Latest PS3 News Forum Updates

  • News
  • Posts
  • PS3 CFW
  • PS3 Files
  • PS3 Hacks
  • PS3 Help
  • PS3 Releases
  • PS3 Themes
  • PS3 Trophies
  • PS Vita Trophies
racer0018 PS3 downgrading problem help? - 12m ago
racer0018 PS3 backup games from internal hdd help? - 15m ago
PS3 News multiMAN - themes, background music and interface modifications - 25m ago
worrorfight PS3 Original EBOOT.BIN / PARAM.SFO Files Repository - 35m ago
worrorfight Paintown 2-D Fighting Game PS3 Homebrew Test Port Arrives - 36m ago
worrorfight Videos: Best of PlayStation Network, Vol. 1 Arrives This June - 38m ago
worrorfight Iris Manager v2.0 PS3 Backup Game Manager By Estwald is Released - 39m ago
PS3 News RockStar Announces The Warriors is Coming Next Week to PSN - 58m ago
PS3 News Kite Fight Takes to the Skies on PlayStation 3 Next Week - 58m ago
PS3 News Sony European PlayStation Game Store Updates for May 22, 2013 - 58m ago
Closed Thread
Page 1 of 5 1 2 3 ... LastLast
  1. 01-26-2010 #1
    Donatello
    Donatello is offline Registered User Donatello will become famous soon enough Donatello will become famous soon enough

    GeoHot Releases Sample PS3 Linux Isolated SPU Loader Code

    Today GeoHot has released sample PS3 Linux isolated SPU loader code for those with OtherOS to experiment with.

    To quote: "Right now, I'm playing with the isolated SPEs, trying to get metldr to load from OtherOS. Interesting thing, I am not using the exploit. I always assumed the enable isolation mode register was hypervisor privileged.

    It's not, it's kernel privileged, which means using hypervisor calls you can all get to it. So, get to hacking. http://pastie.org/795371 is the code I am playing with.

    I'm not that opposed to releasing the exploit, but I think the majority of you are going to be disappointed, even if you do get it working. Unless you have pushed the HV to it's limits, this exploit really isn't going to do much for you... yet.

    So install OtherOS and start playing around. If people start coming up with convincing reasons why they need the exploit to go further, I'll release it. It's just a waste to release if people can't make use of it.

    As far as the GPU goes, I have full access to the GPU memory space 0x2800... But without a driver, it's useless. 3D video card drivers are notoriously hard to write, look at the ATI and NVIDIA ones for linux. The best are still the closed source manufacturer ones.

    I'm not even sure I believe that the HV restricts video card access, just that the OtherOS driver is 2D. If someone skilled in video card driver development comes forward, and they can explain in detail what the HV is restricting, I'll send them the exploit."
    Code:
    volatile int init_module() {
  unsigned long priv2_addr, problem_phys, local_store_phys, context_addr, shadow_addr, spe_id, vas;

  lv1_get_virtual_address_space_id_of_ppe(0, &vas);

  printk(KERN_ERR "die kernel %d\n", lv1_destruct_logical_spe(0xb));

  printk(KERN_ERR "construct SPE: %d\n", lv1_construct_logical_spe(0x10,0x10,0x10,0x10,0x10, vas, 0, &priv2_addr, &problem_phys, &local_store_phys, &context_addr, &shadow_addr, &spe_id));
  boom_lpar(shadow_addr);
  printk(KERN_ERR "make SPE id: %d\n", spe_id);
  printk(KERN_ERR "enable SPE: %d\n", lv1_enable_logical_spe(spe_id, 0));


  unsigned long *problem_mapped, *privileged_mapped, *local_mapped;

  problem_mapped =__ioremap((unsigned long)problem_phys, 0x20000, PAGE_SHARED_X);
  privileged_mapped =__ioremap((unsigned long)priv2_addr, 0x20000, PAGE_SHARED_X);
  local_mapped =__ioremap((unsigned long)local_store_phys, 0x40000, PAGE_SHARED_X);

  printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
  printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);
  privileged_mapped[0x4040/8] |= 4;
  printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);

  struct file* fd;
  mm_segment_t old_fs = get_fs();
  set_fs(KERNEL_DS);
  fd = filp_open("/work/pwned/metldr", O_RDONLY, 0);
  if(!IS_ERR(fd)) {
    printk(KERN_ERR "file is open\n");
    printk(KERN_ERR "read %d\n", fd->f_op->read(fd, local_mapped, 0x40000, &fd->f_pos));
    filp_close(fd, NULL);
  } else {
    printk(KERN_ERR "file open failed!!!!\n");
  }
  set_fs(old_fs);
  printk(KERN_ERR "read in metldr\n");

  problem_mapped[0x4018/8] |= 3;

  int i;
  for(i=0;i<0x20;i++) {
    printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
  }
  printk(KERN_ERR "destruct SPE: %d\n", lv1_destruct_logical_spe(spe_id));

  return 0;
}
    GeoHot Releases Sample PS3 Linux Isolated SPU Loader Code

    More PlayStation 3 News...

