#1
Apprentice
Join Date: Nov 2011
Posts: 2
Probable Metldr dump

I don't know if it's true but, tonight, a person named darkvolt put this into EOL.
Here is the link: http://www.multiupload.com/YN4G8LJJK4
Here is the link to the antivirus report: http://r.virscan.org/report/468a8837...7253505dc.html
http://www.elotrolado.net/hilo_metld...irvete_1700840

edit: Please don't blame me, I just want to know what developers think about this..

Last edited by holita; 11-19-2011 at 11:49 PM.

#2
Member
Join Date: Oct 2010
Posts: 42
1 post, newly registered, not suspicious at all.

#3
Apprentice
Join Date: Nov 2011
Posts: 2

#4
Member
Join Date: Oct 2010
Posts: 42
I'd be wary of downloading it regardless, seeing as antivirus software didn't pick up on the last virus leak.
http://translate.google.com/translat...irvete_1700840

There is some info on it. I'm skeptical, but in a way I'm hoping this isn't another scam. In those forums people are bringing up the name of Dark_Alex, although somehow I doubt it. I think in some of the comments on one of the forums they're stating that metldr isn't updatable nor revokable, thus meaning that GeoHot's rootkey

#5
Member
Join Date: Dec 2010
Posts: 41
More than probably. http://ps3devwiki.com/index.php?title=Dumping_Metldr was done a couple of weeks ago. AFAIK it's btldr/lv0 that a dump is required of, which will need to be unencrypted, but dumping metldr gives you your per-console key, which can be used to decrypt btldr. Again, that's AFAIK.

#6
Member
Join Date: Dec 2007
Posts: 196
A chat on IRC last night; some interesting stuff Math is hinting at, lol.

