Old 11-09-2011   #231
greyestest
Member
 
Originally Posted by macphreak4evr:
the exploit is trivial, you need a pre-3.56 console to have OtherOS++ and Linux on it, you only get your UNIQUE key
And what does it give?
Old 11-09-2011   #232
lunuxx
Homebrew Developer
 
ohai, I'll tell you guys how to use mathldr
(I like to call it that, it's kinda catchy)
this is pretty safe
just don't go crazy with it; you're only gonna mess your EID up if you attempt to rehash it and flash, or attempt in any way to replace your EID
you can decrypt EID with the root keys and the static keys on the wiki keys page

prerequisites:
1. OtherOS++ with SS patches (yes, the ones that cause trophy errors; just update when you wanna play games again and don't complain)
2. Linux on your PS3 (I'm using Ubuntu 10.10)
3. an unpacked copy of your flash (which you can obtain by using glevand's dump_flash.pkg: gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg) and an unpacked copy of OFW; you will need the following files from these:
metldr
isoldr
RL_FOR_PROGRAM.img
EID0 (you will need to split EID from your flash: http://www.ps3devwiki.com/index.php?...s#dump_EID0.sh)
spp_verifier.self
default.spp
and obviously appldr-metldrexploit350.self from the files
4. ps3tools (the latest stuff that was for NPDRM should work)
5. latest gitbrew Linux kernel
6. a desire to quit *****ing and complaining and get off your ass.
7. motivation (see prerequisite #6)
************************************************************************************************************

You can do this over SSH or on the console. I prefer SSH because my girlfriend likes to watch TV a lot.

1. SSH into the PS3
2. download the files
a. wget http://gotbrew.org/metldr838exploit.tar.gz
3. untar the files
a. tar -xvf metldr838exploit.tar.gz
4. enter the directory and compile
a. cd metldr838exploit.tar.gz; make
5. run the following commands now:
insmod ./metldrpwn.ko
cat metldr > /proc/metldrpwn/metldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
cat eid0 > /proc/metldrpwn/eid0
echo 1 > /proc/metldrpwn/run
cat /proc/metldrpwn/debug
there, now you have a dump; check it out:
hd /proc/metldrpwn/dump | less
now copy the dump somewhere or you'll lose it:
cp /proc/metldrpwn/dump /home/username/
now you have a copy in your home directory for safekeeping
congrats, you've completed about < 10 mins of actual work

there you go, the keys are in 0x00 to 0x20 (first 3 lines)

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)
example:
erk: #
00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|
riv:
00000020 7d 6a 3a e5 37 ba 48 4c fe bd 26 5c f5 b1 28 1f |}j:.7.HL..&\..(.|
the first 2 lines are erk, the 3rd is riv
and together they are EID0, like Captain ****in' Planet

btw this does not mean you get 3.60 keys etc. or newer games, but it will help you get some nifty things to do some new stuff.... Also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this. Also, if you have a unit that shipped from the factory with the metldr.2 (new metldr), you're SOL at the moment.
oh thanx math
thanx anon leaker

some good reading on the subject:

http://www.ps3devwiki.com/index.php?title=Boot_Order
http://www.ps3devwiki.com/index.php?title=Dev_Tools
http://www.ps3devwiki.com/index.php?title=Flash
http://www.ps3devwiki.com/index.php?title=Talk:Flash
http://www.ps3devwiki.com/index.php?title=IDPS
http://www.ps3devwiki.com/index.php?title=Talk:IDPS
http://www.ps3devwiki.com/index.php?...r_Console_Keys
http://www.ps3devwiki.com/index.php?...r_Console_Keys
http://www.ps3devwiki.com/index.php?...se_Engineering
http://www.ps3devwiki.com/index.php?title=Talk:Keys
http://www.ps3devwiki.com/index.php?...Unit_%28SPU%29
http://www.ps3devwiki.com/index.php?...Unit_%28SPU%29
http://www.ps3devwiki.com/index.php?...se_Engineering
http://www.ps3devwiki.com/index.php?...se_Engineering

Last edited by lunuxx; 11-09-2011 at 12:26 PM.
Old 11-09-2011   #233
AstarothX
Apprentice
 
amazing...:3
Old 11-09-2011   #234
alienkid
Senior Member
 
WOW...what a thread!

