wraggster
March 30th, 2011, 13:59
News via http://psx-scene.com/forums/f6/mathieulhs-v3-60-ps3-exploit-revealed-84189/
I don't know if anyone noticed, but recently Mathieulh, who's quit the scene more times than we can count, revealed via his Twitter account details on how to get the much-needed internal data that you need to figure out his previously rumored v3.60 PS3 exploit!
Check out some of Mathieulh's recent tweets below:
Quote:
@xShadow125 You can't overflow user processes, the NX bit applies here, you can only overflow lv2 or a process with higher privileges.
@xShadow125 You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.
@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
@xShadow125 You wont get all of lv0 but the part with the loaders shouldn't be overwritten.
@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
@xShadow125 That's from an older lv0, the method to get the data isn't the same, the one I posted was a dump, this one is a decryption
@xShadow125 There is a nice way to dump pre 3.55 lv0 as well by using a small lv1 binary, it's a risky process though.
@xShadow125 Oh! You mean my pm ? congrats, you just figured I have had lv0 dumped/decrypted for quite some time xD
@xShadow125 Reminds me of those stupid lv2 overflows I spotted ages ago in the bdemu code, which are useless now on 3.55+ anyway.
Now it's just a matter of having the major advanced skills to do it; we're talking NOR flasher, super-great soldering, extra PS3s to possibly waste in the cracking experience, but is anyone here capable of doing so?
If so, more recent tweets from Mathieulh tell you how to possibly build a new v3.60 PUP:
Quote:
To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
The new 3.56+ values for tarballs are the following: owner_id, "0000764" group_id, "0000764" owner, "tetsu" group, "tetsu" ustar, "ustar "
You can use fix_tar to use those new values. Use with caution.
By comparison, those are the pre-3.56 values. owner_id, "0001752" group_id, "0001274" owner, "pup_tool" group, "psnes" ustar, "ustar"
@davidkont 3.60 isn't "hardcore security" anyway, it's just sony thinking they are safe hiding everything inside lv0...
@Ps3WeOwnYoU You can't decrypt lv0 without the bootloader keys. Your best bet is to look at 3.56, decrypt loaders, look for exploits, profit
@Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
News Source: Mathieulh's Twitter Account (http://twitter.com/#!/mathieulh)
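The tarball attribute change quoted above can be checked and applied without fix_tar, since the values live in fixed-offset fields of each 512-byte ustar header. What follows is an added example written for this post; it is not Mathieulh's fix_tar and not any Sony tooling. It walks the headers, rewrites uid, gid, uname, gname and the magic/version bytes with the quoted 3.56+ values, and recomputes the header checksum, which any tar reader validates and which silently breaks if you patch only the names. The sample archive, its file names, and the pairing of "ustar " with version " \0" (old GNU style) versus "ustar\0" with "00" (POSIX) are my assumptions; the tweets give only the six strings.

```python
import io
import tarfile

BLOCK = 512

# Field offsets inside a 512-byte ustar header (POSIX.1-1988 layout).
UID = slice(108, 116)
GID = slice(116, 124)
SIZE = slice(124, 136)
CHKSUM = slice(148, 156)
MAGIC = slice(257, 263)
VERSION = slice(263, 265)
UNAME = slice(265, 297)
GNAME = slice(297, 329)

# The six values quoted in the post, per firmware generation. Treating the
# "ustar" entries as the 6-byte magic field and pairing them with the usual
# version bytes (POSIX "00", old GNU " \0") is an assumption on my part.
PRE_356 = {"uid": "0001752", "gid": "0001274", "uname": "pup_tool",
           "gname": "psnes", "magic": b"ustar\0", "version": b"00"}
POST_356 = {"uid": "0000764", "gid": "0000764", "uname": "tetsu",
            "gname": "tetsu", "magic": b"ustar ", "version": b" \0"}


def _field(text, width):
    """ASCII string NUL-padded to a fixed-width header field."""
    raw = text.encode("ascii")
    if len(raw) >= width:
        raise ValueError(f"{text!r} does not fit in {width} bytes")
    return raw.ljust(width, b"\0")


def header_checksum(hdr):
    """Sum of all header bytes with the chksum field counted as eight spaces."""
    return sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])


def iter_headers(data):
    """Yield (offset, header) for every entry, stepping over the file data."""
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == bytes(BLOCK):          # first all-zero block ends the archive
            return
        if hdr[257:262] != b"ustar":
            raise ValueError(f"no ustar magic at offset {off:#x}")
        size = int(hdr[SIZE].rstrip(b"\0 ").decode() or "0", 8)
        yield off, hdr
        off += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK


def fix_tar(data, values):
    """Rewrite the ownership and magic fields of every header and re-checksum."""
    out = bytearray(data)
    for off, hdr in iter_headers(data):
        h = bytearray(hdr)
        h[UID] = _field(values["uid"], 8)
        h[GID] = _field(values["gid"], 8)
        h[UNAME] = _field(values["uname"], 32)
        h[GNAME] = _field(values["gname"], 32)
        h[MAGIC] = values["magic"]
        h[VERSION] = values["version"]
        h[CHKSUM] = b"%06o\0 " % header_checksum(h)   # same layout tar(1) writes
        out[off:off + BLOCK] = h
    return bytes(out)


def owner_fields(data):
    """Raw (undecoded) field values of every entry, for inspection."""
    rows = []
    for _, h in iter_headers(data):
        rows.append({"uid": h[UID].split(b"\0")[0].decode(),
                     "gid": h[GID].split(b"\0")[0].decode(),
                     "uname": h[UNAME].split(b"\0")[0].decode(),
                     "gname": h[GNAME].split(b"\0")[0].decode(),
                     "magic": h[MAGIC], "version": h[VERSION]})
    return rows


def checksums_ok(data):
    """True if every stored header checksum matches the recomputed one."""
    return all(int(h[CHKSUM].rstrip(b"\0 ").decode(), 8) == header_checksum(h)
               for _, h in iter_headers(data))


def reparse_owners(data):
    """Independent check: the stdlib parser rejects any header with a bad checksum."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [(m.uid, m.gid, m.uname, m.gname) for m in tf.getmembers()]


def build_sample_tar():
    """Constructed two-file archive carrying the pre-3.56 values (names are made up)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in (("dev_flash/vsh/example.self", b"SCE\0" * 8),
                              ("dev_flash/sys/example.sprx", b"\x7fELF" + b"\0" * 60)):
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            ti.uid, ti.gid = 0o1752, 0o1274
            ti.uname, ti.gname = "pup_tool", "psnes"
            tf.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    raw = build_sample_tar()
    fixed = fix_tar(raw, POST_356)
    for before, after in zip(owner_fields(raw), owner_fields(fixed)):
        print(before, "->", after)
    print("checksums ok:", checksums_ok(fixed), reparse_owners(fixed))
```

Running it prints each entry's fields before and after the rewrite and confirms that the stock tarfile module still accepts the result. The same walk, with `fix_tar` swapped for a comparison against `PRE_356` or `POST_356`, tells you which generation an extracted PUP tarball came from before you try to rebuild it.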