如何讀出主機root key - 改機
By Edwina
at 2011-11-10T11:28
at 2011-11-10T11:28
Table of Contents
http://www.ps3hax.net/2011/11/rumorps3-metldr-exploit-been-leaked/#more-12322
ohai ill tell you guys howto use mathldr (i like to call it that, its
kinda catchy) this is pretty safe just dont go crazy with it, you're
only gonna mess your eid up if you attemp to rehash it and flash or
attempt in any way to replace your eid you can decrypt eid with root
keys and static keys in the wiki key page
呦呵!來教大家怎麼玩弄 mathldr(我個人比較喜歡這樣叫,因為比較潮XD),
操作步驟很安全,如果你沒亂搞的話。除非你去亂搞eid 或是想要重簽或是重新
寫入flash 才會有變磚的危險。
prerequisites: 前置作業:
1.otheros++ with ss patches (yes the ones that cause trophy errors,
just update when you wanna play games again and dont complain)
帶有ss修補的OtherOS 系統,OtherOS++ 可以用,但會讓獎盃列表出錯,所
以要玩遊戲時要刷回來,別抱怨了。
2.linux on your ps3 (im using ubuntu 10.10)
能夠在 PS3主機上執行的 Linux套件(我用Ubuntu 10.10)〔譯註:我用
Debian 6.0〕
3.a unpacked copy of your flash (which you can obtain by using
glevands dumpflash.pkg gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg)
and an unpacked copy of ofw you will need the following files from
these:
自主機 flash讀出的檔案(就是你用gelvands的dumpflash 工具讀出的那個)
〔譯註:第一個 USB儲存裝置上的flash.bin 檔,依照主機 flash的大小有
256MB 或是16MB兩種可能〕,然後利用工具把3.55-SONY 官方韌體包解開,
你還需要以下檔案。
metldr
isoldr
RL_FOR_PROGRAM.img
EID0 (you will need to split eid from your flash)
http://www.ps3devwiki.com/index.php?title=Dev_Tools#dump_EID0.sh
EID0這個東西必須從 flash.bin裡頭分出來,參考以上連結
spp_verifier.self
default.spp
and obviously appldr-metldrexploit350.self from the files
當然也會需要appldr-metldrexploit350.self這個檔案
http://gotbrew.org/metldr838exploit.tar.gz
4.latest gitbrew linux kernel
gitbrew團隊最新版的 Linux核心〔譯註:自http://goo.gl/sQPw7下載編譯後安裝〕
5.a desire to quit *****ing and complaining and get off your ass.
******************************************************************************
you can do this over ssh or on console I prefer ssh because my
girlfriend likes to watch tv alot.
這些事情可以用 ssh遠端連線到 PS3主機來弄,我喜歡用這個方法,因為我閃光
每次都跟我搶遙控器。
1.ssh into the ps3
用 ssh連入 PS3主機〔譯註:pietty很好用〕
2.download the files
下載檔案
a. hots $ wget http://gotbrew.org/metldr838exploit.tar.gz
3.untar the files
解壓縮檔案
a. host $ tar -xvf metldr838exploit.tar.gz
4.enter the directory and compile
編譯檔案
a. host $ cd metldr838exploit
b. host $ make
5.run the following commands now:
執行以下指令:
a. host $ insmod ./metldrpwn.ko
b. host $ cat metldr > /proc/metldrpwn/metldr
c. host $ cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
d. host $ cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
e. host $ cat eid0 > /proc/metldrpwn/eid0
f. host $ echo 1 > /proc/metldrpwn/run
g. host $ cat /proc/metldrpwn/debug
there now you have a dump check it out:
到此就已經把該讀出來的東西讀出來了,來檢查一下
h. host $ hd /proc/metldrpwn/dump | less
now copy the dump somewhere or you'll lose it:
把讀出來的東西擺到一個安全的地方,不然不小心丟了又要重來一次
i. host cp /proc/metldrpwn/dump /home/username/
〔譯註:如果有視窗介面就不用打指令了〕
now you have a copy in your home directory for safe keeping
congrats youve completed about < 10 mins of actual work
現在東西擺在家目錄裡頭了,犒賞一下自己這10分鐘不到的努力吧!
there you go keys are in 0x00 to 0x20 (first 3 lines)
注意前三列,位址0x00到0x20的東西,就是我們要的主機root key了
So now you get code execution on metldr at the best time possible
because your code executes right after metldr copies the root keys
from 0x00 to 0x30, which means you get to dump these too. (Although
they are hardcoded in metldr's code anyway)
顯然我們已經能夠讓自己的程式在metldr上頭執行了,而且就緊接在metldr
將root key複製到0x00跟0x20之後,所以我們藉此將root key讀了出來。
example: 範例:
erk: #
00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|
riv:
00000020 7d 6a 3a e5 37 ba 48 4c fe bd 26 5c f5 b1 28 1f |}j:.7.HL..&..(..|
the first 2 lines are erk the 3rd is riv and together they are eid0
like captain ****in planet
前兩列是金鑰的 erk,第三列則是 riv,這兩者組成EID0
btw this does not mean you get 3.60 keys etc or newer games but it
will help you get some nifty things to do some new stuff.... also
please be advised that if you are on 3.60+ you will need to downgrade
with a flasher to do this, also if you have a unit that shipped from
the factory with the metldr.2 (new metldr) your sol at the moment
oh thanx math thanx anon leaker.
