Exploit for Dumping LV0 From 3.60 Revealed - Will Lead to 3.60 Keys

Published on 03-28-2011 07:04 PM

58 Comments

Some very exciting news has been revealed today by Mathieulh. He has recently exploited and dumped LV0 on 3.60 firmwares. However, unlike some of his past exploits where he has kept the details rather closely guarded, this time around he is rather candid on how to reproduce his method.

Attachment 1057

One user on twitter, by the name of Ps3WeOwnYoU, is already claiming to have reproduced Mathieulh's trick. He is stating that he currently possesses the decrypted LV0 from 3.60 after using the trick. However, Ps3WeOwnYoU's claims have not yet been substantiated and this should still be considered a rumor.

So for the less technically inclined what exactly does Mathieulh's exploit mean for the average user? Well, it will provide access to the 3.60 keys, which in turn would lead to everything we're accustomed to on 3.55 and 3.41 (ie. jailbreak/homebrew on 3.60).

Mathieulh's Tweets:

@xShadow125 You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.

@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)

@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.

@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.

@xShadow125 You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.

@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.

To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.

The new 3.56+ values for tarballs are the following: owner_id, “0000764″ group_id, “0000764″ owner, “tetsu” group, “tetsu” ustar, “ustar “

You can use fix_tar to use those new values. Use with caution.

By comparison, those are the pre-3.56 values. owner_id, “0001752″ group_id, “0001274″ owner, “pup_tool” group, “psnes” ustar, “ustar “

@Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.

So, to decrypt this LV0 thing, we need to get to know it better. In the latest blog post by rms, he has explained briefly what LV0 is in the console’s security.

Anyway, let’s really discuss something PS3 instead of my PC xD, let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the “Cell OS Bootloader”. In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary. All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.

So, unless you can decrypt Lv0, no 3.60 “CFW” for you . Is there any need for it anyway?

Mathieulh also has some facts to clarify about LV0.

1. lv0 isn’t a loader it’s a ppu binary

2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos

3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.

4. The bootloader keys cannot be updated/modified on EXISTING hardware

5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)

But wait, messing with this thing could lead to the YLOD tragedy, unless you have those expensive NOR flasher you might want to proceed, and that’s according to rms again.

Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then “YLOD”, and you’d need a flasher for your PS3 to recover .

There you go, with all the information available out there i just wonder why didn’t anyone found the solution to the exploit that Mathieulh (and maybe some people we didn’t know) discovered weeks ago. Maybe instead of *****ing why the guy did not release anything, try listening to what he said this time.

Source: PS3Crunch

Share
- Share this post on
- Digg
- Del.icio.us
- Technorati
- Twitter

Categories:

PS3 Dev

56 Comments

cmptrblder-PSG - 03-28-2011, 07:37 PM
- Reply
.......ditto and if your on a modded console just accept not using PSN. There are WAY too many benifits that far out weigh PSN access. You want access that bad? buy a second console used so your not feeding the sony machine.

Blasler - 03-28-2011, 07:38 PM
- Reply
new´s CFW will be jus to connect to psn or to the games that ask for them...anyway for that games just mod the EBOOT... so new´s cfw just will be to PSN nothing more

Darkman-PSG - 03-28-2011, 07:40 PM
- Reply
exactly.... there is no point! just buy another console Sony is just gunna update it and go sue happy

Darkman-PSG - 03-28-2011, 07:45 PM
- Reply
Originally Posted by Turkish

Hooray, why would you try to hack OFW 3.60? Why waste your time on a cat and mouse game with Sony? To please some people who were (sorry for harsh words) dumb enough to update? The people that wanted CFW were wise enough to not update. And no don't come here and say "bu bu but... I didnt know 3.60 was unhackable", we got the same arguments back in september when people updated to 3.42.

Better work on something more useful, I dont wanna update my ps3 every couple of weeks/months and then get compatibility issues with my signed 3.55 homebrew.