  3. 01-26-2010 #2
    xplozion's Avatar
    xplozion
    xplozion is offline Junior Member xplozion is just really nice xplozion is just really nice xplozion is just really nice xplozion is just really nice
    Quote Originally Posted by Donatello View Post
    If people start coming up with convincing reasons why they need the exploit to go further, I'll release it. It's just a waste to release if people can't make use of it.
    The hacking can't start... without the exploit you can't doing nothing

  4. 01-26-2010 #3
    Hemp's Avatar
    Hemp
    Hemp is offline Registered User Hemp is on a distinguished road
    Actually if i were rich i would buy the games, but unfortunately i'm not

    If the game developers would sell the games cheaper (lets say 20 euro) then i would also buy alot more games, but as long as they want me to pay 60-70 euro for a game, piracy is the only solution for me (no i dont wanna wait a year for platinum editions and i still buy games that are worth it like MGS4, Uncharted1+2, GTA4...)

  5. 01-26-2010 #4
    mekisi's Avatar
    mekisi
    mekisi is offline Registered User mekisi is on a distinguished road
    Quote Originally Posted by xplozion View Post
    The hacking can't start... without the exploit you can't doing nothing
    So do you think geohot will give the exploit? (just wanna ask it to you)

  6. 01-26-2010 #5
    Nivdeb's Avatar
    Nivdeb
    Nivdeb is offline Registered User Nivdeb is infamous around these parts
    Quote Originally Posted by mekisi View Post
    So do you think geohot will give the exploit? (just wanna ask it to you)
    Sure he will. He seems waiting for the good time and that it's advanced enough.

  7. 01-26-2010 #6
    Tidusnake666's Avatar
    Tidusnake666
    Tidusnake666 is online now Forum Moderator Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of Tidusnake666 has much to be proud of
    In digital signature there is only ONE SPECIFIC pair of Public (decryption) and Private (Encryption and decryption) Keys.

    Encrypting content with private key from one pair of keys and decrypting with public key of other pair is not possible.

  8. 01-26-2010 #7
    hellospaceboy's Avatar
    hellospaceboy
    hellospaceboy is offline Registered User hellospaceboy is on a distinguished road
    My guess is he's getting sick of the people invading the blog with piracy comments, and there are few who posts knowledgable answers relating to coding/the exploit etc - although he did say he found some useful.

  9. 01-26-2010 #8
    playforfun's Avatar
    playforfun
    playforfun is offline Contributor playforfun has a spectacular aura about playforfun has a spectacular aura about

    Smile

    i have read now he have access to isolate SPE and RSX memory, wow ! he explain also the access to the SPE is done with no exploit !

    to finish, he say the RSX drivers is coded in 2d and say if someone have knowledges about drivers, he want to know some things about RSX drivers.

    he have explained one important detail about exploit => his exploit is not useful if the HV is not pushed to limits, i think it's the bootloader or a control module to protect the console

  10. 01-26-2010 #9
    XSamurai's Avatar
    XSamurai
    XSamurai is offline Junior Member XSamurai is just really nice XSamurai is just really nice XSamurai is just really nice XSamurai is just really nice
    Sounds pretty interesting. Maybe one of the devs want to explain to us what can be done with this code. Seems like George knows that this method is very limited and full access is just possible with his exploit.

    CJPC maybe?

  11. 01-26-2010 #10
    PS3 News's Avatar
    PS3 News
    PS3 News is online now Forum Moderator PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of PS3 News has much to be proud of
    Quote Originally Posted by XSamurai View Post
    CJPC maybe?
    CJPC is busy with classes and doing his own thing (with his new hardware) so he isn't getting overly involved with the GeoHot stuff like Mathieulh or others are, but I will try to get him to reply.

    I know a few of the Devs on IRC gave this a try so maybe they can also comment on it.

    Here is a snippet from IRC:
    he's recreating SPE 0xb, one already owned by otheros and trying to map it with metldr contents.. well clearly he's putting it in isolation mode by modifying some obscure flags

    printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
    printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);
    privileged_mapped[0x4040/8] |= 4;
    printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);

    well, with a lv1 dump, its easy to see obscure flags :P
    Finally, Donatello I moved your post to a new thread in the Site News since this is the first GeoHot "release" but we won't necessarily start a new thread for all of his updates, only the bigger ones.

Closed Thread
Page 1 of 5 1 2 3 ... LastLast