Ya se que el dumpear el metldr no es nada nuevo, pero aquellos que, como yo, queráis tener las claves de su consola sin instalar un CFW ni enredar con particiones del disco duro interno, podéis seguir este método.
No es complicado, pero requiere conocimientos básicos de Linux.
Lista de ingredientes:
-Red Ribbon Linux. La distribucion de Linux de ro4drunner http://www.elotrolado.net/hilo_red-ribbon-gnu-linux-para-ps3-21-11-2011_1631472
-El script dmpatch.sh que permite parchear el lv1 para usar SS
- Código: Seleccionar todo
#!/bin/sh
#
# Copyright Graf_chokolo
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#
# ram_write_val_32
#
ram_write_val_32()
{
_off=$1
_val=$2
printf $_val | dd of=$PS3RAM_DEV bs=1 count=4 seek=$(($_off)) 2>/dev/null
}
PS3HVC_DEV=/dev/ps3hvc
PS3HVC_HVCALL=ps3hvc_hvcall
PS3RAM_DEV=/dev/ps3ram
# offsets
DISPMGR_SET_LAID_OFFSET=0x16F3BC
DISPMGR_SS_ID_OFFSET=0x16F3E0
DISPMGR_SEND_SPM_REQ_OFFSET=0x16F458
# disable overwriting of LAID
ram_write_val_32 $DISPMGR_SET_LAID_OFFSET '\x60\x00\x00\x00'
# disable SS ID check
ram_write_val_32 $DISPMGR_SS_ID_OFFSET '\x38\x60\x00\x01'
# disable SPM (Security Policy Manager) check
ram_write_val_32 $DISPMGR_SEND_SPM_REQ_OFFSET '\x3B\xE0\x00\x01'
ram_write_val_32 $((DISPMGR_SEND_SPM_REQ_OFFSET + 4)) '\x9B\xE1\x00\x70'
ram_write_val_32 $((DISPMGR_SEND_SPM_REQ_OFFSET + 8)) '\x38\x60\x00\x00'
-El exploit http://gotbrew.org/metldr838exploit.tar.gz
Después de instalar todo, compilar el exploit y añadir los ficheros que necesita el mismo, basta con ejecutar el script dmpatch.sh para parchear lv1 y run.sh para ejecutar el exploit.
Si todo va bien, debe salir algo similar a esto
- Código: Seleccionar todo
PPE id (0x0000000000000001) VAS id (0x0000000000000019)
lv1_construct_logical_spe (0x00000000)
SPE id (0x0000000000000032)
lv1_enable_logical_spe (0x00000000)
lv1_set_spe_interrupt_mask(0) (0x00000000)
lv1_set_spe_interrupt_mask(1) (0x00000000)
lv1_set_spe_interrupt_mask(2) (0x00000000)
lv1_set_spe_privilege_state_area_1_register (0x00000000)
ea (0xc00000000a860000) esid (0xc000000008000000) vsid (0x0000408f92c94500)
lv1_get_spe_interrupt_status(0) (0x00000000)
lv1_get_spe_interrupt_status(1) (0x00000000)
lv1_get_spe_interrupt_status(2) (0x00000000)
sleep
lv1_get_spe_interrupt_status(0) (0x00000000)
lv1_get_spe_interrupt_status(1) (0x00000000)
lv1_get_spe_interrupt_status(2) (0x00000000)
out interrupt mbox (0x0000000000000001)
lv1_clear_spe_interrupt_status(2) (0x00000000)
transferring EID0, ldr args and revoke list to LS
waiting until MFC transfers are finished
MFC transfers done
out mbox (0x00000001)
problem status (0x00000089)
lv1_destruct_logical_spe (0x00000000)
El dump está en memoria, en /proc/metldrpwn/dump, lo copiamos a /home/username y voilá.
Saludos
![[plas]](./images/smilies/aplauso.gif "Aplausos")
