Today the SX28 hardware for the PS3 Hypervisor exploit arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!
Up to now, both GeoHot and xorloser have successfully performed the PS3 hack, while a few others have simply obtained GeoHot's PS3 Hypervisor dump to study privately.
Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and the Hypervisor lv0 and lv1 dumps.
We started by writing an Ubuntu Guide (as did titanmkd) and attempted to use a 555 timer to obtain the 40ns pulse required to trigger the exploit, but like many others who tried this, we had no luck: a 555 is simply not fast enough to produce a clean pulse that short.
Luckily, xorloser shared proper code to generate the 40ns pulse using an SX28 microcontroller. These chips are a bit harder to find and a little more expensive (since you also need a programmer), but the method is sound.
That brings us to today: our SX28 chips and programmer have arrived, so we will be recreating the hardware and giving this a go soon!
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Damn crypto... I have not read the available docs on the Cell/PS3 security. I suppose I need to, but why would it matter? We wouldn't personally be messing with encrypted data, just "using" the hypervisor, which as far as it (or the PS3) is concerned is "allowed" to do it, so it would pass through the appropriate channels.
But I do understand wanting to know what the call actually does before just trying it.
Cool. Obviously we can add our own calls for reading/writing memory using the exploit, and you may already have done/tried it. Can't you just push one of the set-flag calls into memory so that the hypervisor executes it? Or is it not that simple?
Pretty much, yeah. You boot the PS3, then hit reset and eject with the JIG attached. This sends a signal from the System Controller (where the flags are set) to the Southbridge to do some "magic" and read the USB device. If it all checks out, a flag gets set in the System Controller, and the PS3 is automatically powered off.
Upon the next power-up, it's in "manufacturing mode", which allows diagnostic tools (encrypted, of course) to be run.
Ah hah! Now that's more like it! Good work! Can't wait to see more!
So I'm assuming what we are hoping to do here is find a way to use those set calls to set, say, recovery to 1 instead of 0, and hope that when it reboots the bootloader boots to recovery, vs. needing the "jig" to set that flag?
Sorry, further thought: I would assume that's all the jig does. Supposedly when it is used, the PS3 boots, picks up the jig, then reboots again. So I would assume that's what the jig is doing: using (hopefully) the same set call to set the recovery flag, then making it reboot, and the PS3 system takes over from there.