PS3 Glitch Finder v1.0 VHDL Design for Spartan-3 FPGAs Arrives


242w ago - Today modrobert has released PS3 Glitch Finder v1.0, a VHDL design for Spartan-3 (e.g. xc3s400) FPGAs whose purpose is to make it easy to create a custom pulse that can be used to glitch various hardware, such as the PS3 memory bus.

Download: PS3 Glitch Finder v1.0 VHDL Design for Spartan-3 FPGAs

From the ReadMe file: The pulse LOW and HIGH multipliers have a resolution of 255 (X"FF") and can be set independently.

Features:

• Cycle exact pulse generator process tested with logic analyzer
• Digital Clock Manager (DCM) primitive @ 200MHz (5ns) with lock handling
• Continuous pulse or one-shot mode selectable via switch
• Debounce handling for push buttons to prevent erratic behavior
• Set the LOW and HIGH pulse length multipliers via buttons
• 7-seg LED display support showing HIGH and LOW pulse multipliers
• Open source release under GPL v2

Requirements:

The target device is a Spartan-3 fitted on an FPGA board (e.g. Spartan-3 Starter Kit, Basys, Nexys, or similar). You need 5 push buttons (3 is ok also), a four digit "seven-segment" LED display, a DIP switch, two regular LEDs, an external crystal/clock at 25MHz or 50MHz, and a free I/O port.

Notes: This design is probably overkill for the purpose intended, but I had fun creating it, so one thing led to another. After the pulses are sent the output port drives "Z" (instead of HIGH), thought that might be a good idea to keep the PS3 Linux kernel from crashing.

I've only tested PS3 Glitch Finder with a logic analyzer, not a scope yet, so the tri-state function has not been properly tested. By driving the pulse low and switching to "Z" I did notice that there can sometimes be a roughly 300ns delay before high impedance occurs, so to prevent the pulse generator from sending an invalid long low pulse I made sure the output is high before driving "Z".

If you want to start out in the footsteps of geohot, switch to one-shot mode and then set the low pulse multiplier to 8 (8 x 5ns = 40ns) and the high can be 8 as well (don't think it matters much since only one pulse is sent).


#14 - Denbo44 - 241w ago
Quote: Originally posted by Denbo44
This Glitch Finder is a little over the top, the demo board cost alone must be in the range of $1k USD. Geez. I think a 555 timer would do the same thing.

But the question is where does one tie the Glitch Finder to on the PS3 main (mother) board? Which device and what is the pin number?

I found the answer to my question, in xorloser's blog under PS3 Exploit: Hardware.

#13 - wickedpenguinbo - 242w ago
Hi,

Nice work on the design, nice board. Do you have a circuit diagram for this?

#12 - Denbo44 - 242w ago
This Glitch Finder is a little over the top, the demo board cost alone must be in the range of $1k USD. Geez. I think a 555 timer would do the same thing.

But the question is where does one tie the Glitch Finder to on the PS3 main (mother) board? Which device and what is the pin number?

#11 - SenorPickle - 242w ago
Quote: Originally posted by hunterrr
OK, I got a complete noob question for you guys.. What exactly are you guys trying to do with all this hardware stuff or trying to find? Is anything being tested with software or what? I don't understand anything that has been going on since George released the exploit.

From what I understand (at least according to the posts I've followed) people are trying to recreate loading metldr to decrypt .pkg's and .self's. I'm not completely solid on why but people are also trying to dump LV2 (possibly the two goals are related?). Ultimately the goal is to use the decrypted information to run unsigned code.

I understand the importance of finding out and understanding all of the system calls, but is the intention to use this information to find an additional (easier to achieve) exploit and then use that to run unsigned code? Or is the intention to use the current exploit? If I had to guess I'd think the intention would be to just run unsigned code, and keep a lookout if an easier exploit pops up along the way (after everything is properly dumped and mapped).

#10 - PS3 News - 242w ago
Quote: Originally posted by hunterrr
What exactly are you guys trying to do with all this hardware stuff or trying to find?

This is basically an alternative to trigger the PS3 glitch exploit that some (who haven't done it yet) may find easier, less expensive or just more convenient if they have the parts on hand.

The main issue with the previous attempts, although they all do work, is timing... to trigger the glitch it takes a lot of patience and very accurate timing. This method aims to reduce the precision needed to generate the required pulse.
