|
To quote: This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.
The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, but the RAM didn’t receive the write command due to our interference and so it did not perform the write operation.
The easiest (and moderately safe) way to interfere with these control lines is to ground them. This is done easily enough by connecting a wire between one of the control lines and ground. The tricky part is timing it just right so that it only interferes with the write we want to stop, and not anything that occurs before or after this write. This might be achievable with costly equipment and a lot of work, however geohotz used the simple method of “luck”. This involves repeatedly preparing the situation to best favour the chance of overwriting the correct write command and then continually grounding a control line until either something crashes that shouldn’t or the mark is hit stopping the write operation from occurring. At this point the exploit has been successfully triggered! :)
Now that you know how it works it is time to implement it. A connection is required to the control line that will be grounded as well as a connection to ground. These two wires then need to be connected to each other momentarily. If you were to try and do this manually as fast as you could you might connect them for a millisecond or so, however RAM control lines are very fast so 1ms is going to interfere with way too many commands. Instead these lines need to be connected to some hardware that is able to bridge the connection between then for very small periods of time at once. Geohotz suggests a connection period of 40 nanoseconds.
There are many ways that some hardware can be made to perform this short connection. Geohotz used an FPGA he had on hand in order to do it. Others have suggested using a 555 timer, however I have not heard of anyone having any success with this method. I used a small sx28 microcontroller I had on hand due to using it for a project some years ago. It runs at 50MHz with an instruction cycle of 20 nanoseconds, which means it should be fast enough to provide the 40 nanosecond connection required.
The first step is to take apart your PS3 in order to expose the top side of the motherboard. Once you do so look for one of the following areas on it depending on what version PS3 you have.
This first picture is from an old 60GB PS3 which came with the 4 USB ports and the card readers. You can see I have soldered a wire to the side of a resistor. This is the connection to the PS3 RAM control line that you need to solder on. I suggest you route this wire down and then to the left of the two pronged power plug you can see. My wire continues downward in this picture, but I found that doing so caused interference in the wire that would unintentinally trigger RAM corruptions. To avoid this you should route it to the left underneath the power plug so that it then comes out of the left side of the PS3 case. You can use a long wire during installation, but try to keep it short when you finalise its routing and final positioning. You can see I used a hot glue gun to ensure any stress placed on the wire will not pull at the solder joint.
This second picture is from an 80GB PS3 with 2 USB ports and no card readers. This was the model that was out just before the “fat” PS3s were replaced by the “slim” PS3s, so it is a newer motherboard revision where there are two RAM chips on both sides of the motherboard instead of all four on one side. In this picture I have circled the trace you should solder to for your RAM control line connection. In order to solder to this I used a craft knife to carefully scratch the paint off the top of the trace to expose the copper underneath which I then soldered a wire to. Once connected you should route this wire straight down towards the front of the case to best avoid interference in the wire from other parts of the PS3. Once again try to keep the final wire nice and short.
Next you need to get a ground connection. This is done the same way for both motherboard versions and is very easy. You can just wrap a wire around any of the metal screws that screw into the metal shielding that covers the top of the motherboard. You don’t even need to solder it, just wrap it under the screw head and screw it into place :) This wire should be routed out of the console next to to your other control line wire.
The above two wire connections are common to any implementation of a hardware trigger. The following is specific to how I did my hardware trigger but you may implement your trigger however you want. Note that I initially tried wiring 5 Volts of power out next to these lines but doing so continually resulted in unwanted interference in the control line causing the PS3 to crash while booting.
For my hardware trigger I used an SX28 microcontroller which I bought years ago as part of this programming kit. To use the SX28 you need the SX28 chip, a way of programming the chip (usually an SX-Key or SX-Blitz) and an oscillator to drive the SX28 chip at 50MHz. All of these are included in the above programming kit. Maybe if enough people buy from them and mention xorloser they’ll send me a USB version of the SX-Key instead of my old serial based one :/
Below is a crappy schematic of my circuit which I drew in windows paint. Please note that I am using the programming kit I mentioned above which utilises the SX-Key programmer in place of an oscillator while the SC-Key is attached. I do not have an external oscillator so I’ll leave the hooking up of that to you. Just take note that you do need either an oscillator or SX-Key attached in order to make the chip run.