Take not from the psp scene, 5.00m33-6 from 2009 still going strong, no need for new firmwares.

yeah you are right 5.00m33-6 is still the best cfw up to date.... you know the ps3 scene is like the psp scene... seen how DA left and cfw turned to ****... same like the ps3... the cfw out there isnt all that great

TWITDADDY - 03-28-2011, 07:47 PM
- Reply
Untill sony adds some useful features to a new fw what is the point? At this point I'm sure any features added are for security. I know they have the cloud storage, but who really cares lol

mgrimmenator - 03-28-2011, 07:49 PM
- Reply
mmm, maybe if dump 3.60 then can patch 3.55 to make think 3.60. any advances are good.

TWITDADDY - 03-28-2011, 07:50 PM
- Reply
I'm really hoping someone will port xbmc to ps3 with a direct boot option. To me xmb is just too blah. I've messed with themes but the changes are minimal. I would like to be able to write my own scripts to have my machine do what i want

TWITDADDY - 03-28-2011, 07:53 PM
- Reply
Originally Posted by mgrimmenator

mmm, maybe if dump 3.60 then can patch 3.55 to make think 3.60. any advances are good.

I read today that someone took what sony checks on 3.60 and added it to 3.55cfw and was able to return to psn. Im not really sure if that works or not and I didnt read to much in to it since I have no desire to use psn. Ill check my history and try to give a link later

Kingj13-PSG - 03-28-2011, 07:59 PM
- Reply
Some of us would like psn access back, it may be easier to achieve if we are actually on 3.60 rather than 3.55 or below!

ihaxgames-PSG - 03-28-2011, 08:13 PM
- Reply
I want PSN access back, but I can live without it, what I'd rather have newer CFW for is new games and features, but I can live with 3.55

Joaquin Montano - 03-28-2011, 08:14 PM
- Reply
Why is it people are saying buy another console for? A lot of people out their don't have the money to spend $300+ bucks again.. If you don't care about PSN, and your happy about CFW 3.55 or lower. Then you don't have too update too CFW 3.60 then.. I have read a lot of people saying " I don't care about PSN,no point of release CFW3.60" well maybe some of you don't care about it. But many other people would be happy too get CFW 3.60.. I know I be happy to have CFW 3.60.

DGPRodiGY-PSG - 03-28-2011, 08:20 PM
- Reply
Originally Posted by Turkish

Hooray, why would you try to hack OFW 3.60? Why waste your time on a cat and mouse game with Sony? To please some people who were (sorry for harsh words) dumb enough to update? The people that wanted CFW were wise enough to not update. And no don't come here and say "bu bu but... I didnt know 3.60 was unhackable", we got the same arguments back in september when people updated to 3.42.

Better work on something more useful, I dont wanna update my ps3 every couple of weeks/months and then get compatibility issues with my signed 3.55 homebrew.

Take not from the psp scene, 5.00m33-6 from 2009 still going strong, no need for new firmwares.

Why are you so ignorant? Some people are new to the PS3 jailbreaking scene and maybe some people didn't know about 3.55 CFW and they read about it, now they want a 3.60 CFW, simple!

DGPRodiGY-PSG - 03-28-2011, 08:22 PM
- Reply
Originally Posted by TWITDADDY

I'm really hoping someone will port xbmc to ps3 with a direct boot option. To me xmb is just too blah. I've messed with themes but the changes are minimal. I would like to be able to write my own scripts to have my machine do what i want

That's actually a pretty sick idea, I'd love to make my PS3 XMB look like the Xbox Dashboard, that'd be AWESOME!

medalcue - 03-28-2011, 08:33 PM
- Reply
Originally Posted by Turkish

Hooray, why would you try to hack OFW 3.60? Why waste your time on a cat and mouse game with Sony? To please some people who were (sorry for harsh words) dumb enough to update? The people that wanted CFW were wise enough to not update. And no don't come here and say "bu bu but... I didnt know 3.60 was unhackable", we got the same arguments back in september when people updated to 3.42.

