PS3 Metldrpwn

From EurAsiaWiki


Source: Rnd @ http://wiki.gitbrew.org/wiki/index.php?title=Metldrpwn


Dear all,

Many of you may have heard about Metldrpwn, which allows you to obtain the per-console key set.

I bet some of you have not gone for it because of the many things to install and do, like Linux etc.

Well, from now on you won't have to do all that; the only thing you need to have/install is OtherOS (Petitboot), and that's it: the image of the FULL Linux distro with glevand's kernel patches and all is in this tutorial.

So let me tell you what you have to do in order to pwn your metldr and get your per-console keys faster:


1. Install Petitboot

Only these steps from glevand's original tutorial are needed:

    1. Install my latest CFW
    2. When installation is finished, reboot in Recovery Mode (not the Backup/Restore in XMB) and choose "Restore PS3 System"
    3. Now your GameOS should use only the half of your HDD
       (Currently working on a better approach)
    4. Run setup_flash_for_otheros.pkg (for all PS3 models)
    5. Reboot (It's important to shut down and turn on your PS3)
    6. Store dtbImage.ps3.bin on USB drive, plug it in and run install_otheros.pkg
       (NAND owners should use dtbImage.ps3.bin.minimal, rename it to dtbImage.ps3.bin).
       Try different USB ports if you don't get any beeps.
    7. Run boot_otheros.pkg
    8. Run reboot.pkg (use the package, not manually reboot!)
    9. You should be in petitboot now.


3.15 stock firmware (OFW) users:

  • Put petitboot on a memory stick (from a Linux PC; the stick is assumed to be mounted at /media/usbstick):
    mkdir -p /media/usbstick/PS3/otheros/
    wget http://www.kernel.org/pub/linux/kernel/people/geoff/cell/ps3-petitboot/ps3-petitboot-09.11.30-cui.bld
    mv ps3-petitboot-09.11.30-cui.bld otheros.bld
    cp ./otheros.bld /media/usbstick/PS3/otheros/otheros.bld

2. Boot Linux

    1. Download my distro of Linux
    2. Unpack in the root of your USB stick/or burn the image to a DVD
    3. Plug in your USB stick / insert the disc in your PS3; you should see 2 different boot options. Boot the first one.

Login details (there are 2 of them, ps3 and root):

    Username: root
    Password: root
    Username: ps3
    Password: ps3


If you need to mount a USB stick, I made a directory for that: /dev/usb

Here is the mount command (replace NAMEOFYOURUSB with the volume label of your stick):

    mount /dev/disk/by-label/NAMEOFYOURUSB /dev/usb/

So now you can access your USB stick under /dev/usb/

3. Metldrpwn part:

original source http://www.ps3devwiki.com/index.php?title=Dumping_Metldr


Step by step instructions

Precompiled metldrpwn: Here

You can do this over SSH or on the console.

Note: don't forget to provide eid0 and RL_FOR_PROGRAM.img if you do it manually instead of using the run.sh file, where those two lines are commented out.

  1. ssh into the PS3
  2. download the files:
         wget http://www.ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip

  3. unzip the files:
         unzip metldrpwn.zip

  4. enter the directory and compile:
         cd metldrpwn && make

  5. run the following commands now (the writes must happen in this order, and the last one shows the module's debug output):
         insmod ./metldrpwn.ko
         cat metldr > /proc/metldrpwn/metldr
         cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
         cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
         cat eid0 > /proc/metldrpwn/eid0
         echo 1 > /proc/metldrpwn/run
         cat /proc/metldrpwn/debug

  6. there, now you have a dump; check it out:
         hd /proc/metldrpwn/dump | less

  7. now copy the dump somewhere or you'll lose it (it only lives in /proc while the module is loaded):
         cp /proc/metldrpwn/dump /home/username/
    

Now you have a copy in your home directory for safe keeping. Congrats, you've completed about < 10 minutes of actual work.

There you go: the keys are at offsets 0x00 to 0x30 of the dump (the first 3 lines of the hexdump, 48 bytes).

So now you get code execution on metldr at the best time possible, because your code executes right after metldr has copied the root keys to 0x00-0x30, which means you get to dump those too (although they are hard-coded in metldr's code anyway).

example:

00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|    // erk/key
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|    // erk/key
00000020 7d 6a 3a e5 37 ba 48 4c fe bd 26 5c f5 b1 28 1f |}j:.7.HL..&\..(.|    // riv

The first two lines (32 bytes) are the erk and the third (16 bytes) is the riv;
together they are the eid0 root key.
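The manual steps above, scripted with the checks a practitioner wants: refuse to start if an input file is missing, abort on the first write the module rejects, copy the dump out of /proc right away, and split it into erk and riv instead of reading the offsets off a hexdump by hand. This is an added example, not code from the page, from Rnd or from the metldrpwn project; it assumes the same /proc/metldrpwn entries and input file names the manual steps use, and the script name dump_keys.sh is made up.

```sh
#!/bin/sh
# Added example (not from the page or the metldrpwn project): the manual
# steps as one script with sanity checks, plus the erk/riv split.
# Assumes the /proc/metldrpwn interface the manual steps use.
# Usage on the PS3:  sh dump_keys.sh run /path/to/metldrpwn [dest-dir]

PROC=/proc/metldrpwn                      # assumed: same proc interface as the manual steps
INPUTS="metldr appldr-metldrexploit350.self RL_FOR_PROGRAM.img eid0"

# Refuse to start unless every input file exists and is non-empty in $1.
check_inputs() {
    dir=$1
    for f in $INPUTS; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    return 0
}

# Feed the inputs to the module in the same order as the manual steps and
# trigger the run; fail on the first write the module rejects.
feed_module() {
    dir=$1; proc=${2:-$PROC}
    cat "$dir/metldr"                       > "$proc/metldr"  || return 1
    cat "$dir/appldr-metldrexploit350.self" > "$proc/mathldr" || return 1
    cat "$dir/RL_FOR_PROGRAM.img"           > "$proc/rvkprg"  || return 1
    cat "$dir/eid0"                         > "$proc/eid0"    || return 1
    echo 1 > "$proc/run" || return 1
    cat "$proc/debug"
}

# Split a raw dump into erk (bytes 0x00-0x1f) and riv (bytes 0x20-0x2f),
# write them to $2.erk / $2.riv and print both as hex. Works on the raw dump
# copy, not on hd output.
extract_keys() {
    dump=$1; out=$2
    size=$(($(wc -c < "$dump")))
    [ "$size" -ge 48 ] || { echo "dump too short ($size bytes)" >&2; return 1; }
    dd if="$dump" of="$out.erk" bs=1 count=32 2>/dev/null
    dd if="$dump" of="$out.riv" bs=1 skip=32 count=16 2>/dev/null
    erk=$(od -An -v -tx1 "$out.erk" | tr -d ' \n')
    riv=$(od -An -v -tx1 "$out.riv" | tr -d ' \n')
    # An all-zero erk means the payload never ran; don't report it as a key.
    case $erk in
        0000000000000000000000000000000000000000000000000000000000000000)
            echo "erk is all zeros: exploit did not run" >&2; return 1 ;;
    esac
    echo "erk=$erk"
    echo "riv=$riv"
}

main() {
    dir=$1; dest=${2:-$HOME}
    check_inputs "$dir" || exit 1
    [ -d "$PROC" ] || insmod "$dir/metldrpwn.ko" || exit 1
    feed_module "$dir" "$PROC" || exit 1
    stamp=$(date +%Y%m%d-%H%M%S)
    # Copy the dump out of /proc immediately; it is gone after rmmod or reboot.
    cp "$PROC/dump" "$dest/metldr-dump-$stamp.bin" || exit 1
    extract_keys "$dest/metldr-dump-$stamp.bin" "$dest/eid0-root-key-$stamp"
}

if [ "${1:-}" = run ]; then
    shift
    main "$@"
fi
```

extract_keys deliberately reads the raw dump file rather than hd output, because hd collapses repeated lines into `*` and a byte-accurate split of the first 48 bytes is what hex2key-style tools need as input anyway; the all-zero check catches the common failure where the module loaded but the payload never executed.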

By the way, this does not mean you get the 3.60 keys or can run newer games, but it will help you get some nifty things to do some new stuff. Also be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this, and if you have a unit that shipped from the factory with metldr.2 (the new metldr) you are out of luck at the moment. There is also a nifty program on the dev tools page to turn your hex into a key; it's called hex2key.



If you have any further questions don't hesitate to contact me,


Sincerely,

Rnd
