PS3 Lv0ldr / Bootldr Exploit - Console Modding (改機)

By Kelly
at 2012-11-21T21:47
http://goo.gl/21FLs
PS3 Lv0ldr / Bootldr Exploit Reverse-Engineering Details by Naehrwert
(via wololo) Today PlayStation 3 hacker naehrwert has shared some details
based on reverse-engineering the exploit that was used to dump it.
To quote from his blog:
The Exploit
As the exploit that was used to dump lv0ldr/bootldr/howeveryouliketocallit is
public now, let's have a closer look at it to understand what's going on.
Here is what I have reversed from lv0 (it shares the syscon portion of the
code with its SPU counterpart):
The syscon library implements some high level functions, e.g. to shut down the
console on panic or to read certain configuration values. Every one of these
functions internally uses another function to exchange packets with syscon,
and the exchange function uses the read_cmpl_msg one to get the answer
packet. The top-level function will pass a fixed-size buffer to the exchange
function.
So if we are able to control syscon packets, e.g. by emulating MMIO (and
thanks to IBM we are), we can change the packet size between the two packet
readings and overwrite the caller stack. And if we first copy a little stub
to shared LS and let the return address point to it, we can easily dump the
whole 256 kB.
Nothing more left to say now, let's wait and see if this is going to be fixed
in future firmware versions (we just have to check lv0 fortunately).
--
○ ____ _ _ _ _ ____ _ _ ____ _____ ____
。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \
o _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧
(____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★
o
--
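The bug class described in the quoted post (a reply length that is checked on one packet read and then trusted on the second, with an attacker-emulated syscon changing it in between), as an added C example for this page. It is not naehrwert's reversed lv0 code and not from his blog: the function names, the 0x40-byte buffer size, the frame layout and the emulated MMIO queue are assumptions made for illustration. The vulnerable exchange overwrites the slot modelled as the saved return address with a stand-in for the shared-LS stub address; the hardened version rejects a length that changed between the two reads.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the lv0 syscon packet path, written for this page.
 * Names, sizes and the frame layout are assumptions for illustration;
 * this is not the reversed firmware code.
 */

#define SC_MSG_MAX 0x40          /* assumed size of the caller's fixed buffer */
#define STUB_ADDR  0x1234ULL     /* stand-in for a stub address in shared LS */

/* One packet as the emulated syscon presents it through MMIO. */
struct sc_packet {
    uint8_t len;                 /* length field the firmware trusts */
    uint8_t payload[255];
};

/* Attacker-controlled MMIO: every read hands out the next queued packet,
 * so the length seen on read #2 need not match the one seen on read #1. */
struct emulated_syscon {
    const struct sc_packet *replies;
    size_t nreplies;
    size_t cursor;
};

static const struct sc_packet *sc_mmio_read(struct emulated_syscon *sc)
{
    if (sc->cursor >= sc->nreplies)
        return NULL;
    return &sc->replies[sc->cursor++];
}

/* Model of the top-level caller's frame: the fixed-size message buffer with
 * the saved return address sitting directly above it. */
struct caller_frame {
    uint8_t  msg[SC_MSG_MAX];
    uint64_t saved_ret;          /* stand-in for the saved return address */
};

/* Vulnerable exchange: the first read is bounds-checked against the caller's
 * buffer, but the completion read (read_cmpl_msg) trusts the length that
 * arrives with it. */
static int sc_exchange_vuln(struct emulated_syscon *sc, uint8_t *out, size_t out_len)
{
    const struct sc_packet *hdr = sc_mmio_read(sc);
    if (hdr == NULL || hdr->len > out_len)
        return -1;                                /* check passes on read #1 */

    const struct sc_packet *cmpl = sc_mmio_read(sc);
    if (cmpl == NULL)
        return -1;

    for (size_t i = 0; i < cmpl->len; i++)       /* BUG: cmpl->len never checked */
        out[i] = cmpl->payload[i];                /* runs past msg[] into saved_ret */
    return cmpl->len;
}

/* Hardened exchange: the copy length must be the one that was bounded, so a
 * device that changes its mind between the two reads is rejected. */
static int sc_exchange_fixed(struct emulated_syscon *sc, uint8_t *out, size_t out_len)
{
    const struct sc_packet *hdr = sc_mmio_read(sc);
    if (hdr == NULL || hdr->len > out_len)
        return -1;

    const struct sc_packet *cmpl = sc_mmio_read(sc);
    if (cmpl == NULL || cmpl->len != hdr->len || cmpl->len > out_len)
        return -1;                                /* length changed: refuse it */

    memcpy(out, cmpl->payload, cmpl->len);
    return cmpl->len;
}

/* Drive one exchange against attacker-queued packets and return what ended
 * up in the saved-return slot. STUB_ADDR means control was hijacked. */
uint64_t run_exchange(int hardened)
{
    struct sc_packet replies[2];
    memset(replies, 0, sizeof replies);

    replies[0].len = 0x10;                        /* read #1: small, passes the check */
    replies[1].len = SC_MSG_MAX + sizeof(uint64_t); /* read #2: grown to reach saved_ret */
    memset(replies[1].payload, 'A', SC_MSG_MAX);  /* filler up to the return slot */
    uint64_t stub = STUB_ADDR;
    memcpy(replies[1].payload + SC_MSG_MAX, &stub, sizeof stub); /* new return target */

    struct emulated_syscon sc = { replies, 2, 0 };
    struct caller_frame frame;
    memset(frame.msg, 0, sizeof frame.msg);
    frame.saved_ret = 0xCAFEULL;                  /* legitimate return target */

    if (hardened)
        sc_exchange_fixed(&sc, frame.msg, sizeof frame.msg);
    else
        sc_exchange_vuln(&sc, frame.msg, sizeof frame.msg);
    return frame.saved_ret;
}

int main(void)
{
    printf("vulnerable: saved_ret = 0x%llx\n", (unsigned long long)run_exchange(0));
    printf("hardened:   saved_ret = 0x%llx\n", (unsigned long long)run_exchange(1));
    return 0;
}
```

In the real attack the overwritten slot pointed at a small stub previously copied into shared local store, which then dumped the full 256 kB; here the frame is a struct so the overwrite is observable without corrupting the host's own stack. The practitioner's check is the one the hardened function makes: the length used for the copy has to be the length that was validated, and anything a device can rewrite between two MMIO reads has to be treated as untrusted on every read.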
Tags:
Console modding (改機)
All Comments

By Charlie
at 2012-11-23T20:49