
300w ago - Over the weekend geohot, famous for unlocking Apple's iPhone, posted a few tweets on his Twitter account saying that he has begun looking into hacking Sony's PS3 console.

He has also dropped by our Forums to enquire about the PS3 Hypervisor Decryption Keys, and has been in touch with CJPC via IRC as well.

To date, geohot has reported the following via tweets:

"ooo got access to a couple more pages of ram...still no hypervisor there tho. it's hiding in the top 2 MB.

anyone know if the 360 guys had a pt hypervisor to reverse?

my goal is to break out of the hypervisor... then see what my morals will allow.

gotta flip one little bit to hack the ps3. unfortunately the ps3 doesn't want me to flip it.

so, the hypervisor is in the first 0x1000 pages of RAM...think I could just pull an address line down and dump? not from kernel tho

PS3 memory map http://pastie.org/589218 ... why did I think this would be useful again? i really want these dumps @ bootloader

it'd be nice if that worked, linux accesses sandboxed part of nand... 4mb of uselesses.

hacking the PS3, not hacked in three years how long will it take me?"

Apple iPhone Unlocker GeoHot Begins Hacking Sony's PS3

#71 - leuch3rd - 299w ago
From the looks of it, it does look like geohot is having a tough time. Too bad. Just wondering if there was any update on the 'big news'; even if I don't understand an inkling of what the devs do, news is news and is interesting nonetheless.

#70 - PS4 News - 299w ago
Originally posted by jirachi155:
do you think there will be near-news about this?... from his words it sounds like he is convinced that it will take less time than we thought.

From the sound of his last few tweets, I would say probably not too soon...

@p0sixninja any attack will be way beyond what fuzzing can discover. everything is whitelisted, and all data is passed in registers.
10:34 AM Aug 29th from web in reply to p0sixninja

how is it that half way through a dma transfer it knows i touched the page tables? i hate invisible hypervisors
about 22 hours ago from web

#69 - jirachi155 - 299w ago
do you think there will be near-news about this?... from his words it sounds like he is convinced that it will take less time than we thought.

#68 - Dibblah - 300w ago
Originally posted by AvidFFXIer:
Sounds like he's having a hard time with this PS3. If I were him, I'd see what that unused core is doing; maybe he'll have better luck on the slim since its hypervisor has been stripped.

The hypervisor still exists, it is just that the external interfaces to it have changed due to newer hardware. They are unwilling to publish the new interfaces.

#67 - AvidFFXIer - 300w ago
Sounds like he's having a hard time with this PS3. If I were him, I'd see what that unused core is doing; maybe he'll have better luck on the slim since its hypervisor has been stripped.

#66 - PS4 News - 300w ago
A few more updates from geohot's twitter:

@KushanTheCat NAND is all encrypted, and pretty useless. RAM is what I need

@Quark0ne found something weird last night, gotta figure out what __ioremap is doing

i'm getting mad pissed at this PS3, LPM is locked down too. 11 processors, 3 MMUs, 0 exploits. hardware people know security

And some more from xorloser's blog:
George Hotz says:
August 17, 2009 at 3:08 pm
Started looking into the PS3 today. I assume the hypervisor is a piece of software; how do I dump it or extract it from an update? Can it be updated? With all those commands there’s gotta be an overflow somewhere.

xorloser says:
August 17, 2009 at 3:21 pm
The hypervisor is software yes, however you cannot easily dump or extract it. Also unlike simpler CPUs the PS3 has memory protection which only allows execution of “code memory” and “code memory” is always set to “read only”. The xbox360 is similar in this respect, however in both cases the hypervisor should be able to bypass these rules.

One day when I get some time I plan on doing a writeup on the PS3 security and its various layers. It is quite interesting and unlike any other I’ve looked into before.

George Hotz says:
August 17, 2009 at 4:00 pm
I would assume it’s lvl1.self from the nand. But all the programs in the NAND look encrypted. We need to get access to the AES engine. Unless this has already been done.

The DEP isn’t a dealbreaker, it’s the same way in the iPhone. Use a return to libc style attack

xorloser says:
August 17, 2009 at 4:35 pm
Correct, lv1.self is the hypervisor. The keys to decrypt it are stored inside lv1ldr which is a secure loader that runs on the SPU. So to get the lv1 decryption keys you first need the secure loader decryption keys and decrypt lv1ldr. This chain of trust goes back to the initial bootloader that is encrypted using a key stored in the cell hardware itself.

So you find a way around the chain of trust if you want to decrypt the hypervisor.
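The chain of trust xorloser describes (hardware key -> bootloader -> lv1ldr -> lv1.self, each stage carrying the key for the next) modelled as a small Python simulation. This is an added example, not Sony's scheme or code from anyone in the thread: the root key, stage payloads and the HMAC-based toy cipher standing in for AES are all constructed, and the point it shows is that a stage can only be decrypted by walking the chain from the root, and that a tampered or wrongly keyed stage stops the walk there.

```python
import hashlib, hmac, os

# Constructed stand-in for the key fused into the Cell hardware (hypothetical value).
ROOT_KEY = hashlib.sha256(b"constructed-root-key").digest()
CHAIN = ["bootloader", "lv1ldr", "lv1.self"]  # order described by xorloser

def keystream(key, nonce, length):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("image does not verify under this key")
    return xor(ct, keystream(key, nonce, len(ct)))

def build_images(payloads):
    # Manufacturer side: each stage's plaintext is (key of next stage || code).
    keys = {s: os.urandom(32) for s in CHAIN[1:]}
    images, key = {}, ROOT_KEY
    for i, stage in enumerate(CHAIN):
        nxt = keys[CHAIN[i + 1]] if i + 1 < len(CHAIN) else b"\0" * 32
        images[stage] = seal(key, nxt + payloads[stage])
        key = nxt
    return images

def decrypt_chain(images, root_key):
    # Boot-side walk: each stage yields the key for the next; stop at the first
    # image that fails to verify and return the stages that were unlocked.
    key, unlocked = root_key, []
    for stage in CHAIN:
        try:
            plain = open_(key, images[stage])
        except ValueError:
            break
        key, unlocked = plain[:32], unlocked + [stage]
    return unlocked
```

Without ROOT_KEY the bootloader image does not even verify, so the lv1ldr key (and hence the lv1.self key) is never produced; that is the "find a way around the chain of trust" point in the reply above.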

#65 - darksyde - 300w ago
wow, nice development... don't want to get my hopes up, so it's best to just wait and see.

#64 - footylad - 300w ago
With a JIG we will finally be able to repair my bricked console! It's been bricked for 15 months now!

Footylad

#63 - imtoodvs - 300w ago
Originally posted by taladas20:
Ps3 Test/ TOOL unit!

nah, I HIGHLY doubt this. there are quite a few of those floating around these parts, just check the debug forums (my favorite place).

Getting back to the original topic, has anyone got an update on GeoHot's progress? I applaud his effort, & wish him success. On a secondary note, whatever happened to Dark Alex?

#62 - taladas20 - 300w ago
Ps3 Test/ TOOL unit!