GeoHot Resumes Sony PS3 Hacking, Opens PS3 Hacks Blog

251w ago - This weekend GeoHot, the hacker behind several Apple iPhone hacks, returned to Sony PS3 hacking after his initial announcement a few months back and opened a PS3 hacks blog.

He recently posted:

"I just pulled everything from the USB bus... the Cell processor SPI bus, PS3 is going down :-)"

These are the latest posts on his new PS3 hacks blog:

Cell SPI

The Cell processor has an SPI port which is used to configure the chip on startup. Well documented. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the Cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.

Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.
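To make the "change the HTAB" step concrete, here is an added example (not code from GeoHot's blog or from any PS3 project): a model of a 64-bit Book3S hashed page table entry using the field layout Linux defines for this MMU (arch/powerpc mmu-hash.h), the PP-bit access rules from the PowerPC ISA, a helper that performs the retargeting the post describes, and an assumed, simplified stand-in for the check a hypervisor would apply to an entry a guest asks to install. The guest region bounds and the validation routine are assumptions for illustration, not lv1's real logic.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a 64-bit Book3S hashed page table entry: two doublewords,
 * the same masks Linux uses on Cell (arch/powerpc/include/asm/mmu-hash64.h). */
#define HPTE_V_VALID      0x0000000000000001ULL
#define HPTE_V_AVPN       0x3fffffffffffff80ULL
#define HPTE_V_AVPN_SHIFT 7
#define HPTE_R_RPN        0x0ffffffffffff000ULL
#define HPTE_R_RPN_SHIFT  12
#define HPTE_R_PP         0x0000000000000003ULL
#define HPTE_R_N          0x0000000000000004ULL   /* no-execute */

struct hpte { uint64_t v, r; };

enum access { ACC_NONE = 0, ACC_RO = 1, ACC_RW = 2 };

/* Access granted by the 2-bit PP field for a given key (Ks/Kp from the SLB):
 * PP=00: key0 RW / key1 none; 01: RW / RO; 10: RW / RW; 11: RO / RO. */
static enum access pp_access(unsigned pp, unsigned key) {
    static const enum access table[4][2] = {
        { ACC_RW, ACC_NONE }, { ACC_RW, ACC_RO }, { ACC_RW, ACC_RW }, { ACC_RO, ACC_RO }
    };
    return table[pp & 3][key & 1];
}

/* Build a valid 4K-page entry; avpn is the raw abbreviated-VPN field value. */
static struct hpte hpte_make(uint64_t avpn, uint64_t rpn, unsigned pp) {
    struct hpte e;
    e.v = ((avpn << HPTE_V_AVPN_SHIFT) & HPTE_V_AVPN) | HPTE_V_VALID;
    e.r = ((rpn << HPTE_R_RPN_SHIFT) & HPTE_R_RPN) | (pp & HPTE_R_PP);
    return e;
}
static uint64_t hpte_rpn(const struct hpte *e) { return (e->r & HPTE_R_RPN) >> HPTE_R_RPN_SHIFT; }
static unsigned hpte_pp(const struct hpte *e)  { return (unsigned)(e->r & HPTE_R_PP); }

/* ASSUMED model of the check a hypervisor applies when a guest asks it to
 * install an entry: the target page must be inside the guest's own region.
 * Single 4K page only; this is not lv1's real validation code. */
static int hv_validate(const struct hpte *e, uint64_t guest_rpn_base, uint64_t guest_pages) {
    uint64_t rpn = hpte_rpn(e);
    return rpn >= guest_rpn_base && rpn < guest_rpn_base + guest_pages;
}

/* The edit the post describes: point an existing entry at another physical
 * page and set PP=10 so both keys (supervisor and problem state) get RW. */
static struct hpte hpte_retarget(struct hpte e, uint64_t new_rpn) {
    e.r = (e.r & ~HPTE_R_RPN) | ((new_rpn << HPTE_R_RPN_SHIFT) & HPTE_R_RPN);
    e.r = (e.r & ~HPTE_R_PP) | 2;
    return e;
}

int main(void) {
    /* Assumed guest region: RPNs 0x10000..0x1ffff. Page 0x100 stands in for
     * hypervisor-owned memory outside it. Neither is the PS3's real map. */
    const uint64_t base = 0x10000, pages = 0x10000;
    struct hpte e   = hpte_make(0x1234, 0x10000, 0);
    struct hpte bad = hpte_retarget(e, 0x100);

    printf("guest entry  : rpn=%#llx pp=%u hv_ok=%d user_access=%d\n",
           (unsigned long long)hpte_rpn(&e), hpte_pp(&e),
           hv_validate(&e, base, pages), pp_access(hpte_pp(&e), 1));
    printf("retargeted   : rpn=%#llx pp=%u hv_ok=%d user_access=%d\n",
           (unsigned long long)hpte_rpn(&bad), hpte_pp(&bad),
           hv_validate(&bad, base, pages), pp_access(hpte_pp(&bad), 1));
    return 0;
}
```

The point the two printed lines make: the retargeted entry is exactly what a guest would need, but a hypervisor that validates guest requests rejects it, so the entry has to land in the HTAB without passing through that path. That is the role the SPU memory-region overlap plays in the post's idea.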

A Real Challenge

The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.

I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

#122 - Raze1988 - 248w ago
What exactly does one gain from such dumps?

#121 - PS3 News - 248w ago
Here is the next GeoHot update:
Messing with the Configuration Ring

Tried changing different values in the configuration ring. No good results.

The start vector doesn't matter, I can corrupt it and the system still boots fine. So somehow it's bypassing it, and is probably running the first stage loader in ROM. Therefore it's never on the bus. :-(

Changing almost anything else puts the system in Wait State, bit 20 of POR Status is high, and POR never completes. I was hoping to cleverly move some MMIO around to be able to access something I shouldn't, and strap up to an HTAB write. But change just about anything and the system doesn't boot. And the just about doesn't make me think I'm missing something obvious like a checksum. :-(

The SPI stuff is all documented here (https://www-01.ibm.com/chips/techlib/techlib.nsf/techdocs/AF7832F379790768872572D10047E52B/$file/CellBE_HIG_65nm_v1.01_8Jun2007.pdf). Maybe someone has an idea about what to try. The only SPI MMIO accesses that work are the FlexIO ones, otherwise everything seems to match this document.

Here (below) is a dump of the raw config data and its parsing.

Looks like I might have to take this up a notch, like glitching the RAM bus to enter a corrupt HTAB entry or something. Although for all I know they read back. Logic analyzer on the RAM XDR bus? That's gotta be a decrypted hypervisor. Or glitching the address pins? I hate these stupid fast buses, reasonable buses make cell phones nice.


George Hotz said...
I have the alignment right, I have a little parser and changer.

SPE3 is disabled on mine, but you can't re-enable it because it's hardware disabled as well (the bit is ignored in config, figured out by reading partial_good). You can disable the others though; SPE2 is the one it needs to run the isolated code on.

George Hotz said...
Hehe, I wish I had something that could sniff the XDR... gotta be clever with a cheap FPGA if I want to do it... but for now back to football.

Mathieulh said...
I did give suggestions; I told him that his approach is the wrong one (mostly one of the worst possible approaches you could take in hacking the device). I did so ages ago as well (when he first announced he would start working on the PS3), and I wasn't the only one to do so. Yet he chose to ignore that and persist on his path; that's his choice, it doesn't make it any less pointless and ineffective though.

I am sorry to bring this up, but geohot right now makes me feel as if he is trying things without understanding what he actually is doing, especially without reading prior documentation before his attempts. You want to know what the PlayStation 3 security is all about? Don't ask me; read the publicly available IBM docs, then start investigating (though documenting is already a part of it to begin with).

Here you go, a little help from Mr IBM for you.
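The "Messing with the Configuration Ring" post above ends on the suspicion that the ring carries a checksum, since almost any change stops POR from completing. The usual next step with an unknown blob is to test whether any common checksum over a prefix of the data equals a field stored right after it. The scanner below is an added example, not code from GeoHot's parser or from any participant in this thread; the blob it runs on is constructed here (32 bytes of made-up data with a big-endian CRC-32 appended), not a Cell configuration ring dump, and the algorithm list is the one a first pass would try, not a claim about what the ring actually uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Candidate checksums over p[0..n). Each result is zero-extended to 32 bits. */
static uint32_t cs_sum8(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s & 0xff;
}
static uint32_t cs_xor8(const uint8_t *p, size_t n) {
    uint32_t x = 0;
    for (size_t i = 0; i < n; i++) x ^= p[i];
    return x;
}
static uint32_t cs_sum16be(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) s += (uint32_t)p[n - 1] << 8;   /* odd trailing byte, zero padded */
    return s & 0xffff;
}
/* Standard reflected CRC-32 (IEEE 802.3): init 0xffffffff, poly 0xedb88320, final invert. */
static uint32_t cs_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1)));
    }
    return ~c;
}

typedef uint32_t (*cs_fn)(const uint8_t *, size_t);
struct algo { const char *name; cs_fn fn; unsigned width; };   /* width = field size in bytes */
static const struct algo algos[] = {
    { "sum8", cs_sum8, 1 }, { "xor8", cs_xor8, 1 }, { "sum16be", cs_sum16be, 2 }, { "crc32", cs_crc32, 4 },
};
#define NALGOS (sizeof algos / sizeof algos[0])

struct match { const char *algo; size_t offset; unsigned width; };

static uint32_t read_be(const uint8_t *p, unsigned w) {
    uint32_t v = 0;
    for (unsigned i = 0; i < w; i++) v = (v << 8) | p[i];
    return v;
}

/* For every (algorithm, field offset) pair, check whether the checksum of the
 * bytes before the field equals the big-endian field value. Fills `out` with up
 * to `max` hits and returns the total number of hits (may exceed `max`). */
static int scan_checksums(const uint8_t *blob, size_t len, struct match *out, int max) {
    int found = 0;
    for (size_t a = 0; a < NALGOS; a++) {
        unsigned w = algos[a].width;
        for (size_t off = 1; off + w <= len; off++) {   /* off = 0 would cover nothing */
            if (algos[a].fn(blob, off) == read_be(blob + off, w)) {
                if (found < max) out[found] = (struct match){ algos[a].name, off, w };
                found++;
            }
        }
    }
    return found;
}

static int has_match(const struct match *m, int n, const char *algo, size_t off) {
    for (int i = 0; i < n; i++)
        if (strcmp(m[i].algo, algo) == 0 && m[i].offset == off) return 1;
    return 0;
}

/* Constructed sample: 32 bytes of invented data followed by a big-endian CRC-32
 * over them. This is NOT a Cell configuration ring dump. */
#define SAMPLE_LEN 36
static size_t build_sample(uint8_t *buf) {
    for (int i = 0; i < 32; i++) buf[i] = (uint8_t)(0x5a ^ (i * 37));
    uint32_t crc = cs_crc32(buf, 32);
    buf[32] = (uint8_t)(crc >> 24); buf[33] = (uint8_t)(crc >> 16);
    buf[34] = (uint8_t)(crc >> 8);  buf[35] = (uint8_t)crc;
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t blob[SAMPLE_LEN];
    struct match hits[64];
    size_t len = build_sample(blob);
    int n = scan_checksums(blob, len, hits, 64);
    for (int i = 0; i < n && i < 64; i++)
        printf("%-8s field at offset %zu (%u bytes) covers [0,%zu)\n",
               hits[i].algo, hits[i].offset, hits[i].width, hits[i].offset);
    return 0;
}
```

Expect the occasional spurious 8-bit hit on random-looking data (a one-byte field matches by chance about once in 256 positions); a 4-byte CRC hit at a fixed offset is the signal worth chasing. Real config data may also use a non-standard CRC init or polynomial, or a checksum that excludes a header, so a scan that covers only prefixes is a first filter, not proof that no checksum exists.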

#120 - xUb3rn00dlEx - 248w ago
Thank you for clearing that up for me. I understand what you said about how people would think of it that way. I don't see him as trying to shut him down at all. I view it as more of a "Duct tape doesn't fix dead people" approach. I think he's just trying to guide geo past what has been prodded before, so that more time is devoted elsewhere instead (possibly where it matters a lot more).

However, I do believe that this "teaming up" if you can barely call it that is good, because you now have someone (plural where appropriate) who has studied the workings of the system, and someone who wants to poke and mess with it. This gives a much more "successful" approach if you will, because now the devs can be sort of like the "eyes" and geo will be the "hands."

I hope I'm making sense and not sounding too much a fool. Anyways I will be checking this page regularly for more progress between the two of them. Thank you for the update again.

#119 - SCE - 248w ago
New comments on the topic from Geohot:

George Hotz said...
Nice comments, except for the BlackBerry hack one. Yeah, all Blu-ray hacks are off the table, couldn't care less about people playing "backup" games. Didn't know libisolation existed, in fact, none of the Cell datasheets seem to mention it. Nice find. I'm working on 2.80 right now, but if I find anything right now it'll be at the lowest hardware level. Definitely be nice to have a Cell Blade, but at $10,000ish that's out of my price range for this. And your magnetic scanning/manipulation device would be amazing, I have another project where I'd pay tons for access to that machine.

As far as legal issues go, we all have to root for the jailbreaking DMCA exception.

George Hotz said...
Cool, SPU2 is the isolated one

George Hotz said...
Nah, iPhone security is a joke compared to this. Just a basic boot chain with easy to dump ROMs. It's also very helpful that Apple rolled out the security in stages, giving us all time to learn. There's nothing new in the ipt3, they just switched to NAND flash, and the NAND boot path doesn't have the exploit.

If I had dumps of everything on the PS3, this would be so much easier.

SPE has to be internally locked down, there's probably a dma_copy_lock_and_start function which is just "calls" to hardware.

Anony said...

IBM have published some info on how the security works (and some high level detail on libisolation):

This may be of use to you, but if additional docs are included in the CDA version of the security SDK I'd say its information would probably contain more useful stuff. This document is a good primer nonetheless.

#118 - chipsy - 249w ago
I hope that he achieves something, because he has great potential with his skills. I know he can do it, he has my full support, I will be the first to donate, but he must also come out with an untethered jailbreak for iPod touch 3G.