This SX28 sourcecode is the last piece of the puzzle. Program this to your SX28 chip using the free SX-Key Editor software from the Parallax. Once this is all hooked up to your PS3 you should be able to send a “pulse” (grounding of the control line) to the PS3 by pressing the switch. You should use a temporary-on push button switch to do so since it will keep sending pulses every 100ms if the switch stays connected. The LED on the right side of the schematic is just there to give the operator some feedback. It will light up when a pulse is sent to let you know that the circuit is working as it should.
I should mention that if you look at my SX28 sourcecode you will see that it appears as if I am sending a 360 nanosecond long pulse. I do not know how long the pulse is that actually gets sent as I do not have any hardware that I can measure the pulse with (yet). Possibly there are hardware induced delays that occur when changing the direction of the port which means that although I am waiting 360 ns, it still only sends a pulse that is about 4o ns. To arrive at the 360 ns value I tried many values making the pulse as short as I could until it didn’t trigger anymore, then I increased it just a little bit to get the shortest pulse that still works.
Phew, this is finally the end of this post. My next post will tie it all together along with some software I have written to dump your own hypervisor and more. Cya.
Stay tuned for more PS3 Hacks news. Also be sure to drop by the PS3 Hacks Forum for updates!
Post a Reply
Comments
wow, I can't really try it, but this seems like amazing news! not to mention that the scene is really moving these days.
OK now can some one answer what is that:
Righ part of picture... what is that "black arrow to the right"
How 11 and 17 legs must be connected?
what is the top of the picture touches, what do they mean?, and where to take from 6 to 9 volts?
and can he show his one... how its looks like?
and he just wired to PS3 Resistor? to line on the board.. how?
Righ part of picture... what is that "black arrow to the right"
How 11 and 17 legs must be connected?
what is the top of the picture touches, what do they mean?, and where to take from 6 to 9 volts?
and can he show his one... how its looks like?
and he just wired to PS3 Resistor? to line on the board.. how?
Here is a pic xorloser posted of his PS3 Exploit setup:
Quote:
|
Just a quick pic of it all working together cos everyone loves pictures!
This is the PS3 with the newer motherboard where the socket I installed in the front actually looks nice, the other one was a bit of a hack job  |
Quote:
|
Originally Posted by TUHTA
OK now can some one answer what is that:
Righ part of picture... what is that "black arrow to the right" How 11 and 17 legs must be connected? what is the top of the picture touches, what do they mean?, and where to take from 6 to 9 volts? and can he show his one... how its looks like? and he just wired to PS3 Resistor? to line on the board.. how? |
The "thing" at the top that is connected to pin 4 and 17 and the tail end of 11 goes to ground. As for 6-9V, I'm sure there is a source in the PS3, if not you could probably rig something up (like perhaps even an external power source).
Quote:
|
Originally Posted by Mbb
What can you guys do with this info?
 |
Then the PS3 Devs can begin to examine them and post any interesting findings, and of course share the dumps so others (who don't want to spend their time or money on doing the hack themselves) can also study them.
Quote:
|
Originally Posted by CJPC
Leg 11 is connected to a switch, that is then wired into the line coming off of line 17. Coming off of line 17 is a LED.
The "thing" at the top that is connected to pin 4 and 17 and the tail end of 11 goes to ground. As for 6-9V, I'm sure there is a source in the PS3, if not you could probably rig something up (like perhaps even an external power source). |
And PS3News you just uploaded pic... is it SX28 Method? Well and we need to but like sx28 board? Or what? and can i use SX28AC/SS-G??
You need to read the post, it's self-explanatory so there is nothing more I can say about the pic.
very impressive work xorloser. You've done great work in ps3 hacking. The method is easier than Geohot's original hack. The soldering part is only two wires, I believe one has to solder to the trace for the controller line and the other is just ground wire(any ground on the motherboard will work).
The microcontroller part is very simple too. I wish I knew more about reverse engineering. Otherwise, I could really lend my hand to help analyze the lv0/lv1hyperviser dumps. Good luck xorloser, CJPC and the DEVS. Find an exploit and let's hack this "unhackable" beast.
The microcontroller part is very simple too. I wish I knew more about reverse engineering. Otherwise, I could really lend my hand to help analyze the lv0/lv1hyperviser dumps. Good luck xorloser, CJPC and the DEVS. Find an exploit and let's hack this "unhackable" beast.
