Old 11-11-2011   #381
j89
Apprentice
 
This has been explained in bits and pieces in this thread, but here goes:

Up to 3.55:
First thing that's run is the bootldr, which is encrypted at the factory with your per-console key. This means that everyone's bootldr dump will look different because it uses a different key. Before this exploit, there was no public method to get this key. bootldr then decrypts lv0 using a public key. This means that this key is the same for everyone and thus everyone's lv0 dump will look the same. After the hardware is set up, bootldr and lv0 essentially don't do much else. One important thing to note is the bootldr cannot be updated, while the lv0 is the lowest possible code that can be updated by Sony.

After lv0, you have the infamous metldr that is run. Think of the metldr as a second bootldr, as they are similar. They use the same encryption key (per-console key) so, like the bootldr, this means two things:
1. It is different for each console
2. Since there was no public method to get this key, it was only able to be decrypted by a select few people (e.g. geohot)
After it is decrypted, its job is to load lv1ldr (hypervisor), lv2ldr (gameos), appldr (where the 3.6+ EBOOT keys are) and isoldr. Of course all of these loaders are encrypted with a public key (one key decrypts all). These keys are stored inside the metldr.

So then what happened?
Well, geohot found an exploit in metldr which allowed him to obtain the per-console key. Instead of releasing how to obtain your own, he decrypted his own metldr, obtained the public keys for the rest of the loaders and released them. This allowed complete control over the hypervisor (lv1), gameos (lv2) and the EBOOT keys up to 3.55 (appldr), which basically is enough for CFW.

How Sony patched it:
Since geohot never released how to obtain the per-console key (the key that decrypts metldr and bootldr), or the bootldr public key, the bootldr was still not able to be decrypted by the normal person. This means that everything contained inside the bootldr (which is only the lv0) was still secure. So with 3.60+, they moved all the loaders (lv1ldr, lv2ldr, appldr, isoldr) into lv0 (because, as I said before, lv0 is the very first code that can be updated).

If you haven't figured it out yet:
This leak allows us to get your own per-console key. The first thing that needs to be done with this key is actually obtain a bootldr and lv0 dump. This isn't as easy as it sounds because when the hypervisor is loaded, it hides these two from gameos. This would require a full dump of the NOR using a hardware programmer (what math was talking about) containing the bootldr and lv0 (you could also patch the hypervisor to not hide the bootldr, which would be easier). Then it's just as simple as decrypting bootldr -> lv0 -> lv1ldr/lv2ldr/appldr -> CFW / 3.6+ EBOOT keys. And no, Sony can't patch this because there's nowhere else to hide these encrypted loaders, as lv0 was the last place that could be updated via firmware update.
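The key hierarchy laid out in the post above, as an added worked model (example code written for this page, not code from the thread, from j89, or from any real PS3 tool). What is assumed: the stage and key names follow the post; the cipher is a keyed-XOR stream that merely stands in for whatever Sony actually uses; the 3.60 build is assumed to have re-issued the loader keys when they moved into lv0; and `recover()` is this example's name for "try every key you hold against every stage you cannot yet read, and feed back any key found inside a stage that opens". Running it shows why the 3.55 loader keys stop working on a 3.60 image, and why the per-console key opens both layouts regardless of where the loader keys were moved.

```python
"""Toy model of the bootldr/lv0/metldr key hierarchy (added example).
Keyed-XOR stream cipher, NOT Sony's real crypto; only the key/stage
dependency structure described in the post is modelled."""
import hashlib
import json

LOADERS = ("lv1ldr", "lv2ldr", "appldr", "isoldr")
MAGIC = b"LDR1"  # plaintext marker that tells a successful unwrap from garbage


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    return bytes(x ^ k for x, k in zip(data, _keystream(key, len(data))))


def wrap_stage(wrap_key: bytes, carried: dict) -> bytes:
    """Encrypt a stage whose payload is the set of keys it carries."""
    body = MAGIC + json.dumps({n: k.hex() for n, k in carried.items()}).encode()
    return xor_cipher(wrap_key, body)


def unwrap_stage(wrap_key: bytes, blob: bytes):
    """Return the carried keys, or None if wrap_key does not open this blob."""
    body = xor_cipher(wrap_key, blob)
    if not body.startswith(MAGIC):  # wrong key (a false match is ~2^-32)
        return None
    return {n: bytes.fromhex(h) for n, h in json.loads(body[len(MAGIC):]).items()}


def make_keys(layout: str) -> dict:
    # per-console key and lv0 key never change: bootldr is not updatable
    fixed = {n: hashlib.sha256(b"fixed:" + n.encode()).digest()
             for n in ("per_console_key", "lv0_key")}
    # ASSUMPTION of this model: loader keys were re-issued with the 3.60 layout
    rotated = {f"{l}_key": hashlib.sha256(f"{layout}:{l}".encode()).digest()
               for l in LOADERS}
    return {**fixed, **rotated}


def build_firmware(layout: str) -> dict:
    """Encrypted stages as they would sit in flash. layout is '3.55' or '3.60'."""
    keys = make_keys(layout)
    loader_keys = {f"{l}_key": keys[f"{l}_key"] for l in LOADERS}
    fw = {
        # bootldr: per-console key, carries the key that opens lv0
        "bootldr": wrap_stage(keys["per_console_key"], {"lv0_key": keys["lv0_key"]}),
        # up to 3.55 metldr carries the loader keys; from 3.60 lv0 carries them
        "metldr": wrap_stage(keys["per_console_key"], loader_keys if layout == "3.55" else {}),
        "lv0": wrap_stage(keys["lv0_key"], loader_keys if layout == "3.60" else {}),
    }
    for l in LOADERS:
        fw[l] = wrap_stage(keys[f"{l}_key"], {})
    return fw


def recover(fw: dict, known: dict) -> set:
    """Fixed-point search: open what we can, harvest keys, repeat."""
    keys, opened, progress = dict(known), set(), True
    while progress:
        progress = False
        for stage, blob in fw.items():
            if stage in opened:
                continue
            for key in list(keys.values()):
                carried = unwrap_stage(key, blob)
                if carried is not None:
                    opened.add(stage)
                    keys.update(carried)
                    progress = True
                    break
    return opened


def released_355_loader_keys() -> dict:
    """What a decrypted 3.55 metldr yields: the loader keys, nothing lower."""
    k = make_keys("3.55")
    return {f"{l}_key": k[f"{l}_key"] for l in LOADERS}


def per_console_key() -> dict:
    return {"per_console_key": make_keys("3.55")["per_console_key"]}


if __name__ == "__main__":
    for layout in ("3.55", "3.60"):
        fw = build_firmware(layout)
        print(layout, "released loader keys ->", sorted(recover(fw, released_355_loader_keys())))
        print(layout, "per-console key      ->", sorted(recover(fw, per_console_key())))
```

With the released 3.55 loader keys, the 3.55 image yields the four loaders and nothing below them (bootldr, metldr and lv0 stay closed), and the 3.60 image yields nothing at all. With the per-console key, both images open completely: bootldr gives up the lv0 key, and from there it no longer matters whether the loader keys live in metldr or in lv0, which is the point j89 is making about why the move into lv0 cannot be repeated further down.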
Old 11-11-2011   #382
raiderscrusade
Member
Just thought I'd add it, but in regards to that eussNL key and geohot key, the same values exist in the exact same offsets in the pastebin link to 'root @ alexus hexdump'.

So, this could indeed be epic fail.

Last edited by raiderscrusade; 11-11-2011 at 12:12 AM.
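raiderscrusade's observation that the same values sit at the same offsets in different people's dumps is the general test for a shared-key region, and it is the same split j89 describes: a region encrypted under a per-console key differs between consoles, a region encrypted under a key common to every console is byte-identical. The following is an added example (not code from the thread, from raiderscrusade or from lunuxx) that compares two dumps and reports the identical runs, dropping erase padding, which is identical everywhere without being shared-key ciphertext. The NOR layout, the offsets, the region sizes and the byte streams are all constructed for the demo and are not real PS3 NOR offsets; on real hardware you would feed it two full flash dumps instead of `build_dump()`.

```python
"""Find shared-key regions by diffing two flash dumps (added example).
Layout, offsets and contents below are CONSTRUCTED for the demo."""
import hashlib


def _stream(seed: str, n: int) -> bytes:
    """Deterministic random-looking bytes, standing in for ciphertext."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{ctr}".encode()).digest()
        ctr += 1
    return bytes(out[:n])


# (name, start, end, kind): invented layout, not real PS3 NOR offsets
LAYOUT = [
    ("bootldr", 0x000, 0x400, "per-console"),
    ("lv0",     0x400, 0xC00, "shared"),
    ("metldr",  0xC00, 0xF00, "per-console"),
    ("pad",     0xF00, 0x1000, "filler"),
]


def build_dump(console: str) -> bytes:
    """Constructed dump for console 'A' or any other label."""
    out = bytearray()
    for name, start, end, kind in LAYOUT:
        n = end - start
        if kind == "shared":
            out += _stream("shared-" + name, n)        # same on every console
        elif kind == "filler":
            out += b"\xff" * n                         # erased flash
        else:
            base = _stream("console-" + name, n)
            # console A gets the base stream; other consoles get every byte
            # shifted by one so the per-console regions differ at every offset
            out += base if console == "A" else bytes((x + 1) & 0xFF for x in base)
    return bytes(out)


def identical_runs(a: bytes, b: bytes, min_len: int):
    """Half-open (start, end) offset ranges where a and b agree for >= min_len bytes."""
    n = min(len(a), len(b))
    runs, start = [], None
    for i in range(n + 1):
        same = i < n and a[i] == b[i]
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, i))
            start = None
    return runs


def strip_filler(chunk: bytes, base: int, filler_min: int = 32):
    """Split a run at constant-byte stretches (0xFF erase state, zero fill)
    of >= filler_min bytes; those match on every console but carry no key."""
    segs, seg_start, i, n = [], 0, 0, len(chunk)
    while i < n:
        j = i
        while j < n and chunk[j] == chunk[i]:
            j += 1
        if j - i >= filler_min:
            if i > seg_start:
                segs.append((base + seg_start, base + i))
            seg_start = j
        i = j
    if n > seg_start:
        segs.append((base + seg_start, base + n))
    return segs


def find_shared_regions(a: bytes, b: bytes, min_len: int = 64):
    """Identical, non-filler ranges: candidates for shared-key ciphertext."""
    out = []
    for s, e in identical_runs(a, b, min_len):
        out += [seg for seg in strip_filler(a[s:e], s) if seg[1] - seg[0] >= min_len]
    return out


if __name__ == "__main__":
    dump_a, dump_b = build_dump("A"), build_dump("B")
    for s, e in find_shared_regions(dump_a, dump_b):
        print(f"shared-key candidate: 0x{s:05X}-0x{e:05X} ({e - s} bytes)")
```

On the constructed dumps only the lv0 stand-in survives: bootldr and metldr differ between the two consoles, and the 0xFF padding is identical but filtered out. Two caveats for real dumps: a shared region that directly abuts padding is reported with the padding trimmed off, so the reported edges are key-material boundaries rather than partition boundaries, and a region that is identical because both dumps came from the same console (as with lunuxx's dump and the pastie derived from it) tells you nothing about per-console versus shared keys.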
Old 11-11-2011   #383
Elegant
Member
 
@j89 you can dump lv0 using gameOS or otherOS. In addition I believe gitbrew managed to dump bootldr from otherOS (this was back in July, and most likely done through a hypervisor patch as you said). But I haven't really found solid proof that it was done through otherOS, or an explanation from them other than a post saying it was accomplished.

Waiting game, let's hope someone has some steady hands to solder and enough intelligence to create a custom bootldr.
Old 11-11-2011   #384
freshstart
Apprentice
 
I just checked pastebin and I saw something:

http://pastebin.com/HwkP0Bfg

<Mathieulh> rms ah! you mean using that bug we found ? (about the elfs)
There it is still a "we found".
Old 11-11-2011   #385
baargle
Senior Member
 
Originally Posted by xxxblitzxxx View Post
How can he be wrong? Can you explain? =)
As the guy has (fantastically, I must say) explained on this page ^

Everything of use has been taken out of METLDR apart from the per-console key.
Old 11-11-2011   #386
xxxblitzxxx
Member
 
Originally Posted by freshstart View Post
I just checked pastebin and I saw something:
http://pastebin.com/HwkP0Bfg
There it is still a "we found".
I hope this leads us to something very big =)
Old 11-11-2011   #387
baileyscream
Senior Member
 
Originally Posted by freshstart View Post
I just checked pastebin and I saw something:
http://pastebin.com/HwkP0Bfg
There it is still a "we found".
Reading that pastebin, the quote:
32.[04:46:01] <Mathieulh> now we just have to load them and fetch the data from the shared LS or the mailbox
sounds like you might just need software to get the LS, not hardware, after all!!
Old 11-11-2011   #388
ModIt
Member
 
Originally Posted by j89 View Post
this has been explained in bits and pieces in this thread but here goes:
[...]

Thank you for sorting this out into understandable words.

So the big question is, are you able to patch the hypervisor and decrypt the loaders? :D
Old 11-11-2011   #389
RickDangerous
Member
 
Great post j89! That cleared up a lot of confusion for a newb like me.

So we need to patch lv1ldr (hypervisor) so that lv2ldr (gameos) is able to read and dump the bootldr and then decrypt them using the per console key.

I see there is loads of information about hypervisor reverse engineering in the wiki:
http://ps3devwiki.com/index.php?titl...se_Engineering

Where can I download a decrypted hypervisor dump? My PS3 is on OFW 3.72 so I can't dump my own.
Old 11-11-2011   #390
lunuxx
Homebrew Developer
 
Originally Posted by raiderscrusade View Post
Just thought I'd add it, but in regards to that eussNL key and geohot key, the same values exist in the exact same offsets in the pastebin link to 'root @ alexus hexdump'.

So, this could indeed be epic fail.
That's my dump and I gave it to eussNL... so it's possible eussNL dug through it a little more; I have yet to find out, I'm too busy with work.
If anyone else wants to take a look at the physical dump (not the pastie, the binary file):
http://gotbrew.org/dump

Last edited by lunuxx; 11-11-2011 at 10:26 AM.
PS3Hax.net is Copyright © 2010-2013.
Use of this site is governed by our Terms of Use and Privacy Policy. All Trademarks and images are owned by their respected owners.
Posts and links are subject to each author on this forum and are no way affiliated with the operations and/or opinions of ps3hax.net