PS3 Hack Exploit SX28 Hardware Arrives, Bring on the Hypervisor!


233w ago - Today the SX28 hardware for the PS3 hack exploit arrived, so we can begin work on dumping the PlayStation 3 Hypervisor for examination!

Up to now, both GeoHot and xorloser have successfully performed the PS3 hack, while a few others have simply obtained GeoHot's PS3 Hypervisor dump to study privately.

Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and Hypervisor lv0 and lv1 dumps.

We started by writing an Ubuntu guide (as did titanmkd HERE) and attempted to use a 555 timer to produce the 40ns pulse required to trigger the exploit, but like many others who tried this, we had no such luck!

Luckily, xorloser shared some proper code to trigger a 40ns pulse using an SX28 chip. The chips are a bit harder to find and a little more expensive (as you also need a programmer), but the method is sound.

That brings us to today: our SX28 chips and programmer arrived, so we will be recreating the hardware and giving this a go soon!



Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

107 Comments

#107 - ekrboi - 233w ago
> Alas not that easy, the calls need to be reversed, and they need to be analyzed - namely, you don't want to run the call, then the unit bricks because it's trying to use different crypto keys.

Damn crypto.. I have not read the available docs on the Cell/PS3 security.. I suppose I need to.. but why would it matter? We wouldn't personally be messing with encrypted data? Just "using" the hypervisor, which as far as it.. or the PS3 is concerned is "allowed" to do it.. so it would pass through the appropriate channels..

But I do understand wanting to know what the call actually does before just trying it..

#106 - CJPC - 233w ago
> Cool.. obviously we can add our own calls for reading/writing memory using the exploit.. and you may already have done/tried it.. Can't you just push one of the set-flag calls into memory so that the hypervisor executes it? Or is it not that simple?

Alas, not that easy: the calls need to be reversed and analyzed - namely, you don't want to run the call and then have the unit brick because it's trying to use different crypto keys.

#105 - ekrboi - 233w ago
Cool.. obviously we can add our own calls for reading/writing memory using the exploit.. and you may already have done/tried it.. Can't you just push one of the set-flag calls into memory so that the hypervisor executes it? Or is it not that simple?

#104 - CJPC - 233w ago
> Ah hah! Now that's more like it! Good work! Can't wait to see some more!
>
> So I'm assuming what we are hoping to do here is find a way to use those set calls to set, say, recovery to 1 instead of 0 and hope that when it reboots the bootloader boots to recovery, vs. needing the "jig" to set that flag?
>
> Sorry.. further thought.. I would assume that's all the jig does.. supposedly when used the PS3 boots, picks up the jig.. then it reboots again.. so I would assume that's what the jig is doing.. hopefully using the same set call to set the recovery flag, then making it reboot, and the PS3 system takes over from there.

Pretty much, yeah. You boot the PS3, then hit reset and eject with the JIG attached. This sends a signal from the System Controller (where the flags are set) to the Southbridge to do some "magic" and read the USB device. If it all checks out, a flag gets set in the System Controller, and the PS3 is automatically powered off.

Upon the next power-up, it's in "manufacturing mode", which allows diagnostic tools (encrypted, of course) to be run.

#103 - ekrboi - 233w ago
> We are hoping to have something "user friendly" for the weekend, although there is still the whole hardware issue - it's still a pain to trigger the exploit, even with the SX28.
>
> Needless to say, this is a bit better, eh? Nice and proper!

Ah hah! Now that's more like it! Good work! Can't wait to see some more!

So I'm assuming what we are hoping to do here is find a way to use those set calls to set, say, recovery to 1 instead of 0 and hope that when it reboots the bootloader boots to recovery, vs. needing the "jig" to set that flag?

Sorry.. further thought.. I would assume that's all the jig does.. supposedly when used the PS3 boots, picks up the jig.. then it reboots again.. so I would assume that's what the jig is doing.. hopefully using the same set call to set the recovery flag, then making it reboot, and the PS3 system takes over from there.

Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News