206w ago - This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, has returned to Sony PS3 hacking after his initial announcement a few months back and has opened a PS3 hacks blog (linked above).
"I just pulled everything from the USB bus... http://pastie.org/757313 the Cell processor SPI bus, PS3 is going down :-)"
These are the latest posts on his new PS3 hacks blog:
The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.
Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.
A Real Challenge
The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.
I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Setting 0:0 to 0x0
SPE 1: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 1
SPE 3: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 3
SPE 5: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 5
SPE 7: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 7
Cell BE node ID 0
IOIF1 base mask F80
IOIF1 base addr 240000
IOIF0 base mask F80
IOIF0 base addr 280000
AC0 config 2
BIF/IOIF0 RXcfg 4
BIF/IOIF0 TXcfg 4
IOIF0 coherency 1
IOIF0 reorder 4
IOIF1 reorder 4
IOIF1 RXcfg 2
IOIF1 TXcfg 2
FlexIO PLL cfg 100
AC0 livelock 0
Node ID 0
AC1 config 0
AC0 config 1
AC0 cmd credits 2
AC1 livelock 0
SPE 6: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 6
SPE 4: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 4
SPE 2: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 2
SPE 0: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 0
MIC Bus Logic Bits
Address start 0
Address end FFFC
PRV BE_MMIO 20000509
MIC BE_MMIO 2000050A
Node ID 0
PowerPC Processor Unit Bits
SReset Vector 2401FC00000
PowerPC Processor Storage Subsystem Bits
L2 livelock 1
SPE disable: 10
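The register dump above is the raw SPI configuration capture GeoHot linked. The following parser is an added example, not his code and not from the page: it turns that dump format into structured data and runs the consistency checks a hardware-security engineer would want before trusting such a capture (per-SPE entries agreeing with each other and with the global node ID, and a register name being reported twice with different values, which "AC0 config" is in the dump). It assumes every value in the dump is hexadecimal and that "SPE disable" is a bitmask with bit n standing for SPE n; both are assumptions, not something the page states. The sample input is a constructed subset of the dump lines.

```python
"""Parser and consistency checker for the Cell SPI configuration dump format.

Added example; not GeoHot's code and not from the original page.
Assumptions: every value is hexadecimal, and "SPE disable" is a bitmask
in which bit n refers to SPE n.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the dump lines quoted on the page.
SAMPLE_DUMP = """\
Setting 0:0 to 0x0
SPE 1: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 1
SPE 3: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 3
Cell BE node ID 0
IOIF1 base mask F80
IOIF1 base addr 240000
IOIF0 base mask F80
IOIF0 base addr 280000
AC0 config 2
FlexIO PLL cfg 100
Node ID 0
AC0 config 1
SPE 0: MC_BASE 0 MC_COMP_EN 4000 IOIF1_COMP_EN 380 BE_MMIO_base 40000 Cell BE node ID 0 SPE ID 0
MIC Bus Logic Bits
Address start 0
Address end FFFC
PRV BE_MMIO 20000509
MIC BE_MMIO 2000050A
PowerPC Processor Unit Bits
SReset Vector 2401FC00000
SPE disable: 10
"""

SPE_LINE = re.compile(
    r"^SPE (\d+): MC_BASE ([0-9A-Fa-f]+) MC_COMP_EN ([0-9A-Fa-f]+) "
    r"IOIF1_COMP_EN ([0-9A-Fa-f]+) BE_MMIO_base ([0-9A-Fa-f]+) "
    r"Cell BE node ID ([0-9A-Fa-f]+) SPE ID ([0-9A-Fa-f]+)$"
)
SECTION_LINE = re.compile(r"^(.+) Bits$")
# "name value" or "name: value" with a hexadecimal value; the non-greedy key
# stops at the last space before a token that is purely hex.
KV_LINE = re.compile(r"^(.+?):? ([0-9A-Fa-f]+)$")


@dataclass
class SpiDump:
    spes: dict = field(default_factory=dict)       # SPE index -> register dict
    registers: list = field(default_factory=list)  # (section, name, value) in dump order
    unparsed: list = field(default_factory=list)   # lines no rule matched

    def get(self, name: str):
        """First value recorded under `name`, or None if absent."""
        for _, n, v in self.registers:
            if n == name:
                return v
        return None


def parse_spi_dump(text: str) -> SpiDump:
    """Parse the dump into per-SPE entries and (section, name, value) registers."""
    dump = SpiDump()
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SPE_LINE.match(line)
        if m:
            dump.spes[int(m.group(1))] = {
                "MC_BASE": int(m.group(2), 16),
                "MC_COMP_EN": int(m.group(3), 16),
                "IOIF1_COMP_EN": int(m.group(4), 16),
                "BE_MMIO_base": int(m.group(5), 16),
                "node_id": int(m.group(6), 16),
                "SPE_ID": int(m.group(7), 16),
            }
            continue
        m = SECTION_LINE.match(line)
        if m:
            section = m.group(1)   # e.g. "MIC Bus Logic"
            continue
        m = KV_LINE.match(line)
        if m:
            dump.registers.append((section, m.group(1), int(m.group(2), 16)))
            continue
        dump.unparsed.append(line)  # e.g. "Setting 0:0 to 0x0"
    return dump


def check_consistency(dump: SpiDump) -> list:
    """Flag SPE entries that disagree with each other or with the global node ID,
    and register names that appear more than once with different values."""
    issues = []
    node = dump.get("Cell BE node ID")
    for idx, regs in sorted(dump.spes.items()):
        if regs["SPE_ID"] != idx:
            issues.append(f"SPE {idx}: SPE ID field is {regs['SPE_ID']}")
        if node is not None and regs["node_id"] != node:
            issues.append(f"SPE {idx}: node ID {regs['node_id']} != global {node}")
    for name in ("MC_BASE", "MC_COMP_EN", "IOIF1_COMP_EN", "BE_MMIO_base"):
        values = {regs[name] for regs in dump.spes.values()}
        if len(values) > 1:
            issues.append(f"{name} differs across SPEs: {sorted(values)}")
    seen = {}
    for _, name, value in dump.registers:
        if name in seen and seen[name] != value:
            issues.append(f"{name} reported twice with different values: "
                          f"{seen[name]:#x} vs {value:#x}")
        seen.setdefault(name, value)
    return issues


def disabled_spes(dump: SpiDump) -> list:
    """Decode "SPE disable" as a bitmask (assumption: bit n <-> SPE n)."""
    mask = dump.get("SPE disable") or 0
    return [n for n in range(8) if (mask >> n) & 1]


if __name__ == "__main__":
    d = parse_spi_dump(SAMPLE_DUMP)
    print("SPEs seen:", sorted(d.spes))
    print("SPE disable mask decodes to:", disabled_spes(d))
    for issue in check_consistency(d):
        print("anomaly:", issue)
```

Running it on the sample reports the "AC0 config" register appearing with two different values and decodes the disable mask 0x10 to SPE 4; the `unparsed` list keeps any line the rules did not recognise so that nothing in a capture is silently dropped.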
I did give suggestions. I told him that his approach is the wrong one (mostly one of the worst possible approaches you could take in hacking the device). I did so ages ago as well (when he first announced that he was starting work on the PS3), and I wasn't the only one to do so. Yet he chose to ignore it and persist on his path; that's his choice, but it doesn't make it any less pointless and ineffective.
I am sorry to bring this up, but GeoHot right now makes me feel as if he is trying things without understanding what he is actually doing, especially without reading the prior documentation before his attempts. You want to know what the PlayStation 3 security is all about? Don't ask me; read the publicly available IBM docs, then start investigating (though documenting is already part of it to begin with).
Thank you for clearing that up for me. I understand what you said about how people would think of it that way. I don't see him as trying to shut him down at all. I view it as more of a "duct tape doesn't fix dead people" approach. I think he's just trying to guide Geo past what has been prodded before, so that more time is devoted elsewhere instead (possibly where it matters a lot more).
However, I do believe that this "teaming up", if you can even call it that, is good, because you now have someone (plural where appropriate) who has studied the workings of the system, and someone who wants to poke and mess with it. This gives a much more "successful" approach, if you will, because now the devs can be sort of like the "eyes" and Geo will be the "hands."
I hope I'm making sense and not sounding too much a fool. Anyways I will be checking this page regularly for more progress between the two of them. Thank you for the update again.
I hope that he achieves something, because he has great potential with his skills. I know he can do it, he has my full support, and I will be the first to donate, but he must also come out with an untethered jailbreak for the iPod touch 3G.