  1. #1
    Senior Member CodeKiller's Avatar
    Join Date
    Nov 2009
    Posts
    130

    Let's open up this console!

    It's been quite a long time since geo opened up the bare metal, but still no real progress on the horizon. So i decided to give it a try, and bought a PAL 40g with fw 2.52 (was stuck there, so it was relatively cheap..) to experiment a little bit.

    First things first: ubuntu 8.10 - don't know why, but now missing from the official site. But if you know where to hunt cd images you can still find it.

    Second: install/setup -- everything you can find here is available through basic search.. just to cut things short
    -after you login, you can disable gui...just a waste of time/resources: on the top menu/system/administration/services and uncheck the gdm, so you will fallback to cli
    -enable root:
    [Register or Login to view code]

    -install mc.. midnight commander: as root, or with sudo
    [Register or Login to view code]

    (as root you need to 'mkdir .mc' in /root/ to store setting)
    -make fix ip: edit /etc/network/interfaces
    [Register or Login to view code]

    (x, y, z need to replace with corresponding values)
    edit /etc/resolv.rc if necessary add line

    [Register or Login to view code]

    and to make it work
    [Register or Login to view code]

    -install openssh server.. to access from other computer via ssh or putty:
    [Register or Login to view code]

    Now time for some real action
    as the current use of exploits is a little ugly, i thought it would look better if no components need to be installed outside the box, so the most basic interface would work as a trigger-button to the uC: the keyboard-leds! (one of them) It will need to be installed into one usb-port (thus losing one usb-port.. but if you install a hub into another port, you can wire these pre-used ports back into operation)
    _details and the actual how-to later.._

    ok - you said - it's good, but we already have this, what's next?

    as now we need at least dump of the lv2.. but how?
    (!!warning the following theories are not based on deep knowledge of the system, so maybe completely wrong!!)

    case 1) we need to mimic/emulate the system reboot so that during some special operation, we could kick the isolated spu and retrieve the codes from it (if it's enabled to run code w/o cleaning before)

    case 2) somehow "praying" metldr to work and then kick, and get the decrypt-codes as above.. or simply let it do its job..

    case 3) overrun the ps3-flash-tool to access more than the bootloader

    case 4) run exploit&dumper on tool/test/debug system in gameos mode and then use the result to achieve the previous cases in retail consoles
    as i don't even have access to any of these, i can't do it myself (nor if i would have, could i do it.. but i would try)

    Any help is highly welcomed and acclaimed!

  2. #2
    Contributor sapperlott's Avatar
    Join Date
    Nov 2009
    Posts
    129
    Quote Originally Posted by CodeKiller View Post
    as now we need at least dump of the lv2.. but how?
    (!!warning the following theories are not based on deep knowledge of the system, so maybe completely wrong!!)

    case 1) we need to mimic/emulate the system reboot so that during some special operation, we could kick the isolated spu and retrieve the codes from it (if it's enabled to run code w/o cleaning before)

    case 2) somehow "praying" metldr to work and then kick, and get the decrypt-codes as above.. or simply let it do its job..

    case 3) overrun the ps3-flash-tool to access more than the bootloader

    case 4) run exploit&dumper on tool/test/debug system in gameos mode and then use the result to achieve the previous cases in retail consoles
    as i don't even have access to any of these, i can't do it myself (nor if i would have, could i do it.. but i would try)

    Any help is highly welcomed and acclaimed!
    1) AFAIK the hardware ensures that the isolated SPE's LS is cleared when exiting isolated mode. Don't know what happens on a hard reset, though. You could enter the XMB, enable OtherOS for the next reboot, then power cycle by using the switch on the back and dump the contents of all the SPE's LS in Linux with an appropriate SPU program. This would basically be a cold boot attack on the LS. But looking at the paranoid levels of security I would expect that the HV clears all the LS before starting OtherOS.

    2) That's the route I would explore since it promises the best results (i.e. decrypting arbitrary NPDRM binaries)

    3) The flash-tool only uses HV calls. You would have to patch these using the exploit. IIRC George did this already as a means to manipulate the RCOs in the flash.

    4) That would be interesting but I think that I read somewhere on the forum that the exploit wouldn't work on TOOL/Test consoles (an explanation why it wouldn't work would be very welcome).

    I'm still working out some wire routing problems on my hack PS3 as I get interference with every routing I've tried up until now.

  3. #3
    Contributor tjay17's Avatar
    Join Date
    Apr 2010
    Posts
    421
    Ok, everything you said pretty much went over my head.

  4. #4
    Senior Member CodeKiller's Avatar
    Join Date
    Nov 2009
    Posts
    130
    Quote Originally Posted by sapperlott View Post
    1) AFAIK the hardware ensures that the isolated SPE's LS is cleared when exiting isolated mode. Don't know what happens on a hard reset, though. You could enter the XMB, enable OtherOS for the next reboot, then power cycle by using the switch on the back and dump the contents of all the SPE's LS in Linux with an appropriate SPU program. This would basically be a cold boot attack on the LS. But looking at the paranoid levels of security I would expect that the HV clears all the LS before starting OtherOS.

