Post: Mathieu Explains 3.60 Exploit - Will Lead to Application Keys and Eventually 3.60 CFW
Options
04-22-2011, 01:53 AM
#1
CLM
[b]They say sorry Mr. West is..[/b]
Source: You must login or register to view this content. // By: ClutchLikeMelo // April 21, 2011
You must login or register to view this content.
Mathieu keeps throwing out more and more hints. This time he explains his exploit and how it will lead to application keys, and...... Drum roll please. 3.60 CFW! (Oh and in case you're wondering, application keys can make current and future 3.60 encrypted games playable!)
Synopsis of Mathieu's explanation of the exploit:
Originally posted by another user
The function that copies the SCE header from the shared LS to the isolated Local Store doesn’t check the header’s size.
[So] you craft a self with a HUGE header so [that] it overwrites ldr code as it gets copied to the isolated LS and you wait [for] the loader to jump to it.
[Then] you can get lv0 decrypted, once you get lv0 decrypted, you get appldr, once you get appldr, you get 3.60 application keys, [and] once you get that, you [get] warez.
[So] you craft a self with a HUGE header so [that] it overwrites ldr code as it gets copied to the isolated LS and you wait [for] the loader to jump to it.
[Then] you can get lv0 decrypted, once you get lv0 decrypted, you get appldr, once you get appldr, you get 3.60 application keys, [and] once you get that, you [get] warez.
Here's Mathieu's full conversation about the exploit:
Originally posted by another user
X nah, not a single line of code, at least not for the implementation
but finding the exploit itself
is EASY
except no one has gone looking
I’ve seen lots of askings and whining, very little looking xD
if someone who remotely knows spu reversing starts looking
he’ll find it
at the very worse in a matter of hours
the bug is ******ly stupid to begin with
LV0, EID0, anything with coreOS imo should not be done without a hardwareflasher. Atleast with that you can undo the mess.
yeah
I am a bit of a red head here xD
you keep saying that, but I suck at SPU assembly
you’d find it even if you fail at it
you just need to know where to look
just look at how selfs are processed by ldrs
and you’ll find it
hell, I’ll help you, it’s about overflowing a certain buffer
yes, that is what defyboy and I tried to document in the ps3devwiki : bootprocess and loader locations etc.
well if you know how selfs are processed by loaders, it’s easy
another hint
it happens before the ecdsa check
my earlier guess btw was that it was a header overflow, which gave access to the local storage
It’s a ******ed exploit
if you want to know what it is, I’ll tell you
the function that copies the SCE header from the shared LS to the isolated Local Store
doesn’t check the header’s size
\o/
it’s just THAT ******ed
implementing it isn’t easy though
cause loaders have failsafes and ****
header size fail
lol
?
but now that you know, you can try it on your own
X1 yes
you craft a self with a HUGE header
so it overwrites ldr code as it gets copied to the isolated LS
and you wait the loader to jump to it
lolol must try heh
X1 it’s a total ***** to implement
but feel free xD
if someone pwns the bl with this and gets the keys, he’ll have my kudos
cause finding the exploit is the easy part
Sony’ll fix it now, but it’s not like I care much
their “unhackable” ps3s are probably already on the way
but finding the exploit itself
is EASY
except no one has gone looking
I’ve seen lots of askings and whining, very little looking xD
if someone who remotely knows spu reversing starts looking
he’ll find it
at the very worse in a matter of hours
the bug is ******ly stupid to begin with
LV0, EID0, anything with coreOS imo should not be done without a hardwareflasher. Atleast with that you can undo the mess.
yeah
I am a bit of a red head here xD
you keep saying that, but I suck at SPU assembly
you’d find it even if you fail at it
you just need to know where to look
just look at how selfs are processed by ldrs
and you’ll find it
hell, I’ll help you, it’s about overflowing a certain buffer
yes, that is what defyboy and I tried to document in the ps3devwiki : bootprocess and loader locations etc.
well if you know how selfs are processed by loaders, it’s easy
another hint
it happens before the ecdsa check
my earlier guess btw was that it was a header overflow, which gave access to the local storage
It’s a ******ed exploit
if you want to know what it is, I’ll tell you
the function that copies the SCE header from the shared LS to the isolated Local Store
doesn’t check the header’s size
\o/
it’s just THAT ******ed
implementing it isn’t easy though
cause loaders have failsafes and ****
header size fail
lol
?
but now that you know, you can try it on your own
X1 yes
you craft a self with a HUGE header
so it overwrites ldr code as it gets copied to the isolated LS
and you wait the loader to jump to it
lolol must try heh
X1 it’s a total ***** to implement
but feel free xD
if someone pwns the bl with this and gets the keys, he’ll have my kudos
cause finding the exploit is the easy part
Sony’ll fix it now, but it’s not like I care much
their “unhackable” ps3s are probably already on the way
He then explained the impact this exploit would have on Sony:
Originally posted by another user
why would they care about bootldr keys?
ps3devnews etc. host metldr keys, appldr keys etc.
