[V6ser]

How to load METLDR in PlayStation 3

After some experiment I succeded to load METLDR in spu isolation. You need geohot's exploit to do this, because you need to turn spu relocation off (MFC_SR1[R]=0) and not let know the HV you are using a SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work in HV way.

Here the source code. Enjoy!!!!

Spuisolation.tgz // (27.11 KB)

Download

Thks to TitanMKD, Xorloser and Mathieulh.

Here a paste of an userspace metldr loader using xorhack. You need to patch xorhack tools adding read_u32() and write_u32() functions.
// Turn relocation OFF
printf("<TURN RELOCATION OFF>\n");
write_u64(SPU_P1(SPU_CURR)+0x0000, (read_u64(SPU_P1(SPU_CURR)+0x0000) & 0xFFFFFFFFFFFFFFEF�;
printf("MFC_SR1 = %llx\n", read_u64(SPU_P1(SPU_CURR)+0x0000�;

// no accesses are to be considered well behaved and cacheable
write_u64(SPU_P1(SPU_CURR)+0x0900, (u64)0x0);

// set overwrite mode for signal notification 1/2
write_u64(SPU_P2(SPU_CURR)+0x4078, (u64)0x0);

// set signal_notify1 = high metldr real address
write_u32(SPU_PS(SPU_CURR)+0x1400C, (u32)0x0);

// set signal_notify2 = low metldr real address
write_u32(SPU_PS(SPU_CURR)+0x1C00C, (u32)0x11000);


printf("---> START SPU IN ISOLATION MODE\n");

// set SPU_PRIVCNTL[LE]=1
write_u64(SPU_P2(SPU_CURR)+0x4040, (u64)0x4);

// set SPU_RUNCNTL[Run] = '11'
write_u32(SPU_PS(SPU_CURR)+0x401C, (u32)0x3);:


for (cx=0; cx<3; cx++)
{
// Print SPU_STATUS
print__spu_status(read_u32(SPU_PS(SPU_CURR)+0x4024�;

sleep(5);
}

Source:
http:// http://www.ps3devwiki.com/index.php?...erflow_Exploit

[rizwanalichand]

Originally Posted by hyztname How to load METLDR in PlayStation 3 After some experiment I succeded to load METLDR in spu isolation. You need geohot's exploit to do this, because you need to turn spu relocation off (MFC_SR1[R]=0) and not let know the HV you are using a SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work in HV way. Here the source code. Enjoy!!!! Spuisolation.tgz // (27.11 KB) http://www.multiupload.com/UFNIMIG472 Thks to TitanMKD, Xorloser and Mathieulh. Here a paste of an userspace metldr loader using xorhack. You need to patch xorhack tools adding read_u32() and write_u32() functions. // Turn relocation OFF printf("<TURN RELOCATION OFF>\n"); write_u64(SPU_P1(SPU_CURR)+0x0000, (read_u64(SPU_P1(SPU_CURR)+0x0000) & 0xFFFFFFFFFFFFFFEF�; printf("MFC_SR1 = %llx\n", read_u64(SPU_P1(SPU_CURR)+0x0000�; // no accesses are to be considered well behaved and cacheable write_u64(SPU_P1(SPU_CURR)+0x0900, (u64)0x0); // set overwrite mode for signal notification 1/2 write_u64(SPU_P2(SPU_CURR)+0x4078, (u64)0x0); // set signal_notify1 = high metldr real address write_u32(SPU_PS(SPU_CURR)+0x1400C, (u32)0x0); // set signal_notify2 = low metldr real address write_u32(SPU_PS(SPU_CURR)+0x1C00C, (u32)0x11000); printf("---> START SPU IN ISOLATION MODE\n"); // set SPU_PRIVCNTL[LE]=1 write_u64(SPU_P2(SPU_CURR)+0x4040, (u64)0x4); // set SPU_RUNCNTL[Run] = '11' write_u32(SPU_PS(SPU_CURR)+0x401C, (u32)0x3);: for (cx=0; cx<3; cx++) { // Print SPU_STATUS print__spu_status(read_u32(SPU_PS(SPU_CURR)+0x4024�; sleep(5); } Source: http:// http://www.ps3devwiki.com/index.php?...erflow_Exploit

metldr
where can i put this codes

how it use sir

[Goldeneye]

don't even bother taking a look at it if you don't know what it does or how you can use it.

[V6ser]

WOOOOOW, i sent a request to post this tut here about 5 months ago.

[hellsing9]

@hyztname you don't need to send a request in order to post a tutorial, you post it and if it's not good on the view of the mods/admin gets moderated.

[V6ser]

Originally Posted by hellsing9 @hyztname you don't need to send a request in order to post a tutorial, you post it and if it's not good on the view of the mods/admin gets moderated.

pfffff and what do you know about it, you are just a Moderator.

When i posted it(I think january 20 something) it clearly said:

Originally Posted by PS3Hax;Service Your tutorial need to wait our mods and/or admin aprovation. If you are trolling us, prepare to die.

[hellsing9]

Originally Posted by hyztname pfffff and what do you know about it, you are just a Moderator. When i posted it(I think january 20 something) it clearly said:

Well you know the consequences if you were trolling. Nice welcome party from this side

Things have changed since that date that you submited the tut.

[V6ser]

Originally Posted by hellsing9 Well you know the consequences if you were trolling. Nice welcome party from this side Things have changed since that date that you submited the tut.

Actually just some rules and mods have changed in this site.

The scene keeps being a big and public sh1t full of trolls and mathieulh...

[hellsing9]

@hyztname bullseye let's stay on topic.

[iPwnz]

Originally Posted by hyztname Thks to TitanMKD, Xorloser and Mathieulh.

Originally Posted by hyztname The scene keeps being a big and public sh1t full of trolls and mathieulh...