Thanks to @mathieulh for the TUT!
Thanks to @lunuxx for the supplemental TUT!
Old 11-09-2011   #235
Loan
Member
so lunuxx, if this doesn't get you the 3.xx key, at least we can trick (patch) EBOOTs (for the sake of playing newer games) with it?

this should be the master key too, so devs can start doing everything they want with the PS3 on 3.55, I guess?
Old 11-09-2011   #236
medi01
 
In the original post "decrypting lv0" is mentioned:

Oh! And btw, if you're talented enough to make hardware to dump the shared LSA, you can decrypt any lv0 using this technique.
Old 11-09-2011   #237
Rob1980
Member
 
Originally Posted by lunuxx:
ohai, I'll tell you guys how to use mathldr
(I like to call it that, it's kinda catchy)

prerequisites:
1. OtherOS++ with SS patches (yes, the ones that cause trophy errors; just update when you wanna play games again and don't complain)
2. Linux on your PS3 (I'm using Ubuntu 10.10)
3. an unpacked copy of your flash (which you can obtain by using glevand's dump_flash.pkg: gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg) and an unpacked copy of OFW; you will need the following files:
metldr
isoldr
RL_FOR_PROGRAM.img
EID0 (you will need to split eid from your flash http://www.ps3devwiki.com/index.php?...s#dump_EID0.sh)
spp_verifier.self
default.spp
and obviously appldr-metldrexploit350.self from the files
4. latest gitbrew Linux kernel
5. a desire to quit *****ing and complaining and get off your ass.
************************************************************************************************************

You can do this over SSH or on the console. I prefer SSH because my girlfriend likes to watch TV a lot.

1. SSH into the PS3
2. download the files
a. wget http://gotbrew.org/metldr838exploit.tar.gz
3. untar the files
a. tar -xvf metldr838exploit.tar.gz
4. enter the directory and compile
a. cd metldr838exploit.tar.gz; make
5. run the following commands now:
insmod ./metldrpwn.ko
cat metldr > /proc/metldrpwn/metldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
cat eid0 > /proc/metldrpwn/eid0
echo 1 > /proc/metldrpwn/run
cat /proc/metldrpwn/debug
there, now you have a dump; check it out:
hd /proc/metldrpwn/dump | less
now copy the dump somewhere or you'll lose it:
cp /proc/metldrpwn/dump /home/username/
now you have a copy in your home directory for safekeeping
congrats, you've completed about < 10 mins of actual work

there you go, the root keys are in 0x00 to 0x20 (first 3 lines)
example:
root erk: #
00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|
root riv:
00000020 7d 6a 3a e5 37 ba 48 4c fe bd 26 5c f5 b1 28 1f |}j:.7.HL..&\..(.|

btw this does not mean you get 3.60 keys etc. or newer games, but it will help you get some nifty things to do some new stuff.... Also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this. Also, if you have a unit that shipped from the factory with the metldr.2 (new metldr), you're SOL at the moment.
oh thanx math

Perfect, thank you!

I am more than happy to have a go at this; in fact, I would like to have a go at this, as well as other stuff on my PS3, rather than relying on, and pressuring, others to do it for me all the time. (although I personally have never asked anyone for anything, just waited until they are ready to release)


Now, I'm obviously not a "Dev", I'm no programmer; I am pretty confident with certain software aspects, very good at following guides, great with hardware, i.e. soldering etc.

So for the "normal" person like myself, what can I do, once I have followed this guide and obtained my root keys myself? Can I use these to sign my own games which are meant for 3.60+? I wouldn't know how to yet, but again, eager to learn more so I'm not being spoon-fed all the time.
(I see you say it won't allow new games? What nifty stuff are we talking about?)



