Today the SX28 hardware for the PS3 hack exploit arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!
Up to now, both GeoHot and xorloser have successfully performed the PS3 hack, while a few others simply obtained GeoHot's PS3 Hypervisor dump to study privately.
Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and the Hypervisor lv0 and lv1 dumps.
We started by writing a Ubuntu Guide (as did titanmkd) and attempted to use a 555 timer to obtain the 40ns pulse required to trigger the exploit, but like many others who attempted this we had no such luck!
Luckily xorloser shared proper code to trigger a 40ns pulse using an SX28 chip. They are a bit harder to find and a little more expensive (as you need a programmer), but the method is sound.
That brings us to today: our SX28 chips and programmer have arrived, so we will be recreating the hardware and giving this a go soon!
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
A snippet from a 2007 IBM doc (https://www-01.ibm.com/chips/techlib/techlib.nsf/techdocs/AEBFE7D58B5C36E90025737200624B33/$file/CBE_Secure_SDK_Guide_v3.0.pdf) that Mathieulh tweeted: "Some really informative documentation about the playstation3/cell loaders"
Section 4.2.4 describes the details of signing packages and verifying signatures. Now to get our hands on an SDK.
Root CA Key | (Public) Kpub[RootCA] | Verify the (Second-level) CA certificates | Root CA; Embedded in SPE Secure Loader
This states that the Root CA (Certification Authority) public key is stored in the SPE Secure Loader to verify the second-level CA certificates. On the other hand:
Root CA Key | (Private) Kpriv[RootCA] | Sign the (Second-level) CA certificates | Root CA, Platform Owner Root CA
The Root CA private key used for signing is held by the Root CA itself, not in the loader.
So from what I can gather, it may be impossible for us to obtain that private key to sign our own packages, but we may well be able to access the public key used to verify packages (such as firmware updates and PSN-downloaded content) and manipulate it so that packages pass as valid even with a dodgy signature.
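As an added illustration (not from the original post or the IBM document), here is the two-level chain the table describes, modelled in Go with Ed25519 standing in for whatever scheme the Cell SDK actually uses: the loader embeds only Kpub[RootCA], and a package is trusted only if its second-level CA certificate chains back to that key. The CACert layout, the function names and the sample package are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// CACert models a second-level CA certificate: the CA's public key plus the
// Root CA's signature over it. Hypothetical layout, not the Cell SDK format.
type CACert struct {
	CAPub   ed25519.PublicKey
	RootSig []byte
}

// IssueCACert is the offline Root CA step (holder of Kpriv[RootCA]).
func IssueCACert(rootPriv ed25519.PrivateKey, caPub ed25519.PublicKey) CACert {
	return CACert{CAPub: caPub, RootSig: ed25519.Sign(rootPriv, caPub)}
}

// VerifyPackage is the loader-side check. Only Kpub[RootCA] is embedded, so a
// package is accepted only if it chains back to that key via a valid CA cert.
func VerifyPackage(rootPub ed25519.PublicKey, cert CACert, pkg, pkgSig []byte) bool {
	if !ed25519.Verify(rootPub, cert.CAPub, cert.RootSig) {
		return false // CA cert not signed by the embedded root: untrusted
	}
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(cert.CAPub, digest[:], pkgSig)
}

// Demo returns (genuine accepted, tampered rejected, rogue-CA rejected).
func Demo() (bool, bool, bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCACert(rootPriv, caPub)
	pkg := []byte("constructed firmware package v3.15") // sample input
	digest := sha256.Sum256(pkg)
	sig := ed25519.Sign(caPriv, digest[:])
	tampered := append(append([]byte{}, pkg...), '!') // body altered after signing
	// A CA cert issued by some other key: the loader must not accept it.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := IssueCACert(otherPriv, caPub)
	return VerifyPackage(rootPub, cert, pkg, sig),
		!VerifyPackage(rootPub, cert, tampered, sig),
		!VerifyPackage(rootPub, rogue, pkg, sig)
}
```

The whole chain rests on the embedded root public key being the one thing the loader trusts unconditionally, which is why its integrity (where it is stored and whether that storage can be altered) is the security-critical property, not the algorithm itself.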
Some more tweets: "The 3.20 update for ps3 is soon to be released, although it is not yet tested, stay away from it until the exploit is known to work with it." "You can use a proxy to bypass the playstation network version checks (at least for now)"