83w ago - A few weeks back details and payloads for Dumping PS3 Per Console Keys surfaced followed by news of a PS3 Metldr Exploit, and today PlayStation 3 developer xx404xx on IRC has shared his PS3 Metldr / Per Console Key0 findings thus far.

Included below are a PS3 EID Rootkey Dumper (SELF) which is loaded through lv2patcher, an EID Decrypter Script, the required EID Static Keys and more, as follows:

[xx404xx] lol wtf you can write to metldr!!!!!!
[xx404xx] 0x17014 - Write eEID/Write metldr Holy crap, it writes passed data to the region of FLASH memory where eEID or metldr data is stored !!! And GameOS is allowed to use this service !!! Do not experiment with this service if you don't know what it does or else your PS3 will not work anymore !!!
[xx404xx] http://img841.imageshack.us/img841/1617/newbitmapimage3en.png
[xx404xx] http://img824.imageshack.us/img824/5747/newbitmapimage3f.png I highly recommend...

142w ago - Nintendo Wii developer Marcan has been sharing updates via Twitter on his progress with a PS3 Linux bootloader, one that is currently working on PlayStation 3 Firmware 3.41 (including on the PS3 Slim) and now named AsbestOS.

Download: AsbestOS ATMega Port with Software USB (Arduino Mega)

Below are some of his recent Tweets for those curious, to quote:

"AsbestOS port to the ATMega with software USB (Arduino Mega, etc...) http://is.gd/fDg1C

Investigating how RSX access will work. It's definitely possible but it might end up very different from desktop Linux 3D as we know it.

http://is.gd/fCQxW git repo if you want to follow along. No support or docs yet, it's not done, don't ask, but feel free to peek.

Preliminary porting notes: http://is.gd/fCBFd. If you have developed or ported a version of the exploit, please let me know your comments

The device I'm using to test is an IGEPv2 (OMAP3,...

174w ago - Just a few days after kakarotoks released a kernel module to dump out the PS3 Hypervisor and Bootloader someone named Ps3 Memory Dump from GeoHot's blog did just that, and has leaked it publically as pictured below.

The included ReadMe file acknowledges is0mick's recent Atmega8 port, however, it curiously attempts to flame other PS3 News Devs despite using their code to make the HV dump... go figure, eh?

Preliminary examination of the leaked dump is currently underway by both Devs and end-users alike, with a few noteworthy findings thus far as follows:

From sapperlott:

• repos @ 0x2c00 - 0x43ff
• partition table @ 0x6000
• SELFs @ 0x20000, 0x37000, 0x55000, 0x1624bc, 0x6c25b4, 0x6d5470
• FSELFs (?) @ 0xa19a0, 0x12dea0, 0x369720
• other SCE files @ 0x35e100, 0x6c5ed4
• LPAR data @ 0x12a0a0

From Karl69:

• IDA entry point looks like 0x10190 is interesting address.

From ifcaro:

• Code starts at 0x00203000 according to my analysis....

174w ago - Hi guys, I used an Atmega8 running at 16Mhz (I had a couple lying about from the BT Vision project I was working on) and knocked up a small prog to do the same as the other chips and dump out the PS3 Hypervisor and Bootloader.

I was quite surprised, It actually worked fairly straight away! I only had one pulse going everytime I pressed the button at first but not a lot was happening.

So I did what xorloser did, and modded it so it pulsed every 100ms while the switch is pressed.

After about 30-40 seconds... I got a hit with the exploit code posted here. Then I used the dumper (posted here) to dump the 10mb bin.

Just having a look through the dump, lots of strings in there.. I haven't dropped it into IDA yet tho...

This is the source and hex (for those who dont want to compile it) for the Atmega8 which I glitched my PS3 with. The Chip I used was the Atmega8-16pu....

175w ago - We are happy to report that the PS3 Hypervisor LV1 and Bootloader LV0 are dumped from the PlayStation 3's RAM after getting our SX28 Hardware a few days ago, utilizing code for glitching and mashing buttons for hours - the exploit eventually will get triggered!

We tried a few different ways to dump out the real memory - the biggest "problem" was the fact that you can't just simply use File I/O code in a kernel module. Furthermore, you can't call the lv1_peek function from user mode either.

Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he made a kernel module which maps the "real" PS3 memory to a device in /proc. The /proc area lets the kernel and userland interact some.

Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can use dd to read the device. By doing this, the device gets passed arguments, which is...