
  1. #1
    Banned User
    Join Date
    Mar 2008
    Posts
    303

    GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!

    As a BIG follow-up to his Sample PS3 Linux Isolated SPU Loader Code, GeoHot has now released his coveted PS3 hack so end-users can exploit their non-Slim PlayStation 3 Entertainment System!

    Essentially what it does is modify the PS3's hypervisor adding two calls for reading/writing to all of the system memory.

    To quote: "In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

    Please document your findings on the [Register or Login to view links]. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

    [Register or Login to view links] is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up [Register or Login to view links] :)

    I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu.

    Good luck!"

    Usage Instructions:

    Compile and run the kernel module.

    When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns.
    Try this multiple times, I rigged an FPGA button to send the pulse.
    Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
    If the module exits, you are now exploited.

    This adds two new HV calls,
    u64 lv1_peek(16)(u64 address)
    void lv1_poke(20)(u64 address, u64 data)
    which allow any access to real memory.

    The PS3 is hacked, it's your job to figure out something useful to do with it.

    How it works:

    geohot: well actually it's pretty simple
    geohot: i allocate a piece of memory
    geohot: using map_htab and write_htab, you can figure out the real address of the memory
    geohot: which is a big win, and something the hv shouldn't allow
    geohot: i fill the htab with tons of entries pointing to that piece of memory
    geohot: and since i allocated it, i can map it read/write
    geohot: then, i deallocate the memory
    geohot: all those entries are set to invalid
    geohot: well while it's setting entries invalid, i glitch the memory control bus
    geohot: the cache writeback misses the memory :)
    geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
    geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
    geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
    geohot: switch to virtual segment
    geohot: write to main segment htab a r/w mapping of itself
    geohot: switch back
    geohot: PWNED
    geohot: and would work if memory were encrypted or had ECC
    geohot: the way i actually glitch the memory bus is really funny
    geohot: i have a button on my FPGA board
    geohot: that pulses low for 40ns
    geohot: i set up the htab with the tons of entries
    geohot: and spam press the button
    geohot: right after i send the deallocate call

    On the Isolated SPUs

    Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

    In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

    The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

    Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

    I wonder if any systems out there are actually secure?

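    The chat log above describes a stale-mapping condition: the hypervisor marks HTAB entries invalid on deallocation, and a dropped write leaves some of them valid. The toy C model below is added here (it is not GeoHot's code or the PS3 hypervisor's) and shows that condition from the hypervisor's side: a naive invalidation loop whose writes can be lost, and a read-back pass that counts any r/w mapping of the freed page that survived. HTAB_ENTRIES, the page address 0x200000 and the glitch window are constructed values.

```c
#include <stdint.h>
#include <stddef.h>
/* Toy model (constructed, not PS3 hypervisor code): a hashed page table whose
 * entries map a virtual page to a real page; bit 0 of flags marks VALID. */
#define HTAB_ENTRIES 64
#define HTAB_VALID   0x1u

typedef struct {
    uint64_t real_addr;   /* real page the entry points at */
    uint32_t flags;       /* HTAB_VALID | permission bits */
} htab_entry;

/* Fault model: table writes numbered [glitch_start, glitch_start+glitch_len) are
 * silently lost (the "cache writeback misses the memory"); constructed, not measured. */
typedef struct {
    htab_entry e[HTAB_ENTRIES];
    size_t writes_seen, glitch_start, glitch_len;
} htab;

/* Naive deallocation: clear each valid bit and trust that the write landed. */
void htab_invalidate_all(htab *t) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++) {
        size_t n = t->writes_seen++;
        if (n >= t->glitch_start && n < t->glitch_start + t->glitch_len)
            continue;                 /* write lost: entry keeps its old value */
        t->e[i].flags &= ~HTAB_VALID;
    }
}

/* Hardening check: read every entry back and count those still valid and still
 * pointing at the freed page. Non-zero means a stale r/w mapping survived; a
 * hardened hypervisor would retry the invalidation or halt rather than return. */
size_t htab_count_stale(const htab *t, uint64_t freed_addr) {
    size_t stale = 0;
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        if ((t->e[i].flags & HTAB_VALID) && t->e[i].real_addr == freed_addr)
            stale++;
    return stale;
}

/* Scenario: map one page r/w from every slot, free it under a glitch window, and
 * report how many mappings the read-back check finds still alive. */
size_t stale_after_free(size_t glitch_start, size_t glitch_len) {
    htab t = { .glitch_start = glitch_start, .glitch_len = glitch_len };
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        t.e[i] = (htab_entry){ 0x200000u, HTAB_VALID | 0x6u };
    htab_invalidate_all(&t);
    return htab_count_stale(&t, 0x200000u);
}
```

    With no glitch window the read-back pass finds nothing; with any dropped writes it returns exactly the number of entries that stayed valid, which is the signal a hypervisor can act on before returning from the deallocate call.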

  2. #2
    Banned User brent0r's Avatar
    Join Date
    Mar 2009
    Posts
    19
    Let's hope the devs can put time into making something great out of this. I have no doubts they won't. All the best! Best news of the year.

  3. #3
    Registered User exzile2's Avatar
    Join Date
    Mar 2009
    Posts
    6
    Man,

    This is a mistake... He should have let the devs look at it first!

  4. #4
    Senior Member SCE's Avatar
    Join Date
    Jan 2009
    Posts
    172
    Boss, could you please merge or close the other topics so that we can focus on one topic and I don't have to go through all the other topics when I wake up tomorrow.

  5. #5
    Registered User Bakke's Avatar
    Join Date
    Apr 2005
    Posts
    103
    Question: This exploit will be tapped on the next PS3 fw update, right?

  6. #6
    Registered User delmando's Avatar
    Join Date
    Feb 2009
    Posts
    1
    Really... you are great mr. Geohot!

  7. #7
    Registered User Alucard's Avatar
    Join Date
    Apr 2005
    Posts
    382
    Quote Originally Posted by Bakke:
    Question: This exploit will be tapped on the next PS3 fw update, right?
    Most likely it will, now that it is in the open Sony can patch things up!! So for now don't update your system!!

  8. #8
    Registered User xxkrizxx's Avatar
    Join Date
    Jul 2009
    Posts
    31
    Nope, geohot said it will be hard for Sony to patch it, so I don't think so...

    Well, guess more waiting for me now. C'mon devs, now it's up to you guys to use this hack. Just so I know, what exactly can be done with this?? Homebrew?

  9. #9
    Registered User ZimZi's Avatar
    Join Date
    Sep 2009
    Posts
    5
    This is great news!!! I hope this leads to something awesome!!!

  10. #10
    Registered User Kiriller's Avatar
    Join Date
    Sep 2008
    Posts
    108
    Let the games begin!

© 2014 PlayStation 3 News