提醒一下,拿到root key並不代表你就一定能拿到3.60+ 的金鑰,或是就能
順利執行新版的遊戲,但這能夠讓我們去幹些有趣的事情……。另外還有就
是已經升級到3.56以上版本的人,你必須想辦法去借晶片燒錄器用硬體方式
降級回3.55或以下某個能執行 Linux或是自製成是的版本,如果你是有新版
metldr.2的主機,請繼續等吧,這個方法對你行不通。最後感謝Mathieulh
以及相關人員的貢獻。
******
轉錄前請先徵得本人許可
--
百年國慶晚會改編主題曲《六三三》詞:中立選民/曲:陳志遠 這一篇文章值 53 Ptt幣
六三三 六三三 我們都要六三三 六三三啊六三三 我們都要六三三
投馬騜 投馬騜 含淚都要投馬騜 投馬騜啊投馬騜 含著眼淚都要投馬騜
手握著降價的米酒 看著那白海豚轉彎 無薪假在家又何妨 含著眼淚再投馬騜
無薪假在家又何妨 含著眼淚再投馬騜 手握著降價的米酒 看著那白海豚轉彎
投馬騜 投馬騜 含淚都要投馬騜 投馬騜啊投馬騜 含著眼淚都要投馬騜
--
ohai ill tell you guys howto use mathldr (i like to call it that, its
kinda catchy) this is pretty safe just dont go crazy with it, you're
only gonna mess your eid up if you attemp to rehash it and flash or
attempt in any way to replace your eid you can decrypt eid with root
keys and static keys in the wiki key page
呦呵!來教大家怎麼玩弄 mathldr(我個人比較喜歡這樣叫,因為比較潮XD),
操作步驟很安全,如果你沒亂搞的話。除非你去亂搞eid 或是想要重簽或是重新
寫入flash 才會有變磚的危險。
prerequisites: 前置作業:
1.otheros++ with ss patches (yes the ones that cause trophy errors,
just update when you wanna play games again and dont complain)
帶有ss修補的OtherOS 系統,OtherOS++ 可以用,但會讓獎盃列表出錯,所
以要玩遊戲時要刷回來,別抱怨了。
2.linux on your ps3 (im using ubuntu 10.10)
能夠在 PS3主機上執行的 Linux套件(我用Ubuntu 10.10)〔譯註:我用
Debian 6.0〕
3.a unpacked copy of your flash (which you can obtain by using
glevands dumpflash.pkg gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg)
and an unpacked copy of ofw you will need the following files from
these:
自主機 flash讀出的檔案(就是你用gelvands的dumpflash 工具讀出的那個)
〔譯註:第一個 USB儲存裝置上的flash.bin 檔,依照主機 flash的大小有
256MB 或是16MB兩種可能〕,然後利用工具把3.55-SONY 官方韌體包解開,
你還需要以下檔案。
metldr
isoldr
RL_FOR_PROGRAM.img
EID0 (you will need to split eid from your flash)
http://www.ps3devwiki.com/index.php?title=Dev_Tools#dump_EID0.sh
EID0這個東西必須從 flash.bin裡頭分出來,參考以上連結
spp_verifier.self
default.spp
and obviously appldr-metldrexploit350.self from the files
當然也會需要appldr-metldrexploit350.self這個檔案
http://gotbrew.org/metldr838exploit.tar.gz
4.latest gitbrew linux kernel
gitbrew團隊最新版的 Linux核心〔譯註:自http://goo.gl/sQPw7下載編譯後安裝〕
5.a desire to quit *****ing and complaining and get off your ass.
******************************************************************************
you can do this over ssh or on console I prefer ssh because my
girlfriend likes to watch tv alot.
這些事情可以用 ssh遠端連線到 PS3主機來弄,我喜歡用這個方法,因為我閃光
每次都跟我搶遙控器。
1.ssh into the ps3
用 ssh連入 PS3主機〔譯註:pietty很好用〕
2.download the files
下載檔案
a. hots $ wget http://gotbrew.org/metldr838exploit.tar.gz
3.untar the files
解壓縮檔案
a. host $ tar -xvf metldr838exploit.tar.gz
4.enter the directory and compile
編譯檔案
a. host $ cd metldr838exploit
b. host $ make
5.run the following commands now:
執行以下指令:
a. host $ insmod ./metldrpwn.ko
b. host $ cat metldr > /proc/metldrpwn/metldr
c. host $ cat appldr-metldrexploit350.self > /proc/metldrpwn/mathldr
d. host $ cat RL_FOR_PROGRAM.img > /proc/metldrpwn/rvkprg
e. host $ cat eid0 > /proc/metldrpwn/eid0
f. host $ echo 1 > /proc/metldrpwn/run
g. host $ cat /proc/metldrpwn/debug
there now you have a dump check it out:
到此就已經把該讀出來的東西讀出來了,來檢查一下
h. host $ hd /proc/metldrpwn/dump | less
now copy the dump somewhere or you'll lose it:
把讀出來的東西擺到一個安全的地方,不然不小心丟了又要重來一次
i. host cp /proc/metldrpwn/dump /home/username/
〔譯註:如果有視窗介面就不用打指令了〕
now you have a copy in your home directory for safe keeping
congrats youve completed about < 10 mins of actual work
現在東西擺在家目錄裡頭了,犒賞一下自己這10分鐘不到的努力吧!
