Talk:Dumping Metldr: Difference between revisions
Revision as of 10:43, 17 January 2012
The exact steps should work on a CECH250.A, shouldn't they? I first did the steps manually, then ran the script, but both resulted in seemingly encrypted garbage (no strings found, nor were the erk or the riv saved at 0x00-0x20). I'm using the 3.55checkoff.pup from the "Downgrading with NOR flasher" talk page, which seemed to have the SS patches because that is how I retrieved my eid0. --Afiser 01:46, 2 January 2012 (CST)
Metldr dump can be achieved without using Otheros++:
- Install Red Ribbon (even on an external HD).
- Enable SS patches.
- Follow the rest of steps.
--granberro 00:00 17 January 2012 (GMT)
You need:
1. CFW 3.55 Otheros Special ++ [1]
2. A Linux distribution such as Red Ribb0n. [2]
3. Graf Chokolo's latest kernel.
--DUMP--
3.1 You can use this app in GameOS. Dump your flash with it and save the dump to a USB device.
3.2 Unpack the dump; you'll need ps3tools (NORUNPACK and PUPUNPACK) [3].
Once they are compiled you only have to run them (key setup is omitted here; this assumes you have already configured the keys):
NORUNPACK YOUR_DUMP.BIN FOLDER-TO-UNPACK-INTO
You'll also need an unpacked copy of the OFW to extract the other files; you can use this firmware (3.55) [4],
like this: PUPUNPACK PS3UPDATE.PUP FOLDER
3.3 Now you have unpacked both your flash dump and the firmware. These are the files you need to start from.
NAND/NOR FLASH:
METLDR, found inside asecure_loader. eEID (you need to use the eid splitter to separate the eEID into 0,1,2,3,4,5). We need EID0, so I also explain how to get it:
First, once you have your eEID, download the "eid splitter" tool from RMS [5] (you'll need GCC: "gcc eEID-SPLIT.c").
Once downloaded and compiled, run it on your eEID: "eEID-SPLIT Your_eEID"
When it finishes you have six files, "0,1,2,3,4,5"; rename them EID0, EID1, EID2, EID3, EID4, EID5 respectively and you are READY!
I recommend saving all your EID files somewhere safe. They are your insurance against a brick.
From the unpacked firmware you now need:
isoldr RL_FOR_PROGRAM.img default.spp
And of course we need the tools that let us make the dump:
spp_verifier.self > [6]
appldr-metldrexploit350.self > [7]
Now, in the directory where you unpacked metldr838exploit.tar.gz, run these commands:
insmod ./metldrpwn.ko   (installs Mathieulh's exploit module)
cat metldr > /proc/metldrpwn/metldr
cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
cat eid0 > /proc/metldrpwn/eid0
echo 1 > /proc/metldrpwn/run
cat /proc/metldrpwn/debug
Congratulations! Now you have a dump of your system's METLDR, which is unique to your console.
cp /proc/metldrpwn/dump /home/user/"DUMP-NAME"
Now you can find the famous private keys at the first offsets of the dump.
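As an added example (this is not code from the original page or from the exploit module's author), here is the same /proc/metldrpwn sequence wrapped in a POSIX shell script with the checks a practitioner would want before and after the dump: it refuses to run with missing or empty input files, and it flags a result whose first 0x20 bytes are all zero, which is what you get when the buffer was never filled rather than a decrypted loader (the discussion above looks for the erk and riv in that region, so that expectation is an assumption taken from this talk page). The /proc interface and input file names are those shown on the page; the output path is an assumption.

```sh
#!/bin/sh
# Added example (not part of the original page): the /proc/metldrpwn dump
# sequence with precondition and result checks. The /proc interface and
# input file names are those shown on the page; the output path is an
# assumption.

PWN=/proc/metldrpwn

# Succeed only if every argument is an existing, non-empty file.
check_inputs() {
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty input: $f" >&2
            return 1
        fi
    done
    return 0
}

# Succeed if the dump is non-empty and its first 0x20 bytes are not all
# zero. Assumption (from the talk page): a real dump carries key material
# at the start, so an all-zero head means the exploit did not run or the
# dump buffer was never filled. od -v keeps repeated all-zero lines
# instead of collapsing them to "*".
dump_plausible() {
    [ -s "$1" ] || return 1
    head_hex=$(dd if="$1" bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ -n "$head_hex" ] || return 1
    case $head_hex in
        *[!0]*) return 0 ;;   # at least one non-zero byte in the head
        *)      return 1 ;;
    esac
}

# run_dump METLDR MATHLDR RVKPRG EID0 OUTFILE
run_dump() {
    check_inputs "$1" "$2" "$3" "$4" || return 1
    # load Mathieulh's module only if its proc directory is not already there
    [ -d "$PWN" ] || insmod ./metldrpwn.ko || return 1
    cat "$1" > "$PWN/metldr"  || return 1
    cat "$2" > "$PWN/mathldr" || return 1
    cat "$3" > "$PWN/rvkprg"  || return 1
    cat "$4" > "$PWN/eid0"    || return 1
    echo 1 > "$PWN/run"       || return 1
    cat "$PWN/debug"
    cp "$PWN/dump" "$5" || return 1
    if dump_plausible "$5"; then
        echo "dump written to $5" >&2
    else
        echo "dump at $5 is empty or starts with 0x20 zero bytes; check $PWN/debug" >&2
        return 1
    fi
}

# Usage, from the directory where metldr838exploit.tar.gz was unpacked
# (uncomment to run on the console; the output path is an assumption):
# run_dump metldr appldr-metldrexploit350.self RL_FOR_PROGRAM.img eid0 /home/user/metldr.dump
```

The script deliberately stops at the first failed write to the module's proc files instead of continuing, so a half-loaded module never reaches the `echo 1 > run` step with a missing input.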