How to pwn metldr the "easy" way

This is most likely how geohot exploited it in the first place; this takes (give or take) about 10 minutes to be performed. (Yeah, not so much of an "I hacked the PS3 all on my own work", especially not when it partially relies on Segher's work, one of the reasons geohot never shared the way he exploited metldr with anyone.)

I will assume here that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool.

Now, you want to gain code execution in metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump. So far you are stuck in a chicken-and-egg scenario.

The question is: do you really need keys to get a decrypted signature? Well, the real answer is no. Thanks to a nifty fail that Sony left in metldr (and the bootloader), you can have the ldr decrypt the metadata for you. Isn't that neat? Here's how it works:

STEP I)

In a self file, at address 0x0C a value is used to calculate where the metadata is going to be decrypted. The "offset" is at self header + 0x0C; it's the "meta header offset" in the SCE structure. It takes the SCE offset + that value, so what you have to do is to have a calculation that is equal to 0x3E01F0, which happens to be where metldr copies over the shared metadata from the mailbox (which is sent over by the PPU). The trick is to have metldr decrypt the metadata located at.

So basically you have to:
1) set the offset += 0x2000, dump the shared LSA and keep increasing by 0x2000 until 0x40 bytes change somewhere in the shared LSA
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt to the proper location
3) then dump the shared LSA and we have the decrypted header

Knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address: 0x3E01F0 - 0xECF0 = the value you would patch at SCE header + 0x0C.

    ROM:0000F6C0 D2 68 87 E6    metadata_erk: .int 0xD26887E6 ; DATA XREF: ROM:0000F178o

For example in CECHA, the address you want to decrypt it to is 0x3E1F0, so it should be 0x3E1F0 - 0xF6C0.

Once you get the decrypted header, you have the key to decrypt the rest of the metadata. Here you go, you have your decrypted signature. So far so good, now what's next?

STEP II)

Contrary to popular belief, you do not need to know the public key to calculate the private key; you just need two decrypted signatures. You now know how to dump these, so let's assume you just did. Now all you have to do is to bruteforce the curve type by constantly reloading a self to metldr; the curve type being only 1 byte, that would be 64 possibilities.

CONGRATULATIONS, you just signed a loader! Now what?

Well, your first reflex would be to sign a loader and use it to dump whatever is in your Isolated Local Store. The first thing you will notice is that you have a bit of metldr's code as a leftover; after a few seconds of disassembly you will figure out it's actually some piece of code that clears metldr's code and registers and jumps to some address which matches your signed loader's entrypoint. This seems like a more than likely candidate to exploit, as in your goal would be to overwrite that piece of code with your own; that way you would have the whole metldr code right before the point where everything gets cleared out.

Let's try to do just that. From your previous dump, you obviously know that the clear code is located from 0x400 to 0x630 (0x410 being where metldr jumps when it clears). Your first attempt would naturally be to have a loader section load at 0x400. Well, not so surprisingly, it fails. Because you are not without a brain (at least you aren't supposed to be if you're reading and understanding this), you will assume that it is likely that metldr checks that you aren't loading your loader/self section below a certain address, which, considering you know the loaders' entrypoint, is most likely to be 0x12C00. This assumption is in fact correct, as metldr will make sure you cannot load any loader at 0x12BFF and below. Seems like a huge let down...

Well, maybe not, because yet again, you are not without a brain: you check out the hardware properties for the Local Store, and you find out that the memory wraps around (memory is a donut, as someone once said at some CCC conference). So what happens when you load your loader at, let's say, from 0x3F000 to 0x40000+some address (like 0x40410 for example)? Well, it WORKS! You could put the section at 0x3F000, if you made the length 0x1414 and the last instruction branches "up" to the dump code:

    ROM:000008AC 33 7F 6C 80    brsl lr, cleanup_and_jump_entry
    ROM:000008B0 32 00 11 80    br loc_93C

    ROM:00000410 cleanup_and_jump_entry:    ; CODE XREF: main+4Cp
    ROM:00000410 32 7F FF 80    br sub_40C

This is what the exploit that got leaked does (yeah, that's not really their work, eh? But you figured that much by now, did you not?). It overwrites from 0x000 to 0x480 because I originally loaded the section of size 0x880 to 0x3FC00.

So now you get code execution on metldr at the best time possible, because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too (although they are hardcoded in metldr's code anyway). Here you go, you have a metldr dump!
Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leak it. (Not like any of them would have been able to tell you how all this even works in the first place.) So long, everyone. Remember, don't ever bite the hands that feed you.

I hope Mathieu's self-aggrandizing ways do not result in Sony lawyers hunting him down... or in other words, should've saved the drama for yo mama. Big thanks to Mathieu for his work in the kitchen, and of course the ungrateful one who fed us the leak. Get down.

- source: lan.st via pastie
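The two weaknesses the write-up relies on are both range checks: a section-load check that only looks at the start address (so a section placed near the top of a wrap-around local store spills over into the low region it was meant to protect), and a metadata destination computed from an attacker-controlled header field with no check on where it lands. The C below is an added example of the weak check beside a hardened one; it is not code from the write-up, from the leaked exploit, or from metldr itself. The 0x40000 local store size, the 0x12C00 minimum loader address and the 0x3F000/0x1414 section layout are taken from the text; the function names, the use of 64-bit arithmetic and the "header region" bounds passed to the metadata check are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not metldr code. Models the range checks discussed in
 * the write-up: a 256 KiB local store whose addresses wrap modulo the
 * store size, a minimum loader address, and the self-header field that
 * selects the metadata decryption destination. */

#define LS_SIZE    0x40000u   /* SPU local store: 256 KiB; addresses wrap mod LS_SIZE (assumed size) */
#define LOADER_MIN 0x12C00u   /* lowest address a loader section may occupy (value from the write-up) */

/* The check as the write-up describes it: only the start address is
 * compared against the minimum. A section at 0x3F000 with length 0x1414
 * passes even though it wraps round to 0x000..0x413 and lands on the
 * cleanup stub at 0x410. */
bool weak_section_ok(uint32_t start, uint32_t len)
{
    (void)len;                     /* length is never consulted: this is the defect */
    return start >= LOADER_MIN;
}

/* Hardened check: validate the whole [start, start+len) range against
 * the physical store size so that neither a wrapped range nor an
 * overflowed end address can pass. The end is computed in 64 bits so
 * that start + len cannot silently wrap in 32-bit arithmetic. */
bool hardened_section_ok(uint32_t start, uint32_t len)
{
    uint64_t end = (uint64_t)start + (uint64_t)len;   /* exclusive end, cannot overflow */
    if (len == 0)           return false;              /* empty section: nothing to load */
    if (start >= LS_SIZE)   return false;              /* starts outside the store */
    if (end > LS_SIZE)      return false;              /* leaves the store: would wrap around */
    if (start < LOADER_MIN) return false;              /* below the loader area */
    return true;
}

/* Destination check for the STEP I problem. The self header carries a
 * caller-controlled "meta header offset" (header + 0x0C) and the decrypt
 * destination is sce_offset + that offset; the write-up shows nothing
 * stops the sum from pointing at the shared-metadata area. Here the
 * destination must fall inside the region reserved for the header
 * (region bounds are assumptions, passed in by the caller). */
bool metadata_dest_ok(uint32_t sce_offset, uint32_t meta_offset,
                      uint32_t region_start, uint32_t region_size)
{
    uint64_t dest = (uint64_t)sce_offset + (uint64_t)meta_offset;   /* no 32-bit overflow */
    return dest >= region_start && dest < (uint64_t)region_start + region_size;
}

int main(void)
{
    /* Section layout from the write-up: 0x3F000 with length 0x1414. */
    printf("weak check:               %s\n",
           weak_section_ok(0x3F000, 0x1414) ? "accepted" : "rejected");
    printf("hardened check:           %s\n",
           hardened_section_ok(0x3F000, 0x1414) ? "accepted" : "rejected");
    /* A normal loader placed at the documented entry point. */
    printf("hardened, normal loader:  %s\n",
           hardened_section_ok(0x12C00, 0x10000) ? "accepted" : "rejected");
    /* Header at 0xECF0 with the offset the write-up computes for 0x3E01F0;
     * the 0x1000 region size is a constructed value. */
    printf("metadata dest 0x3E01F0:   %s\n",
           metadata_dest_ok(0xECF0, 0x3E01F0 - 0xECF0, 0xECF0, 0x1000) ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened version is that a lower bound on the start address says nothing about where the section ends; only checking the computed end against the physical store size, in arithmetic that cannot itself wrap, closes the "memory is a donut" path. The same reasoning applies to the metadata offset: a destination derived from an untrusted field has to be confined to the region the loader expects to write, not merely be a valid address.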
Comments
So I suppose this is a final key for the hackers to make a new CFW?
BTW, I hate the new commenting system, it's screwed up!
Aww, you're leaving? Fuck you. Leave! You want to be a cry baby about it, then we don't WANT your shit. There are others that will do a BETTER JOB THAN YOU! Look at Dark Alex. He was just like you. Helped out and then didn't get his way and then pitched a shit fit and left. Did the PSP scene die? NO! It got BETTER! Now, we can use CFW on STOCK UNITS! We can sign games and emulators. Life is good.
You're like the rich snob who has the newest video game before it comes out and then won't let anyone play it. You're a selfish person. Plain and simple. What were you going to do with the code anyways? Mod your system and rip off OUR RIPS and play to your heart's content, leaving us, the ones who made and uploaded those rips in the cold?
I WISH Sony finds you, takes all your shit, locks you up, and throws away the key. We don't need people like you in this world. So, go fuck yourself to Dirty Little Sluts 7. We'll find someone else to replace you. Someone who's not an ASSHOLE to people!
I respect anyone who has the time and skills to find these exploits, your work makes so many people happy.
I am just sad because I just bought a PS3 a few days ago, and it's gonna come with 3.61 (I think), and the minimum it could be downgraded to is 3.60 (which is useless).
I wish there was something I could do with the machine I just bought. I thought the E3 flasher would work, but apparently not so, due to my system being too new and all. I just wish I had some kind of option to do something with my system besides play games and buy DLC. I want OtherOS, homebrew apps and games. Maybe Amazon will let me return it.
release it. Do you think he would keep the exploit only for himself forever? Of course not. He probably had some more plans, wanted to use the exploit for some further hacking and/or developing, but somebody got it into orbit prematurely. As a result, the PS3 scene lost yet another scener and there are not many more left. Really, it's a shame that some idiots are just way too impatient and want their CFW now and are unable to wait for a while for it to be released properly.
Oh and wolfpacleader1986 - you're a fucking asshole. Until you actually start contributing something to the scene and not just leeching stuff for free that others made, you don't have any right to spout such shit as you did.
For those of you who haven't been keeping up with CFW: JFW DH is supposed to release at 21:00 hours, but if you can't wait till 9pm then http://www.mediafire.com/?g8qhpxykoi469ii
P.S. I'm not the first one to leak this
tested on 120 GB slim
CECH-20xxA
Not tested by me...
Now now, there are many ways to look at this....
Mathieulh, claimed by many that you see posting over many sites to not have the know-how or talent, finally coming to light. Work that finally showed truths of what one was capable of, rightfully credited by the author, and news sites making headlines only because of one's attempts and disloyalties to the ethics.
What I say to all hackers for the PS3... Leave. Take your information, show it if you must to your friends or inner community, have your claim staked, but leave. There is no reason to contribute to the most UNGRATEFUL bunch of half-wits I have seen, who, when they have proof of one's work, do nothing but try to humiliate them.
Some things I will not touch as MousE0910 made quite the nice post of those areas already...
Sad days are amongst us...
Agreed!!!!!!!
There are two valid points to this. One is, just as you said, he wanted to try and create something and someone screwed him by releasing it. But on the other hand, why not make it an open source project? This is what made Linux work. He also clearly gave his work to someone else and ignorantly trusted someone with his work, so in turn it kind of makes it his fault. If he didn't want it released he should have kept it to himself until he was ready for testing.
On a side note, I didn't really like the guy too much; he seemed to complain about anything and was a very arrogant person. So much so that he pissed fellow hackers off with his arrogance. So am I sorry to see him go? Not really. This type of scene doesn't need people who clearly think they are better than everyone else simply because they have something everyone else wants. Some people have been a little harsh on the guy, but he kind of brought that on himself. For lack of a better word, he is kind of being a cry baby about it.
I hope you get caught by Sony and are completely stripped down to the last penny, you little baby.
Hey people, I'm from Palestine, Gaza, and I'm running a PS3 store,
so I need this CFW very damn much. Pllllllz Mr. Hacker, release it ^_^
Do I see you hacking the console internals? No. I see you only exploiting one guru who might have fucking good reasons to keep this thing closed information like... Well.. NOT LETTING SONY PATCH THOSE THINGS BY DENYING THEM THE INFORMATION ABOUT EXPLOIT.
Basically leakers are doing free work for Sony Security. You can hate Mathieulh because he doesn't appreciate stupid people, but you cannot deny he is brilliant at what he is doing, so instead of sending fucks to him, you might allow yourself to use some brain capacity of your own to figure out why he wants to keep some bleeding edge information closed, at least possible reasons to do so.
That one leak might forbid any upcoming PS3 versions from being cracked this way, simply because the leaker leaked this information to the public - including Sony designers. Is that what you look up to? Ever considered this? Of course not. You don't have the brains to do so. Mathieulh has the brains to hack the console for real, and he has the brains to see the reason why to keep stuff secret for long enough. You and your kind are contradicting this goal, dimwit.
So fuck you and your under 75 IQ. You are exploiters without skills, riding on the back of the really brilliant people like Mathieulh. Be man enough to admit it.