Post: BluePrints for ps3 exploit. All series for the PS3 (including BD-Drive/PSP/PS3)
Options
04-11-2011, 02:21 AM
#1
Si1entDev
Bounty hunter
MINE AN MATHIEULH's TALK IS AT BOTTOM!
PLEASE DO NOT ASK ME QUESTIONS ABOUT HOW TO DO THIS FOR YOUR PS3. IF YOU DONT KNOW THEN DONT DO IT I RECCOMEND FOR THE PEOPLE WHO HAVE 3 PS3's OR THEY CAN BUY ANOTHER.
Here it is. I am hoping by now the mods have closed my other thread.
I have added more to the blue prints.
1. BD-Drive BluePrint
2. PS3 Model BluePrints: CECHA00, A01, CECHG, CECHC02, C03, C04, C08, CECHE01, E05, E11
3. Also included the PSP-2000 TA-085
Download for BluePrints: You must login or register to view this content.
File Size is 108MB
VIRUS SCAN AT BOTTOM!
Your welcome I hope you guys are happy that I released this but I am sure a few of you have it
Also IF YOU ARE WANTING TO TRY EXPLOITING 3.60 YOURSELF THIS IS REQUIRING 2 PS3's AN KNOWLEDGE OF SOLDERING.
Originally posted by another user
@xShadow125 You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.
@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
@xShadow125 You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.
@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
The new 3.56+ values for tarballs are the following: owner_id, “0000764″ group_id, “0000764″ owner, “tetsu” group, “tetsu” ustar, “ustar “
You can use fix_tar to use those new values. Use with caution.
By comparison, those are the pre-3.56 values. owner_id, “0001752″ group_id, “0001274″ owner, “pup_tool” group, “psnes” ustar, “ustar “
@Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)
@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.
@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.
@xShadow125 You wont get all of lv0 but the part with the loaders shouldn’t be overwritten.
@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.
To those planning on building a 3.56+ pup for whatever reason, the files attributes changed, the group and user ids for the files as well.
The new 3.56+ values for tarballs are the following: owner_id, “0000764″ group_id, “0000764″ owner, “tetsu” group, “tetsu” ustar, “ustar “
You can use fix_tar to use those new values. Use with caution.
By comparison, those are the pre-3.56 values. owner_id, “0001752″ group_id, “0001274″ owner, “pup_tool” group, “psnes” ustar, “ustar “
@Ps3WeOwnYoU You need to either decrypt or dump lv0, then you can get the encrypted loaders and decrypt them with the metldr key. Good luck.
LV0 Console security by RMS
Originally posted by another user
Anyway, let’s really discuss something PS3 instead of my PC , let’s start with Lv0, the most unknown level of the PS3. Lv0 initializes PS3 base hardware such as PowerPC/PPU portion of Cell/BE, SPU isolation for asecure_loader, and gelic ethernet/WLAN device. Lv0 also proudly proclaims itself as the “Cell OS Bootloader”. In older firmwares, 0.80-ish to 3.56, Lv0 initialized SPU isolation on one of the SPUs, then it loaded and decrypted asecure_loader. Asecure_loader or metldr then decrypts the isolated loader, in this case, lv1ldr, then lv1ldr decrypts lv1.self. In 3.60 this changed. Lv0 now has all of the loaders integrated into it as one large fat binary. All the keys one needs such as Public ECDSA key/AES CBC key and Initialization Vector and ECDSA curve type are in there. Just go ahead and grab them if you can get the ldrs out of the binary.
So, unless you can decrypt Lv0, no 3.60 “CFW” for you . Is there any need for it anyway?
So, unless you can decrypt Lv0, no 3.60 “CFW” for you . Is there any need for it anyway?
Mathieulh's facts about LV0
Originally posted by another user
1. lv0 isn’t a loader it’s a ppu binary
2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos
3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware
5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)
But wait, messing with this thing could lead to the YLOD tragedy, unless you have those expensive NOR flasher you might want to proceed, and that’s according to rms again.
2. Lv0 isn’t encrypted per console and can be updated with the rest of the coreos
3. Lv0 is decrypted by the bootloader, there is no such thing as a lv0ldr.
4. The bootloader keys cannot be updated/modified on EXISTING hardware
5. lv0.2 is NOT a binary, it’s a new metadata for lv0 which is to be decrypted and verified by a new bootloader (which is to be available on future ps3s), it is NOT used by the current bootloader (and thus in current playstation 3 consoles)
But wait, messing with this thing could lead to the YLOD tragedy, unless you have those expensive NOR flasher you might want to proceed, and that’s according to rms again.