X1 cause you can get lv0 decrypted
once you get lv0 decrypted
you get appldr
once you get appldr
you get 3.60 application keys
once you get that
you warez
also, with those keys you can sign your own lv0, no ps3 fw update can beat you then
yah
you can have your 3.60+ custom firmware then
and warez even more
and mess with the psn again
and so on
ps3devnews etc. host metldr keys, appldr keys etc.
X1 cause you can get lv0 decrypted
once you get lv0 decrypted
you get appldr
once you get appldr
you get 3.60 application keys
once you get that
you warez
also, with those keys you can sign your own lv0, no ps3 fw update can beat you then
yah
you can have your 3.60+ custom firmware then
and warez even more
and mess with the psn again
and so on
The following 16 users say thank you to CLM for this useful post:
The following user groaned viralhysteria for this awful post:
The following 2 users say thank you to Kylee. for this useful post:
04-22-2011, 02:12 AM
#4
noodles88
Bounty hunter
Originally posted by ClutchLikeCeltics
Mathieu Explains 3.60 Exploit - Will Lead to Application Keys and Eventually 3.60 CFW
Source: You must login or register to view this content. // By: ClutchLikeMelo // April 21, 2011
You must login or register to view this content.
Mathieu keeps throwing out more and more hints. This time he explains his exploit and how it will lead to application keys, and...... Drum roll please. 3.60 CFW! (Oh and in case you're wondering, application keys can make current and future 3.60 encrypted games playable!)
Synopsis of Mathieu's explanation of the exploit:
Here's Mathieu's full conversation about the exploit:
He then explained the impact this exploit would have on Sony:
Source: You must login or register to view this content. // By: ClutchLikeMelo // April 21, 2011
You must login or register to view this content.
Mathieu keeps throwing out more and more hints. This time he explains his exploit and how it will lead to application keys, and...... Drum roll please. 3.60 CFW! (Oh and in case you're wondering, application keys can make current and future 3.60 encrypted games playable!)
Synopsis of Mathieu's explanation of the exploit:
Here's Mathieu's full conversation about the exploit:
He then explained the impact this exploit would have on Sony:
Eventually this might get closed 3rd or 4th time been posted and got moved to general for some reason
You must login or register to view this content.
04-22-2011, 03:16 AM
#7
Nas.
I AM Keep-It-X-Rated
Welp NGU Better get ready for the 11 year olds that are going to RUIN mw2 again. -___-
The following 3 users say thank you to Nas. for this useful post:
04-22-2011, 03:28 AM
#8
Cade
Guest
Originally posted by ClutchLikeCeltics
Mathieu Explains 3.60 Exploit - Will Lead to Application Keys and Eventually 3.60 CFW
Source: You must login or register to view this content. // By: ClutchLikeMelo // April 21, 2011
You must login or register to view this content.
Mathieu keeps throwing out more and more hints. This time he explains his exploit and how it will lead to application keys, and...... Drum roll please. 3.60 CFW! (Oh and in case you're wondering, application keys can make current and future 3.60 encrypted games playable!)
Synopsis of Mathieu's explanation of the exploit:
Here's Mathieu's full conversation about the exploit:
He then explained the impact this exploit would have on Sony:
Source: You must login or register to view this content. // By: ClutchLikeMelo // April 21, 2011
You must login or register to view this content.
Mathieu keeps throwing out more and more hints. This time he explains his exploit and how it will lead to application keys, and...... Drum roll please. 3.60 CFW! (Oh and in case you're wondering, application keys can make current and future 3.60 encrypted games playable!)
Synopsis of Mathieu's explanation of the exploit:
Here's Mathieu's full conversation about the exploit:
He then explained the impact this exploit would have on Sony:
another great thread! thanks!
The following user thanked TheManDavid for this useful post:
Copyright © 2026, NextGenUpdate.
All Rights Reserved.
