PS3 Hack Exploit SX28 Hardware Arrives, Bring on the Hypervisor!

245w ago - Today the PS3 hack exploit SX28 hardware arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!

Up to now, both GeoHot and xorloser have successfully performed the PS3 hack while a few others simply obtained GeoHot's PS3 Hypervisor dump to study privately.

Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and the Hypervisor lv0 and lv1 dumps.

We started by writing an Ubuntu Guide (as did titanmkd HERE) and attempted to use a 555 timer to obtain the 40ns pulse required to trigger the exploit, but like many others who tried this, we had no such luck!

Luckily, xorloser shared proper code to trigger a 40ns pulse using an SX28 chip. SX28 chips are a bit harder to find and a little more expensive (since you also need a programmer), but the method is sound.

That brings us to today: our SX28 chips and programmer have arrived, so we will be recreating the hardware and giving this a go soon!



Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

107 Comments

#67 - mushy409 - 245w ago
I bet he has blisters like walnuts on his fingers!

Good job guys, the PS3 is going to be THE console to own this year. The bank has been broken, now for the safe

#66 - CJPC - 245w ago
Yeah, the biggest problem is really the fact that the exploit itself is, well, a glitch. I mean, the hardware works perfectly; I can get it to start to exploit the box within 20 seconds of trying, every time.

The problem is, 90/100 times the exploit crashes / locks up the PS3 / errors, resulting in the need to reboot and restart.

Once the exploit is planted, then we start running our own kernel module to dump out the real memory. The way we're doing it is, well, unreliable and prone to massive corruption (not to mention slow).

(it looks better in a Hex Editor!)

But, with dumping memory to a file you run into other issues. You can't just use file I/O in a kernel module any more, and you can't access lv1_peek from user mode either, so you need to make some additional code to handle it, which is what we're working on now - although I'm open to any suggestions to get it done faster; it's such a pain after your kernel module crashes, having to reboot and re-exploit the PS3!

#65 - PS3 News - 245w ago
Quote Originally Posted by veggav:
You are the most patient guy on earth, boss. It's the third time I see this kind of question this week.

Actually, CJPC gets my vote for that... this PS3 exploit is SUPER annoying to get the timing just right so that it triggers but doesn't crash the PS3 (which means restarting each time).

Even bushing from the Wii hacking scene agrees, to quote:
I used an FPGA (Spartan3E starter kit) to do this — but for some reason, I was unable to get 40ns pulses to have any effect whatsoever. I kept stretching the pulse width until it started affecting execution — by the time I had the exploit working, my pulse width was approx 200us — yes, that’s 20,000 times the length of the suggested glitch. Did anyone else run into this problem?

This hack is fairly annoying to get working, in the sense that you spend a lot of time mashing a button. It’s also not horribly great for the hardware — you’re briefly overdriving a bus-driver transistor inside the Cell, and you’re probably doing a little bit of damage each time you do it. It may not matter in the long run, but it just feels wrong.

I’ve been able to also trigger the exploit by pulling the Vref on one of the XDR chips down to ground — on the whole, it seems slightly less reliable than the RQ2 glitch, but it’s a lot easier on the hardware and a slightly easier place to solder to.

I think the biggest issue affecting reliability is the timing of the glitch, so I’m putting my effort into fixing that — I think I’ve found a signal I can abuse for the purpose.

The advantage of using the SX28 is that it can trigger the exploit a lot quicker, however, the patience comes into play when it doesn't actually work most of the time.

For example, the HTAB entries take around [51.748028] time was 0x12afa9, 0x1b per, 0, which is like 1/5 reboots.. most of the time it's 0xfc000, so a bit faster but harder to glitch.

In layman's terms, CJPC has done more button-pushing and PS3-resetting in the last 2-3 days than most people have in the last 2-3 years.

#64 - veggav - 245w ago
Quote Originally Posted by PS3 News:
Probably not likely, as reversing the HV dumps is extremely tedious and time-consuming so if anything good comes out of it chances are it will be a ways off... but the more people working on it, the better of course!

As I mentioned in another thread, one of the areas CJPC is seeking to examine from the dump is the boot flag data, as he is interested in being able to convert his Service Mode PS3 to a Debug one, or better yet Retail PS3 consoles to Debug units optimistically.

You are the most patient guy on earth, boss. It's the third time I see this kind of question this week.

#63 - Progeria - 245w ago
Quote Originally Posted by PS3 News:
Yes, you do not need a PS3 once you have the dumps... anyone with the time and talent can use IDA (on their PC) and xorloser's PS3 plug-ins to begin reverse-engineering the code and looking for "interesting" things.

Great! With all those talented scene and ind crackers, I bet the HV will get a hard time..

Will be fun to follow when dumps get released.

Edit: good timing for the IDA and IDA SDK releases that came out not so long ago.

© 2014 PlayStation 3 News