there you go keys are in 0x00 to 0x20 (first 3 lines)
注意前三列,位址0x00到0x20的東西,就是我們要的主機root key了
So now you get code execution on metldr at the best time possible
because your code executes right after metldr copies the root keys
from 0x00 to 0x30, which means you get to dump these too. (Although
they are hardcoded in metldr's code anyway)
顯然我們已經能夠讓自己的程式在metldr上頭執行了,而且就緊接在metldr
將root key複製到0x00跟0x20之後,所以我們藉此將root key讀了出來。
example: 範例:
erk: #
00000000 66 4d ee 51 65 6f 68 28 38 98 83 ea df ea 90 04 |fM.Qeoh(8.......|
00000010 01 f3 79 09 d6 a6 52 d9 ea 6d ef 04 51 69 ec 7b |..y...R..m..Qi.{|
riv:
00000020 7d 6a 3a e5 37 ba 48 4c fe bd 26 5c f5 b1 28 1f |}j:.7.HL..&..(..|
the first 2 lines are erk the 3rd is riv and together they are eid0
like captain ****in planet
前兩列是金鑰的 erk,第三列則是 riv,這兩者組成EID0
btw this does not mean you get 3.60 keys etc or newer games but it
will help you get some nifty things to do some new stuff.... also
please be advised that if you are on 3.60+ you will need to downgrade
with a flasher to do this, also if you have a unit that shipped from
the factory with the metldr.2 (new metldr) your sol at the moment
oh thanx math thanx anon leaker.
提醒一下,拿到root key並不代表你就一定能拿到3.60+ 的金鑰,或是就能
順利執行新版的遊戲,但這能夠讓我們去幹些有趣的事情……。另外還有就
是已經升級到3.56以上版本的人,你必須想辦法去借晶片燒錄器用硬體方式
降級回3.55或以下某個能執行 Linux或是自製成是的版本,如果你是有新版
metldr.2的主機,請繼續等吧,這個方法對你行不通。最後感謝Mathieulh
以及相關人員的貢獻。
******
轉錄前請先徵得本人許可
--
百年國慶晚會改編主題曲《六三三》詞:中立選民/曲:陳志遠 這一篇文章值 53 Ptt幣
六三三 六三三 我們都要六三三 六三三啊六三三 我們都要六三三
投馬騜 投馬騜 含淚都要投馬騜 投馬騜啊投馬騜 含著眼淚都要投馬騜
手握著降價的米酒 看著那白海豚轉彎 無薪假在家又何妨 含著眼淚再投馬騜
無薪假在家又何妨 含著眼淚再投馬騜 手握著降價的米酒 看著那白海豚轉彎
投馬騜 投馬騜 含淚都要投馬騜 投馬騜啊投馬騜 含著眼淚都要投馬騜
--
Tags:
改機
All Comments
By Erin
at 2011-11-15T08:55
at 2011-11-15T08:55
By Agnes
at 2011-11-17T05:22
at 2011-11-17T05:22
By Belly
at 2011-11-21T13:52
at 2011-11-21T13:52
By Hardy
at 2011-11-21T16:10
at 2011-11-21T16:10
By Lily
at 2011-11-22T16:58
at 2011-11-22T16:58
By Kumar
at 2011-11-26T15:32
at 2011-11-26T15:32
By Faithe
at 2011-11-29T17:13
at 2011-11-29T17:13
By Cara
at 2011-12-02T08:18
at 2011-12-02T08:18
By Cara
at 2011-12-04T12:03
at 2011-12-04T12:03
By Mary
at 2011-12-07T05:21
at 2011-12-07T05:21
Related Posts
老r4跟NDSi LL
By Ivy
at 2011-11-09T17:36
at 2011-11-09T17:36
PS3 全裸了嗎?
By Susan
at 2011-11-09T17:19
at 2011-11-09T17:19
PS3 全裸了嗎?
By Edith
at 2011-11-09T13:15
at 2011-11-09T13:15
PS3 全裸了嗎?
By Necoo
at 2011-11-09T11:21
at 2011-11-09T11:21
PS3 全裸了嗎?
By Vanessa
at 2011-11-09T04:35
at 2011-11-09T04:35