GeoHot Resumes Sony PS3 Hacking, Opens PS3 Hacks Blog

256w ago - This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, has returned to Sony PS3 hacking after his initial announcement a few months back and has opened a PS3 hacks blog (linked above).

He recently posted this:

"I just pulled everything from the USB bus... [Register or Login to view links] the Cell processor SPI bus, PS3 is going down :-)"

These are the latest posts on his new PS3 hacks blog:

Cell SPI

The Cell processor has an SPI port which is used to configure the chip on startup. Well documented [Register or Login to view links]. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.

Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise...
 

Apple iPhone Unlocker GeoHot Begins Hacking Sony's PS3

274w ago - Over the weekend geohot, famous for unlocking Apple's iPhone, posted a few tweets on his Twitter account saying that he has begun looking into hacking Sony's PS3 console.

He has also dropped by our Forums to enquire about the PS3 Hypervisor Decryption Keys, and has been in touch with CJPC via IRC as well.

To date, geohot has reported the following via tweets:

"ooo got access to a couple more pages of ram...still no hypervisor there tho. it's hiding in the top 2 MB.

anyone know if the 360 guys had a pt hypervisor to reverse?

my goal is to break out of the hypervisor... then see what my morals will allow.

gotta flip one little bit to hack the ps3. unfortunately the ps3 doesn't want me to flip it.

so, the hypervisor is in the first 0x1000 pages of RAM...think I could just pull an address line down and dump? not from kernel tho

PS3 memory map [Register or Login to view links] ... why did I think this would be useful again? i really want these dumps @ bootloader

it'd be nice if that worked, linux accesses..."
 

A Peek inside a PS3 PKG file!

356w ago - Had a little time over the weekend to play with some PS3 .PKG files.

Here is a peek inside a PS3 Package file, see below!

For reference, some files like executables are still encrypted even when unpacked from a .PKG file, sound files are not. PSARC files are definitely compressed and likely encrypted as well.
 

Revised PS3 Boot Information

362w ago - Our Resident DEVS have revised the PS3 Bootup procedure, with some more interesting information.

asecure_loader is not at the start of the NAND. The first 512KB is also skipped; in fact any 512 block consisting entirely of FF is skipped.

Furthermore, the asecure_loader differs per box, possibly because it is encrypted with a per-box key. The files are of course not in the clear, which suggests that an encryption/decryption step happens at every stage.

The boot loader, viewed in IDA, does not look like microcode for IDL; perhaps it is encrypted with the CPU key (the IBM secure boot / asecure_loader), which would also explain why a NAND dump can only be restored onto the PS3 it was taken from.

asecure_loader ----> lv0, which starts lv1ldr or lv2ldr depending on whether the NAND FS holds 0 or another number
lv1ldr ----> lv1.self ----> cell_ext_area partition in NAND (boots the compressed Linux kernel, for example)

load trvk_prg
spu_pkg_rvk_verifier.self loads trvk_pkg
lv2ldr loads lv2_kernel.self
spp_verifier.self loads default.spp (bluetooth?)
isoldr (?)
appldr (?)
sc_iso.self (?)
LV2 KERNEL MODULE ----> spu_token_processor.self
LV2 KERNEL MODULE ----> aim_spu_module.self
LV2 KERNEL MODULE ----> mc_iso_spu_module.self
LV2 KERNEL MODULE ----> ...
 

PS3 Development Discoveries: Week 1

367w ago - Each week or so we will post a brief report from the resident PS3 Devs here, and below is one for this week:

The PS3 Boot-up Procedure.

The SCC (Super Companion Chip), made by Toshiba, gets the PS3 started up. It reads asecure_loader from flash and loads it into an SPE in isolation mode. The flash reading is interesting, as the data on the flash chips is interleaved, so the SCC merges it, among other things.

asecure_loader is then decrypted and run, and it brings up lv1ldr. The keys for SELF decryption (among other things) are most likely accessible at this point.

lv1ldr is then decrypted and run; it verifies the integrity of lv1.self, then decrypts and runs it.

lv1.self is most likely our base code, also known as the Hypervisor. The Hypervisor then calls lv2ldr.

lv2ldr is run, and it runs lv2_kernel.self.

lv2_kernel.self is essentially the PS3 OS: it starts up, brings up the XMB, and runs any game or movie in the drive.

This is a solid working theory. Without expensive hardware we cannot confirm it 100%, but it is the most logical explanation!

A few select files from the flash:

asecure_loader
lv1ldr
lv2ldr
isoldr
appldr
default.spp
lv0
lv1.self
lv2_kernel.self
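The boot chain described in the two dev reports above (erased 0xFF blocks before asecure_loader, a per-box key on asecure_loader, each loader verifying the next stage before running it), modelled as an added example that is not the site devs' own tooling. The 512-byte block size, the record layout, the HMAC scheme and the key hand-off between stages are assumptions made for the model; it shows why an image sealed for one console fails verification on another, and where a tampered stage stops the chain.

```python
import hashlib
import hmac
import struct

BLOCK = 512  # assumed size of the erased (all 0xFF) blocks that precede asecure_loader
STAGES = ["asecure_loader", "lv1ldr", "lv1.self", "lv2ldr", "lv2_kernel.self"]


def first_payload_offset(nand: bytes) -> int:
    """Skip leading blocks that are entirely 0xFF, i.e. erased flash."""
    off = 0
    while off + BLOCK <= len(nand) and nand[off:off + BLOCK] == b"\xff" * BLOCK:
        off += BLOCK
    return off


def seal(name: str, body: bytes, key: bytes) -> bytes:
    """Record layout (assumed): name length, name, body length, body, HMAC over name+body."""
    n = name.encode()
    tag = hmac.new(key, n + body, hashlib.sha256).digest()
    return struct.pack(">BH", len(n), len(body)) + n + body + tag


def build_nand(box_key: bytes, blank_blocks: int = 2) -> bytes:
    """Constructed image: erased blocks, then the chain. asecure_loader is sealed with
    the per-box key; every later stage with a key derived from the stage that loads it."""
    image = b"\xff" * (BLOCK * blank_blocks)
    key = box_key
    for name in STAGES:
        body = f"code of {name}".encode()  # constructed stand-in for the real stage
        image += seal(name, body, key)
        key = hashlib.sha256(body).digest()  # key the running stage hands to the next
    return image


def boot(nand: bytes, box_key: bytes) -> list:
    """Walk the chain, verifying each stage before 'running' it.
    Returns the stages that passed; stops at the first failed check."""
    booted, key = [], box_key
    off = first_payload_offset(nand)
    while off < len(nand):
        nlen, blen = struct.unpack_from(">BH", nand, off)
        off += 3
        name = nand[off:off + nlen].decode(); off += nlen
        body = nand[off:off + blen]; off += blen
        tag = nand[off:off + 32]; off += 32
        expect = hmac.new(key, name.encode() + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            break  # integrity check failed: the loader refuses to run this stage
        booted.append(name)
        key = hashlib.sha256(body).digest()
    return booted


if __name__ == "__main__":
    image = build_nand(b"console-A-key")
    print(boot(image, b"console-A-key"))  # full chain
    print(boot(image, b"console-B-key"))  # [] : a dump from console A will not boot on B
```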
 
© 2014 PlayStation 3 News