How to pwn metldr the "easy" way
Because some ungrateful person leaked my metldr exploit files I will now be explaining how it actually works, see this as my ultimate release of all times for an ungrateful scene (and scenes in the future)
That's about how I am pissed right now, because of course the person that leaked these files has no idea of how they actually work.
How to pwn metldr the "easy" way:
This is most likely how geohot exploited it in the first way, this takes (give or take) about 10 minutes to be performed. (yeah, not so much of a "I hacked the ps3 all on my own work, especially not when it partially relies on Segher's work, one of the reason geohot never shared the way he exploited metldr to anyone)
I will assume here, that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool
Now You want to gain code execution to metldr, you know that metldr loads loaders to its own space, but you cannot run a loader because the loader needs to be signed and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key and to get signatures you need keys which you are currently trying to dump, so far you are stuck in a chicken and egg scenario.
The question is, do you really need keys to get a decrypted signature ?
Well the real answer is no, thanks to a nifty fail that sony left in in metldr (and the bootloader), you can have the ldr to decrypt the metadata for you, isn't that neat ?
Here's how it works:
[...]
Here you go, you have a metldr dump !
Now as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leaking it. (Not like any of them would have been able to tell you how all this even works in the first place)
So long, everyone.
Remember, don't ever bite the hands that feed you.
P.S. Oh! and btw, if you talented enough to make hardware to dump the shared lsa, you can decrypt any lv0 using this technique.