Old 11-09-2011   #131
mihakase
Apprentice
 
Join Date: Nov 2011
Posts: 4
Likes: 0
Liked 7 Times in 1 Post
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
Originally Posted by zecavalo
Do you see anyone bashing Deank, the developer of Multiman? I don't think so. Why? Because he contributes to the scene and he's happy to do so. Simple as that.
It's for a very simple reason. You don't see Deank going out of his way to hold back piracy the way other devs (particularly mathieulh) have. Seriously; he maintains a backup manager and releases utilities that pertain to backups. That's practically the cornucopia for most people. He may have the same stance as mathieulh and co., but he doesn't go out of his way to keep things in private. He does the opposite -- he's an enabler.

Incidentally, you've essentially hit the core issue, and you can see this pattern with people who've contributed in the past (geohot, mathieulh, Kakarato): a no piracy ideology cannot coexist with a community that largely expects to be able to pirate. EVERY developer that has withheld developments for the sake of limiting pirates has received flak for doing so. In mathieulh's case it's clearly become bad enough that he has kept things private no matter what it contributes to the scene. I mean honestly, at this point no one has any clear evidence of what this exploit will even do, but people have already felt free to express their disdain for him.

Someone who insults people, says to everyone he's the supreme master and that no one should have ever seen his work, and also that no one would ever get there without him explaining, is someone who deserves no personal respect. Respect for his work, yes; not for who he is.
Again, different side to the same coin. You make it sound like his insults weren't justified, and that his attitude is uncalled for. Sorry, but after having seen the kind of people he deals with on a daily basis it's not at all surprising that he acts the way he does. When you see him talk about how he has the skills to do things no one else can (I assume this is what you mean, because AFAIK he never outwardly said anything like he's "the supreme master"), chances are it's because someone started insulting him to begin with. And if you trace all of this as far back as you can, you'll see that this essentially started with the idea of "maybe it wouldn't be a good idea to release this." The moment this came to fruition is the moment he (and other devs) went at odds with many needlessly angry people.

Or where do you think the world would be if every great mind, medical doctor, scientist, composer, painter, architect and so on that have given their work to the world for free had not done so? You'd still be living in a ****ing cave!
Undoubtedly so, but historically there's been a fair amount of people within those fields (scientists and composers in particular) who've simply ceased work due to public ridicule. And the thing is that, being the purveyors of knowledge, they are completely within their right to do what they want with it. Likewise, the people who seek that knowledge are not entitled to it. Least of all the ones in this scene.

So yeah, thanks for his work but that's that. Now on to doing something about it.
I'd agree. I would've said "Cool. Thanks. So long." but sadly that is not the tone that has guided this thread.

And you can bet that when someone uses Math's work to enable cfw or eboots or whatever to make +3.60 games playable, the scene will appreciate the one who does.
Let the people have their cake and eat it, otherwise prepare to be crucified, essentially.

Last edited by mihakase; 11-09-2011 at 07:10 AM.
Old 11-09-2011   #132
GregoryRasputin
 
 
Join Date: Jan 2008
Posts: 14,665
Likes: 8,398
Liked 14,893 Times in 5,704 Posts
Mentioned: 1381 Post(s)
Tagged: 3 Thread(s)
Originally Posted by TheEvolution_PT
**** dudes, stop the trolling! I'm very happy, just waiting for the new games and PSN. I can't help the devs because I don't have the skills, but I respect them and wait for their work. GOOD LUCK DEVS
I asked this a few posts back, but people are lacking the ability to understand.

The rules are simple:
  • NO FLAMING OTHER MEMBERS
  • NO INSULTING OTHER MEMBERS
  • NO THREAD DERAILMENT


Mathieulh is a member of this forum - insulting him = breaking forum rules = breaking rules = infraction = several infractions = ban

Last edited by GregoryRasputin; 11-09-2011 at 07:16 AM.
Old 11-09-2011   #133
KillerBug
Senior Member
 
 
Join Date: Apr 2010
Posts: 2,323
Likes: 148
Liked 1,100 Times in 619 Posts
Mentioned: 85 Post(s)
Tagged: 0 Thread(s)
Originally Posted by GregoryRasputin
lol, I really don't know why people are delusional and think math is leaving the scene.....
Probably because he said so...and he usually follows through on promises, like his promise not to release the keys.
Old 11-09-2011   #134
GregoryRasputin
 
 
Join Date: Jan 2008
Posts: 14,665
Likes: 8,398
Liked 14,893 Times in 5,704 Posts
Mentioned: 1381 Post(s)
Tagged: 3 Thread(s)
Originally Posted by KillerBug
Probably because he said so...and he usually follows through on promises, like his promise not to release the keys.
How many times has he stated that he has "left the scene" and did he leave ?
Old 11-09-2011   #135
H3avyRa1n
Senior Member
 
 
Join Date: Aug 2011
Posts: 1,274
Likes: 179
Liked 844 Times in 393 Posts
Mentioned: 61 Post(s)
Tagged: 0 Thread(s)
I have a suggestion: what about moving this thread to the drama section and starting a clean thread on this subject with USEFUL information, like thoughts and findings about this exploit, so we can actually get somewhere good?
Likes: (2)
Old 11-09-2011   #136
baargle
Senior Member
 
Join Date: Sep 2010
Posts: 1,175
Likes: 603
Liked 626 Times in 376 Posts
Mentioned: 138 Post(s)
Tagged: 0 Thread(s)
Originally Posted by mihakase
It's for a very simple reason. You don't see Deank going out of his way to hold back piracy the way other devs (particularly mathieulh) have. Seriously; he maintains a backup manager and releases utilities that pertain to backups. That's practically the cornucopia for most people. He may have the same stance as mathieulh and co., but he doesn't go out of his way to keep things in private. He does the opposite -- he's an enabler.

Incidentally, you've essentially hit the core issue, and you can see this pattern with people who've contributed in the past (geohot, mathieulh, Kakarato): a no piracy ideology cannot coexist with a community that largely expects to be able to pirate. EVERY developer that has withheld developments for the sake of limiting pirates has received flak for doing so. In mathieulh's case it's clearly become bad enough that he has kept things private no matter what it contributes to the scene. I mean honestly, at this point no one has any clear evidence of what this exploit will even do, but people have already felt free to express their disdain for him.

Again, different side to the same coin. You make it sound like his insults weren't justified, and that his attitude is uncalled for. Sorry, but after having seen the kind of people he deals with on a daily basis it's not at all surprising that he acts the way he does. When you see him talk about how he has the skills to do things no one else can (I assume this is what you mean, because AFAIK he never outwardly said anything like he's "the supreme master"), chances are it's because someone started insulting him to begin with. And if you trace all of this as far back as you can, you'll see that this essentially started with the idea of "maybe it wouldn't be a good idea to release this." The moment this came to fruition is the moment he (and other devs) went at odds with many needlessly angry people.

Undoubtedly so, but historically there's been a fair amount of people within those fields (scientists and composers in particular) who've simply ceased work due to public ridicule. And the thing is that, being the purveyors of knowledge, they are completely within their right to do what they want with it. Likewise, the people who seek that knowledge are not entitled to it. Least of all the ones in this scene.

I'd agree. I would've said "Cool. Thanks. So long." but sadly that is not the tone that has guided this thread.

Let the people have their cake and eat it, otherwise prepare to be crucified, essentially.
I think you hit the nail on the head with this but seem to have drawn a different conclusion from your correct analysis.

Basically, Math seems to want to re-write history and put the control of what an end user does back in the hands of the hacker. The exact ethos that hacking is against.

Nobody made a fuss over the Xbox, Xbox 360, Gamecube, PS2, PS1...

But Math seems to think it is his right to enforce his ideals on the end user.

Sorry mate, that's not how it works with the "people". People are leeching good-for-nothings only interested in piracy - on the whole - BUT they are also the people that buy the consoles, make it so consoles can be purchased at a reasonable price so you can hack them, drum up hype for a hack and homebrew, and so on.

You can't cleanse the "scene". Piracy is what draws the majority into coming to sites like this. Math and all the rest would not be here if it wasn't for them.

What he has attempted to do reminds me of the Nazi ethos. It's just not realistic or possible to expect the "people" to adhere to his way of thinking, because the majority - WANT.

Just the way it is, and overall, it's a good thing. Because piracy doesn't destroy people's civil rights. Math's ideas for the "people" do.

This is how most people see it. The bottom line is that that's how most people see it. So in an ideal world his views might be righteous... but we don't live in that world.
Old 11-09-2011   #137
benedett87
Apprentice
 
Join Date: Sep 2010
Posts: 10
Likes: 4
Liked 2 Times in 2 Posts
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
I don't give a f***!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Even if it was not Mathieulh, he explained how to use that "thing".

DOWN THIS STUPID COMEDY AND NOW ALL AT WORK.....FU**** !!!!!!!!!!!!!!

MODERATORS BAN TO FLAME...PLEASE !!!!!
Likes: (1)
Old 11-09-2011   #138
mosstopher
Member
 
Join Date: Sep 2011
Posts: 128
Likes: 157
Liked 60 Times in 39 Posts
Mentioned: 5 Post(s)
Tagged: 0 Thread(s)
Originally Posted by baargle
I think you hit the nail on the head with this but seem to have drawn a different conclusion from your correct analysis.

Basically, Math seems to want to re-write history and put the control of what an end user does back in the hands of the hacker. The exact ethos that hacking is against.

Nobody made a fuss over the Xbox, Xbox 360, Gamecube, PS2, PS1...

But Math seems to think it is his right to enforce his ideals on the end user.

Sorry mate, that's not how it works with the "people". People are leeching good-for-nothings only interested in piracy - on the whole - BUT they are also the people that buy the consoles, make it so consoles can be purchased at a reasonable price so you can hack them, drum up hype for a hack and homebrew, and so on.

You can't cleanse the "scene". Piracy is what draws the majority into coming to sites like this. Math and all the rest would not be here if it wasn't for them.

What he has attempted to do reminds me of the Nazi ethos. It's just not realistic or possible to expect the "people" to adhere to his way of thinking, because the majority - WANT.

Just the way it is, and overall, it's a good thing. Because piracy doesn't destroy people's civil rights. Math's ideas for the "people" do.

This is how most people see it. The bottom line is that that's how most people see it. So in an ideal world his views might be righteous... but we don't live in that world.
Godwin's law...Thread is over, move along people, nothing more to see here.
Old 11-09-2011   #139
Sawatis
Member
 
 
Join Date: Sep 2011
Location: canada ,ontario
Posts: 459
Likes: 122
Liked 125 Times in 92 Posts
Mentioned: 23 Post(s)
Tagged: 0 Thread(s)
" Because some ungrateful person leaked my metldr exploit files I will now be explaining how it actually works, see this as my ultimate release of all times for an ungrateful scene (and scenes in the future)

That's about how pissed I am right now, because of course the person that leaked these files has no idea of how they actually work.

How to pwn metldr the "easy" way:
This is most likely how ****** exploited it in the first place; this takes (give or take) about 10 minutes to be performed. (Yeah, not so much of an "I hacked the PS3 all on my own work", especially not when it partially relies on Segher's work, one of the reasons ****** never shared the way he exploited metldr with anyone.)

I will assume here, that you do not have the loader keys that were made readily available by ******. This little tutorial also assumes that you have a working .self generating tool

Now you want to gain code execution in metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump; so far you are stuck in a chicken-and-egg scenario.

The question is, do you really need keys to get a decrypted signature?
Well, the real answer is no. Thanks to a nifty fail that Sony left in metldr (and the bootloader), you can have the ldr decrypt the metadata for you. Isn't that neat?

Here's how it works:

STEP I)

In a self file, at address 0x0C a value is used to calculate where the metadata is going to be decrypted, the "offset" is at self header + 0x0C
It's the "meta header offset" in the SCE structure; it takes the SCE offset + that value, so what you have to do is to have a calculation that is equal to 0x3E01F0, which happens to be where metldr copies over the shared metadata from the mailbox (which is sent over by the PPU); the trick is to have metldr decrypt the metadata located at.
So basically you have to
1) set the offset += 0x2000
dump shared lsa
and keep increasing 0x2000
until somewhere in the shared lsa 0x40 bytes change
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt the proper locations
3) then dump shared lsa and we have decrypted header
knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address 0x3E01F0 - 0xECF0 = the value you would patch at SCE header + 0x0C

ROM:0000F6C0 D2 68 87 E6 metadata_erk: .int 0xD26887E6 ; DATA XREF: ROM:0000F178o
for example in CECHA , the address you want to decrypt it to is 0x3E1F0
so it should be 0x3E1F0 - 0xF6C0

Once you get the decrypted header, you have the key to decrypt the rest of the metadata. Here you go, you have your decrypted signature.

So far so good, now what's next ?

STEP II)

Contrary to popular belief, you do not need to know the public key to calculate the private key, you just need two decrypted signatures. You now know how to dump these, so let's assume you just did; now all you have to do is to bruteforce the curve type by constantly reloading a self to metldr. The curve type being only 1 byte, that would be 64 possibilities.

CONGRATULATIONS, you just signed a loader!

Now what ?

Well, your first reflex would be to sign a loader and use it to dump whatever is in your Isolated Local Store. The first thing you will notice is that you have a bit of metldr's code as a leftover; after a few seconds of disassembly you will figure out it's actually some piece of code that clears metldr's code and registers and jumps to some address which matches your signed loader's entrypoint.

This seems like a more than likely candidate to exploit, as in your goal would be to overwrite that piece of code with your own, that way you would have the whole metldr code right before the point where everything gets cleared out.

Let's try to do just that. From your previous dump, you obviously know that the clear code is located from 0x400 to 0x630 (0x410 being where metldr jumps when it clears). Your first attempt would naturally be to have a loader section load at 0x400. Well, not so surprisingly, it fails. Because you are not without a brain (at least you aren't supposed to be if you're reading and understanding this), you will assume that it is likely that metldr checks that you aren't loading your loader/self section below a certain address, which, considering you know the loaders' entrypoint, is most likely to be 0x12C00. This assumption is in fact correct, as metldr will make sure you cannot load any loader at 0x12BFF and below. Seems like a huge letdown...

Well, maybe not, because yet again, you are not without a brain: you check out the hardware properties for the Local Store, and you find out that the memory wraps around (memory is a donut, as someone once said at some CCC conference).

So what happens when you load your loader from, let's say, 0x3F000 to 0x40000+some address (like 0x40410 for example)?

Well, it WORKS!
You could put the section at 0x3F000, if you made the length 0x1414 and the last instruction branches "up" to the dump code

ROM:000008AC 33 7F 6C 80 brsl lr, cleanup_and_jump_entry
ROM:000008B0 32 00 11 80 br loc_93C
ROM:00000410 cleanup_and_jump_entry: ; CODE XREF: main+4Cp
ROM:00000410 32 7F FF 80 br sub_40C
This is what the exploit that got leaked does (yeah, that's not really their work, eh, but you figured that much by now, did you not?).
It overwrites from 0x000 to 0x480 because I originally loaded the section of size 0x880 at 0x3FC00.

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)

Here you go, you have a metldr dump !

Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leaking it. (Not like any of them would have been able to tell you how all this even works in the first place)"

Seems long-time 'scene' developer Mathieulh is claiming ownership of this 'metldr' exploit, and has now published his 'How-To' tutorial for it, quoted above.
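STEP II of the quoted write-up ("you do not need to know the public key to calculate the private key, you just need two decrypted signatures", then bruteforce the curve type by reloading a self) is ordinary modular arithmetic once you have the two signatures. Here is an added worked example of exactly that. This is my illustration, not Mathieulh's code and not anything from the leaked files: the candidate curves are the public secp256k1 and NIST P-256 parameter sets, the private key, the reused nonce and the two "loader" messages are constructed for the demo, and the r-consistency check stands in for the real oracle (in the post, whether metldr accepts the re-signed loader). No public key is used anywhere.

```python
"""ECDSA private-key recovery from two signatures that share a nonce
(Segher's "sign fail"), then a brute force over candidate curves.
Added illustration; not code from the post or from metldr."""
import hashlib

# Candidate "curve types" as (p, a, b, Gx, Gy, n).  n is the order of G and is
# what all recovery arithmetic is reduced by; the wrong n yields garbage.  The
# wrong candidate is listed first so the brute force actually has to reject it.
CURVES = {
    "P-256": (
        0xFFFFFFFF_00000001_00000000_00000000_00000000_FFFFFFFF_FFFFFFFF_FFFFFFFF,
        0xFFFFFFFF_00000001_00000000_00000000_00000000_FFFFFFFF_FFFFFFFF_FFFFFFFC,
        0x5AC635D8_AA3A93E7_B3EBBD55_769886BC_651D06B0_CC53B0F6_3BCE3C3E_27D2604B,
        0x6B17D1F2_E12C4247_F8BCE6E5_63A440F2_77037D81_2DEB33A0_F4A13945_D898C296,
        0x4FE342E2_FE1A7F9B_8EE7EB4A_7C0F9E16_2BCE3357_6B315ECE_CBB64068_37BF51F5,
        0xFFFFFFFF_00000000_FFFFFFFF_FFFFFFFF_BCE6FAAD_A7179E84_F3B9CAC2_FC632551,
    ),
    "secp256k1": (
        0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F,
        0, 7,
        0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
        0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8,
        0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141,
    ),
}


def ec_add(P, Q, p, a):
    """Affine point addition on y^2 = x^3 + ax + b over GF(p); None = infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, p, a):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        k >>= 1
    return R


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(curve, d, k, msg):
    """Textbook ECDSA with a caller-supplied nonce k (that is the bug)."""
    p, a, b, gx, gy, n = curve
    r = ec_mul(k, (gx, gy), p, a)[0] % n
    s = pow(k, -1, n) * (hash_int(msg) + r * d) % n
    return (r, s)


def recover_private_key(curve, sig1, msg1, sig2, msg2):
    """Same k for two messages: s1-s2 = k^-1 (h1-h2), so k and then d fall out.
    Returns (k, d), or None if the two signatures do not share a nonce."""
    n = curve[5]
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    h1, h2 = hash_int(msg1) % n, hash_int(msg2) % n
    k = (h1 - h2) * pow(s1 - s2, -1, n) % n
    d = (s1 * k - h1) * pow(r1, -1, n) % n
    return (k, d)


def bruteforce_curve(sig1, msg1, sig2, msg2):
    """Try every candidate curve; only on the right one does x(k*G) mod n
    reproduce r.  Returns (curve name, private key) or None."""
    for name, curve in CURVES.items():
        got = recover_private_key(curve, sig1, msg1, sig2, msg2)
        if got is None:
            continue
        k, d = got
        p, a, b, gx, gy, n = curve
        R = ec_mul(k, (gx, gy), p, a)
        if R is not None and R[0] % n == sig1[0]:
            return (name, d)
    return None


def demo():
    """Constructed scenario: two loaders signed with one nonce on secp256k1;
    the attacker knows neither the curve nor the public key."""
    curve = CURVES["secp256k1"]
    n = curve[5]
    priv = hash_int(b"constructed loader signing key") % n   # not a real key
    nonce = hash_int(b"constructed reused nonce") % n        # the sign fail
    m1, m2 = b"loader image A", b"loader image B"
    sig1, sig2 = sign(curve, priv, nonce, m1), sign(curve, priv, nonce, m2)
    assert sig1[0] == sig2[0]            # identical r betrays the reused nonce
    found = bruteforce_curve(sig1, m1, sig2, m2)
    return {"curve": found[0] if found else None,
            "recovered": found[1] if found else None, "actual": priv}


if __name__ == "__main__":
    print(demo())
```

The two things to take from it: the recovery step never touches a public key, and the "which curve" question is answered by an oracle, not by cryptanalysis. With a wrong candidate the arithmetic still produces a number, it just fails the consistency check, which is why the post could afford to try the curve types one by one against metldr.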
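The last part of the write-up (the section that is refused at 0x400, accepted at 0x3F000, and still ends up on top of the cleanup stub because "memory is a donut") is a bounds check that only looks at the start address. Here is an added model of that, and of the check that would have closed it. It is my illustration, not metldr's code and not the leaked exploit: the local store size (256 KiB, so addresses wrap at 0x40000), the 0x12C00 lower limit, the cleanup code at 0x400-0x630 with its entry at 0x410, and the 0x1414-byte section at 0x3F000 are the figures from the post; the check logic, the stub contents and the marker bytes are assumed for the demo.

```python
"""Local-store wraparound versus a start-address-only load check.
Added illustration; not code from the post, metldr or the leaked files."""

LS_SIZE = 0x40000          # SPE local store: 256 KiB, addresses wrap mod this
LS_MASK = LS_SIZE - 1
MIN_LOAD = 0x12C00         # post: metldr refuses sections starting below this
CLEANUP_START, CLEANUP_END = 0x400, 0x630   # post: metldr's clear-and-jump code
CLEANUP_ENTRY = 0x410                        # post: where metldr jumps to clear
STUB_BYTE, PAYLOAD_BYTE = 0xAA, 0x90         # assumed markers: stub vs attacker


class LocalStore:
    def __init__(self):
        self.mem = bytearray(LS_SIZE)
        # Stand-in for the cleanup stub so we can see whether it gets clobbered.
        self.mem[CLEANUP_START:CLEANUP_END] = bytes([STUB_BYTE]) * (CLEANUP_END - CLEANUP_START)

    def dma_in(self, addr, data):
        """Hardware semantics: there is no top of LS, writes wrap around."""
        for i, byte in enumerate(data):
            self.mem[(addr + i) & LS_MASK] = byte


def wrapped_range(base, size):
    """(lo, hi) of the part of [base, base+size) that spills past the top of
    LS and therefore lands at the bottom; None if nothing wraps."""
    end = base + size
    if end <= LS_SIZE:
        return None
    return (0, end - LS_SIZE)


def load_section_start_only(ls, base, data):
    """The check the post describes: only the start address is bounded."""
    if base < MIN_LOAD:
        return False
    ls.dma_in(base, data)
    return True


def load_section_hardened(ls, base, data):
    """Bound both ends so no section can reach the wrap."""
    if not data or base < MIN_LOAD or base + len(data) > LS_SIZE:
        return False
    ls.dma_in(base, data)
    return True


def run(loader, base=0x3F000, size=0x1414):
    """Load the post's section (0x1414 bytes at 0x3F000) through the given
    check and report what happened to the cleanup entry."""
    ls = LocalStore()
    accepted = loader(ls, base, bytes([PAYLOAD_BYTE]) * size)
    return {
        "accepted": accepted,
        "entry_hijacked": ls.mem[CLEANUP_ENTRY] == PAYLOAD_BYTE,
        "stub_after_wrap_intact": ls.mem[0x414] == STUB_BYTE,
        "top_of_ls_written": ls.mem[LS_SIZE - 1] == PAYLOAD_BYTE,
    }


if __name__ == "__main__":
    print("wrap of 0x1414 @ 0x3F000:", wrapped_range(0x3F000, 0x1414))
    print("wrap of 0x880 @ 0x3FC00: ", wrapped_range(0x3FC00, 0x880))
    print("start-only check:", run(load_section_start_only))
    print("hardened check:  ", run(load_section_hardened))
```

`wrapped_range` reproduces both numbers in the post: 0x1414 bytes at 0x3F000 spill 0x414 bytes onto 0x000-0x413 (covering the entry at 0x410), and the 0x880-byte section at 0x3FC00 overwrites 0x000-0x480. The general lesson is the usual one for any DMA or section loader: validate `base + len` against the end of the region (and against integer overflow, if the length field is wide enough), not just `base`.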
Old 11-09-2011   #140
GregoryRasputin
 
 
Join Date: Jan 2008
Posts: 14,665
Likes: 8,398
Liked 14,893 Times in 5,704 Posts
Mentioned: 1381 Post(s)
Tagged: 3 Thread(s)
@Sawatis that has already been front paged
PS3Hax.net is Copyright Đ 2010-2013.
Use of this site is governed by our Terms of Use and Privacy Policy. All Trademarks and images are owned by their respected owners.
Posts and links are subject to each author on this forum and are no way affiliated with the operations and/or opinions of ps3hax.net