PlayStation 3 developer JuanNadie has released a tutorial on dumping the PS3's bootldr. After months of work he explains his findings, but the unfortunate side of this news is his departure from the PlayStation 3 scene. What this truly means is that all older PS3s might not be patchable by Sony, since the bootldr is specific to each console.
About Dumping The Bootldr:
Originally posted by another user
As you know, the bootldr is one of the two loaders that are signed per console, and it was the only part of the system that hadn't been hacked.
Once you load it the same way as metldr (via SigNotify), it would start requesting different addresses that we don't control. You can take a look at my user page for the DMA sequence that it produces.
As you can see, it accesses a lot of different addresses, and we don't have control of any of them, so the first objective was to control the input/output.
The sandbox:
The objective was to redirect the flows of data to our controlled buffers, so we know what is written or read. To achieve that, a driver was created.
This driver performs two functions:
the first is creating lv1 peek/poke using the patched lv114 that comes with OtherOs++ and other CFW.
the second is reserving a block of consecutive memory that would be used as an HTAB.
The SPU is told to use our HTAB, which in turn redirects to our user buffers. To get the physical address... the user pages are locked in memory and then, using an old trick found by geohot, their real address is retrieved.
At this point we have control of what the SPU reads, BUT if consecutive small accesses are done, we have no control if we want to change something in between...
The rest of his explanation can be found via the source linked below. I will also take this opportunity to say thanks to JuanNadie for his contributions to the PS3 scene.