Old 03-26-2012   #101
defyboy
Member
 
Join Date: Jan 2011
Posts: 164
Likes: 6
Liked 274 Times in 96 Posts
Mentioned: 57 Post(s)
Tagged: 0 Thread(s)
Originally Posted by Gonzakpo View Post
Well, for some time I wanted to try to dump the RAM of the PS3. I have the tools and the knowledge, but the truth is, I don't want to put my only PS3 at risk (it is not a foolproof process) and it takes too much time!

If you visit ps3devwiki, in the XDR RAM section, you'll find all the datasheets. There's one that talks about the XDR clock generator. In it you'll find a pin called /BYPASS that disables the PLL, thus slowing down the processor + XDR RAM. Also, you could even slow down the PS3 oscillator. But I have yet to figure it out.

If you slow down the XDR and processor, you would be able to "snoop" on the bus with relatively cheap hardware (I was thinking of a basic logic analyzer implemented in an FPGA) and dump the memory contents as they get written during boot up.

Of course, if you have access to a logic analyzer that can snoop on the bus without slowing it down, then it will be much easier. But I bet that logic analyzer would cost above $15K.

I'm not sure about this. But maybe the decrypted lv0 gets copied to RAM during boot up. With that you could be able to get all the needed keys EXCEPT for the lv0 keys and the bootloader keys, of course. So, you won't be able to make a CFW, but if you have total access to a decrypted lv0, probably a software hacker could find new exploits.

But well, as I said before, I really don't have enough time to go through this and also I don't have a spare PS3 to test with. It is not a simple task and I'm not even sure if the PS3 will boot up with the clock slowed down.

Only a person fully dedicated to this would have the time to do it.
I have looked into the possibility of dumping RAM via hardware. I have entertained the idea of snooping the XDR bus briefly, but that requires extensive hardware knowledge and a rather large implementation cost - such hardware just doesn't exist commercially.

I have also looked into the possibility of bus mastering the PCI bus to read memory, but that too would require a rather large implementation.

The most viable process for dumping RAM at the moment is via software, but as stated, just dumping LV0 - while it is progress and interesting - is not enough for progression past the 3.60 firmware barrier. We need to dump the bootldr/lv0ldr to get the lv0 keys, which in turn allow us to decrypt the entire firmware chain.
defyboy is offline   Reply With Quote
Old 03-26-2012   #102
fuRh7
Apprentice
 
Join Date: Jan 2012
Posts: 28
Likes: 0
Liked 6 Times in 4 Posts
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
I didn't say we need to decrypt the bootloader, as it is practically impossible. I said the PCK0 is the key that was used to encrypt the metldr and bootldr, so because of the security flaw of the PS3 that gives us the decrypted metldr, there should be somewhere the PCK0, as only this key is able to decrypt the metldr. If this wasn't true, how come the metldr gets decrypted in the first place... When we know the key that has decrypted the metldr, we know practically everything we have to know...
fuRh7 is offline   Reply With Quote
Old 03-26-2012   #103
master737373
Member
 
Join Date: Mar 2012
Posts: 203
Likes: 12
Liked 80 Times in 50 Posts
Mentioned: 23 Post(s)
Tagged: 0 Thread(s)
Originally Posted by fuRh7 View Post
I didn't say we need to decrypt the bootloader, as it is practically impossible. I said the PCK0 is the key that was used to encrypt the metldr and bootldr, so because of the security flaw of the PS3 that gives us the decrypted metldr, there should be somewhere the PCK0, as only this key is able to decrypt the metldr. If this wasn't true, how come the metldr gets decrypted in the first place... When we know the key that has decrypted the metldr, we know practically everything we have to know...
PCK0 still decrypts bootldr. That's the first thing that gets decrypted. You can, in theory, get a decrypted metldr, that same metldr but encrypted, and encrypted bootldr and sort of use a dictionary-style decryption, though it will take forever.
master737373 is offline   Reply With Quote
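The two posts above argue about whether a decrypted metldr implies the per-console key (PCK0) must be recoverable somewhere. The following toy model is an added illustration of why it need not be; it is not PS3 code, and the ciphers, the stage layout and the stage names ("bootldr", "lv0", "lv1") are assumptions chosen for the demonstration. The root key lives only inside a RootOfTrust object and is used only to unwrap the first stage; each stage's plaintext carries the key for the next stage; every image is authenticated before it is decrypted, so a modified stage is refused rather than executed. Software downstream only ever sees decrypted output, never the key that produced it.

```python
"""Toy model of an encrypted, authenticated boot chain with a per-console root key.
Added illustration only: not PS3 code, and the SHA-256/HMAC constructions here
stand in for whatever the real chain uses, which the thread does not describe."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream: SHA-256(key || nonce || counter), 32 bytes per block.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(key, label || nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_image(key: bytes, label: bytes, blob: bytes) -> bytes:
    """Verify the tag first; anything that was modified is rejected, never decrypted."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("image %r failed authentication" % label)
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RootOfTrust:
    """Holds the per-console key (the thread's PCK0). It is used only inside
    unwrap_first_stage(); callers receive decrypted bytes, never the key."""

    def __init__(self, pck0: bytes):
        self.__pck0 = pck0  # name-mangled to mimic a fused, non-exportable key

    def unwrap_first_stage(self, blob: bytes) -> bytes:
        return open_image(self.__pck0, b"bootldr", blob)


CHAIN = ["bootldr", "lv0", "lv1"]  # hypothetical three-stage chain


def build_chain(pck0: bytes) -> tuple:
    """Seal each stage under its key; each stage's plaintext ends with the
    KEY_LEN-byte key of the next stage. Stage bodies are constructed placeholders."""
    keys = {"bootldr": pck0, "lv0": os.urandom(KEY_LEN), "lv1": os.urandom(KEY_LEN)}
    images = {}
    for i, name in enumerate(CHAIN):
        body = name.encode() + b" code"
        if i + 1 < len(CHAIN):
            body += keys[CHAIN[i + 1]]  # embedded key for the next stage
        images[name] = seal(keys[name], name.encode(), body)
    return RootOfTrust(pck0), images


def boot(rot: RootOfTrust, images: dict) -> list:
    """Walk the chain; returns the stages that authenticated, raises on tampering."""
    booted = []
    plain = rot.unwrap_first_stage(images["bootldr"])
    booted.append("bootldr")
    for name in CHAIN[1:]:
        next_key = plain[-KEY_LEN:]  # key carried by the previous stage
        plain = open_image(next_key, name.encode(), images[name])
        booted.append(name)
    return booted


def tamper_detected(rot: RootOfTrust, images: dict, stage: str) -> bool:
    """Flip one ciphertext byte of a stage and report whether boot refuses it."""
    modified = dict(images)
    blob = bytearray(modified[stage])
    blob[NONCE_LEN] ^= 0x01  # first ciphertext byte
    modified[stage] = bytes(blob)
    try:
        boot(rot, modified)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rot, images = build_chain(os.urandom(KEY_LEN))
    print("booted:", boot(rot, images))
    print("lv0 tamper detected:", tamper_detected(rot, images, "lv0"))
```

Having both the sealed and the decrypted form of a stage gives a known-plaintext pair for the cipher, not the key: in this model the key is neither stored in software nor derivable from the output, which is the property a hardware-held root key is meant to provide.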
Old 03-26-2012   #104
Noli
Apprentice
 
Join Date: Sep 2010
Posts: 1
Likes: 0
Liked 3 Times in 1 Post
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Hi, just wanted to leave this here, a short interview with naehrwert, also some talk about lv0. English Version starts somewhere in the middle of the page. http://monkeydesk.at/content/exklusi...aehrwert-1198/
Noli is offline   Reply With Quote
Likes: (3)
Old 03-26-2012   #105
calo
Member
 
Join Date: Feb 2011
Location: Dublin
Posts: 165
Likes: 45
Liked 59 Times in 40 Posts
Mentioned: 11 Post(s)
Tagged: 0 Thread(s)
Originally Posted by Noli View Post
Hi, just wanted to leave this here, a short interview with naehrwert, also some talk about lv0. English Version starts somewhere in the middle of the page. http://monkeydesk.at/content/exklusi...aehrwert-1198/

cheers, good read.
calo is offline   Reply With Quote
Old 03-26-2012   #106
munky875821417
Member
 
Join Date: Jun 2011
Posts: 203
Likes: 34
Liked 87 Times in 40 Posts
Mentioned: 6 Post(s)
Tagged: 0 Thread(s)
So this means lv0 is exploited through lv0ldr?
munky875821417 is offline   Reply With Quote
Old 03-26-2012   #107
master737373
Member
 
Join Date: Mar 2012
Posts: 203
Likes: 12
Liked 80 Times in 50 Posts
Mentioned: 23 Post(s)
Tagged: 0 Thread(s)
Originally Posted by munky875821417 View Post
So this means lv0 is exploited through lv0ldr?
There's no such thing as lv0ldr. It's called bootldr, which you can't decrypt without the PCK_0.
master737373 is offline   Reply With Quote
Old 03-26-2012   #108
munky875821417
Member
 
Join Date: Jun 2011
Posts: 203
Likes: 34
Liked 87 Times in 40 Posts
Mentioned: 6 Post(s)
Tagged: 0 Thread(s)
Per-console key 0.
munky875821417 is offline   Reply With Quote
Old 03-26-2012   #109
darkness137
Apprentice
 
Join Date: Mar 2012
Posts: 4
Likes: 0
Liked 0 Times in 0 Posts
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Exactly how many encryption levels are we talking here before reaching the bootldr key?
darkness137 is offline   Reply With Quote
Old 03-26-2012   #110
svenmullet
Member
 
Join Date: Jun 2011
Location: The Frozen North.
Posts: 748
Likes: 503
Liked 707 Times in 312 Posts
Mentioned: 82 Post(s)
Tagged: 0 Thread(s)
Originally Posted by darkness137 View Post
Exactly how many encryption levels are we talking here before reaching the bootldr key?
Let's just say that if there were no levels of encryption at all, the PS3 would probably be twice as fast as it is.
svenmullet is offline   Reply With Quote
Likes: (2)
PS3Hax.net is Copyright © 2010-2013.