Post: How to dump the lv0
12-05-2011, 04:23 AM #1
Xx--AIDAN--xX
One Man Army
First I will be explaining this in a way anyone with basic PS3 knowledge will be able to understand, let's get started. (hehe)


The bootldr holds the lv0, yes; the lv0 encapsulates the other ldrs (lv1, lv2, appldr, rvkldr, isoldr, etc.) since 3.56^. But usually the chain of trust would go like metldr>other ldrs, and the metldr would run the loaders. But after 3.55 the lv0 has been copying the ldrs to the RAM, then they are given to the metldr to execute without ever being held by the metldr. Now if you use a kernel module you can map out the PS3 real memory. Using hardware you can dump RAM. By dumping the RAM you're getting a decrypted version of lv0 with all the ldrs in it. And you got keys.

Concept in boot order.

Cell INIT -> get encrypted bootldr off NAND/NOR flash, then the RAM will initialise. This is when it will load the bootldr into an isolated SPU; secure boot will decrypt the bootldr, verify it and execute it. Now this is where the magic happens. Now the bootldr will decrypt the lv0 and it will get copied to the RAM (with loaders) before the RAM will run the loaders to the metldr.


The metldr will always have to boot the ldrs too, because it is per-console encrypted; Sony can't go change that out of nowhere.



The following user thanked Xx--AIDAN--xX for this useful post:

slim355

The following 2 users groaned at Xx--AIDAN--xX for this awful post:

Implicit, SirBlazeAlot
12-06-2011, 08:46 AM #11
XDev
Banned
HAHAHA, I'm willing to bet .1% of everyone on this site don't know even half of what to do nor start.
Was better just paste on original site,
Good c/p skills i guess. Congrats
12-06-2011, 12:33 PM #12
Originally posted by xX
First I will be explaining this in a way anyone with basic PS3 knowledge will be able to understand, let's get started. (hehe)


The bootldr holds the lv0, yes; the lv0 encapsulates the other ldrs (lv1, lv2, appldr, rvkldr, isoldr, etc.) since 3.56^. But usually the chain of trust would go like metldr>other ldrs, and the metldr would run the loaders. But after 3.55 the lv0 has been copying the ldrs to the RAM, then they are given to the metldr to execute without ever being held by the metldr. Now if you use a kernel module you can map out the PS3 real memory. Using hardware you can dump RAM. By dumping the RAM you're getting a decrypted version of lv0 with all the ldrs in it. And you got keys.

Concept in boot order.

Cell INIT -> get encrypted bootldr off NAND/NOR flash, then the RAM will initialise. This is when it will load the bootldr into an isolated SPU; secure boot will decrypt the bootldr, verify it and execute it. Now this is where the magic happens. Now the bootldr will decrypt the lv0 and it will get copied to the RAM (with loaders) before the RAM will run the loaders to the metldr.


The metldr will always have to boot the ldrs too, because it is per-console encrypted; Sony can't go change that out of nowhere.




I don't understand any of this?
12-08-2011, 01:42 AM #13
Can anyone help me with the jonoEfthy's v9 Patch? Teach me step by step?
12-08-2011, 01:53 AM #14
Jakeyy
Expect the unexpected!
Originally posted by xShadow69x
wonder what member over there cp this from a dev site this has been released months ago just no one ever tried it cause it requires soldering


Na, it came from a respectable dev who worked on Math's method of getting the metldr and all that; he simplified it down to this. He was newish to PS3hax but talked to Math and KaKa on Twitter a lot.
12-08-2011, 02:26 AM #15
Originally posted by iP4ckHe4t
Na, it came from a respectable dev who worked on Math's method of getting the metldr and all that; he simplified it down to this. He was newish to PS3hax but talked to Math and KaKa on Twitter a lot.
yea lol that's what I meant, Math told everyone how to do this months ago, another reason I'm sure he doesn't release anything now
12-08-2011, 10:23 AM #16
Jakeyy
Expect the unexpected!
Originally posted by xShadow69x
yea lol that's what I meant, Math told everyone how to do this months ago, another reason I'm sure he doesn't release anything now


Ye I know what you mean even KaKaRoToKS even said Math won't send him the metldr work he's been working on and KaKaRoToKS JB works around that to be able to use and install stuff.
12-08-2011, 09:14 PM #17
Originally posted by iP4ckHe4t
Ye I know what you mean even KaKaRoToKS even said Math won't send him the metldr work he's been working on and KaKaRoToKS JB works around that to be able to use and install stuff.
KaKaRoToKS can probably do it, but if he doesn't have the ndprm alg I'm sure he is using to re-sign selfs on 3.55 keys to load into newer fw's, then there is something Math hasn't told anyone about it yet
12-08-2011, 09:32 PM #18
Jakeyy
Expect the unexpected!
Originally posted by xShadow69x
KaKaRoToKS can probably do it, but if he doesn't have the ndprm alg I'm sure he is using to re-sign selfs on 3.55 keys to load into newer fw's, then there is something Math hasn't told anyone about it yet


Math will end up giving it if KaKa basically shows him how much he needs it for his JB; this is why no one likes Math, he's selfish, doesn't share with the rest. KaKaRoToKS shared his JB with him anyway so Math should repay him.
12-08-2011, 11:01 PM #19
Originally posted by iP4ckHe4t
Math will end up giving it if KaKa basically shows him how much he needs it for his JB; this is why no one likes Math, he's selfish, doesn't share with the rest. KaKaRoToKS shared his JB with him anyway so Math should repay him.
well one, Math told him not to share or he might leak it lol, just to be a dick I guess, and if I was him, after telling ppl ways to do some of this for months and giving us many examples of how this could be done, I wouldn't share anything either, but looks like he did, lucky for us who updated

Copyright © 2026, NextGenUpdate.
All Rights Reserved.
