Vi riporto l'articolo completo preso da http://psx-scene.com/forums/content/possible-ps3-4-00-exploit-psdev-s-theory-1885/
OK so lets get right to it. This is a theory, nothing more.
There has been information available for quite some time. and I took it, thought about it, researched and experimented and I come out with my theory below to exploit 4.00 part of the way. This is not a random theory to, this is logical stuff and true facts. I'm providing this info for other devs to look at and lets see if this can work. I don't keep my work to my self, I like to share in give other people chances in discovering stuff. It always makes me happy when someone finds something out using my work, it just tells me I did a good job in describing and helping and they did a good job in listening and learning the material in order to trigger the exploit or whatever it might be.
Teoria:
So the lv2ldr verifys decrypts the lv2_kernal.self. we can get the address of this happening. inside Parameters Layout there are arguments, they are used as commands basically to load a function you want to use. they start in the lv2 @ 0x3E800(seems to be same for other ldrs) that address. There is a argument that is called lv2_in and lv2_out (we have know about these) basically we can use lv2_in to map out the address and lv2_out to map out the address for where the lv2ldr decryptes the self file. We can make a program like readself basically and get the offset, u8* means read one byte from the address. use that and we can actually be get the exact offset where it all happens at. once we have the location grabbing this decrypted self should be the easy task. Like I said some info we had and some we did not know about can be obtained like this and used to get keys.
exploiting 4.00 with this method would work most likely because I doubt sony changed all the locations where the loaders do there thing, sure there encapsulated in the bootloader but they still pass over into the ram at one point before being fed over to the metldr which loads ldrs and if all that is still happening then Sony didn't change nothing
Codice:
void *buf; // <- that will get the address of the argument we chose to load
u? buf_size;// <- pretty clear it gets the size. but would you add u64?
} lv2_in;
struct {
u8 result[0x10];//read it by one byte from the address
} lv2_out;
}
Dice anche che questo exploid potrebbe contenere qualche errore e che potrebbe essere risolto facendo varie prove fino a farlo funzionare come si deve.. ricordo che per il momento è solo una teoria ..attendiamo speranzosi!!!
EDIT:
Grazie mariobic per l'aggiornamento
!!