  1. #1
    Registered User is0mick's Avatar
    Join Date
    Jan 2010
    Posts
    27
    Dumping PS3 Hypervisor and Bootloader with Atmega8 at 16 MHz

    Hi guys, I used an Atmega8 running at 16 MHz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.

    I was quite surprised, it actually worked fairly straight away! I only had one pulse going every time I pressed the button at first, but not a lot was happening.

    So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.

    After about 30-40 seconds... I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10MB bin.

    Just having a look through the dump, lots of strings in there.. I haven't dropped it into IDA yet tho...

    This is the source and hex (for those who don't want to compile it) for the Atmega8 which I glitched my PS3 with. The chip I used was the Atmega8-16PU. You will also need a 16 MHz crystal and 2 x 22pF capacitors.

    Grounding pin 14 on the chip will produce a pulse on pin 2 of the chip (in fact it does all of PORTD). This should then go to the memory bus point on the PS3. See the circuit diagram (below).

    I used [Register or Login to view links] to program my chip, with CKOPT ticked in the fuse settings, everything else was unticked.

    Code below..
    Code:
    #define F_CPU 16000000UL  // CPU frequency in Hz (16 MHz crystal)

    #include <avr/io.h>
    #include <util/delay.h>

    int main(void)
    {
        // PORTB as inputs with the internal pull-ups enabled. The push button
        // sits on PB0 (pin 14 of the Atmega8 PDIP) and grounds it when pressed.
        DDRB = 0x00;
        PORTB = 0xFF;

        // PORTD idles tri-stated (input, no pull-up) with its output latch low,
        // so switching DDRD to output drives every PORTD pin low for the pulse.
        PORTD = 0x00;
        DDRD = 0x00;

        for (;;)
        {
            _delay_ms(100);  // one pulse every 100 ms while the button is held

            if (~PINB & 0x01)  // PB0 reads low: button pressed
            {
                DDRD = 0xFF;  // set PORTD as output port: pins driven low, pulse starts
                DDRD = 0x00;  // set PORTD as input port: pins released, pulse ends
            }
        }

        return 0;
    }
    Part of the result
    Code:
         sys.rom.addr                      @  sys.wake_source                        lv1.heap.rfill                          sys.lv1.iosys.pci.d.thread              sys.lv1.iosys.storage                  be.0.ref_clk                        Amu.1.size                              sys.ac.misc                             plat.id                         CokC12  sys.mmio.map_allow                      be.0.fir.biu_ee                        be.0.fir.ciu_ee                 ?      be.0.fir.ioc_em                         sys.syscon.protocol_version            sys.lv1.rsxdebug                        sys.lv0.address                         be.0.fir.ras_ee                     be.0.fir.biu_em                         be.0.fir.ciu_em                         be.0.fir.ioc_ee                 ?sys.lv1.emuioif0irq                     lv1.ram.tkm_cr                       ssys.lv1.be_ras                          sys.lv1.iosys.errorhandler             sys.lv0.revision                3729    lv1.ram.tkm_pr                                                                                                                                                                                     be.0.tb_clk                                                                 be.0.spu.faultbm                      sys.platform.mode                                                                                                                                                                                      sys.cellos.flags                                                              sys.lv1.iosys.pciex                                                                                                                                                                                     lv1.ram.ioc_ioif0_quethshld          gg lv1.ram.ioc_ioif1_quethshld
    Mick


  2. #2
    Toucan Sam CJPC's Avatar
    Join Date
    Apr 2005
    Posts
    2,174
    Awesome work and +Rep!

    Great job on reusing the Atmega to send the pulse. Just proves there is yet another (cheaper) way to get it done! I take it there was still quite a bit of trial and error to get the exploit triggered?

    Did you end up making your own app to dump the memory out, or did you use kakaroto's kernel module to take care of it?

  3. #3
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    27,501
    Very nice job is0mick and THANKS for sharing. +Rep also!

    It's refreshing to know that there are people beyond the small group of "Site Devs" who are willing to invest their time and money into projects like this to help out the community.

    I truly hope you will inspire others as well, and I may move this thread to the Site News shortly just so others can check it out... as it's easy to miss when it is in the Forums alone.

  5. #5
    Registered User Ihatecompvir's Avatar
    Join Date
    Aug 2007
    Posts
    75
    Good job on this!

    How cheap is the hardware you're using?

  6. #6
    Senior Member gtxboyracer's Avatar
    Join Date
    Jun 2008
    Posts
    284
    Awesome stuff coming out.. Hopefully we get something out of it all

    +REP also

  7. #7
    Registered User is0mick's Avatar
    Join Date
    Jan 2010
    Posts
    27
    Attached in the first post HERE is the code, compiled hex, circuit diagram I quickly chucked together, and a small readme.

    Hope I didn't miss anything.. (apologies if I have, it's waaaay past my bedtime)

    Mick

    Edited By Admin: Moved Attachment to First Post for Site News and linked it.

  8. #8
    Registered User wallace80's Avatar
    Join Date
    Aug 2009
    Posts
    10
    Hey Mick, fancy seeing you here

    Great work on the coding mate, nice to see the BT Vision project is still helping ;D

  9. #9
    Junior Member aries2k6's Avatar
    Join Date
    Mar 2006
    Posts
    334
    Great Job.

    I'm glad more ways are popping up for achieving this and more people are looking into the dumps. The PS3 scene is starting to look hopeful.

  10. #10
    Registered User Poopsqueege's Avatar
    Join Date
    Nov 2009
    Posts
    75
    Cool, I was going to buy an Arduino anyway. Now I have another reason to get one.

© 2014 PlayStation 3 News