We’ve seen countless times Mathieulh trying to give the scene all the hints he can, but this time he is pretty much telling you peeps the real deal: the way to the exploit we’ve all been yearning for all this time.
@xShadow125 You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.
@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
@xShadow125 You won’t get all of lv0, but the part with the loaders shouldn’t be overwritten.
@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
The new 3.56+ values for tarballs are the following: owner_id "0000764", group_id "0000764", owner "tetsu", group "tetsu", ustar "ustar "
You can use fix_tar to use those new values. Use with caution.
By comparison, those are the pre-3.56 values: owner_id "0001752", group_id "0001274", owner "pup_tool", group "psnes", ustar "ustar "
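As an added example (not Mathieulh's fix_tar, nor any PS3 tool), here is a small Python patcher that rewrites the owner fields of every ustar header in a tarball to the 3.56+ values quoted above and recomputes each header checksum, which is the part that breaks if you edit the fields by hand. The sample archive and its file names are constructed for the demo, and the "ustar " magic is left untouched since it is the same in both value sets.

```python
import io
import tarfile

BLOCK = 512  # tar header and data block size
UID, GID, CHKSUM, UNAME, GNAME = (108, 8), (116, 8), (148, 8), (265, 32), (297, 32)  # (offset, length)
# Owner values quoted in the tweets: the 3.56+ set and the pre-3.56 set for comparison.
NEW_356 = {"uid": 0o764, "gid": 0o764, "uname": b"tetsu", "gname": b"tetsu"}
OLD_PRE356 = {"uid": 0o1752, "gid": 0o1274, "uname": b"pup_tool", "gname": b"psnes"}

def _set(hdr, field, value):
    off, ln = field
    hdr[off:off + ln] = value.ljust(ln, b"\0")

def _checksum(hdr):
    # Sum of all 512 header bytes, with the chksum field itself counted as eight spaces.
    return sum(hdr[:148]) + 8 * ord(" ") + sum(hdr[156:])

def fix_tar(data, values=NEW_356):
    """Rewrite every member's uid/gid/uname/gname to `values`, recomputing each checksum."""
    out = bytearray(data)
    pos = 0
    while pos + BLOCK <= len(out):
        hdr = out[pos:pos + BLOCK]
        if hdr == bytes(BLOCK): break  # first end-of-archive zero block
        _set(hdr, UID, b"%07o" % values["uid"])
        _set(hdr, GID, b"%07o" % values["gid"])
        _set(hdr, UNAME, values["uname"])
        _set(hdr, GNAME, values["gname"])
        _set(hdr, CHKSUM, b"%06o\0 " % _checksum(hdr))
        out[pos:pos + BLOCK] = hdr
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK  # skip the member's data blocks
    return bytes(out)

def owners(data):
    """(name, uid, gid, uname, gname) per member; tarfile rejects any header with a bad checksum."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [(m.name, m.uid, m.gid, m.uname, m.gname) for m in tf.getmembers()]

def sample_pup_tar():
    """Constructed pre-3.56-style archive (made-up file names, not a real PUP tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.GNU_FORMAT) as tf:
        for name, payload in (("dev_flash/version.txt", b"3.55\n"), ("dev_flash/blob.bin", bytes(700))):
            ti = tarfile.TarInfo(name)
            ti.size, ti.uid, ti.gid = len(payload), OLD_PRE356["uid"], OLD_PRE356["gid"]
            ti.uname, ti.gname = OLD_PRE356["uname"].decode(), OLD_PRE356["gname"].decode()
            tf.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()
```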
@Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
So, to decrypt this LV0 thing, we need to get to know it better. In his latest blog post, rms briefly explained what LV0 is and where it sits in the console’s security.
Anyway, let’s really discuss something PS3 instead of my PC xD. Let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes the PS3 base hardware such as the PowerPC/PPU portion of the Cell/BE, SPU isolation for asecure_loader, and the gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the “Cell OS Bootloader”. In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader, or metldr, then decrypts the isolated loader, in this case lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary. All the keys one needs, such as the public ECDSA key, AES CBC key and initialization vector, and the ECDSA curve type, are in there. Just go ahead and grab them if you can get the ldrs out of the binary.
So, unless you can decrypt Lv0, no 3.60 “CFW” for you. Is there any need for it anyway?
Mathieulh also has some facts to clarify about LV0.
1. lv0 isn’t a loader, it’s a PPU binary.
2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos.
3. Lv0 is decrypted by the bootloader; there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware.
5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future PS3s); it is NOT used by the current bootloader (and thus in current PlayStation 3 consoles).
But wait: messing with this thing could lead to the YLOD tragedy, so unless you have one of those expensive NOR flashers you might not want to proceed, and that’s according to rms again.
Lv0 also does some more interesting stuff such as SPU mailbox handling and eEID integrity checks. Lv0 also used to check for the QA flag and a proper token; that is now in an SPU isolated SELF in Core OS. Now, if you did tamper with eEID, lv0 will panic out, your console will then “YLOD”, and you’d need a flasher for your PS3 to recover.
There you go. With all the information available out there, I just wonder why nobody has found the solution to the exploit that Mathieulh (and maybe some people we don’t know about) discovered weeks ago. Maybe instead of bitching about why the guy did not release anything, try listening to what he said this time.
UPDATE: Apparently, the method he tweeted is just how to get the 3.60 keys. But he did tell KaKaRoTo this:
there are two exploits you can use on the bl, one grants you code execution, the other forces the bl to output lv0 metadata
Mathieulh ROFL they claim I partially revealed the exploit
Mathieulh all I told them, is how to get the 3.60 keys
Mathieulh without pwning the bl
Mathieulh that’s not the exploit at all
Mathieulh but looks like news sites can’t read xd
Mathieulh: For example: Mathieu@Mathieu-PC ~ $ scekrit lv0 lv0.1 lv0 Signature Status: OK lv0.1 Signature Status: OK Private Key: REMOVED
KaKaRoToKS: @Mathieulh does this mean that you have the public key and encryption keys of lv0? I thought you were only able to dump it, not decrypt it?
Mathieulh: @KaKaRoToKS there are two exploits you can use on the bl, one grants you code execution, the other forces the bl to output lv0 metadata
Mathieulh: @KaKaRoToKS That tweet was just an example of what can be done with lv0 keys though.
Mathieulh: @KaKaRoToKS sadly both these exploits will brick your console without a nor reprogrammer :/
KaKaRoToKS: @Mathieulh oh, that’s cool, so you executed code on the BL to dump the lv0 keys? good job then! no need to dump 3.60 lv0 then, just decrypt?
I think Mathieulh is a god…
nah, he just happens to have too much free time
mayB he is 4 u when he releases somethin but i wonder who ll risk YLOD 4 CFW3.60 which has no benefit except PSN & i doubt that banned consoleID can B hidden again
where are those who yelled he is a liar and didn’t (or doesn’t) do anything good?
speak up. i dare you!
Thumbs up.
I 100% agree with you.
Where are those kids complaining about Mathieulh
100% thumbs down for Math, cause you have to read carefully the comment of barrykbarryk, cause it’s not so damn easy to spoof again or to bring out the CFW 3.60. Oh, and by the way, if I had the keys and said “oh yeah, you dummies, I am online, got a solution but I won’t let you know cause I wanna see how long it takes until you get it”, it sounds to me fake, or even better, like a job that you are not completely done with, trolling around before you bring it out yourself. Well, I am not a dev and I don’t want to sound silly, only this conversation about Math is getting ridiculous. Well, here in Greece we have a saying: wherever you hear of a cherry tree with many cherries on it, take the little shopping bag, not the big one. Peace out, and thanks to the kmeaw CFW & the geohot jailbreak, and of course to Dean with his great backup manager. Cheers!
If it leads to a downgrade method for 3.56 or 3.60 consoles it’d be worth it, but a 3.60CFW would be pointless as people would still be unable to use PSN safely as Sony can detect homebrew on PSN connected consoles anyway regardless of FW version.
The PSN security is independent of the PS3’s firmware version; the firmware version was just one of the things that was checked before.
Even with a 3.60 CFW, PSN access would only last for a few days, if at all, as the security is server side and not on the PS3 itself, so it can be updated at any time to stop access, or they might just ban everyone again. But either way, no CFW or homebrew app or dongle will ever bring “safe” PSN access back if Sony doesn’t want it to.
Pretty sure winocm is the real hero here. I think Mathieulh is just a bit more open to the public.
I hope that he releases his CFW 3.60 as soon as possible, then I can play Black Ops again with my friends.
This is a description of how to get the key, not how to exploit the bootloader. That is a difference.
I don’t think any CFW should have a PSN bypass; wait for c4’s Blu-ray FW, it would stop a lot of cheating.
Mathieulh just likes to talk!
Thank you very much, Mister Maths
This is in fact not the exploit Mathieulh has been going on about. This is a well-known exploit, the same as the one darkhacker “released”, and it’s only useful for obtaining the keys for the newer firmware.
It simply involves updating your console to the 3.60 lv0, then writing back the old lv0 and your own crafted lv1 or similar to dump RAM. Pull the Cell reset line and it will dump what’s left of lv0 that did not get overwritten. This, hopefully, should be sufficient to get the keys you so dearly require.
Once we have the keys, this lets us decrypt the loaders and binaries; we still cannot re-encrypt them, as we can no longer obtain the private key. It may indeed be possible to unpack and resign the loaders and binaries with older keys, but they would have to be compatible with the older lv0, as we currently cannot sign this.
Everyone says there is no need for CFW, maybe for now.
Here are my questions:
When the PS3s come with 3.60 FW,
what do these new owners do?
Will there be a CFW then?
Or do you suggest not buying a new PS3 anymore?
I don’t have a PS3 now; maybe in a year I’ll buy one. I suppose I’ll be stuck with OFW.
A new CFW 3.60 is more than useful, what are you talking about… there are thousands of people who did the 3.60 update… & in April many new games will require the 3.60 FW, so what will you do??!!! Patch EBOOTs… blablabla, it’s not funny, a new 3.60 CFW is more than needed for the future of the PS3 scene… & what about the new PS3s which will come with 3.60 OFW??! Did you think about it??!!!!
hey landon, why don’t you go off and code one then? you numpty
Can Cell OS 3.55 execute a SELF (Cell OS) binary compiled for 3.60?