PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

December 26, 2009 // 6:22 pm - This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, has returned to Sony PS3 hacking after his initial announcement a few months back and has opened a PS3 hacks blog (linked above).

He recently made this Tweet:

"I just pulled everything from the USB bus... the Cell processor SPI bus, PS3 is going down :-)"

These are the latest posts on his new PS3 hacks blog:

Cell SPI

The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.

Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.

A Real Challenge

The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.

I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)

GeoHot Resumes Sony PS3 Hacking, Opens PS3 Hacks Blog

PlayStation Follow us on Twitter, Facebook and join us at our new site WWW.PSXHAX.COM!

#152 - PS4 News - January 23, 2010 // 12:39 am
PS4 News's Avatar
Use the new thread here for continued discussion:

#151 - chipsy - January 23, 2010 // 12:36 am
chipsy's Avatar
geo congratulations, I knew you could do it

#150 - adrianc1982 - January 23, 2010 // 12:36 am
adrianc1982's Avatar
I know everyone will give me the look, but I really knew george would hack it sooner or later. I really feel this guy doesnt give up easily and when he wants to crack something he will. Congrats geohot.

#149 - Drakhen - January 23, 2010 // 12:29 am
Drakhen's Avatar
Congrats, I as I am sure Millions of others all look forward to things to come...

#148 - Starlight - January 23, 2010 // 12:29 am
Starlight's Avatar
Sounds promising and will see what happens in the near future and congrats so far but maybe not quite out of the woods just yet but very close maybe.

#147 - semitope - January 23, 2010 // 12:23 am
semitope's Avatar
Hello hypervisor, I'm geohot
I have full read/write access to the entire system memory, and HV level access to the processor.

In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me.

Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long

As far as the exploit goes, I'm not revealing it yet. The theory isn't really patchable, but they can make implementations much harder. Also, for obvious reasons I can't post dumps. I'm hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone's KBAG.

A lot more to come...

Just like that it is done? lol We'll see what comes out of it but congrats to him!!

#146 - Preceptor - January 22, 2010 // 7:57 am
Preceptor's Avatar
But if he managed to dump the hypervisor, correct me if I'm wrong, I'm pretty sure the Devs would be able to properly decrypt the HDD using the keys stored in it. If I'm not wrong, using the Knightsolidus' method there are still some files that are inaccessible. So it could prove useful.

#145 - pirge - January 21, 2010 // 3:54 am
pirge's Avatar
He appears to be trying to access the memory where the hypervisor is resident. If he can dump the hypervisor then that should provide a lot of useful information.

But given the PS3 security architecture is seems unlikely the hypervisor could be modified and still run on the PS3. The Cell security design is supposed to prevent modification of signed code... so something else would also be needed for a full 'hack'.

#144 - PS4 News - January 21, 2010 // 2:52 am
PS4 News's Avatar
Not that I know of... although a few may have tried it on their own but never mentioned it in the channel due to nothing noteworthy being found on their end.

#143 - semitope - January 21, 2010 // 2:41 am
semitope's Avatar
Quote Originally Posted by PS3 News View Post
One of them said the following on IRC about it today: "fuzzing lv1 calls could be interesting" but that is about it. CJPC is busy with his latest "toy" which arrived today and will be covered in this weekend's Site News update.

So they've tried it?