    2) That's the route I would explore since it promises the best results (i.e. decrypting arbitrary NPDRM binaries)

    3) The flash-tool only uses HV calls. You would have to patch these using the exploit. IIRC George did this already as a means to manipulate the RCOs in the flash.

    4) That would be interesting but I think that I read somewhere on the forum that the exploit wouldn't work on TOOL/Test consoles (an explanation why it wouldn't work would be very welcome).

    I'm still working out some wire routing problems on my hack PS3 as I get interference with every routing I've tried up until now.
    1) who said 'exiting'? i said KICK OUT while in the middle of its process (granted by HV-level access). The whole point of it is to start loading gameos while still in otheros

    2) it was discovered a while back but still no real progress.. maybe a dead-end?

    3) sooo, can't be it good?

    4) as CJPC said it's not impossible, just difficult: http://www.ps3news.com/forums/ps3-ha...tml#post291941

  5. #5
    Contributor sapperlott's Avatar
    Join Date
    Nov 2009
    Posts
    129
    Quote Originally Posted by CodeKiller View Post
    1) who said 'exiting'? i said KICK OUT while in the middle of its process (granted by HV-level access). The whole point of it is to start loading gameos while still in otheros
    That's a synonym. What GeoHot calls "kicking out" is basically calling the isolated SPE's exit function.

    Quote Originally Posted by CodeKiller View Post
    2) it was discovered a while back but still no real progress.. maybe a dead-end?
    I don't think so. The problem is that the hard part isn't really to get METLDR running but figuring out the protocol to make it do something useful

    Quote Originally Posted by CodeKiller View Post
    3) sooo, can't be it good?
    Sure - it will enable easy write access to the flash. BUT that's only one small step since the files inside the flash are encrypted themselves. So this would be rather pointless unless 2) is dealt with.

    Quote Originally Posted by CodeKiller View Post
    4) as CJPC said it's not impossible, just difficult: http://www.ps3news.com/forums/ps3-ha...tml#post291941
    Okay - that was the quote I was looking for. Seems like no one owning a Debug wants to risk a try.

  6. #6
    Senior Member CodeKiller's Avatar
    Join Date
    Nov 2009
    Posts
    130
    Quote Originally Posted by sapperlott View Post
    That's a synonym. What GeoHot calls "kicking out" is basically calling the isolated SPE's exit function.
    Not exactly: if you kick out/kill a process, it's forced to terminate/interrupt and is wiped out of the execution pipe (maybe the memory is wiped after it, or just marked as free), while exit is the graceful termination of a process by calling its exit routine; the process then cleans up/ends its business and calls the system's exit routine to completely stop execution. (roughly in windows terminology: kick out = alt+ctrl+del and shut down the program, exit = alt+f4; if alt+f4 does not work, alt+ctrl+del (sometimes) can shut down the program)

    Ok, you have a point, i can't find a 'violent enough' termination of the SPEs in http://ps3hvdoc.wikispaces.com/lv1+calls+offsets
    but maybe some asm voodoo can do so...

    but as i just finished the hw/sw for easier exploit, i will start experimenting..

  7. #7
    Contributor sapperlott's Avatar
    Join Date
    Nov 2009
    Posts
    129
    Maybe you should read the IBM docs first. Apart from a power-off, calling the exit routine is the only way to get a SPE out of isolation mode. And don't picture it as calling a high level library function but rather as sending the SPE a signal that is then reacted upon on a hardware level since the exit routine is contained within a state machine on the SPE silicon (more exactly in the MFC).

  8. #8
    Senior Member CodeKiller's Avatar
    Join Date
    Nov 2009
    Posts
    130
    Ok, i said i don't know the system deeply enough, i just trusted the info i read (what geohot told). So to start, i found this: [Register or Login to view links] (sorry if it was mentioned before).

    Just to think a bit again: if pwr-off get SPE out of isolation, then do that.. but i'm afraid it'll clean the registers/caches.

  9. #9
    Contributor sapperlott's Avatar
    Join Date
    Nov 2009
    Posts
    129
    Yeah - that Sony link is a good source of information. Here's the IBM link (has about the same documents plus some more):
    [Register or Login to view links]

    I'd start with "Cell Broadband Engine Architecture" and "Cell Broadband Engine Registers" to get you started.

  10. #10
    Senior Member CodeKiller's Avatar
    Join Date
    Nov 2009
    Posts
    130
    In the '..Architecture' there is an interesting section: 'SPE Context Save and Restore' which is available from HV level. But there is a lot of general "chit-chat" in this manual about that this is implementation dependent and also there is a lot of 'this should' or 'that should not be accessed'.

© 2014 PlayStation 3 News