[Asure]

Originally Posted by JonahUK metldrpwn requires isoldr to perform its 'hack' so it should be in the same folder as metldrpwn anyway. Metldrpwn uses isoldr to retrieve the eid root key seed(s) in order to get the eid root key.

Already found isoldr file on the ps3devwiki
http://www.ps3devwiki.com/files/firmware/OFW-CEX/ has subdir with unpacked binaries.

But i'm not at home right now, so i can't test & see what the second exploit dumps. Someone should also try & see if the lspwn pkg from adrianc runs on dex 4.x and what that dumps.. We may be closer to keys than we think

[Gonzakpo]

Have you seend this?

- support for isolation mode if there is demand

It's written on the TODO list of the lspwn. According to my undestanding if you can dump an isolated SPE LS, then you can dump the bootloader decrypted (it is loaded and decrypted in isolation mode).

It would be nice to contact adrianc to see if he can give us a hint (maybe he regrets what he did :P). Anyway, I'm kind of guessing here or more like brainstorming haha.

[ryant001]

Originally Posted by Gonzakpo Have you seend this? It's written on the TODO list of the lspwn. According to my undestanding if you can dump an isolated SPE LS, then you can dump the bootloader decrypted (it is loaded and decrypted in isolation mode). It would be nice to contact adrianc to see if he can give us a hint (maybe he regrets what he did :P). Anyway, I'm kind of guessing here or more like brainstorming haha.

So in the end he has just left out the most important function, just our usual luck!

[hintgiver]

http://www.ps3devwiki.com/index.php?...r_Console_Keys

on that site they talk also about dumping isolated spe ls

i think it links to the source code posted earlier.
And here is another page
http://www.ps3devwiki.com/wiki/SPU_I...se_Engineering

[Gonzakpo]

Originally Posted by hintgiver http://www.ps3devwiki.com/index.php?...r_Console_Keys on that site they talk also about dumping isolated spe ls i think it links to the source code posted earlier. And here is another page http://www.ps3devwiki.com/wiki/SPU_I...se_Engineering

Do you know what happens to the bootloader after it decrypts the LV0? Is it cleared from the LS?

Do we have to reload it if we want to dump it?

[Asure]

Once i get home i'll compile the other code from the pasties i saw before, and see what gets dumped.

[hintgiver]

the code from the pastie is also on the dev wiki.
http://www.ps3devwiki.com/files/devt...erConsoleKeys/


about the bootloader thing, maybe we find some information here:
http://www.ps3devwiki.com/wiki/Boot_Order

[Asure]

Progress:

Unknown pasties
I put together the code from the different pasties, and fixed a few includes Dump_rootkey's main.cpp is a good example of how the second exploit should look.

It now compiles and runs over RPC just like the original eid0 dumper.

However, by default, the actual dumping code is commented out. I uncommented it, but nothing happens, the program just sits there.

This might be because of two things

1. There are provisions for a 'isoldr.patched' in ./data/ folder, also commented.
Uncommenting and using the file from ps3devwiki didn't help.

2. I tried with an original 'isoldr' file from an unpacked 3.41 pup.
Could be we need an unencrypted copy? Not sure at this point.

I have attached the modified source to this post for others to peruse. This is not my work. I'm no C expert!

LSpwn
Runs like a charm on 3.41 CEX and dumps out the local storage (256kb)
Could someone on DEX 4.x confirm if the lspwn pkg runs on it?

[doggie721]

Why not try to use the v0.01 memdump to dump the LV2? ; )

[Asure]

Memdump needs peek/poke. We don't have peek/poke on the higher DEX/CEX firmwares.