Dumping Metldr
{{Wikify}}
files main: http://www.ps3devwiki.com/files/devtools/dump-metldr/
== source/basis ==
[http://www.phrack.org/issues.html?issue=66&id=13&mode=txt archives/66/p66_0x0d_Power cell buffer overflow_by_BSDaemon.txt] [http://www.kernelhacking.com/rodrigo/docs/Cell-phrack.txt]
==Howto use==
ohai, I'll tell you guys how to use mathldr<br/>
(I like to call it that, it's kinda catchy)<br/>
this is pretty safe (if you know what you are doing, and do it right)<br/>
just don't go crazy with it, it's possible to mess your EID up if you attempt to rehash it and flash, or attempt in any way to replace your EID<br/>
if you plan on rehashing your EID make sure to have a flasher and a good backup of your flash handy<br/>
you can decrypt EID with the root keys and static keys on the wiki key talk page<br/>
the static keys: http://pastie.org/private/qwndjafrtkvhe9cikbxhg
===prerequisites===
<ol>
<li>otheros++ with ss patches<br/> (yes the ones that cause trophy errors, just update when you wanna play games again and don't complain)</li>
<li>linux on your ps3 (I'm using ubuntu 10.10)</li>
<li>an unpacked copy of your flash (which you can obtain by using glevand's [http://www.ps3devwiki.com/files/flash/Tools/USB%20Flash%20Dump/ dump_flash.pkg]<br/>), you need:
<ul>
<li>metldr (aka asecure)</li>
<li><strike>EID0</strike> (not needed, commented out in run.sh) (if used, you will need to split EID from your flash with [[Dev_Tools#dump_EID0.sh|dump_EID0.sh]]; use 'modprobe ps3dmproxy' if needed)</li>
</ul>
and an unpacked copy of OFW (e.g. [http://www.ps3devwiki.com/files/firmware/OFW-CEX/3.55/ 3.55 OFW-CEX]), you will need the following files from these:
<ul>
<li>isoldr</li>
=== Step by Step instructions ===
Precompiled metldrpwn : http://www.ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip
you can do this over ssh or on console.<br/>
Note: don't forget to provide EID0 and RL_FOR_PROGRAM.img if you do it manually instead of with the run.sh file, where they are commented out
<ol>
<li>ssh into the ps3</li>
<li>download the files:
{{keyboard|content=wget http://www.ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip}}</li>
<li>unzip the files:
{{keyboard|content=unzip metldrpwn.zip}}</li>
<li>enter the directory and compile:
{{keyboard|content=cd metldrpwn && make}}</li>
<li>run the following commands now:
{{keyboard|content=insmod ./metldrpwn.ko
cat metldr > /proc/metldrpwn/metldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
cat eid0 > /proc/metldrpwn/eid0
echo 1 > /proc/metldrpwn/run
cat /proc/metldrpwn/debug}}</li>
<li>there, now you have a dump; check it out:
{{keyboard|content=hd /proc/metldrpwn/dump | less}}</li>
<li>now copy the dump somewhere or you'll lose it:
{{keyboard|content=cp /proc/metldrpwn/dump /home/username/}}</li>
</ol>
now you have a copy in your home directory for safe keeping<br/>
congrats, you've completed about < 10 mins of actual work<br/>
<br/>
there you go, keys are in 0x00 to 0x20 (first 3 lines)<br/>
::'''So now you get code execution on metldr at the best time possible, because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)'''
==== example ====
00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......| // erk/key
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{| // erk/key
==== example with hardcoded version of minver 3.50+ console ====
Rare example of eid_root_key with min version hardcoded into it. Found in some rare <!--// minver 3.50 revisionkey 00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95 //--> 2501A's (believed to possibly be in 3.60+ as well, but unable to verify.)
00000000 F5 CC 0B 7F 4D 00 31 07 F2 BC 57 A4 B5 C3 8B E1 |õÌ..M.1.ò¼W¤µÃ‹á| // erk/key
00000030 00 03 00 56 00 00 00 00 32 7F FF 80 32 7F FF 80
===some good reading on the subject for further understanding:===
[[File:Ps3-cryptochain.png|300px|thumb|left|3.56 and older Chain of Trust]]
* [[Boot Order]]
This is most likely how geohot exploited it in the first place; this takes (give or take) about 10 minutes to perform. (yeah, not so much of an "I hacked the ps3 all on my own" work, especially not when it partially relies on Segher's work, one of the reasons geohot never shared the way he exploited metldr with anyone)
<br><br>
I will assume here that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool
<br><br>
Now you want to gain code execution on metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the signature fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump. So far you are stuck in a chicken-and-egg scenario.
So basically you have to <br>
1) set the offset += 0x2000<br>
dump shared lsa<br>
and keep increasing by 0x2000<br>
until somewhere in the shared lsa 0x40 bytes change<br>
2) when it changes 0x40 bytes, you can add/subtract the proper amount to make it decrypt the proper locations<br>
3) then dump shared lsa and we have the decrypted header<br>
knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address: 0x3E1F0 - 0xECF0 = the value you would patch at SCE header + 0x0C<br>
<br>