Graf Chokolo Announces PS3 Hypervisor Exploit & GameOS Dump

126w ago - Update: Estx has now released both a P3KG (Linux) and P3KGWN (Windows) PS3 Dongle ID Key Generator for those interested, winocm has started a PlayStation 3 Dongle Key Generator GIT (compiled binaries with source HERE), and Waninkoko has also shared a PS3 USB Dongle Key Generator JavaScript Version.

Today Graf_Chokolo announced that he has successfully exploited the PS3 hypervisor 3.15 through GameOS and dumped it, and plans to do the same for version 3.41 along with sharing more details soon.

Here is what he had to say on the matter, to quote: "I have just exploited and dumped HV 3.15 from GameOS

I used memory glitching like Geohot to get dangling HTAB entry but 2nd and 3rd stages are quite different. I used my knowledge about HV internals and created a simpler exploit for stage2 and stage3.

I didn’t use second VAS like Geohot. I used lv1_undocumented_function_114 and lv1_undocumented_function_115 to exploit HV after i got a dangling HTAB entry

Now we don't need Linux to exploit and dump HV. Furthermore, HV dump from GameOS is a lot better because when GameOS is running more features are activated in HV So, i can reverse now more C++ objects and understand better how HV works

I will make everything public very soon and i plan to dump HV 3.41 in the next days

Finally i will get access to SYSCON, EPROM, ENCDEC device and more

And now i dumped the real USB Dongle Master Key guys Noone needs it now but here it is. I tested it with HMAC SHA1 and dongle key 0xAAAA and got the same dongle key that was reversed by KaKaRoTo

Just as i said previously, use USB Dongle Authenticator, then dump HV and the decrypted USB Dongle Master Key will be in HV dump I extracted this key from my HV dump after i used USB Dongle Authenticator on GameOS. Then i rebooted GameOS but not HV and the key was still in HV and still decrypted

static u8 master_key[20] = { 46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2 };

You still need to do memory glitching like it did Geohot. I used sx28 devboard for this. But software exploit is totally different. I used my HV knowledge and exploited HV quite differently, i didn't use a second VAS like Geohot did.

I did my exploit from exploited GameOS. I used a FAT PS3 but it doesn't matter anymore, you could use a Slim PS3 even. Once exploited, the HV remains exploited as long as PS3 is not powered off, that means you can reboot GameOS as much as you want, HV still remains exploited And you have full read/write access to all RAM and peripheral devices from GameOS except isolated SPUs That means full access to SYSCON, ENCDEC device (which is responsible e.g. for HDD encryption/decryption) and other very interesting stuff

That means, with an exploited GameOS every HV can be dumped and reversed. If GameOS >= 3.42 could be exploited then we could dump the new HV again and reverse SELF decryption again and decrypt new games

And i will dump HV 3.41 soon And look for pure software exploits in it.

I just patched Dispatcher Manager and enabled access to all HV services Dumped SYSCON EPROM

Decrypted USB Dongle Master Key with Virtual TRM Manager and guess what, it's the same i posted yesterday

HV 3.41 exploited and dumped Hehe, found HV call table already Good

Damn $ONY They removed LPM HV calls from HV 3.41 "

We are still yet to know if any hardware is required, I have already asked him this, but i think it is not!