- 精华
- 0
- 帖子
- 113
- 威望
- 0 点
- 积分
- 133 点
- 种子
- 2 点
- 注册时间
- 2005-2-5
- 最后登录
- 2019-12-8
|
楼主 |
发表于 2011-12-6 12:13 · 美国
|
显示全部楼层
此人关于如何dump lv0给出的一些解释:
the bootldr holds the lv0 yes, the lv0 encapsulate the other ldrs (lv1, lv2, appldr, rvkldr, isoldr, ect.); sense 3.56^. But usually the chain of trust would go like metldr>other ldrs, and the metldr would run the loaders. But after 3.55 the lv0 has been copy the ldrs to the Ram then they are given to the metldr to exucute with out ever being held by the metldr. Now if you use a kernal module you can map out the ps3 real memory Using hardware you can dump Ram. By dumping the ram your getting a decrypted version of lv0 with all the ldrs in it. And you got keys.
Concept in boot order.
Cell INIT-> get encrypted bootldr off NAND/NOR flash, then the Ram will Initialises. This is when it will load the bootldr into a isolated spu, secure boot will decrypt the bootldr and verifies and executes. Now this is where the magic happens. Now the bootldr will decrypt the lv0 and it will get copy to the Ram (With loaders) before the Ram will run the loaders to the metldr
The metldr will always have to boot the ldrs too cause it is per console encrypted sony cant go change that out of no where.
Read more: http://www.ps3hax.net/showthread ... 94289#ixzz1fiyVXKEr |
|
楼主: cdjordan
川公网安备 51019002005286号
发表于 2011-12-6 09:22 · 上海
不会就不要吐嘈,LV0 破了, LV1 / LV2 就形同虛設了... 
