Untitled

[16:41] <xxxxxxxx> I think it works
[16:41] <xxxxxxxx> I mean this is what I think Mathieulh did
[16:42] <xxxxxxxx> in a <= 3.55 console, he prepared a lv0.self with that metadata exploit (STEP I in his "tutorial")
[16:42] <xxxxxxxx> then he rebooted the console, the console will HANG of course since the lv0.self will not run properly
[16:42] <xxxxxxxx> but before it hangs, after it decrypts it, he uses hardware to read the local store
[16:42] <xxxxxxxx> then he gets a bootldr dump
[16:43] <yyyyyyy> now that makes sense
[16:43] <xxxxxxxx> he restores his lv0.self (I wonder how) so he could recover his console and play some games, otherwise the console is bricked
 [16:43] <xxxxxxxx> and with the booldr dump he gets the lv0 key
[16:44] <xxxxxxxx> with the lv0 key you can decrypt any lv0.self, the lv0 is a file in a PUP
 [16:44] <xxxxxxxx> I think that's what he did
 [16:45] <yyyyyyy> yea like you i don't see how he would restore his lvl0.self
[16:45] <xxxxxxxx> service mode
[16:45] <xxxxxxxx> and reinstalling the PUP
[16:45] <yyyyyyy> but even without a restore he gets the dump
[16:45] <yyyyyyy> ah yea
[16:46] <xxxxxxxx> yeah after he gets a bootldr dump, it's game over
 01[16:46] ggggggg> okay we basically could do that but how do you read the local store with hardware?
 [16:47] <yyyyyyy> i'd assume that is the part you need hardware for
[16:47] <xxxxxxxx> that's the tricky part
[16:47] <xxxxxxxx> you need something sniffing directly in the memory bus
 [16:47] <xxxxxxxx> since the PS3 won't even boot, you can't use it
[16:48] <xxxxxxxx> and bootldr has a "runonce" flag so after you boot the PS3 you can't put it in a SPE and run it again
[16:49] <xxxxxxxx> so I think he booted a PS3 destined to fail at boot
[16:49] <xxxxxxxx> but it will dump bootldr.
[16:49] <xxxxxxxx> after that I guess he enters service mode and recover the console
 01[16:49] ggggggg> thats quite amazing to be honest
 [16:49] <xxxxxxxx> but where in the PS3 is lv0?
[16:50] <xxxxxxxx> or:
[16:50] <xxxxxxxx> he put it in a PUP
[16:50] <xxxxxxxx> upgraded the firmware, that installed that badly lv0, reboot it, read bootldr, service mode, recover ?
[16:50] <xxxxxxxx> I think that's easier
[16:50] <yyyyyyy> honestly even if there is no recovery of a ps3 and you get bootldr dump it is a worthy sacrifice lol
[16:50] <xxxxxxxx> no he can't do that since he can't sign lv0
[16:51] <xxxxxxxx> hah and lost a console ?
[16:51] <xxxxxxxx> hehehe
[16:51] <xxxxxxxx> you just sacrificed the PS3
[16:51] <xxxxxxxx> but you got the bootldr dump
[16:51] <xxxxxxxx> now, where is lv0
[16:51] <xxxxxxxx> in the filesystem of the PS3
 01[16:51] ggggggg> you could call it the <martyr ps3>. Will be forever remembered.
[16:52] <yyyyyyy> lol the jesus of ps3's
[16:52] <xxxxxxxx> On /dev/rflash1 you will find lv0, lv1ldr, lv2_lernel.self and all the other important SELFs.
[16:52] <xxxxxxxx> yeah that's what he did
[16:52] <xxxxxxxx> I'm sure
[16:52] <xxxxxxxx> he replaced lv0 in /dev/rflash1, this won't hang the console because lv0 is already running in memory
[16:52] <xxxxxxxx> rebooted it
[16:52] <xxxxxxxx> PS3 hangs
[16:52] <xxxxxxxx> dumps bootldr with hardware
[16:52] <xxxxxxxx> recover the console or sacrifice it, same thing
[16:53] <xxxxxxxx> reverse bootldr, get lv0 keys
[16:53] <yyyyyyy> now these seems quite plausible
[16:54] <xxxxxxxx> metldr is easy because:
[16:54] <xxxxxxxx> 1.- you can run it several times
[16:54] <xxxxxxxx> 2.- you can run it at will from OtherOS
[16:54] <xxxxxxxx> 3.- from OtherOS you can dump local store without hardware
[16:54] <yyyyyyy> you would just need to correctly assemble lvlo.self
[16:54] <xxxxxxxx> but bootldr will only run ONE at boot
[16:54] <xxxxxxxx> ONCE
[16:54] <xxxxxxxx> yeah you need to correctly assemble the header of lv0.self
[16:55] <xxxxxxxx> but I think Math explained how
[16:55] <xxxxxxxx> lv0 doesn't have the .self extension but it's a SELF ok?
[16:55] <xxxxxxxx> Math gave appldr355exploit.self
[16:55] <xxxxxxxx> so you have something to compare with
[16:56] <xxxxxxxx> the problem is, the piece of hardware to dump the local store
<yyyyyyy> and then get sued because they track you through donations lol
 [16:57] <xxxxxxxx> well the PS3 is not totally lost: everytime you turn it on will dump bootldr again hehehe
[16:57] <yyyyyyy> haha true
[16:58] <yyyyyyy> but yes the hardware to dump it is the truly hard part
[16:58] <yyyyyyy> everthing else has been pretty much explained
[16:59] <yyyyyyy> and for me I am no hardware guy so I can't even attempt creating it
 [17:00] <xxxxxxxx> Nevertheless, it's still all speculation
 [17:00] <xxxxxxxx> I'd do it if I have a NOR flasher and maybe another PS3 because if I'm lazy to recover at that very moment and I want play GoW I'd be fucked
[17:01] <xxxxxxxx> well and if I have a single clue about how to assemble the hardware part
 [17:01] <xxxxxxxx> hey yyyyyyy recovery is easier than you think
[17:01] <xxxxxxxx> since lv0 is not in HDD
 [17:01] <xxxxxxxx> lv0 is in flash
[17:01] <xxxxxxxx> if you reflash your NOR you recover
 [17:02] <xxxxxxxx> yeah you’ll need at least  the NOR flasher at least, which is a pain in the ass to solder
+35 cable
 [17:03] <xxxxxxxx> the key part is the hardware Local Store reader, to assemble that hardware takes skill
 [17:06] <xxxxxxxx> yeah you need to read a loooot of the available Cell BE documentation
 [17:06] <xxxxxxxx> there are dozens of leaked PDFs in the wiki
 [17:07] <yyyyyyy> yea that is one of maths "hints"
[17:07] <xxxxxxxx> which one exactly yyyyyyyy?
[17:07] <yyyyyyy> the skill to read it
[17:07] <xxxxxxxx> you mean the patience
[17:07] <xxxxxxxx> to read them all
 [17:07] <yyyyyyy> not too much skill...just time
 01[17:08] ggggggg> math won't help us on that one
 01[17:08] ggggggg> for sure
[17:08] <yyyyyyy> naw he already did it ;)