[rickylee6904]

very nice to see guys are hard at work much appreciated thank u guys

[JustThatDude]

Anyone else thinking Factory Service Mode on 4.20 right now?

[enosrasun]

Originally Posted by JustThatDude Anyone else thinking Factory Service Mode on 4.20 right now?

with the right keys ,go get them

[JustThatDude]

Originally Posted by enosrasun with the right keys ,go get them

Like I said in my other post look in data transfer option and you will your way to execute the code. Not really important though cause by the end of the month most likely we will have the lv2 keys.

[Disane]

just an oppinnion:

Since he mentioned that it doesn't work on 4.21, he decided to post it. I don't know if it was a mistake or not. I'm sure that there are already many ways to crash lv2 with user land code.

Now, I haven't seen ps3 payloads for a long time this one here is trying to poke different areas of lv2 mem space using sys_spu_initialize()
something similar to failoverfl0w, thought its definitely not the same. Since he is not trying to overflow the LS but jump a few bytes and exec. the syscall above till the system corrupts its own memory.

I wonder if this is not a simple panic and instant sys reset without actual (unsigned) code execution (think about non executable code areas in lv2). He didn't mention if he could actually make the program counter point to the actual payload he wrote. If so then we could be seeing another fail from Sony's system security team's xD

Sorry I'm only theorizing here, I only took a look at his code, maybe someone who actually works with this stuff could make more sense out of it.

[Protocol_Silence]

Originally Posted by r07f1 Originally Posted by xflarex Interesting thought, but your statement raises a question: how was this executed on 4.20 in the first place. I understand testing it on -3.55 or dex, but to know it works on 4.20 and not 4.21 implies testing on 4.20. Am I ignorant as to how to test elfs on higher firmwares? DEX converted consoles have other uses than warez/backups... they can execute unsigned code... so you can exec you code on 4.20 or whatever peace!

(Kinda off-topic)
Then why can't they find the QA Flag Token for QA Flagging to work on the higher firmwares?

[Disane]

Originally Posted by Protocol_Silence (Kinda off-topic) Then why can't they find the QA Flag Token for QA Flagging to work on the higher firmwares?

I guess this was answered a few times. I thought I might take my turn and answer this one my self.

Yes, you can run your own user land code and dumb the system memory on DEX. The only problem is that when you open it on your computer you won't be seeing any nice PPC/SPU code but a random set of characters with random spaces between them.
And YES, you are right this means there's something wrong with the dump, so you repeat the dump process but it yields the same mish-mash of bytes which don't make sense.

Now, you could actually suspect that the memory is probably encrypted and it can only be decrypted with the current system private keys. This also means that you can not reverse engineer any part of the newer firmwares.

Which brings us to your question, in order to find these tokens you would have to be able to reverse the whole system software, which alone could take a while and use up lots of brain (man) power.

[KDSBest]

Originally Posted by Disane I guess this was answered a few times. I thought I might take my turn and answer this one my self. Yes, you can run your own user land code and dumb the system memory on DEX. The only problem is that when you open it on your computer you won't be seeing any nice PPC/SPU code but a random set of characters with random spaces between them. And YES, you are right this means there's something wrong with the dump, so you repeat the dump process but it yields the same mish-mash of bytes which don't make sense. Now, you could actually suspect that the memory is probably encrypted and it can only be decrypted with the current system private keys. This also means that you can not reverse engineer any part of the newer firmwares. Which brings us to your question, in order to find these tokens you would have to be able to reverse the whole system software. Which alone could take a while and use up lots of brain (man) power.

You can't dump the system memory. Else it would be a catwalk to work around the system. At the moment it is just a big blackbox a very big one let's say 1000 square kilometers and we search with a little candle haha xD. The big guys aren't working anymore on this. They had flashlights xD

[Disane]

Originally Posted by KDSBest You can't dump the system memory. Else it would be a catwalk to work around the system. At the moment it is just a big blackbox a very big one let's say 1000 square kilometers and we search with a little candle haha xD. The big guys aren't working anymore on this. They had flashlights xD

Your right about that, #ps3private is gone for some time xD
Also, they had lots of experience with the system, but this was not their real strength in my opinion, but the fact that they worked as a real team to bring down the system.
Although to my knowledge the memory can be dumped only that it is encrypted and you can't use IDA on chunks of random bytes.

[KDSBest]

Originally Posted by Disane Your right about that, #ps3private is gone for some time xD Although to my knowledge the memory can be dumped only that it is encrypted and you can't use IDA on chunks of random bytes.

That's bull****. You can't dump it that's the point.
What you talk about is from the nand/nor, but not the memory. In memory Lv2 is not encrypted and can not be dumped from userland. If you can dump it from userland you got the power to really search an exploit. I need 2 bytes in lv2 on a syscall i can call and I can pwn the whole lv2.

First patch peek -> dump the real one (if you don't got it)
Then patch a poke -> poke real peek and poke syscalls -> restore overwritten lv2 stuff with the poke syscall -> done

Theory is always as simple as that.
There is no need for complicated payloads if you manage to write to a syscall that is callable from userland. The whole security breaks apart from that on.

Of course such things are patchable.

We should wait for ps4 and checkout what AMD came up with. In my opinion IBM > AMD, but we will see ^^.

The cell has a strong security system, just the implementation lacks.
Biggest mistake was that they said, metldr is not patchable . They just don't use it anymore.

I did enough, most people don't even know what I all did. It's time for a new generation . I am an oldie to the ps3 scene xD and still very underestimated ^^