He wrote that 5 volts will crash ps3 at boot... so where to get 6-9 volts? i don't have an a tester... to test where i can find voltage that i need... so please help? So and we need to program it?? So i think its more difficult that 555 one? ha? Please help... i will buy it tomorrow and assemble it and go to test it !
Well i just need:
SX28AC/SS-G
10ohm resistor
Led (but wich one??)
Button
Is that it? And i still cant understand what is "thing" that on top of picture near to 6-9volts... so i just do not need to do that? or its part of something? (led or and e.t.c)
Well i just need:
SX28AC/SS-G
10ohm resistor
Led (but wich one??)
Button
Is that it? And i still cant understand what is "thing" that on top of picture near to 6-9volts... so i just do not need to do that? or its part of something? (led or and e.t.c)
The "thing" at the top is ground, connect that to the PS3's ground.
You will also need a programmer for the SX28, as well as a 50mhz resonator to set the clock speed of the chip. xorloser did not use one as he used the SX28 development kit, which has one built in (essentially).
As for 6-9 volts, you "might" be able to use a 9V battery (maybe), or any external 6-9V DC source!
You will also need a programmer for the SX28, as well as a 50mhz resonator to set the clock speed of the chip. xorloser did not use one as he used the SX28 development kit, which has one built in (essentially).
As for 6-9 volts, you "might" be able to use a 9V battery (maybe), or any external 6-9V DC source!
well... on his pic its like 2 wires that must be wired to ps3's grounds? I say like on top one must be connected to ps3 ground... and left one too?
And well to program it i have to know programming? And where i must to wire 50mhz resonator? And which led i have to use?
And well to program it i have to know programming? And where i must to wire 50mhz resonator? And which led i have to use?
this helps a lot.. thanks, lots of good progress now. very excited to see what else is gonna happen soon with the scene.
Quote:
|
Originally Posted by TUHTA
well... on his pic its like 2 wires that must be wired to ps3's grounds? I say like on top one must be connected to ps3 ground... and left one too?
And well to program it i have to know programming? And where i must to wire 50mhz resonator? And which led i have to use? |
The LED should not matter too much - you could probably get away without it if you really wanted to. The 50mhz resonator needs to get wired into pins 26 and 27 I believe (check the datasheet).
To program it - no , you dont need to know programming. xorloser was nice enough to give the full source code, you can just compile it and flash it onto the SX28.
Quote:
|
Originally Posted by CJPC
To program it - no , you dont need to know programming. xorloser was nice enough to give the full source code, you can just compile it and flash it onto the SX28.
|
And so actually i can go by easy way so i can just place 50ghz resonator and just do not worry about program sx28? so actually it is so expensive it cost like 90$!! this is not much cheaper... so.. well xorloser just used led to see how its working or something?
Quote:
|
Originally Posted by TUHTA
well and where to get this code?
|
Go back, take your time, and read it... searching for the hyperlinked words "SX28 sourcecode" in it near the bottom.
As I mentioned the other day, it's cheaper than the GeoHot FPGA way ($150-200 range) as this only costs $50-100 for the parts.
Based on the chart here (http://www.parallax.com/tabid/248/Default.aspx) it's the same as the SX28AC/DP-G (except for the rail tray quantity) so the SX28AC/SS-G will be fine.
However, if you don't own an SX Tech Board you will have to find another way to program the chip... and no, don't ask how, because common sense tells you if you are trying to replicate what xorloser did you should buy the required programmer in the first place.
CJPC bought the listed programmer, as will most others who do this... but honestly, if you just want the PS3 HV dump to examine I'd wait until someone dumps it and shares it instead of buying the materials and equipment to do it.
However, if you don't own an SX Tech Board you will have to find another way to program the chip... and no, don't ask how, because common sense tells you if you are trying to replicate what xorloser did you should buy the required programmer in the first place.
CJPC bought the listed programmer, as will most others who do this... but honestly, if you just want the PS3 HV dump to examine I'd wait until someone dumps it and shares it instead of buying the materials and equipment to do it.
Quote:
|
Originally Posted by PS3 News
Based on the chart here (http://www.parallax.com/tabid/248/Default.aspx) it's the same as the SX28AC/DP-G (except for the rail tray quantity) so the SX28AC/SS-G will be fine.
