A9VG Video Game Tribe Forum

Views: 6005 | Replies: 18

[Hardware] Metldr !!!!!!!!!! Seems to be related to 3.6 CFW, experts please study it


OP | Posted 2011-11-20 19:02 · Yunnan
This post was last edited by head_yzb on 2011-11-20 19:20

I don't really understand what this is exactly; experts, please look into it!
Is it a new cracking method? It might be released tonight, so I'm bringing it over for everyone first..
Those who are interested, read it carefully; my English is too weak.



Original post: http://www.ps3hax.net/showthread.php?t=30380


Metldr dump address:
http://ps3devwiki.com/index.php?title=Dumping_Metldr

Finally, an attached interview:
A chat on IRC last night, some interesting stuff Math is hinting lol.

[22:18:29] <Mathieulh> though I am totally not interested in pwning it
[22:18:37] <Apocalyps> @TECHSend it to me
[22:18:42] <zecoxao> Mathieulh, quick question
[22:18:47] <zecoxao> syscon, owned or not?
[22:18:51] <Mathieulh> luis353, does it look like I code for the money ?
[22:19:00] <Apocalyps> Yes...
[22:19:03] <luis353> no math just asking
[22:19:07] <Mathieulh> zecoxao, yah I pwned that
[22:19:11] <zecoxao> kk
[22:19:20] <zecoxao> i asked Pockets69 to ask you that
[22:19:29] <zecoxao> but he didn't tell me so...
[22:19:32] <Apocalyps> One question
[22:19:35] <randuev> Mathieulh: i understand why you feel so about this whole ps3 thing, with people like that
[22:19:36] <Mathieulh> easy when sony leave their sc fw key lying around
[22:19:42] <Apocalyps> Can we switch Meta loader with Boot loader?
[22:19:44] <zecoxao> :P
[22:19:51] <zecoxao> thanks for the hint
[22:20:02] <Mathieulh> Apocalyps, not if you want to brick
[22:20:07] <Apocalyps> damn
[22:20:11] <Mathieulh> not if you don't want to brick *
[22:20:27] <randuev> Mathieulh: is HW key stored in e-fuses unique in each console?
[22:21:03] <TechnoDon> only xbox has e-fuses
[22:21:25] <Apocalyps> I wish the PS3 scene was as fast and progressing as the 360 scene
[22:21:29] <Mathieulh> randuev, obviously yes
[22:21:42] <Mathieulh> TechnoDon, the ps3 has some too
[22:21:47] <Mathieulh> but they can only be programmed once
[22:21:50] <randuev> Mathieulh: but it's only 48 bits
[22:22:07] <randuev> 2^48 is enough?
[22:22:10] <Mathieulh> randuev, what makes you say that ?
[22:22:25] <randuev> well, i've read in cell docs
[22:22:39] <Mathieulh> it's more than that
[22:22:51] <Mathieulh> and cell docs does not reference everything
[22:22:56] <Mathieulh> that part is NDAed
[22:23:15] <Apocalyps> Wouldn't cell docs only reference the processor itself?
[22:23:27] <randuev> that's unfortunate
[22:23:59] <TechnoDon> i have sony 3.73 ofw if that helps..
[22:24:10] <TechnoDon> at Xbo
[22:24:11] <Apocalyps> It doesn't
[22:24:16] <TechnoDon> meh
[22:24:33] <randuev> Mathieulh: did you end up making that hw device to read local storage or 3 exploits were pure software?
[22:24:34] <luis353> math LV2Diag/ObjectiveSuite leaked lead to 3.73 CFW ?
[22:24:39] <randuev> luis353: no
[22:24:51] <Mathieulh> seriously wtf with the noobish questions?
[22:24:55] <Apocalyps> objectivesuite useless without jig
[22:24:56] <TechnoDon> how many times has that been asked now?
[22:25:02] <Mathieulh> randuev, softwate
[22:25:06] <Mathieulh> software*
[22:25:23] <zecoxao> i was more interested in the syscon key
[22:25:26] <Mathieulh> though randuev I suggest you to go the hardware root
[22:25:31] <zecoxao> since i know it's hanging around
[22:25:42] <randuev> Mathieulh: yeah, i am more keen on that as well
[22:25:43] <Mathieulh> zecoxao, then look for it xD
[22:25:54] <randuev> Mathieulh: i like soldering
[22:25:57] <zecoxao> nah, i'm stupid and mentally ill xD
[22:26:00] <Mathieulh> randuev, the sw approach is not easy
[22:26:17] <Mathieulh> it relies on tricking the bl to load more than once
[22:26:31] <zecoxao> that's what xxxxxx said
[22:26:35] <randuev> Mathieulh: no doubt. i was hoping to spy on the bus, but clock is bit too fast for me
