GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!

[int0]

I'm software developer and i'm working on the GeoHot exploit (kernel module).
I'm porting it on latest PS3 Linux Kernel available on my PS3(Fat with FW 3.15) Linux system Yellow Dog 6.2 with kernel 2.6.29.3.

You maybe already know GeoHot has done the exploit on PS3 ubuntu 8.10 with kernel 2.6.25-2.3, but since kernel 2.6.27 the htab is not mapped anymore and the exploit is not anymore working and crash

Thanks for sharing I also spotted this problem and also problem with compilation such as get_irq_chip_data(20) in newer kernel its defined as function and gives you an error ".irq_to_desc not found" I replaced that with: get_irq_desc[20].chip_data;

@titanmkd, can you tell me what did you fix to load HTAB? I'm wating for my FPGA to be delivered on 3rd of Feb. also im not really familiar with linux architecture because i'm windows DEV and RE Thnx.

[mushy409]

Well i know about warrenty i don't use it... so i can solder (i soldered infectus and did dump) so and this is not difficult for me... but i can't understand about hardware part.

Infectus is only for dumping the NAND which is encrypted. This exploit allows you to dump & inject into memory space (RAM) I believe.

Infectus will only be useful once we have:

A) The decryption keys for the NAND (CPU key if you like)
or
B) Some kind of CFW or Rebooter similar to the 360.

[einzwei]

seems like hwmod needed for running geohot's exploit is not very hard to make

let's look at hv intrinsics closer

[TUHTA]

Infectus is only for dumping the NAND which is encrypted. This exploit allows you to dump & inject into memory space (RAM) I believe.

no i just mean that i can solder.. that i'm good in that and i can do anything with ps3... so just neeed to understand.. and how to program... board to 40ns.

[CJPC]

seems like hwmod needed for running geohot's exploit is not very hard to make

let's look at hv intrinsics closer

Hey einzwei, nice to see you around again - its been quite a while. Actually having some issues sourcing parts fast enough - got any ideas?

[Mdiv]

no i just mean that i can solder.. that i'm good in that and i can do anything with ps3... so just neeed to understand.. and how to program... board to 40ns.

You could probably make the circuit for a couple of quid (attached gif) if you don't have access to the components for free. I won't be trying it because tolerances of the components would probably make the pulse time swing wildly and I hate precision oscilloscopes with a passion to test the circuit.

t = R*C*Ln(3)

if t = 40 nS, C = 300 pF then R = 121.21 Ohms

using a 120 Ohm resistor (which is a standard value) gives 39.93 nS.

HEF4016B (Quadruple bilateral switch http://ics.nxp.com/products/hef/datasheet/hef4016b.pdf)

[Poopsqueege]

Does anyone think that a normal wave generator would work for the pulse or would you have to rig something up with a 555 timer ic?

[lavatar]

Whats about Xbox 360´s Hypervisor, is it possible to glitch it with the same method? But without Otheros Linux nearly impossible?

[Mdiv]

The way I see it is you have to connect the point on the PS3 to ground only once and for 40 nS. I don't think a wave generator could do that as it will go from 0V to ±5/10/whatever Volts (unless it has a one shot function which you can trigger) but then I can only see it to be used to trigger an addition circuit.

[titanmkd]

Thanks for sharing I also spotted this problem and also problem with compilation such as get_irq_chip_data(20) in newer kernel its defined as function and gives you an error ".irq_to_desc not found" I replaced that with: get_irq_desc[20].chip_data;

@titanmkd, can you tell me what did you fix to load HTAB? I'm wating for my FPGA to be delivered on 3rd of Feb. also im not really familiar with linux architecture because i'm windows DEV and RE Thnx.

On Kernel 2.6.29.x the HTAB can be only fixed with patch on kernel, i'm working on it to do a clean thing with a kernel module service to retrieve l htab@ and i'm also do a huge cleanup in original GeoHot code with additional comments and removing all hard coded address.

About irq_to_desc problem i fixed it using:

Code:

#define irq_to_desc(irq)	(&irq_desc[irq])
before line #include <linux/irq.h>

I will post the source code of new exploit.c and kernel patch required when all will be clean and working (does anyone know how to post that on this website because i'm new user and I have no right to upload files ...).

Code:

For information kernel patch is done in following files:
source/arch/powerpc/platforms/ps3/device-init.c
source/arch/powerpc/platforms/ps3/htab.c
For information htab is retrieved using
result = lv1_map_htab(0, &htab_addr); 
but it need to be remapped to linux kernel addr ...

I plan also to add services to the exploit to use the kernel module to read/write in memory using user space with fopen() ...

Best Regards

TitanMKD