RMS
Originally posted by another user
Lv0 also does some more interesting stuff such as SPU mailbox handling, and eEID integrity checks. Lv0 also used to check for QA flag and proper token, that is now in a spu isolated self in Core OS. Now, if you did tamper with eEID, lv0 will panic out, and your console will then “YLOD”, and you’d need a flasher for your PS3 to recover
There you go, with all the information available out there i just wonder why didn’t anyone found the solution to the exploit that Mathieulh (and maybe some people we didn’t know) discovered weeks ago. Maybe instead of *****ing why the guy did not release anything, try listening to what he said this time.
There you go, with all the information available out there i just wonder why didn’t anyone found the solution to the exploit that Mathieulh (and maybe some people we didn’t know) discovered weeks ago. Maybe instead of *****ing why the guy did not release anything, try listening to what he said this time.
MINE AN MATHIEULH's TALK!
Originally posted by another user
SilentDev> Mathieulh , i'm stucked i read and read your post's with 3.60+ exploit , and no have idea to first step , i already installed a teensy ++ to flash nor for brick risk , you have any hint to me? :-D
<rms> nope
<Mathieulh> you need dual nor/nand
<rms> no hints
<Mathieulh> lol
<Mathieulh> the first step
<Mathieulh> is to clone your existing nor/nand
<Mathieulh> to another
<Mathieulh> and solder it with a switch
<Mathieulh> you also need to solder on the cell reset line
<Mathieulh> (look at those leaked service docs to see where it's at)
<igor242> holy shit
<igor242> what a exploit
<Mathieulh> it's more of a trick
<Mathieulh> than an exploit
<Mathieulh> at least to me it is
<Mathieulh> and all it lets you do is to get 3.60 keys
<igor242> ah
<Mathieulh> the interest is quite limited
*** cooled [[email protected]] has joined #ps3dev
*** mode/#ps3dev [+v cooled] by hyprvisor
<igor242> so this is for future cfw's then?
<Mathieulh> igor242 that's not the loaders exploit I tweeted about
<Mathieulh> it's something else entirely
<Mathieulh> the loader exploit is actually easier to use xD
<igor242> then what use are 3.60 keys?
<rms> shhhhh. don
<Mathieulh> but it's still a mess to implement
<Mathieulh> ok rms xD
<rms> don't leak our hard work
<Mathieulh> lol
<rms> </windows8>
<Mathieulh> I even lol more at "hard" xD
<rms> lol
*** WiiSpacem [[email protected]] has joined #ps3dev
<Mathieulh> I mean that bug is so stupid xD
<rms> yea
<Link0> rate it
<Link0> on a scale of one to blueberry
<rms> but its painful to implement
<igor242> i thought your trick was for pulling the keys to sign cfw with
<Mathieulh> rms it's still ****ing dumb xD
*** lyntoo [[email protected]] has joined #ps3dev
<rms> Mathieulh true
<Link0> im curious
SilentDev> oh , i need another ps3 to extract nor , soldering look easily , ? any schematics to put switch released ?
<Mathieulh> igor242 of course not, you can't get 3.60 private keys
<Link0> bottomline it
*** mode/#ps3dev [+l 404] by NNNnc1
<GayMan> Hey could you send to me? I am getting my 2 other ps3's in a few days
<GayMan> I cant test?
*** GomGom left #ps3dev [19 01 b2 b3 78 d3 74 5a 10 e0 99 6b 3e c1 12 5d]
<Mathieulh> SilentDev you need to switch between the 2 nor/nand
<Mathieulh> at runtime
<igor242> i see
<dospiedra> switch all points????
<GayMan> mathieulh could yoiu?
<Mathieulh> SilentDev yes
<SilentDev> lol ....
