#191
Member
Join Date: Jul 2008
Posts: 45
How exactly would you inject the code? The first thing that loads on the PS3, other than the syscon code, is the Cell bootloader.
Although I doubt it, has anyone actually looked at the code that verifies the SPU's authenticity, i.e. the code the hardware processor uses inside the Cell? I briefly looked at decapping a space Cell chip a while back, but after talking to a few people on IRC and looking at the cost of an electron microscope, I never went through with it. Edit - if the syscon is the first thing that loads, then has anyone dumped the full syscon EEPROM?
Last edited by sbmotoracer; 10-22-2012 at 11:09 AM.
#192
Member
Join Date: Oct 2011
Posts: 719
So, what's the right offset for the decrypted metadata WE want? If we're attempting this by trial and error, we'll take ages and precious minutes of bricking our consoles, since bootldr has to load the right offset out of lv0. Because we can do the same with metldr in a safe environment (Linux/GameOS), we don't brick when we get the eid_root_key. How about bootldr? It'll brick, no?
"Whoever has ears, let them hear."
#193
Homebrew Developer
Join Date: Jan 2012
Posts: 105
Guys, I'm sorry but I'm out now. You don't listen to what someone with good aim tries to tell you. You lack so much knowledge about the PS3 and think everyone is betraying you. Good luck with "Slowing Down" the Cell or with dumping "LocalStorage" from HDD or the embedded Flash -.-
#194
Member
Join Date: Jul 2008
Posts: 45
The reason I mentioned the SPU's verification code and the syscon is that those are two avenues of attack that (at least from what I've seen) haven't been looked at.
#195
Member
Join Date: Mar 2012
Posts: 193
Lol, that wasn't meant towards you.
No, you can't just take the syscon EEPROM, mainly because no one has a flasher for it. Plus it's encrypted per console. Syscon doesn't even pull bootldr, the Cell does. Decapping would be expensive if you want pck0 that way.
#196
Member
Join Date: Jul 2008
Posts: 45
Not that it would surprise me if it was, but what makes you think that the syscon is encrypted inside the EEPROM?
As for not having a flasher/dumper (correct me if I'm wrong, since I had trouble finding any information about decapping EEPROMs), I would imagine that once the bond wires are exposed they can be traced back to the vias at the bottom of the chip. As for attacking the bootloader, I really don't see a way around either not having a properly signed lv0 or tapping the bus lines from memory to the Cell.
#197
Member
Join Date: Mar 2012
Posts: 193
Syscon is encrypted per console. Without your syscon key, you can't do anything with it. lv0 isn't the only way to get bootldr.
#198
Member
Join Date: Jul 2008
Posts: 45
To keep from derailing the topic with my questions, mind listing the source where you learned that the syscon is encrypted per console?
Not disagreeing with you, I just would like to learn more about the syscon and how it stores its data beyond what's listed in the dev wiki. - On topic - what other methods do you have in mind? Does the bootloader take any inputs after the console has loaded?
#199
Member
Join Date: Feb 2011
Posts: 381
Well master... it's game over now. So why not stop with the hints and explain in some detail how it works... Not like it matters now anyway, and to be honest,
I wanna know...
#200
Member
Join Date: Mar 2012
Posts: 193
The wiki doesn't have much about syscon because the main people who add to the wiki don't know about syscon. They think syscon is signed with the same keys as bootldr. But guess what? Now you don't need bootldr. The PS3 has been almost busted wide open software-wise. Though there's still a lot left to learn.