I have been digging through the patches for the Linux kernel and on the PS3 Cell source CD. I notice they refer to patching things related to the hypervisor. If the hypervisor is accessible from the kboot prompt, can we run code there to try things? If the system can flash the kboot area, can that program be modified to read/write the XMB area?
Some info that looked interesting:
"[POWERPC] Avoid hypervisor statistics calculation in real mode
kexec invokes plpar_hcall hypervisor call in real mode. plpar_hcall refers to per cpu variables for accounting hypervisor statistics. These variables may not be in the RMO region, so accesses to them in real mode may result in a data storage exception.
This fixes this problem by using a new plpar_hcall_raw function which does not update the hypervisor call statistics. Thanks to Anton for suggesting this idea."
"Subject: spufs: wrap mfc sdr access
From: Masato Noguchi <Masato.Noguchi@jp.sony.com>
SPRN_SDR1 and the SPE's MFC SDR are hypervisor resources and are not accessible from a logical partition. This change adds an access wrapper."
Just posting things that might trigger thoughts with somebody else.
Does anybody have Git installed to look at kernel sources? I am curious about the following section: http://www.kernel.org/pub/scm/linux/kernel/git/ericvh/rhype.git/description
Unfortunately, I am having a difficult time with the programming aspects of trying exploits.... If it is not VB or VC#, I have trouble understanding it all.
Do we have any programmers on here that would be willing to help out on any ideas that we can come up with to try?