Dumping Bootldr

Requirements

• OtherOS++ with SS Patches
• Linux Kernel with glevand's/graf's patches (red ribbon rc6 will do the trick, since it has the embedded kernel)
• [the exploit] / [version ports]
• NOR console with a NOR dump (the exploit isn't adapted to NAND consoles yet, no MMIO available)

How to

1. Start a normal session from red ribbon (or any other distro you might have)
2. Extract the contents of bootldrexploit to your home folder
3. Open your terminal and type as root:


cd bootldrexploit/ps3peekpoke

4. Compile the lv1 peek poke kernel module:


make

5. Insert the lv1 peek poke kernel module:


insmod ps3peekpoke.ko

6. Change directory to the exploit dir


cd ../btldr8

7. Compile the exploit


make

8. Make a nor dump by typing


dd if=/dev/ps3nflasha of=nor.bin bs=1024

9. Execute the exploit


./lv0Decrypt 0 nor.bin buffer.bin

10. It should show the status as status A0082. This means you've succeeded. check your dump for the keys.


hexdump -C dump.bin > test



nano test

Notes

• for the latest version of red ribbon, don't forget to also change dir to /usr/src/[your linux headers folder]/ and type make modules_prepare

• in the eventual case you get status 89 no matter what you do, replace the function writeResponsePackageChecksum with this one : http://pastie.org/private/fyirapl8w78j462ggxmsyw

v e Reverse engineering General Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs & Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM Hypervisor Hypervisor Reverse Engineering · Repository Nodes Services Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager Plugin Interfaces ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin Emulation PS1 Emulation · PS2 Emulation · PSP Emulation Extended features Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals Online Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket Hardware SC SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI CELL Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit RAM XDR Configuration · Rambus Registers SB ENCDEC Device Reverse Engineering HDD HDD Encryption BD Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive Tools IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh Strings files emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr dumps lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables Reference Archaic · Drk_notes · Canaries Keys & Seeds Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks