Mathieulh Decrypts lv0 on PS3 Firmware 3.73


Submitted by greg; November 14, 2011


While Mathieulh certainly knows his shit, especially when it comes to hacking the PS3 and boasting about it, what I guess he hasn't learned is basic, early childhood sharing. Yes, Mathieulh has successfully decrypted firmware 3.73 at the lowest of levels; no, he doesn't plan on sharing it with anyone ... not after this leak. Say what you will of Mathieulh and his narcissistic ways, you still gotta give him props... No one else has managed to decrypt lv0 on 3.73 yet ... or at least no one has bragged about it publicly, revealing their methods. No worries though, sooner or later someone'll figure it out and share it with the rest of us. And that leaked metldr exploit may help too, making it sooner rather than later. - source: @mathieulh



Tags: 3.73, Decrypt, Firmware, lv0, Mathieulh, metldr






Comments 


 
# Guest 2011-11-14 09:29
The entire scene pays for one breach of trust and a childish reaction to it. Neither party is right, here. The leaker shouldn't have leaked, and Mathieulh shouldn't punish the entire scene for the actions of one guy.

Reply
 

 
# Zeikku 2011-11-14 09:33
I respect the guy a lot. He's an awesome guy with the best intentions in-mind. He as well as core-scene members would just like to see the community fend for itself.

Reply
 

 
# Guest 2011-11-14 09:35
what an asshole.....Why brag about it then....pftt!

Reply
 

 
# Guest 2011-11-14 09:36
what an asshole...pfftt

Reply
 

 
# Guest 2011-11-14 09:37
Oh Look i found water on mars!!!  (So... what's the point of doing such a thing and posting it all over the internet without sharing the "How to" and "what if" with the community???)

Reply
 

 
# pixelheart 2011-11-14 09:37

Unless he's holding back for a legit reason, like creating a decrypter package for home users to run, he's just being a selfish jerk, wasting good talent.


Reply
 

 
# Bazzosh 2011-11-14 09:39
You can't really blame him for his mood recently. The scene has taken from him time and time again, and all that he has received (for the most part) are further demands, slander and abuse. Because of the childish actions of the community - (most probably by children - knowing no better - or thinking they are great posting shit) he has now stood back to watch how lost we are without his constant input...

Reply
 

 
# greg 2011-11-14 09:40
Much respect for sure. There should be "no fending for itself" though... Everyone should share and contribute, making the scene a better place.  Of course some scene members are more knowledgeable than others, but that's how others learn.  I think fear of Sony suing is why he won't reveal his methods. But so be it.

Reply
 

 
# Guest 2011-11-14 09:47

More likely, this may eventually lead to a release that literally only enables homebrew on your PS3, rather than pirating games - which is the true goal of most projects.


Hope this is the case. Most of these whiney kids just want to get free PS3 games. When people who really know what they're doing just want to tinker and code up some stuff to have some fun.


Reply
 

 
# Zeikku 2011-11-14 09:54
That's what I mean by "fending for itself". Math would like people to actually use resources made by both him and Kakaroto (to name a few) - Math has never accepted donations and never will. I don't think Math is afraid of Sony - I see him tweet and follow Sony companies and poke fun at its executives.



Fact is; a lot of people are happy watching Math and a few others do the work. It's simply not how shit flies, hell; even I contributed in the past with various pieces of coding and ASM routines for certain Nintendo emulators for PS3.



Kakarotoks' EFL library is a great example of an easy resource which is never used, you don't even need PS3 knowledge to use it - But yet no one is bothered to learn or to use it.



I'm not picking a fight, I just feel strongly about the PS3 scene more than other communities. It's like my 2nd scene.

Reply
 

 
# Guest 2011-11-14 09:56
When he releases information he is met with hate and contempt. When he does not, he also gets insulted.


He has a perfectly legitimate reason for not releasing anything: the abundance of assholes in and out of the scene.

Reply
 

 
# Guest 2011-11-14 10:01

OK so assuming this is released either by mathieulh or someone else who figures it out from the exploit, can this lead to homebrew or cfw on 3.73


Reply
 

 
# Guest 2011-11-14 10:08
Met is a motherfucker. Just saying "oh i have done it" doesn't make u great, all he wants is to show he is better than others. In psychology that is an act of a loser because he wants to prove himself to others. Genius people don't want credit. They know what they are, so fuck u Mathieulh

Reply
 

 
# Guest 2011-11-14 10:21
he doesnt have what i call honor among the hackers

Reply
 

 
# greg 2011-11-14 10:21
My bad... I misinterpreted your fend for itself statement. But yeah, I agree with you.

Reply
 

 
# Zeikku 2011-11-14 10:25
No problem and yeah, it is a shame. I just wish people opened their eyes and see that Math isn't in the wrong here.

Reply
 

 
# ToyMachine_ 2011-11-14 10:45
is this like punishing the whole class because one kid stole the teachers chalk?

Reply
 

 
# xVsQ EDiiTzZ 2011-11-14 10:46
Does this mean that a jailbreak can be made from this?

Reply
 

 
# xVsQ EDiiTzZ 2011-11-14 10:48
ye its my 2nd scene as welL!

Reply
 

 
# Guest 2011-11-14 10:53

Get a life...He has the right to do what he wants.... People expect too much for nothing in the world today...


Yes he has a brain on his head..


Yes he is pissed off with the attitude of people like you!!!


If you want it. Do it yourself...


Oh thats right you cant.. SO shut up and get a life!!!!!





Reply
 

 
# Guest 2011-11-14 10:56

LOOK GUY THIS PERSON HAS THE RIGHT TO DO WHAT HE WANTS WITH HIS OWN WORK!!!!!


Yes it would be good to see what comes from this, but its up to him to release it or not... He is the one that is taking the risk by releasing it, not you guys!!!





Reply
 

 
# Guest 2011-11-14 11:04
You can do pretty much anything if you have access to lv0

Reply
 

 
# beavis5706 2011-11-14 11:11
"NaNaNa if figured out how to crack lv0 and im not going to share, haha" Seriously Mathieilh what the hell are you doing here bragging about this if you not going to share it. If thats the way you want to be then keep it to yourself and stop getting peoples hopes up.

Reply
 

 
# Guest 2011-11-14 11:16

He deserves to have credit for breaking it first, credit for his skills and ability.  He doesnt have to release it if he doesnt want to, however sharing is nice and maybe one day he will take a few under his wing and teach them how to code...


 


 


Reply
 

 
# Guest 2011-11-14 12:16
Excellent job. Sony blabla

Reply
 

 
# Guest 2011-11-14 13:04
It could be that he didn't crack lv0

Reply
 

 
# juniorchup 2011-11-14 14:53
Hey Mathieulh take a look at this IMAGE I Just MADE.... JUST LIKE YOU in PHOTOSHOP..... JAJAJAJA and for those who believe him, go to his twitter site, save the image to your desktop, RIGHT click on the image, properties, once the window pops up click on the tab that says origin, it says PHOTOSHOP....


mathieulh HUGE FAKE


Direct link to image



http://img707.imageshack.us/img707/6084/mathieulhbull.jpg


PS: Greetings from COSTA RICA.... PURA VIDA PS3 Scener and those who really help....


Reply
 

 
# nerodrago 2011-11-14 15:30

ok you need to work on that analogy.


One, if the teacher was the only one that really knew how to use the chalk.


Two, the teacher worked on making the chalk themselves.


Three, it was stolen by, let's say... another teacher and then told to the population how to make their own.


Then yes, every right to punish the WHOLE instead of a part.


Because he is not punishing the class per se; if you had your hands on this, or 90% of the end users, guess what? They won't know what the hell to do with the stuff!


This is directed to those who back stabbed him released things that were not meant to be released so he one upped his game to say, you know what....fuck you.


Reply
 

 
# nerodrago 2011-11-14 15:32
Go direct your tears to another community that supports cry babies.

Reply
 

 
# juniorchup 2011-11-14 15:34

Just open a notepad and paste this inside....

@echo breakself.exe v1.0.1
@echo.
@echo Self Type:        Lv0
@echo SDK Version:      3.73
@echo.
@echo File successfully decrypted!.
pause

save it as whatever name you want .bat


ex: NAME.bat


make sure under the name you select "All Files"


you are done, double click on that file and see it for yourself... after that follow Mathieulh's steps, be a dishonest crook and take a screenshot, paste it in Photoshop and erase the last part.... voila, you got your command line that decrypts firmware 3.73....


Reply
 

 
# Jessie James 2011-11-14 17:29
haha ya i agree with some of these ppl. Sharing is caring. IF you wanna be a big baby about something GTFO

Reply
 

 
# xaotix 2011-11-14 18:17
this guy is just a child crying because they stole his bottle.

this print screen does not say anything.

I want to see it happen.


total fake.

idiot




Reply
 

 
# beavis5706 2011-11-14 18:21
He is an attention whore and nothing more. Why the hell would you put something on a ps3 news site that you have no intention of releasing. That would be like Sony announcing new games but saying that they aren't going to release them. There is absolutely no logic behind it. If you don't want to release it then DON'T ANNOUNCE IT.

Reply
 

 
# evilcowboy420 2011-11-14 23:06

He claimed that last leak was his final contribution to the scene. So in turn he said "I'm out" So why the hell is he showing he can decrypt lv0? Just to be a prick about it. The tutorial on how his exploit worked by his own admission should have been his last post. So I have to agree now he is just being a dick about it.


Second no one stole shit from this guy he obviously ignorantly trusted someone and showed it to them and they handed it out.





Third did you not read this part:


"This is most likely how geohot exploited it in the first way, this takes
(give or take) about 10 minutes to be performed. (yeah, not so much of
a “I hacked the ps3 all on my own work, especially not when it
partially relies on Segher’s work, one of the reason geohot never
shared the way he exploited metldr to anyone)"








hmmm seems to me this motherfucker took from someone else's work the same as geohot. Not saying he doesn't know his shit but obviously it was never fully his work to begin with by his own admission.





Thus this is why he is a complete bag of shit for using someone else's work to figure out how to exploit the ps3 and then bitching when someone hands it out. I wonder how much bitching he did when Segher's work got handed out or when geohot's work was handed out.





Besides open source would be the way to go on something like this since it relies heavily on a community. So my point being is no one back stabbed this sack of shit he just gets a kick out of being a dick about what he can do. Plain and simple.


Reply
 

 
# evilcowboy420 2011-11-14 23:13

I would hope he isn't using windows to decrypt it lmfao. I figured I would get to see some cool decrypting process going on from at least ubuntu but no such luck just a plain ol command prompt in windows with some @ECHO's added for effect.


FAIL


Reply
 

 
# Jessie James 2011-11-14 23:20
ya its fake until proven other wise. Doesnt matter who you are.

Reply
 

 
# evilcowboy420 2011-11-14 23:52

At least mine looks real. Just pay no attention to the compiler behind the window. lmfao.


shit


Reply
 

 
# unegro 2011-11-15 00:09
You all Flaming Math,


This method is true and has been proved by another user, look at the ps3iso forums!!!!

Math didn't share the keys because he will certainly be processed by Sony...

Look at the ps3iso forums and see: there is a NEW CFW 3.56 by Demonhades, nothing with lv0 decrypt,

And the keys have been shared too by another user....


Open a command prompt and write: I am an ungrateful, and want everything for free fast...

Mother*****





Reply
 

 
# beavis5706 2011-11-15 01:10

You can defend this guy all you want, bottom line if he doesn't want to or can't share it then why is it on this page. Why did he take credit for it if he doesn't want anyone to know he did it. To quote you "Math didnt share the keys because he will certainly be processed by sony..." THEN WHY IS IT ON HERE AS PS3 NEWS. If i killed someone and i didn't want anyone to know i wouldn't post that news all over the internet.


Reply
 

 
# beavis5706 2011-11-15 01:21
Oh he is French, i didn't realize this. This makes total sense now, the French are a**holes.

Reply
 

 
# DashBandicoot 2011-11-15 01:59

well I've never seen this guy mention something that is fake, each time he says something then it's not long after when others follow and use his work to do hacks.


this guy actually has a brain and isn't bragging to sony unlike egohot, then all you dirty pirates start crying and handing this clown your money to pay his court fees.


you faggits are the reason console companies have to act like this, because like egohot you have to take it too far and take the p1ss, and name me one console that sits back and does nothing about hackers that always leads to piracy.


that's the problem there, you people are cheap pirates and think you deserve the right to get every game for free.


math owes you faggits nothing, he is just saying it's possible, if you hate him for not releasing or doing anything further with his findings, well how about you spend less time being a lazy bum, get out, find a job and move out of your parents' bedrooms and get a girlfriend.


wake up to the real world you faggits!!


Reply
 

 
# nerodrago 2011-11-15 05:09

Well that is saying why do hackers hack and show it off? To show they have the skills to do so, not every hacker shares their work, if you call him a prick you need to go off and call each and every hacker who keeps their code or ways a prick.


Now he may have used another person's work as a base but I am sure he added something on further to achieve what we saw or worked as a pair with most of the contribution. Again I can say many many hackers out there use the foundation of other people's work as a base to start their own way of doing things.


We finally get to the last part; even though you are trying to show some part of support for him you still scrutinize him for any little thing you see wrong. I do not recall him ever saying obligations were expected of releases of any kinds of work done, have you? No... What is being done is what hackers have been known to do. They come, they show, they sometimes share their point of view, but it's rare you get their entire release.


This is clearly what is wrong with the world and scene today, you expect someone to be obligated to release something so everyone can enjoy it after a community is flooded with people who show no sign of thanks. I am sure if it was seen with thanks going out instead of "What took you so long.", "Will this let me play pirated games", "Why did you waste your time and do something constructive like...", "You're a douche, fag, asshole,..." things would be very different right now. Then again...maybe not.


Reply
 

 
# nerodrago 2011-11-15 05:20
I say let's challenge Dash Hacks as a community, from end user to site admin, to RID all people who wish to hinder it. If they do not have something constructive to add on or say about the people who contribute, well GET RID OF THEM AND PROTECT THE ONES WHO DESERVE IT.

Reply
 

 
# gamefanA 2011-11-15 06:15
 math is just an asshole don't take anything he does seriously

Reply
 

 
# miguel_0529 2011-11-15 07:42
keys released! https://twitter.com/#!/naehrwert


74 92 E5 7C...

AB CA AD 17...

B0 D6 55 76...

3E C2 0C 17...

D9 2D 65 DB...

F2 33 6E 25...

52 38 D0 FA...

http://pastie.org/2858016


Mathieulh @naehrwert: I knew you would

naehrwert @mathieulh: I wonder why no one else reversed it, at least no one except you mentioned it.. because it's easy to find if you know what to do!


naehrwert edited his post very fast. These keys are incomplete.

Reply
 

 
# pixelheart 2011-11-15 09:15
The metadata doesn't mean shit. I printscreen every screenshot I take into Photoshop, but that doesn't mean everything of mine is fake. Jackass...

Reply
 

 
# Guest 2011-11-15 10:25
Just gotta say love the early childhood sharing joke.  It's the best way to describe Mathieulh

Reply
 

 
# beavis5706 2011-11-15 10:29
OK Sony

Reply
 

 
# Guest 2011-11-15 10:36
Then why brag about it? If you did something and have no plans on releasing how to do it, keep it to yourself. Him bragging is him just being an asshole.

And most of us can't do it because we lack the knowledge, ever considered that? People have specialties and each rely on one another. So, unless YOU can do this and prove it, YOU shut up and get a life.

Reply
 

 
# beavis5706 2011-11-15 11:05

Personally I don't care if this guy cracks open the PS3 or not I always play my Xbox. Just like the PSP all the games I have dl'd for my 3.55 PS3 suck so hard I never played them for more than 5 minutes anyway.


But when he says stuff like "Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER." and then comes back 2 days later taunting the scene with the fact that he is the only one who can do it, well that deserves some negativity right there.


Look Math if you want to help the scene then help, if you don't then don't but don't be a jerk and flaunt your abilities to a helpless scene. Personally I would rather never see another hack on the PS3 if it means I don't have to hear this guy bitch and moan about how nobody can be trusted. What he is doing does not help this scene at all it only adds negativity.


I would love to see Math continue his work, however if all he wants to do is complain then I will gladly show you the door.


Reply
 

 
# Guest 2011-11-15 19:00

Let's consider that what he says is true.


If he does not give us the key, what's the point of telling us he has the key?


What he did is nothing for anyone.


I prefer (want) it to be a joke or a lie rather than true.


Reply
 

 
# nerodrago 2011-11-16 04:25

So you call someone Sony because they support someone who has a brain, contributed their point of view, explained subjects people could not fathom and was pissed that works were released that should not have been released. You really come off as another of the little pirate cry babies who are butt hurt not seeing each and every contributor run to your side.


Now people bring up the issue of gloating, smearing it in the face of the public, doing this and that....What hacker DOES NOT do that in some way shape or form via, email message, uploaded file, text file, URL, MIRC, ETC. The list could go on and on Hackers Hack and let the world know to stake their rightful claim.


And beavis5706 this is for your butthurt...


You can receive a free sample of Boudreaux's Butt Paste by sending a 6 x
9 self-addressed envelope stamped with $1.34 to: Boudreaux's Butt
Paste, 1600 Brian Drive, Columbus, IN 47201.


Reply
 

 
# greg 2011-11-16 12:00
hehe, thanks

Reply
 

 
# beavis5706 2011-11-17 00:12

Um first off that comment wasn't for you, it was for the one above it. You must have posted right before I did. Second, what the hell is a "butthurt"? I would look it up but I'm too busy playing my Waninkoko 3.55 PS3. You see, I'm playing it because Waninkoko actually released what he created instead of telling everyone he created it but won't release it.


I don't like Sony and I feel they deserve to be stolen from. I have an Xbox 360 that is not hacked that I buy games for. I buy them because Microsoft, unlike Sony, is not trying to rape their customers every chance they get.


So have fun re-purchasing your PSP games for your Vita and paying Sony's convenience charge for PSN games.  Sony will get nothing from me.


ps. holy shit I think this guy really posted his address, I mapquested it and it's real!! What an idiot.


Reply
 

 
# binkie8 2011-11-17 04:12
you bore us with things like "you do not want to share", idiot, go fuck yourself

I hope you get caught by Sony and are completely stripped down to the last penny, you little baby

Reply
 

 
# TK-426 2011-11-19 01:48
Actually never read such fucktarded posts as what I'm seeing in these comments. You are all a bunch of wasters.

Reply
 

 
# Irixion 2011-11-19 23:55
You know, it was leaked because he doesn't share. Now he's not releasing it because it was leaked? I doubt he was going to release it anyway if the previous exploit wasn't leaked. I know that no one's entitled to anyone else's work, but don't be such a moron about it by bragging, urgh. Just wanna sock him in the face. Sony needs to sue bragging douchebags, not geohot who shared his work :V

Reply
 

 
# Irixion 2011-11-19 23:56
Derp. Double post.

Reply
 

 
# Guest 2011-11-20 00:55
the problem is this attitude to sharing always seems to happen with this guy. whenever something new hits the scene this guy jumps up "i've already done this". whenever something comes out, which by the way he has chirped up about since the dongle hit the streets, "i can do better" he cries. love me love me math needs to share some love to get the respect he clearly wants!

Reply
 

 
# binkie8 2011-11-20 08:57
you dirty little mother fucker if you do not want to share then go away you little cry baby

There are other people who can and who want to share, so crawl back into your hole you little mother fucker

Reply
 

 
# samuraixguy 2011-12-05 18:14
Mathieulh... please don't refuse to be a hero just because a villain did you wrong.. we civilians need you man... help us... please!!.. be a hero..

Reply
 

 
# Guest 2011-12-20 12:11

Hold the phone, so let me get this straight. So Mathieulh, the hacker, had created something that PS3 users had been waiting on for months now, and he had just told everyone about it, and now he won't even release it, and now people are flaming him, sending him hate messages for it, and Mathieulh is angry about it? You know, in some ways I can understand their reactions, but then I started thinking about this and figured, why is everyone mad at this guy? I mean, if KaKaRoTo is working on a jailbreak that will work on 4.00 (and yes, he will release it), then why is everyone still flaming Math? You guys are probably just little kids who want to figure out how to hack Call of Duty, and I suggest to you trolls and Call of Duty kids to get off your computer and video game, go outside, get some fresh air, and think about why your lives are such tragic fails, you massive trolls. But still, Mathieulh, you yourself are no better than the rest of these trolls, you are just as responsible for the flaming as everyone else is; in fact, if it weren't for your selfish and arrogant attitude, none of this stupid shit would ever have existed. Why are you letting the trolls win the battle? Honestly, I can't stress enough how much drama and other stupid crap I don't care about I have to read almost every single day; if you weren't going to release it in the first place, then don't even mention it to the entire scene, that alone is exactly like trolling, and that makes you a troll. And to everyone supporting Mathieulh, are you that much of a dick rider and dumbass that you are too blind to see why everyone is mad at Math in the first place? Honestly, why are you sticking up for Math anyway? It's not like being nice to him will change his mind about releasing it or not, and no, no matter how much sucking up and dick riding you do, Mathieulh, that arrogant bastard, will never release his exploit. You know why?
It's because Math is just one of those attention whores that have nothing to do with their lives. I really don't care about drama created by you trolls, suck-ups, and Math. KaKaRoTo is the only trustworthy hacker I can support right now, because KaKaRoTo, unlike Math, actually wants to release his stuff, he actually cares what people think, and he doesn't give in to the trolls, unlike Math, who selfishly refuses to release his exploit for self gratification. The next time someone doesn't want to release their stuff, fine by me, I don't care. But kindly don't be a selfish bastard like Math and please don't tell everyone you're not going to release it. Sorry I've wasted your time if you're reading this, but I've wasted much more time supporting Math, but that was before I took a bang on the head and realized the truth. Some day, Math, you are going to realize what you've done and you are going to pay dearly for it, my friend.


Reply
 

 
# Guest 2011-12-20 16:16

And you are saying that Microsoft doesn't try and screw over their customers? That's funny! Look at the releases of Windows, how much is each one? That's why I switched from Windows to Linux. It is free and there are many options for me. I can make almost all of the things I did in Windows work just as well in Arch Linux. If you're going to complain about a company that releases something and then years later releases something new, then get mad at every single video game company. So don't bitch about something. They can do what they want and you can choose to not use what they want, but me personally I like my PS3 more than my other systems. I own a Nintendo, Super Nintendo, DreamCast, Sega Genesis, PlayStation 1, Nintendo 64, PlayStation 2, X-box, Gamecube, PlayStation 3, X-box 360, Wii, Gameboy, Gameboy Color, Gameboy Pocket, Nintendo DS lite, Nintendo DSi, and a PSP. So as I said, it will be each person's choice which systems they like more. So have some respect and let people make their own choices.


Reply
 

 
# Guest 2012-03-05 00:20

Because some ungrateful person leaked my metldr exploit files I will now be explaining how it actually works, see this as my ultimate release of all times for an ungrateful scene (and scenes in the future)

That's about how I am pissed off right now, because of course the person that leaked these files has no idea of how they actually work.

How to pwn metldr the "easy" way:
This is most likely how geohot exploited it in the first place, this takes (give or take) about 10 minutes to be performed. (yeah, not so much of a "I hacked the ps3 all on my own work", especially not when it partially relies on Segher's work, one of the reason geohot never shared the way he exploited metldr to anyone)

I will assume here, that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool

Now you want to gain code execution in metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump; so far you are stuck in a chicken and egg scenario.

The question is, do you really need keys to get a decrypted signature ?
Well the real answer is no, thanks to a nifty fail that sony left in metldr (and the bootloader): you can have the ldr decrypt the metadata for you, isn't that neat ?

Here's how it works:

STEP I)


In a self file, at address 0x0C a value is used to calculate where the metadata is going to be decrypted; the "offset" is at self header + 0x0C.
It's the "meta header offset" in the SCE structure; it takes the SCE offset + that value, so what you have to do is to have a calculation that is equal to 0x3E01F0, which happens to be where metldr copies over the shared metadata from the mailbox (which is sent over by the ppu). The trick is to have metldr decrypt the metadata located at.
So basically you have to
1) set the offset += 0x2000
dump shared lsa
and keep increasing 0x2000
until somewhere in the shared lsa changes 0x40 byte
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt the proper locations
3) then dump shared lsa and we have decrypted header
knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address 0x3E01F0 - 0xECF0 = the value you would patch at SCE header + 0x0C

ROM:0000F6C0 D2 68 87 E6 metadata_erk: .int 0xD26887E6 ; DATA XREF: ROM:0000F178o
for example in CECHA , the address you want to decrypt it to is 0x3E1F0
so it should be 0x3E1F0 - 0xF6C0


Once you get the decrypted header, you have the key to decrypt the rest of the metadata. Here you go, you have your decrypted signature.

So far so good, now what's next ?

STEP II)

Contrary to popular belief, you do not need to know the public key to calculate the private key, you just need two decrypted signatures. You now know how to dump these, so let's assume you just did; now all you have to do is to bruteforce the curve type by constantly reloading a self into metldr, the curve type being only 1 byte, that would be 64 possibilities.

CONGRATULATIONS, you just signed a loader !

Now what ?

Well, your first reflex would be to sign a loader and use it to dump whatever is in your Isolated Local Store. The first thing you will notice is that you have a bit of metldr's code as a leftover; after a few seconds of disassembly you will figure it's actually some piece of code that clears metldr's code and registers and jumps to some address which matches your signed loader's entrypoint.

This seems like a more than likely candidate to exploit, as in your goal would be to overwrite that piece of code with your own, that way you would have the whole metldr code right before the point where everything gets cleared out.

Let's try to do just that, from your previous dump, you obviously know that the clear code is located from 0x400 to 0x630, (0x410 being where metldr jumps when it clears) your first attempt would naturally be to have a loader section to load at 0x400, well not so surprisingly, it fails, because you are not without a brain (at least you aren't supposed to be if you're reading and understanding this), you will assume that it is likely that metldr checks if you aren't loading your loader/self section below a certain address, which considering you know the loaders' entrypoint is most likely to be 0x12C00, this assumption is in fact correct as metldr will make sure you cannot load any loader at 0x12BFF and below, seems like a huge let down...

Well, maybe not, because yet again, you are not without a brain, you check out the hardware properties for the Local Store, and you find out that the memory wraps around (memory is a donut as someone once said at some ccc conference).

So what happens when you load your loader at let's say from 0x3F000 to 0x40000+some address? (like 0x40410 for example) ?

Well, it WORKS!
You could put the section at 0x3F000, if you made the length 0x1414 and the last instruction branches "up" to the dump code

ROM:000008AC 33 7F 6C 80 brsl lr, cleanup_and_jump_entry
ROM:000008B0 32 00 11 80 br loc_93C
ROM:00000410 cleanup_and_jump_entry: ; CODE XREF: main+4Cp
ROM:00000410 32 7F FF 80 br sub_40C
this is what the exploit that got leaked (yeah, that's not really their work, eh? but you figured that much by now, did you not?) does.
It overwrites from 0x000 to 0x480 because I originally loaded the section of size 0x880 to 0x3FC00

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)


Here you go, you have a metldr dump !

Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leaking it. (Not like any of them would have been able to tell you how all this even works in the first place)

So long, everyone.
Remember, don't ever bite the hands that feed you.

P.S. Oh! and btw, if you're talented enough to make hardware to dump the shared lsa, you can decrypt any lv0 using this technique.

By mathieulh 11-08-11

Reply
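The core of the quoted post is a bounds-checking mistake that is not specific to the PS3: the loader refuses any section placed below 0x12C00, but Local Store addresses wrap at 256 KiB, so a section placed near the top of the store can spill over into the low addresses the check was meant to protect. The C program below is an added example written for this page; it is not mathieulh's code nor any real metldr code. It simulates a 0x40000-byte Local Store, puts the one-sided check the post describes beside a hardened check that also rejects sections that would wrap, and shows that the post's section (0x3F000, length 0x1414) passes the former, fails the latter, and lands on the 0x400..0x630 cleanup stub. The function names, the exact shape of both checks and the 0xAA fill byte are assumptions; the addresses are the ones quoted in the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SPU Local Store: 256 KiB, addresses wrap modulo
 * LS_SIZE. The three addresses below are the ones quoted in the post. */
#define LS_SIZE        0x40000u
#define LOADER_MIN     0x12C00u  /* post: no loader section may load at 0x12BFF or below */
#define CLEANUP_START  0x400u    /* post: the cleanup stub lives at 0x400..0x630 */
#define CLEANUP_END    0x630u

/* Result bits returned by demo_wraparound(). */
#define NAIVE_ACCEPTS     1
#define HARDENED_ACCEPTS  2
#define CLEANUP_CLOBBERED 4

/* One-sided check as the post describes it: only the start address is tested.
 * (Assumed shape; the loader's real code is not on the page.) */
bool naive_section_ok(uint32_t start, uint32_t len) {
    (void)len;
    return start >= LOADER_MIN;
}

/* Hardened check (assumption): the section must fit inside the store without
 * wrapping; only then does a lower bound on the start address say anything
 * about where the section ends. The subtraction avoids start + len overflow. */
bool hardened_section_ok(uint32_t start, uint32_t len) {
    if (len == 0 || start >= LS_SIZE) return false;
    if (len > LS_SIZE - start) return false;   /* would run past LS_SIZE and wrap */
    return start >= LOADER_MIN;
}

/* Simulated copy of a section into the store: byte i lands at
 * (start + i) mod LS_SIZE, which is what "memory is a donut" means. */
static void ls_write_wrapping(uint8_t *ls, uint32_t start, uint32_t len, uint8_t fill) {
    for (uint32_t i = 0; i < len; i++)
        ls[(start + i) % LS_SIZE] = fill;
}

/* True if any byte of the cleanup stub range now carries the fill byte. */
static bool cleanup_clobbered(const uint8_t *ls, uint8_t fill) {
    for (uint32_t a = CLEANUP_START; a < CLEANUP_END; a++)
        if (ls[a] == fill) return true;
    return false;
}

/* Run one scenario: what each check says, and whether the wrapping write
 * actually reaches the cleanup stub. Returns a bitmask of the defines above. */
int demo_wraparound(uint32_t start, uint32_t len) {
    static uint8_t ls[LS_SIZE];
    memset(ls, 0, sizeof ls);
    int result = 0;
    if (naive_section_ok(start, len))    result |= NAIVE_ACCEPTS;
    if (hardened_section_ok(start, len)) result |= HARDENED_ACCEPTS;
    ls_write_wrapping(ls, start, len, 0xAA);   /* 0xAA is a constructed fill byte */
    if (cleanup_clobbered(ls, 0xAA))     result |= CLEANUP_CLOBBERED;
    return result;
}

static void report(uint32_t start, uint32_t len) {
    int r = demo_wraparound(start, len);
    printf("section 0x%05X len 0x%04X: naive %s, hardened %s, cleanup stub %s\n",
           (unsigned)start, (unsigned)len,
           (r & NAIVE_ACCEPTS)     ? "accepts" : "rejects",
           (r & HARDENED_ACCEPTS)  ? "accepts" : "rejects",
           (r & CLEANUP_CLOBBERED) ? "OVERWRITTEN" : "intact");
}

int main(void) {
    report(0x3F000, 0x1414);  /* the post's section: wraps onto 0x000..0x413 */
    report(0x12C00, 0x1000);  /* an ordinary section that both checks allow */
    report(0x00400, 0x00100); /* a direct hit on the stub: both checks reject it */
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the first line of output is the interesting one, since the naive check accepts a section that ends inside the stub. The general lesson for anyone writing a loader or DMA bounds check is that a lower bound on the start address is meaningless on its own: the end of the range has to be computed without overflow and checked against the same limit.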
 
