Theory behind cracking the 4.0 firmware - Modding
By John
at 2012-01-25T14:06
http://goo.gl/VKWGn
So the lv2ldr verifies and decrypts the lv2_kernel.self. We can get the
address of this happening. Inside Parameters Layout there are
arguments; they are used as commands, basically, to load a function you
want to use. They start in the lv2 @ 0x3E800 (seems to be the same for
other ldrs), that address. There is an argument that is called lv2_in
and lv2_out (we have known about these); basically we can use lv2_in to
map out the address and lv2_out to map out the address for where the
lv2ldr decrypts the self file. We can make a program like readself
basically and get the offset; u8* means read one byte from the
address. Use that and we can actually get the exact offset where it
all happens at.
Since lv2ldr is able to verify and decrypt the lv2_kernel.self main program, we may be able to learn the memory address through it. The lv2ldr function has three input parameters, starting at address 0x3E800 (it seems most ldrs start around there). One parameter is called lv2_in, whose format is an address pointer (translator's note: i.e. a pointer), and one is called lv2_out, whose format is also an address. We can understand it as: after lv1 loads lv2_kernel.self into memory, it passes the address pointer to lv2ldr, which after decryption writes the contents to the address specified by lv2_out. So as long as we can fetch what is stored at the lv2_out address, things become simple.
Once we have the location, grabbing this decrypted self should be the
easy task. Like I said, some info we had and some we did not know
about can be obtained like this and used to get keys.
With this method you can obtain some of the things you want to know, for example the keys stored inside appldr.
Exploiting 4.00 with this method would work, most likely because I
doubt Sony changed all the locations where the loaders do their thing;
sure, they're encapsulated in the bootloader, but they still pass over
into the RAM at one point before being fed over to the metldr which
loads ldrs, and if all that is still happening then Sony didn't change
anything.
Using this method there is a high chance of successfully decrypting the 4.00 firmware, mainly because I do not believe SONY would have changed every address; and even if they did, the changed addresses still live in the bootloader and sooner or later have to be passed into memory, otherwise metldr could not load anything else.
******
What I am personally curious about is: even if the address is known, is there a way to read out the contents at the address the lv2_out pointer points to using only external circuitry? If not using external circuitry, then you at least need to have cracked it to the point of having memory-dump privileges, e.g. being able to run Linux and directly map memory to a file and then search through it. And if you can already run Linux, there is no need to care where lv2_out points at all, because the form of a key is very fixed, and a whole bunch of them appear in memory at once; just write a program to search for them, 256MB won't take very long.
******
After checking the original author's Twitter, the original poster did indeed get called out by KaKaRoTo.
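The search the comment above describes, scanning a dump for the fixed form that key material takes, is also the check a defender runs to confirm that secrets do not linger in a memory image (for example after zeroization). What follows is an added example, not code from the post or from any PS3 tool: the dump, the two key values and the thresholds are all constructed for the demonstration, and the heuristic (many distinct byte values, few printable ones) is the classic one for spotting random-looking blocks among zeros, text and pointer-heavy structures.

```python
"""Scan a memory dump for key-like regions: fixed-size windows whose bytes are
spread across the byte range and are not dominated by ASCII text.
Added example; the sample dump and the keys inside it are constructed."""
from collections import Counter
from dataclasses import dataclass
from math import log2

WINDOW = 16          # smallest key size worth reporting (e.g. a 128-bit key)
MIN_DISTINCT = 13    # assumption: 16 random bytes rarely repeat more than 3 values
MAX_PRINTABLE = 10   # assumption: text is ~100% printable, random bytes ~37%


@dataclass
class Region:
    start: int
    end: int          # exclusive
    entropy: float    # bits per byte over the merged region


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data (capped by log2(len) for short inputs)."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def looks_like_key(window: bytes) -> bool:
    """Heuristic: many distinct byte values and not dominated by ASCII text."""
    distinct = len(set(window))
    printable = sum(0x20 <= b <= 0x7E for b in window)
    return distinct >= MIN_DISTINCT and printable <= MAX_PRINTABLE


def scan_dump(dump: bytes, window: int = WINDOW) -> list[Region]:
    """Slide a window over the dump (stride 1) and merge adjacent hits."""
    regions: list[Region] = []
    for off in range(0, len(dump) - window + 1):
        if not looks_like_key(dump[off:off + window]):
            continue
        if regions and regions[-1].end >= off:   # abuts or overlaps last hit
            regions[-1].end = off + window
        else:
            regions.append(Region(off, off + window, 0.0))
    for r in regions:
        r.entropy = shannon_entropy(dump[r.start:r.end])
    return regions


# ---- constructed sample dump (not a real memory image) ----
KEY_A = bytes.fromhex("9f1e7c03d4b6a2e85571c0fa3d9b6e24")   # constructed 16-byte key
KEY_B = bytes.fromhex("e3a9c1775fd24b08cc6190ab3e5719f1"    # constructed 32-byte key
                      "48b0d6e92a7f3c15e6b48d0a97c2f531")


def build_sample_dump() -> bytes:
    """Zeros, log text, pointer-like structs and two planted keys."""
    text = b"PS3 firmware loader log: lv2ldr verified the self image OK\n" * 8
    # 8-byte big-endian pointer-like values: mostly 0x00, so few distinct bytes
    structs = b"".join((0x8000000000012340 + i * 0x100).to_bytes(8, "big")
                       for i in range(64))
    zeros = bytes(256)
    return zeros + text + zeros + KEY_A + zeros + structs + zeros + KEY_B + zeros


if __name__ == "__main__":
    dump = build_sample_dump()
    for r in scan_dump(dump):
        print(f"candidate at 0x{r.start:06x}-0x{r.end:06x} "
              f"({r.end - r.start} bytes, {r.entropy:.2f} bits/byte)")
```

Hits are candidates, not keys: compressed data, lookup tables and ciphertext score just as high, so each region still has to be checked against the expected key length and alignment. For a real 256 MB image the stride-1 Python loop is slow; the same heuristic with a 4- or 16-byte stride, or a C port, is the usual compromise.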
Tags:
Modding