196w ago - Today modrobert has released PS3 Glitch Finder v1.0, which is a VHDL design for Spartan-3 (eg. xc3s400) FPGAs with the purpose of easily creating a custom pulse which can be used to glitch various hardware like the PS3 memory bus.
From the ReadMe file: The pulse LOW and HIGH multipliers have a resolution of 255 (X"FF") and can be set independently.
• Cycle exact pulse generator process tested with logic analyzer
• Digital Clock Manager (DCM) primitive @ 200MHz (5ns) with lock handling
• Continuous pulse or one-shot mode selectable via switch
• Debounce handling for push buttons to prevent erratic behavior
• Set the LOW and HIGH pulse length multipliers via buttons
• 7-seg LED display support showing HIGH and LOW pulse multipliers
• Open source release under GPL v2
The target device is a Spartan-3 fitted on an FPGA board (eg. Spartan-3 Starter Kit, Basys, Nexys, or similar). You need 5 push buttons (3 is ok also), a four digit "seven-segment" LED display, a dip switch, two regular LEDs, an external crystal/clock at 25MHz or 50Mhz, and a free I/O port.
Notes: This design is probably overkill for the purpose intended, but I had fun creating it, so one thing led to another. After the pulses are sent the output port drives "Z" (instead if HIGH), thought that might be a good idea to keep the PS3 linux kernel from crashing.
I've only tested PS3 Glitch Finder with a logic analyzer, not a scope yet, so the tri-state function has not been properly tested. By driving the pulse low and switch to "Z" I did notice that there can sometimes be roughly 300ns delay before high impedance occur, so to prevent the pulse generator from sending an invalid long low pulse I made sure the output is high before driving "Z".
If you want to start out in the footsteps of geohot, switch to one-shot mode and then set the low pulse multiplier to 8 (8 x 5ns = 40ns) and the high can be 8 as well (don't think it matter much since only one pulse is sent).
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
From what I understand (at least according to the posts i've followed) people are trying to recreate loading metldr to decrypt .pkg's and .self's. I'm not completely solid on why but people are also trying to dump LV2 (possibly the two goals are related?). Ultimately the goal is to use the decrypted information to run unsigned code.
I understand the importance of finding out and understanding all of the system calls, but is the intention to use this information to find an additional (easier to achieve) exploit and then use that to run unsigned code? Or is the intention to use the current exploit? If I had to guess i'd think the intention would be to just run unsigned code, and keep a lookout if an easier exploit pops up along the way (after everything is properly dumped and mapped).
This is basically an alternative to trigger the PS3 glitch exploit that some (who haven't done it yet) may find easier, less expensive or just more convenient if they have the parts on hand.
The main issue with the previous attempts, athough they all do work, is timing... to trigger the glitch it takes a lot of patience and very accurate timing. This method aims to reduce the precision needed to generate the required pulse.