Page 9 of 11
Results 81 to 90 of 108



  1. #81
    Banned User r3pek's Avatar
    Join Date
    Feb 2007
    Posts
    54
    Quote Originally Posted by PS3 News View Post
    Probably not likely, as reversing the HV dumps is extremely tedious and time-consuming so if anything good comes out of it chances are it will be a ways off... but the more people working on it, the better of course!

    As I mentioned in another thread, one of the areas CJPC is seeking to examine from the dump is the boot flag data, as he is interested in being able to convert his Service Mode PS3 to a Debug one, or better yet Retail PS3 consoles to Debug units optimistically.
    Why don't they export the hypercall to userland? Last time I checked it was easily done on x86 at least. Don't know if it's any different on PPC...

  2. #82
    Contributor ernvil's Avatar
    Join Date
    Oct 2008
    Posts
    57
    Hopefully this will lead us to the next step.

    Can't wait!

  3. #83
    Senior Member gtxboyracer's Avatar
    Join Date
    Jun 2008
    Posts
    284
    A snippet from a 2007 IBM doc (https://www-01.ibm.com/chips/techlib/techlib.nsf/techdocs/AEBFE7D58B5C36E90025737200624B33/$file/CBE_Secure_SDK_Guide_v3.0.pdf) that Mathieulh tweeted.. "Some really informative documentation about the playstation3/cell loaders"

    Under section 4.2.4 it's describing details about signing packages/verifying signatures.. now to get hands on an SDK


    [Register or Login to view code]

    Stating that the CA (Certification Authority) is stored in the SPE Secure Loader (public key) to verify CA certificates. On the other hand:

    [Register or Login to view code]

    The Root CA private key for signing packages is embedded in the Root CA

    So from what I can gather - it may be impossible for us to get that key to sign our own packages, but we definitely might be able to access the public key used to verify packages (such as firmware updates/PSN downloaded content etc) and manipulate it to allow packages to pass as valid even with a dodgy signature.

    Some more tweets: "The 3.20 update for ps3 is soon to be released, although it is not yet tested, stay away from it until the exploit is known to work with it." "You can use a proxy to bypass the playstation network version checks (at least for now)"
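The two-level arrangement gtxboyracer's post describes (a Root CA private key that never leaves the CA, and only its public key embedded in the SPE Secure Loader to verify certificates and, through them, packages) can be modelled in a few dozen lines of Go using Ed25519. This is an added example written for this page, not code from the IBM guide or from anyone in the thread; the Certificate and SignedPackage layouts are invented for illustration and say nothing about the real PS3 package format. It shows why a party without the root private key cannot produce a package the loader accepts, and, read the other way, why the embedded public key is the one value whose integrity the entire check rests on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds a package-signing public key to a root CA signature over
// it. The layout is invented for this example, not the SDK's format.
type Certificate struct {
	SignerPub ed25519.PublicKey
	RootSig   []byte
}

// SignedPackage is a payload plus what a verifier needs: the signature and
// the certificate of the key that made it.
type SignedPackage struct {
	Payload []byte
	Sig     []byte
	Cert    Certificate
}

// RootCA holds the private key. As the post notes, this key stays with the
// CA; nothing on the device ever sees it.
type RootCA struct{ priv ed25519.PrivateKey }

func NewRootCA() (*RootCA, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RootCA{priv: priv}, nil
}

// PublicKey is the only part of the root that gets embedded in the loader.
func (ca *RootCA) PublicKey() ed25519.PublicKey {
	return ca.priv.Public().(ed25519.PublicKey)
}

// IssueCertificate vouches for a package-signing key by signing it.
func (ca *RootCA) IssueCertificate(signerPub ed25519.PublicKey) Certificate {
	return Certificate{SignerPub: signerPub, RootSig: ed25519.Sign(ca.priv, signerPub)}
}

// PackageSigner is the key that actually signs packages; it carries the
// certificate the root issued for it.
type PackageSigner struct {
	priv ed25519.PrivateKey
	cert Certificate
}

func NewPackageSigner(ca *RootCA) (*PackageSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PackageSigner{priv: priv, cert: ca.IssueCertificate(pub)}, nil
}

func (s *PackageSigner) Sign(payload []byte) SignedPackage {
	return SignedPackage{Payload: payload, Sig: ed25519.Sign(s.priv, payload), Cert: s.cert}
}

// SecureLoader embeds only the root public key. Everything it accepts must
// chain back to that key, so the check is exactly as trustworthy as the
// stored copy of the key.
type SecureLoader struct{ RootPub ed25519.PublicKey }

var (
	ErrBadCert = errors.New("certificate not issued by the embedded root")
	ErrBadSig  = errors.New("package signature does not verify")
)

// Verify checks the certificate against the root key first, then the
// payload against the certified key. Order matters: a signature means
// nothing until the key that made it has been tied to the root.
func (l *SecureLoader) Verify(p SignedPackage) error {
	if len(p.Cert.SignerPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(l.RootPub, p.Cert.SignerPub, p.Cert.RootSig) {
		return ErrBadCert
	}
	if !ed25519.Verify(p.Cert.SignerPub, p.Payload, p.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	ca, _ := NewRootCA()
	signer, _ := NewPackageSigner(ca)
	loader := &SecureLoader{RootPub: ca.PublicKey()}

	pkg := signer.Sign([]byte("constructed firmware payload"))
	fmt.Println("genuine package:", loader.Verify(pkg))

	pkg.Payload[0] ^= 0xff // flip bits in the payload after signing
	fmt.Println("tampered payload:", loader.Verify(pkg))
}
```

The loader never holds a private key, so a dump of the loader cannot yield signing ability; what it does hold is RootPub, and a verifier can only be as strong as the protection around that embedded value.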

  4. #84
    Contributor crazydude's Avatar
    Join Date
    Jun 2005
    Posts
    2

    Those SX chips seem a little slow at 4 MHz... will it be able to make quick enough pulses? That's 250 ns per clock tick.

    Xilinx sells some nice Spartan 3E boards for less than $200 that have a 25 MHz clock on the board, so 40 ns is exactly 1 tick from that clock. And they have free synthesis tools on their website.

    I guess I better take this godforsaken ps3 apart...

  5. #85
    Toucan Sam CJPC's Avatar
    Join Date
    Apr 2005
    Posts
    2,174
    Quote Originally Posted by ekrboi View Post
    I'm more of a reader than a poster.. but I had been wondering if this was a one time deal or if it had to be redone every time it reboots.. I assumed by the way it works it had to be redone every time... which I'm sure sucks! Good luck though! I can't wait to see the dumps.. doubt I will find anything with my current limited knowledge but I do know how to work IDA and I'm sure I'll waste a few nights staring at stuff I don't understand for the heck of it =P
    It has to be re-done each time the PS3 reboots - it can be quite the pain!

    However, progress was made tonight. After the dumping code was changed from my horrible, horrible way to that of one of our DEV's, things started working (after a bit of debuggery) much, much better!

    Basically, the "real" memory gets mapped to a nice file, in which data can be read out, which makes things very convenient - assuming you run over the amount of real memory, crashing the PS3...

    We are hoping to have something "user friendly" for the weekend, although there is still the whole hardware issue - it's still a pain to trigger the exploit, even with the SX28.

    Needless to say, this is a bit better eh, nice and proper!

    7570 6461 7465 5F6D 616E 6167 6572 3A3A
    696E 6974 5F64 6576 6963 655F 7479 7065
    2829 2072 6561 6420 6570 726F 6D20 6661
    696C 7572 6528 2564 290A 6661 6C6C 2062
    6163 6B20 746F 2075 7369 6E67 2073 6166
    6520 7061 7261 6D65 7465 720A 0000 0000
    7570 6461 7465 5F6D 616E 6167 6572 3A3A
    696E 6974 5F73 735F 7061 7261 6D73 5F72
    6570 6F73 6974 6F72 6965 7328 2920 6673
    656C 665F 636F 6E74 726F 6C20 3D20 3078
    2578 0A00 0000 0000 7365 745F 6673 656C
    665F 636F 6E74 726F 6C5F 7265 706F 7369
    746F 7279 2829 2066 6169 6C75 7265 0A00
    7570 6461 7465 5F6D 616E 6167 6572 3A3A
    696E 6974 5F73 735F 7061 7261 6D73 5F72
    6570 6F73 6974 6F72 6965 7328 290A 0000
    7365 745F 6673 656C 665F 636F 6E74 726F
    6C5F 666C 6167 2829 2066 6169 6C75 7265
    203D 2025 640A 0000 7365 745F 7265 636F
    7665 725F 6D6F 6465 5F66 6C61 6728 2920
    6661 696C 7572 6520 3D20 2564 0A00 0000
    7365 745F 6465 6275 675F 7375 7070 6F72
    745F 666C 6167 2829 2066 6169 6C75 7265
    203D 2025 640A 0000 7570 6461 7465 5F6D
    616E 6167 6572 3A3A 7365 745F 7570 6461
    7465 5F73 7461 7475 735F 7265 706F 7369
    746F 7279 2829 206D 6F64 6966 7920 7265
    706F 7369 746F 7279 2066 6169 6C75 7265
    For the lazy (note the nice debug/fself/recover stuff):

    update_manager::init_device_type() read eprom failure(%d)
    fall back to using safe parameter
    update_manager::init_ss_params_repositories() fself_control = 0x%x
    set_fself_control_repository() failure
    update_manager::init_ss_params_repositories()
    set_fself_control_flag() failure = %d
    set_recover_mode_flag() failure = %d
    set_debug_support_flag() failure = %d
    update_manager::set_update_status_repository() modify repository failure
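The hex dump in this post decodes to printable format strings separated by NUL padding and newline terminators. The following Go program, added here as an example and not part of CJPC's dumping tools, does that decoding mechanically: it embeds the dump above as its sample input, converts it to bytes, and pulls out every run of printable ASCII of at least four characters, the way strings(1) would. The 448-byte length and the nine recovered strings are checked against the hand decoding given in the post.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// hexDump is the 448-byte dump from the post above, embedded as sample
// input so the program runs offline.
const hexDump = `
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F64 6576 6963 655F 7479 7065
2829 2072 6561 6420 6570 726F 6D20 6661
696C 7572 6528 2564 290A 6661 6C6C 2062
6163 6B20 746F 2075 7369 6E67 2073 6166
6520 7061 7261 6D65 7465 720A 0000 0000
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F73 735F 7061 7261 6D73 5F72
6570 6F73 6974 6F72 6965 7328 2920 6673
656C 665F 636F 6E74 726F 6C20 3D20 3078
2578 0A00 0000 0000 7365 745F 6673 656C
665F 636F 6E74 726F 6C5F 7265 706F 7369
746F 7279 2829 2066 6169 6C75 7265 0A00
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F73 735F 7061 7261 6D73 5F72
6570 6F73 6974 6F72 6965 7328 290A 0000
7365 745F 6673 656C 665F 636F 6E74 726F
6C5F 666C 6167 2829 2066 6169 6C75 7265
203D 2025 640A 0000 7365 745F 7265 636F
7665 725F 6D6F 6465 5F66 6C61 6728 2920
6661 696C 7572 6520 3D20 2564 0A00 0000
7365 745F 6465 6275 675F 7375 7070 6F72
745F 666C 6167 2829 2066 6169 6C75 7265
203D 2025 640A 0000 7570 6461 7465 5F6D
616E 6167 6572 3A3A 7365 745F 7570 6461
7465 5F73 7461 7475 735F 7265 706F 7369
746F 7279 2829 206D 6F64 6966 7920 7265
706F 7369 746F 7279 2066 6169 6C75 7265
`

// parseHexDump strips all whitespace from a "XXXX XXXX ..." style dump and
// decodes it to raw bytes. Odd-length or non-hex input comes back as an error.
func parseHexDump(dump string) ([]byte, error) {
	return hex.DecodeString(strings.Join(strings.Fields(dump), ""))
}

// extractStrings returns every run of printable ASCII (0x20..0x7E) at least
// minLen bytes long. NUL padding and the embedded '\n' terminators both end
// a run, which is why each format string comes out on its own line.
func extractStrings(buf []byte, minLen int) []string {
	var out []string
	start := -1 // index where the current printable run began, or -1
	for i, b := range buf {
		printable := b >= 0x20 && b <= 0x7e
		switch {
		case printable && start < 0:
			start = i
		case !printable && start >= 0:
			if i-start >= minLen {
				out = append(out, string(buf[start:i]))
			}
			start = -1
		}
	}
	// The dump ends inside a string with no terminator, so flush the tail.
	if start >= 0 && len(buf)-start >= minLen {
		out = append(out, string(buf[start:]))
	}
	return out
}

func main() {
	buf, err := parseHexDump(hexDump)
	if err != nil {
		fmt.Println("bad dump:", err)
		return
	}
	fmt.Printf("%d bytes decoded\n", len(buf))
	for _, s := range extractStrings(buf, 4) {
		fmt.Println(s)
	}
}
```

The minimum length filter is what keeps one- or two-byte runs of data that happen to be printable from cluttering the output on a larger dump; four is the same default strings(1) uses.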

  6. #86
    Contributor zangetsu1's Avatar
    Join Date
    Aug 2009
    Posts
    42

    Nice to see you've made some progress..

  7. #87
    Senior Member gtxboyracer's Avatar
    Join Date
    Jun 2008
    Posts
    284
    Congrats on that progress.. looks interesting.. tell me, are you able to change any of those commands coming through... maybe one that, any time the debug flag comes through, switches it on, automated of course..

  8. #88
    Contributor Hortlo's Avatar
    Join Date
    Jan 2010
    Posts
    18
    Please correct me if I'm wrong, but this hack also allows one to write to the HV?

    I presume it should be a matter of mapping certain flags and just marking them as true etc to go from retail to debug etc?

  9. #89
    Contributor moneymaker's Avatar
    Join Date
    Dec 2009
    Posts
    120
    Quote Originally Posted by Hortlo View Post
    Please correct me if I'm wrong, but this hack also allows one to write to the HV?

    I presume it should be a matter of mapping certain flags and just marking them as true etc to go from retail to debug etc?
    For the question retail/debug... forget it.. the keys embedded into the SPE, which is inside the CPU itself, are different between the two versions... no way to mess with them, no chance to make a retail unit a debug one.

    For all other occurrences, maybe there is a chance to open the system so some skillful team of coders could make an alternate OS capable of running alternate (privately coded) games; that's not so exciting as a landscape....

    For sure it could also lead to something more, but it's all to be brought to light ...

  10. #90
    Member AKmania's Avatar
    Join Date
    Jun 2009
    Posts
    59
    you guys are really awesome man, we are one step closer now. great job dev team!

 

© 2014 PlayStation 3 News