28 Mar 2011

The revelation of the 3.60 exploit by Mathieulh UPDATE


In the end, the annoying Mathieulh released to the public a little while ago the exploit he had found for 3.60. Of course he did not reveal it outright, but he gave important details which those who can must now put to use. Mathieulh revealed it to xShadow125, and all his statements follow below.


@xShadow125 You can't overflow user processes, the NX bit applies here, you can only overflow lv2 or a process with higher privileges.


@xShadow125 You can update from your pwn pup only from 3.55 or lower, unless you have an exploit.

@xShadow125 Of course that should be fixed in upcoming lv0 revisions anyway (By moving the ldrs to the top of lv0)

@xShadow125 You run the 3.60 lv0, then you switch the nor, and pull the cell reset line, and you dump the extra KBs where the loaders are.

@xShadow125 Basically you have a nor with 3.55 (or lower) lv0 and your own small lv1 code that does the dump, and 3.60 lv0 on the other.

@xShadow125 You won't get all of lv0 but the part with the loaders shouldn't be overwritten.

@xShadow125 You can actually get all the 3.60 keys/loaders without knowing lv0 keys by dumping lv0 from ram with dual nor and signed lv1.

@xShadow125 That's from an older lv0, the method to get the data isn't the same, the one I posted was a dump, this one is a decryption

@xShadow125 There is a nice way to dump pre 3.55 lv0 as well by using a small lv1 binary, it's a risky process though.

@xShadow125 Oh! You mean my pm ? congrats, you just figured I have had lv0 dumped/decrypted for quite some time xD

@xShadow125 Reminds me of those stupid lv2 overflows I spotted ages ago in the bdemu code, which are useless now on 3.55+ anyway.

Now there is just one question: who has the skills to put this information to use?

UPDATED
A little while ago there was also a conversation between Mathieulh and Kakaroto. Read what they said.

Mathieulh: For example: Mathieu@Mathieu-PC ~ $ scekrit lv0 lv0.1 lv0 Signature Status: OK lv0.1 Signature Status: OK Private Key: REMOVED

KaKaRoToKS: @Mathieulh does this mean that you have the public key and encryption keys of lv0? I thought you were only able to dump it, not decrypt it?

Mathieulh: @KaKaRoToKS there are two exploits you can use on the bl, one grants you code execution, the other forces the bl to output lv0 metadata

Mathieulh: @KaKaRoToKS That tweet was just an example on what can be done with lv0 keys though.

Mathieulh: @KaKaRoToKS sadly both these exploits will brick your console without a nor reprogrammer :/

KaKaRoToKS: @Mathieulh oh, that's cool, so you executed code on the BL to dump the lv0 keys? good job then! no need to dump 3.60 lv0 then, just decrypt?

7 comments:

  1. Friend ellada, you've given me work first thing in the morning, sitting here deleting comments. Questions of this kind that don't concern the post above, ask them in the corresponding post http://ps3jailbreak-greece.blogspot.com/2011/03/ps3-version-2.html or in the chat. Otherwise, do what ermak told you.

  2. The ps3weownyou team claims it cracked 3.60 based on mathieulh's instructions.

  3. Sorry mv, you're right, but where can I find ermak's post?

  4. ellada, go to http://ps3jailbreak-greece.blogspot.com/2011/03/ps3-version-2.html so I can post it to you again.

  5. So what happened in the end? Will we be able to have 3.60 in a few days? (I hope so)


Don't ask things unrelated to the post. Whatever you want, ask in the chat or at ps3jailbreakgreece@gmail.com