

March 6, 2011 // 6:27 pm - Today a PlayStation 3 hacker known as DarkHacker released what he calls a PS3 CPU exploit, which he states will bring developers closer to METLDR exploitation.

From his site (linked above): This is a release of the hidden Cell exploit found a while ago and one of the steps taken toward the metldr exploit. I'm going to release it because I feel people should have the right to do as they wish, and the information should be free to the public.

I know that by releasing this exploit I'll probably be taken to court or sued, but fck Sony, they can go to hell for all I care, for what they're doing to us hackers. I'll fight until the last minute I've got of my life if I have to, for the right of the people.

For this exploit you're going to need a leaked service PDF, which is below:

Time to explain this now. Listen up.

I know you all remember the exploit with RAM and so on back in 3.15. Well, you're going to look for the 'CELL RESET LINE', and that's going to be where the exploit is. You know the small 60 ms or ns (I don't remember which) thing sent to the PS3 for the read and write of the RAM?

Well, use that line, send that, and connect it to the Cell reset line (FIND IT IN DOC) and ground on the outside of the case. An example of what can be done with this is a cold reset which still has access to the memory from GameOS. Don't let this die out, people; I'm taking a big risk by giving you all this information.

- Thanks to mitchy, my personal hard drive. Note: I did not upload the documents, and if requested I'll remove the links.

Example of what can be done with this: untouched memory on cold boot, full access to lv2 and all GameOS memory.

Below is some additional information from IRC, along with Mathieulh claiming ownership of the PS3 CPU Exploit released by DarkHacker:

Mathieulh: Matt_P, yeah, it has nothing to do with an exploit; all it allows is dumping 1.10 to 3.15 lv2
Mathieulh: using a coldboot and a small stub
Mathieulh: I gave this trick to darkhacker on MSN months ago, looks like he leaked it for fame. I don't give a damn anyway, I am just pissed at lamers leaking stuff
Mathieulh: even useless stuff like this
Mathieulh: and of course you can't dump metldr or any loader for that matter using this trick
Mathieulh: it's not even an exploit, the reset line is actually used every time your PS3 resets
Mathieulh: it's a feature
Mathieulh: you just abuse it, of a sort, along with OtherOS to dump lv2
Mathieulh: since we can decrypt lv2 you don't really need to dump it anymore...
Mathieulh: not to mention OtherOS is gone

From defyboy:

"All this does is reset the Cell processor to its initial state after bootup. It exploits a weakness in the security where RAM is not cleared on bootup.

In order to successfully complete this hack we would need to write to an area of memory that would be executed on startup. There are two ways to do this: we could either do it with hardware or with software. Doing it by hardware is out of the question, as the RAM is encrypted and we are not able to access the keys required to access it. The other way would be via software, as was done with geohot's memory glitching exploit, which ran through OtherOS.

Basically, we need to execute our own code to write to memory. If we are capable of doing this in the first place, what is the need for this hack? There is none."

Finally, from rms:

"Uhm, the thing is, you have to have access to that RAM, and you need OtherOS or another kernel that has access to that area of RAM. You also have to make sure nothing writes to that region, which will surely almost never happen. You also need enough luck to get geohot's dangling HTAB exploit working.

See, a hash page table has the page table entries (PTEs) which provide virtual-address-to-physical-address (VA-to-PA or VA-to-RA) translation, which is a mapping for virtual addresses such as 08000000000000001 to a physical address such as 040000000000. The dangling HTAB exploit is known to work in firmware 3.41 and 3.15. One needs to glitch the RAM bus when the page table write occurs, then create a new virtual page entry and hope it lies in the region you want.

Then you can dump your data. This requires some good luck, though, and some good button pressing skills! Also, this is very, very, very far from metldr. asecure_loader, or metldr, is decrypted inside the isolated SPU, or synergistic processing unit (/me shakes fist at Sony's lawyers for calling it a "Stable Processing Unit"), which is not accessible by any other SPU or PowerPC unit. The only thing that has access to that SPU is the program inside the isolated SPU.

Also, I don't trust this guy because... he confused nanosecond RAM timing with millisecond RAM timing. There's a huge difference! 1 millisecond is about 1 million nanoseconds.

Also, this is not the exploit Mathieulh tweeted about. This is far from it; it's sort of like as far as the South Pole is from the North Pole."
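As an added example (written for this page, not code from the original post or from anyone quoted in it), here is a small C model of the 64-bit PowerPC hashed page table that rms describes: the primary and secondary hash, the AVPN encoding of a PTE, a lookup that searches both PTEGs the way the MMU does, and a scan of a dumped table for valid entries whose real page number falls inside a chosen physical window, which is the check one would run to see whether a stray entry "lies in the region you want". The PTE layout follows Power ISA Book III-S for 4 KB pages in 256 MB segments; the PS3 hypervisor's own HTAB handling is not covered, and every VSID, address and target window in the demo is a constructed value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PTES_PER_GROUP    8
#define HPTE_V_AVPN_SHIFT 7
#define HPTE_V_SECONDARY  0x2ULL                 /* H: entry sits in its secondary PTEG */
#define HPTE_V_VALID      0x1ULL                 /* V */
#define HPTE_R_RPN        0x0ffffffffffff000ULL  /* real page number (page-aligned address) */
#define HPTE_R_PP         0x3ULL                 /* page-protection bits */
#define HASH_MASK         0x7fffffffffULL        /* the hash is 39 bits wide */

typedef struct { uint64_t v, r; } hpte_t;                   /* one 16-byte PTE */
typedef struct { hpte_t *pte; uint64_t n_groups; } htab_t;  /* n_groups is a power of two */

/* Primary hash for 4 KB pages in a 256 MB segment: VSID XOR 16-bit page index. */
static uint64_t hpt_hash(uint64_t vsid, uint64_t ea)
{
    return (vsid ^ ((ea >> 12) & 0xffff)) & HASH_MASK;
}

/* AVPN = bits 0:56 of the 80-bit VA: the VSID plus the top 5 bits of the page
 * index. The low 11 bits of the index are implied by which PTEG the entry was
 * hashed into, which is why a lookup must check both the group and the AVPN. */
static uint64_t avpn_of(uint64_t vsid, uint64_t ea)
{
    return ((vsid << 28) | (ea & 0x0fffffff)) >> 23;
}

/* PTEG index: primary uses the hash, secondary its complement. */
static uint64_t group_of(const htab_t *h, uint64_t hash, int secondary)
{
    return ((secondary ? ~hash : hash) & HASH_MASK) & (h->n_groups - 1);
}

static htab_t *htab_new(uint64_t bytes)
{
    htab_t *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->n_groups = bytes / (PTES_PER_GROUP * sizeof(hpte_t));
    h->pte = calloc(h->n_groups * PTES_PER_GROUP, sizeof(hpte_t));
    if (!h->pte) { free(h); return NULL; }
    return h;
}

static void htab_free(htab_t *h) { if (h) { free(h->pte); free(h); } }

/* Fill the first free slot of the primary PTEG, else of the secondary PTEG
 * with H set. Returns the slot index, or -1 when both groups are full. */
static int64_t htab_insert(htab_t *h, uint64_t vsid, uint64_t ea, uint64_t pa, uint64_t pp)
{
    uint64_t hash = hpt_hash(vsid, ea);
    uint64_t v = (avpn_of(vsid, ea) << HPTE_V_AVPN_SHIFT) | HPTE_V_VALID;
    uint64_t r = (pa & HPTE_R_RPN) | (pp & HPTE_R_PP);
    for (int sec = 0; sec < 2; sec++) {
        uint64_t base = group_of(h, hash, sec) * PTES_PER_GROUP;
        for (int i = 0; i < PTES_PER_GROUP; i++) {
            hpte_t *p = &h->pte[base + i];
            if (p->v & HPTE_V_VALID) continue;
            p->v = v | (sec ? HPTE_V_SECONDARY : 0);
            p->r = r;
            return (int64_t)(base + i);
        }
    }
    return -1;
}

/* Translate (vsid, ea): search both PTEGs for a valid entry whose H bit and AVPN match. */
static bool htab_lookup(const htab_t *h, uint64_t vsid, uint64_t ea, uint64_t *pa)
{
    uint64_t hash = hpt_hash(vsid, ea), avpn = avpn_of(vsid, ea);
    for (int sec = 0; sec < 2; sec++) {
        uint64_t base = group_of(h, hash, sec) * PTES_PER_GROUP;
        for (int i = 0; i < PTES_PER_GROUP; i++) {
            const hpte_t *p = &h->pte[base + i];
            if (!(p->v & HPTE_V_VALID)) continue;
            if (!!(p->v & HPTE_V_SECONDARY) != sec) continue;
            if ((p->v >> HPTE_V_AVPN_SHIFT) != avpn) continue;
            *pa = (p->r & HPTE_R_RPN) | (ea & 0xfff);
            return true;
        }
    }
    return false;
}

/* Walk every slot of a dumped table and report valid entries whose RPN lies
 * in [lo, hi): does any live mapping, dangling or not, reach the region of interest? */
static size_t htab_find_rpn_in(const htab_t *h, uint64_t lo, uint64_t hi, int64_t *out, size_t max)
{
    size_t n = 0, total = h->n_groups * PTES_PER_GROUP;
    for (size_t s = 0; s < total && n < max; s++) {
        uint64_t pa = h->pte[s].r & HPTE_R_RPN;
        if ((h->pte[s].v & HPTE_V_VALID) && pa >= lo && pa < hi) out[n++] = (int64_t)s;
    }
    return n;
}

/* Constructed scenario: two ordinary mappings plus one stray valid PTE whose RPN
 * points into a window the guest is normally never given (hypothetical addresses
 * chosen for the example). Returns 0 when every check passes. */
static int run_demo(void)
{
    htab_t *h = htab_new(256 * 1024);      /* smallest HTAB: 2048 PTEGs of 8 entries */
    if (!h) return 1;
    int rc = 0; uint64_t pa = 0; int64_t hits[4];
    if (htab_insert(h, 0x1234, 0x00010000, 0x02000000, 2) < 0 ||
        htab_insert(h, 0x1234, 0x00011000, 0x02001000, 2) < 0 ||
        htab_insert(h, 0xbeef, 0x00400000, 0x08040000, 2) < 0) rc = 2;
    else if (!htab_lookup(h, 0x1234, 0x00011234, &pa) || pa != 0x02001234) rc = 3;
    else if (htab_lookup(h, 0x1234, 0x00012000, &pa)) rc = 4;   /* never mapped */
    else if (htab_find_rpn_in(h, 0x08000000, 0x08100000, hits, 4) != 1) rc = 5;
    else printf("slot %lld maps into the target window: v=%016llx r=%016llx\n",
                (long long)hits[0], (unsigned long long)h->pte[hits[0]].v,
                (unsigned long long)h->pte[hits[0]].r);
    htab_free(h);
    return rc;
}

int main(void) { return run_demo(); }
```

The lookup for effective address 0x12000 fails even though its AVPN equals that of the two real entries: the top five bits of the page index are all zero for the three pages, so only the PTEG index (the low eleven bits of the hash) tells them apart, which is exactly why a glitched or mis-hashed entry can end up valid in one group yet unreachable from the address the kernel thinks it mapped.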

PS3 CPU Exploit Released by DarkHacker, METLDR Exploitation


#35 - costocart - March 9, 2011 // 5:58 am
To Mathieulh... stop whining! You have the knowledge but you're too afraid to share it... that's your problem. But please shut up when other people are willing to take the risk to share this kind of info with the public.

#34 - pjmiller435 - March 8, 2011 // 11:16 am
Amen! Finally headed in the right direction.

#33 - moja - March 8, 2011 // 4:24 am
Damn, that's what I get. Thanks for clearing that up, guys.

#32 - tonybologna - March 8, 2011 // 3:48 am
Quoting barrybarryk:
Yes, but Math found this months ago; he just happened to teach it to some kiddie, Dark, a few days ago, who decided to post it and claim it as his own.. just another script kiddie looking for e-fame.

That's what I was referring to, barry, in saying it was basically the same thing as before.

#31 - DeViL304 - March 7, 2011 // 9:02 pm
Correct, only it was pretty much a year ago that Math told "Dark" about it. He probably knew about it for longer; geohot developed a bld that would dump the RAM on booting OtherOS.

#30 - barrybarryk - March 7, 2011 // 7:31 pm
Yes, but Math found this months ago; he just happened to teach it to some kiddie, Dark, a few days ago, who decided to post it and claim it as his own.. just another script kiddie looking for e-fame.

#29 - tonybologna - March 7, 2011 // 7:27 pm
Exactly! It's basically the same thing. Math is the one that supposedly found a new one. This isn't new at all!

#28 - tjay17 - March 7, 2011 // 7:15 pm
I wonder if this can lead to a modchip where it does not matter what firmware is on the PS3, and possibly load backups from a disc.

#27 - barrybarryk - March 7, 2011 // 7:11 pm
I'm just trying to explain that this exploit is neither new nor of any use: it doesn't allow anything we couldn't do before, doesn't run on firmware that it didn't before, and has nothing to do with JB devices or 3.56 hacking.

#26 - xrayglasses - March 7, 2011 // 6:57 pm
Who do you think I was talking about, and what do you think I mean by 'new way of old method'? Also, LS has never been in XDR; LS-Shadow param mirrors its vector, if that's what you mean..

This can be done via PUP too.. maybe no payload in lv2, but definitely PUP.. but go on, I have better things to do than comment further..