Back to waiting. Seems he is leaving this for now as well so we are with the devs again. I wonder why he didn't continue searching for the keys, even if not the root key. Any idea on whether this will be of more use on dev/test/tool systems? Do they use the same keys as the retail ps3s?
geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
Although anything can happen, I find it somewhat difficult to believe that Sony will patch out a system capability that they advertised when they sold the product to people. I know that plenty of people just few OtherOS as "that feature that might help me get pirated games," but it would be a pretty serious breach of ethics to remove the OtherOS capability from consoles that were sold as being capable of having Linux installed.
This isn't, however, to say that they couldn't simply patch out the exploit and leave OtherOS intact.
So what do you think CJPC... Your opinion counts most
I honestly think its awesome he released his exploit - now the real fun begins. Once the LV0/1 dumps show up, then its on to lots of reversing of the code, figuring out how to load up LV2, dump that, reverse it, etc.
It may be a long process, but a very creative way to get it started - kudos to Geohot on the release!