This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, returned to Sony PS3 hacking, following up on his initial announcement a few months back, and has opened a PS3 hacks blog (linked above).
"I just pulled everything from the USB bus... http://pastie.org/757313 the Cell processor SPI bus, PS3 is going down :-)"
These are the latest posts on his new PS3 hacks blog:
The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.
Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.
A Real Challenge
The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.
I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)
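The "change the HTAB" idea in the quoted post comes down to the permission bits of one hashed page table entry. The following is an added illustration, written for this page and not code from GeoHot's blog or from any PS3 firmware: it decodes the page-protection (PP) field of a 64-bit PowerPC HPTE using the Book III field layout (the same masks the Linux hash-MMU code uses), locates the entry that maps a given real page in a small constructed HTAB, and shows how rewriting two bits turns a read-only mapping into a read/write one. The real addresses, the two-entry table and the "hypervisor page" are assumptions for the demonstration; nothing here is a PS3-specific memory layout or an exploit step.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added illustration (editor's example, not GeoHot's code or PS3 firmware):
 * how the PP bits of a 64-bit PowerPC hashed page table entry (HPTE) decide
 * whether a page is readable or writable.  Field masks follow the PowerPC
 * Architecture Book III layout; the HTAB contents and addresses below are
 * constructed for the demo, not taken from a PS3. */

#define HPTE_V_VALID  0x0000000000000001ULL  /* dword 0: entry is valid       */
#define HPTE_R_RPN    0x0ffffffffffff000ULL  /* dword 1: real page number      */
#define HPTE_R_PP     0x0000000000000003ULL  /* dword 1: page protection pp1:2 */

typedef struct { uint64_t v; uint64_t r; } hpte_t;
typedef enum { ACC_NONE = 0, ACC_RO = 1, ACC_RW = 2 } access_t;

/* Book III protection table for the 2-bit PP field.  'key' is the Ks or Kp
 * bit of the SLB entry in effect, selected by the processor's privilege
 * state; less privileged code normally runs with key=1, where PP=0 means no
 * access and PP=1 read-only.  With key=0 only PP=3 withholds writes. */
access_t hpte_access(const hpte_t *pte, int key)
{
    if (!(pte->v & HPTE_V_VALID))
        return ACC_NONE;
    switch (pte->r & HPTE_R_PP) {
    case 0:  return key ? ACC_NONE : ACC_RW;
    case 1:  return key ? ACC_RO   : ACC_RW;
    case 2:  return ACC_RW;
    default: return ACC_RO;               /* PP=3: read-only for every key */
    }
}

/* Access granted by a valid entry carrying the given PP bits. */
access_t pp_access(unsigned pp, int key)
{
    hpte_t pte = { HPTE_V_VALID, pp & HPTE_R_PP };
    return hpte_access(&pte, key);
}

/* Index of the first valid entry whose real page covers real_addr, or -1. */
int hpte_find_by_real(const hpte_t *htab, size_t n, uint64_t real_addr)
{
    uint64_t page = real_addr & HPTE_R_RPN;
    for (size_t i = 0; i < n; i++)
        if ((htab[i].v & HPTE_V_VALID) && (htab[i].r & HPTE_R_RPN) == page)
            return (int)i;
    return -1;
}

/* Overwrite only the PP bits of an entry; returns the new access for key=1. */
access_t hpte_set_pp(hpte_t *pte, unsigned pp)
{
    pte->r = (pte->r & ~HPTE_R_PP) | (pp & HPTE_R_PP);
    return hpte_access(pte, 1);
}

/* Constructed scenario (addresses are assumptions): entry 0 maps a page of a
 * hypervisor-owned region read-only, entry 1 maps the page holding the HTAB
 * itself read-only.  Anything with raw write access to the HTAB's real pages
 * (the SPU-memory-overlap idea in the post) can flip entry 0 from PP=3 to
 * PP=2, after which key=1 code reads and writes that hypervisor page with no
 * hypercall involved. */
#define HV_PAGE   0x0000000000800000ULL
#define HTAB_PAGE 0x0000000000400000ULL

int demo(void)
{
    hpte_t htab[2] = {
        { HPTE_V_VALID, HV_PAGE   | 3 },   /* read-only for both keys */
        { HPTE_V_VALID, HTAB_PAGE | 3 },
    };
    int idx = hpte_find_by_real(htab, 2, HV_PAGE + 0x10);
    if (idx < 0)
        return 0;
    access_t before = hpte_access(&htab[idx], 1);
    access_t after  = hpte_set_pp(&htab[idx], 2);
    printf("hypervisor page: access before=%d after=%d\n", before, after);
    return before == ACC_RO && after == ACC_RW;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The decoder only models the two-bit PP field and the key bit; a real Cell PPE also honours the valid bit, the no-execute bit and, above all, the fact that the HTAB lives in hypervisor-owned memory that the guest is only meant to touch through hypercalls, which is exactly why the post looks for a second path (SPU memory or the SPI bus) to its pages.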
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
I can see how people would think this, but when you devote countless hours like he has to learning the PS3's inner workings, most of what he says, even if not tested by himself, is done with merit.
In layman's terms, Mathieulh is "keeping it real" so that the overanxious people don't place a false sense of hope in something that is potentially leading to another dead end. It's nice to keep the faith (we all are for GeoHot!) but he is just trying to save GeoHot a little time along the way without obviously revealing too much... which I'm sure GeoHot appreciates as he will probably be resuming classes like CJPC in the next few weeks.
That said, below is a condensed summary of GeoHot's and Mathieulh's dialogue thus far from his blog and Twitter updates:
So, that is where it stands... as he posts more updates feel free to add them here as usual!
The Devs have invested more time delving into Sony's resources and learning how everything works to better familiarize themselves with the system... GeoHot is taking a more "hands-on" approach, which is GREAT as he has the hardware and skills, but the general consensus with the Devs is they don't spend their time (or money) on things that prove improbable through research.
That being said, there is always the chance GeoHot will find something useful through his more direct methods, and if he does every one of the Devs will give him a BIG "congratulations" so it's good he goes against the "norm" way of thinking!
GeoHot hasn't been in touch directly at all in recent months, however, currently Mathieulh is offering him a little guidance through his blog comments. I will spend time extracting and posting it here a little later tonight so that it's viewable in a single, organized post.
Just a question to the devs out there. Geo seems to have a lot of theoretical approaches to this (beautiful imho since I'm planning on going into theoretical physics) but I'm just wondering have any of the devs already developed the same ideas as he is coming up with and have they attempted to exploit them already? (I'm thinking yeah, and gotten nowhere.) I know the information is private, but a simple yes or no will do, or if unavailable, classified
(I just want to figure out whether or not this could possibly be a waste [ meaning that it's already been explored ] of time and different/ new approaches should be mapped. Also, any news on the increase/decrease of cooperation between the dev team and geo?)
Generally speaking - hope he gets somewhere, but alas he won't.
I mean, the buses on the system are well - very fast. Furthermore, from the ground up the system was designed to be secure, they are not going to allow say "0 vs 1" to be sent across the config bus to just magically hack the box.
Do I wish it's that easy? Of course! Will it be - sadly no!