• KaKaRoTo and Wololo with statements on the published LV0 keys

    Over the last few days things went haywire in the normally fairly quiet PS3 scene. First there was a leak of the LV0 keys, then the dubious BlueDisk CFW, and finally Rogero's PS3 custom firmware 4.21. All of this came together within a few days, so the obvious question now is how the scene will move on after the publication of the LV0 keys and the new CFW. KaKaRoTo has now spoken up on the matter and published some information that is of particular interest to developers currently working on a 4.x custom firmware for the PS3.

    KaKaRoTo's post on the matter follows:

    Since the LV0 keys have now been leaked, I believe I can now share this info with you, to help out those who are trying to build their own 4.x CFW:

    The NPDRM ECDSA signature in the SELF footer is checked by lv2. It first asks appldr to tell it whether or not the signature is to be checked, and appldr will only set the flag if the SELF is a NPDRM with key revision from 3.56+ (the ones without private keys). This means that the SELF files signed with the new 3.56+ keys still don't have their ecdsa checked (probably to speed up file loading).

    If appldr says the ecdsa signature must be checked, then lv2 will verify it itself, and return an error if it's not correct. There are many ways to patch this check out.


    1. Patch out the check for the key revision in appldr
    2. Patch out the "set flag to 1" in appldr if the key revision is < 0xB
    3. Patch out the code in lv2 that stores the result from appldr
    4. Patch out the actual sigcheck function from lv2.
    5. Ignore the result of the ecdsa from lv2.


    Here is one of the patches (the 4th one, patching out the check function from lv2):

    In memory 0x800000000005A2A8, which corresponds to offset 0x6a2a8 in lv2_kernel.elf,

    Replace:
    e9 22 99 90 7c 08 02 a6

    With:

    38 60 00 00 4e 80 00 20

    This is for the 4.21 kernel (that was the latest one when I investigated this), I will leave it as an exercise to the reader to find the right offsets for the 4.25 and upcoming 4.30 kernel files.

    And here's another bit of info... in 4.21 lv2, at memory address 0x800000000005AA98 (you figure out the file offset yourself), that's where lv2 loads the 'check_signature_flag' result from appldr, so if you prefer implementing method 3 above, just replace the 'ld %r0, flag_result_from_appldr' by 'ld %r0, 0' and you got another method of patching it out. Either solution should work just the same though.

    Enjoy homebrew back on 4.x CFW....

    p.s: Thanks to flatz and glu0n who helped reverse this bit of info.
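An added example, not part of KaKaRoTo's post or of any PS3 project's code: a small Python integrity check that resolves the lv2 address quoted above to a file offset through the ELF64 program headers (the post's 0x800000000005A2A8 -> 0x6a2a8 mapping, generalised to any PT_LOAD layout) and reports whether an lv2_kernel.elf image still carries the original sigcheck prologue, the published replacement bytes, or something else. The ELF image it inspects is constructed inline so the script runs offline; a real dump's segment layout is an assumption here and may differ.

```python
# Added example (not KaKaRoTo's code): classify the 8 bytes at the lv2
# sigcheck address quoted in the post as original, patched or unknown.
import struct

LV2_ADDR = 0x800000000005A2A8                    # address quoted in the post
ORIGINAL = bytes.fromhex("e92299907c0802a6")     # ld r9,-0x6670(r2); mflr r0
PATCHED = bytes.fromhex("386000004e800020")      # li r3,0; blr


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the ELF64 PT_LOAD headers
    (big-endian, as a Cell PPE lv2_kernel.elf is)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 2:
        raise ValueError("not a big-endian ELF64 image")
    (e_phoff,) = struct.unpack_from(">Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(">HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            ">IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= vaddr < p_vaddr + p_filesz:  # PT_LOAD
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not inside any PT_LOAD segment")


def classify_sigcheck(elf: bytes, vaddr: int = LV2_ADDR) -> str:
    """'original': the ld/mflr prologue is intact; 'patched': replaced by
    li r3,0 ; blr (function returns 0 without checking); else 'unknown'."""
    off = vaddr_to_offset(elf, vaddr)
    words = elf[off:off + 8]
    return {ORIGINAL: "original", PATCHED: "patched"}.get(words, "unknown")


def build_test_image(patched: bool) -> bytes:
    """CONSTRUCTED minimal big-endian ELF64 (one PT_LOAD, file offset 0x10000
    mapped at 0x8000000000000000) so the post's 0x...5A2A8 -> 0x6a2a8 relation
    holds; it is not a real lv2 dump."""
    img = bytearray(0x80000)
    img[0:16] = b"\x7fELF\x02\x02\x01" + bytes(9)    # ELF64, MSB, version 1
    struct.pack_into(">HHIQQQIHHHHHH", img, 16,       # e_type .. e_shstrndx
                     2, 0x15, 1, 0, 0x40, 0, 0, 64, 56, 1, 0, 0, 0)
    struct.pack_into(">IIQQQQQQ", img, 0x40, 1, 5, 0x10000,   # PT_LOAD, R+X
                     0x8000000000000000, 0, 0x70000, 0x70000, 0x10000)
    img[0x6A2A8:0x6A2B0] = PATCHED if patched else ORIGINAL
    return bytes(img)


if __name__ == "__main__":
    for flag in (False, True):
        img = build_test_image(flag)
        print(f"{vaddr_to_offset(img, LV2_ADDR):#x}", classify_sigcheck(img))
```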
    Wololo also gave his opinion in a recent blog post and provided some background information as well.

    Background Information
    The similarity in events is extremely blatant but it started a little over two years ago when the first piracy-enabled firmware and USB dongle combo named the “PS3Jailbreak” was released. The release nuked a weakness in the PS3's simple USB protocols. This in return created a hole allowing the OS to be patched that furthermore allowed content to run from the HDD. In the aftermath the group fail0verflow allowed people to encrypt files in a mirror system that replicated Sony's methods. Of course this led to tons of piracy and eventually Geohot's public release of the “metldr” root key. Sony got really mad in short and decided to bring the ban hammer down on Geohot, who has yet to be heard from recently. Sony found a way to protect their system by fixing everything in the system with the 3.60 firmware update. The jailbreak was patched, the USB exploit patched and left the system somewhat secure, until now in association with the new PS3 4.30 firmware update.
    So what happened?
    The jerks, which is an understatement, that have been behind the PS3 dongle business will always be hated and trashed constantly and the recent stunt from the people behind the BlueDiscCFW team just put a nail in the coffin. A hacking group called “The Three Musketeers”, in short, had the Lvl0 keys which were leaked. The Three Musketeers were not going to release the keys because of the known outcome of doing so. The Chinese hacking team “BlueDiscCFW” somehow got a hold of the keys and planned to charge money for users who wanted the exploit. It's disgusting they would do that and The Musketeers realized this. With that in mind, The Three Musketeers tried to immediately stop BlueDiscCFW's profiting from the LV0 exploit; The Three Musketeers released the LV0 custom firmware free to the public. The funny part is the BDCFW was taken down immediately. The Three Musketeers released a statement on it saying
    “You can be sure that if it wouldn’t have been for this leak, this key would never have seen the light of day, only the fear of our work being used by others to make money out of it has forced us to release this now.”
    It was a two faced leak and is oddly similar to that Sam Jordam incident or Linux hack. They then released a full announcement and statement on the matter:
    As this was a group effort, we wouldn’t normally have lost a word about it
    ever, but as we’re done with PS3 now anyways, we think it doesn’t matter
    anymore [http://pastie.org/4462324]. Congratulations to the guy that leaked
    stuff, you, sir, are a 1337 haxx0r, jk, you’re an asshole.
    Try these bytes…
    …and be amazed.
    People should know that crooked personalities are widespread in this so
    called ‘scene’. Some people try to achieve something for fun together and make
    the wrong decision to trust others and share their results with them, but ofc
    there got to be the attention seeking fame wh*** that has to leak stuff to
    feel a little bit better about him-/herself.
    Now the catch is that it works like this in every ‘scene’, just that in
    others it usually doesn’t come to light.
    The only sad thing is, that the others who worked on this won’t get the
    attention they deserve because they probably want to remain anonymous (also
    they don’t care about E-fame <3).
    PS: This is neither about drama nor E-fame nor ‘OMG WE HAZ BEEN FIRST’, we
    just thought you should know that we’re disappointed in certain people. You
    can be sure that if it wouldn’t have been for this leak, this key would never
    have seen the light of day, only the fear of our work being used by others to
    make money out of it has forced us to release this now.
    [-The Three Musketeers]
    What does this mean?
    The release of the LV0 keys means, eventually, having all the keys available. The LV0 is not patchable, which is to say there is nothing at all Sony can do to fix this. The final bullet in the chamber has hit Sony hard. What actions they will take are not known, but if things continue in the scene I can guarantee they will be pushing the date of the PS4 closer as new hardware is really all they can do. Sony already moved all the loaders. The only other option would be to put the loaders in bootldr, but that isn't possible since bootldr is locked to being console specific and is impossible to update. Behind LV0 is just bootldr, which is encrypted with specific console keys. This leak will in time lead to a 4.25 CFW which can be installed on mostly any PS3, even on Slims and the recent new slim models. Keep in mind that fail0verflow released metldr private keys like I said above. Well, surprise, metldr is loaded by lv0ldr, even on 3.60+. The leak contains a private key, it's the string after PRIV=. The greatest part is that the key isn't tied up to a specific firmware. The problem with 3k model Playstation3 consoles is that they have a new LV0 version named lv0.2, which means new keys for the loader. What this means is that consoles which are able to downgrade to 3.55 can install 4.25 CFW even if they're on 4.25 OFW. The bad news incorporated with this is that 3K and higher consoles' LV0 keys are static, they are not console specific. Sony can change LV0 with a new firmware update. But, bootldr is per console and is the way of decryption for LV0. If we have bootldr then the console is wide open and a CFW could be made to work on any console. Bootldr cannot be changed or denied unless there is a hardware change. Even if we had bootldr then anyone with a downgradable console could have a CFW firmware. Whoever has bootldr and wanted to leak it would bring the greatest massacre and ban-hammer of all time by any company ever, I can guarantee whoever releases it will have nowhere to run or hide so it would of course need to be anonymous to the highest level with no traces to be found. Bootldr is something that's way more protected and valuable than metldr.
    Closing Statement
    This is the beginning of a very long and heavily scheduled future of the PS3 hacking scene. The release of the LV0 key means that any system update released by Sony going forward can be decrypted fully with no effort. Sony has no cards in this game. As of today LV0 is now decrypted for ever until the end of time. There is a lot of reverse engineering to get the decrypted loaders from it since Sony had changed a lot of security algorithms to protect these loaders inside LV0; however, rest assured every PS3 developer is hot on the news of everything going on. No one will be able to find 4.XX LV1, LV2_kernel, AppLDR keys inside the decrypted LV0 so there would need to be an investigation regarding how Sony stores these keys right now. Already hard at work Multiman and Rogero have released new CFW along with other developers working hard. Rogero's new CEX 4.21 CFW FFA was pulled however due to bricking issues, so be alert to that. With this we may gain some very valuable information, in a way, that'll help get some much needed help in also hacking the Vita but that's not something to be confirmed. Although in given time more information and understanding on this will come, so stay tuned.

    Source: http://wololo.net/2012/10/24/ps3-blo...d-and-working/




    Comments (1)
    1. D!CRA:
      Wololo is speaking up in the PlayStation 3 scene?! That could get interesting... Thanks for the news.
