To quote: This is incredible, hackers are making big progress towards reverse engineering the hypervisor on the PS3. The latest work and release comes from a developer who goes by the name 'user' - which is a hypervisor debugging tool that can run from GameOS.
The following tasks can be performed using this tool: Com Lib debug, Storage Manager debug, SB Manager debug, Update Manager debug, SYSCON debug, Dispatch Manager debug, VTRM debug, and patch Dispatch Manager policies.
• Enable debug for some HV services
• Patch Dispatch Manager policies (allow everything)
CECH-25xxA: 0x66EF00 thanks to MikeM64 and manster
CECH-25xxB: (maybe just like CECH-25xxA)
114w ago - Despite Sony's legal action, PS3 hacker Graf Chokolo has released some PS3 Linux Tools including PS3 Linux Hypervisor Scripts and Dispatcher Manager Utilities alongside a PlayStation 3 Debug Console Dumper.
To quote: For today’s update on graf_chokolo, we’ll get to see some new cool releases from the respected PS3 scene hacker to our very own git. You guys with the developing sense should seriously check them out and report back to graf if you want to help improve it.
• Debug console dumper for PS3 hypervisor
• Different Linux scripts that enable cool features by patching PS3 hypervisor and its processes
Also, some new updates on Dispatcher Manager utilities for PS3 Linux repository.
Today Graf_Chokolo announced that he has successfully exploited the PS3 hypervisor 3.15 through GameOS and dumped it, and plans to do the same for version 3.41 along with sharing more details soon.
Here is what he had to say on the matter, to quote: "I have just exploited and dumped HV 3.15 from GameOS
I used memory glitching like Geohot to get dangling HTAB entry but 2nd and 3rd stages are quite different. I used my knowledge about HV internals and created a simpler exploit for stage2 and stage3.
I didn’t use second VAS like Geohot. I used lv1_undocumented_function_114 and lv1_undocumented_function_115...
129w ago - After creating Simple AVCHD Manager - the first AVCHD manager for a jailbroken PS3 - some of the other programs I have been exploring had the requirement for a file selection screen in common, so I decided to create a simple file manager utilising a pointer like Multiman and added some other useful functions.
131w ago - A few days ago we reported on graf_chokolo's progress in decrypting PS3 Firmware 3.50, and today he has made available to the PlayStation 3 Wiki (linked above) his PS3 hypervisor reverse-engineering work to date, as follows:
HSPRG
The hypervisor stores a pointer to some structure per LPAR in the HSPRG0 register. There are actually 2 HSPRG0 values: one for each thread of the Cell CPU! There is a HSPRG0 array at 0x8(-0x69A0(HSPRG0)) + 0x20.
LPAR
LPAR = Logical Partition
lpar1 starts at 0x(unknown), and it's believed to be the memory space where lv1 stores its variables, flags and other data.
lpar2 starts at 0x80000000000 and it's believed to be the memory space where lv2 stores its variables, flags and other data.
The pointer to active LPAR is stored at -0x67E8(HSPRG0).
vtable 0x0033CA40 (3.15)
Member variables
offset 0x38 - some pointer
offset 0x50 - LPAR id (8 bytes)
offset 0x70 - pointer to VAS id bitmap
offset 0x78 - power of 2 of word size from VAS id bitmap (4 bytes), equal to 6
offset 0x7C - number of 64-bit words in VAS id bitmap (4 bytes)
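The member-variable offsets listed above can be checked against a memory dump with a short decoder. This is an added example, not code from the wiki or from graf_chokolo; the function and field names are hypothetical, the sample bytes are constructed, and the bit ordering inside the VAS id bitmap (bit 0 as the most significant bit of word 0) is an assumption the notes do not confirm.

```python
import struct
from typing import NamedTuple

# Field offsets inside the LPAR object, as listed in the notes above.
OFF_PTR_38, OFF_LPAR_ID, OFF_BITMAP_PTR = 0x38, 0x50, 0x70
OFF_WORD_SHIFT, OFF_WORD_COUNT = 0x78, 0x7C
OBJ_MIN_SIZE = 0x80  # the last documented field ends at 0x7C + 4

class LparObject(NamedTuple):
    ptr_38: int       # "some pointer" (purpose not documented)
    lpar_id: int      # 8-byte LPAR id
    bitmap_ptr: int   # pointer to the VAS id bitmap
    word_shift: int   # log2 of the bitmap word size in bits
    word_count: int   # number of 64-bit words in the bitmap

def parse_lpar_object(buf: bytes, offset: int = 0) -> LparObject:
    """Decode the documented fields; the Cell CPU is big-endian, hence '>'."""
    if offset < 0 or len(buf) - offset < OBJ_MIN_SIZE:
        raise ValueError("buffer too short for an LPAR object")
    ptr_38, = struct.unpack_from(">Q", buf, offset + OFF_PTR_38)
    lpar_id, = struct.unpack_from(">Q", buf, offset + OFF_LPAR_ID)
    bitmap_ptr, = struct.unpack_from(">Q", buf, offset + OFF_BITMAP_PTR)
    shift, = struct.unpack_from(">I", buf, offset + OFF_WORD_SHIFT)
    count, = struct.unpack_from(">I", buf, offset + OFF_WORD_COUNT)
    return LparObject(ptr_38, lpar_id, bitmap_ptr, shift, count)

def looks_plausible(obj: LparObject) -> bool:
    """The notes give the shift field as 6 (2**6 = 64-bit words)."""
    return obj.word_shift == 6 and obj.word_count > 0

def vas_ids_in_use(obj: LparObject, bitmap: bytes) -> list:
    """List the set bits. ASSUMPTION: id 0 is the MSB of word 0."""
    if not looks_plausible(obj) or len(bitmap) < obj.word_count * 8:
        raise ValueError("implausible object or truncated bitmap")
    words = struct.unpack_from(f">{obj.word_count}Q", bitmap)
    return [(w << obj.word_shift) | b
            for w, word in enumerate(words)
            for b in range(64) if (word >> (63 - b)) & 1]

# Constructed sample: a zeroed 0x80-byte object with the documented fields set.
sample = bytearray(OBJ_MIN_SIZE)
struct.pack_into(">Q", sample, OFF_LPAR_ID, 2)
struct.pack_into(">Q", sample, OFF_BITMAP_PTR, 0x1000)  # made-up address
struct.pack_into(">II", sample, OFF_WORD_SHIFT, 6, 2)
sample_bitmap = struct.pack(">QQ", 0xA000000000000000, 0x1)  # ids 0, 2, 127
```

The `looks_plausible` check is useful when scanning a dump for candidate objects, since the shift field is the only one the notes give a fixed value for.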