However, if you don't own an SX Tech Board you will have to find another way to program the chip... and no, don't ask how, because common sense tells you if you are trying to replicate what xorloser did you should buy the required programmer in the first place. CJPC bought the listed programmer, as will most others who do this... but honestly, if you just want the PS3 HV dump to examine I'd wait until someone dumps it and shares it instead of buying the materials and equipment to do it. |
SX Tech Tool Kit
10ohm resistor
And thats all??
Quote:
|
Originally Posted by TUHTA
well i think that your 100% right. We just need to wait.. So thank you. Well i just to buy this parts:
SX Tech Tool Kit 10ohm resistor And thats all?? |
That's is a really nice news, i won't buy that controller cause it would be useless to me right now. People were saying that HV stuff was useless for really hacking ps3 but if we are still working on it: something nice can be done with this?
Are we able to find those "fabulous" keys? Hopes are all with you DEVS.
Are we able to find those "fabulous" keys? Hopes are all with you DEVS.
Quote:
|
Originally Posted by cenoxdj
People were saying that HV stuff was useless for really hacking ps3 but if we are still working on it: something nice can be done with this?
|
This whole process of getting the GeoHot exploit to run successfully is just being done to obtain the HV dump... after which the real examination will begin.
For those ones interested on trying it, it will be cheaper if you buy one dsPIC30F4012 microcontroller from Microchip and build a PICKIT2 clone programmer to set it up. Microcontroller $5, build programmer $10, you will find them on any electronics store.
The dsPIC has a 7.37MHz RC internal oscillator and combined with the PLLx16 you will get 117.92MHz, which then, you have to divide by 4 to get the instruction cycle about 33.9ns.
The info for the programmer is on: http://www.forosdeelectronica.com/f24/programador-microcontroladores-pic-memorias-puerto-usb-pickit2-clone-18080/
good luck devs!!!
The dsPIC has a 7.37MHz RC internal oscillator and combined with the PLLx16 you will get 117.92MHz, which then, you have to divide by 4 to get the instruction cycle about 33.9ns.
The info for the programmer is on: http://www.forosdeelectronica.com/f24/programador-microcontroladores-pic-memorias-puerto-usb-pickit2-clone-18080/
good luck devs!!!
Quote:
|
Originally Posted by jorgehef
For those ones interested on trying it, it will be cheaper if you buy one dsPIC30F4012 microcontroller from Microchip and build a PICKIT2 clone programmer to set it up. Microcontroller $5, build programmer $10, you will find them on any electronics store.
The dsPIC has a 7.37MHz RC internal oscillator and combined with the PLLx16 you will get 117.92MHz, which then, you have to divide by 4 to get the instruction cycle about 33.9ns. The info for the programmer is on: http://www.forosdeelectronica.com/f24/programador-microcontroladores-pic-memorias-puerto-usb-pickit2-clone-18080/ good luck devs!!! |
! It's great to see that we're finding more easy and cheaper ways to replicate this exploit. Just a question here: Why didn't Geohot shared lv0/lv1/HV dumps with the devs over here? Wouldn't it have made you guys save some time?
Quote:
|
Originally Posted by daveribz
Just a question here: Why didn't Geohot shared lv0/lv1/HV dumps with the devs over here? Wouldn't it have made you guys save some time?
|
Quote:
|
Originally Posted by B4rtj4h
Hmm... i bet sony will fix it like nintendo did in the Wii...
|
Quote:
|
Originally Posted by B4rtj4h
Hmm... i bet sony will fix it like nintendo did in the Wii...
|
Quote:
|
Originally Posted by Raze1988
Geohot said it can't be fixed, at least not with code. But I bet there will be steady CFW updates once the PS3 is fully hacked.
|
Quote:
|
Originally Posted by Warrorar
what did they fixed? i still have no problems with my wii.
|
Sorry for getting a bit offtopic.
Now, from what I am reading, This setup only purpose is to mod the hypervisor.
Now from what I know mod can mean multiple things, Read/Write/Exploit.
But wouldn't it be easier for one person to dump it and upload it to the community?.. And save people the time of setting this SX28 up.
Now from what I know mod can mean multiple things, Read/Write/Exploit.
