PS3 developer MikeM64 has published a full description of his MITM (man-in-the-middle) attack on the PS3; pictures of the attack appeared a few weeks ago. The purpose of this work is to fully unlock LV0 (the boot loader) on newer PS3 models and, as a result, to be able to install full custom firmware (CFW) on those consoles.
PS3 Exploits – Current status
As we mentioned earlier, jailbreaking the PS3 is possible on all models and all firmware versions today, although depending on your console you may not be able to install full custom firmware. For most people the difference between what they can already use (PS3HEN) and full CFW is small, but LV0 remains the holy grail of PS3 hacking. MikeM64 has an excellent summary:
The PlayStation 3 has a very long homebrew history. When the PS3 was first released, Linux support was available from day one! People were able to install any PowerPC-based distribution with full kernel support for the various system devices. This enabled all sorts of exciting uses, such as supercomputing clusters and cheap PowerPC development boxes. There were a number of pokes and prods at the hypervisor from Linux, but nobody tried to go too far until OtherOS support was removed from the slim consoles. After GeoHot's HTAB exploit was released, OtherOS was removed from all consoles in firmware 3.21. That was the catalyst that opened the floodgates to fully exploiting the console. I have summarized the current status of the many exploits released for the PS3 below:
Exploit | Version | Enabled in LV1 | Enabled in LV2 | Notes
GeoHot HTAB Glitching | ? | R/W of arbitrary HV memory | N/A | An FPGA was used to glitch the memory address lines
PSJailbreak Dongle | 3.41 | N/A | Homebrew and piracy; OtherOS support re-enabled on GameOS | The dongles abused USB device descriptor parsing to get code execution in LV2
fail0verflow Sigfail | <= 3.55 | Custom-signed LV1 | Custom-signed LV2 | Works on all consoles with minver <= 3.55
Post 3.55 / Sigfail era | | | |
lv0ldr Syscon Packet TOCTOU - Linux dumping | ? | N/A | N/A | The lv0 root keys were dumped, allowing all LV0 executables to be decrypted and re-signed on consoles with minver <= 3.55
HEN | <= 4.89 | N/A | Homebrew and piracy on GameOS | No OtherOS support
lv0ldr Syscon Packet TOCTOU - HW remix | ? | Custom code in LV1 | Custom code in LV2 | Should work, with hardware, on all consoles. This is the topic of the day!

After the release of Sigfail, Sony tried to re-secure the boot chain by migrating all the bootloaders into lv0, since it had not yet been dumped or exploited. That was a good stopgap until Juan Nadie and the Three Musketeers dumped lv0ldr and their exploit and keys were leaked. Once the LV0 keys were available, it was possible to modify and re-sign all of the updated code on older consoles. Consoles manufactured after the Sigfail release were updated with new lv0 metadata (lv0.2) that is not vulnerable to the Sigfail exploit.
For all consoles that are not vulnerable to Sigfail, HEN was released for GameOS; it uses a combination of a built-in web browser exploit and an LV2 kernel exploit to provide both homebrew and piracy. To date it still does not support OtherOS or hypervisor modification.
In other words, breaking LV0 is required for full control over every PS3 model, and that is what MikeM64 has achieved with a bit of hardware and a lot of trial and error.
Exploiting the PS3 LV0 with hardware
The general idea was to recreate, with hardware, a software vulnerability from the 3.55 era that led to the LV0 keys being released (the "3 Musketeers" leak). MikeM64 writes:
The lv0ldr exploit that was used to dump lv0ldr targets the handling of system packets between syscon and the Cell. lv0ldr has a TOCTOU bug: in the code that handles reading a syscon packet, the packet header is re-read after the checksum has been validated. […] This issue alone is usually not enough to exploit lv0ldr. You must be able to time and inject memory writes into the MMIO region that holds the system packet buffer, first to pass the checksum and then to write a new header that turns the copy into an arbitrary-size memcpy. The time window in which to do this is extremely small. Fortunately, thanks to the debugging features IBM built into the Cell, we can widen that window. For both regular and isolated SPUs, we can set breakpoints on any MFC transfer into or out of the SPU. This lets us halt the execution of lv0ldr on an access to any memory, which makes it possible to exploit and dump lv0ldr.
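The double-fetch pattern described in the quote, modelled as an added example. This is illustration code written for this article, not MikeM64's tooling and not Sony's lv0ldr; the packet layout (2-byte little-endian length, 1-byte XOR checksum, payload), the 64-byte destination buffer, the `mmio` array standing in for the syscon packet buffer and the `glitch_header()` hook are all assumptions. The hook stands in for the timed write that the MFC-transfer breakpoint makes possible: it fires after the checksum has passed and before the length is read again. A canary placed right after the destination buffer records whether the copy overran it, and the single-fetch variant shows that keeping one validated copy of the header closes the window.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKT_MAX   64                 /* assumed size of the consumer's packet buffer */
#define CANARY    0xA5A5A5A5u        /* sentinel placed right after that buffer */
#define HDR_LEN   3                  /* assumed header: u16 length, u8 XOR checksum */
#define GOOD_LEN  16                 /* payload length of the legitimate packet */

/* Stand-in for the MMIO-mapped packet buffer that syscon writes and the loader reads. */
static volatile uint8_t mmio[256];

struct hdr { uint16_t len; uint8_t csum; };

struct result {
    int    accepted;   /* 1 if the length and checksum checks passed */
    size_t copied;     /* bytes the copy loop actually moved */
    int    canary_ok;  /* 0 if the copy overran the PKT_MAX buffer */
};

/* Every call re-reads the header from the shared buffer: this is the fetch. */
static struct hdr read_hdr(void) {
    struct hdr h;
    h.len  = (uint16_t)(mmio[0] | (mmio[1] << 8));
    h.csum = mmio[2];
    return h;
}

static uint8_t xor_sum(size_t len) {
    uint8_t s = 0;
    for (size_t i = 0; i < len; i++) s ^= mmio[HDR_LEN + i];
    return s;
}

/* Constructed input: a well-formed 16-byte packet with a correct checksum. */
static void stage_good_packet(void) {
    for (size_t i = 0; i < sizeof mmio; i++) mmio[i] = 0;
    for (size_t i = 0; i < GOOD_LEN; i++) mmio[HDR_LEN + i] = (uint8_t)(0x41 + i);
    mmio[0] = (uint8_t)(GOOD_LEN & 0xff);
    mmio[1] = (uint8_t)(GOOD_LEN >> 8);
    mmio[2] = xor_sum(GOOD_LEN);
}

/* The timed write: only the length bytes change, after the checksum already passed.
 * The checksum still covers the original 16 payload bytes, so nothing re-validates it. */
static void glitch_header(void) {
    uint16_t big = PKT_MAX + sizeof(uint32_t);   /* just enough to reach the canary */
    mmio[0] = (uint8_t)(big & 0xff);
    mmio[1] = (uint8_t)(big >> 8);
}

/* double_fetch=1 reproduces the TOCTOU; double_fetch=0 is the hardened flow. */
static struct result copy_packet(int double_fetch, int glitch) {
    uint8_t  frame[PKT_MAX + sizeof(uint32_t)];  /* buffer + canary, one allocation */
    uint32_t canary = CANARY;
    struct result r = {0, 0, 1};

    stage_good_packet();
    memcpy(frame + PKT_MAX, &canary, sizeof canary);

    struct hdr h = read_hdr();                   /* fetch #1: the copy that gets checked */
    if (h.len > PKT_MAX || xor_sum(h.len) != h.csum)
        return r;                                /* rejected, nothing copied */
    r.accepted = 1;

    if (glitch) glitch_header();                 /* the attacker's write lands here */

    /* fetch #2 is the bug: the length is taken from the buffer again, unchecked */
    size_t n = double_fetch ? read_hdr().len : h.len;
    for (size_t i = 0; i < n; i++) frame[i] = mmio[HDR_LEN + i];
    r.copied = n;

    memcpy(&canary, frame + PKT_MAX, sizeof canary);
    r.canary_ok = (canary == CANARY);
    return r;
}

struct result run_vulnerable(int glitch) { return copy_packet(1, glitch); }
struct result run_fixed(int glitch)      { return copy_packet(0, glitch); }

int main(void) {
    struct result a = run_vulnerable(0), b = run_vulnerable(1), c = run_fixed(1);
    printf("vulnerable, no glitch: copied=%zu canary_ok=%d\n", a.copied, a.canary_ok);
    printf("vulnerable, glitched : copied=%zu canary_ok=%d\n", b.copied, b.canary_ok);
    printf("single fetch, glitched: copied=%zu canary_ok=%d\n", c.copied, c.canary_ok);
    return 0;
}
```

The glitch is deliberately limited to the 68 bytes needed to clobber the canary so the model stays inside its own array; in the real loader the re-read length bounds a memcpy with no such limit, which is the arbitrary-size copy the quote refers to. The only difference between the two flows is which `len` the copy loop trusts: the hardened path never touches the shared buffer's header after validating it.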
MikeM64 provides extensive details on how the hardware hack was achieved, along with all the tools other hackers need to work on the next steps, including CFW support for all PS3 models. It is now probably only a matter of time before that happens.
The hardware required is "simple" (the skills involved are not): a Teensy 4.0 and an Arty-S7 50 (although MikeM64 states that it should be easy to port to any Arty A-series board), plus the usual cables that go with them.
You can check out the full series of posts here.