How to Load METLDR in SPU Isolation Mode on PlayStation 3

[PS3 News]

Just over a month ago the PS3 Hypervisor lv2 (GameOS) was dumped and GeoHot hinted that it was accomplished by commanding an SPU to load METLDR.

Today dondolo let us know that simone has detailed how to load METLDR in SPU isolation mode on the PlayStation 3 and included some http://www.piemontewireless.net/images/3/32/Spuisolation.tgz.

While this is definitely a step forward, he still doesn't specify what the read/write u32 functions are... or which functions to add to the recent XorHack release.

Those interested can check it out below, and to quote:

"After some experiment I succeded to load METLDR in spu isolation.

You need geohot's exploit to do this, because you need to turn spu relocation off (MFC_SR1[R]=0) and not let know the HV you are using a SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work in HV way."

Code:

// Turn relocation OFF
  printf("<TURN RELOCATION OFF>\n");
  write_u64(SPU_P1(SPU_CURR)+0x0000, (read_u64(SPU_P1(SPU_CURR)+0x0000) & 0xFFFFFFFFFFFFFFEF�;
  printf("MFC_SR1 = %llx\n", read_u64(SPU_P1(SPU_CURR)+0x0000�;

  // no accesses are to be considered well behaved and cacheable
  write_u64(SPU_P1(SPU_CURR)+0x0900, (u64)0x0);

  // set overwrite mode for signal notification 1/2
  write_u64(SPU_P2(SPU_CURR)+0x4078, (u64)0x0);

  // set signal_notify1 = high metldr real address
  write_u32(SPU_PS(SPU_CURR)+0x1400C, (u32)0x0);

  // set signal_notify2 = low metldr real address
  write_u32(SPU_PS(SPU_CURR)+0x1C00C, (u32)0x11000);


  printf("---> START SPU IN ISOLATION MODE\n");

  // set SPU_PRIVCNTL[LE]=1
  write_u64(SPU_P2(SPU_CURR)+0x4040, (u64)0x4);

  // set SPU_RUNCNTL[Run] = '11'
  write_u32(SPU_PS(SPU_CURR)+0x401C, (u32)0x3);


  for (cx=0; cx<3; cx++)
  {
    // Print SPU_STATUS
    print__spu_status(read_u32(SPU_PS(SPU_CURR)+0x4024�;

    sleep(5);
  }

More PlayStation 3 News...

[sananth]

This is absolutely awesome! Thanks for the amazing discovery and all your hard work simone! I just wish I had a fat PS3 to try this out .. sigh ... I'll wait!

[factions]

Nice to see things are moving forward but it looks like a usable hack is still a while away for the average user. Anyone care to share any information/theories about what loading METLDR will accomplish?

[Warrorar]

nice one, lets see if this will face the direction in the right way.

[laggmaster]

Nice to see things are moving forward but it looks like a usable hack is still a while away for the average user. Anyone care to share any information/theories about what loading METLDR will accomplish?

well we could accomplish a multitude of things by running the METLDR such as mapping more of the cells architecture and i personally hope we can someday unlock RSX support for Linux so that i can run games in Linux... but right now its all still just a pipe dream

[PS3 News]

Anyone care to share any information/theories about what loading METLDR will accomplish?

Basically the Devs would just be able to dump lv2 to examine, and I'm sure if CJPC did it he would "leak" it (assuming nobody beats him to it) for others without the required hardware to check out as well.

For end-users and non-Devs I'd say just to remain patient... the more people working on this the better of course.

[wilkinsonjohn99]

now I'm not saying a hack is impossible but guessing that the encryption is based on mathematical prime numbers, and there are "quite a few" of those and since they never leave the chips they are built into a proper hack may never be found, but i hope to good god I'm wrong!!! and a homebrew hack is in the pipeline....

in the end i guess the only question we really need to be thinking about (long term) is what business model will win, will the Microsoft "we make money on every console so feck the software makers and loose on software licensing" or will sony "sell the console at a near loss but make a killing on software sold for our box" win out, this is the battle we really need to keep an eye on.... but will anyone at M$ or S0NY read any of these posts??

[factions]

For end-users and non-Devs I'd say just to remain patient... the more people working on this the better of course.

Indeed, am in no rush here. PS2 emulation is the holy grail for me.

[yellowsnow]

Nice to see things are moving forward but it looks like a usable hack is still a while away for the average user. Anyone care to share any information/theories about what loading METLDR will accomplish?

metloader=meatloader ie in the middle loader, metaloader loads all the other loaders lv2ldr (gameos), isoldr (isolation mode spu NOT iso9660 pirated games etc.), appldr etc basically we can also decrypt things with metldr too.

[cenoxdj]

It was a while from a real progress till some time, nice to see that we are going ahead! Yeah ps3 is going down! At this time i hope that Sony cannot mess up all this work with software patches or can they?