How to Build GeoHot PS3 Exploit Easily from Kernel Build to Exploit Run

[titanmkd]

Tested on Yellow Dog Linux 6.2 (developer install) but should work on any linux distribution. (Yellow Dog Linux 6.2 DVD link: http://ydl.oregonstate.edu/iso/yellowdog-6.2-ppc-DVD_20090629.iso)

Required before before to start this tutorial:

1) Have a working internet connection (to download exploit and kernel source).
2) Have at least 60MB of hard disk free for /boot/ (required to install new kernel).
3) Have at least 1GB of hard disk free for /usr/src/ (required for kernel source build).
4) Have done the PS3 hardware with a push button connected to a PIC/FPGA... to send a pulse of 40ns on the Memory Bus Controller. (else the exploit will run infinitely and lockup everything until hard reset).

Step1 building the kernel and booting on it:

1) Launch a shell and logon as root user using "su -" (required later to install kernel ...)
2) Download Linux Kernel 2.6.25(linux-2.6.25.tar.bz2) and the exploit in /usr/src/
3) Extract kernel and exploit in /usr/src/
4) Change directory to kernel directory source and use PS3 default config for kernel.
5) Build the kernel.
6) Install the kernel in /boot/
7) Install the kernel modules (required to build the exploit).
8) 8) Add new kernel config to kboot config using 720p fullscreen mode (/boot/etc/kboot.conf).
9) Reboot on newly built kernel 2.6.25 (type reboot in shell)
When kboot: appear click on keyboard "Tab" until you see kernel 2.6.25 and click on enter.
If X server cannot be launched click on cancel or NO, in any case use shell with Ctrl+Alt+F1 and logon as root.

Step2 building and launching the exploit:

1) Change directory to Exploit directory and Build it (write make).
2) Run the exploit.
3) When "PRESS THE BUTTON IN THE MIDDLE OF THIS" appear push button connected to a PIC/FPGA... to send a pulse of 40ns on the Memory Bus Controller.

Step1 shell script building the kernel and booting on it:

File step1.sh:

Code:

#!/bin/sh
# 2) Download Linux Kernel 2.6.25(linux-2.6.25.tar.bz2) and the exploit in /usr/src/
cd /usr/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.tar.bz2
wget http://geohot.com/ps3_exploit.zip
# 3) Extract kernel and exploit in /usr/src/
tar -jxvf linux-2.6.25.tar.bz2
mkdir ./ps3_exploit
unzip ps3_exploit.zip -d ./ps3_exploit/
#4) Change directory to kernel directory source and use PS3 default config for kernel.
cd ./linux-2.6.25
make ps3_defconfig
# 5) Build the kernel and wait until build finish.
make
# 6) Install the kernel in /boot/.
make install
# 7) Install the kernel modules (required to build the exploit).
make modules_install
# 8) Add new kernel config to kboot config using 720p fullscreen mode (/boot/etc/kboot.conf).
echo 
"
image=/vmlinux-2.6.25
	label=2.6.25
	read-only
	initrd=/initrd-2.6.25.img
	append=\"video=ps3fb:mode:131 rhgb quiet root=LABEL=/1\"" >> /boot/etc/kboot.conf
# 9) Change directory to Exploit directory and Build it.
cd ../ps3_exploit/
make
echo "Reboot on newly built kernel 2.6.25 (type reboot in shell)"
echo "When kboot: appear click on keyboard "Tab" until you see kernel 2.6.25 and click on enter."
echo "If X server cannot be launched click on cancel or NO, in any case use shell with Ctrl+Alt+F1 and logon as root."

Step2 shell script building and launching the exploit:

File step2.sh

Code:

#!/bin/sh
# 1) Change directory to Exploit directory and Build it (write make).
cd /usr/src/ps3_exploit/
make
# 2) Run the exploit.
echo "When PRESS THE BUTTON IN THE MIDDLE OF THIS appears push button connected to a PIC/FPGA... to send a pulse of 40ns on the Memory Bus Controller."
./run.sh

All scripts can also be downloaded.

[PS3 News]

Thanks for making this handy and detailed guide titanmkd and +Rep to you!

[TUHTA]

Nice handly tutorial!! Rep+ to you! But what about harware part? And what to do when we ran step 2? where it will dump or how?

[titanmkd]

Nice handly tutorial!!Cool!Rep+ to you! But what about harware part?And what to do when we ran step 2? where it will dump or how?and e.t.c.

Yes sorry about hardware part I missed it requires PS3 Fat only because Linux is not anymore supported on PS3 slim

In fact after step2 you can effectively dump what you want but it requires to modify the exploit.c to add full dump of hv for example

It can be done by hand in exploit.c:
at end of void install_hypercall() function after

Code:

printk(KERN_ERR "calling hypercall test got %16.16lx\n", lv1_peek(0x2401FC00000));

add something like:

Code:

hexdump(hv_call_table, 0x10000);

And it should display a dump of a part of Hypervisor Call Table ... (to see the dump launch dmesg) and give feedback

[adrianc1982]

titanmkd so this means you now have a dump and are sharing with the devs? I was following the inter-dev relationships thread but saw this one and by the looks you already runned successfully the exploit. If you have run the exploit congrats and thanks for investing your time/money/console.

[TUHTA]

and... that's ok... but what about hardware that we need to do exploit? i mean SPI flasher or something! And how to do it?

[playforfun]

cool tutorial but i don't really want to open my original 60gb JP

maybe, if one of my friend would like sell me his 40gb blue ray killer, i want try this.

yep, his ps3 have 3 time blue ray drive changed but each time, the drive is dead

[Assignator98]

Wow this is a great guide and +rep.

[titanmkd]

titanmkd so this means you now have a dump and are sharing with the devs? I was following the inter-dev relationships thread but saw this one and by the looks you already runned successfully the exploit. If you have run the exploit congrats and thanks for investing your time/money/console.

No, I have no dump because:

1) My PS3 is an old FAT PS3 still under extended warranty (and i'm sure in 6 month the BlueRay lens will be dead and I could change freely my PS3 for a new one).
2) I have not done the hardware to generate the glitch.

I'm very interested in any dumps (to disassemble it) for those who have done the little hardware and dumped the memory ...

Best Regards

TitanMKD

[TUHTA]

i can't start your step1.sh and step.2 just open up it in console and its so quickly going closed