[22:18:29] <Mathieulh> though I am totally not interested in pwning it
[22:18:37] <Apocalyps> @TECH Send it to me
[22:18:42] <zecoxao> Mathieulh, quick question
[22:18:47] <zecoxao> syscon, owned or not?
[22:18:51] <Mathieulh> luis353, does it look like I code for the money ?
[22:19:00] <Apocalyps> Yes...
[22:19:03] <luis353> no math just asking
[22:19:07] <Mathieulh> zecoxao, yah I pwned that
[22:19:11] <zecoxao> kk
[22:19:20] <zecoxao> i asked Pockets69 to ask you that
[22:19:29] <zecoxao> but he didn't tell me so...
[22:19:32] <Apocalyps> One question
[22:19:35] <randuev> Mathieulh: i undestand why you feel so about this whole ps3 thing, with people like that
[22:19:36] <Mathieulh> easy when sony leave their sc fw key lying around
[22:19:42] <Apocalyps> Can we switch Meta loader with Boot loader?
[22:19:44] <zecoxao> :P
[22:19:51] <zecoxao> thanks for the hint
[22:20:02] <Mathieulh> Apocalyps, not if you want to brick
[22:20:07] <Apocalyps> damn
[22:20:11] <Mathieulh> not if you don't want to brick *
[22:20:27] <randuev> Mathieulh: is HW key stored in e-fuses unique in each console?
[22:21:03] <TechnoDon> only xbox has e-fuses
[22:21:25] <Apocalyps> I wish the PS3 scene was as fast and progressing as the 360 scene
[22:21:29] <Mathieulh> randuev, obviously yes
[22:21:42] <Mathieulh> TechnoDon, the ps3 has some too
[22:21:47] <Mathieulh> but they can only be programmed once
[22:21:50] <randuev> Mathieulh: but it's only 48 bits
[22:22:07] <randuev> 2^48 is enough?
[22:22:10] <Mathieulh> randuev, what makes you say that ?
[22:22:25] <randuev> well, i've read in cell docs
[22:22:39] <Mathieulh> it's more than that
[22:22:51] <Mathieulh> and cell docs does not reference everything
[22:22:56] <Mathieulh> that part is NDAed
[22:23:15] <Apocalyps> Wouldn't cell docks only reference the proccessor itself?
[22:23:27] <randuev> that's unfortunate
[22:23:59] <TechnoDon> i have sony 3.73 ofw if that helps..
[22:24:10] <TechnoDon> at Xbo
[22:24:11] <Apocalyps> It doesn't
[22:24:16] <TechnoDon> meh
[22:24:33] <randuev> Mathieulh: did you end up making that hw device to read local storage or 3 exploits were pure software?
[22:24:34] <luis353> math LV2Diag/ObjectiveSuite leaked lead to 3.73 CFW ?
[22:24:39] <randuev> luis353: no
[22:24:51] <Mathieulh> seriously wtf with the noobish questions?
[22:24:55] <Apocalyps> objectivesuite useless without jig
[22:24:56] <TechnoDon> how many times has that been asked now?
[22:25:02] <Mathieulh> randuev, softwate
[22:25:06] <Mathieulh> software*
[22:25:23] <zecoxao> i was more interested in the syscon key
[22:25:26] <Mathieulh> though randuev I suggest you to go the hardware root
[22:25:31] <zecoxao> since i know it's hanging around
[22:25:42] <randuev> Mathieulh: yeah, i am more keen on that as well
[22:25:43] <Mathieulh> zecoxao, then look for it xD
[22:25:54] <randuev> Mathieulh: i like soldering
[22:25:57] <zecoxao> nah, i'm stupid and mentally ill xD
[22:26:00] <Mathieulh> randuev, the sw approach is not easy
[22:26:17] <Mathieulh> it relies on tricking the bl to load more than once
[22:26:31] <zecoxao> that's what xxxxxx said
[22:26:35] <randuev> Mathieulh: no doubt. i was hoping to spy on the bus, but clock is bit too fast for me
[22:26:39] <Mathieulh> xxxxxx ?
[22:26:49] <zecoxao> http://pastebin.com/xkXxk8fM
[22:26:57] <zecoxao> but it wasn't for hw
[22:27:01] <zecoxao> it was for bootldr
[22:27:02] <Mathieulh> randuev, which bus are you looking at
[22:27:04] <Mathieulh> ? *
[22:27:19] <zecoxao> so he's probably wrong
[22:27:37] <randuev> Mathieulh: ram/cell
[22:27:48] <Mathieulh> rofl no wonder then
[22:27:56] <Apocalyps> Another Stupid Question: What exactly is Runtime Secure Boot?
[22:28:01] <Mathieulh> you are messing with the wrong bus
[22:28:09] <Mathieulh> also the xdr clock speed can be descreased
[22:28:12] <Apocalyps> Not really asking for an explanation, but what will it give us
[22:28:33] <Mathieulh> Apocalyps, it allows to load metldr at runtime
[22:28:39] <Mathieulh> it gets decrypted by the crypto engin
[22:28:42] <Mathieulh> and authenticated
[22:28:47] <Mathieulh> and then runs in a secure context
[22:28:50] <Mathieulh> in isolation mode
[22:28:53] <Apocalyps> So we still need to exploit that also, amirite?
[22:28:56] <randuev> heh, i don't have sufficient docage for syscon
[22:29:00] <zecoxao> so, underclock xdr...
[22:29:08] <Mathieulh> Apocalyps, you need to exploit the isolated process
[22:29:21] <Mathieulh> zecoxao, that's a way
[22:29:23] <Mathieulh> there are others
[22:29:36] <DarukBot> (title) [16:41] I think it works [16:41] I mean this is what I th - Pastebin.com
[22:30:07] <Apocalyps> After exploiting the isolated process, we follow up to the authenticatation and decryption of the crypto engine?
[22:30:48] <Apocalyps> In other words, would we need to exploit the process before the isolation?
[22:30:58] <randuev> TechnoDon: you are wasting your time with this dh crap
[22:31:01] <Mathieulh> if you want to go the hw route
[22:31:10] <Mathieulh> do not try to read the shared LS directly
[22:31:56] <randuev> Mathieulh: i am kinda confused about getting reliable readings out of cell cpu especially if local storage indeed is local
[22:32:19] <Apocalyps> but shouldn't hardware authentication step go before it can execute on an isolated SPE? Why not just exploit the hardware unthentication?
[22:32:21] <randuev> without removing covers off the cpu )