Thanks to Math for his hard work, his tut, lunuxx with his layman's tut, and everyone else that is constantly tinkering behind closed doors providing me with the required tools and knowledge I am not capable of obtaining / creating myself yet.

Rob
Old 11-09-2011   #238
Adamsville
Member
 
Originally Posted by lunuxx:
ohai, I'll tell you guys how to use mathldr
(I like to call it that, it's kinda catchy)

prerequisites:
1. OtherOS++ with SS patches (yes, the ones that cause trophy errors; just update when you wanna play games again and don't complain)
2. Linux on your PS3 (I'm using Ubuntu 10.10)
3. an unpacked copy of your flash (which you can obtain by using glevand's dump_flash.pkg: gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg) and an unpacked copy of OFW; you will need the following files:
metldr
isoldr
RL_FOR_PROGRAM.img
EID0 (you will need to split eid from your flash http://www.ps3devwiki.com/index.php?...s#dump_EID0.sh)
spp_verifier.self
default.spp
and obviously appldr-metldrexploit350.self from the files
4. latest gitbrew Linux kernel
5. a desire to quit *****ing and complaining and get off your ass.
************************************************************************************************************

You can do this over SSH or on the console. I prefer SSH because my girlfriend likes to watch TV a lot.

1. SSH into the PS3
2. download the files
a. wget http://gotbrew.org/metldr838exploit.tar.gz
3. untar the files
a. tar -xvf metldr838exploit.tar.gz
4. enter the directory and compile
a. cd metldr838exploit.tar.gz; make
5. run the following commands now:
insmod ./metldrpwn.ko
cat metldr > /proc/metldrpwn/metldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
cat eid0 > /proc/metldrpwn/eid0
echo 1 > /proc/metldrpwn/run
cat /proc/metldrpwn/debug
there, now you have a dump; check it out:
hd /proc/metldrpwn/dump | less
now copy the dump somewhere or you'll lose it:
cp /proc/metldrpwn/dump /home/username/
now you have a copy in your home directory for safekeeping
congrats, you've completed about < 10 mins of actual work

there you go, the keys are in 0x00 to 0x20 (first 3 lines)
example:
erk: #
00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|
riv:
00000020 7d 6a 3a e5 37 ba 48 4c fe bd 26 5c f5 b1 28 1f |}j:.7.HL..&\..(.|

btw this does not mean you get 3.60 keys etc. or newer games, but it will help you get some nifty things to do some new stuff.... Also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this. Also, if you have a unit that shipped from the factory with the metldr.2 (new metldr), you're SOL at the moment.
oh thanx math
you lost me at prerequisites
Old 11-09-2011   #239
Cypherous
Member
 
So wait, is the only way to get your per-console key via OtherOS? Because I really don't want to spend time fighting to try and install Linux on this PS3 for a second time; it didn't work the first time and I have little patience for it. Is there not just a .pkg to run that can grab it?
Old 11-09-2011   #240
nitr0genics
Apprentice
 
Originally Posted by Loan:
so lunuxx, if this doesn't get you the 3.xx key, at least we can trick (patch) EBOOTs (for the sake of playing newer games) with it?

this should be the master key too, so devs can start doing everything they want with the PS3 on 3.55, I guess?

no, we can't patch EBOOTs; we can already sign for 3.55, but we can't decrypt 3.6x+ EBOOTs (no public method anyway)

root keys, or master keys as you refer to them, were made public by geohot at the beginning of the year; 3.55 is about as good as it gets for now, hence why we have a multitude of homebrew and backup managers amongst other things, like the great CFW from the Rebug team etc. etc.

this is probably the same way geohot pwned metldr the first time round, but he never released the method (which is based off glevand's spp_verifier and the work from fail0verflow)

as lunuxx said, if your PS3 shipped with 3.56+ and the metldr.2, you're SOL!

lv0 is the next step! Let's see who pwns it!
PS3Hax.net is Copyright © 2010-2013.