163w ago - Update: JaicraB has now shared a second (36MB) dump and update, details and the download link are available HERE and the guide is being worked on!
Today JaicraB (linked above) with the help of DemonHades have done what GeoHot failed to do, dump and publicly leak the PS3 Hypervisor LV2 (GameOS) for the entire PS3 scene to begin reversing and examining for new holes, exploits, etc!
But wait, there's more... they also plan to share a guide soon detailing how the LV2 dump was done (see HERE for the LV1 dump leak) so that everyone in the PlayStation 3 development community can join in on the fun!
This is indeed refreshing news in comparison to a lone glory hound out only for himself instead of the PS3 scene, seeking attention while blinded by his own e-fame from the notion that others in the community are just as capable, if not moreso, as will surely be demonstrated in coming months.
164w ago - Today JaicraB shared with the PlayStation 3 scene a PS3 Hypervisor 3.15 lv0/lv1 dumped via XorHack using a parallel / LPT1 port as a trigger alongside source code for the application used to send the pulse.
Shortly following, he redumped it possibly due to file corruption.
170w ago - We are happy to report that the PS3 Hypervisor LV1 and Bootloader LV0 are dumped from the PlayStation 3's RAM after getting our SX28 Hardware a few days ago, utilizing code for glitching and mashing buttons for hours - the exploit eventually will get triggered!
We tried a few different ways to dump out the real memory - the biggest "problem" was the fact that you can't just simply use File I/O code in a kernel module. Furthermore, you can't call the lv1_peek function from user mode either.
Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he made a kernel module which maps the "real" PS3 memory to a device in /proc. The /proc area lets the kernel and userland interact some.
Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can use dd to read the device. By doing this, the device gets passed arguments, which is...
172w ago - A few days ago GeoHot Hacked the PS3 and dumped the PlayStation 3 hypervisor lv0 and lv1, and has now updated his blog with a technical writeup here on how it was done written by Nate Lawson at rdist.root.org.
To quote from the article: "The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.
Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this...