Just over a month ago the PS3 lv2 (GameOS) kernel was dumped, and GeoHot hinted that it was accomplished by commanding an SPU to load METLDR.
Today dondolo let us know that simone has detailed how to load METLDR in SPU isolation mode on the PlayStation 3 and included some source code.
While this is definitely a step forward, he still doesn't specify what the read/write u32 functions are, or which functions need to be added to the recent XorHack release.
Those interested can check it out below, and to quote:
"After some experiments I succeeded in loading METLDR in SPU isolation.
You need geohot's exploit to do this, because you need to turn SPU relocation off (MFC_SR1[R]=0) and not let the HV know you are using an SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work the HV way."
Think of it like this: you're searching for a treasure but you don't have a map, so you don't know where to begin your search. If you get the map, you know the location of the treasure; no one knows for sure whether you'll find it or not, but at least you know where it is. This level 2 dump is like a map for the PS3 OS: a lot of hidden info will be available to devs after they get it, and maybe they get lucky and find holes in the system that will lead to software hacks.
About the modchip: we have geohot's method, and it's already doing a modchip's job.
Well, as we all know, LV2 = our glorious kernel. With the kernel, it can be reversed and holes can be looked for - possibly leading the way to load unsigned code straight from the XMB without any hardware (on any model of PS3, slim included).
Of course, it may only be usermode code (or, perhaps kernel mode), but it would still be a very nice step in the right direction!
Interesting - if I got this right, spu_isolation_ldr_kmod.c assumes that METLDR is located at absolute address 0x11000 (high 0x00000000, low 0x00011000) - at least that's what it passes into channels 3 and 4. When I look at that offset in the leaked HV dump, I see nothing particularly interesting.
Did I miss something or is this address just an offset on top of an (unknown) base address?