[22:32:28] <Mathieulh> randev the LS is only interconnected to the EIB
[22:32:40] <Mathieulh> and the EIB can only be accessed from the ppu
[22:33:07] <randuev> yeah, that's the problem, what to capture if it's all internal
[22:33:08] <Mathieulh> Apocalyps, go for it then
[22:33:21] <Mathieulh> it's not all internal
[22:33:33] <Apocalyps> It would require modifying the hardware. :/
[22:33:37] <Mathieulh> the shared LS can be accessed from the ppu
[22:33:40] <Apocalyps> Useless
[22:33:51] <Mathieulh> but hell, I am saying too much
[22:33:54] <Mathieulh> figure the rest yourselves
[22:34:05] <randuev> Apocalyps: nothing is wrong with hardware tinkering
[22:34:12] <zecoxao> hold on a sec
[22:34:18] <zecoxao> THE Raziel?
[22:34:19] <Apocalyps> Basically the hardware anthentication is just telling the spe that the hardware is tack?
[22:34:23] <randuev> Mathieulh: thanks for tips, i'll try this way
[22:34:29] <Apocalyps> *in tack
[22:34:32] <MajorPSP1> lol
[22:34:34] <_Raziel_> ops
[22:34:41] <_Raziel_> not they but math
[22:34:46] <zecoxao> the one that makes that emu?
[22:34:58] <zecoxao> oh rly?
[22:34:59] <Mathieulh> Apocalyps, there are freaking docs about it written by IBM, I suggest you read them
[22:35:26] <Apocalyps> I'll read them... later
[22:35:47] <MajorPSP1> not jk lol
[22:36:03] <randuev> Mathieulh: about software route, can this all be done from otheros withour reboots of the system?
[22:36:18] <Mathieulh> you need lv1 privs
[22:36:29] <randuev> yeah, that can be patched
[22:36:36] <Mathieulh> not really
[22:36:47] <randuev> i mean in flash with nor flasher
[22:36:54] <Mathieulh> yeah
[22:37:08] <Mathieulh> you can update to a patched lv1
[22:37:10] <zecoxao> nor or nand xD
[22:37:13] <Mathieulh> that is ****ing easy
[22:37:46] <Mathieulh> also the bl fetches lv0 straight from nor
[22:37:49] <Apocalyps> http://www.ibm.com/developerworks/po...y/image002.gif
[22:37:50] <Mathieulh> so you need to write your own
[22:37:57] <Mathieulh> at least on a temporary basis
[22:38:03] <Mathieulh> and the check has to fail
[22:38:05] <randuev> no problem with temporary bricks
[22:38:11] <Mathieulh> otherwise it will overwrite lv1
[22:38:32] <Mathieulh> that is if you get to reload it
[22:38:41] <Mathieulh> which is HARD
[22:39:03] <randuev> yeah, i am not that far into software side unfortunately
[22:39:33] <Apocalyps> So this is secure runtime boot: http://www.ibm.com/developerworks/po...y/image2-3.gif
[22:39:59] <randuev> i was hoping that by malforming lv0 in the right way i could make it write needed info to flash
[22:40:37] <randuev> but if i understand diagrams correctly, everything interesting gets wiped before passing on next lvl
[22:40:53] <Apocalyps> Yes
[22:41:13] <Mathieulh> lv0 "destroys" the spu at some point
[22:41:44] <MajorPSP1> fr rly? lol
[22:42:04] <Mathieulh> well it has to be terminated from ppu side
[22:42:09] <Mathieulh> so err.... yeah
[22:42:16] <Mathieulh> it is done quite early btw
[22:42:43] <Apocalyps> ...
[22:42:52] <randuev> ok, it seems that i have to look at lv0 in ida again
[22:43:08] <Mathieulh> dumped it?
[22:43:09] <randuev> last time it went over head
[22:43:38] <randuev> or maybe it wasn't decrypted
[22:43:58] <Mathieulh> how did you do the dump?
[22:44:17] <Mathieulh> if it's straight from nor, it is encrypted
[22:45:24] <randuev> that must be it
[22:46:11] <zecoxao> TechnoDon, go get the keys lol
[22:46:38] <Apocalyps> Ok?
[22:48:12] <Apocalyps> crack37
[22:48:28] <Mathieulh> CV >>>>>>>>>>> terminate_isolated_spu
[22:48:28] <Mathieulh> CV : error : already normal state
[22:48:28] <Mathieulh> CV : error : stop isolated spu fail
[22:48:28] <Mathieulh> CV >>>>>>>>>>> terminate_isolated_spu finished.
[22:48:28] <Mathieulh>
[22:48:29] <TechnoDon> ?
[22:48:40] <Mathieulh> that's when the bootloader spu is "destroyed"
[22:48:59] <zecoxao> is that on RAM? i believe i saw that on a peek poker once
[22:49:06] <Mathieulh> no way
[22:49:12] <Mathieulh> that's from lv0
[22:49:16] <zecoxao> oh ok
[22:49:24] <zecoxao> i saw something else then
[22:50:22] <Apocalyps> crypto isolation process
[22:51:37] <DarukBot> (title) [C++] #include int main(int argc, char *argv[]){ printf( "n" "break - Pastebin.com
[22:52:31] <Mathieulh> my code had a little more lines (and keys) than that one
[22:52:54] <Apocalyps> How about you post a code? :P
[22:53:46] <Mathieulh> Apocalyps, don't make me look for a hello world
[22:53:55] <Apocalyps> ish dat guy geohotz
[22:54:29] <zecoxao> deroad, Math has posted the lv0 version
[22:54:30] <Apocalyps> Mathieulh, no one is telling you to look for hello world. just something labeled "3.73 keys here"
__________________
Ps3hax is for me, like Reading a good book!

#8

Join Date: Sep 2010
Posts: 202
File is clean:
http://virusscan.jotti.org/nl/scanre...7348cfdee2d0c3

And it's not interesting to put a virus in a non-executable file.

#9
Member
Join Date: Jan 2008
Posts: 94
More here:
http://translate.google.com/translat...te_1700840_s10

[ - Post Merged - ]

Seems like "darkvolt" is the man in getting 3.6 CFW. By the way, the trick using metldr is getting bl to run several times..

[ - Post Merged - ]

This is the key in the dumps:
erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70

[ - Post Merged - ]

My last post..
http://www.ps3sos.com/showthread.php...p-por-Darkvolt

#10
Member
Join Date: Nov 2011
Posts: 38
A good way to be anon is by making a new account, so don't rule anything out.