GeoHot PS3 Hack Propered, Exploit for All PlayStation 3 Firmware
Today xorloser has 'propered' the recently released GeoHot PS3 Hack in attempt to accomodate all PlayStation 3 Firmware versions with the exploit.
Download: PS3 Exploit Fixed
To quote: As I'm sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack so I thought I'd take the time to help out others who may also have trouble due to being linux n00bs like me.
If I were to post everything at once it would be too much work and I'd never get around to it, so I'll post bits at a time to ensure I actually do post it heh. Today's post will talk about the software side of the exploit.
Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.
The first step is to install Linux on your PS3 which means of course that this will not work on a slim PS3. I tried a few different Linux distros and after various different issues I settled on using Ubuntu v8.10 since this is the same version that geohotz used.
I suggest using the "alternate" version since it includes a gui which the "server" version does not. You can download the 636MB image below, I suggest using the legal torrent below to save the bandwith of the Ubuntu servers.
Ubuntu for PS3 v8.10 alternate - Torrent
Ubuntu for PS3 v8.10 alternate - Direct Download
After downloading, burn the image to a CD-R and install as you would any OtherOS install. There are many generic and also Ubuntu specific guides for doing this, so I won't cover that here.
Once you have Linux up and running you should log in using the username you created during install. Now open a terminal (Applications->Accessories->Terminal). You can enable the root account by creating a password for it by typing "sudo passwd". You then enter your current users password once and then the new root password twice. The root account will now be usable.
Now type "su" and then enter the new root password to get root access. Create a dir to put everything in. You could probably create this in your home directory, but I created it in the root of the filesystem so that I can share it between root and my user account as well as setting up access to it via samba from my PC.
To create the dir do "mkdir /ps3share", you can call it anything you want, I call it ps3share because I share it with my PC over samba. Now allow all users to read and write to it by doing "chmod a+rw /ps3share". Finally give ownership of it to your normal user account by doing "chown username:username /ps3share" where username is your username.
Next you need to get the "fixed" exploit software onto your PS3. Using a USB flashdrive is easiest. Copy the extracted files onto it from your PC, then insert it into your PS3. It should automount and bring up an icon on your desktop.
Double click the icon to open the file browser. Right click on the USB drive in the filebrowser and choose to "Open in New Window". Then on the left side of the file browser select "File System" and then "ps3share". Now drag the files from the USB drive into your "ps3share" directory.
I have included a binary of the exploit file for those of you who don't want to build it yourself, but for those who do here is how. First you need to fix the location of the kernel headers so they can be found by the build scripts, so do "mv /usr/src/linux-ports-headers-2.6.25-2/ /usr/src/linux-headers-2.6.25-2/".
Now change to the directory with the exploit source in it "cd /ps3share/ps3_exploit_fixed/src" and then build it by typing "make". There will be a lot of warnings but it should create the file "exploit.ko".
You are now set to run the software side of the exploit. DO NOT run it from this terminal while in the GUI, it should only be run from console mode. If you do run it you will not see anything happening, but your PS3 will suddenly become really slow and you will have to turn it off. More about the running of it in a future post.
A summary of the commands to enter at the terminal is below:
(then enter users password once, then the new password for root twice)
(then enter root password)
chmod a+rw /ps3share
chown username:username /ps3share
(where username is replaced by your username)
Now copy the exploit files into /ps3share.
mv /usr/src/linux-ports-headers-2.6.25-2/ /usr/src/linux-headers-2.6.25-2/
More PlayStation 3 News...
nice finally a good guide people can undertand!
its also nice to know someone else successfully did the exploit, and they seem nice enough to make this guide so hopefully their nice enough to share their lvx dumps.
edit: wow i used nice a lot just then :s
Very nice and clean post. Thanks for sharing and updating for firmware compatibility. I'll try this out, if only to setup the software end of things.
I like the way things are moving around this. Hopefully, we'll see a very interesting and useful applications any time soon... we just have to wait. I've checked the code, and you sure did a very good modifications.
I wish I could try it by myself, but my PS3 is only one year old so is still under warranty; as soon as it expires, I'll do it with no hesitation just to feel the "power" hehe.
This is all very exciting news. I've been waiting for this since I bought my 1st generation console with SACD drive. I wonder if this exploit would lead to tapping of decrypted (if any) raw DSD stream and archiving to hd as .dsf or .dff files before the DSD to PCM conversion is taken place.
Further down the road, there may be a way to emulate the watermark encryption scheme that is only available for those 1st generation consoles with SACD drive (should be same blu-r drive as later generations) in all other consoles so all consoles out there can play SACD discs.
Just wonder if all these are possible.
wow, would be nice if exploit is all software. These directions are very clear and easy to understand. But I think there is a hardware solder that has to be done. Sounds very legit. Thanks for all your work.
great start. well the directions are as clear as day. Thanks for the wonderful guide. I'm prob going to give this a shot once all the guides are up. Just hope we will be playing some Backups soon or some iso from the hard drive.
This is all great work by PS3 devs but is there any point in the common man or woman using this hack just yet? Is there a chance of bricking your PS3? I'm all for hacking it but is this hack worth doing just yet because at the moment we don't know how SONY will respond.
When PS3 Devs get the dumps and examine them they will share any interesting things found (holes, vulnerabilities, etc) so don't worry. For example, I know CJPC plans to examine the flag data to continue work on his Service Mode PS3 project, in hopes of one day being able to convert it to a fully functional Debug PS3 and ultimately being able to convert retail units.