Page 1 of 5
Results 1 to 10 of 45



  1. #1
    Banned User
    Join Date
    Dec 2009
    Posts
    9

    GeoHot Releases Sample PS3 Linux Isolated SPU Loader Code


    Today GeoHot has released sample PS3 Linux isolated SPU loader code for those with OtherOS to experiment with.

    To quote: "Right now, I'm playing with the isolated SPEs, trying to get metldr to load from OtherOS. Interesting thing, I am not using the exploit. I always assumed the enable isolation mode register was hypervisor privileged.

    It's not, it's kernel privileged, which means using hypervisor calls you can all get to it. So, get to hacking. http://pastie.org/795371 is the code I am playing with.

    I'm not that opposed to releasing the exploit, but I think the majority of you are going to be disappointed, even if you do get it working. Unless you have pushed the HV to its limits, this exploit really isn't going to do much for you... yet.

    So install OtherOS and start playing around. If people start coming up with convincing reasons why they need the exploit to go further, I'll release it. It's just a waste to release if people can't make use of it.

    As far as the GPU goes, I have full access to the GPU memory space 0x2800... But without a driver, it's useless. 3D video card drivers are notoriously hard to write, look at the ATI and NVIDIA ones for Linux. The best are still the closed source manufacturer ones.

    I'm not even sure I believe that the HV restricts video card access, just that the OtherOS driver is 2D. If someone skilled in video card driver development comes forward, and they can explain in detail what the HV is restricting, I'll send them the exploit."
    Code:
    /* Cleaned-up version of the posted module: includes, types, error handling,
     * cleanup and comments are editorial; the hypercalls, register offsets and the
     * sequence of operations are as GeoHot posted.  Build as an out-of-tree module
     * against a PS3 OtherOS (ppc64) kernel and load it with insmod. */
    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/fs.h>
    #include <linux/err.h>
    #include <linux/uaccess.h>
    #include <asm/io.h>
    #include <asm/pgtable.h>
    #include <asm/lv1call.h>

    int init_module(void)
    {
        unsigned long priv2_addr, problem_phys, local_store_phys, context_addr,
                      shadow_addr, spe_id, vas;
        volatile unsigned long *problem_mapped, *privileged_mapped, *local_mapped;
        mm_segment_t old_fs;
        struct file *fd;
        int ret = 0, i;

        lv1_get_virtual_address_space_id_of_ppe(0, &vas);

        /* Tear down logical SPE 0xb (already owned by OtherOS) so a new one can be built. */
        printk(KERN_ERR "die kernel %d\n", lv1_destruct_logical_spe(0xb));

        /* Construct a fresh logical SPE in this LPAR's address space.  The first five
         * arguments are page shifts (0x10 = 64 KiB pages) for its mapped regions; the
         * hypervisor returns the physical addresses of the MMIO windows and local store. */
        printk(KERN_ERR "construct SPE: %d\n",
               lv1_construct_logical_spe(0x10, 0x10, 0x10, 0x10, 0x10, vas, 0,
                                         &priv2_addr, &problem_phys, &local_store_phys,
                                         &context_addr, &shadow_addr, &spe_id));
        boom_lpar(shadow_addr);    /* helper not included in the posted snippet */
        printk(KERN_ERR "make SPE id: %lx\n", spe_id);
        printk(KERN_ERR "enable SPE: %d\n", lv1_enable_logical_spe(spe_id, 0));

        /* Map the problem-state and privileged-2 windows (128 KiB each as mapped here)
         * and the 256 KiB local store into kernel space. */
        problem_mapped    = __ioremap(problem_phys, 0x20000, pgprot_val(PAGE_SHARED_X));
        privileged_mapped = __ioremap(priv2_addr, 0x20000, pgprot_val(PAGE_SHARED_X));
        local_mapped      = __ioremap(local_store_phys, 0x40000, pgprot_val(PAGE_SHARED_X));
        if (!problem_mapped || !privileged_mapped || !local_mapped) {
            printk(KERN_ERR "ioremap failed\n");
            ret = -ENOMEM;
            goto out;
        }

        /* The 64-bit word at problem-state 0x4020 holds SPU_Status (0x4024) in its low half. */
        printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020 / 8]);
        /* Privileged-2 0x4040 is SPU_PrivCntl; bit 4 is the isolation-enable bit that
         * GeoHot found to be kernel- rather than hypervisor-privileged. */
        printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040 / 8]);
        privileged_mapped[0x4040 / 8] |= 4;
        printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040 / 8]);

        /* Copy the metldr image straight into the SPE's local store.  set_fs(KERNEL_DS)
         * makes vfs_read() accept a kernel (here: ioremapped) destination buffer. */
        old_fs = get_fs();
        set_fs(KERNEL_DS);
        fd = filp_open("/work/pwned/metldr", O_RDONLY, 0);
        if (!IS_ERR(fd)) {
            printk(KERN_ERR "file is open\n");
            printk(KERN_ERR "read %zd\n",
                   vfs_read(fd, (char __user *)local_mapped, 0x40000, &fd->f_pos));
            filp_close(fd, NULL);
        } else {
            printk(KERN_ERR "file open failed: %ld\n", PTR_ERR(fd));
        }
        set_fs(old_fs);
        printk(KERN_ERR "read in metldr\n");

        /* The 64-bit word at 0x4018 holds SPU_RunCntl (0x401C) in its low half;
         * run-control value 3 requests an isolated load of what is now in local store. */
        problem_mapped[0x4018 / 8] |= 3;

        /* Poll SPU_Status a few times to watch the isolated load progress or fail. */
        for (i = 0; i < 0x20; i++)
            printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020 / 8]);

    out:
        if (local_mapped) iounmap((void __iomem *)local_mapped);
        if (privileged_mapped) iounmap((void __iomem *)privileged_mapped);
        if (problem_mapped) iounmap((void __iomem *)problem_mapped);
        printk(KERN_ERR "destruct SPE: %d\n", lv1_destruct_logical_spe(spe_id));
        return ret;
    }

    /* Everything is torn down at the end of init_module(); nothing left to undo on rmmod. */
    void cleanup_module(void) { }

    MODULE_LICENSE("GPL");

  2. #2
    Junior Member xplozion's Avatar
    Join Date
    Jun 2009
    Posts
    59

    Quote Originally Posted by Donatello View Post
    If people start coming up with convincing reasons why they need the exploit to go further, I'll release it. It's just a waste to release if people can't make use of it.
    The hacking can't start... without the exploit you can't do anything.

  3. #3
    Registered User Hemp's Avatar
    Join Date
    Sep 2009
    Posts
    20
    Actually, if I were rich I would buy the games, but unfortunately I'm not.

    If the game developers would sell the games cheaper (let's say 20 euro) then I would also buy a lot more games, but as long as they want me to pay 60-70 euro for a game, piracy is the only solution for me (no, I don't want to wait a year for platinum editions, and I still buy games that are worth it like MGS4, Uncharted 1+2, GTA4...).

  4. #4
    Registered User mekisi's Avatar
    Join Date
    Aug 2009
    Posts
    42
    Quote Originally Posted by xplozion View Post
    The hacking can't start... without the exploit you can't do anything.
    So do you think GeoHot will give out the exploit? (Just wanted to ask you.)

  5. #5
    Banned User Nivdeb's Avatar
    Join Date
    Jan 2010
    Posts
    14
    Quote Originally Posted by mekisi View Post
    So do you think geohot will give the exploit? (just wanna ask it to you)
    Sure he will. He seems to be waiting for the right time, and for it to be advanced enough.

  6. #6
    Senior Member Tidusnake666's Avatar
    Join Date
    Sep 2008
    Posts
    789
    In a digital signature there is only ONE SPECIFIC pair of public (decryption) and private (encryption and decryption) keys.

    Encrypting content with the private key from one pair of keys and decrypting it with the public key of another pair is not possible.
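As an added example (not part of the post above and not anything GeoHot released): textbook RSA with 16-bit primes, showing that a signature made with one key pair's private exponent verifies only under that same pair's public exponent, while any other pair's public key rejects it, as does a single flipped byte in the signed image. The primes, the exponent 65537, the FNV-based stand-in for a hash and the sample image bytes are all constructed for this demo; real signature schemes use a cryptographic hash and padding, which this toy omits, so it is insecure by construction.

```c
/* Added illustration: textbook RSA with 16-bit primes and no padding, to show
 * that a signature verifies only under the public exponent of the pair whose
 * private exponent produced it.  Toy parameters, insecure by construction. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint64_t n;    /* modulus p*q, kept below 2^32 so a*b fits in 64 bits */
    uint64_t e;    /* public exponent */
    uint64_t d;    /* private exponent, e*d == 1 (mod (p-1)(q-1)) */
} rsa_key;

/* Square-and-multiply; all operands stay below 2^32, so products fit in uint64_t. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1)
            r = (r * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by extended Euclid; returns 0 when a has no inverse mod m. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m), q, tmp;
    while (newr) {
        q = r / newr;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* p and q: distinct primes below 2^16; e must be coprime to (p-1)(q-1). */
static rsa_key rsa_keygen(uint64_t p, uint64_t q, uint64_t e)
{
    rsa_key k = { p * q, e, modinv(e, (p - 1) * (q - 1)) };
    return k;
}

/* Stand-in for hashing a loader image before signing: FNV-1a folded below n.
 * A real signer uses a cryptographic hash plus padding (e.g. PSS). */
static uint64_t toy_digest(const uint8_t *buf, size_t len, uint64_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return h % n;
}

static uint64_t rsa_sign(const rsa_key *k, uint64_t digest)
{
    return powmod(digest, k->d, k->n);    /* private exponent: only the signer holds d */
}

static int rsa_verify(const rsa_key *k, uint64_t digest, uint64_t sig)
{
    return powmod(sig, k->e, k->n) == digest;    /* public exponent: anyone can check */
}

/* Bit 0: same-pair verification passes.  Bit 1: the other pair's public key
 * rejects the signature.  Bit 2: a flipped byte in the image is rejected. */
static int cross_pair_demo(void)
{
    uint8_t image[] = "metldr-image-bytes (constructed sample)";  /* constructed input */
    rsa_key a = rsa_keygen(65521, 65519, 65537);    /* pair A */
    rsa_key b = rsa_keygen(65497, 65479, 65537);    /* pair B, different primes */
    uint64_t da = toy_digest(image, sizeof image, a.n);
    uint64_t sig = rsa_sign(&a, da);
    int result = 0;

    if (rsa_verify(&a, da, sig))
        result |= 1;
    if (!rsa_verify(&b, toy_digest(image, sizeof image, b.n), sig))
        result |= 2;
    image[0] ^= 0x01;
    if (!rsa_verify(&a, toy_digest(image, sizeof image, a.n), sig))
        result |= 4;
    return result;
}

int main(void)
{
    printf("cross-pair demo result: %d (7 = all three checks behaved as expected)\n",
           cross_pair_demo());
    return 0;
}
```

Compile with `cc -std=c99` and run; a result of 7 means the same-pair check passed and both the cross-pair and tampered-image checks were rejected.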

  7. #7
    Registered User hellospaceboy's Avatar
    Join Date
    Jan 2009
    Posts
    130
    My guess is he's getting sick of the people invading the blog with piracy comments, and there are few who post knowledgeable answers relating to coding/the exploit etc., although he did say he found some useful.

  8. #8
    Contributor playforfun's Avatar
    Join Date
    Jul 2009
    Posts
    50


    I have read now that he has access to the isolated SPE and RSX memory, wow! He also explains that the access to the SPE is done with no exploit!

    To finish, he says the RSX driver is coded in 2D and says that if someone has knowledge about drivers, he wants to know some things about RSX drivers.

    He has explained one important detail about the exploit => his exploit is not useful if the HV is not pushed to its limits; I think it's the bootloader or a control module to protect the console.

  9. #9
    Junior Member XSamurai's Avatar
    Join Date
    Dec 2006
    Posts
    17
    Sounds pretty interesting. Maybe one of the devs wants to explain to us what can be done with this code. Seems like George knows that this method is very limited and full access is only possible with his exploit.

    CJPC maybe?

  10. #10
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    26,887
    Quote Originally Posted by XSamurai View Post
    CJPC maybe?
    CJPC is busy with classes and doing his own thing (with his new hardware) so he isn't getting overly involved with the GeoHot stuff like Mathieulh or others are, but I will try to get him to reply.

    I know a few of the Devs on IRC gave this a try so maybe they can also comment on it.

    Here is a snippet from IRC:
    he's recreating SPE 0xb, one already owned by OtherOS, and trying to map it with metldr contents... well, clearly he's putting it in isolation mode by modifying some obscure flags

    printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
    printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);
    privileged_mapped[0x4040/8] |= 4;
    printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);

    well, with a lv1 dump, it's easy to see obscure flags :P
    Finally, Donatello I moved your post to a new thread in the Site News since this is the first GeoHot "release" but we won't necessarily start a new thread for all of his updates, only the bigger ones.

 


 