But wouldn't it be easier for one person to dump it and upload it to the community?.. And save people the time of setting this SX28 up.
Quote:
|
Originally Posted by Lazy Boy
But wouldn't it be easier for one person to dump it and upload it to the community?.. And save people the time of setting this SX28 up.
|
i'm in uk, could i not just find the correct chip say from maplins then program chip with willem programmer or will this not work? here's a pic of my programmer with xbox360 chip holder.
Soon, very soon, there will be a modchip for the phat one. And that is thanks to you guys, so kudos where deserved..
nice job, but we want to see more easy things!! i dont think everybody knows to do this things and maybe we heart the ps3!!!
Quote:
|
Originally Posted by jd200
i'm in uk, could i not just find the correct chip say from maplins then program chip with willem programmer or will this not work? here's a pic of my programmer with xbox360 chip holder.
|
Just use their software, it's free: http://www.parallax.com/tabid/248/Default.aspx
This is more about homebrew I think. If you mean back up your originals? That would be a good thing sure. I'm more interested in having better codecs for video files, a PS2 emulator, Things like that. 
Just one "technical" note regards the wiring - I'm quite surprised this even works (or would for others) using the (long) UNSHIELDED wire to the RAM control Line .. 
The wire should really be shielded and indeed properly routed far from any sources of interfereces - mainly PSU. You can use a shielded wire from old (or even cheap new ones of course) headphones or rather say earphones - those come with really thin shielded wires and you can just ripp off one of the pair for your need.
The wire should really be shielded and indeed properly routed far from any sources of interfereces - mainly PSU. You can use a shielded wire from old (or even cheap new ones of course) headphones or rather say earphones - those come with really thin shielded wires and you can just ripp off one of the pair for your need.
Quote:
|
Originally Posted by GrandpaHomer
Just one "technical" note regards the wiring - I'm quite surprised this even works (or would for others) using the (long) UNSHIELDED wire to the RAM control Line ..
The wire should really be shielded and indeed properly routed far from any sources of interfereces - mainly PSU. You can use a shielded wire from old (or even cheap new ones of course) headphones or rather say earphones - those come with really thin shielded wires and you can just ripp off one of the pair for your need. |
Related PS3 News and PS3 Hacks Articles
- GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!
- XorHack: The PS3 Exploit Toolkit is Now Available!
- PS3 ELF/SELF/PRX/SPRX PPU Loader v1.1 for IDA v5.2 out!
- PS3 ELF/SELF/PRX/SPRX PPU Loader Update for IDA v5.2 out!
- GeoHot Resumes Sony PS3 Hacking, Opens PS3 Hacks Blog
- Sony Begins Investigating GeoHot PS3 Hack Allegations
- How the PS3 Hypervisor was Hacked and Dumped by GeoHot
- GeoHot PS3 Hack Propered, Exploit for All PlayStation 3 Firmware
- Rumor: Sony to Remove OtherOS in Next PS3 Firmware Update
- GeoHot PS3 Custom Themes Hack Demonstration Arrives
|
|
Sony Adds Cinavia DRM Protection in as Automatic PS3 Download
Posted 2 hours ago by jul644
with 22 Comments
Posted 2 hours ago by jul644
with 22 Comments
Game file encryption using the PS3 Debug/Test console (Development Kit)
Posted 3 hours ago by Darny
with 5 Comments
Posted 3 hours ago by Darny
with 5 Comments
| Dead to Rights Retribution USA PS3-HR Released 07-30-2010 |
| Toy Story 3 EUR PS3-BHTPS3 Released 07-29-2010 |
| Lost Planet 2 EUR PS3-BHTPS3 Released 07-29-2010 |
| Prince of Persia The Forgotten Sands EUR PS3-BHTPS3 Released 07-26-2010 |
| Clash Of The Titans The Videogame EUR PS3-BHTPS3 Released 07-25-2010 |
| Akatsuki HD PS3 Theme Posted 07-31-2010 |
| Red Dead Redemption PS3 Theme Posted 07-20-2010 |
| Ninja Scroll HD PS3 Theme Posted 07-07-2010 |
| Borderlands HD PS3 Theme Posted 07-03-2010 |
 | Prince of Persia The Forgotten Sands (Official QORE) XMB PS3 Theme Posted 07-03-2010 |
