Editing Dumping Metldr



Latest revision Your text
Line 1: Line 1:
{{Wikify}}
{{Wikify}}


files main: https://web.archive.org/web/*/http://ps3devwiki.com/files/devtools/dump-metldr/
files main: http://www.ps3devwiki.com/files/devtools/dump-metldr/


== source/basis ==
== source/basis ==
[http://www.phrack.org/issues.html?issue=66&id=13&mode=txt archives/66/p66_0x0d_Power cell buffer overflow_by_BSDaemon.txt] [http://www.kernelhacking.com/rodrigo/docs/Cell-phrack.txt]
[http://www.phrack.org/issues.html?issue=66&id=13&mode=txt archives/66/p66_0x0d_Power cell buffer overflow_by_BSDaemon.txt] [http://www.kernelhacking.com/rodrigo/docs/Cell-phrack.txt]


== How to use ==
==Howto use==
 
ohai ill tell you guys howto use mathldr<br/>
ohai I'll tell you guys how to use mathldr<br/>
(i like to call it that, its kinda catchy)<br/>
(I like to call it that, it's kinda catchy)<br/>
this is pretty safe (if you know what you are doing, and do it right)<br/>
this is pretty safe (if you know what you are doing, and do it right)<br/>
just don't go crazy with it, it's possible mess your eid up if you attempt to rehash it and flash or attempt in any way to replace your eid<br/>
just dont go crazy with it, its possible mess your eid up if you attempt to rehash it and flash or attempt in any way to replace your eid<br/>
if you plan on rehashing your EID make sure to have a flasher and a good backup of your flash handy<br/>
if you plan on rehashing your EID make sure to have a flasher and a good backup of your flash handy<br/>
you can decrypt eid with root keys and static keys in the wiki key talk page<br/>
you can decrypt eid with root keys and static keys in the wiki key talk page<br/>
The static keys: http://web.archive.org/web/20150910133656/http://pastie.org/private/qwndjafrtkvhe9cikbxhg
the static keys: http://pastie.org/private/qwndjafrtkvhe9cikbxhg
 
=== Prerequisites ===


===prerequisites===
<ol>
<ol>
<li>otheros++ with ss patches<br/> (yes the ones that cause trophy errors, just update when you wanna play games again and dont complain)</li>
<li>otheros++ with ss patches<br/> (yes the ones that cause trophy errors, just update when you wanna play games again and dont complain)</li>
<li>linux on your ps3 (im using ubuntu 10.10)</li>
<li>linux on your ps3 (im using ubuntu 10.10)</li>
<li>a unpacked copy of your flash (which you can obtain by using glevands [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/Tools/USB%20Flash%20Dump/ dump_flash.pkg]<br/>), you need:
<li>a unpacked copy of your flash (which you can obtain by using glevands [http://www.ps3devwiki.com/files/flash/Tools/USB%20Flash%20Dump/ dump_flash.pkg]<br/>), you need:
<ul>
<ul>
<li>metldr (aka asecure)</li>
<li>metldr (aka asecure)</li>
<li><strike>EID0</strike> (not needed, commented out in run.sh) (if used, you will need to split eid from your flash [[Dev_Tools#dump_EID0.sh|dump_EID0.sh]]; use 'modprobe ps3dmproxy' if needed)</li>
<li><strike>EID0</strike> (not needed, commented out in run.sh) (if used, you will need to split eid from your flash http://www.ps3devwiki.com/index.php?title=Dev_Tools#dump_EID0.sh ; use 'modprobe ps3dmproxy' if needed)</li>
</ul>
</ul>
and an unpacked copy of OFW (e.g. [https://web.archive.org/web/*/http://ps3devwiki.com/files/firmware/OFW-CEX/3.55/ 3.55 OFW-CEX]), you will need the following files from these:
and an unpacked copy of OFW (e.g. [http://www.ps3devwiki.com/files/firmware/OFW-CEX/3.55/ 3.55 OFW-CEX]), you will need the following files from these:
<ul>
<ul>
<li>isoldr</li>
<li>isoldr</li>
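Review bot: the right-hand column swaps the archive.org copies of the dump-metldr directory, dump_flash.pkg, the 3.55 OFW-CEX files and the static-keys pastie back to the original URLs, and at the same time reintroduces the typos the left column had fixed ("ohai ill", "its kinda", "Howto use"). The pastie.org private link is only reachable through the archived copy on the left, so readers of the right-hand text lose the static-keys reference entirely; keep the archived links. If they stay, prefer a dated snapshot to the `web/*/` form, which opens the Wayback capture calendar rather than the file itself. Both columns also drop a word in "it's possible mess your eid up" (should be "possible to mess").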
Line 34: Line 32:
<li>and obviously appldr-metldrexploit350.self from the files</li></ul>
<li>and obviously appldr-metldrexploit350.self from the files</li></ul>
</li>
</li>
<li>ps3tools [[Dev_Tools#fail0VERFLOW|fail0VERFLOW]] (to unpack your nor and the ofw ie norunpack and pupunpack)</li>
<li>ps3tools http://www.ps3devwiki.com/index.php?title=Dev_Tools#fail0VERFLOW (to unpack your nor and the ofw ie norunpack and pupunpack)</li>
<li>latest gitbrew linux kernel</li>
<li>latest gitbrew linux kernel</li>
<li>a desire to quit *****ing and complaining and get off your ass.</li>
<li>a desire to quit *****ing and complaining and get off your ass.</li>
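Review bot: the right column replaces the internal `[[Dev_Tools#fail0VERFLOW|fail0VERFLOW]]` link with a bare `http://www.ps3devwiki.com/index.php?title=...` URL to the same wiki. The wikilink form on the left follows page moves and renders as a normal link, while the raw URL breaks as soon as the host or title changes; keep the left column's form (the same applies to the dump_EID0.sh link earlier in this list).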
Line 43: Line 41:


=== Step by Step instuctions ===
=== Step by Step instuctions ===
 
Precompiled metldrpwn : http://www.ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip
Precompiled metldrpwn : https://web.archive.org/web/*/http://ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip


you can do this over ssh or on console.<br/>
you can do this over ssh or on console.<br/>


Note: don't forget to provide EID0 and RL_FOR_PROGRAM.img if you do manually, instead of the run.sh file where they are commented out
Note: don't forget to provide EID0 and RL_FOR_PROGRAM.img if you do manually, instead of the run.sh file where they are commented out
<ol>
<ol>
<li>ssh into the ps3</li>
<li>ssh into the ps3</li>
<li>download the files:
<li>download the files:
{{keyboard|content=<syntaxhighlight lang="bash">wget https://web.archive.org/web/*/http://ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip</syntaxhighlight>}}</li>
{{keyboard|content=wget http://www.ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip}}</li>
<li>untar the files:
<li>untar the files:
{{keyboard|content=<syntaxhighlight lang="bash">unzip metldrpwn.zip</syntaxhighlight>}}</li>
{{keyboard|content=unzip metldrpwn.zip}}</li>
<li>enter the directory and compile:
<li>enter the directory and compile:
{{keyboard|content=<syntaxhighlight lang="bash">cd metldrpwn && make</syntaxhighlight>}}</li>
{{keyboard|content=cd metldrpwn && make}}</li>
<li>run the following commands now:
<li>run the following commands now:
{{keyboard|content=<syntaxhighlight lang="bash">
{{keyboard|content=insmod ./metldrpwn.ko
insmod ./metldrpwn.ko
cat metldr > /proc/metldrpwn/metldr
cat metldr > /proc/metldrpwn/metldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
Line 66: Line 61:
cat eid0 > /proc/metldrpwn/eid0
cat eid0 > /proc/metldrpwn/eid0
echo 1 > /proc/metldrpwn/run
echo 1 > /proc/metldrpwn/run
cat /proc/metldrpwn/debug
cat /proc/metldrpwn/debug}}</li>
</syntaxhighlight>}}</li>
<li>there now you have a dump check it out:
<li>there now you have a dump check it out:
{{keyboard|content=<syntaxhighlight lang="bash">hd /proc/metldrpwn/dump  | less</syntaxhighlight>}}</li>
{{keyboard|content=hd /proc/metldrpwn/dump  | less}}</li>
<li>now copy the dump somewhere or youll lose it:
<li>now copy the dump somewhere or youll lose it:
{{keyboard|content=<syntaxhighlight lang="bash">cp /proc/metldrpwn/dump /home/username/</syntaxhighlight>}}</li>
{{keyboard|content=cp /proc/metldrpwn/dump /home/username/}}</li>
</ol>
</ol>
now you have a copy in your home directory for safe keeping<br/>
now you have a copy in your home directory for safe keeping<br/>
congrats you've completed about < 10 mins of actual work<br/>
congrats youve completed about < 10 mins of actual work<br/>
<br/>
<br/>
there you go: keys are in 0x00 to 0x20 (first 3 lines)<br/>
there you go keys are in 0x00 to 0x20 (first 3 lines)<br/>


::'''So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)'''
::'''So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)'''


==== example ====
==== example ====
  00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|    // erk/key
  00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|    // erk/key
  00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|    // erk/key
  00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|    // erk/key
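Review bot: step 3 says "untar the files" but the command is `unzip metldrpwn.zip`; call the step "unzip the files". The heading "Step by Step instuctions" is misspelled in both columns. The command block still pipes `cat eid0 > /proc/metldrpwn/eid0` although the prerequisites strike EID0 as not needed and the note above says it is commented out in run.sh; mark that line optional or drop it so the two sections agree. The right column also removes the `<syntaxhighlight lang="bash">` wrappers, which loses the shell highlighting for the multi-line block from `insmod ./metldrpwn.ko` to `cat /proc/metldrpwn/debug`. Finally, "keys are in 0x00 to 0x20 (first 3 lines)" is inconsistent: 0x00 to 0x20 is two 16-byte lines, while the bold paragraph that follows says the root keys are copied from 0x00 to 0x30, which is three lines; make the range and the line count agree.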
Line 89: Line 82:


==== example with hardcoded version of minver 3.50+ console ====
==== example with hardcoded version of minver 3.50+ console ====
  Rare example of eid_root_key with min version hardcoded into it.  Found in some rare <!--// minver 3.50 revisionkey 00 00 0E 92  C3 26 6E 4B BB 28 2E 76 B7 67 70 95 //--> 2501A's (believed to possibly be in 3.60+ as well, but unable to verify.)
  Rare example of eid_root_key with min version hardcoded into it.  Found in some rare <!--// minver 3.50 revisionkey 00 00 0E 92  C3 26 6E 4B BB 28 2E 76 B7 67 70 95 //--> 2501A's (believed to possibly be in 3.60+ as well, but unable to verify.)
  00000000  F5 CC 0B 7F 4D 00 31 07 F2 BC 57 A4 B5 C3 8B E1  |õÌ..M.1.ò¼W¤µÃ‹á|  // erk/key
  00000000  F5 CC 0B 7F 4D 00 31 07 F2 BC 57 A4 B5 C3 8B E1  |õÌ..M.1.ò¼W¤µÃ‹á|  // erk/key
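Review bot: the minver/revisionkey bytes in this example sit inside an HTML comment (`<!--// minver 3.50 revisionkey ... //-->`), so they never appear in the rendered page and are only visible in the wiki source; either show them as a visible hex line or remove the comment. The dump itself shows only the 0x00 line, so the hardcoded minimum version the example is meant to illustrate is not actually shown; the 3.56 example later on the page includes the 0x30 line (leading bytes `00 03 00 56`), which is the line a reader would want here as well.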
Line 100: Line 92:
theres also a nifty program on the dev tools page to turn your hex into key its called hex2key<br />
theres also a nifty program on the dev tools page to turn your hex into key its called hex2key<br />


Example of eid_root_key with hardcoded version from minver 3.56+ console
===some good reading on the subject for further understanding:===
00000000  BF 85 81 FF 99 E8 CB A8 32 DF 41 00 66 C9 5F C7
[[File:Ps3-cryptochain.png|300px|thumb|left|3.56 and older Chain of Trust]]
00000010  4B A8 EE A8 9A 68 8E 15 81 1E 54 ED A8 EB 06 4C
http://www.ps3devwiki.com/images/e/ed/Ps3-cryptochain.png<br/>
00000020  EB BF C3 41 4A 9E DF B0 ED A0 86 68 03 3D AD 87
http://www.ps3devwiki.com/index.php?title=Boot_Order<br/>
00000030  00 03 00 56 00 00 00 00 32 7F FF 80 32 7F FF 80
http://www.ps3devwiki.com/index.php?title=Dev_Tools<br/>
 
http://www.ps3devwiki.com/index.php?title=Flash<br/>
=== Some good reading on the subject for further understanding ===
http://www.ps3devwiki.com/index.php?title=Talk:Flash<br/>
http://www.ps3devwiki.com/index.php?title=IDPS<br/>
http://www.ps3devwiki.com/index.php?title=Talk:IDPS<br/>
http://www.ps3devwiki.com/index.php?title=Per_Console_Keys<br/>
http://www.ps3devwiki.com/index.php?title=Talk:Per_Console_Keys<br/>
http://www.ps3devwiki.com/index.php?title=Hypervisor_Reverse_Engineering<br/>
http://www.ps3devwiki.com/index.php?title=Talk:Keys<br/>
http://www.ps3devwiki.com/index.php?title=Synergistic_Processing_Unit_%28SPU%29<br/>
http://www.ps3devwiki.com/index.php?title=Talk:Synergistic_Processing_Unit_%28SPU%29<br/>
http://www.ps3devwiki.com/index.php?title=SPU_Isolated_Modules_Reverse_Engineering<br/>
http://www.ps3devwiki.com/index.php?title=Talk:SPU_Isolated_Modules_Reverse_Engineering<br/>


[[File:Ps3-cryptochain.png|300px|thumb|left|3.56 and older Chain of Trust]]
* [[Boot Order]]
* [[Dev Tools]]
* [[Flash]] / [[Talk:Flash]]
* [[IDPS]] / [[Talk:IDPS]]
* [[Per Console Keys]] / [[Talk:Per Console Keys]]
* [[Hypervisor Reverse Engineering]]
* [[Talk:Keys]]
* [[Synergistic Processing Unit %28SPU%29|Synergistic Processing Unit (SPU)]] / [[Talk:Synergistic Processing Unit %28SPU%29|Talk:Synergistic Processing Unit (SPU)]]
* [[SPU Isolated Modules Reverse Engineering]] / [[Talk:SPU Isolated Modules Reverse Engineering]]


== Mathieulh's explaination ==
== Mathieulh's explaination ==
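Review bot: the right column removes the whole "Example of eid_root_key with hardcoded version from minver 3.56+ console" dump together with the wikilinked reading list. If the intent was only to revert the links, the 3.56+ example should stay, since it is the only dump on the page that includes the 0x30 line with the version bytes `00 03 00 56`. Independently of the revert, that example lacks the `|ascii|` column and the `// erk/key` annotations the other two dumps use, the `===some good reading ...:===` heading on the right lacks the spaces inside the `===` used elsewhere on the page, and "theres also a nifty program" needs an apostrophe in both columns.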
Line 129: Line 121:
This is most likely how geohot exploited it in the first place, this takes (give or take) about 10 minutes to be performed. (yeah, not so much of a "I hacked the ps3 all on my own work", especially not when it partially relies on Segher's work, one of the reason geohot never shared the way he exploited metldr to anyone)
This is most likely how geohot exploited it in the first place, this takes (give or take) about 10 minutes to be performed. (yeah, not so much of a "I hacked the ps3 all on my own work", especially not when it partially relies on Segher's work, one of the reason geohot never shared the way he exploited metldr to anyone)
<br><br>
<br><br>
I will assume here, that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generator tool
I will assume here, that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool
<br><br>
<br><br>
Now You want to gain code execution to metldr, you know that metldr loads loaders to its own space, but you cannot run a loader because the loader needs to be signed and even though you know about the signature fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key and to get signatures you need keys which you are currently trying to dump, so far you are stuck in a chicken and egg scenario.
Now You want to gain code execution to metldr, you know that metldr loads loaders to its own space, but you cannot run a loader because the loader needs to be signed and even though you know about the signature fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key and to get signatures you need keys which you are currently trying to dump, so far you are stuck in a chicken and egg scenario.
Line 144: Line 136:
So basically you have to <br>
So basically you have to <br>
1) set the offset += 0x2000<br>
1) set the offset += 0x2000<br>
dump shared lsa (located at 0x3E000 in ls)<br>
dump shared lsa<br>
and keep increasing 0x2000<br>
and keep increasing 0x2000<br>
until somewhere in the shared lsa, 0x40 byte change<br>
until somewhere in the shared lsa 0x40 byte change<br>
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt the proper locations<br>
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt the proper locations<br>
3) then dump the shared lsa and you have a decrypted header<br>
3) then dump shared lsa and we have decrypted header<br>
knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address 0x3E1F0 - 0xECF0 = the value you would patch at SCE header + 0x0C<br>
knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address 0x3E1F0 - 0xECF0 = the value you would patch at SCE header + 0x0C<br>
<br>
<br>
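Review bot: the right column drops "(located at 0x3E000 in ls)" from step 1, but the calculation two lines later (`0x3E1F0 - 0xECF0` = the value to patch at SCE header + 0x0C) only makes sense if the reader knows where the shared LSA sits in local store, so keep the location. The left column's wording ("until somewhere in the shared lsa, 0x40 byte change"; "dump the shared lsa and you have a decrypted header") is also the clearer one; in both columns "0x40 byte change" should read "0x40 bytes change".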
Line 200: Line 192:


'''Old partial/incomplete source: http://lan.st/showthread.php?t=4025'''
'''Old partial/incomplete source: http://lan.st/showthread.php?t=4025'''
(Link now deprecated)  
(Link now depreciated)  






{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
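Review bot: the right column reverts "deprecated" to "depreciated" after the lan.st link; "depreciated" means lost in value, and since the note is about a link that no longer works, "deprecated" or simply "dead link" is the word. The run of empty lines before `{{Reverse engineering}}` in both columns can be collapsed to one.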