

November 8, 2011 // 1:07 pm - Today an anonymous PlayStation 3 hacker has leaked a PS3 Metldr exploit, followed by a guide from Mathieulh on how to pwn metldr the "easy" way below.

Download: PS3 Metldr Exploit / PS3 Metldr Exploit (Mirror) / PS3 Metldr Exploit Dump / PS3 Metldr Exploit Dump (Binary File) / PS3 Metldr Exploit Layman's Guide by lunuxx

From GaryOPA: We received an 'an0nymous email' from some random one-time dropbox, containing a weird little attachment, with a simple note:

Program: metldr838exploit
Author: Unknown
Usage: Unknown
Reason: Unknown

Before posting we had one of our PS3 crunching developers look it over, and it seems to be a set of 'C' code and headers and a compiled ELF and SELF that exploits the 'chain of trust' to dump an 'unencrypted' version of your PS3 'metldr'.

Now of course this is not really 'useful' for the average PS3 Jailbreak end-user, but we think it just might be the long waited for 'golden ticket' in the right hard-working hands of some talented 'developers' that are willing to try to help everyone out by pushing the PS3 'scene' to the next level, that almost everyone here has been waiting for!

Seems long-time 'scene' developer Mathieulh is claiming ownership of this 'metldr' exploit, and has now published his 'How-To' tutorial for it:

How to pwn metldr the "easy" way

Because some ungrateful person leaked my metldr exploit files I will now be explaining how it actually works. See this as my ultimate release of all time for an ungrateful scene (and scenes in the future).

That's about how I am pissed right now, because of course the person that leaked these files has no idea of how they actually work.

How to pwn metldr the "easy" way:

This is most likely how geohot exploited it in the first place; this takes (give or take) about 10 minutes to be performed. (Yeah, not so much of an "I hacked the PS3 all on my own" work, especially not when it partially relies on Segher's work, one of the reasons geohot never shared the way he exploited metldr with anyone.)

I will assume here that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool.

Now you want to gain code execution in metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump; so far you are stuck in a chicken and egg scenario.

The question is, do you really need keys to get a decrypted signature? Well, the real answer is no: thanks to a nifty fail that Sony left in metldr (and the bootloader), you can have the ldr decrypt the metadata for you. Isn't that neat?

Here's how it works:


In a self file, at address 0x0C, a value is used to calculate where the metadata is going to be decrypted. The "offset" is at self header + 0x0C; it's the "meta header offset" in the SCE structure. It takes the SCE offset + that value, so what you have to do is to have a calculation that is equal to 0x3E01F0, which happens to be where metldr copies over the shared metadata from the mailbox (which is sent over by the ppu). The trick is to have metldr decrypt the metadata located at.

So basically you have to:

1) set the offset += 0x2000, dump the shared lsa, and keep increasing by 0x2000 until 0x40 bytes somewhere in the shared lsa change
2) when 0x40 bytes change, you can add/subtract the proper amount to make it decrypt to the proper location
3) then dump the shared lsa and we have the decrypted header. Knowing that metldr uses SCE header 0xECF0, you could calculate it directly: 0x3E01F0 - 0xECF0 = the value you would patch at SCE header + 0x0C

ROM:0000F6C0 D2 68 87 E6 metadata_erk: .int 0xD26887E6 ; DATA XREF: ROM:0000F178o

For example in CECHA, the address you want to decrypt it to is 0x3E1F0, so it should be 0x3E1F0 - 0xF6C0.

Once you get the decrypted header, you have the key to decrypt the rest of the metadata. Here you go, you have your decrypted signature.

So far so good, now what's next?


Contrary to popular belief, you do not need to know the public key to calculate the private key; you just need two decrypted signatures. You now know how to dump these, so let's assume you just did. Now all you have to do is to bruteforce the curve type by constantly reloading a self to metldr; the curve type being only 1 byte, that would be 64 possibilities.

CONGRATULATIONS, you just signed a loader!

Now what ?

Well, your first reflex would be to sign a loader and use it to dump whatever is in your Isolated Local Store. The first thing you will notice is that you have a bit of metldr's code as a leftover; after a few seconds of disassembly you will figure out it's actually some piece of code that clears metldr's code and registers and jumps to some address which matches your signed loader's entrypoint.

This seems like a more than likely candidate to exploit, as in your goal would be to overwrite that piece of code with your own, that way you would have the whole metldr code right before the point where everything gets cleared out.

Let's try to do just that. From your previous dump, you obviously know that the clear code is located from 0x400 to 0x630 (0x410 being where metldr jumps when it clears). Your first attempt would naturally be to have a loader section load at 0x400; well, not so surprisingly, it fails. Because you are not without a brain (at least you aren't supposed to be if you're reading and understanding this), you will assume that it is likely that metldr checks that you aren't loading your loader/self section below a certain address, which, considering you know the loaders' entrypoint, is most likely to be 0x12C00. This assumption is in fact correct, as metldr will make sure you cannot load any loader at 0x12BFF and below. Seems like a huge let down...

Well, maybe not, because yet again, you are not without a brain, you check out the hardware properties for the Local Store, and you find out that the memory wraps around (memory is a donut as someone once said at some ccc conference).

So what happens when you load your loader at, let's say, from 0x3F000 to 0x40000 + some address (like 0x40410, for example)?

Well, it WORKS!
You could put the section at 0x3F000, if you made the length 0x1414 and the last instruction branches "up" to the dump code.


This is what the exploit that got leaked does (yeah, that's not really their work, eh, but you figured that much by now, did you not?). It overwrites from 0x000 to 0x480 because I originally loaded the section of size 0x880 to 0x3FC00.

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)

Here you go, you have a metldr dump !

Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leak it. (Not like any of them would have been able to tell you how all this even works in the first place.)

So long, everyone. Remember, don't ever bite the hands that feed you.

P.S. Oh! And btw, if you're talented enough to make hardware to dump the shared lsa, you can decrypt any lv0 using this technique.


Also from Mathieulh, attempting to defend himself from PS3 Scene Devs: Oh! And to people who might doubt it's a leak (as in 2 people who might by some miracle have found the very same exploit), the leaked appldr-metldrexploit350.self file not only bears the same name but the same hash and obviously the same signature as the file I've given out to the few people that had it.

If you don't know about this: because of the rand functions involved, the chances of getting an identical signature on a self file are one in trillions, so yeah, definitely my stuff.

To people still claiming that the leaked files weren't crafted by me, look at "" the "/proc/metldrpwn/mathldr" line is a dead giveaway. IRC Log here:

Oh! And just so you know, just because the "donut fail" requires a signed ldr to work and gain code execution in metldr doesn't mean there is no way to pwn metldr.2 (though obviously you can't use that particular exploit for this). Not like you really need to dump a metldr with an updated keyset, a hardcoded 3.60 min ldr version and some useless gcc optimizations though.

By the way, to Sony engineers' credit, they did check if you'd load a ldr at 0x40000+; they just didn't check if you'd load it at 0x3FFFF or below with a positive size.

I wonder if people noticed the metldr.spu.cecha.elf, metldr.spu.cech2500.elf and the 1.3MB metldr-cecha.idb in my metldr's collection pic

I don't really care about the ps3 anymore anyway. Here is a protip before I am gone, you can load the bl more than once.
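The bounds-check weakness Mathieulh describes above (start address validated, end address never checked, local store wrapping at 0x40000) is a generic integer-range bug, so here is an added example, written for this page and not code from the leaked files or from metldr, that models the described check beside a hardened one. The exact form of metldr's real check is not known from the page; the 0x12C00 floor, the 0x40000 store size and the section layouts come from the text above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the write-up: the SPU local store is 256 KB and metldr
 * rejects sections placed at 0x12BFF or below (loader entrypoint 0x12C00). */
#define LS_SIZE    0x40000u
#define LS_MASK    (LS_SIZE - 1u)
#define LOADER_MIN 0x12C00u

/* Hypothetical model of the check as described: only the start address is
 * examined, so a section may run past the end of the store and wrap. */
bool section_ok_original(uint32_t start, uint32_t size)
{
    (void)size;                               /* size is never consulted */
    if (start < LOADER_MIN) return false;     /* below the loader area */
    if (start >= LS_SIZE)   return false;     /* at or past end of store */
    return true;
}

/* Hardened check: every byte must lie in [LOADER_MIN, LS_SIZE).
 * The end test is written as a subtraction so start + size cannot overflow. */
bool section_ok_fixed(uint32_t start, uint32_t size)
{
    if (size == 0)          return false;     /* empty sections are meaningless */
    if (start < LOADER_MIN) return false;
    if (start >= LS_SIZE)   return false;
    if (size > LS_SIZE - start) return false; /* would run past (and wrap) */
    return true;
}

/* Where the section's end really lands in a store that wraps around
 * ("memory is a donut"): addresses are taken modulo LS_SIZE. */
uint32_t wrapped_end(uint32_t start, uint32_t size)
{
    return (start + size) & LS_MASK;
}

int main(void)
{
    /* Constructed cases, using the layouts quoted in the write-up. */
    struct { uint32_t start, size; } cases[] = {
        { 0x12C00u, 0x1000u },  /* ordinary loader section */
        { 0x00400u, 0x0230u },  /* direct overwrite of the clear stub: rejected */
        { 0x3F000u, 0x1414u },  /* wraps to 0x414, past the 0x410 clear stub */
        { 0x3FC00u, 0x0880u },  /* the leaked layout: wraps over 0x000..0x480 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("start=0x%05X size=0x%04X end(wrapped)=0x%05X original=%s fixed=%s\n",
               cases[i].start, cases[i].size,
               wrapped_end(cases[i].start, cases[i].size),
               section_ok_original(cases[i].start, cases[i].size) ? "accept" : "reject",
               section_ok_fixed(cases[i].start, cases[i].size) ? "accept" : "reject");
    }
    return 0;
}
```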

From Sony PS3 hacker adrianc: I hate to burst everyone's bubble but this means nothing. The chain of trust was fixed by moving loaders into lv0.

Until lv0 is either dumped or decrypted, the loaders, and therefore the keys will remain just out of reach. Cold boot exploits are not possible because lv0 sets up the loaders table before passing execution to lv1. Decrypting lv0 requires pwning the bootloader_PE, which is very difficult. If you could sniff the flexio you might be able to dump it that way. Or you could use what is known about the CBE secure boot to preempt bootldr. I suggest the IBM docs as reading material.

They are encrypted with the same key, which is burnt into the CBE efuses. This key is never passed along the chain of trust, so neither metldr nor bootldr ever sees their own key. Metldr dumps will give you some perspective on how secure loaders work, and possibly stimulate some ideas for how you might be able to pwn bootldr. However, there is no easy 'find a key, use a key' solution to be found inside metldr.

This exploit does not enable you to find the hardware root key, merely a much weaker derivative which exists to prove the secure loader has been authorised by hardware.


Related Tweets: 7492E57C2C7C63F44942268FB41C58ED... I found out a lot more too


eidtool "eid0_hash_encrypt_section_0"

aes_omac1(section_in + 0xA8, section_in, 0xA8, key, 0x80);

From xorloser: The "metldr exploit" had already been replicated long ago by many people who feel no need for public acknowledgement.

Finally, from lunuxx via JailBreakScene: Well it works, go get your root key.


From IRC: [eussNL] that is how you can verify your metldr dump, by looking for


Now we just need a way to do it ourselves without having to install linux on our PS3. They are different for each PS3 (box-specific key that Metldr is signed with, which has new keys for the rest). Lunuxx was just showing us that it is possible and safe to try. It also gives us reference to what a proper dump should look like. A more detailed guide is now available HERE.

PS3 Metldr Exploit Leaked, PlayStation 3 Metldr Guide Arrives


#161 - bigo93 - November 21, 2011 // 10:33 am
So the new "unhackable" console can be hacked, but only if we had the keys, which can be obtained by using Math's method, a method he refuses to share. So basically Sony only patched a little in the new console, so all we know is that it is hackable. But anyone knows anything can be hacked into eventually, so does this news really bring us closer to CFW 3.73?

Would be a nice xmas gift for devs to release such a thing, but we probably have a better chance of finding a lump of coal under the tree.

#160 - NTA - November 21, 2011 // 7:24 am
New CFW = Best Christmas Gift of 2011

#159 - elser1 - November 21, 2011 // 7:13 am
It's all over my head at this point in time.. if I wasn't so busy playing games I'd try to learn all this stuff.. LOL

#158 - Foo - November 21, 2011 // 6:11 am
Here's what a good majority of the people don't know:

Math told us how to do this already!!! There was a bit of a puzzle, but once you put it together you understand it. (If you understand this stuff)

And DemonHades was right. It's possible through RAM.

#157 - elser1 - November 21, 2011 // 2:18 am
i wish i knew what they are talking about.. LOL

#156 - PS4 News - November 20, 2011 // 8:48 am
Following up on the previous PS3 Metldr news update and Guides, this weekend Spanish PlayStation 3 developer DarkVolt has made available dumpmetldr.bin via which appears to be a dump of the new PS3 Metldr revision found in PlayStation 3 CECH-2504 consoles (datecode 1b and above) followed by a PS3 Boot Loader SE Version 3.7.3 (lv0 segment) dump and more below.

Download: PS3 Metldr2 DumpMetldr.bin / PS3 Boot Loader SE Version 3.7.3 (lv0 segment) / PS3 Metldr2 Dump (most complete head including) / UP0001-CMX000010_00-METDUMPER0000000.pkg / metldr_475-478_fixed.rar / metldr_475-478.7z by CMX via zecoxao / by haxxxen

To quote, roughly translated: Here I come to leave the metldr decryption; as things go I may publish a thing or two more.

Look for geohot's root key within the metldr dump I published, let's see if we get lucky.. I am the source and the base is an exploit..

Again an image, but this time I am not clear. I have work; I'll be releasing more stuff. Saying this is not worthy... hehehe, explanation:

We have a decrypted metldr here; if you look at it you will see it is a little ELF without the normal header. It contains the root keys that geohot published and a couple of 0x30 added from 3.50 onward, and it STILL USES IT.

HAVING the metldr as an ELF we can put the header on it and load it in anergistic, using it as an unselfer for loaders! The metldr is still used in 3.74 (a debug already exists) and in 3.73 retail too.

The difference in loading IS that before, metldr used to take the files from CoreOS, and now LV0 delivers them to it via RAM and closes access to the file, BUT WE CAN DECRYPT IT with the keys added to the root metldr if we have the file.

LV0 can be decrypted if we fix Math's feat to support the bootldr, decrypt the metadata from the LV0 header and then decrypt the rest of the spaces with their loaders.. Worthy, is it not? hehe

Edit to add: if you compare an ISOLDR from 3.55 with the metldr you will realize that they are almost the same; I mean the isoldr contains the updates for the metldr (virtual of course).

And in 3.60+ it IS also inside the LV0, so every time the initial metldr boots it can be updated with the new pair of keys it already has... loading the metldr in anergistic.


With Metldr we have almost total control of the console, as we see in the picture above; however, it also shows that the bootldr is the only part of the PS3 outside the Metldr, but (and I say this in complete ignorance, using only basic logic) if you have full access to the console it should be much simpler to access bootldr. In any case, if this is true it would mean a breakthrough.


PS3 Boot Loader SE Version 3.7.3 (lv0 segment):

From jon_17_: The metldr loads ldrs, but these must first be authenticated against a hash that metldr itself contains internally. metldr2 comes in certain non-downgradeable consoles (datecode 1b and higher), which are the most modern consoles today.

Metldr weighs 60KB (usually, in some cases); the SPU local store has 256KB. The loaders load LV0 (always decrypted), lv1 (always) and lv2 (only in lpar_ps3). The loaders themselves decrypt LV0, lv1 and lv2.

The lv2 to be decrypted in lpar_ps3 is saved in the isolated SPU local store together with the idstorage; the idstorage stores the hashes of valid executables.

From zecoxao comes a Metldr LV2 Dumper for PS3 4.75 to 4.78 Retail Consoles by CMX, who states the following:

Today is a special day. This marks an important release. You are now able to dump metldr from a simple pkg install, instead of using linux resources. That's right, thanks to CMX, this awesome bundle allows you to dump metldr without going through red ribbons and debians!

Created by:

Flatz, for the original root key dumper source.
Joon and Mike, for the tests.

CMX (he made it all possible)

(The build script is ready to use, but I was too lazy to upload the modified pkg source in the first link.)


Finally, from haxxxen, to quote: Since it is easy to port it in a few minutes, I have now made a pkg from the erk/met dumper for FWs 4.21, 4.46, 4.65, 4.70, 4.75, 4.76, 4.78 (CEX or DEX).

Btw, you only need 5 symbols, so you can leave those and remove the rest: toc, extend_kstack, copy_to_user, memset, memcpy. Further, only the syscall table and those 2 GameOS lpar thingies are needed.

On another note, you should remove/comment the new_poke install, since it can mess with cobra mode. Disabled, the dumpers work fine regardless of whether cobra is running or not.

The lv1 patches can be done dynamically with search patterns, and only the htab and spe patches are needed, since the others are enabled by default (at least on Rebug 4.21).


#155 - firebuddie - November 17, 2011 // 12:40 pm
I find it surprising there's not more talk about the zero-size SELF exploit load to HV found by fail0verflow and detailed in the xx404xx doc links at the start of this thread.

If the HV could be exploited, it could be patched to NOT hide the lv0 bootloader and therefore use the HV to dump the bootloader; even if it is encrypted, it is a start.

Like Maths and xx404xx keep hinting, it's all there on our PS3's. Just getting the sucker to give it up! Like I say, don't know why a known exploit of the HV is not being discussed/followed up on, or maybe it is and I ain't on the right IRC channels to hear about it?

#154 - elser1 - November 15, 2011 // 3:39 pm
So many smart people on here but the keys are elusive still.. must be hard to get eh.. LOL

surely someone here has what you all want.

#153 - CS67700 - November 15, 2011 // 1:22 pm
If there's so much noise around it, it probably means they're private...

#152 - niwakun - November 15, 2011 // 11:36 am
Quote originally posted by iscnokia:
I understand that PS3 console uses several levels of encryption and in order to unencrypt it

Private key = sign things
Public key = decrypt things

seriously watch the fail0verflow vid again

Quote originally posted by iscnokia:
Also, that phony DOS window showing that output is nothing; any program can print what you want, so I could also write a C program printing:

printf ("I have a 3.60+ CFW \n");

In DOS it's derived with "ECHO", by the way.