PS3 Glitch Finder v1.0 VHDL Design for Spartan-3 FPGAs Arrives
Today modrobert has released PS3 Glitch Finder v1.0, which is a VHDL design for Spartan-3 (eg. xc3s400) FPGAs with the purpose of easily creating a custom pulse which can be used to glitch various hardware like the PS3 memory bus.
Download: PS3 Glitch Finder v1.0 VHDL Design for Spartan-3 FPGAs
From the ReadMe file: The pulse LOW and HIGH multipliers have a resolution of 255 (X"FF") and can be set independently.
- Cycle exact pulse generator process tested with logic analyzer
- Digital Clock Manager (DCM) primitive @ 200MHz (5ns) with lock handling
- Continuous pulse or one-shot mode selectable via switch
- Debounce handling for push buttons to prevent erratic behavior
- Set the LOW and HIGH pulse length multipliers via buttons
- 7-seg LED display support showing HIGH and LOW pulse multipliers
- Open source release under GPL v2
The target device is a Spartan-3 fitted on an FPGA board (eg. Spartan-3 Starter Kit, Basys, Nexys, or similar). You need 5 push buttons (3 is ok also), a four digit "seven-segment" LED display, a dip switch, two regular LEDs, an external crystal/clock at 25MHz or 50Mhz, and a free I/O port.
Notes: This design is probably overkill for the purpose intended, but I had fun creating it, so one thing led to another. After the pulses are sent the output port drives "Z" (instead if HIGH), thought that might be a good idea to keep the PS3 linux kernel from crashing.
I've only tested PS3 Glitch Finder with a logic analyzer, not a scope yet, so the tri-state function has not been properly tested. By driving the pulse low and switch to "Z" I did notice that there can sometimes be roughly 300ns delay before high impedance occur, so to prevent the pulse generator from sending an invalid long low pulse I made sure the output is high before driving "Z".
If you want to start out in the footsteps of geohot, switch to one-shot mode and then set the low pulse multiplier to 8 (8 x 5ns = 40ns) and the high can be 8 as well (don't think it matter much since only one pulse is sent).
More PlayStation 3 News...
Good looks bro! Wish I had the engineering skills to do this when i'm bored!!
The pinned "Ps3 hack status" topic can now be updated
Anyway, let's keep this thread on topic now.
No disrespect intended, but why are we wasting time reinventing the wheel here?
I'm not a developer or hacker (wish I had the skills) but it seems rather obvious that since we already have the pulse exploit and it does work, why are we wasting time improving the method to be easier? It seems we should move on from this and come up with more information or a more useful exploit.
Now there may be something worth it that I'm missing, but hey from what I can piece together this is my basic opinion on the matter.
But other than that, I suppose it does look like a "suped-up" version of the already-available exploit. It just seems unnecessary.
I guess the only thing happening here is that the glitching method is getting "professionalized", 'cause it seems that this thing does the same stuff that the other "rudimentaries" devices also do, but in a fancier, easier and more controled way.
I wouldn't call it a real progress, but it sure is a very nice form of doing the glitching, and it's nice to see that some people are still working in that matter. I think this guy deserves some credit for doing this.
Pretty much this is what modrobert has been spending his time working on that he wanted to share with the community... it just happened that a few other others made their own prior to him releasing his, but it's definitely still handy for some I imagine.
Real hardware hacking
Now, what would be really interesting is applying this kind of hack to finding the PS3's root key: http://www.theregister.co.uk/2010/03...vulnerability/
Seems someone who understands FPGA programming might have the chops to tackle that...
This will at least help developers to use another type of device to activate the exploit. As I've understood, the several methods presented require some expensive hardware and if there is other hardware being able to do the same thing I guess some are happy to be pointed to what HW you're able to use.
Ok i got a complete noob question for you guys.. What exacly are you guys trying to do with all this hardware stuff or trying to find? Is anything being tested with software or what? i don't understand anything that has been going on since George released the exploit.