Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by PS3Hax Member News , on 08/11/2011 , @ 10:11

    Leaks by anonymous sources are becoming more frequent. It is still unconfirmed, but it looks like an anonymous person has leaked a metldr exploit to the web.

    To quote:

    We here at our PS3 Crunching news desk have been going through all our emails as we do each morning over our daily large dose of coffee, and suddenly had to take a ‘step back’ and get our heads in order, as we received an ‘an0nymous email’ from some random one-time dropbox, containing a weird little attachment, with a simple note:

    Program: metldr838exploit
    Author: Unknown
    Usage: Unknown
    Reason: Unknown

    Before posting we had one of our PS3 Crunching developers look it over, and it seems to be a set of ‘C’ code and headers and a compiled ELF and SELF that exploits the ‘chain of trust’ to dump an ‘unencrypted’ version of your PS3 ‘metldr’.

    It is still unconfirmed whether this is a real, working metldr exploit, and for now it isn’t very useful for the end user, but it might bring us closer to a more open PlayStation 3. We will keep you up to date as soon as some developers have had time to play with it and confirm whether it is usable. For now: exciting new developments!

    Thanks to PS3Hax member himshie for the submission!

    Source: PS3Crunch
    Download: http://bit.ly/tP9myU


  • Posted by PS3Hax Member News , on 22/03/2011 , @ 05:03

    Many people have been talking about the exploit found by Mathieulh, and some got too excited about it. His exploit would reportedly let us hack all the upcoming firmwares.

    Whether it can be compared with the exploit geohot used to obtain the metldr keys is still not clear, even to Mathieulh himself, since geohot has kept quiet about it, although he did tell everyone on IRC that the metldr exploit was done (or used) on an OtherOS-enabled 3.15 console.

    Now, Mathieulh posts:

    Actually the revocation list exploit doesn’t allow you to exploit isoldr, you could however sign a revoke list if you had the revocation list keys and knew the sign fail, and use that to dump isoldr. Metldr does not load revocation lists.

    @jarmster
    Ya well, without a disassembly I guess it’s all speculation, isn’t it math

    This has been tested, how do you think I could release the lv2ldr and appldr keys? (about 24hrs before Geohot showed up with metldr keys)

    You can also dump any loader using a signed metadata (including metldr) though that means you need to have the keys for it in the first place (kinda kills the purpose)

    Your entire purpose is to get the isolated process (the code running inside the spu) to jump to your instructions

    For example, the following instructions will dump the isolated LS to the SPU mailbox:
    loop:
    rdch $3, ch29          # block until the PPU writes a word to SPU_RdInMbox: the LS address to dump
    lqd $3, 0($3)          # load the 16-byte quadword at that (16-byte aligned) LS address
    wrch ch28, $3          # push word 0 (the preferred slot) to SPU_WrOutMbox; stalls until the PPU reads it
    rotqbyi $3, $3, 4      # rotate left by 4 bytes so word 1 moves into the preferred slot
    wrch ch28, $3          # word 1
    rotqbyi $3, $3, 4
    wrch ch28, $3          # word 2
    rotqbyi $3, $3, 4
    wrch ch28, $3          # word 3: all 16 bytes delivered, go wait for the next address
    up_one:
    br loop
    br up_one
    Of course you’ll need a ppu payload to fetch the mailbox data.
    Metldr is trivial to dump now that you can sign your loader, but I won’t say anything more on this.

    Finally, the problem with isoldr and the revoke list exploit isn’t so much that the exploit doesn’t work (it actually does). It’s that the payload from the crafted revoke list overwrites isoldr keys (which kinda kills the whole purpose). You can however get the revoke list keys from lv2ldr or appldr using the revoke list exploit and then sign a revoke list metadata to exploit isoldr later on. (There are other ways to get isoldr though, including the 3.60+ exploit I have, but there is at least another I know of.) Again, good luck in your endeavor.

    When he was asked about the NPDRM key in the equation, here’s what he said:

    There is more than one npdrm key. It’s not been released because the ones who have the skills to do it do not remotely care about pirating playstation store games (obviously).

    [VIA PS3Crunch]
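    The mailbox exchange behind Mathieulh’s loop, as an added example written for this page (it is not code from Mathieulh or from any released tool). It simulates both sides on the host: an SPU state machine that executes the instructions above against a small constructed local store, and the PPU payload that writes a 16-byte-aligned LS address into SPU_In_Mbox and reads the four words back from SPU_Out_Mbox. The channel depths (4-entry inbound, 1-entry outbound), the 256-byte LS size and the LS contents are assumptions for the demo; the real LS is 256 KiB.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LS_BYTES     256   /* assumption: a tiny stand-in for the 256 KiB isolated LS */
#define INBOX_DEPTH  4     /* SPU_RdInMbox (ch29) queues four words written by the PPU */
#define OUTBOX_DEPTH 1     /* SPU_WrOutMbox (ch28) holds one word until the PPU reads it */

static uint8_t  ls[LS_BYTES];                 /* constructed LS contents, filled in dump_and_verify() */
static uint32_t inbox[INBOX_DEPTH];  static int inbox_n;
static uint32_t outbox[OUTBOX_DEPTH]; static int outbox_n;
static uint8_t  r3[16];                       /* $3 as a big-endian quadword; bytes 0..3 are the preferred slot */
static int      pc;                           /* index of the next instruction of the loop */

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Execute one instruction of the loop; returns 0 when the channel op would stall. */
static int spu_step(void) {
    switch (pc) {
    case 0:                                   /* rdch $3, ch29 */
        if (inbox_n == 0) return 0;           /* stalls until the PPU writes an address */
        memset(r3, 0, 16);
        put_be32(r3, inbox[0]);               /* rdch fills the preferred slot and zeroes the rest */
        memmove(inbox, inbox + 1, (size_t)(--inbox_n) * sizeof inbox[0]);
        break;
    case 1: {                                 /* lqd $3, 0($3) */
        uint32_t addr = (be32(r3) & ~15u) % LS_BYTES;   /* 16-byte aligned, wraps inside the LS */
        memcpy(r3, ls + addr, 16);
        break;
    }
    case 2: case 4: case 6: case 8:           /* wrch ch28, $3 */
        if (outbox_n == OUTBOX_DEPTH) return 0;   /* stalls until the PPU drains the mailbox */
        outbox[outbox_n++] = be32(r3);        /* only the preferred slot goes out */
        break;
    case 3: case 5: case 7: {                 /* rotqbyi $3, $3, 4 */
        uint8_t t[16];
        memcpy(t, r3 + 4, 12); memcpy(t + 12, r3, 4);   /* rotate left by 4 bytes */
        memcpy(r3, t, 16);
        break;
    }
    case 9:                                   /* br loop */
        pc = 0;
        return 1;
    }
    pc++;
    return 1;
}

/* The PPU payload: hand the loop one aligned LS address per iteration through the
   inbound mailbox, then collect the four 32-bit words it answers with. Returns bytes recovered. */
static size_t ppu_dump_ls(uint8_t *out, size_t out_len) {
    size_t got = 0;
    for (uint32_t addr = 0; addr + 16 <= out_len && addr < LS_BYTES; addr += 16) {
        if (inbox_n == INBOX_DEPTH) return got;   /* cannot happen here: we drain before the next write */
        inbox[inbox_n++] = addr;                  /* PPU write to SPU_In_Mbox */
        for (int w = 0; w < 4; w++) {
            while (outbox_n == 0)                 /* poll SPU_Out_Mbox for the next word */
                if (!spu_step()) return got;      /* SPU stalled with nothing queued: protocol broken */
            put_be32(out + addr + 4 * w, outbox[--outbox_n]);   /* big-endian, word 0 first */
            got += 4;
        }
    }
    return got;
}

/* Fill the simulated LS with a constructed pattern, run the dump and compare. Returns 1 on a match. */
int dump_and_verify(void) {
    for (int i = 0; i < LS_BYTES; i++) ls[i] = (uint8_t)(i * 7 + 3);
    pc = 0; inbox_n = 0; outbox_n = 0;
    uint8_t dump[LS_BYTES];
    size_t n = ppu_dump_ls(dump, sizeof dump);
    return n == LS_BYTES && memcmp(dump, ls, LS_BYTES) == 0;
}

int main(void) {
    printf("mailbox LS dump: %s\n", dump_and_verify() ? "matches the simulated LS" : "MISMATCH");
    return 0;
}
```

    Two details the asm leaves implicit show up here: wrch ch28 stalls while the outbound mailbox is full, so the PPU has to drain each word before the SPU can push the next one, and the words arrive big-endian with the preferred slot first, so the PPU must store them in that order to reproduce the LS image.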

  • Posted by Pirate , on 06/03/2011 , @ 11:03

    Many of you might have seen the tweets about a new 3.56 exploit; well, DarkHacker has just released a PS3 CPU exploit.

    To quote:
    CPU Exploit – one step closer to METLDR

    This is a release of the hidden Cell exploit found a while ago, and one of the steps taken towards the metldr exploit. I’m going to release it because I feel people should have the right to do as they wish, and the information should be free to the public.

    I know that by releasing this exploit I’ll probably be taken to court or sued, but fuck Sony, they can go to hell for all I care, for what they’re doing to us hackers. I’ll fight until the last minute of my life if I have to, for the rights of the people.

    For this exploit you’re going to need a leaked service PDF, which is below.

    Links taken down ( REQUESTED ) – sorry ):
    ———————————————————————————————————————————————
    Time to explain this now, listen up.

    I know you all remember the exploit with RAM and so on back in 3.15.
    Well, you’re going to look for the ‘CELL RESET LINE’, and that’s going to be where the exploit is.
    You know the small 60ms (or ns, I don’t remember) thing sent to the PS3 for the read and write of the RAM?

    Well, use the line that sends that and connect it to the cell reset line (FIND IT IN DOC),
    and ground on the outside of the case. An example of what can be done with this is a cold reset which still has access to the memory from GameOS. Don’t let this die out, people, I’m taking a big risk by giving you all this information.

    - Thanks to mitchy, my personal hard drive :P – note I did not upload the documents, and if requested I’ll remove the links.

    Example of what can be done with this:
    untouched memory on cold boot, full access to lv2 and all GameOS memory.

    We won’t provide links to the leaked PDF here, but you might find them at the sources below.

    [Source PS3SDK via PSX-Scene] – Thanks to LoverboySimer and OoZic for news tips

    Just to clarify: this is actually a long-known “secret” among PS3 hackers (like geohot, math, etc.), but DarkHacker has figured it out and released it instead of keeping it ‘underground’.

  • Posted by PS3Hax Member News , on 19/11/2010 , @ 12:11

    Very interesting information is coming in regarding a possible exploit in FIFA 09, via a savestate or shader exploit.

  • Posted by GregoryRasputin , on 28/07/2010 , @ 10:07

    It seems someone has slipped up somewhere: Maxconsole has reported that an exploit in the Xbox 360 version of Call Of Duty: Modern Warfare 2 can unlock the XBLA demos you have downloaded and turn them into the full game. Here is what the website had to say.

    Oh dear! Certain publishers on XBLA will not be happy. We have it on good authority from L-S that an exploit has been found in Modern Warfare 2 on the Xbox 360 that allows owners to unlock full versions of some XBLA games. The ‘exploit’ works on certain games (especially SNK) including Metal Slug 3, Fatal Fury Special, and Samurai Showdown II. Full details inside. *Update* Multiple users are claiming it really does work and with achievements!

    In order to unlock the full versions of these games on XBLA, here’s what you have to do:

    - Download the XBLA demo of these games (obviously)
    - Launch your MW2 game
    - Stay on the main screen (where “press start” is present)
    - Push “guide” button
    - Select “quick start” and select your XBLA game

    Done! There are many games that work with this trick, although not all!

    Full details will be posted at Logic-Sunrise.com in due course but for now they thought they’d share this with us exclusively!

    *Update* L-S claims there is more to it and will reveal more later. However, they are still claiming the above method works

    A number of users are claiming it does WORK and even with achievements. Major OOPS for MS!

    Full story and updates:
    Maxconsole

    This will at some stage be patched and there is no telling if this will get your console banned or not, so be careful when attempting.

  • Posted by GregoryRasputin , on 24/06/2010 , @ 05:06

    Haxnetwork member xenno (aka malow82 on YouTube) posted the PS3 segment of GeoHot’s talk at the Nuit Du Hack conference on IRC a few nights ago. I have been busy and never got round to posting it; anyhow, here are the videos.

  • Posted by Pirate , on 20/06/2010 , @ 07:06

    Update: This is not an exploit; it will not lead to any actual homebrew.

    Esteemed reverse engineer SKFU is at it again: he has released an exploit loader and a hello world.

    Here is a quote from his blog:

    So here is the result of the simple idea. The first code which is 100% PS3 only compatible. No flash, no bd-java or similar.

    This is a beta version of the POC as I’m too tired to finish it now but I don’t wanna’ let you wait so long. Here you go:

    How 2 Use:

    1. Install loader.p3t like a common theme file.
    2. Put loadme.fu in a USB stick’s root dir.
    3. Insert USB device into any PS3 USB port.
    4. Enable the theme you just installed.
    5. Hello World.

    How It Works:

    The PS3 theme file is able to load the loadme.fu script from any USB port. The script is executed. The “loader” is for future use as well, to load any .fu files which I’ll release.

    Stay tuned for updates!

    - SKFU

    Source:
    StreetskaterFU’s Blog

    DOWNLOAD HERE

  • Posted by GregoryRasputin , on 19/06/2010 , @ 11:06

    It is unclear what SKFU is working on; he posted an image on his blog, stating that he will explain all later.

    Alycan has created a thread on this subject, so click here to say what you think it may be.

  • Posted by GregoryRasputin , on 05/06/2010 , @ 04:06

    JaicraB has explained his method of dumping RAM on a 60GB PS3.

    Translated from JaicraB’s Blog:

    Hello!
    I have received a few requests on how to implement this on all the other models.
    Here it is.

    60GB PS3 model
    It keeps the RAM after the reboot, so there is no data loss.

    Remove the two resistors.
    I do not remember if the one pulled out was the double resistor or if they were single.
    Otherwise you could burn it. It’s your call!

    Exploit via LPT.

    I advise that the wire from the solder point to the transistor is as short as possible.
    From the transistor to the PC it does not matter. Mine is 1 metre.
    If the wire soldered to the transistor is too long, the result will be the yellow light, lock-ups, general instability…

    For example:

    Use version 2 of the software; it works with any CPU.
    Software:
    http://www.megaupload.com/?d=QKKNKZJJ

    Usage:
    http://jaicrab.blogspot.com/2010/03/ps3software-generador-de-pulsos-v2.html

    To follow JaicraB’s progress, visit his blog here

  • Posted by GregoryRasputin , on 14/05/2010 , @ 03:05

    Team ProjectXX, who were working on a PSP exploit for all models, including the PSPgo, seem to have been forced to release their exploit early due to a leak. All information on that can be found in the readme. The exploit needs Splinter Cell Essentials to work.

    As stated, this does work with the PSPgo, but Sony will probably put an end to that quickly, so try to download the game for your PSPgo before it’s pulled from the store.

    How to do the exploit:
    Set your system language to English,
    put the folder ULES002810int into /PSP/SAVEDATA and h.bin in the root of your memory stick,
    then run Splinter Cell Essentials, load the save and press “Continue”.
    After a bit you will see a nice Hello World.

    All credits goes to:
    -Dark_Kendox
    -FrEdDy
    and special thanks to:
    -wololo
    -KiNgOfUnIvErS
    -psphakerwarrior
    -Phantom91

    Download

    Source:
    qj.net
    and
    pspslimhacks

  • Posted by Pirate , on 13/05/2010 , @ 12:05

    JaicraB has posted on his blog, releasing his OtherOS base exploit and source code.

    To quote from his blog:
    P.P.S.:
    Here you have a minimum base to build the otheros.bld. The functions are described.

    The call table incorporates LV1 and ASM functions. This is ready for assembling the mechanism of the exploit. I hope this helps those interested who did not know where to start. It has been compiled with the pdaXrom toolchain.
    BLD :D: http://www.megaupload.com/?d=FUUYJ5B9

    Source code for the base exploit: http://www.megaupload.com/?d=IY7QBX7Z

    [VIA]

  • Posted by Pirate , on 19/03/2010 , @ 11:03

    Geohot has managed to do an RCO file edit on the PS3 using his exploit.

    To quote:

    As some people in the comments called, it’s an RCO file edit, just like RCO edits on the PSP(almost same format too). RCO files are resource files for VSH plugins, live in the dev_flash, and aren’t signed. To edit them on your system, patch your hypervisor to allow encrypted access to the partition(flash on old systems, hd on new), and mod ps3pf_storage. dev_flash is just a FAT partition, mount it in Linux and change what you’d like.

    [VIA]

  • Posted by Pirate , on 18/03/2010 , @ 11:03

    Xorloser has released the latest update for his PS3 exploit toolkit. To quote:

    XorHack v2.0: The Updated PS3 Exploit Toolkit

    After using the XorHack for a while I realised it was missing some things so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line :)

    Hypervisor Exploit Changes

    At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place. This should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting. These are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer setup.

    Kernel Module Changes

    In the middle level I added interfacing support to the nine new syscalls as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address since previously it wasn’t saving the link register, which is not good.. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

    User Library changes

    Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32, or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will access it in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, io-remapping of addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send it to me to include in the next version of XorHack.

    Sample Application Changes

    As well as the above additions and changes to userland code I have added three new command line applications; ps3peek, ps3poke and ps3exec which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple amounts of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or be printed as binary data and redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

    Here are some examples of what these tools can be used for.

    Dumping the hypervisor

    This reads 0x10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires 8 times fewer syscalls to get the same amount of information as if we used the default 8bit access.

    ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

    Reading the status register for spu0

    ps3peek 0x20000044024 -d 4

    Loading metldr..

    Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.

    Everyone loves pictures

    The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

    [Download]
    [VIA]

  • Posted by Pirate , on 03/03/2010 , @ 03:03

    Xorloser has released his complete PS3 exploit toolkit software, called XorHack. XorHack allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program.

    To quote:

    I finally found the time to complete the PS3 exploit toolkit software I mentioned in my previous posts. I call it XorHack. It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

    • ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
    • dumphv – Dumps the hypervisor to a file in the current directory.
    • dumpbl – Dumps the bootloader to a file in the current directory.
    • dumprom – Dumps the system rom to a file in the current directory.

    The XorHack package contains full sourcecode for everything including a rewrite of geohot’s exploit sourcecode to make it easier to read and understand (the new file is kmod/exploit.c). The rewrite doesn’t just fix the compilation warnings, it attempts to replace all “magic” values with the algorithms and reasoning as well as tidying up the code and commenting it all. I also added another syscall #21 to allow executing of code in hypervisor context. Due to the associated complexities it is not available from usermode, it is for advanced users to make use of in kernel space. Some small changes were also made to the timing and the text that gets printed onscreen to make the exploit easier and hopefully more stable to use. I recommend XorHack when both looking into how the exploit works and when actually triggering the exploit.

    XorHack is made up of three parts. The kernel module, the userspace library file, and lastly the userspace programs themselves. To build all three parts you need to first extract the contents of the XorHack zip file to a directory on your PS3 harddrive. Next you need to navigate on the command line to the directory you extracted the files to. You should be either logged in as root or running as root thanks to the “su” command. Now type “make” to build all parts of XorHack. Then once that completes type “make install” to install all parts of XorHack. If you wish to you can type “make uninstall” in this same directory to remove all of XorHack from your system. When you install XorHack on your system it will always be ready for use, even after rebooting it will be automatically reloaded and ready for use.

    To use XorHack to perform the exploit on your PS3 first install it as per the directions above. You then need to switch to a console only mode (no GUI). This is required because it is the only way you can see the printed messages from the kernel module to know when to press the button. Once exploited all other programs can be run normally from a terminal window in GUI mode. To switch to console mode press Ctrl+Alt+F1 on your keyboard. To switch back to the GUI mode press Ctrl+Alt+F7. When you enter console mode you will be greeted with a login screen. Now login with your normal user account and password and type “ps3exploit 100”. This will start the exploit looping 100 times in which you need to successfully glitch the console by pressing the button on your glitch hardware. The idea is to perform the glitch when nothing else is occurring on your PS3. Therefore some things you may want to try when exploiting to help your chances are:

    • Only press the button once per loop.
    • Try to press the button around the middle of the pause between two concurrent prints of the “press button” message.
    • Don’t start pressing the button till after the 10th “press button” message (by this time the system should be done loading and preparing the newly running code, so it is less likely to interfere with processes that occur during these stages)
    • Run the ps3exploit software after initially booting up the PS3 and switching to the console login without first logging into the GUI mode.
    • After booting the PS3 and switching to the console mode straight away, log in and then wait about a minute before running ps3exploit so that any processes that may occur upon login/startup have completed.
    • Don’t use any services that will cause more processes to be running until the exploit is completed. This includes things like accessing your PS3 over samba.
    • Once you have successfully exploited, stay in console mode as there is less chance of instabilities causing havoc and crashing your PS3.

    The PS3 Exploit Game!

    Once you can run the exploit it’s time to turn it into a game. Think of it as a cross between getting the turbo boost at the start of a Mario Kart race and Dance Dance Revolution with a finger pad. The aim of the game is to exploit your PS3 as quickly as possible without it crashing. Below is my highscore table picture showing my highscore of THREE!

    You can view and download XorHack and readme here.

    [VIA]

  • Posted by Pirate , on 24/02/2010 , @ 01:02

    xorloser has released his PS3 HV Dump setup script for IDA, which will “setup function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings”. You can download the file below.

    To quote from xorloser’s blog:

    I haven’t gotten around to doing an update in a while due to work (and a little relaxation) taking all my time. Rather than wait till I have finished all of the stuff I wanted to before posting again I decided to post some tidbits to tide you over until the rest is ready. Before I do so I’d like to make the following clear as no matter how many times I say it, people believe what they want to believe instead:

    THIS PS3 EXPLOIT WILL NOT ENABLE PLAYING OF COPIED OR BACKED UP GAMES. THE EXPLOIT IS FOR RESEARCH PURPOSES ONLY.

    It seems someone took some initiative and made some software themselves to dump the hypervisor once they have the correct hardware and software. So for anyone who has used that and dumped their own hypervisor I present this PS3 HV Dump setup script for IDA. This script will setup function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings.

    To use the script you should extract it somewhere and then from within IDA select “File->IDC File…”, then navigate to where you extracted the file and select it. Please note that this script could overwrite your previous work, so please back up your idb/i64 file before running it. I recommend running it on a freshly created database by loading your hypervisor dump into IDA as “ppc” at ROM address 0 and then running this script as detailed above before doing anything else.

    The other tidbit I wanted to share was the updates to the PPC Altivec plugin source code which I had forgotten to include in the recent releases, but which a few people have since asked for. Here is the PPC Altivec plugin v1.6 for IDA v5.6 with sourcecode. If anyone makes any fixes or adds support for new functions please pass these updates back to me so I can share them on this site.

    [Download HV Dump script for IDA]
    [VIA]

  • Posted by Pirate , on 19/02/2010 , @ 11:02

    Now this is a nasty rumor to wake up to: just as the scene has finally broken the hypervisor security, we hear rumors that Sony is planning to remove OtherOS support in the next PS3 firmware update.

    Owen Stampflee, Linux Product Manager for Fixstars Corporation, made the following post on the yellowdog boards:

    Everyone,

    I’ve caught a rumor from a reputable source that the next firmware update for old PS3s will remove the OtherOS feature…

    I’m not sure if it’s true or not but it’s in the best interest of the YDL community to spread the word.

    Cheers,
    Owen

    This is indeed an unexpected move on Sony’s part, if the rumor is real, but of course we all know the solution, and that is not to update :).

    [VIA]

  • Posted by Pirate , on 15/02/2010 , @ 11:02

    SKFU has stumbled across a new patent for a method to protect against encrypted section attacks.

    To quote from SKFU’s blog and the patent below:

    Recently a new patent by a SONY employee was published on the patent site at faqs.org. It seems it is SONY’s answer to Geohot’s progress. Take a look here:

    “A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code. Predetermined program code is encrypted with a first key. The hash value of an application verification certificate associated with a second key is calculated by performing a one-way hash function. Binding operations are then performed with the first key and the calculated hash value to generate a third key, which is a binding key. The binding key is encrypted with a fourth key to generate an encrypted binding key, which is then embedded in the application. The application is digitally signed with a fifth key to generate an encrypted and signed program code image. To decrypt the encrypted program code, the application verification key certificate is verified and in turn is used to verify the authenticity of the encrypted and signed program code image. The encrypted binding key is then decrypted with a sixth key to extract the binding key. The hash value of the application verification certificate associated with the second key is then calculated and used with the extracted binding key to extract the first key. The extracted first key is then used to decrypt the encrypted application code.”

    You can read the full patent here.

    [VIA]
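    The flow the abstract describes, as an added example written for this page (not SKFU’s code, and not code from the patent, which specifies no algorithms). Key roles follow the abstract’s numbering: K1 encrypts the code, the hash of the certificate tied to K2 is bound into K1 to form the binding key, K4 wraps the binding key, K5 signs the image, and the loader uses the verify key and K6 to reverse the steps. ASSUMPTIONS, none of them secure: the one-way hash is 64-bit FNV-1a, encryption is XOR with a hash-derived keystream, binding is XOR, the signature is a keyed hash, and K6 equals K4 because the toy wrap is symmetric. The point it shows is the binding: a loader holding the wrong certificate recovers the wrong K1 and gets garbage, and a tampered image fails verification before any key is unwrapped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy one-way hash (FNV-1a, 64-bit). Assumption: NOT a cryptographic hash. */
static uint64_t fnv1a(const void *p, size_t n, uint64_t seed) {
    const uint8_t *b = p;
    uint64_t h = seed ^ 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Toy stream cipher: XOR with a keystream derived from (key, block index). Symmetric, so encrypt == decrypt. */
static void xor_stream(uint8_t *buf, size_t n, uint64_t key) {
    for (size_t i = 0; i < n; i += 8) {
        uint64_t ks = fnv1a(&i, sizeof i, key);
        for (size_t j = 0; j < 8 && i + j < n; j++) buf[i + j] ^= (uint8_t)(ks >> (8 * j));
    }
}

typedef struct {
    uint8_t  code[32];      /* program code encrypted with K1 */
    uint64_t enc_binding;   /* binding key (K1 bound to H(cert)), encrypted with K4 and embedded in the app */
    uint64_t signature;     /* toy MAC over code || enc_binding under K5 */
} signed_image;

/* Build side: encrypt with K1, bind K1 to the hash of the certificate, wrap with K4, sign with K5. */
signed_image build_image(const uint8_t plain[32], uint64_t k1, const char *cert, uint64_t k4, uint64_t k5) {
    signed_image img;
    memcpy(img.code, plain, 32);
    xor_stream(img.code, 32, k1);
    uint64_t cert_hash = fnv1a(cert, strlen(cert), 0);   /* one-way hash of the cert associated with K2 */
    uint64_t binding   = k1 ^ cert_hash;                  /* "binding operations" on K1 and the hash */
    img.enc_binding    = binding ^ k4;                    /* encrypted binding key */
    img.signature      = fnv1a(&img, offsetof(signed_image, signature), k5);
    return img;
}

/* Load side: verify the signature, unwrap the binding key with K6, recompute H(cert),
   recover K1 and decrypt. Returns 0 on success, -1 if the image fails verification.
   With the wrong certificate the call still "succeeds" but K1 is wrong: the output is garbage. */
int load_image(const signed_image *img, const char *cert, uint64_t k5_verify, uint64_t k6, uint8_t out[32]) {
    if (fnv1a(img, offsetof(signed_image, signature), k5_verify) != img->signature) return -1;
    uint64_t binding = img->enc_binding ^ k6;
    uint64_t k1 = binding ^ fnv1a(cert, strlen(cert), 0);
    memcpy(out, img->code, 32);
    xor_stream(out, 32, k1);
    return 0;
}

int main(void) {
    uint8_t plain[32], out[32];
    for (int i = 0; i < 32; i++) plain[i] = (uint8_t)(i * 3);   /* constructed "program code" */
    signed_image img = build_image(plain, 0x1111ULL, "CN=app-cert", 0x4444ULL, 0x5555ULL);
    int ok = load_image(&img, "CN=app-cert", 0x5555ULL, 0x4444ULL, out) == 0 && memcmp(out, plain, 32) == 0;
    int wrong = load_image(&img, "CN=other-cert", 0x5555ULL, 0x4444ULL, out) == 0 && memcmp(out, plain, 32) != 0;
    printf("right cert decrypts: %s; wrong cert yields garbage: %s\n", ok ? "yes" : "no", wrong ? "yes" : "no");
    return 0;
}
```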

  • Posted by Pirate , on 13/02/2010 , @ 12:02

    PS3 hacker CJPC has managed to dump the PS3 hypervisor (LV1) and bootloader (LV0) from PS3 RAM. He has provided a brief explanation of what he did; the download can be found via the VIA link:

    We are happy to report that the PS3 Hypervisor LV1 and Bootloader LV0 are dumped from the PlayStation 3’s RAM after getting our SX28 Hardware a few days ago, utilizing code for glitching and mashing buttons for hours – the exploit eventually will get triggered!

    We tried a few different ways to dump out the real memory – the biggest “problem” was the fact that you can’t just simply use File I/O code in a kernel module. Furthermore, you can’t call the lv1_peek function from user mode either.

    Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he made a kernel module which maps the “real” PS3 memory to a device in /proc. The /proc area lets the kernel and userland interact some.

    Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can use dd to read the device. By doing this, the device gets passed arguments, which is passed along to lv1_peek – which in turns reads out the real memory.

    Be advised, don’t go beyond the PS3’s upper memory limit. At around 260MB, the PS3 tends to crash – it does not like trying to read beyond RAM limits! So, for usage:

    First, run the exploit, and get it triggered and working – that’s the hard part!

    Next, download the attached file, inside are three files, a Makefile, the ps3_hv_mem.c and a pre-compiled version. Stick these in a folder, and run make. It will then compile a kernel module for you (ps3_hv_mem.ko, or use the pre-compiled one). Then simply type: sudo insmod ps3_hv_mem.ko

    Enter your password and check /proc for a ps3_hv_mem entry, or your dmesg. If it is there – let the dumping begin!

    You can dump out the PS3 Hypervisor and Bootloader (and the rest of the real memory) via dd. You can use the command:

    dd if=/proc/ps3_hv_mem of=PS3_Memory_Dump.bin bs=1024 count=10K

    That command will dump out 10485760 bytes, or about 10MB – which nicely includes the goodies like LV0 and LV1. Finally, you can also increase the count, which will increase the amount dumped (multiply by blocksize).

    [VIA]
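    One added example for two passages on this page: the unaligned-access handling in xorloser’s XorHack user library (an aligned address gets a single syscall of the requested width, an unaligned one either several syscalls or one larger covering access) and CJPC’s /proc/ps3_hv_mem device, which turns each read into lv1_peek calls and crashes the console if pushed past about 260MB. This is code written for this page, not XorHack or CJPC’s module. It reads a byte range at any alignment through a mocked 8-byte aligned peek over a constructed 4 KiB memory image, counts the syscalls it spends, and refuses a range that would cross the ceiling before issuing a single peek. The ceiling value, the mock backend and the memory contents are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_BYTES 4096                                  /* constructed stand-in for real memory */
#define MEM_LIMIT ((uint64_t)260 * 1024 * 1024)         /* assumption: the ~260MB crash limit from CJPC's post */

static uint8_t  mem[MEM_BYTES];
static unsigned syscall_count;                          /* peeks spent by the last callers */

/* Constructed memory image: byte i holds i & 0xff. */
void init_mem(void) {
    for (int i = 0; i < MEM_BYTES; i++) mem[i] = (uint8_t)i;
}

/* Mock of an 8-byte peek (lv1_peek reads one aligned 64-bit word). Returns 0 and the word
   big-endian, or -1 for a misaligned or out-of-range address. On the console the latter is
   the crash the post warns about, not a clean error, which is why peek_range() checks first. */
static int peek64(uint64_t addr, uint64_t *val) {
    if (addr % 8 != 0 || addr + 8 > MEM_BYTES) return -1;
    syscall_count++;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | mem[addr + i];
    *val = v;
    return 0;
}

/* Peeks needed to cover [addr, addr+len): one per aligned 8-byte word touched. */
size_t peeks_needed(uint64_t addr, size_t len) {
    if (len == 0) return 0;
    return (size_t)(((addr + len - 1) >> 3) - (addr >> 3) + 1);
}

/* Read `len` bytes at any alignment into `out` using only aligned 8-byte peeks: the unaligned
   head and tail are served by a larger covering access instead of byte-wide syscalls.
   Returns bytes read, or -1 if the range would cross MEM_LIMIT or a peek fails. */
long peek_range(uint64_t addr, size_t len, uint8_t *out) {
    if (len == 0) return 0;
    if (addr >= MEM_LIMIT || len > MEM_LIMIT - addr) return -1;   /* overflow-safe ceiling check */
    uint64_t first = addr & ~(uint64_t)7;
    uint64_t last  = (addr + len - 1) & ~(uint64_t)7;
    size_t done = 0;
    for (uint64_t w = first; w <= last; w += 8) {
        uint64_t v;
        if (peek64(w, &v) != 0) return -1;
        uint8_t word[8];
        for (int i = 7; i >= 0; i--) { word[i] = (uint8_t)v; v >>= 8; }
        size_t lo = (w < addr) ? (size_t)(addr - w) : 0;                     /* skip bytes before the range */
        size_t hi = (w + 8 > addr + len) ? (size_t)(addr + len - w) : 8;    /* and bytes after it */
        memcpy(out + done, word + lo, hi - lo);
        done += hi - lo;
    }
    return (long)done;
}

int main(void) {
    init_mem();
    uint8_t buf[16];
    syscall_count = 0;
    long n = peek_range(3, sizeof buf, buf);   /* unaligned start: 16 bytes span three words */
    printf("read %ld bytes at 3 with %u peeks (byte-wise would take %zu):", n, syscall_count, sizeof buf);
    for (long i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

    The bound check runs before the first peek because the failure mode on the real device is a crash, not an error return, so a dd with too large a count gives no chance to recover; clamping the request is the practitioner’s safeguard. Counting peeks also makes xorloser’s point concrete: a 64-bit access costs one syscall per 8 bytes, where byte-wide access would cost one per byte.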