
February 7, 2010 // 11:09 am - A few days ago xorloser ported the GeoHot PS3 Hack Exploit to all PlayStation 3 Firmware versions, and today he has detailed the required SX28 microcontroller hardware and shared the source code.

To quote: This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don't want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, but the RAM didn't receive the write command due to our interference and so it did not perform the write operation.

The easiest (and moderately safe) way to interfere with these control lines is to ground them. This is done easily enough by connecting a wire between one of the control lines and ground. The tricky part is timing it just right so that it only interferes with the write we want to stop, and not anything that occurs before or after this write. This might be achievable with costly equipment and a lot of work, however geohotz used the simple method of "luck". This involves repeatedly preparing the situation to best favour the chance of overwriting the correct write command and then continually grounding a control line until either something crashes that shouldn't or the mark is hit stopping the write operation from occurring. At this point the exploit has been successfully triggered!

Now that you know how it works, it is time to implement it. A connection is required to the control line that will be grounded as well as a connection to ground. These two wires then need to be connected to each other momentarily. If you were to try and do this manually as fast as you could you might connect them for a millisecond or so, however RAM control lines are very fast so 1ms is going to interfere with way too many commands. Instead these lines need to be connected to some hardware that is able to bridge the connection between them for very small periods of time at once. Geohotz suggests a connection period of 40 nanoseconds.

There are many ways that some hardware can be made to perform this short connection. Geohotz used an FPGA he had on hand in order to do it. Others have suggested using a 555 timer, however I have not heard of anyone having any success with this method. I used a small sx28 microcontroller I had on hand due to using it for a project some years ago. It runs at 50MHz with an instruction cycle of 20 nanoseconds, which means it should be fast enough to provide the 40 nanosecond connection required.

The first step is to take apart your PS3 in order to expose the top side of the motherboard. Once you do so look for one of the following areas on it depending on what version PS3 you have.

This first picture is from an old 60GB PS3 which came with the 4 USB ports and the card readers. You can see I have soldered a wire to the side of a resistor. This is the connection to the PS3 RAM control line that you need to solder on. I suggest you route this wire down and then to the left of the two pronged power plug you can see. My wire continues downward in this picture, but I found that doing so caused interference in the wire that would unintentionally trigger RAM corruptions. To avoid this you should route it to the left underneath the power plug so that it then comes out of the left side of the PS3 case. You can use a long wire during installation, but try to keep it short when you finalise its routing and final positioning. You can see I used a hot glue gun to ensure any stress placed on the wire will not pull at the solder joint.

This second picture is from an 80GB PS3 with 2 USB ports and no card readers. This was the model that was out just before the "fat" PS3s were replaced by the "slim" PS3s, so it is a newer motherboard revision where there are two RAM chips on both sides of the motherboard instead of all four on one side. In this picture I have circled the trace you should solder to for your RAM control line connection. In order to solder to this I used a craft knife to carefully scratch the paint off the top of the trace to expose the copper underneath which I then soldered a wire to. Once connected you should route this wire straight down towards the front of the case to best avoid interference in the wire from other parts of the PS3. Once again try to keep the final wire nice and short.

Next you need to get a ground connection. This is done the same way for both motherboard versions and is very easy. You can just wrap a wire around any of the metal screws that screw into the metal shielding that covers the top of the motherboard. You don't even need to solder it, just wrap it under the screw head and screw it into place. This wire should be routed out of the console next to your other control line wire.

The above two wire connections are common to any implementation of a hardware trigger. The following is specific to how I did my hardware trigger but you may implement your trigger however you want. Note that I initially tried wiring 5 Volts of power out next to these lines but doing so continually resulted in unwanted interference in the control line causing the PS3 to crash while booting.

For my hardware trigger I used an SX28 microcontroller which I bought years ago as part of this programming kit. To use the SX28 you need the SX28 chip, a way of programming the chip (usually an SX-Key or SX-Blitz) and an oscillator to drive the SX28 chip at 50MHz. All of these are included in the above programming kit. Maybe if enough people buy from them and mention xorloser they'll send me a USB version of the SX-Key instead of my old serial based one :/

Below is a crappy schematic of my circuit which I drew in Windows Paint. Please note that I am using the programming kit I mentioned above which utilises the SX-Key programmer in place of an oscillator while the SX-Key is attached. I do not have an external oscillator so I'll leave the hooking up of that to you. Just take note that you do need either an oscillator or SX-Key attached in order to make the chip run.

This SX28 sourcecode is the last piece of the puzzle. Program this to your SX28 chip using the free SX-Key Editor software from Parallax. Once this is all hooked up to your PS3 you should be able to send a "pulse" (grounding of the control line) to the PS3 by pressing the switch. You should use a temporary-on push button switch to do so since it will keep sending pulses every 100ms if the switch stays connected. The LED on the right side of the schematic is just there to give the operator some feedback. It will light up when a pulse is sent to let you know that the circuit is working as it should.

