deaphroat

Naehrwert

Oct 20th, 2012
*********************************************************************************
dump bootldr how to exploit
Must have a dex 3.55 (real or made) dex 3.55 ps3, also a dual nand/nor chip installed. In a 3.55 dex console, prepare a lv0.self with the metadata exploit. Reboot. lv0 will hang since lv0.self will not run properly. bootldr will send info to lv0 before it hangs, after it decrypts it; running dex with certain switches set up, like booting in dev mode, will allow this hang dump of bootldr to be saved to the local store. But essentially you will have a bricked ps3, so recovery of the local store won't happen. This is where the dual nand/nor comes in handy and allows you to recover from this and replace your messed-up lv0.self with the original, boot up, and recover the local store dump and the decrypted bootldr. This will allow the keys to bootldr; these keys cannot be changed with any update. We can then exploit lv0. The exploit of bootldr/lv0 will allow the ability to change the way private keys are made, or give us the ability to reset up the private key fail and resign packages with any new firmwares.
this is, of course, just a "well tested theory"
*********************************************************************************
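#include <stdio.h>
#include <string.h>

/* Two zero bytes; the bytecode image below is written with this shorthand. */
#define U "\x00\x00"

typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned int u32;

/*
 * State of the small register VM that main() runs over its input.
 *   n - program counter: byte offset of the next instruction in m
 *   p - stack pointer: number of live entries in s
 *   s - 256-entry stack of 32-bit words (data pushes and return addresses)
 *   r - 64 general-purpose 32-bit registers
 *   m - backing memory holding code, data and the caller's input; owned by
 *       the caller, never allocated or freed here
 */
typedef struct {
    u32 n, p, s[256], r[64];
    u8 *m;
} T;

/*
 * Reset every register, the stack and the pc to zero and attach memory m.
 * (The name is the one the rest of this listing uses; it is a reserved
 * identifier in standard C, kept only so that main() still links.)
 */
void __(T *C, u8 *m)
{
    memset(C, 0, sizeof *C);
    C->m = m;
}

/*
 * Native-endian load of 1, 2 or 4 bytes from an arbitrary, possibly
 * unaligned address.  memcpy instead of a pointer cast avoids the alignment
 * and strict-aliasing undefined behaviour while reading the same bytes.
 */
static u32 vm_load(const u8 *at, unsigned width)
{
    u16 half;
    u32 word;

    switch (width) {
    case 1:
        return at[0];
    case 2:
        memcpy(&half, at, sizeof half);
        return half;
    default:
        memcpy(&word, at, sizeof word);
        return word;
    }
}

/* Native-endian store of the low 1, 2 or 4 bytes of val; see vm_load. */
static void vm_store(u8 *at, unsigned width, u32 val)
{
    u16 half;

    switch (width) {
    case 1:
        at[0] = (u8)val;
        break;
    case 2:
        half = (u16)val;
        memcpy(at, &half, sizeof half);
        break;
    default:
        memcpy(at, &val, sizeof val);
        break;
    }
}

/*
 * Run the VM from C->n until a halt (opcode 255) or a fault.
 *
 * Instruction word (native-endian u32 fetched from m + n):
 *   bits 31..24  opcode
 *   bits 21..16  s  destination register index (0..63)
 *   bits 13..8   y  first source register index
 *   bits  5..0   z  second source register index
 *   bits  7..0   k  8-bit displacement for loads/stores, shift count (13, 15)
 *   bits 15..0   l  16-bit immediate / branch target
 *   bits 23..22  condition selector for opcode 30 (tests bit 1/2/4/8 of r[s])
 *   bits 18..16  condition selector for opcode 32 (mask 1/2/4/8/5/9 on y)
 *
 * Returns 0 on halt and 1 on a fault (division by zero, or a push/pop that
 * would leave s[]).  Unknown opcodes are skipped, as before.  The original
 * looped by tail-recursing once per instruction; a loop keeps the stack
 * flat for long-running programs.
 *
 * Memory operands (m + y + k) are NOT bounds-checked: T carries no size for
 * m, so the bytecode must be trusted and the caller must size m for every
 * address the program touches.  Shift counts of 32 or more are likewise
 * passed straight to the C shift operator.
 */
u32 _(T *C)
{
    /* Condition masks for opcode 32, indexed by bits 18..16. */
    static const u32 cond_mask[6] = { 1, 2, 4, 8, 5, 9 };
    const u32 stack_cap = sizeof C->s / sizeof C->s[0];

    for (;;) {
        u32 i = vm_load(C->m + C->n, 4);
        u32 s = (i >> 16) & 63;
        u32 k = i & 255;
        u32 l = i & 65535;
        u32 x = C->r[s];
        u32 y = C->r[(i >> 8) & 63];
        u32 z = C->r[i & 63];
        u32 flags, sel;

        /* Advance first so that jumps below simply overwrite n. */
        C->n += 4;

        switch (i >> 24) {
        case 1:
            C->r[s] = y + z;
            break;
        case 2:
            C->r[s]++;
            break;
        case 3:
            C->r[s] = y - z;
            break;
        case 4:
            C->r[s]--;
            break;
        case 5:
            C->r[s] = y * z;
            break;
        case 6:
            if (z == 0) {
                return 1; /* fault: division by zero */
            }
            C->r[s] = y / z;
            break;
        case 7:
            if (z == 0) {
                return 1; /* fault: division by zero */
            }
            C->r[s] = y % z;
            break;
        case 8:
            C->r[s] = y & z;
            break;
        case 9:
            C->r[s] = y | z;
            break;
        case 10:
            C->r[s] = y ^ z;
            break;
        case 11:
            C->r[s] = ~y;
            break;
        case 12:
            C->r[s] = y << z;
            break;
        case 13:
            C->r[s] = y << k;
            break;
        case 14:
            C->r[s] = y >> z;
            break;
        case 15:
            C->r[s] = y >> k;
            break;
        case 16:
            C->r[s] = vm_load(C->m + y + k, 1);
            break;
        case 17:
            C->r[s] = vm_load(C->m + y + k, 2);
            break;
        case 18:
            C->r[s] = vm_load(C->m + y + k, 4);
            break;
        case 19:
            vm_store(C->m + y + k, 1, x);
            break;
        case 20:
            vm_store(C->m + y + k, 2, x);
            break;
        case 21:
            vm_store(C->m + y + k, 4, x);
            break;
        case 22:
            C->r[s] = l;
            break;
        case 23:
            C->r[s] = l << 16;
            break;
        case 24:
            C->r[s] |= l;
            break;
        case 25:
            C->r[s] = y;
            break;
        case 26: /* push r[s] */
            if (C->p >= stack_cap) {
                return 1; /* fault: stack overflow */
            }
            C->s[C->p++] = x;
            break;
        case 27: /* pop into r[s] */
            if (C->p == 0) {
                return 1; /* fault: stack underflow */
            }
            C->r[s] = C->s[--C->p];
            break;
        case 28: /* compare y,z -> flags: 1 eq, 2 ne, 4 below, 8 above */
            flags = (y == z) ? 1 : 2;
            if (y < z) {
                flags |= 4;
            } else if (y > z) {
                flags |= 8;
            }
            C->r[s] = flags;
            break;
        case 29: /* jump l */
            C->n = l;
            break;
        case 30: /* jump l if flag bit (1 << bits 23..22) set in r[s] */
            sel = 1u << ((i >> 22) & 3);
            if ((x & sel) == sel) {
                C->n = l;
            }
            break;
        case 31: /* jump r[s] */
            C->n = x;
            break;
        case 32: /* jump z if cond_mask[bits 18..16] fully set in y */
            sel = (i >> 16) & 7;
            if (sel < 6 && (y & cond_mask[sel]) == cond_mask[sel]) {
                C->n = z;
            }
            break;
        case 33: /* call l */
            if (C->p >= stack_cap) {
                return 1; /* fault: stack overflow */
            }
            C->s[C->p++] = C->n;
            C->n = l;
            break;
        case 34: /* ret */
            if (C->p == 0) {
                return 1; /* fault: stack underflow */
            }
            C->n = C->s[--C->p];
            break;
        case 255: /* halt */
            return 0;
        default:
            break;
        }
    }
}

/*
 * Bytecode image for the VM above.  main() copies it to the start of the VM
 * memory and starts execution at offset 0 with r[0] pointing at the user's
 * input string; what the program computes is not decoded here.  The string
 * literal is kept verbatim (U = two zero bytes).
 */
u8 v[] = {"\xC8"U"\x21"U"\x00\xFF"U"\x1F\x19"U"\x00\x0A\x20\x00\x21\x16\x00\x1F\x20"
"\x10\x21\x20\x20\x1C\x2C\x00\x20\x1E"U"\x1F\x02"U"\x00\x02\x14"U"\x1D"U"\x00"""
"\x22"U"\x28\x19\x08"U"\x21"U"\x29\x19"U"\x01\x19"U "\x00\x0A\x1F\x1F\x1F\x0A"""
"\x30\x00\x22\x16\x23\x23\x23\x0A\x0A\x00\x24\x16\x23\x29\x20\x1C\x78\x00\x20"""
"\x1E"U"\x29\x04\x00\x28\x21\x10"U"\x28\x02\x22\x21\x1F\x03\x24"U"\x05\x1F"U""""
"\x01\x54"U"\x1D"U"\x00\x22\x1C\x02\x1F\x16\x20\x02\x20\x16\x04\x00\x21\x16\x00"
"\x1F\x22\x12\x20\x22\x22\x01\x00\x22\x00\x15\x00\x1F\x22\x12\x21\x22\x22\x01"""
"\x00\x1F\x22\x15"U "\x00\x22\x1C\x02\x1F\x16\x20\x02\x20\x16\x04\x00\x21\x16"""
"\x00\x1F\x22\x12\x21\x22\x22\x03\x00\x1F\x22\x15\x20\x22\x22\x01\x00\x22\x00"""
"\x12"U"\x00\x22"U"\x1F\x19"U "\x23\x16\x00\x1F\x20\x10\x23\x20\x21\x1C\x14\x02"
"\x21\x1E"U "\x1F\x02\x2B\x00\x22\x16\x22\x20\x21\x1C\x2C\x01\x21\x1E\x2D\x00"""
"\x22\x16\x22\x20\x21\x1C\x54\x01\x21\x1E\x2A\x00\x22\x16\x22\x20\x21\x1C\x7C"""
"\x01\x21\x1E\x2F\x00\x22\x16\x22\x20\x21\x1C\xA4\x01\x21\x1E\x25\x00\x22\x16"""
"\x22\x20\x21\x1C\xCC\x01\x21\x1E\x20\x00\x22\x16\x22\x20\x21\x1C\xD0\x00\x21"""
"\x1E\xF4\x01\x00\x1D"U"\x1F\x1A\xA4"U"\x21"U"\x22\x19"U"\x22\x1A\xA4"U"\x21"U""
"\x22\x1B\x22"U"\x01\x7C"U"\x21"U"\x1F\x1B\xD0"U"\x1D"U "\x1F\x1A\xA4"U"\x21"U""
"\x22\x19"U"\x22\x1A\xA4"U"\x21"U"\x22\x1B\x22"U"\x03\x7C"U"\x21"U"\x1F\x1B\xD0"
U"\x1D"U"\x1F\x1A\xA4"U"\x21"U"\x22\x19"U"\x22\x1A\xA4"U"\x21"U"\x22\x1B\x22"U""
"\x05\x7C"U"\x21"U"\x1F\x1B\xD0"U"\x1D"U"\x1F\x1A\xA4"U"\x21"U "\x22\x19"U"\x22"
"\x1A\xA4"U"\x21"U"\x22\x1B\x22"U"\x06\x7C"U"\x21"U"\x1F\x1B\xD0"U"\x1D" U"\x1F"
"\x1A\xA4"U"\x21"U"\x22\x19"U"\x22\x1A\xA4"U"\x21"U "\x22\x1B\x22"U"\x07\x7C"U""
"\x21"U"\x1F\x1B\xD0"U"\x1D"U"\x1F\x1A\x01\x00\x22\x16\x22\x1F\x00\x03\x30"U""""
"\x21\x7C"U"\x21"U"\x1F\x1B\x01\x1F\x1F\x01\xD0"U"\x1D\xA4"U"\x21" U"\x00\x22"};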
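/*
 * Build the VM memory image, run the bytecode over argv[1] and print r[0].
 *
 * Layout of m: the bytecode image v at m[0..540), the argument string at
 * m + 688, everything else zero.  Exits with 1 when the argument count is
 * wrong or the string does not fit; the original strcpy'd argv[1] into the
 * fixed buffer unbounded, so any argument longer than 335 bytes overflowed
 * the stack.  It also stored v[16] at m[1376 + strlen(argv[1])], which is
 * past the end of m on every input; that write is dropped.
 */
int main(int l, char *a[])
{
    T c;
    u8 m[1024];
    size_t len;

    if (l != 2) {
        return 1;
    }
    /* Reserve one byte for the terminator the VM may rely on. */
    len = strlen(a[1]);
    if (len >= sizeof m - 688) {
        return 1;
    }
    memset(m, 0, sizeof m);
    memcpy(m, v, 540);
    memcpy(m + 688, a[1], len + 1);

    __(&c, m);
    c.r[0] = 688; /* r0 = address of the input inside VM memory */
    _(&c);
    /* %d kept for identical output; r[0] is a u32, so cast explicitly. */
    printf("%d\n", (int)c.r[0]);
    return 0;
}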
*********************************************************************************
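#include <stdio.h>
#include <polarssl/aes.h>

/*
 * Decrypt the embedded AES-128-CBC blob in place and write the plaintext to
 * stdout.  key and iv are zero-filled placeholders to be filled in before
 * building (the original used `= {}`, which is not valid C before C23, and
 * an undeclared `u8` type).  Returns 0 on success, 1 if the PolarSSL key
 * schedule or decrypt call reports an error.
 */
int main(int argc, char **argv)
{
    unsigned char key[0x10] = { 0 }; /* insert key */
    unsigned char iv[0x10] = { 0 };  /* insert iv */
    unsigned char msg[] =
    {
        0xA4, 0xF9, 0x6C, 0x1E, 0x00, 0x06, 0x3F, 0x11, 0x7E, 0x9B, 0xA4, 0x66, 0xBE, 0xA8, 0x11, 0x6A,
        0xDA, 0x44, 0x8B, 0xEB, 0x41, 0x6B, 0xD0, 0xA7, 0x15, 0x16, 0x85, 0xD6, 0x41, 0xEE, 0xD0, 0x72,
        0xDB, 0xE1, 0x8B, 0x85, 0xB1, 0x2A, 0xFD, 0x59, 0x34, 0xAC, 0xDD, 0xB8, 0x0B, 0x64, 0x04, 0xA7,
        0xBA, 0xF1, 0x72, 0x80, 0xAC, 0xAB, 0x64, 0x45, 0xF8, 0x1B, 0x6F, 0xDF, 0x26, 0x63, 0x0E, 0x56,
        0xA5, 0xD3, 0x63, 0xF6, 0x41, 0x2D, 0x31, 0x36, 0x9D, 0xAF, 0x7B, 0x81, 0xB9, 0x06, 0xCF, 0xAD,
        0x85, 0x13, 0x2B, 0x26, 0xCA, 0xB4, 0xBB, 0x0E, 0x4E, 0xD6, 0xAF, 0x72, 0x25, 0x62, 0xD6, 0xD0,
        0x46, 0x11, 0x68, 0x2E, 0xF8, 0x3D, 0xFC, 0x8D, 0xDA, 0x57, 0x9F, 0x96, 0x15, 0xDB, 0x10, 0x70,
        0x3A, 0x11, 0x2D, 0xE6, 0xBA, 0x55, 0x6F, 0x77, 0xA3, 0x8F, 0x81, 0x9F, 0x55, 0xE4, 0x66, 0x08,
        0x4F, 0x34, 0xAA, 0x27, 0xD3, 0x02, 0x0C, 0xD7, 0x25, 0x95, 0x3B, 0x3F, 0x0A, 0xEB, 0x15, 0x86,
        0x42, 0x88, 0x46, 0xF0, 0xD0, 0x54, 0x4C, 0x9F, 0xBC, 0xF1, 0x86, 0xEC, 0xD7, 0x34, 0xE4, 0xC4,
        0x6B, 0x03, 0xA9, 0x29, 0xE6, 0xBA, 0x59, 0x09, 0x71, 0xF1, 0xD4, 0x1D, 0x8F, 0x54, 0x8A, 0x78,
        0x94, 0xC4, 0x1C, 0x56, 0x8C, 0xFF, 0xBB, 0xF9, 0x49, 0xEC, 0x24, 0xB7, 0xC9, 0x7D, 0xCA, 0x73,
        0x9E, 0x03, 0x66, 0xA6, 0xE9, 0x91, 0x01, 0x8E, 0xFE, 0x13, 0x76, 0x09, 0x99, 0xEF, 0x33, 0x10,
        0x9F, 0xF5, 0x9C, 0x2F, 0x41, 0x23, 0x29, 0x8D, 0x4F, 0x10, 0x5F, 0x29, 0x12, 0x91, 0xBB, 0x9F,
        0x16, 0xDC, 0xDA, 0x83, 0x97, 0xD6, 0x14, 0x72, 0xD4, 0xD5, 0x2F, 0xFD, 0xB7, 0x99, 0x9E, 0x95,
        0x38, 0x6C, 0x30, 0x39, 0x42, 0xF6, 0xFD, 0x65, 0xB8, 0x81, 0xAC, 0x3B, 0x00, 0xFE, 0x92, 0x52,
        0x9D, 0xD6, 0x1E, 0xA7, 0x73, 0xBE, 0xE4, 0xA6, 0x9E, 0x70, 0xD6, 0xE1, 0x9B, 0xDE, 0x05, 0x79,
        0x65, 0x7C, 0x10, 0x05, 0xAD, 0x52, 0xC9, 0x94, 0x12, 0xFD, 0xB6, 0xB9, 0x24, 0xDF, 0xA5, 0xC8,
        0x74, 0x51, 0x12, 0x82, 0x22, 0x9E, 0x52, 0x4D, 0x3E, 0x9B, 0x6F, 0x0F, 0x1C, 0xEA, 0x8B, 0x31
    };
    aes_context aes_ctxt;
    int rc;

    (void)argc;
    (void)argv;

    /* CBC needs whole blocks; catch a mis-pasted blob at compile time. */
    _Static_assert(sizeof msg % 16 == 0, "ciphertext must be a multiple of the AES block size");

    rc = aes_setkey_dec(&aes_ctxt, key, 0x10 * 8);
    if (rc != 0) {
        fprintf(stderr, "aes_setkey_dec failed: %d\n", rc);
        return 1;
    }
    rc = aes_crypt_cbc(&aes_ctxt, AES_DECRYPT, sizeof msg, iv, msg, msg);
    if (rc != 0) {
        fprintf(stderr, "aes_crypt_cbc failed: %d\n", rc);
        return 1;
    }
    /* The plaintext carries no terminator, so bound the print to the array
     * instead of a bare "%s", which would read past msg. */
    printf("%.*s", (int)sizeof msg, msg);
    return 0;
}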
*********************************************************************************