[22:26:39] <Mathieulh> xxxxxx ?
[22:26:49] <zecoxao> http://pastebin.com/xkXxk8fM
[22:26:57] <zecoxao> but it wasn't for hw
[22:27:01] <zecoxao> it was for bootldr
[22:27:02] <Mathieulh> randuev, which bus are you looking at
[22:27:04] <Mathieulh> ? *
[22:27:19] <zecoxao> so he's probably wrong
[22:27:37] <randuev> Mathieulh: ram/cell
[22:27:48] <Mathieulh> rofl no wonder then
[22:27:56] <Apocalyps> Another Stupid Question: What exactly is Runtime Secure Boot?
[22:28:01] <Mathieulh> you are messing with the wrong bus
[22:28:09] <Mathieulh> also the xdr clock speed can be decreased
[22:28:12] <Apocalyps> Not really asking for an explanation, but what will it give us
[22:28:33] <Mathieulh> Apocalyps, it allows to load metldr at runtime
[22:28:39] <Mathieulh> it gets decrypted by the crypto engine
[22:28:42] <Mathieulh> and authenticated
[22:28:47] <Mathieulh> and then runs in a secure context
[22:28:50] <Mathieulh> in isolation mode
[22:28:53] <Apocalyps> So we still need to exploit that also, amirite?
[22:28:56] <randuev> heh, i don't have sufficient docage for syscon
[22:29:00] <zecoxao> so, underclock xdr...
[22:29:08] <Mathieulh> Apocalyps, you need to exploit the isolated process
[22:29:21] <Mathieulh> zecoxao, that's a way
[22:29:23] <Mathieulh> there are others
[22:29:36] <DarukBot> (title) [16:41] I think it works [16:41] I mean this is what I th - Pastebin.com
[22:30:07] <Apocalyps> After exploiting the isolated process, we follow up to the authentication and decryption of the crypto engine?
[22:30:48] <Apocalyps> In other words, would we need to exploit the process before the isolation?
[22:30:58] <randuev> TechnoDon: you are wasting your time with this dh crap
[22:31:01] <Mathieulh> if you want to go the hw route
[22:31:10] <Mathieulh> do not try to read the shared LS directly
[22:31:56] <randuev> Mathieulh: i am kinda confused about getting reliable readings out of cell cpu especially if local storage indeed is local
[22:32:19] <Apocalyps> but shouldn't hardware authentication step go before it can execute on an isolated SPE? Why not just exploit the hardware authentication?
[22:32:21] <randuev> without removing covers off the cpu )
[22:32:28] <Mathieulh> randev the LS is only interconnected to the EIB
[22:32:40] <Mathieulh> and the EIB can only be accessed from the ppu
[22:33:07] <randuev> yeah, that's the problem, what to capture if it's all internal
[22:33:08] <Mathieulh> Apocalyps, go for it then
[22:33:21] <Mathieulh> it's not all internal
[22:33:33] <Apocalyps> It would require modifying the hardware. :/
[22:33:37] <Mathieulh> the shared LS can be accessed from the ppu
[22:33:40] <Apocalyps> Useless
[22:33:51] <Mathieulh> but hell, I am saying too much
[22:33:54] <Mathieulh> figure the rest yourselves
[22:34:05] <randuev> Apocalyps: nothing is wrong with hardware tinkering
[22:34:12] <zecoxao> hold on a sec
[22:34:18] <zecoxao> THE Raziel?
[22:34:19] <Apocalyps> Basically the hardware anthentication is just telling the spe that the hardware is tack?
[22:34:23] <randuev> Mathieulh: thanks for tips, i'll try this way
[22:34:29] <Apocalyps> *in tack
[22:34:32] <MajorPSP1> lol
[22:34:34] <_Raziel_> ops
[22:34:41] <_Raziel_> not they but math
[22:34:46] <zecoxao> the one that makes that emu?
[22:34:58] <zecoxao> oh rly?
[22:34:59] <Mathieulh> Apocalyps, there are freaking docs about it written by IBM, I suggest you read them
[22:35:26] <Apocalyps> I'll read them... later
[22:35:47] <MajorPSP1> not jk lol
[22:36:03] <randuev> Mathieulh: about software route, can this all be done from otheros without reboots of the system?
[22:36:18] <Mathieulh> you need lv1 privs
[22:36:29] <randuev> yeah, that can be patched
[22:36:36] <Mathieulh> not really
[22:36:47] <randuev> i mean in flash with nor flasher
[22:36:54] <Mathieulh> yeah
[22:37:08] <Mathieulh> you can update to a patched lv1
