Printable View
The exploit Geohot used to dump Metldr is perhaps the scene's best kept secret, and probaby the most useful exploit of all. Geohot's exploit might allow us to patch the loaders used in all future firmware versions.
Let's start a polite technical discussion on how you think geohot's exploit works, let me hear your theories.
Oh and let's not turn this thread into a flamefest.;)
Here is a bit of help from me: Considering the loaders (including metldr) run isolated, they only have very few "interactions" with the "outside", so the real question you have to ask yourselves is "What kind of data does the loader processes (from external sources that is)" Then considering loaders seemingly share the same codebase, look at other loader's code which you decrypted (that's that part where you reverse spu assembly) and look at the parts that process this external data.
Good luck on your endeavor.
Thank you for your very helpful post.Quote:
Originally Posted by mathieulh
From what I understand (I'm pretty much a layman) there is the possibility of using the fact that the loaders use some sort of external data to some extent. And one of the loaders has a flaw which can be detected by comparing the decrypted data between all of them (which is the same except for that flaw). The flaw resides somewhere in one of those "interactions" with an "external data source".
A question arises:
What data do the loaders process from external sources?
Can anyone shed some light on this?
geo has always hinted you need to command an spu to load metldr, so i had a look around the net & it seems someone has replicated this,
link: How to load METLDR in ps3 - PiemonteWireless
Don't you have to run Linux in order to use that method? Also that doesn't allow to do anything useful since it's incomplete (he doesn't specify what the read/write u32 functions are).Quote:
Originally Posted by tulla
Probably, but we can run linux.
Geohot's original exploit can be executed via asbestos/BootOS just fine, it wasn't actually fixed, the only (at the time) way to access it was removed.
The exploit geohot used to access metldr when failoverflow was just having Lv-2 privileges could possibly be based on his original linux based exploit (I personally doubt so), but we know he didn't use the said hack since he didn't have linux running on 3.15+ at the time.Quote:
Originally Posted by cookie42
Let's focus on Mathieullh's advice.
The only thing he revealed about his metldr exploit was that it was done in OtherOS
It seems people don't understand what exploit is being talked about here.Quote:
Originally Posted by E.coli
We are not talking about his 2010 linux based hack which led to the removal of Other OS. He made that exploit public.
We are talking about the exploit he used to break into metldr, dump the keys and have full access to the ps3, which he never made public. Not even failoverflow knows how he did it.
Again let's focus on the help Mathieullh gave.
NetRPC in AbestOS is your interface with the PS3
28:20 failoverflow video
Geo had Linux in OtherOS and im sure he had something similar to NetRPC
BREAKING LOADERS 33:20 failoverflow video
An exploit in the revocation list parsing, enabling us to dump a bunch of loaders, and thus their decryption keys
A humongous screwup by Sony, enabling us to calculate their private signing keys for all of those loaders, and thus sign anything to be loaded by those loaders
We used these techniques to obtain encryption, public, and private keys for lv2ldr, isoldr, the spp verifier, the pkg verifier, and the revocation lists themselves. We could’ve obtained appldr, (the loader used to load games and apps), but chose not to, since we are not interested in app-level stuff and that just helps piracy. We didn’t have lv1ldr, but due to the way lv1 works, we could gain control of it early in the boot process through isoldr, so effectively we also had lv1 control.
The root of all of the aforementioned loaders is metldr, which remained elusive. Then Geohot announced that he had broken into metldr (with an exploit, analogous to the way we exploited lv2ldr to get its keys) and was thus able to apply our techniques one level higher in the loader chain. He has released the metldr keyset (with the private key calculated using our attack), but not the exploit method that he used.
PowerPC access alows us to use SPE to decrypt anything
NetRPC Python Scripts
[ame="http://www.youtube.com/watch?v=4loZGYqaZ7I"]http://www.youtube.com/watch?v=4loZGYqaZ7I[/ame]
Here is a bit of help from me: Considering the loaders (including metldr) run isolated, they only have very few "interactions" with the "outside", so the real question you have to ask yourselves is "What kind of data does the loader processes (from external sources that is)" Then considering loaders seemingly share the same codebase, look at other loader's code which you decrypted (that's that part where you reverse spu assembly) and look at the parts that process this external data.
The technique used seems obvious.......
It comes down to the skills needed to get it done.