<SilentDev> 40+ switchers
<SilentDev> look great :-D
<GayMan> dos that sounds like fub
<Mathieulh> SilentDev I said it works, I didn't say it was easy xD
<Mathieulh> you'd also need to code the ppu dumper
<Mathieulh> the one you want to replace lv1 with
<SilentDev> ok , i now search other nor chip and desolder already installed to put switchers
<rms> nope
<Mathieulh> you need dual nor/nand
<rms> no hints
<Mathieulh> lol
<Mathieulh> the first step
<Mathieulh> is to clone your existing nor/nand
<Mathieulh> to another
<Mathieulh> and solder it with a switch
<Mathieulh> you also need to solder on the cell reset line
<Mathieulh> (look at those leaked service docs to see where it's at)
<igor242> holy shit
<igor242> what a exploit
<Mathieulh> it's more of a trick
<Mathieulh> than an exploit
<Mathieulh> at least to me it is
<Mathieulh> and all it lets you do is to get 3.60 keys
<igor242> ah
<Mathieulh> the interest is quite limited
*** cooled [[email protected]] has joined #ps3dev
*** mode/#ps3dev [+v cooled] by hyprvisor
<igor242> so this is for future cfw's then?
<Mathieulh> igor242 that's not the loaders exploit I tweeted about
<Mathieulh> it's something else entirely
<Mathieulh> the loader exploit is actually easier to use xD
<igor242> then what use are 3.60 keys?
<rms> shhhhh. don
<Mathieulh> but it's still a mess to implement
<Mathieulh> ok rms xD
<rms> don't leak our hard work
<Mathieulh> lol
<rms> </windows8>
<Mathieulh> I even lol more at "hard" xD
<rms> lol
*** WiiSpacem [[email protected]] has joined #ps3dev
<Mathieulh> I mean that bug is so stupid xD
<rms> yea
<Link0> rate it
<Link0> on a scale of one to blueberry
<rms> but its painful to implement
<igor242> i thought your trick was for pulling the keys to sign cfw with
<Mathieulh> rms it's still ****ing dumb xD
*** lyntoo [[email protected]] has joined #ps3dev
<rms> Mathieulh true
<Link0> im curious
SilentDev> oh , i need another ps3 to extract nor , soldering look easily , ? any schematics to put switch released ?
<Mathieulh> igor242 of course not, you can't get 3.60 private keys
<Link0> bottomline it
*** mode/#ps3dev [+l 404] by NNNnc1
<GayMan> Hey could you send to me? I am getting my 2 other ps3's in a few days
<GayMan> I cant test?
*** GomGom left #ps3dev [19 01 b2 b3 78 d3 74 5a 10 e0 99 6b 3e c1 12 5d]
<Mathieulh> SilentDev you need to switch between the 2 nor/nand
<Mathieulh> at runtime
<igor242> i see
<dospiedra> switch all points????
<GayMan> mathieulh could yoiu?
<Mathieulh> SilentDev yes
<SilentDev> lol ....
<SilentDev> 40+ switchers
<SilentDev> look great :-D
<GayMan> dos that sounds like fub
<Mathieulh> SilentDev I said it works, I didn't say it was easy xD
<Mathieulh> you'd also need to code the ppu dumper
<Mathieulh> the one you want to replace lv1 with
<SilentDev> ok , i now search other nor chip and desolder already installed to put switchers
VIRUS SCAN:
Originally posted by another user
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: index.html
Submission date: 2011-04-11 23:22:24 (UTC)
Current status: finished
Result: 0/ 41 (0.0%)
VT Community
not reviewed
*Safety score: -*
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.04.12.00 2011.04.11 -
AntiVir 7.11.6.53 2011.04.11 -
