164w ago - Yesterday JaicraB shared a PS3 Hypervisor 3.15 he dumped via Parallel/LPT1 Port with XorHack along with a redump done for comparison purposes and the PS3 Pulse Generator code.

red8316 has also posted a Dump Comparison from 010 Hex Editor in TXT and CSV formats for those interested.

Today JaicraB has updated his blog again with PS3 Pulse Generator V2- compiled and with source code included.

Download: PS3 Pulse Generator V2 with Source Code

To quote, roughly translated: The pulse generator which was put very little refined and theoretically ill-posed. I really worked, but it is true that there was always the first. So I miss a second version, more refined and controlled by cycles. Because in cycles? Each computer is different, CPU, BUS, etc etc.

That is why every computer will have its own cycle which is ascertained to start from the smallest to find it. In my case is 3, MSDOS running under a VMware...

168w ago - Today xorloser has shared his XorHack: The PS3 Exploit Toolkit which allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program and run the software required when triggering the PS3 exploit from a normal userspace program.

To quote: I finally found the time to complete the PS3 exploit toolkit software I mentioned to in my previous posts. I call it XorHack.

It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

ps3exploit - Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the "button pressing", it will not exploit the PS3 via software alone).
dumphv - Dumps the hypervisor to a file in the current directory.
dumpbl - Dumps the bootloader to a file in the current directory.
dumprom - Dumps the system rom to a file in the current directory.

The XorHack package contains full sourcecode...

172w ago - A few days ago xorloser propered the GeoHot PS3 Hack Exploit for all PlayStation 3 Firmware versions, and today he has detailed the required SX28 microcontroller hardware and shared the source code.

To quote: This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don't want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, but the RAM didn't receive the write command due to our interference and so it did not perform the write operation.

The easiest (and moderately safe) way to interfere with these control lines is to ground them. This is done easily enough by connecting a wire between one of the control lines and ground. The tricky part is timing it just right so that it only interferes with the write...

172w ago - Today xorloser has 'propered' the recently released GeoHot PS3 Hack in attempt to accomodate all PlayStation 3 Firmware versions with the exploit.

Download: PS3 Exploit Fixed

To quote: As I'm sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack so I thought I'd take the time to help out others who may also have trouble due to being linux n00bs like me.

If I were to post everything at once it would be too much work and I'd never get around to it, so I'll post bits at a time to ensure I actually do post it heh. Today's post will talk about the software side of the exploit.

Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.

The first step is to install Linux on your PS3 which means of course that this will not work on a slim PS3. I tried a few different Linux distros and after various different issues I settled on using...

173w ago - As a BIG follow-up to his Sample PS3 Linux Isolated SPU Loader Code, GeoHot has now released his coveted PS3 hack so end-users can exploit their non-Slim PlayStation 3 Entertainment System!

Essentially what it does is modify the PS3's hypervisor adding two calls for reading/writing to all of the system memory.

To quote: "In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor...