I've been developing on Cell since my Japanese PS3 arrived here in Europe and have gained some knowledge of PPU/SPU data transfer. Well, there is a very useful function called spu_mfcdma32!
The parameters are pretty easy:
spu_mfcdma32((void *)(&ctx), (unsigned int)parm, sizeof(context), tag_id, MFC_GET_CMD);
ctx: pointer to an address in Local Store (256 KB limit!!)
parm: pointer to an address in Main Store (256 MB limit :P)
sizeof(context): I think this is the tricky and most important part for generating an exploit. YOU decide how many bytes will be transferred from MS to LS. So if you transfer more than ~256 KB (because there is no limit check), you should get a buffer overrun, put data/code from your MS into the SPU's registers and maybe change the return address :??
To get familiar with this topic, you should read the "Cell B.E. Programming Tutorial 2.0". Take a look at SPE registers on page 61 and page 86 for the MFC commands.
Well, this is just my idea of how it COULD work.
Good night and good luck
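For readers who want to see what a DMA-size check looks like in practice, here is an added example of my own; it is not code from the post above and does not use the SPU intrinsics, so it compiles and runs on any host. It models the argument validation a careful SPU program (or a code reviewer) applies before issuing an MFC DMA command. The limits it encodes are those the public Cell BE documentation gives for the MFC: at most 16 KB per command, sizes of 1, 2, 4, 8 or a multiple of 16 bytes, matching low address bits between LSA and EA, tag ids 0..31, and a 256 KB local store. The names `check_dma`, `count_chunks`, the `dma_check` enum and the `#define` constants are mine, not the SDK's.

```c
#include <stdint.h>
#include <stddef.h>

/* MFC limits as documented for the Cell BE (constants named by me, not the SDK). */
#define LS_SIZE      (256u * 1024u)   /* local store is 256 KB                       */
#define DMA_MAX_SIZE 16384u           /* one MFC DMA command moves at most 16 KB     */
#define DMA_MAX_TAG  31u              /* tag ids are 0..31                           */

enum dma_check {
    DMA_OK = 0,
    DMA_ERR_SIZE_ZERO,
    DMA_ERR_SIZE_TOO_LARGE,
    DMA_ERR_SIZE_NOT_ALLOWED,
    DMA_ERR_MISALIGNED,
    DMA_ERR_LS_OVERFLOW,
    DMA_ERR_BAD_TAG
};

/* Validate one DMA request before it reaches the MFC channel.
 * lsa  - local store address (32-bit, must stay inside LS_SIZE)
 * ea   - main storage effective address
 * size - transfer size in bytes
 * tag  - tag group id */
enum dma_check check_dma(uint32_t lsa, uint64_t ea, uint32_t size, uint32_t tag)
{
    if (tag > DMA_MAX_TAG)          return DMA_ERR_BAD_TAG;
    if (size == 0)                  return DMA_ERR_SIZE_ZERO;
    if (size > DMA_MAX_SIZE)        return DMA_ERR_SIZE_TOO_LARGE;

    if (size < 16) {
        /* small transfers: only 1/2/4/8 bytes, naturally aligned on both sides */
        if (size != 1 && size != 2 && size != 4 && size != 8)
            return DMA_ERR_SIZE_NOT_ALLOWED;
        if ((lsa % size) != 0 || (ea % size) != 0)
            return DMA_ERR_MISALIGNED;
    } else {
        /* large transfers: multiple of 16 bytes, 16-byte aligned on both sides */
        if (size % 16 != 0)
            return DMA_ERR_SIZE_NOT_ALLOWED;
        if ((lsa & 0xF) != 0 || (ea & 0xF) != 0)
            return DMA_ERR_MISALIGNED;
    }
    /* the LSA plus size must never run past the end of the local store */
    if (lsa >= LS_SIZE || (uint64_t)lsa + size > LS_SIZE)
        return DMA_ERR_LS_OVERFLOW;

    return DMA_OK;
}

/* A buffer larger than 16 KB has to be moved as several commands (or a DMA
 * list). Count how many 16 KB-or-smaller chunks a transfer needs, validating
 * each one with check_dma(); returns -1 if any chunk would be rejected. */
int count_chunks(uint32_t lsa, uint64_t ea, uint32_t total, uint32_t tag)
{
    int n = 0;
    if (total == 0) return -1;
    if (lsa >= LS_SIZE || (uint64_t)lsa + total > LS_SIZE) return -1;
    while (total > 0) {
        uint32_t sz = total > DMA_MAX_SIZE ? DMA_MAX_SIZE : total;
        if (check_dma(lsa, ea, sz, tag) != DMA_OK) return -1;
        n++;
        lsa += sz;
        ea += sz;
        total -= sz;
    }
    return n;
}

int main(void)
{
    /* constructed sample: 40000 bytes from a 16-byte-aligned EA into LS at 0x1000 */
    return count_chunks(0x1000, 0x20000000ull, 40000, 5) == 3 ? 0 : 1;
}
```

The two interesting paths are the last check in `check_dma` and the wrapper in `count_chunks`: a request whose LSA plus size crosses the 256 KB boundary is rejected before any channel write, and a buffer above 16 KB is split into valid pieces instead of being handed to the MFC as one oversized command.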