Antiy-AVL 2.0.3.7 2011.04.11 -
Avast 4.8.1351.0 2011.04.11 -
Avast5 5.0.677.0 2011.04.11 -
AVG 10.0.0.1190 2011.04.12 -
BitDefender 7.2 2011.04.12 -
CAT-QuickHeal 11.00 2011.04.11 -
ClamAV 0.97.0.0 2011.04.11 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8307 2011.04.11 -
DrWeb 5.0.2.03300 2011.04.12 -
eSafe 7.0.17.0 2011.04.12 -
eTrust-Vet 36.1.8266 2011.04.11 -
F-Prot 4.6.2.117 2011.04.12 -
F-Secure 9.0.16440.0 2011.04.12 -
Fortinet 4.2.254.0 2011.04.09 -
GData 22 2011.04.12 -
Ikarus T3.1.1.103.0 2011.04.11 -
Jiangmin 13.0.900 2011.04.09 -
K7AntiVirus 9.96.4360 2011.04.11 -
Kaspersky 7.0.0.125 2011.04.12 -
McAfee 5.400.0.1158 2011.04.12 -
McAfee-GW-Edition 2010.1C 2011.04.11 -
Microsoft 1.6702 2011.04.11 -
NOD32 6034 2011.04.11 -
Norman 6.07.07 2011.04.11 -
Panda 10.0.3.5 2011.04.11 -
PCTools 7.0.3.5 2011.04.11 -
Prevx 3.0 2011.04.12 -
Rising 23.53.00.05 2011.04.11 -
Sophos 4.64.0 2011.04.11 -
SUPERAntiSpyware 4.40.0.1006 2011.04.10 -
Symantec 20101.3.2.89 2011.04.12 -
TheHacker 6.7.0.1.171 2011.04.11 -
TrendMicro 9.200.0.1012 2011.04.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.12 -
VBA32 3.12.14.3 2011.04.11 -
VIPRE 8991 2011.04.12 -
ViRobot 2011.4.11.4404 2011.04.11 -
VirusBuster 13.6.299.0 2011.04.11 -
Additional informationShow all
MD5***: 5c874f7963678d5eb2587da118c1294b
SHA1**: 8ab36ab5ea6840b21fc668b0f08fb3c5b0cb240a
SHA256: 0a3cdb0648c032afb4afdac76ec92f874a59152c98cb62d219 0a8dd9fc5893a5
File name: index.html
Submission date: 2011-04-11 23:22:24 (UTC)
Current status: finished
Result: 0/ 41 (0.0%)
VT Community
not reviewed
*Safety score: -*
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.04.12.00 2011.04.11 -
AntiVir 7.11.6.53 2011.04.11 -
Antiy-AVL 2.0.3.7 2011.04.11 -
Avast 4.8.1351.0 2011.04.11 -
Avast5 5.0.677.0 2011.04.11 -
AVG 10.0.0.1190 2011.04.12 -
BitDefender 7.2 2011.04.12 -
CAT-QuickHeal 11.00 2011.04.11 -
ClamAV 0.97.0.0 2011.04.11 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8307 2011.04.11 -
DrWeb 5.0.2.03300 2011.04.12 -
eSafe 7.0.17.0 2011.04.12 -
eTrust-Vet 36.1.8266 2011.04.11 -
F-Prot 4.6.2.117 2011.04.12 -
F-Secure 9.0.16440.0 2011.04.12 -
Fortinet 4.2.254.0 2011.04.09 -
GData 22 2011.04.12 -
Ikarus T3.1.1.103.0 2011.04.11 -
Jiangmin 13.0.900 2011.04.09 -
K7AntiVirus 9.96.4360 2011.04.11 -
Kaspersky 7.0.0.125 2011.04.12 -
McAfee 5.400.0.1158 2011.04.12 -
McAfee-GW-Edition 2010.1C 2011.04.11 -
Microsoft 1.6702 2011.04.11 -
NOD32 6034 2011.04.11 -
Norman 6.07.07 2011.04.11 -
Panda 10.0.3.5 2011.04.11 -
PCTools 7.0.3.5 2011.04.11 -
Prevx 3.0 2011.04.12 -
Rising 23.53.00.05 2011.04.11 -
Sophos 4.64.0 2011.04.11 -
SUPERAntiSpyware 4.40.0.1006 2011.04.10 -
Symantec 20101.3.2.89 2011.04.12 -
TheHacker 6.7.0.1.171 2011.04.11 -
TrendMicro 9.200.0.1012 2011.04.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.12 -
VBA32 3.12.14.3 2011.04.11 -
VIPRE 8991 2011.04.12 -
ViRobot 2011.4.11.4404 2011.04.11 -
VirusBuster 13.6.299.0 2011.04.11 -
Additional informationShow all
MD5***: 5c874f7963678d5eb2587da118c1294b
SHA1**: 8ab36ab5ea6840b21fc668b0f08fb3c5b0cb240a
SHA256: 0a3cdb0648c032afb4afdac76ec92f874a59152c98cb62d219 0a8dd9fc5893a5
Last edited by
Si1entDev ; 06-05-2011 at 03:55 AM.
