PS3 Hack Exploit SX28 Hardware Arrives, Bring on the Hypervisor!


233w ago - Today the PS3 hack exploit SX28 hardware arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!

Up to now, both GeoHot and xorloser have successfully performed the PS3 hack while a few others simply obtained GeoHot's PS3 Hypervisor dump to study privately.

Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and Hypervisor lv0 and lv1 dumps.

We started by writing an Ubuntu Guide (as did titanmkd HERE) and attempted to use a 555 timer to obtain the 40ns pulse required to trigger the exploit, but like many others who attempted this, we had no luck!

Luckily xorloser shared some proper code to trigger a 40ns pulse using an SX28 chip. SX28 chips are a bit harder to find, and a little more expensive (as you need a programmer), but the method is sound.

That brings us to today, and our SX28 chips and programmer arrived - so we will be recreating the hardware, and giving this a go soon!



#82 - gtxboyracer - 233w ago
A snippet from a 2007 IBM doc (https://www-01.ibm.com/chips/techlib/techlib.nsf/techdocs/AEBFE7D58B5C36E90025737200624B33/$file/CBE_Secure_SDK_Guide_v3.0.pdf) that Mathieulh tweeted: "Some really informative documentation about the playstation3/cell loaders"

Under section 4.2.4, it's describing details about signing packages/verifying signatures... now to get hands on an SDK



Stating that the CA (Certification Authority) is stored in the SPE Secure Loader (public key) to verify CA certificates. On the other hand:



The Root CA private key for signing packages is embedded in the Root CA

So from what I can gather, it may be impossible for us to get that key to sign our own packages, but we definitely might be able to access the Public key used to verify packages (such as Firmware updates/PSN downloaded content etc) and manipulate to allow packages to pass as valid even with a dodgy signature.

Some more tweets: "The 3.20 update for ps3 is soon to be released, although it is not yet tested, stay away from it until the exploit is known to work with it." "You can use a proxy to bypass the playstation network version checks (at least for now)"

#81 - ernvil - 233w ago
Hopefully this will lead us to the next step.

Can't wait!

#80 - r3pek - 233w ago
Probably not likely, as reversing the HV dumps is extremely tedious and time-consuming so if anything good comes out of it chances are it will be a ways off... but the more people working on it, the better of course!

As I mentioned in another thread, one of the areas CJPC is seeking to examine from the dump is the boot flag data, as he is interested in being able to convert his Service Mode PS3 to a Debug one, or better yet Retail PS3 consoles to Debug units optimistically.
Why don't they export the hypercall to userland? Last time I checked it was easily done on x86 at least. Don't know if it's any different on ppc...

#79 - Hemanleo - 233w ago
Good luck. Hope we can have something going in the near future!

#78 - Tender Phantom - 233w ago
This is great, hopefully someone will find something to enable some sweetass homebrew

I was also wondering after you have all snooped around a little and hopefully learnt some new things, would it make it any easier to craft say for example malformed tiff images or saved games etc?

© 2014 PlayStation 3 News