GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!

256w ago - As a follow-up to his sample PS3 Linux isolated SPU loader code, GeoHot has now released his coveted PS3 hack: a Linux kernel module plus a hardware glitch that lets OtherOS users exploit the hypervisor on non-Slim (original) PlayStation 3 consoles.

In short, the exploit patches the PS3's hypervisor (lv1) to add two new hypervisor calls, lv1_peek and lv1_poke, which read and write any real (physical) memory address from OtherOS.

To quote: "In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the [link]. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

[link] is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up [link]

I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu.

Good luck!"

Usage Instructions:

Compile and run the kernel module.

When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" prompt comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times; I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked; it's your job to figure out something useful to do with it.

How it works:

geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
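The sequence in the chat log above, reduced to a small C model. This is an added illustration, not geohot's code and not the real lv1 hypervisor: the page table, the ownership table, the one-word "pages" and the one-shot glitch that swallows a single invalidation write are stand-ins chosen for the model, and `hv_deallocate_checked` is a read-back defence added for contrast, not something the page says lv1 does. What it shows is why one lost writeback is enough: the guest fills the table with identical read/write entries, so whichever invalidation the glitch eats leaves an entry that still maps a page the hypervisor has freed and may reuse.

```c
/* Model of the dangling page-table entry described in the chat log.
 * Added illustration only: not geohot's code and not the real lv1 hypervisor.
 * The page table ("htab"), the ownership table and the one-shot "glitch" that
 * eats a single invalidation write are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 16   /* real memory pages in the model */
#define NHTAB  64   /* page-table entries the guest may fill */

enum owner { FREE = 0, GUEST, HV };

struct hte { int valid; int rw; unsigned rpn; };   /* one page-table entry */

struct machine {
    enum owner owner[NPAGES];   /* who the hypervisor thinks owns each real page */
    struct hte htab[NHTAB];     /* the page table, managed by the hypervisor */
    uint64_t   mem[NPAGES];     /* one word of content per real page */
    int        glitch_at;       /* index of the invalidation write that is lost, or -1 */
};

static void reset(struct machine *m, int glitch_at) {
    memset(m, 0, sizeof *m);
    m->glitch_at = glitch_at;
}

/* HV: hand the first free real page to `who` and return its real page number
 * (the "real address" that map_htab/write_htab let the guest learn). */
static int hv_take(struct machine *m, enum owner who) {
    for (unsigned p = 0; p < NPAGES; p++)
        if (m->owner[p] == FREE) { m->owner[p] = who; return (int)p; }
    return -1;
}

/* HV: write_htab as exposed to the guest. The only check is ownership, so the
 * guest may point as many entries as it likes, read/write, at a page it owns. */
static int hv_write_htab(struct machine *m, unsigned idx, unsigned rpn, int rw) {
    if (idx >= NHTAB || rpn >= NPAGES || m->owner[rpn] != GUEST) return -1;
    m->htab[idx] = (struct hte){ 1, rw, rpn };
    return 0;
}

/* One invalidation write. Returns 1 if it reached memory, 0 if the one-shot
 * glitch ate it (the cache writeback that "misses the memory"). */
static int invalidate_write(struct machine *m, unsigned i) {
    if ((int)i == m->glitch_at) { m->glitch_at = -1; return 0; }
    m->htab[i].valid = 0;
    return 1;
}

/* HV: deallocate a guest page, trusting that every invalidation write landed. */
static void hv_deallocate(struct machine *m, unsigned rpn) {
    for (unsigned i = 0; i < NHTAB; i++)
        if (m->htab[i].valid && m->htab[i].rpn == rpn)
            invalidate_write(m, i);
    m->owner[rpn] = FREE;
}

/* Hardened variant (added for contrast, not what the page says lv1 does):
 * read each entry back after writing it and retry until it really is invalid. */
static void hv_deallocate_checked(struct machine *m, unsigned rpn) {
    for (unsigned i = 0; i < NHTAB; i++)
        while (m->htab[i].valid && m->htab[i].rpn == rpn)
            invalidate_write(m, i);
    m->owner[rpn] = FREE;
}

/* Guest: a store through page-table entry idx. 0 on success, -1 on a fault. */
static int guest_write(struct machine *m, unsigned idx, uint64_t val) {
    if (idx >= NHTAB || !m->htab[idx].valid || !m->htab[idx].rw) return -1;
    m->mem[m->htab[idx].rpn] = val;
    return 0;
}

/* The sequence from the chat log. Returns 1 if, after the deallocation, the
 * guest can still write into a page the hypervisor now believes is its own. */
int demo(int glitch_at, int checked) {
    struct machine m;
    reset(&m, glitch_at);
    int rpn = hv_take(&m, GUEST);                        /* "i allocate a piece of memory" */
    if (rpn < 0) return 0;
    for (unsigned i = 0; i < NHTAB; i++)                 /* "fill the htab with tons of entries" */
        hv_write_htab(&m, i, (unsigned)rpn, 1);          /* all r/w, all pointing at that page */
    if (checked) hv_deallocate_checked(&m, (unsigned)rpn);
    else         hv_deallocate(&m, (unsigned)rpn);       /* "then, i deallocate the memory" */
    int hv_page = hv_take(&m, HV);                       /* HV reuses the freed page for itself */
    if (hv_page < 0) return 0;
    m.mem[hv_page] = 0x1111;                             /* hypervisor-owned content */
    int landed = 0;
    for (unsigned i = 0; i < NHTAB; i++)                 /* try every entry the guest wrote */
        if (guest_write(&m, i, 0xdead) == 0) landed = 1;
    return landed && m.mem[hv_page] == 0xdead;
}

int main(void) {
    printf("no glitch:            guest controls HV page = %d\n", demo(-1, 0));
    printf("glitch on write 7:    guest controls HV page = %d\n", demo(7, 0));
    printf("glitch, checked free: guest controls HV page = %d\n", demo(7, 1));
    return 0;
}
```

`demo(7, 0)` reports that the guest still writes into the reclaimed page, while the no-glitch and read-back cases report 0. The real attack then needs the surviving entry to cover a page the hypervisor hands to a page table (the "virtual segment" steps in the chat); the model stops at the dangling mapping itself.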

On the Isolated SPUs

Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

I wonder if any systems out there are actually secure?


Comments (289)
#249 - PS3 News - 254w ago
Quote Originally Posted by waleed View Post
Why don't we raise money and get the best solution and save time and effort? I am sure there are many volunteers who can donate a dollar to see the PS3 hacked.

Well, mainly because the SX28 route isn't that pricey for a "one-time use", so CJPC ordered the parts as a back-up in case a cheaper working design takes longer to surface.

The parts should arrive sometime next week, so if all goes well he should be able to dump the HV that way and move forward.

#248 - sika - 254w ago
Sounds like a good idea; I've got 5 on it for anybody who knows what they are doing.

#247 - waleed - 254w ago
Quote Originally Posted by PS3 News View Post
If no reliable alternative is found, the next cheapest way would be via SX28 but please use that thread for discussion of that method, parts needed, etc.

Why don't we raise money and get the best solution and save time and effort? I am sure there are many volunteers who can donate a dollar to see the PS3 hacked.

#246 - TUHTA - 254w ago
So do you mean Mdiv's one is that? I mean... does it work? But we need to use it like you are saying? I mean this one...

And so actually I need just to use it like you are saying?

#245 - conee - 254w ago
Quote Originally Posted by Mdiv View Post
A pull-up resistor is a good idea. But as long as you trigger the 555 timer beforehand and don't remove the power supply, it will remain at the last state it was in?

Digital and analogue annoy me just as much as each other, so I have no preference. I think if you can't test the circuit you are making it can get really frustrating. There is something about making an analogue circuit and having it work; pride, I think.

The problem with the floating node is that when "open", you don't know what the voltage is tending towards, because it's neither grounded nor connected to anything. You know it's the reference voltage when the 555 is connected to Vcc, but once you disengage the pushbutton and the circuit is open, for all you know the trigger pin is still somewhere between 0 and 5V. Most of the time it's OK and it will tend towards ground, but sometimes, depending on your schematic's complexity, it will float towards Vcc, and this gets bad especially because the 555 triggers at 1/3 Vcc. With the trigger voltage fluctuating, you get retriggers when you may not want them, or just bad behaviour in general.

Quote Originally Posted by yellowsnow View Post
CONEE, you seem to know what you're talking about. Do you think a 555 in astable mode would make a 40ns pulse? I'm trying to make this circuit right now but I have no clue if it will work.

It should; however, you'll run into a few problems. If you use Mdiv's schematic, the pushbutton is reversed, i.e. you keep the button held down while powering the circuit, and let go when you want the pulse to be sent. If you use mine with an inverter, it may completely corrupt the memory bus while powered, and the exploit probably won't work at all. On top of these two issues, the 555 specification says that the trigger pulse MUST BE shorter than the output pulse. I haven't dealt with a 555 in a while, but if the spec sheet is correct, you're going to have a hard time creating a

© 2015 PlayStation 3 News