108w ago - A few weeks back, details and payloads for Dumping PS3 Per Console Keys surfaced, followed by news of a PS3 Metldr Exploit, and today PlayStation 3 developer xx404xx on IRC has shared his PS3 Metldr / Per Console Key0 findings thus far.
[xx404xx] lol wtf you can write to metldr!!!!!!
[xx404xx] 0x17014 - Write eEID/Write metldr Holy crap, it writes passed data to the region of FLASH memory where eEID or metldr data is stored !!! And GameOS is allowed to use this service !!! Do not experiment with this service if you don't know what it does or else your PS3 will not work anymore !!!
[xx404xx] http://img824.imageshack.us/img824/5747/newbitmapimage3f.png I highly recommend...
167w ago - Nintendo Wii developer Marcan has been sharing updates via Twitter on his progress with a PS3 Linux bootloader, one that is currently working on PlayStation 3 Firmware 3.41 (including on the PS3 Slim) and now named AsbestOS.
199w ago - Just a few days after kakarotoks released a kernel module to dump out the PS3 Hypervisor and Bootloader, someone named Ps3 Memory Dump from GeoHot's blog did just that, and has leaked it publicly as pictured below.
The included ReadMe file acknowledges is0mick's recent Atmega8 port; however, it curiously attempts to flame other PS3 News Devs despite using their code to make the HV dump... go figure, eh?
Preliminary examination of the leaked dump is currently underway by both Devs and end-users alike, with a few noteworthy findings thus far as follows:
199w ago - Hi guys, I used an Atmega8 running at 16 MHz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.
I was quite surprised; it actually worked fairly straight away! I only had one pulse going every time I pressed the button at first, but not a lot was happening.
So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.
After about 30-40 seconds... I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10 MB bin.
Just having a look through the dump, lots of strings in there... I haven't dropped it into IDA yet though...
This is the source and hex (for those who don't want to compile it) for the Atmega8 which I glitched my PS3 with. The chip I used was the Atmega8-16PU....
199w ago - We are happy to report that the PS3 Hypervisor LV1 and Bootloader LV0 have been dumped from the PlayStation 3's RAM after getting our SX28 hardware a few days ago, utilizing the glitching code and mashing buttons for hours - the exploit eventually gets triggered!
We tried a few different ways to dump out the real memory - the biggest "problem" was the fact that you can't simply use File I/O code in a kernel module. Furthermore, you can't call the lv1_peek function from user mode either.
Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he made a kernel module which maps the "real" PS3 memory to a device in /proc. The /proc area lets the kernel and userland interact.
Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can use dd to read the device. By doing this, the device gets passed arguments, which is...