GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!

[PS3 News]

Here are some more relevant extracts from the latest blog post:

Mathieulh said...
Good job in managing to use the loaders to decrypt your files, this will definitely be useful

Mathieulh said...
The cell is an off the shelves cpu but the hardware root key can only be written once, from my understanding, the secure boot doesn't occur unless the root key is set, but once it is it becomes mandatory. Also although tempering with the XDR at runtime using hardware would allow us to hack the console in a very effective way, the hardware required to match the xdr bus speed is currently way too expensive to be affordable to most people, making it quite an unefficiant broad hack, not to mention parts of the XDR can be checked by the isolated loader which would make it harder for us to go that route when such time comes.

George Hotz said...
Yea, the SPU does check the integrity, but it doesn't matter. 2 options, either predecrypt and patch the binary, or have the SPU decrypt the unaltered version and patch it on the fly before it runs.

And the problem with a direct RAM interface is more the wiring it up than the cost.

George Hotz said...
You can decrypt everything except the loaders themselves. If it's ever in the XDR, you can dump it, so all the bus sniffing equipment is useless at this point. The loader decryption happens all on the die of the cell.

But for all practical goals, you don't need the loaders, and for most, you don't even need the loaders to be runable outside GameOS.

AnonymousR said...
I never expected to see this from IBM, but thanks for mentioning it, I suspect this is the document you were talking about:
http://domino.watson.ibm.com/library/CyberDig.nsf/papers/0019083255E3732C8525747A0068A14D/$File/rc24596.pdf
It actually seems even cheaper than I imagined (250-700$?). I was expecting a FPGA around the range of 2000$.

George Hotz said...
Nah, you'll probably never dump the LS. Hardware security is simple and well understood.

Although, if I was really trying to dump it, I'd try a brownout attack. Lower the power to the chip when the ram is erasing. You only need to get a tiny little part of metldr to get the keys.

George Hotz said...
The builders know how to load metldr in an SPU already.

And some people here don't understand the concept of asymmetric cryptography, no matter if you could manipulate the individual electrons in the processor, you can't create your own valid pkg files.

George Hotz said...
Understanding ISDF files.
The #Change lines are actually commented out (anything beginning with # is a comment) for now they are less important. Focus on the Parsed lines.

This example describes the instruction il

Lines from file:
1. # Immediate Load Word
2. 010000001 iiiiiiiiiiiiiiii ttttttt
3. Parsed "O R, I" il {{t}} {i}
4. Stop

1. A comment for the reader of the file to know the instruction
2. A bitmask to identify it. 0 and 1 must exist in the instruction. i and t are variables created from those regions.
3. Parsed is how to print the disassembled instruction to the user. The first parameter after Parsed is a format string describing the other parameters. O is opcode, R is register, I is immediate. il is the opcode, t is the register), and i is the immediate. Curly braces around i mean value of. Double curly braces around t mean value of register indexed by variable.
4. Stop parsing, this instruction is done.

[Raze1988]

Well, he DID say "Where my homebrew at?". So he basically says it's now possible for him to run unsigned code.

Too bad he'll not work on any homebrew

[PS3 News]

Yea, but he also said the same thing three weeks ago HERE (reposted below) so unless he was only speculating then it doesn't seem to be anything new.

George Hotz said...
Read your last paragraph in your last comment, and you'll see why I'm right.

You can't expect to know everything and dump every piece of code. This hack is enough for homebrew, full linux, and even backups.

[androvsky]

Well, he DID say "Where my homebrew at?". So he basically says it's now possible for him to run unsigned code.

Too bad he'll not work on any homebrew

If I'm reading it right, geohotz is saying it's now possible for him to run unsigned code... in OtherOS. Where it's already possible to run unsigned code. There's a slight possibility of decrypting, patching, and running parts of signed code, but since I doubt GameOS can be run on top of OtherOS, I'm not sure how much previously signed code can run without the correct OS.

Yeah, the PS3 has had homebrew for years, no one bothered. Not having RSX access shouldn't have been that big a detriment, but apparently everyone would rather hack the system than simply use the existing Cell-accelerated 2D SDL libraries IBM provided last year. It's not like we need 3D for most of the stuff people are asking for (XBMC, 90% of emulators). And if you really want 3D, I'm sure Mesa would gladly take any offered patches to their current Cell-accelerated OpenGL driver.

My point is I wonder how many people actually want homebrew. Yes, Slim owners are out of luck with OtherOS, but people that really care about homebrew can still pick up the older systems, usually for less money.

[pinoytechno]

geohot thanks

[tigereye]

Let the games begin!

[elser1]

this is way old news. its not really relevant anymore. big thanks to geohot tho for doing what he did.. if only he was still going hard and releasing all he knows to us end users.

[dyceast]

I guess pinoytechno wanted to finally let out his thanks to Geohot, even though he left the scene along time ago

[elser1]

lmao

[HeyManHRU]

Ha, I'm surprised this thread hasn't been closed yet. Anyway please don't bump old threads unless there is new news or you want some help with something, thanks