Update: Estx has now released both a P3KG (Linux) and a P3KGWN (Windows) PS3 Dongle ID Key Generator for those interested; winocm has started a PlayStation 3 Dongle Key Generator at https://github.com/winocm/ps3-donglegen (compiled binaries with source HERE), and Waninkoko has also shared a PS3 USB Dongle Key Generator at http://www.teknoconsolas.es/usbdongle/usbdongle.html.
Today Graf_Chokolo announced that he has successfully exploited the PS3 hypervisor 3.15 through GameOS and dumped it, and plans to do the same for version 3.41 along with sharing more details soon.
Here is what he had to say on the matter, to quote: "I have just exploited and dumped HV 3.15 from GameOS.
I used memory glitching like Geohot to get a dangling HTAB entry, but the 2nd and 3rd stages are quite different. I used my knowledge about HV internals and created a simpler exploit for stage2 and stage3.
I didn't use a second VAS like Geohot. I used lv1_undocumented_function_114 and lv1_undocumented_function_115 to exploit HV after I got a dangling HTAB entry.
Now we don't need Linux to exploit and dump HV. Furthermore, HV dump from GameOS is a lot better because when GameOS is running more features are activated in HV.
So, I can reverse now more C++ objects and understand better how HV works.
I will make everything public very soon and I plan to dump HV 3.41 in the next days.
Finally I will get access to SYSCON, EPROM, ENCDEC device and more.
And now I dumped the real USB Dongle Master Key guys. No one needs it now but here it is. I tested it with HMAC SHA1 and dongle key 0xAAAA and got the same dongle key that was reversed by KaKaRoTo.
Just as I said previously, use USB Dongle Authenticator, then dump HV and the decrypted USB Dongle Master Key will be in the HV dump. I extracted this key from my HV dump after I used USB Dongle Authenticator on GameOS. Then I rebooted GameOS but not HV and the key was still in HV and still decrypted.
static u8 master_key[20] = { 0x46, 0xDC, 0xEA, 0xD3, 0x17, 0xFE, 0x45, 0xD8, 0x09, 0x23, 0xEB, 0x97, 0xE4, 0x95, 0x64, 0x10, 0xD4, 0xCD, 0xB2, 0xC2 };
You still need to do memory glitching like Geohot did. I used an sx28 devboard for this. But the software exploit is totally different. I used my HV knowledge and exploited HV quite differently; I didn't use a second VAS like Geohot did.
I did my exploit from exploited GameOS. I used a FAT PS3 but it doesn't matter anymore, you could use a Slim PS3 even. Once exploited, the HV remains exploited as long as the PS3 is not powered off, that means you can reboot GameOS as much as you want, HV still remains exploited. And you have full read/write access to all RAM and peripheral devices from GameOS except isolated SPUs.
That means full access to SYSCON, ENCDEC device (which is responsible e.g. for HDD encryption/decryption) and other very interesting stuff.
That means, with an exploited GameOS every HV can be dumped and reversed. If GameOS >= 3.42 could be exploited then we could dump the new HV again and reverse SELF decryption again and decrypt new games.
And I will dump HV 3.41 soon. And look for pure software exploits in it.
I just patched Dispatcher Manager and enabled access to all HV services. Dumped SYSCON EPROM.
Decrypted USB Dongle Master Key with Virtual TRM Manager and guess what, it's the same I posted yesterday.
HV 3.41 exploited and dumped. Hehe, found HV call table already.
Good
Damn $ONY. They removed LPM HV calls from HV 3.41.
"
We are yet to know if any hardware is required; I have already asked him this, but I think it is not!