I should mention that if you look at my SX28 sourcecode you will see that it appears as if I am sending a 360 nanosecond long pulse. I do not know how long the pulse is that actually gets sent as I do not have any hardware that I can measure the pulse with (yet). Possibly there are hardware induced delays that occur when changing the direction of the port which means that although I am waiting 360 ns, it still only sends a pulse that is about 40 ns. To arrive at the 360 ns value I tried many values making the pulse as short as I could until it didn't trigger anymore, then I increased it just a little bit to get the shortest pulse that still works.

Phew, this is finally the end of this post. My next post will tie it all together along with some software I have written to dump your own hypervisor and more. Cya.

GeoHot PS3 Hack Exploit SX28 Hardware Tutorial By Xorloser



#17 - PS4 News - February 7, 2010 // 7:25 pm
Quote Originally Posted by TUHTA:
well, and where to get this code?

Either you didn't fully read the Tutorial or you missed the link in it.

Go back, take your time, and read it... searching for the hyperlinked words "SX28 sourcecode" in it near the bottom.

As I mentioned the other day, it's cheaper than the GeoHot FPGA way ($150-200 range) as this only costs $50-100 for the parts.

#16 - TUHTA - February 7, 2010 // 7:22 pm
Quote Originally Posted by CJPC:
To program it - no, you don't need to know programming. xorloser was nice enough to give the full source code; you can just compile it and flash it onto the SX28.

well, and where to get this code?

And so actually I can go the easy way, so I can just place a 50ghz resonator and just not worry about programming the sx28? So actually it is so expensive, it costs like 90$!! This is not much cheaper... so.. well, xorloser just used an LED to see how it's working or something?

#15 - CJPC - February 7, 2010 // 7:11 pm
Quote Originally Posted by TUHTA:
well... on his pic it's like 2 wires that must be wired to the PS3's grounds? I mean like the top one must be connected to PS3 ground... and the left one too?

And well, to program it do I have to know programming? And where must I wire the 50mhz resonator? And which LED do I have to use?

You might want to wait for someone to make something more user friendly; the ground lines get tied together, so any line going to ground goes to ground.

The LED should not matter too much - you could probably get away without it if you really wanted to. The 50MHz resonator needs to get wired into pins 26 and 27 I believe (check the datasheet).

To program it - no, you don't need to know programming. xorloser was nice enough to give the full source code; you can just compile it and flash it onto the SX28.

#14 - Rav - February 7, 2010 // 7:08 pm
This helps a lot.. thanks, lots of good progress now. Very excited to see what else is gonna happen soon with the scene.

#13 - TUHTA - February 7, 2010 // 7:07 pm
well... on his pic it's like 2 wires that must be wired to the PS3's grounds? I mean like the top one must be connected to PS3 ground... and the left one too?

And well, to program it do I have to know programming? And where must I wire the 50mhz resonator? And which LED do I have to use?

#12 - CJPC - February 7, 2010 // 6:58 pm
The "thing" at the top is ground, connect that to the PS3's ground.

You will also need a programmer for the SX28, as well as a 50MHz resonator to set the clock speed of the chip. xorloser did not use one as he used the SX28 development kit, which has one built in (essentially).

As for 6-9 volts, you "might" be able to use a 9V battery (maybe), or any external 6-9V DC source!

#11 - TUHTA - February 7, 2010 // 6:54 pm
He wrote that 5 volts will crash the PS3 at boot... so where to get 6-9 volts? I don't have a tester... to test where I can find the voltage that I need... so please help? So, do we need to program it?? So I think it's more difficult than the 555 one? Ha? Please help... I will buy it tomorrow and assemble it and go test it!

Well i just need:

10 ohm resistor
LED (but which one??)

Is that it? And I still can't understand what the "thing" is that's on top of the picture near the 6-9 volts... so I just do not need to do that? Or is it part of something? (LED or etc.)

#10 - bostwick - February 7, 2010 // 6:53 pm
I love seeing this. Man, you guys are good. This is so cool.. keep up all the work. Thanks!

#9 - zhixiang - February 7, 2010 // 6:51 pm
Very impressive work xorloser. You've done great work in PS3 hacking. The method is easier than Geohot's original hack. The soldering part is only two wires; I believe one has to be soldered to the trace for the control line and the other is just a ground wire (any ground on the motherboard will work).

The microcontroller part is very simple too. I wish I knew more about reverse engineering. Otherwise, I could really lend a hand to help analyze the lv0/lv1 hypervisor dumps. Good luck xorloser, CJPC and the DEVS. Find an exploit and let's hack this "unhackable" beast.

#8 - PS4 News - February 7, 2010 // 6:46 pm
You need to read the post, it's self-explanatory so there is nothing more I can say about the pic.