01-26-2010 #21jul644 Guest
umm any comments on WTF that poke me thing is? and i hope sony dosnt block this up as it just creates a better linux on the ps3 and can some one confirm on higher firmware and with regular controller?
01-26-2010 #22semitope Guest
Back to waiting. Seems he is leaving this for now as well so we are with the devs again. I wonder why he didn't continue searching for the keys, even if not the root key. Any idea on whether this will be of more use on dev/test/tool systems? Do they use the same keys as the retail ps3s?
01-26-2010 #23iomega1972 Guest
01-26-2010 #24keytor69 Guest
geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
01-26-2010 #25ZimZi Guest
01-26-2010 #26Niwroc Guest
This isn't, however, to say that they couldn't simply patch out the exploit and leave OtherOS intact.
01-26-2010 #27Douche69 Guest
So what do you think CJPC... Your opinion counts most
01-26-2010 #28Transient Guest
peek = read a specific memory address
Being able to do this to any address at will is quite significant. It might not mean much to the average user, but it definitely opens things up for devs.
01-26-2010 #29CJPC Guest
It may be a long process, but a very creative way to get it started - kudos to Geohot on the release!
01-26-2010 #30caner12 Guest
CJPC when do you think we will have like a custom firmware or something