PS3 Metldr / Per Console Key0 Update, LV0 Bootloader Decrypted?

172w ago - A few weeks back, details and payloads for Dumping PS3 Per Console Keys surfaced, followed by news of a PS3 Metldr Exploit, and today PlayStation 3 developer xx404xx has shared on IRC his PS3 Metldr / Per Console Key0 findings thus far.

Included below are a PS3 EID Rootkey Dumper (SELF), which is loaded through lv2patcher, an EID Decrypter Script, the required EID Static Keys and more, as follows:

[xx404xx] lol wtf you can write to metldr!!!!!!
[xx404xx] 0x17014 - Write eEID/Write metldr Holy crap, it writes passed data to the region of FLASH memory where eEID or metldr data is stored !!! And GameOS is allowed to use this service !!! Do not experiment with this service if you don't know what it does or else your PS3 will not work anymore !!!
[xx404xx] http://img841.imageshack.us/img841/1617/newbitmapimage3en.png
[xx404xx] http://img824.imageshack.us/img824/5747/newbitmapimage3f.png I highly recommend you all go look at that
[xx404xx] Is anyone taking a look at that paste bin? http://pastebin.com/rFD5ASJa (via http://pastie.org/private/qwndjafrtkvhe9cikbxhg from lunuxx)
[xx404xx] Here's a pic from this leaked doc i found
[xx404xx] http://img684.imageshack.us/img684/7951/newbitmapimage6k.png
[xx404xx] http://pastebin.com/rFD5ASJa there's no per console key 0 in the guide
[xx404xx] and you need this leaked doc
[xx404xx] ill go upload it
[xx404xx] the per console key0 is only for my console......
[xx404xx] but you can obtain your own lv0
[xx404xx] im uploading the doc now
[xx404xx] i was hesitant about leaking this
[xx404xx] but here you go, you will need this info
[xx404xx] http://uppit.com/caofvtbovo2y/Cell_Broadband_Engine.doc
[xx404xx] it has doc on the spu's
[stronzolo] what do you think about the picture who math posted on the twitter ?
[xx404xx] real
[xx404xx] he already told us how he does it....
[stronzolo] us = who ?
[branan] everybody. His thing about metldr from a couple days ago applies to bootldr just as well
[xx404xx] it's no secret
[stronzolo] so why math can do it... and others can't ? what's wrong ?
[xx404xx] lol if he didn't want others knowing about it maybe he shouldn't tweet so many hints.......
[xx404xx] we can do it
[xx404xx] read the docs
[xx404xx] he talks about how we dump the local storage from the spu's
[stronzolo] 404 when do we know if your key is key 0 ?
[xx404xx] when someone preps a step by step guide to dump bootldr
[xx404xx] Patent[How to dump lv0 with HW ;] that's all im going to say for now....there will be more later, and this is not a complete guide, but math gave you everything else you need....
[xx404xx] http://server250.uppit.com/files/7/3pwes08br3bp7m/WHATEVER.pdf
[XX404XX] Ik how math does the bootldr exploit
[antikhris] do tell...
[XX404XX] http://pastebin.com/xkXxk8fM

On the PS3 True Blue Dongle:

[xx404xx] True blue is stupid
[xx404xx] it's the fselfs
[eussNL] its more than / just / fself, try unself one and you see what it is
[eussNL] its DRM'ed fself
[xx404xx] ps3 crunch is trying to make money on the new dongles......
[eussNL] well not surprising as GaryOPA is reseller
[xx404xx] where do you think
[xx404xx] it came from
[xx404xx] i dont mean drm
[eussNL] what?
[xx404xx] i mean the fself
[eussNL] there are plural items
[xx404xx] debug servers obv
[eussNL] well, they only have limited titles so there is your clue

From pastebin.com/rFD5ASJa: (img573.imageshack.us/img573/5026/newbitmapimage4z.png)

BootOrder explained (Thanks wiki) VERY IMPORTANT (per_console_key_0 is not the key which will be derived, but is the key which has derived per_console_key_1). We have pck1 using the dumper; in order to obtain pck you need to dump it out of ls. In order to do that with hardware you should look into math's comments about dumping a shared lsa.

In order to do this with software you should either use math's bootldr exploit or you need to exploit the spe secure runtime.... (Not all that hard with the two recent exploits)

With the Runtime Secure Boot feature, an application can run a check on itself before it is executed to verify that it has not been modified or compromised. Secure Boot is normally done only at power-on time, but the Cell BE processor can Secure Boot an application thread multiple times during runtime. (The PS3 doesn't do this right, as you can see in the fail0verflow vid)

Passing execution: (img508.imageshack.us/img508/8544/eib.gif)

Spe execution control diagram: (imageshack.us/photo/my-images/835/newbitmapimage3a.png/)

Error Reporting: (imageshack.us/photo/my-images/193/newbitmapimage5us.png/)

A Debug support flag is set in SC EEPROM at address 0x48C50. When this flag is set, the token is read from SYSCON and decrypted; this gets passed to various modules to unlock certain functionality.

The Debug support flag is tied to the EID, which is supposed to be hashed and saved in SC EEPROM.

A FSELF support flag is set in SC EEPROM at address 0x48C06. When this flag is set, the token is read from SYSCON and decrypted; this gets passed to various modules to unlock certain functionality.

  • Eid Rootkey(1) Dumper (load through lv2patcher) (You need this)
  • Eid Decrypter: decrypt your eid with this (You need this)

Eid static keys (You need these), one per loader and firmware version:

  • aim_spu_module.self: 1.00 Debug/DEX, 3.15 Retail/CEX, 3.41 Retail/CEX, 3.55 Retail/CEX, 3.56 Retail/CEX
  • appldr: 1.00 Debug/DEX, 3.15 Retail/CEX, 3.41 Retail/CEX, 3.55 Retail/CEX, 3.56 Retail/CEX
  • isoldr: 1.00 Debug/DEX, 3.15 Retail/CEX, 3.41 Retail/CEX, 3.55 Retail/CEX, 3.56 Retail/CEX
  • lv1ldr: 1.00 Debug/DEX, 3.15 Retail/CEX, 3.41 Retail/CEX, 3.55 Retail/CEX, 3.56 Retail/CEX
  • lv2ldr: 1.00 Debug/DEX
  • spu_pkg_rvk_verifier.self: 1.00 Debug/DEX
  • spu_token_processor.self: 1.00 Debug/DEX, 3.15 Retail/CEX, 3.41 Retail/CEX, 3.55 Retail/CEX, 3.56 Retail/CEX
  • spu_utoken_processor.self: 3.15 Retail/CEX, 3.41 Retail/CEX, 3.55 Retail/CEX, 3.56 Retail/CEX
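The boot-order and Runtime Secure Boot notes above describe a chain in which each stage's key is derived from its parent (per_console_key_0 deriving per_console_key_1) and each loader must verify the next image before handing execution to it, with a stage optionally re-checking itself at runtime. The following is an added illustration of that verify-before-execute model; it is not code from this page, from xx404xx or from any PS3 tool. It uses HMAC-SHA256 as a stand-in for the real keyed verification so it runs with the Python standard library, and the root key, stage images and the function names (derive_key, boot_chain, runtime_self_check) are constructed for the example:

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-in for a per-console root secret fused into the CPU
# (the page's per_console_key_0). Not a real key.
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Boot stages in load order, following the page's description.
STAGES = ["bootldr", "lv0", "lv1", "lv2"]


def derive_key(parent_key: bytes, label: str) -> bytes:
    """One-way derivation: child = HMAC(parent, label).
    Models the per_console_key_0 -> per_console_key_1 step: a stage that
    holds the child key cannot recover the parent from it."""
    return hmac.new(parent_key, label.encode(), hashlib.sha256).digest()


def stage_keys(root: bytes) -> Dict[str, bytes]:
    """Derive one key per stage, each from the previous stage's key."""
    keys: Dict[str, bytes] = {}
    key = root
    for name in STAGES:
        key = derive_key(key, name)
        keys[name] = key
    return keys


def sign_image(key: bytes, image: bytes) -> bytes:
    """Tag over the image hash. A real loader checks an asymmetric signature;
    HMAC is used here only so the example runs with the standard library."""
    return hmac.new(key, hashlib.sha256(image).digest(), hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a tag mismatch does not leak its position."""
    return hmac.compare_digest(sign_image(key, image), tag)


def boot_chain(keys: Dict[str, bytes], images: Dict[str, bytes],
               tags: Dict[str, bytes]) -> Tuple[List[str], str]:
    """Verify-then-execute each stage in order. Fails closed: the first stage
    whose image does not verify halts the chain, and no later stage is loaded."""
    loaded: List[str] = []
    for name in STAGES:
        if not verify_image(keys[name], images[name], tags[name]):
            return loaded, f"halt: {name} failed verification"
        loaded.append(name)
    return loaded, "ok"


def runtime_self_check(key: bytes, image_in_memory: bytes, tag: bytes) -> bool:
    """Runtime Secure Boot: a stage re-verifies its own in-memory image before
    continuing, so a patch applied after the power-on check is still caught."""
    return verify_image(key, image_in_memory, tag)


def build_images() -> Dict[str, bytes]:
    """Constructed placeholder images; real loaders are SPU binaries."""
    return {name: f"{name} image v1".encode() for name in STAGES}


def demo() -> Tuple[Tuple[List[str], str], Tuple[List[str], str]]:
    """Run the chain once untouched and once with lv1 patched in flash."""
    keys = stage_keys(ROOT_KEY)
    images = build_images()
    tags = {name: sign_image(keys[name], images[name]) for name in STAGES}
    good = boot_chain(keys, images, tags)
    patched = dict(images)
    patched["lv1"] = images["lv1"] + b" + unauthorised patch"
    bad = boot_chain(keys, patched, tags)
    return good, bad


if __name__ == "__main__":
    untouched, patched_lv1 = demo()
    print("untouched:", untouched)      # every stage loads
    print("patched lv1:", patched_lv1)  # chain halts before lv1 executes
```

The point the model makes is the one the notes raise: a modified lv1 is rejected by the stage that loads it, so lv2 never runs, and a stage that re-checks its own image at runtime (runtime_self_check) also rejects a patch applied after the initial check. Key derivation only runs downward, so possession of a later stage's key says nothing about the root.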

In related news, Sony PlayStation 3 hacker Mathieulh Tweeted the following comments on what appears to be the PS3 Firmware 3.73 lv0 bootloader decrypted:

Boot Loader SE Version 3.7.3 (Build ID: 4611,48369, Build Date: 2011-10-12_12:31:19) What's taking you so long? http://twitpic.com/7e0m6w

Boot Loader SE Version 3.6.6 (Build ID: 4534,47762, Build Date: 2011-06-16_13:24:46) I am bored....

Oh ! that's nothing just a little string from the 3.73 lv0....

By the way, I won't be posting keys, I won't be posting dumps and I won't be saying how it was done, time to work gentlemen.

It's a command prompt because I am using my own tool to decrypt selfs to elf and not the buggy unself. Not like an unself prompt couldn't be faked though.

You can't sign lv0 on a CECH-3000, sorry. No, the new bootloader uses a new keyset.

The build number should be proof enough, as long as you can get your hands on a decrypted lv0 that is. Posting keys is not an option, posting hashes of the keys wouldn't bring you any additional proof because you have no way of verifying those, besides Sony's lawyers would claim that I'd be posting encrypted forms of the keys like they did in the fail0verflow trial, and I am not posting screenshots because lv0 contains copyrighted code.

So unless you have any other "proof" in mind that I could post legally without fearing prosecutions, feel free to tell me about these.

I am definitely not releasing it anyway, I've already said how I am not releasing anything anymore, EVER. I am a man of my word.

By the way instead of demanding, people should start looking at my "pwning metldr the "easy" way" post where I gave the first steps into exploiting the bootloader and one of the required exploits and start working from that, there is no point in making demands, asking for "proofs", keys and whatnot, I won't be sharing these, so you'd better start working; I've given you a nice starting point.

I am done talking about lv0 decryption, feel free to resume this talk once it becomes public and people can verify the strings I posted.

Although unconfirmed, eitjuhh has Tweeted the following: Don't flame ppl!.. lv0 decrypted from my debug console!! http://pic.twitter.com/sVXinzlb

Posted a little preview of the ps3swu.self from 4.00 - http://pastie.org/2980794

Shortly following, he Tweeted (twitter.com/#!/eitjuhh/status/144763029224038400): Found new keys in OFW 4.00 !! don't know which keys they are at this moment!.. but i think the new twitter.com/#!/eitjuhh/status/144763029224038400/photo/1

but i think they are the new klic_dec_key keys, sony wrote them twice in other ofw's, now 3 times?? http://pastie.org/2985773

60 00 00 00 E8 01 00 80 38 21 00 70 7C 08 03 A6 --- Second new key found!

And he Tweeted (twitter.com/#!/eitjuhh/status/145054115750346752): Yesterday I did a second test! CFW is RUNNING ppl!!.. Tonight I will build in Peek&Poke! Video: soon, Release: Before Christmas !

From Sony PS3 hacker xorloser (CitizenX of scene release group PARADOX) via Twitter:

V3.60 and above have the secrets encrypted inside lv0, and the lv0 keys are not publicly available.

lv0ldr loads lv0 direct from flash rather than from memory, plus nothing else is running at this stage. So trickier, but doable.

From zecoxao comes a brief guide: How to Dump BOOTLDR Unencrypted (Decrypted)

Things you'll need:

  • PS3 on 3.55 OTHEROS++ (this was tested on a slim, but phats are probably achievable as well)
  • Latest linux kernel (or any of the 3.x.x kernels by glevand, precompiled)
  • Knowledge of linux (such as creating symlinks (ln -s), editing kboot.conf, sudoing, etc.)

In case you don't have the latest kernel but already have a distro installed: gitbrew.org/~glevand/ps3/linux/linux-3/linux-3.3.3-build.tar.bz2

And now for the fun part:

PS: Lv0 keys are STILL encrypted, so don't complain, you have your precious bootldr there, have fun with it.

Finally, from anonymous (via pastie.org/pastes/5090091/) comes a PS3 dump bootldr how to exploit:

Must have a dex 3.55 (real or made dex 3.55) ps3, also a dual nand/nor installed chip base. In a 3.55 dex console, prepare a lv0.self with the metadata exploit. Reboot. lv0 will hang since lv0.self will not run properly. bootldr will send info to lv0 before it hangs, after it decrypts it; running dex with certain switches set up, like boot in dev mode, will allow this hang dump of bootldr to be saved to the local store.

But, essentially you will have a bricked ps3, so recovery of the local store won't happen. This is where the dual nand/nor comes in handy and allows you to recover from this and replace your messed up lv0.self with the original to boot up and recover the local store dump and the decrypted bootldr. This will allow the keys to bootldr; these keys cannot be changed with any update.

We can then exploit lv0. The exploit of bootldr/lv0 will allow the ability to change the way private keys are made or give us the ability to reset up the private key fail and resign packages with any new firmwares.

This although is just a "well tested Theory" of course.

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!

Comments (201)

#161 - bigo93 - 171w ago
So the new "unhackable" console can be hacked, but only if we had the keys, which can be obtained by using math's method, a method he refuses to share. So basically sony only patched a little in the new console, so all we know is that it is hackable. But anyone knows anything can be hacked into eventually, so does this news really bring us closer to cfw 3.73?

Would be a nice xmas gift for devs to release such a thing, but we probably have a better chance of finding a lump of coal under the tree.

#160 - NTA - 171w ago
New CFW = Best Christmas Gift of 2011

#159 - elser1 - 171w ago
its all over my head at this point in time.. if i wasn't so busy playing games i'd try to learn all this stuff.. LOL

#158 - Foo - 171w ago
Here's what a good majority of the people don't know:

Math told us how to do this already!!! There was a bit of a puzzle, but once you put it together you understand it. (If you understand this stuff)

And DemonHades was right. It's possible through RAM.

#157 - elser1 - 171w ago
i wish i knew what they are talking about.. LOL

#156 - PS4 News - 171w ago
Following up on the previous PS3 Metldr news update and Guides, this weekend Spanish PlayStation 3 developer DarkVolt has made available dumpmetldr.bin via Elotrolado.net which appears to be a dump of the new PS3 Metldr revision found in PlayStation 3 CECH-2504 consoles (datecode 1b and above) followed by a PS3 Boot Loader SE Version 3.7.3 (lv0 segment) dump and more below.

Download: PS3 Metldr2 DumpMetldr.bin / PS3 Boot Loader SE Version 3.7.3 (lv0 segment) / PS3 Metldr2 Dump (most complete head including)

To quote, roughly translated: Here I come to leave the metldr decryption: http://www.multiupload.com/YN4G8LJJK4 according fence can I go to publish a thing or two more.

Seeks the root key of geohot within the metldr dump I published aver if it sounds the flute.. I am the source and the base is an exploit..

s3nint3!Deneuve image but this time I am not clear. I have work I'll be releasing more stuff. Saying this is not worthy... hehehe explanation:

We Have a decrypted metldr here, if you see it you will see a little Is An elf Without the normal header. It contains the root keys That geohot publish and a couple of 0x30 added from 3.50 and ahead, and it STILL USES IT.

HAVING in the elf metldr we can put it the header and upload it in using it as anergistic unselfer for loaders! The metldr is still used in 3.74 (a debug already exists) and 3.73 retail too.

The difference of charge IS that before the metldr used to take the files from CoreOS and now it deliverer LV0 via ram em to us and close the access to the file BUT WE CAN IT DECRYPTED with the keys from the root metldr added if we have the file.

LV0 can be the decrypted if we fix the feat of math to support the bootldr and decrypts the metadata from the header from LV0 and decrypts this with the rest of the spaces with Their loaders.. Worthy is it not? hehe

Edit to add, if you compare a ISOLDR from 3.55 with the metldr you will realize that they are almost the same, I mean the isoldr contains the updates for the metldr (virtual of course)

That in and 3.60 + Also it IS inside of the LV0 so it every time can update the initial metldr boots with the new couple of the keys already have... uploading the metldr in anergistic http://pastie.org/private/2kijry6y7jwoiwsepqqcbq


s3nint3!With Metldr have almost total control of the console as we see in the picture above, however also shows that the bootldr is the only part of the PS3 outside the Metldr, but (and I say this in complete ignorance but using a logic low) and you have full access to the console should be much simpler to access bootldr in any case if this is true it would mean a breakthrough.


PS3 Boot Loader SE Version 3.7.3: http://pastebin.com/rk7eib9Y (lv0 segment) / http://pastebin.com/hJTFRp5P / http://pastebin.com/xkXxk8fM

From by jon_17_: The loads metldr ldr, ldr but these must be authenticated before a hash that contains internally metldr himself. metldr2 comes in certain consoles not downgrade (dataCode 1b and higher) are the most modern consoles today.

Metldr weighs 60KB (usually in some cases), the spu local store have 256KB. The loaders to load the LV0 be decrypted (always), lv1 (always) and lv2 (only in lpar_ps3). Decrypted the loaders themselves LV0, lv1 and lv2.

The lv2 to be deciphered in the lpar_ps3 saved in the spu local_store isolated the idstorage, this stores the hash idstorage of valid executables.

More PlayStation 3 News...

#155 - firebuddie - 171w ago
I find it surprising there's not more talk about the zero size self exploit load to HV found by fail0verflow and detailed in xx404xx doc links at start of this thread.

If the HV could be exploited, it could be patched to NOT hide the lv0 bootloader and therefore use HV to dump the bootloader, even if it is encrypted, it is a start.

Like Math and xx404xx keep hinting, it's all there on our PS3's. Just getting the sucker to give it up! Like I say, don't know why a known exploit of HV is not being discussed/followed up on, or maybe it is and I ain't on the right IRC channels to hear about it?

#154 - elser1 - 172w ago
so many smart people on here but the keys are elusive still.. must be hard to get eh.. LOL

surely someone here has what you all want.

#153 - CS67700 - 172w ago
If there's so much noise around it, it probably means they're private...

#152 - niwakun - 172w ago
Originally posted by iscnokia:
I understand that PS3 console uses several levels of encryption and in order to unencrypt it

Private key = sign things
Public key = decrypt things

seriously watch the fail0verflow vid again

Originally posted by iscnokia:
Also, that phony DOS windows showing that output is nothing that any program running what you want so I could also write a C program printing:

printf ("I have a 3.60+ CFW \n");

in DOS it's derived with "ECHO", by the way.