The following 47 users say thank you to Si1entDev for this useful post:
Alfa, AMNE, ashman788, Asmel, BaNk-R0BbeR-, BriceC, cerj, chickensamw1993, cluckin bell, djfatpickle, Dope., eaglechamp, emersons35, SweatyMidgets, forcer911, gmaxstergmaxste, Grandad Trotter, ibombo, jammerz_95, jannu22, jogeboy, killerFBI123, lildeg8, MajorPSP156, maxrox, MewHD, Mezzid, mikenico0078, ModThatGame, Norman, player82, s0ph0r, SavageRising, sj_7, Starek, Suxh4rd2bu, TEXAS24_ReStEr, The Overdose, TheDeathbat, TheMagicN, THUR_, Ubuntu, x i Su1c1d3 i x, XKevin356, Zer0_PoiZoN, ZoneHD
The following 8 users say thank you to Si1entDev for this useful post:
04-11-2011, 02:48 AM
#5
SilentStorm1011
Do a barrel roll!
The following 6 users say thank you to SilentStorm1011 for this useful post:
04-11-2011, 03:15 AM
#6
Si1entDev
Bounty hunter
Originally posted by SilentStorm1011
sorry didn't think you were capable of doing it with - 7 rep but i looks like your redeeming yourself. negative rep makes people assume alot lol. good job if you really did it by yourself :y:
thx
For trying to cheer me up---------- Post added at 10:15 PM ---------- Previous post was at 10:15 PM ----------
Originally posted by XKevin356
virus scan or dont bother posting with -7 rep
Virus scan of what? the pdf's? How can you even put a virus in a pdf that doesnt make sense?
The following 5 users say thank you to Si1entDev for this useful post:
04-11-2011, 04:00 AM
#9
BriceC
Computer Programmer
Just Scanned the link of the file its safe Source:You must login or register to view this content.
--------- LINK SCAN SUMMARY ---------
URL scanned: You must login or register to view this content.
PhisTank say's: Service not available.
AVG say's: Service not available.
SiteTruth say's: This site is safe.
Google Safe Browsing say's: This site is safe.
Threat Name: No Threat FOUND
Threat Definitions: 941843
Engine Version: 0.97
Host IP: 174.140.154.13
Link Status: Clean
File Size: 21.42 KB
Time Finished: 5.02 secs
Overall result: This site is secure.
--------- LINK SCAN SUMMARY ---------
URL scanned: You must login or register to view this content.
PhisTank say's: Service not available.
AVG say's: Service not available.
SiteTruth say's: This site is safe.
Google Safe Browsing say's: This site is safe.
Threat Name: No Threat FOUND
Threat Definitions: 941843
Engine Version: 0.97
Host IP: 174.140.154.13
Link Status: Clean
File Size: 21.42 KB
Time Finished: 5.02 secs
Overall result: This site is secure.
04-11-2011, 04:01 AM
#10
Curt
Former Staff
Originally posted by Si1entDev
Here it is. I am hoping by now the mods have closed my other thread.
I have added more to the blue prints.
1. BD-Drive BluePrint
2. PS3 Model BluePrints: CECHA00, A01, CECHG, CECHC02, C03, C04, C08, CECHE01, E05, E11
3. Also included the PSP-2000 TA-085
Download for BluePrints: You must login or register to view this content.
File Size is 108MB
Your welcome I hope you guys are happy that I released this but I am sure a few of you have it Also IF YOU ARE WANTING TO TRY EXPLOITING 3.60 YOURSELF THIS IS REQUIRING 2 PS3's AN KNOWLEDGE OF SOLDERING.
LV0 Console security by RMS
Mathieulh's facts about LV0
RMS
I have added more to the blue prints.
1. BD-Drive BluePrint
2. PS3 Model BluePrints: CECHA00, A01, CECHG, CECHC02, C03, C04, C08, CECHE01, E05, E11
3. Also included the PSP-2000 TA-085
Download for BluePrints: You must login or register to view this content.
File Size is 108MB
Your welcome I hope you guys are happy that I released this but I am sure a few of you have it
Also IF YOU ARE WANTING TO TRY EXPLOITING 3.60 YOURSELF THIS IS REQUIRING 2 PS3's AN KNOWLEDGE OF SOLDERING.LV0 Console security by RMS
Mathieulh's facts about LV0
RMS
That's some good sh!t man!, you actually are pretty good with shit like this, you're just new so people don't take you serious....
Copyright © 2024, NextGenUpdate.
All Rights Reserved.
