- Hi guys, I used an Atmega8 running at 16Mhz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.
I was quite surprised, It actually worked fairly straight away! I only had one pulse going everytime I pressed the button at first but not a lot was happening.
So I did what xorloser
did, and modded it so it pulsed every 100ms while the switch is pressed.
After about 30-40 seconds... I got a hit with the exploit code posted here
. Then I used the dumper (posted here
) to dump the 10mb bin.
Just having a look through the dump, lots of strings in there.. I haven't dropped it into IDA
This is the source and hex
(for those who dont want to compile it) for the Atmega8 which I glitched my PS3 with. The Chip I used was the Atmega8-16pu
. You will also need a 16mhz Crystal, and 2 x 22pf Capacitors.
Grounding pin 14 on the chip will produce a pulse on Pins 2 of the chip (infact it does all of PORTD) This should then go to the memory bus point on the ps3. See Circuit diagram (below).
I used ponyprog
to program my chip, with CKOPT ticked in the fuse settings, everything else was unticked.