Better work on something more useful, I dont wanna update my ps3 every couple of weeks/months and then get compatibility issues with my signed 3.55 homebrew.

Take not from the psp scene, 5.00m33-6 from 2009 still going strong, no need for new firmwares.

You ask why waste your time with a cat and mouse game with Sony? Ask yourself why you hang out at these forums for hours every single day wasting your time whining and making yourself look like a ******. The only diff is, their doing something worth doing. Your doing your trolling because you need the attention.

goblueguy11 - 03-28-2011, 09:16 PM
- Reply
Who cares about CFW for 3.60?
Lets just try to get PSN working on CFW 3.55!

cboushell-PSG - 03-28-2011, 09:17 PM
- Reply
Quote Originally Posted by TWITDADDY View Post
I'm really hoping someone will port xbmc to ps3 with a direct boot option. To me xmb is just too blah. I've messed with themes but the changes are minimal. I would like to be able to write my own scripts to have my machine do what i want

Originally Posted by DGPRodiGY

That's actually a pretty sick idea, I'd love to make my PS3 XMB look like the Xbox Dashboard, that'd be AWESOME!

It wouldn't look like the XBOX dashboard, it would look like the XBMC user interface, since it WOULD BE XBMC. That would be nice if it was to end up on PS3, especially with an autoboot. One can dream. Maybe with Linux.

peeer-PSG - 03-28-2011, 09:22 PM
- Reply
There is no use for a cfw 3.60 really. If you guys wondering for PSN with cfws then you really need to grow up. Sony can and they will patch their PSN/OFWs to block the access from cfws. They can't be blamed either for patching it. You can't go at the store to buy butter and get the butter and the money for the butter. Get real.

Captain Obvious - 03-28-2011, 09:41 PM
- Reply
Originally Posted by Turkish

Hooray, why would you try to hack OFW 3.60? Why waste your time on a cat and mouse game with Sony? To please some people who were (sorry for harsh words) dumb enough to update? The people that wanted CFW were wise enough to not update. And no don't come here and say "bu bu but... I didnt know 3.60 was unhackable", we got the same arguments back in september when people updated to 3.42.

Better work on something more useful, I dont wanna update my ps3 every couple of weeks/months and then get compatibility issues with my signed 3.55 homebrew.

Take not from the psp scene, 5.00m33-6 from 2009 still going strong, no need for new firmwares.

I completely agree with turkish, why would mathieulh risk being sued by the giant enemy crab just for the little nublets who updated their ps3s.

I have 3 ps3s, one on 3.15(for linux), one on 3.55 (perm banned), and one on 3.60(for online)

I'm only 14 and even I know that people my age and younger are stupid. and I don't see why kids cant save their money or beg their parents to buy another PS3 rather than annoying people and pressuring them into risking a lawsuit.

and yes, when I got console-banned I completely deserved it. I disobeyed Sony and went online with fpsn.

Originally Posted by Turkish

Take not from the psp scene, 5.00m33-6 from 2009 still going strong, no need for new firmwares.

is it just me or is anyone else still on 3.80m33-2 ?

Captain Obvious - 03-28-2011, 09:43 PM
- Reply
Originally Posted by peeer

You can't go at the store to buy butter and get the butter and the money for the butter. Get real.

exactly, and the butter company has every right to sue people for for putting butter on bagels rather than on toast...

One2thr456svn - 03-28-2011, 09:44 PM
- Reply
I am sure that someone who is on 3.60 cares about CFW for 3.60,

And I do not think that this is just to get access to the PSN, it is not that great anyway. I think that this is more for the challenge of cracking it, not just for a CFW, just to do it. and it's funny how people a saying that "we don't need a 3.60 CFW, but when they were on 3.42 or 3.50 and the 3.41 was the OFW to have to do anything there was not this much backlash. simply put of you don't need it, don't use it. allow the new noobs that get in on the action have fun just like you.....

And it's a lot new devs apparently cause I see people saying that we don't need this or that, so I can not wait to see what they release?