc9c

veeeery nice http://pastie.org/2928187

[Register or Login to view code]

http://pastie.org/private/4dflpsc66d4gngjvmxwqyq

[Register or Login to view code]


[Register or Login to view code]

which I can generate and yes my eid4 passes the hash check

but one would need to get the aes_omac1 key to be able to check it

hmm eid4 digest is stored unencrypted

seems like there are some hardcoded eid4 fallback bytes - http://pastie.org/private/oxy580s4omh8ofbdfgj3dq

[Register or Login to view code]

scetool/eidtool progress is great

More PlayStation 3 News...