Author cassine (Savannah)
Board Modchip
Title [PS3 ] Exploit theory for firmware 4.0
Time Wed Jan 25 14:06:32 2012
http://goo.gl/VKWGn
So the lv2ldr verifies and decrypts the lv2_kernel.self. We can get the
address of this happening. Inside Parameters Layout there are
arguments, they are used as commands basically to load a function you
want to use. They start in the lv2 @ 0x3E800 (seems to be the same for
other ldrs) that address. There is an argument that is called lv2_in
and lv2_out (we have known about these) basically we can use lv2_in to
map out the address and lv2_out to map out the address for where the
lv2ldr decrypts the self file. We can make a program like readself
basically and get the offset, u8* means read one byte from the
address. Use that and we can actually get the exact offset where it
all happens at.
Since lv2ldr has the ability to verify and decrypt the main lv2_kernel.self program, we may be able
to use this to learn the memory address. The lv2ldr function has three input parameters, starting at
address 0x3E800 (the start addresses of most ldrs seem to be around there); one parameter is called
lv2_in, whose format is an address pointer (translator's note: i.e. a pointer), and one is called
lv2_out, also an address. We can read it as: after lv1 loads lv2_kernel.self into memory, it hands
the address pointer to lv2ldr, which decrypts it and then writes the contents to the address given by
lv2_out. So as long as we can fish out what is stored at the lv2_out address, things become simple.
Once we have the location, grabbing this decrypted self should be the
easy task. Like I said, some info we had and some we did not know
about can be obtained like this and used to get keys.
Using this technique, we can get some of the things we want to know, such as the keys stored inside appldr.
Exploiting 4.00 with this method would work, most likely because I
doubt Sony changed all the locations where the loaders do their thing;
sure, they're encapsulated in the bootloader, but they still pass over
into the RAM at one point before being fed over to the metldr, which
loads ldrs, and if all that is still happening then Sony didn't change
anything.
This technique has a high chance of successfully decrypting firmware 4.00, mainly because I don't
believe SONY would change all of the addresses; even if it did, the changed addresses still live inside
the bootloader and sooner or later have to be passed into memory, otherwise metldr has no way to load
the rest.
******
What I'm personally curious about is: even knowing the address, is there a way to read out the
contents the lv2_out pointer points to with external circuitry alone? If not with external circuitry,
you would at least need to have broken in far enough to have memory-dump privileges, for example to
the point of running Linux, mapping memory directly into a file and then searching it. And if you can
run Linux at all, there is no need to care where lv2_out points, because the form of a key is very
fixed and a whole bunch of them appear in memory at once; just write a program to search for them,
256MB won't take very long.
******
After reading the original author's twitter: as expected, the original poster got slapped down by KaKaRoTo.
--
○ ____ _ _ _ _ ____ _ _ ____ _____ ____
。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \
o _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧
(____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★
o
--
※ Posted from: PTT BBS (ptt.cc)
◆ From: 122.117.54.160
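The commentary above suggests that, with a memory dump in hand, one can skip the lv2_out bookkeeping and simply search the dump for key-shaped data. The following is an added example of that search, written for this page; it is not code from the post, from the quoted source, or from any PS3 tool. It assumes nothing about the PS3 memory layout: the only assumption (a heuristic, stated in the code) is that key material looks like a 32-byte block with almost no repeated byte values, which zero fill, strings and code do not. Consecutive hits are merged into one region, so several keys sitting next to each other, as the commentary describes, come out as a single region. The sample "dump" is constructed in memory, and the planted key bytes are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic key hunt over a raw memory dump.
 * ASSUMPTION (not from the post): key material looks like "random" bytes,
 * so a 32-byte window with almost no repeated byte values is a candidate.
 * 32 truly random bytes average about 30 distinct values; text, zero fill
 * and machine code fall well below that. */
#define WIN 32
#define MIN_DISTINCT 28

struct region { size_t start; size_t end; };   /* [start, end) in the dump */

/* Number of distinct byte values in one WIN-byte window. */
int distinct_bytes(const uint8_t *p) {
    uint8_t seen[256] = {0};
    int n = 0;
    for (int i = 0; i < WIN; i++)
        if (!seen[p[i]]) { seen[p[i]] = 1; n++; }
    return n;
}

/* Slide a WIN-byte window over buf one byte at a time and merge consecutive
 * hits into regions, so a run of adjacent keys is reported once. Edges are
 * fuzzy by a few bytes: windows that overlap a key and its zero neighbours
 * still clear the threshold. Returns the total number of regions; at most
 * max_out of them are stored in out. */
size_t find_key_regions(const uint8_t *buf, size_t len,
                        struct region *out, size_t max_out) {
    size_t count = 0, off = 0;
    while (off + WIN <= len) {
        if (distinct_bytes(buf + off) < MIN_DISTINCT) { off++; continue; }
        size_t start = off;
        while (off + WIN <= len && distinct_bytes(buf + off) >= MIN_DISTINCT)
            off++;
        if (count < max_out) {
            out[count].start = start;
            out[count].end = (off - 1) + WIN;   /* end of the last hit window */
        }
        count++;
    }
    return count;
}

/* Constructed sample "dump": zero fill, a string-table look-alike, and one
 * 32-byte block of distinct bytes standing in for a key (hypothetical values). */
#define SAMPLE_LEN 4096
#define KEY_OFF 1000
static const uint8_t sample_key[WIN] = {
    0x9f,0x13,0xc4,0x2e,0x7a,0xb0,0x5d,0xe8,0x31,0xf6,0x0c,0xa7,0x48,0xd2,0x69,0x85,
    0xbe,0x1a,0xf3,0x57,0x0e,0xc9,0x24,0x7c,0xd8,0x46,0x93,0x6b,0xa1,0x0f,0xe5,0x3a };

void build_sample(uint8_t *buf, size_t len) {
    const char *tag = "lv2_kernel.self ";
    size_t tlen = strlen(tag);
    memset(buf, 0, len);
    for (size_t i = 256; i + tlen <= 800; i += tlen)   /* repeated ASCII names */
        memcpy(buf + i, tag, tlen);
    memcpy(buf + KEY_OFF, sample_key, WIN);
}

/* Scan the sample; returns 1 if exactly one region is found, it covers the
 * planted key, and its fuzzy edges are within 8 bytes of the key. */
int sample_check(void) {
    static uint8_t buf[SAMPLE_LEN];
    struct region r[4];
    build_sample(buf, SAMPLE_LEN);
    size_t n = find_key_regions(buf, SAMPLE_LEN, r, 4);
    return n == 1
        && r[0].start <= KEY_OFF && KEY_OFF - r[0].start <= 8
        && r[0].end >= KEY_OFF + WIN && r[0].end - (KEY_OFF + WIN) <= 8;
}

int main(void) {
    static uint8_t buf[SAMPLE_LEN];
    struct region r[16];
    build_sample(buf, SAMPLE_LEN);
    size_t n = find_key_regions(buf, SAMPLE_LEN, r, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("candidate key region: 0x%zx-0x%zx\n", r[i].start, r[i].end);
    return sample_check() ? 0 : 1;
}
```

On a real dump, replace build_sample with fread of the dump file into a buffer and run find_key_regions over it; a full pass over 256MB is one distinct-count per byte offset, which is cheap. The threshold is a heuristic, so expect a few false positives from compressed or already-encrypted data in the dump, and treat each region as something to test against a known ciphertext rather than as a confirmed key.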
1F:Push satou20444:The strongest warrior race, as expected ... 01/25 14:20
2F:Push f1234518456:Go Goku! 01/25 14:22
3F:Push oyuyuyu:So profound OTZ 01/25 16:05
4F:Push talbot:This whole series of posts is uncharted territory to me, but still have to push OP's expert post! 01/25 16:46
5F:Push jsijkl:Curious question for C: what subjects should one study in depth to understand this stuff, computer organization?? 01/25 21:43
6F:→ lwecloud:OS and kernel, I'd say 01/25 22:40
7F:Push kovenkoven:Read some cryptography on the side too 01/26 00:11
8F:Push f1234518456:I'd suggest starting from assembly language 01/26 00:57
9F:→ Eior:If you don't want to go too deep, read intro to computing 01/26 01:12
10F:→ s25g5d4:I believe reading intro to computing won't get you far.. 01/26 01:31
11F:→ angusyu:Actually, just don't try to learn it at all... nobody wants to study electronics and still read assembly and digital logic 01/26 02:22
12F:Push s25g5d4:Digital radish (gets dragged away 01/26 12:04
13F:→ cassine:Come on, anyone who has taken data structures, computer architecture and C should know what this is doing 01/26 12:21
14F:→ jikanson:But understanding and knowing is still a whole different thing from being able to join in and play yourself 0rz 01/27 00:27
15F:→ cassine:Oh right, I've always just been a bystander too; touched assembly once and didn't want to learn it anymore >< 01/27 13:15
16F:Push belion:Assembly is scary; read intro to computing first and you can probably roughly guess what this is doing @@ 01/30 16:49