Digital Eliteboard - The Digital Technology Forum


PS3 PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Rumour:

Allegedly a new METLDR exploit has been leaked (METLDR = public keys). For those who remember: Geohot published the METLDR, which made the whole jailbreak and CFW possible in the first place.
For now it is only interesting for devs, but if there really is something to it, it is a step towards opening the doors for the PS3 again.

But: authenticity is not yet confirmed!

Source: PS3 Crunch
 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Apparently there is something to it after all! Mathieulh, who announced the METLDR but never released it, has confirmed its authenticity and reacted quite angrily in his forum that someone published his exploit.


Quote Mathieulh: Because some ungrateful person leaked my metldr exploit files, I will now be explaining how it actually works; see this as my ultimate release of all time for an ungrateful scene (and scenes in the future).

That's about how pissed off I am right now, because of course the person that leaked these files has no idea of how they actually work.

How to pwn metldr the "easy" way:
This is most likely how geohot exploited it in the first place; this takes (give or take) about 10 minutes to perform. (Yeah, not so much of an "I hacked the ps3 all on my own" work, especially not when it partially relies on Segher's work, one of the reasons geohot never shared the way he exploited metldr with anyone.)

I will assume here that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool.

Now you want to gain code execution in metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump; so far you are stuck in a chicken and egg scenario.

The question is, do you really need keys to get a decrypted signature?
Well, the real answer is no; thanks to a nifty fail that Sony left in metldr (and the bootloader), you can have the ldr decrypt the metadata for you, isn't that neat?

Here's how it works:

STEP I)

In a self file, at address 0x0C a value is used to calculate where the metadata is going to be decrypted; the "offset" is at self header + 0x0C.
It's the "meta header offset" in the SCE structure; it takes the SCE offset + that value, so what you have to do is to have a calculation that is equal to 0x3E01F0, which happens to be where metldr copies over the shared metadata from the mailbox (which is sent over by the ppu); the trick is to have metldr decrypt the metadata located at.
So basically you have to:
1) set the offset += 0x2000, dump the shared LSA, and keep increasing by 0x2000 until somewhere in the shared LSA 0x40 bytes change
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt the proper locations
3) then dump the shared LSA and we have the decrypted header
Knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address: 0x3E01F0 - 0xECF0 = the value you would patch at SCE header + 0x0C

ROM:0000F6C0 D2 68 87 E6 metadata_erk: .int 0xD26887E6 ; DATA XREF: ROM:0000F178o
For example in CECHA, the address you want to decrypt it to is 0x3E1F0,
so it should be 0x3E1F0 - 0xF6C0.


Once you get the decrypted header, you have the key to decrypt the rest of the metadata. There you go, you have your decrypted signature.

So far so good, now what's next?

STEP II)

Contrary to popular belief, you do not need to know the public key to calculate the private key; you just need two decrypted signatures. You now know how to dump these, so let's assume you just did; now all you have to do is bruteforce the curve type by constantly reloading a self into metldr, the curve type being only 1 byte, that would be 64 possibilities.

CONGRATULATIONS, you just signed a loader!

Now what?

Well, your first reflex would be to sign a loader and use it to dump whatever is in your Isolated Local Store. The first thing you will notice is that you have a bit of metldr's code as a leftover; after a few seconds of disassembly you will figure out it's actually some piece of code that clears metldr's code and registers and jumps to some address which matches your signed loader's entrypoint.

This seems like a more than likely candidate to exploit, as in your goal would be to overwrite that piece of code with your own; that way you would have the whole metldr code right before the point where everything gets cleared out.

Let's try to do just that. From your previous dump, you obviously know that the clear code is located from 0x400 to 0x630 (0x410 being where metldr jumps when it clears). Your first attempt would naturally be to have a loader section load at 0x400; well, not so surprisingly, it fails. Because you are not without a brain (at least you aren't supposed to be if you're reading and understanding this), you will assume that it is likely that metldr checks whether you aren't loading your loader/self section below a certain address, which, considering you know the loaders' entrypoint, is most likely to be 0x12C00. This assumption is in fact correct, as metldr will make sure you cannot load any loader at 0x12BFF and below. Seems like a huge letdown...

Well, maybe not, because yet again you are not without a brain: you check out the hardware properties for the Local Store, and you find out that the memory wraps around (memory is a donut, as someone once said at some CCC conference).

So what happens when you load your loader at, let's say, from 0x3F000 to 0x40000+some address (like 0x40410 for example)?

Well, it WORKS!
You could put the section at 0x3F000 if you made the length 0x1414 and the last instruction branches "up" to the dump code:

ROM:000008AC 33 7F 6C 80 brsl lr, cleanup_and_jump_entry
ROM:000008B0 32 00 11 80 br loc_93C
ROM:00000410 cleanup_and_jump_entry: ; CODE XREF: main+4Cp
ROM:00000410 32 7F FF 80 br sub_40C
This is what the exploit that got leaked (yeah, that's not really their work eh, but you figured that much by now, did you not?) does.
It overwrites from 0x000 to 0x480 because I originally loaded the section of size 0x880 to 0x3FC00.

So now you get code execution in metldr at the best time possible, because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too (although they are hardcoded in metldr's code anyway).


There you go, you have a metldr dump!

Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leak it. (Not like any of them would have been able to tell you how all this even works in the first place.)

So long, everyone.
Remember, don't ever bite the hands that feed you.

P.S. Oh! And btw, if you are talented enough to make hardware to dump the shared LSA, you can decrypt any lv0 using this technique.

Source: Lan.st
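The quoted post describes a section-range check that only enforces a lower bound, so a section starting high in the Local Store can wrap around into the low addresses. The following is an added defensive illustration (constructed here, not code from the post, from metldr or from any PS3 tool): the weak check beside a hardened one that also bounds the section end. The constants are the post's numbers; the function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the situation in the post: a 256 KiB Local Store
 * that wraps around (0x40000 -> 0x0) and a loader region starting at the
 * loaders' entrypoint 0x12C00. Function names are hypothetical. */
#define LS_SIZE          0x40000u
#define LOADER_MIN_ADDR  0x12C00u

/* Weak check, as the post describes metldr's behaviour: only the start
 * address is compared against the loader region. A section at 0x3F000
 * with length 0x1414 passes, although it ends at 0x414 after wrapping. */
bool section_ok_weak(uint32_t addr, uint32_t len)
{
    (void)len;
    return addr >= LOADER_MIN_ADDR;
}

/* Hardened check: the start must lie inside the loader region AND the
 * end must stay inside the Local Store. The end is tested as
 * len <= LS_SIZE - addr so the arithmetic itself cannot overflow. */
bool section_ok_hardened(uint32_t addr, uint32_t len)
{
    if (addr < LOADER_MIN_ADDR || addr >= LS_SIZE)
        return false;
    if (len == 0 || len > LS_SIZE - addr)   /* would run past 0x40000 */
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample sections using the post's numbers. */
    struct { uint32_t addr, len; const char *what; } cases[] = {
        { 0x12C00, 0x1000, "ordinary loader section" },
        { 0x00400, 0x0230, "direct write over the clear code" },
        { 0x3F000, 0x1414, "wraps to 0x000..0x413" },
        { 0x3FC00, 0x0880, "wraps to 0x000..0x47F" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("addr=0x%05X len=0x%04X weak=%d hardened=%d  (%s)\n",
               cases[i].addr, cases[i].len,
               section_ok_weak(cases[i].addr, cases[i].len),
               section_ok_hardened(cases[i].addr, cases[i].len),
               cases[i].what);
    return 0;
}
```

Only the hardened check rejects the two wrapping sections; both checks reject the direct write below 0x12C00.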
 
Metldr exploit has been leaked!

A Metldr exploit that originally comes from Mathieulh has been leaked; he has already confirmed this on Twitter! The whole thing comes from an anonymous person.
 
Re: Metldr exploit has been leaked!

Short update on the True Blue 2 dongle!

The games now also run from the HDD (update 2.2)!

On the net there are currently backups of Rage, Dirt 3, Portal 2, Catherine, Captain America Super Soldier, ****** Ball Z Ultimate Tenkaichi. Unfortunately all US versions, and they only work with the True Blue dongle.



Rebug has also released its own True Blue CFW!

True Blue Dongle User Guide:

At the moment the dongles can only be obtained via the USA. I would wait and see whether an alternative (free CFW) doesn't appear in the near future after all.
 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Kakarotoks reports on Twitter that he has succeeded in a JB on 3.73!



It doesn't yet mean that a CFW will appear, or that a backup manager will start. However, it's supposed to be possible on a software basis (no dongle or similar needed). But homebrew apps (Showtime, possibly emulators, ...) could be possible on 3.73.
 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Tweet from Kakarotoks!



His JB also works on 4.0! Attention! Do not update if you are on 3.55 (CFW)! See the previous post!
 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Demonhades has released a (basic) version of the 3.56 CFW.

At the moment the CFW is only in Spanish and has no advantages over the 3.55 CFWs.

But Demonhades wants to try to build in the functions of Cobra-USB and the True Blue dongle.

The CFW is currently only in Spanish and only the Iris Manager runs on it.

As soon as there is a revised version at some point, it could become a very interesting CFW.

Attention: the CFW can only be installed from 3.55 and below. After installation, a downgrade is only possible with a hardware flasher.

Source: Demonhades
 
multiman file manager becomes mmOS!

The team behind the Cobra USB dongle will release "mmOS", a big update for mmCM (the multiman Cobra manager) that replaces the multiman file manager.

It will be a desktop-based platform with new features:


  • supports 8 windows with up to 4096 entries per folder
  • double-click to launch video/music/picture/games...
  • single-click to multiple-select for copy/move
  • desktop icons for fast access to various options/functions
  • (shortcuts for showtime, games, themes, user created shortcuts)

mmOS is supposed to appear before the end of the month if all goes well!


Source: ps3crunch
 
After the E3 Team (E3Flasher) announced its own dongle for 3.6+ games, here is a statement on it!

Official Statement from E3 TEAM

A few days ago, there was news posted on various websites that we had cloned JB2 (aka 'True Blue') successfully.

We clarify that we did not clone any other product, but we did find ways to allow the newer games to work on CFW v3.55.

Our research has found 3 different ways to allow newer games to work on older firmwares!

A way:

  • No need for any new keys, but allows SOME new games to work on CFW v3.55 with a special bypass.
  • We think the USB device on the market uses this system. (Maybe)
  • With this method, most games, even v4.11 games, can run on CFW v3.55 very easily.
  • But there are some games that can't work with this A way.
E3 TEAM knows this A way very well and can modify a newer v3.6+ game in 10 min.

B way:

  • Decrypt games with its private key and encrypt with the v3.55 key, so the game can run on CFW v3.55 successfully.
  • For example, you need the v3.65 key to decrypt a v3.65 game, and the v4.11 key to decrypt a v4.11 game.
  • E3 Team can successfully get all newer keys up to v4.11.
  • We are 100% sure we can get all keys for v4.20 or higher FW the same way; it only takes some more time.
  • This means E3 TEAM can decrypt all newer games with this B way.
As a matter of fact, we are planning a newer CFW (no more need to be stuck on v3.55) when we have completed our research.

C way:

  • Modify the Blu-Ray firmware to allow newer games to run on older firmware.
  • But only a few of the newer games can work with this C way, so we stopped researching this method.

We are in the process of developing a new USB device, to allow users to enjoy our work at an economical cost. We will release further news and a list of its features regarding this new product at a later date.

Finally, to thank all users who have supported us in the past with our previous products, like the E3 Card Reader and E3 Flasher, we have decided to release 2 game eboots for free for everyone to enjoy, which work directly on any console running CFW v3.55.

Remember, our current product, the E3 Flasher, is also very useful for dual-boot and to downgrade older consoles, as for now we still need to stay on CFW v3.55.

PS: Unfortunately the latest Slim 3000x consoles can't currently work with the downgrade or dual-boot methods mentioned above, as it is a fully different design compared to the older PS3 consoles, but have no fear, we are still working hard on solving this puzzle.

Below are links to our proof video and eboots to show off our work. First we run Ninja Gaiden 3 using the A way, and then second we run Splinter Cell Trilogy HD with the B way, which, no matter how hard you have tried the A way, will never run.

As a foretaste, the team behind the E3 Flasher has released 2 eboots free for all 3.55 CFW users to download:

Ninja Gaiden 3 EUR and FIFA Street 2012 EUR

The eboots are available here:
 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Cobra-USB is bringing CFW 4.30 for their dongle.

In order to support Cobra USB users better Team Cobra will release in the next few weeks a custom 4.3x+ firmware. All your favourite features will still be supported whilst being able to enjoy the latest titles. Stay tuned for further news soon.

Interesting for owners of such a dongle, since the advantages of all Cobra features and a CFW 4.30 can be used together.

Source:
 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Cobra USB allegedly hacked!

According to some reports, oct0xor (who already hacked the PS3Usercheat dongle) has succeeded in hacking the Cobra USB dongle.

Among other things, he intends to make the payload CFW-capable in order to be able to use its functions on one.

 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

News on the CobraUSB CFW 4.30: the feature for playing PS2 games on non-compatible consoles has been removed!

Cobra users will be pleased to hear that the Cobra USB CFW 4.30+ is currently being BETA tested. We are pleased to confirm that the PS1, PS2, PSP and all other Cobra USB features have already been integrated into our CFW.

Thanks to all Cobra users for their patience and support.

* Please note that PS2 games on non backwards compatible machines are no longer supported, since this functionality was removed in 4.30 OFW.





 
Re: PlayStation 3 Thread Rumours/News/Everything about Jailbreak

Team Cobra releases CFW 4.30 and FW 6.0 for the CobraUSB dongle!

We're pleased to present Cobra-USB FW V6, available along with the respective CFW 4.30 from the downloads section! After successful Beta testing, we can confirm that Cobra now operates on 4.30 CFW, allowing you to enjoy the latest releases whilst enjoying Cobra functionality as well. Thanks to all Cobra USB owners for their patience and support.

Look out for the soon to be released Cobra ODE, bringing freedom and versatility to the scene!

*Please note that region free support for PS1/PS2 titles still needs to be improved in a future firmware update.*




Source:
 