[22:37:10] <zecoxao> nor or nand xD
[22:37:13] <Mathieulh> that is ****ing easy
[22:37:46] <Mathieulh> also the bl fetches lv0 straight from nor
[22:37:49] <Apocalyps> http://www.ibm.com/developerworks/po...y/image002.gif
[22:37:50] <Mathieulh> so you need to write your own
[22:37:57] <Mathieulh> at least on a temporary basis
[22:38:03] <Mathieulh> and the check has to fail
[22:38:05] <randuev> no problem with temporary bricks
[22:38:11] <Mathieulh> otherwise it will overwrite lv1
[22:38:32] <Mathieulh> that is if you get to reload it
[22:38:41] <Mathieulh> which is HARD
[22:39:03] <randuev> yeah, i am not that far into software side unfortunately
[22:39:33] <Apocalyps> So this is secure runtime boot: http://www.ibm.com/developerworks/po...y/image2-3.gif
[22:39:59] <randuev> i was hoping that by malforming lv0 in the right way i could make it write needed info to flash
[22:40:37] <randuev> but if i understand diagrams correctly, everything interesting gets wiped before passing on next lvl
[22:40:53] <Apocalyps> Yes
[22:41:13] <Mathieulh> lv0 "destroys" the spu at some point
[22:41:44] <MajorPSP1> fr rly? lol
[22:42:04] <Mathieulh> well it has to be terminated from ppu side
[22:42:09] <Mathieulh> so err.... yeah
[22:42:16] <Mathieulh> it is done quite early btw
[22:42:43] <Apocalyps> ...
[22:42:52] <randuev> ok, it seems that i have to look at lv0 in ida again
[22:43:08] <Mathieulh> dumped it?
[22:43:09] <randuev> last time it went over head
[22:43:38] <randuev> or maybe it wasn't decrypted
[22:43:58] <Mathieulh> how did you do the dump?
[22:44:17] <Mathieulh> if it's straight from nor, it is encrypted
[22:45:24] <randuev> that must be it
[22:46:11] <zecoxao> TechnoDon, go get the keys lol
[22:46:38] <Apocalyps> Ok?
[22:48:12] <Apocalyps> crack37
[22:48:28] <Mathieulh> CV >>>>>>>>>>> terminate_isolated_spu
[22:48:28] <Mathieulh> CV : error : already normal state
[22:48:28] <Mathieulh> CV : error : stop isolated spu fail
[22:48:28] <Mathieulh> CV >>>>>>>>>>> terminate_isolated_spu finished.
[22:48:28] <Mathieulh>
[22:48:29] <TechnoDon> ?
[22:48:40] <Mathieulh> that's when the bootloader spu is "destroyed"
[22:48:59] <zecoxao> is that on RAM? i believe i saw that on a peek poker once
[22:49:06] <Mathieulh> no way
[22:49:12] <Mathieulh> that's from lv0
[22:49:16] <zecoxao> oh ok
[22:49:24] <zecoxao> i saw something else then
[22:50:22] <Apocalyps> crypto isolation process
[22:51:37] <DarukBot> (title) [C++] #include int main(int argc, char *argv[]){ printf( "n" "break - Pastebin.com
[22:52:31] <Mathieulh> my code had a little more lines (and keys) than that one
[22:52:54] <Apocalyps> How about you post a code? :P
[22:53:46] <Mathieulh> Apocalyps, don't make me look for a hello world
[22:53:55] <Apocalyps> ish dat guy geohotz
[22:54:29] <zecoxao> deroad, Math has posted the lv0 version
[22:54:30] <Apocalyps> Mathieulh, no one is telling you to look for hello world. just something labeled "3.73 keys here"
Posted 2011-11-20 19:20 · Hong Kong
Leaving my name here, waiting for confirmation
Your post length does not meet the requirements. Current length: 8 bytes. System limit: 16 to 1000000 bytes

Posted 2011-11-20 19:32 · Jiangsu
Looking forward to it~~~ time to make a move!!

Posted 2011-11-20 19:33 · Liaoning
Has 3.60 really been cracked???

Posted 2011-11-20 20:00 · Liaoning
I'll only believe it from REBUG; I don't believe anyone else anymore

Posted 2011-11-20 20:18 · Japan
song8_8 posted on 2011-11-20 20:00:
I'll only believe it from REBUG; I don't believe anyone else anymore

+10086                     

Posted 2011-11-20 20:53 · Shandong
The crack isn't far off, don't worry.

Posted 2011-11-20 22:25 · Shandong
1 post, newly registered, not suspicious at all.

Posted 2011-11-20 23:12 · Russia
key....................................................

Posted 2011-11-20 23:14 · Russia
The PS3's lv0 has also been taken down