I'm pretty sure that Ferrox and PDX use different exploits.. But it's a possibility that they use the same exploit. What I was thinking earlier is that Sony forgot to block all the access to the EmotionEngine in the OtherOS mode, and PDX has found out how to write code to the EE in OtherOS mode and once they do that, they use a buffer overflow in the SPE to gain Kernel mode thus allowing them to run their loader. I could be totally wrong though, that's just my hypothesis. It would be nice is PS3News could tell me if I was close or not.