128w ago - Recently we reported on a 3.50 Firmware JailBroken PS3 x3Max video, and today PS3 developer xorloser has commented on the hack, as well as explaining why obtaining the hmac key for PlayStation 3 PUP files will not lead to PS3 Custom Firmware.

To quote from his blog, linked above:

"the hmac key for PUPs doesnt magically allow custom firmware. this is because all of the files that make up the PUP are signed anyway, so you cannot make custom versions of any of those files because you cannot sign them.

as for x3max supposedly working on v3.50, i call fake."

169w ago - Today xorloser has shared his XorHack: The PS3 Exploit Toolkit which allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program and run the software required when triggering the PS3 exploit from a normal userspace program.

To quote: I finally found the time to complete the PS3 exploit toolkit software I mentioned to in my previous posts. I call it XorHack.

It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

ps3exploit - Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the "button pressing", it will not exploit the PS3 via software alone).
dumphv - Dumps the hypervisor to a file in the current directory.
dumpbl - Dumps the bootloader to a file in the current directory.
dumprom - Dumps the system rom to a file in the current directory.

The XorHack package contains full sourcecode...

172w ago - A few days ago xorloser propered the GeoHot PS3 Hack Exploit for all PlayStation 3 Firmware versions, and today he has detailed the required SX28 microcontroller hardware and shared the source code.

To quote: This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don't want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, but the RAM didn't receive the write command due to our interference and so it did not perform the write operation.

The easiest (and moderately safe) way to interfere with these control lines is to ground them. This is done easily enough by connecting a wire between one of the control lines and ground. The tricky part is timing it just right so that it only interferes with the write...

209w ago - Today xorloser has posted an update to his previous PS3 ELF/SELF/PRX/SPRX PPU Loader for IDA v5.2.

To quote: I've been busy digging into the PS3 lately, I decided it's finally time to see what secrets can be extracted from it. During my investigations I found that level-1 syscalls, a.k.a. hypercalls, are not handled by IDA so I decided to add support for it to the existing PPC Altivec plugin. Get the updated plugins and copy them to your "IDAplugins" directory to install them.

Download: PS3 ELF/SELF/PRX/SPRX PPU Loader Update for IDA v5.2

For those who don't know, level-1 syscalls are used to call hypervisor functions. On a PS3 the hypervisor is known as as "lv1″ (level1) since it is the lowest level that runs directly on top of the hardware.

The operating system is executed on top of this and is known as "lv2″ (level2). The two common operating systems are GameOS which PS3 games run on, and OtherOS which is usually used to run linux.

Since both OSes run on top of the same lv1 hypervisor, they use...

254w ago - To quote from xorloser's Web site linked above:

This is a PS3 loader for IDA, it lets you open PS3 elf/self/prx/sprx files in IDA. I highly recommend you use this with the PPC-Altivec plug-in also available on this site.

Download: PS3 ELF/SELF/PRX/SPRX PPU Loader v1.1 for IDA v5.2

THIS DOES NOT DECRYPT ANY FILES !!!! That means that for now this loader will ONLY work on unencrypted files. There are a few such files "in the wild" that have been found on Sony update servers and such.

As well as loading the supported PS3 filetypes in both 32bit and 64bit vesions of IDA this also resolves and sets up all imports, exports and syscalls. It also only supports PS3 PPU files as the PS3 SPU CPU is not supported by IDA at this time.