PS3 Hack Exploit SX28 Hardware Arrives, Bring on the Hypervisor!

268w ago - Today the PS3 hack exploit SX28 hardware arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!

Up to now, both GeoHot and xorloser have successfully performed the PS3 hack while a few others simply obtained GeoHot's PS3 Hypervisor dump to study privately.

Needless to say, the rest of the PS3 scene including most of us here, have been waiting to take a peek at the unencrypted bootloader and Hypervisor lv0 and lv1 dumps.

We started by writing an Ubuntu guide (as did titanmkd HERE) and attempted to use a 555 timer to produce the 40ns pulse required to trigger the exploit, but, like many others who tried this, we had no luck. That is not surprising: a bipolar 555's output rise and fall times are on the order of 100ns, so it cannot produce a clean 40ns pulse, whereas a microcontroller executing a couple of single-cycle instructions at 50MHz can.

Luckily xorloser shared working code that produces the 40ns pulse from an SX28 microcontroller. SX28 chips are a bit harder to find and a little more expensive (you also need a programmer), but the method is sound.

That brings us to today: our SX28 chips and programmer have arrived, so we will be recreating the hardware and giving this a go soon!

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!

Comments 107


#107 - ekrboi - 268w ago
Quote Originally Posted by CJPC View Post
Alas not that easy, the calls need to be reversed, and they need to be analyzed - namely, you don't want to run the call, then the unit bricks because it's trying to use different crypto keys.

Damn crypto... I have not read the available docs on the Cell/PS3 security... I suppose I need to... but why would it matter? We wouldn't personally be messing with encrypted data, just "using" the hypervisor, which as far as it (or the PS3) is concerned is "allowed" to do it, so it would pass through the appropriate channels.

But I do understand wanting to know what the call actually does before just trying it.

#106 - CJPC - 268w ago
Quote Originally Posted by ekrboi View Post
Cool... obviously we can add our own calls for reading/writing memory using the exploit, and you may already have done/tried it... can't you just push one of the set flag calls into memory so that the hypervisor executes it? Or is it not that simple?

Alas, not that easy: the calls need to be reversed and analyzed. Namely, you don't want to run the call and then have the unit brick because it's trying to use different crypto keys.

#105 - ekrboi - 268w ago
Cool... obviously we can add our own calls for reading/writing memory using the exploit, and you may already have done/tried it... can't you just push one of the set flag calls into memory so that the hypervisor executes it? Or is it not that simple?

#104 - CJPC - 268w ago
Quote Originally Posted by ekrboi View Post
Ah hah! Now that's more like it! Good work! Can't wait to see some more!

So I'm assuming what we are hoping to do here is find a way to use those set calls to set, say, recovery to 1 instead of 0 and hope that when it reboots the bootloader boots to recovery, vs. needing the "jig" to set that flag?

Sorry, further thought: I would assume that's all the jig does. Supposedly, when used, the PS3 boots, picks up the jig, then reboots again. So I would assume that's what the jig is doing: hopefully using the same set call to set the recovery flag, then making it reboot, and the PS3 system takes over from there.

Pretty much, yeah. You boot the PS3, then hit reset and eject with the JIG attached. This sends a signal from the System Controller (where the flags are set) to the Southbridge to do some "magic" and read the USB device. If it all checks out, a flag gets set in the System Controller, and the PS3 is automatically powered off.

Upon next power up, it's in "manufacturing mode", which allows diagnostic tools (encrypted, of course) to be run.

#103 - ekrboi - 268w ago
Quote Originally Posted by CJPC View Post
We are hoping to have something "user friendly" for the weekend, although there is still the whole hardware issue: it's still a pain to trigger the exploit, even with the SX28.

Needless to say, this is a bit better, eh? Nice and proper!

Ah hah! Now that's more like it! Good work! Can't wait to see some more!

So I'm assuming what we are hoping to do here is find a way to use those set calls to set, say, recovery to 1 instead of 0 and hope that when it reboots the bootloader boots to recovery, vs. needing the "jig" to set that flag?

Sorry, further thought: I would assume that's all the jig does. Supposedly, when used, the PS3 boots, picks up the jig, then reboots again. So I would assume that's what the jig is doing: hopefully using the same set call to set the recovery flag, then making it reboot, and the PS3 system takes over from there.

#102 - DarkOgr - 268w ago
Great news! Keep fighting for freedom on PS3, guys.

#101 - netpredakonn - 268w ago
Great to see some progress on the PS3 scene again. Hope this time something like homebrew can be achieved.

#100 - CJPC - 268w ago
Quote Originally Posted by Karl69 View Post
Why is it necessary to use an SX28? There is a device quite well known in the smartcard hacking scene called the T911 which can be bought on many internet sites. It uses an easily programmable AVR Atmel 2313 which can probably be overclocked to 25 MHz to produce the necessary 40ns glitches.

Yeah, namely xorloser made some nice, easy-to-use code to flash right to the SX28. It works, so why mess with what works? I'm SURE it can be done much cheaper and much easier; it can probably be done on an 18F PIC (if I recall, it may be fast enough). But xorloser made code, and it works!

#99 - PS4 News - 268w ago
Quote Originally Posted by Neo Cyrus View Post
Anyway, I wanted to ask how much has been dumped so far. I thought it could all be done at once but we were only shown bits and there has been no announcement that the entire hypervisor has been dumped by the Devs so is it safe to assume that means it's being done a piece at a time?

It started out that way, but last night, as CJPC posted HERE, they got it working properly with new dump code.

CJPC plans to post an update in the Site News either tonight or tomorrow with the details, and the dump code will be released then as well, in case others wish to dump their own once they successfully trigger the exploit.

#98 - Neo Cyrus - 268w ago
Quote Originally Posted by mabraham View Post
You are too narrow-minded and do not think outside the box. You are hung up on the way IBM/SCE describes security and are not showing any hacker mentality.

You will soon be amazed, I promise you. Maybe not with lv2 exploits leading to loaders and such, but other things will surface. Rest assured, progress is being made as I write this.

That's what we've all been hoping for.

Anyway, I wanted to ask how much has been dumped so far. I thought it could all be done at once, but we were only shown bits, and there has been no announcement that the entire hypervisor has been dumped by the devs, so is it safe to assume that means it's being done a piece at a time? Forgive the crappy question, but I have no knowledge on the topic.

© 2015 PlayStation 4 News