Old 04-26-2012   #21
Elegant
Member
I wonder who WOULD work on this...

Could the OP or someone possibly upload the decrypted bootldr? It would be interesting to actually view this...

If we actually worked on this, it would go similar to this:
1. Alter bootldr to dump lv0 to a USB stick (you would require code execution at boot-up, which could require a bit of work).
2. Sign bootldr using Mathieulh's metldr exploit (it works for the bootldr).
3. Replace bootldr in current PS3 with newly signed bootldr.
4. Plug in your USB and get your free copy of lv0.

If those 4 steps were done, we'd have the console pwn'd forever because Sony cannot update the bootldr.
Old 04-26-2012   #22
Cheesethief
Senior Member
Originally Posted by Elegant
I wonder who WOULD work on this...

Could the OP or someone possibly upload the decrypted bootldr? It would be interesting to actually view this...

If we actually worked on this, it would go similar to this:
1. Alter bootldr to dump lv0 to a USB stick (you would require code execution at boot-up, which could require a bit of work).
2. Sign bootldr using Mathieulh's metldr exploit (it works for the bootldr).
3. Replace bootldr in current PS3 with newly signed bootldr.
4. Plug in your USB and get your free copy of lv0.

If those 4 steps were done, we'd have the console pwn'd forever because Sony cannot update the bootldr.
The thing is, this is the 3.55 bootldr and not 3.60+ one. So the lv0 it loads is useless. (Take note of the boot orders on the devwiki for 3.55 and later firmwares).
Old 04-26-2012   #23
munky875821417
Member
bootldr never changes
Old 04-26-2012   #24
defyboy
Member
Sorry people,

This script dumps the OtherOS bootloader binary image, not the bootldr we need to get the lv0 keys. It was written by the 'real' Geoffrey Levand. http://dev.man-online.org/man8/ps3-utils/ http://packages.debian.org/sid/admin/ps3-utils

The real bootldr that we want to get will be less than 256 KB and will not contain a whole heap of kernel strings. Dumping the bootldr will not be this easy.
Old 04-26-2012   #25
Elegant
Member
@Cheesethief bootldr is encrypted with the console key (how we'd get it decrypted would require knowing that, except for this method, which seems to bypass that). As such it's IMPOSSIBLE to EVER update the bootldr, as then the console key for each console would be the same. If you write a bootldr that dumps lv0 (which is the only step required here) and sign it, then we're done forever. No more updates can ever hide the keys.

We'd get access to lv0 by getting the bootldr to decrypt lv0 (which it already knows how to do, as the bootldr is the FIRST link in the chain of trust) and simply telling it "Hey, rather than storing it in memory and deleting it after it's done, let's also dump it to, say, my internal hard drive or USB stick after decrypting it". Then we simply fetch the file later.
Old 04-26-2012   #26
Cheesethief
Senior Member
Originally Posted by Elegant
@Cheesethief bootldr is encrypted with the console key (how we'd get it decrypted would require knowing that, except for this method, which seems to bypass that). As such it's IMPOSSIBLE to EVER update the bootldr, as then the console key for each console would be the same. If you write a bootldr that dumps lv0 (which is the only step required here) and sign it, then we're done forever. No more updates can ever hide the keys.

We'd get access to lv0 by getting the bootldr to decrypt lv0 (which it already knows how to do, as the bootldr is the FIRST link in the chain of trust) and simply telling it "Hey, rather than storing it in memory and deleting it after it's done, let's also dump it to, say, my internal hard drive or USB stick after decrypting it". Then we simply fetch the file later.
That's true. What I am saying is Sony updated lv0 in firmwares after 3.55. So we would have to get the current bootldr to decrypt the later lv0 versions. The current lv0 in 3.55 is useless.
Old 04-26-2012   #27
Elegant
Member
@Cheesethief Nah dude, you're not quite getting it all: the "current bootldr" was the one you got from the factory when they made it. If you have a PS3 that originally had, like, FW 1.00 (let's pretend that was 5 years ago), you've had the same bootldr for 5 years regardless of how many times you upgraded from 1.00-1.50-3.41-3.55-4.11 or what have you. Even if you downgraded, you're still using the same bootldr.

You simply CANNOT update the bootldr; therefore, when Sony changed lv0, it must be compatible with the "old bootldr" (they never change it; it's all the same bootldr).

However, that does not mean we can't alter the bootldr to do other things; it simply means Sony can never update it, as it's encrypted with the per-console key. So if we got the bootldr to dump a decrypted lv0 in 3.55, it would HAVE to work in 3.6x+ because the bootldr would never change. It doesn't matter what lv0 does, because it's how the bootldr handles lv0!
Old 04-26-2012   #28
snowydew
Homebrew Developer
Originally Posted by SenorPickle
If? The OP led me to believe that bootldr is decrypted. And is that verification coming from you, or based on that tweet from Snowy?

Can someone that has otheros++ pastebin that business?
It's a partial dump, mostly kernel stuff. It'll help massively though.

Originally Posted by oPolo
I never actually gave Glevand a thanks for all his work... I was very new in the scene back then (and hence passive..... shy :3), and Gitbrew seemed a bit.. scene'isque, in the sense that they didn't seem like the type of guys you could easily get in contact with... And he's just.. gone now. Can't remember actually why, and what caused him to disappear.
Sorry you felt that way... When I was with gitbrew, we tried everything to make the IRC and everything else as user-friendly as possible and to help whoever we could. Didn't know that was the vibe we were giving off (on Twitter I answered as many questions as I could, as well as being as friendly as possible!)
Old 04-26-2012   #29
defyboy
Member
I can 100% confirm that this is nothing new. As I expected it dumps the OtherOS bootloader, which in this case is petitboot. The dump I have is identical to the current petitboot image found here: http://gitbrew.org/~glevand/ps3/peti...bImage.ps3.bin

Of course, feel free to replicate the test and compare it with the above file.
Old 04-26-2012   #30
svenmullet
Member
Originally Posted by defyboy
Sorry people,

This script dumps the OtherOS bootloader binary image, not the bootldr we need to get the lv0 keys. It was written by the 'real' Geoffrey Levand. http://dev.man-online.org/man8/ps3-utils/ http://packages.debian.org/sid/admin/ps3-utils

The real bootldr that we want to get will be less than 256 KB and will not contain a whole heap of kernel strings. Dumping the bootldr will not be this easy.
Didn't think it would be this easy