03-29-2007 #11 BKATTACK Guest
Based on yesterday's NFO from PDX, they clearly state that the hardware in the Euro release PS3 is causing their process not to work. The only hardware difference that I know of is the removal of the PS1/PS2 chip, as seen in this post from the news back on March 14th:
Concerns regarding PS3's backward-compatibility have been raised since Sony announced European consoles would use software, rather than a dedicated internal chip, to emulate PSone and PS2 titles. This reduces the number of backward-compatible games for EU PS3s significantly, compared to the approximately 98% playable on American and Japanese machines.
I have no experience reverse engineering or developing, but to those that do I truly believe that this is where PDX was saying they found the exploit. Maybe they figured out a way to trick this chip into running an iso from the hard drive or external drive instead of a PS2 game in the BR drive. Maybe someone with more knowledge will shoot this theory down, or know of some other hardware changes done in the PAL units. But in my opinion this is the area to look at.
03-29-2007 #12 daz500 Guest
Can you give a high-level overview as to how their loader works so that others can try to break the stages down into more detail?
- Join Date
- Apr 2005
You are actually correct! PDX is actually using a hole in the PS2 hardware to jump into PS3 mode essentially (as it still does run). Once there, they have User Mode access and use a second hole/exploit (likely the LS hint mentioned) to escalate to Kernel Mode for running their iSO Loader, etc.
And again, you are correct on the console changes too... currently theirs doesn't work on PAL due to software. They can't get their exploit working because the PS2 is being emulated (different programming) so the hole is missing in action.
However, I have been told this is actually slightly "outdated" as of last night. I believe they have made some further progress (although I have no specifics on it at this time).
03-29-2007 #14 cyberfix Guest
Is there a way to access installed game files? For instance, can we change the Motor Storm or Lemmings demo launch icon to point to something different like the iso files, etc.?
Also, PDX mentioned that the SPEs use shared memory. One SPE acts as the security. Is it possible that during the boot of the OtherOS the system's security can be compromised to launch an iso at that point?
Could all of this have something to do with launching a PS2 game to launch a PS3 game? After all PDX did mention that the PAL hardware changes have created a problem. With no Emotion Engine chip, this would fall in line with that.
Just some thoughts that have been plaguing my ever waking moment.
03-29-2007 #15 internetfloozy Guest
I'm currently at work and I'm overwhelmed, but I am still finding time to research possibilities. I have been curious about the chances of just wrapping a common PS2 ELF file or rebuilding the code from an ELF loader, for example, to work with the Cell BE.
One thing is catching my eye: it is called "embedspu".
This is a special tool that converts SPE programs into an object file that can be linked into a PPE executable. It also creates a global variable that refers to the SPE program so that the PPE can load the program into the SPEs and run the program as needed.
I'm wondering if it is possible to embed an ELF or disguise it to run somehow. I know, it could be crazy and make no sense, but I'm throwing things out there.
03-29-2007 #16 dogSPring Guest
I've been developing on Cell since my Japanese PS3 arrived here in Europe and have gained some knowledge of PPU/SPU data transfer. Well, there is a very useful function called spu_mfcdma32!
The parameters are pretty easy:
spu_mfcdma32((void *)(&ctx), (unsigned int)parm, sizeof(context), tag_id, MFC_GET_CMD);
ctx: pointer to address in LocalStore (256 KB limit!!)
parm: pointer to address in MainStore (256 MB limit :P)
sizeof(context): I think this is the tricky and most important part for generating an exploit. YOU decide how many bytes will be transferred from MS to LS. So if you transfer more than ~256 KB (because there is no limit check), you should get a buffer overrun, put data/code from your MS into the SPU's register and maybe change the return address?
To get familiar with this topic, you should read the "Cell B.E. Programming Tutorial 2.0". Take a look at SPE registers on page 61 and page 86 for the MFC commands.
Well, this is just my idea of how it COULD work.
Good night and good luck
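The size argument discussed in the post above is the value a caller has to validate before a DMA get is issued. As an added example (not part of the original thread), here is a C argument check based on the Cell BE architecture's MFC transfer rules: sizes of 1, 2, 4, 8 or a multiple of 16 bytes up to 16 KB, matching alignment, tag IDs 0 to 31. `check_dma_get`, the enum names and the destination-length parameter are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define LS_SIZE     (256u * 1024u) /* SPE local store size, as stated in the post */
#define MFC_MAX_DMA (16u * 1024u)  /* largest single MFC transfer (Cell BE architecture) */
#define MFC_MAX_TAG 31u            /* tag group IDs are 0..31 */

enum dma_check {
    DMA_OK, DMA_BAD_TAG, DMA_BAD_SIZE, DMA_BAD_ALIGN, DMA_LS_OVERRUN, DMA_BUF_OVERRUN
};

/* Hypothetical helper: validate the arguments of a "get" (main storage -> local
 * store) before they are handed to spu_mfcdma32. ls_addr is the destination
 * offset in local store, ls_buf_len the capacity of the destination object. */
enum dma_check check_dma_get(uint32_t ls_addr, uint32_t ls_buf_len,
                             uint64_t ea, uint32_t size, uint32_t tag)
{
    int small = (size == 1 || size == 2 || size == 4 || size == 8);

    if (tag > MFC_MAX_TAG)
        return DMA_BAD_TAG;
    /* Legal sizes: 1, 2, 4, 8, or a multiple of 16 up to 16 KB.
     * Zero-length requests are rejected here as a wrapper policy. */
    if (!small && (size == 0 || size % 16 != 0 || size > MFC_MAX_DMA))
        return DMA_BAD_SIZE;
    if (small) {
        /* Naturally aligned, same offset within the quadword on both sides. */
        if (ls_addr % size != 0 || (ls_addr & 15u) != (uint32_t)(ea & 15u))
            return DMA_BAD_ALIGN;
    } else if ((ls_addr & 15u) != 0 || (ea & 15u) != 0) {
        return DMA_BAD_ALIGN;
    }
    /* Written as a subtraction so the bounds test cannot wrap around. */
    if (ls_addr >= LS_SIZE || size > LS_SIZE - ls_addr)
        return DMA_LS_OVERRUN;
    /* The caller-chosen size must also fit the object it lands in. */
    if (size > ls_buf_len)
        return DMA_BUF_OVERRUN;
    return DMA_OK;
}

int main(void)
{
    /* Constructed sample: a 300000-byte request aimed at a 128-byte buffer. */
    printf("%d\n", check_dma_get(0x1000, 128, 0x20000, 300000, 3));
    return 0;
}
```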
03-29-2007 #17 knollebolle Guest
03-29-2007 #18 Albut35 Guest
03-29-2007 #19 downloads2k5 Guest
O.K., take things back a notch: when you insert a PS1 title into the PS3, does the emulation run "straight" from the PS3 or does it "borrow" PS1 emulation from the Emotion Engine? If so, in the PAL PS3 is the PS1 emulation now running from the PS2 emulation (confusing, I know) or is the PS1 info running through software on the PS3 itself? Also, how are memory cards / saves for the PS1/2 dealt with from the point of view of the PS3? It obviously creates virtual memory cards for these emulated machines.
Do these "memory cards" live in protected or unprotected space? In other words, is it possible to take apart a PS2 or PS1 save (which we have a good understanding of) and somehow run or inject some arbitrary code, assuming that the memory cards are allowed kernel / user mode access to the PS3? The memory card files must be somehow linked through the emulation process in the PS3 to "relink" to some part of the hard disk in the PS3. Are these files stored in a user-accessible part of the PS3?
Just some random thoughts from the top of my head; I'm more a thinker than a programmer.
03-29-2007 #20 Darkflame808 Guest
I understand that Sony probably made a collective effort to patch all "known" exploits in the PS2/PS1 saga, etc.
I wanted to throw this out there for devs to consider. From the time the first PS1 exploit came out to the time the last PS2 exploit came out, a lot was learned regarding exploits. I have noticed people focused their efforts on exploiting games of interest.
Maybe the information gained from exploiting in the PS2 days a few months back (that is patched now in PS3) could be used for digging around in games from years back that everyone seems to have forgotten. Maybe a save exploit that worked on GTA VC might have opened up a new approach to Lunar for PS1. That kind of thing. I am assuming that the PS3 runs PS2/PS1 games at some sort of higher level than Linux.
Also, rather than games from bigwig companies, how about crap games from gun and run publishers? Maybe those programmers are the ones that left more shoddy programming in their software than the $400,000 programmers that work for Rockstar, etc.
Just a thought.