207w ago - This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, has returned to Sony PS3 hacking after his initial announcement a few months back and has opened a PS3 hacks blog (linked above).
"I just pulled everything from the USB bus... http://pastie.org/757313 the Cell processor SPI bus, PS3 is going down :-)"
These are the latest posts on his new PS3 hacks blog:
The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.
Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.
A Real Challenge
The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.
I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
"cool, the PS3 reset vector isn't locked down to ROM, it's 0x2401FC00000 in the system controller, $10,000 logic analyzer anyone? bunnie?"
New update on his blog...
"The MMIO over SPI stuff doesn't appear to work, probably an efuse to disable it since the System Controller(or the bridge as I was calling it) doesn't need to use any of them.
A quick memory map:
IOIF0 = GPU = 0x28000000000(4 bytes wide)
IOIF1 = SC = 0x24000000000(2 bytes wide)
MMIO in cell = 0x20000500000
CELL ROM = 0x100(from datasheet, not seen in PS3)
XDR RAM = 0x0ish-0x10000000
On power up, the system controller downloads the configuration ring over SPI and calibrates the IOIF1 interface using the FlexIO registers. Then, according to the config ring, the reset vector is 0x2401FC00000, an address in the mapped System Controller memory. So the LV0 is sent(I can't imagine encrypted) over the FlexIO between the SC and the CELL.
So, how about this attack? Find some way to keep something resident somewhere in the memory space across powerups(does XDR go away? liquid nitrogen?). Move the reset vector there and write a little program to dump 0x2401FC00000 and somehow leak it to the outside world. Or sniff the FlexIO bus, any ideas?
I already know more about the Cell processor then I ever wanted to. "
For anyone who doesnt read Geohotz's PS3 Blog comments:
I would have put a write only protect bit in there... config only once after reset.
Did you get a trace of the registers written through the SPI and decode it yet? Sure would be interesting if all it takes is to flip a few bits in the stream on the fly... a mod chip would be trivial just using a CPLD if so.
George Hotz said...
Yep, I have a full dump and that would make a mod chip super simple. The only possibly exploitable thing is the configuration ring, and I've looked over that a bunch of times, don't see anything that quickly leads to unsigned. And the config ring is only once after reset.
But theres a whole set of MMIO you can R/W too, which is why I built this injection rig. Just watched two episodes of Jersey Shore, we'll know in like an hour if the MMIO is locked down or not.
MMIO over SPI doesn't appear to work
I have control over the BIC(Bus Interface Controller) through the FlexIO interface though. Now I just have to figure out what these things are.