To quote: As I'm sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack so I thought I'd take the time to help out others who may also have trouble due to being linux n00bs like me.
If I were to post everything at once it would be too much work and I'd never get around to it, so I'll post bits at a time to ensure I actually do post it heh. Today's post will talk about the software side of the exploit.
Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.
The first step is to install Linux on your PS3 which means of course that this will not work on a slim PS3. I tried a few different Linux distros and after various different issues I settled on using Ubuntu v8.10 since this is the same version that geohotz used.
I suggest using the "alternate" version since it includes a gui which the "server" version does not. You can download the 636MB image below, I suggest using the legal torrent below to save the bandwith of the Ubuntu servers.
After downloading, burn the image to a CD-R and install as you would any OtherOS install. There are many generic and also Ubuntu specific guides for doing this, so I won't cover that here.
Once you have Linux up and running you should log in using the username you created during install. Now open a terminal (Applications->Accessories->Terminal). You can enable the root account by creating a password for it by typing "sudo passwd". You then enter your current users password once and then the new root password twice. The root account will now be usable.
Now type "su" and then enter the new root password to get root access. Create a dir to put everything in. You could probably create this in your home directory, but I created it in the root of the filesystem so that I can share it between root and my user account as well as setting up access to it via samba from my PC.
To create the dir do "mkdir /ps3share", you can call it anything you want, I call it ps3share because I share it with my PC over samba. Now allow all users to read and write to it by doing "chmod a+rw /ps3share". Finally give ownership of it to your normal user account by doing "chown username:username /ps3share" where username is your username.
Next you need to get the "fixed" exploit software onto your PS3. Using a USB flashdrive is easiest. Copy the extracted files onto it from your PC, then insert it into your PS3. It should automount and bring up an icon on your desktop.
Double click the icon to open the file browser. Right click on the USB drive in the filebrowser and choose to "Open in New Window". Then on the left side of the file browser select "File System" and then "ps3share". Now drag the files from the USB drive into your "ps3share" directory.
I have included a binary of the exploit file for those of you who don't want to build it yourself, but for those who do here is how. First you need to fix the location of the kernel headers so they can be found by the build scripts, so do "mv /usr/src/linux-ports-headers-2.6.25-2/ /usr/src/linux-headers-2.6.25-2/".
Now change to the directory with the exploit source in it "cd /ps3share/ps3_exploit_fixed/src" and then build it by typing "make". There will be a lot of warnings but it should create the file "exploit.ko".
You are now set to run the software side of the exploit. DO NOT run it from this terminal while in the GUI, it should only be run from console mode. If you do run it you will not see anything happening, but your PS3 will suddenly become really slow and you will have to turn it off. More about the running of it in a future post.
A summary of the commands to enter at the terminal is below:
(then enter users password once, then the new password for root twice)
its also nice to know someone else successfully did the exploit, and they seem nice enough to make this guide so hopefully their nice enough to share their lvx dumps.
He won't post the dumps on his page as they are (c) material of course, however, he did mention he plans to detail both the SX28 chip diagram he used and share some code to actually dump the Hypervisor for those who are using the exploit which will be handy indeed!
I like the way things are moving around this. Hopefully, we'll see a very interesting and useful applications any time soon... we just have to wait. I've checked the code, and you sure did a very good modifications.
I wish I could try it by myself, but my PS3 is only one year old so is still under warranty; as soon as it expires, I'll do it with no hesitation just to feel the "power" hehe.
Last edited by JesusFMA; 02-05-2010 at 02:06 AMReason: ¬¬'
This is all very exciting news. I've been waiting for this since I bought my 1st generation console with SACD drive. I wonder if this exploit would lead to tapping of decrypted (if any) raw DSD stream and archiving to hd as .dsf or .dff files before the DSD to PCM conversion is taken place.
Further down the road, there may be a way to emulate the watermark encryption scheme that is only available for those 1st generation consoles with SACD drive (should be same blu-r drive as later generations) in all other consoles so all consoles out there can play SACD discs.
wow, would be nice if exploit is all software. These directions are very clear and easy to understand. But I think there is a hardware solder that has to be done. Sounds very legit. Thanks for all your work.
great start. well the directions are as clear as day. Thanks for the wonderful guide. I'm prob going to give this a shot once all the guides are up. Just hope we will be playing some Backups soon or some iso from the hard drive.
This is all great work by PS3 devs but is there any point in the common man or woman using this hack just yet? Is there a chance of bricking your PS3? I'm all for hacking it but is this hack worth doing just yet because at the moment we don't know how SONY will respond.
This is all great work by PS3 devs but is there any point in the common man or woman using this hack just yet?
Nah, end-users who have no intention of examining the resulting HV dumps should not bother doing this... especially those whose PS3 is still under warranty.
When PS3 Devs get the dumps and examine them they will share any interesting things found (holes, vulnerabilities, etc) so don't worry. For example, I know CJPC plans to examine the flag data to continue work on his Service Mode PS3 project, in hopes of one day being able to convert it to a fully functional Debug PS3 and ultimately being able to convert retail units.