GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!


270w ago - As a BIG follow-up to his Sample PS3 Linux Isolated SPU Loader Code, GeoHot has now released his coveted PS3 hack so end-users can exploit their non-Slim PlayStation 3 Entertainment System!

Essentially, it patches the PS3's hypervisor (lv1) to add two new hypervisor calls, a peek and a poke, that read and write any real memory address, which gives OtherOS unrestricted access to all of the system's memory.

To quote: "In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works.

I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu.

Good luck!"

Usage Instructions:

Compile and run the kernel module.

When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times, I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked, it's your job to figure out something useful to do with it.

How it works:

geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
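The sequence in the chat log above, as an added model written for this page; it is not geohot's code and not the PS3 hypervisor. A guest maps one real page through many htab entries, the page is freed, and one of the hypervisor's invalidating writes is dropped by a bus glitch, leaving a valid mapping to memory that lv1 believes is free. Beside the naive free is a free that reads each entry back and retries, which is the check a hypervisor would want against exactly this fault. Two assumptions are labelled in the code: the glitch is modelled as a single silently lost write, and the verification read is assumed to bypass the CPU cache (on a real Cell the cache could still hold the value the write intended, so a cached read-back would not notice the miss). The model also leaves the other half of the bug alone: the hypervisor letting the guest learn a real address through map_htab/write_htab in the first place.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTAB_ENTRIES 64
#define PTE_VALID (1u << 0)
#define PTE_RW    (1u << 1)

typedef struct {
    uint64_t real_addr;   /* real (physical) address the entry maps */
    uint32_t flags;       /* PTE_VALID | PTE_RW */
} pte_t;

typedef struct {
    pte_t htab[HTAB_ENTRIES]; /* the htab as it sits in memory */
    bool  page_allocated;     /* hypervisor's view of the target page */
    int   glitch_at;          /* ordinal of the write to drop, -1 = none */
    int   writes_seen;        /* writes issued so far */
    int   glitches_caught;    /* retries forced by the verifying free */
} hv_t;

/* Assumption: the glitch is exactly one write that never reaches memory. */
static void bus_write(hv_t *hv, int idx, pte_t value)
{
    if (hv->writes_seen++ == hv->glitch_at)
        return;               /* dropped: memory keeps the old entry */
    hv->htab[idx] = value;
}

/* Guest setup from the log: every htab slot maps one real page, r/w. */
void guest_fill_htab(hv_t *hv, uint64_t real_addr)
{
    memset(hv, 0, sizeof *hv);
    hv->glitch_at = -1;       /* no glitch while filling */
    hv->page_allocated = true;
    for (int i = 0; i < HTAB_ENTRIES; i++) {
        pte_t e = { real_addr, PTE_VALID | PTE_RW };
        bus_write(hv, i, e);
    }
    hv->writes_seen = 0;      /* count only the writes made by the free */
}

/* Naive free: invalidate every entry for the page and trust the writes. */
void hv_free_page_naive(hv_t *hv, uint64_t real_addr)
{
    pte_t inv = { 0, 0 };
    hv->page_allocated = false;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (hv->htab[i].real_addr == real_addr)
            bus_write(hv, i, inv);
}

/* Verifying free: read each entry back (assumed cache-inhibited) and
 * retry until the invalidation is really in memory.  Returns false if an
 * entry cannot be invalidated; a real hypervisor should then refuse to
 * hand the page back to the allocator. */
bool hv_free_page_verified(hv_t *hv, uint64_t real_addr)
{
    pte_t inv = { 0, 0 };
    hv->page_allocated = false;
    for (int i = 0; i < HTAB_ENTRIES; i++) {
        if (hv->htab[i].real_addr != real_addr)
            continue;
        bool done = false;
        for (int attempt = 0; attempt < 4 && !done; attempt++) {
            bus_write(hv, i, inv);
            done = (hv->htab[i].flags & PTE_VALID) == 0;
            if (!done)
                hv->glitches_caught++;
        }
        if (!done)
            return false;
    }
    return true;
}

/* The exploit condition: valid entries still pointing at a freed page. */
int count_stale_mappings(const hv_t *hv, uint64_t real_addr)
{
    int stale = 0;
    if (hv->page_allocated)
        return 0;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if ((hv->htab[i].flags & PTE_VALID) && hv->htab[i].real_addr == real_addr)
            stale++;
    return stale;
}

/* Run one scenario end to end; returns the number of stale mappings. */
int run_scenario(bool verified, int glitch_at)
{
    hv_t hv;
    const uint64_t page = 0x8000000ULL;  /* constructed real address */
    guest_fill_htab(&hv, page);
    hv.glitch_at = glitch_at;
    if (verified)
        hv_free_page_verified(&hv, page);
    else
        hv_free_page_naive(&hv, page);
    return count_stale_mappings(&hv, page);
}

int main(void)
{
    printf("no glitch, naive free:   %d stale\n", run_scenario(false, -1));
    printf("glitch, naive free:      %d stale\n", run_scenario(false, 17));
    printf("glitch, verifying free:  %d stale\n", run_scenario(true, 17));
    return 0;
}
```

Build with `cc -std=c99 htab_model.c`. With the glitch armed on the 18th write, the naive free leaves one entry valid and pointing at the freed page, which is the r/w window the log describes; the verifying free notices the missed write on read-back and repeats it, leaving none. The retry cap of four is arbitrary; the important part is that an unrecoverable mismatch is reported as failure rather than ignored.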

On the Isolated SPUs

Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

I wonder if any systems out there are actually secure?


Comments 289

#279 - lilstevie - 267w ago
That source is for a processor module for his disassembler that he created. Having worked with EDA in the past, it would be nice for an SPU library to exist; it's much more intuitive than IDA.

#278 - worstenbroodje - 267w ago
Here is a blog comment from geohot. could be something useful..
George Hotz said...

If someone wants to be useful, and can code in a little "language" I created, help me out.

http://github.com/geohot/eda-2/blob/master/spu.isdf is an Instruction Set Descriptor File For EDA, my disassembler. Someone pick up the syntax and finish it, SPU docs are public

To see what EDA is http://www.youtube.com/watch?v=9VO74HdCex0

[code]# SPU Instruction Set Descriptor File
# by geohot
# part of "The Embedded Disassembler"

# Registers is a reserved keyword
# Makes Registers_0 Registers_1 Registers_2... in global scope
# Haha, that would've been nice if true
# I don't think % is a reserved keyword
Registers 128 %0 %1 %2 %3 %4 %5 %6 %7 %8 %9
Registers 128 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19
Registers 128 %20 %21 %22 %23 %24 %25 %26 %27 %28 %29
Registers 128 %30 %31 %32 %33 %34 %35 %36 %37 %38 %39
Registers 128 %40 %41 %42 %43 %44 %45 %46 %47 %48 %49
Registers 128 %50 %51 %52 %53 %54 %55 %56 %57 %58 %59
Registers 128 %60 %61 %62 %63 %64 %65 %66 %67 %68 %69
Registers 128 %70 %71 %72 %73 %74 %75 %76 %77 %78 %79
Registers 128 %80 %81 %82 %83 %84 %85 %86 %87 %88 %89
Registers 128 %90 %91 %92 %93 %94 %95 %96 %97 %98 %99
Registers 128 %100 %101 %102 %103 %104 %105 %106 %107 %108 %109
Registers 128 %110 %111 %112 %113 %114 %115 %116 %117 %118 %119
Registers 128 %120 %121 %122 %123 %124 %125 %126 %127
Registers 32 PC

# Special Strings
ProgramCounter `PC`
LinkRegister `%R0`
StackPointer `%R1`
ProgramCounterOffset 0

# Instruction Comprehensions start here
# An instruction runs through all matching until it hits Stop
# * is don't care
# spaces are ignored
# any lowercase letter is a local variable
# DefaultChange, Registers are special global words
# Stop, Change, Parsed are special local words
# Everything else is a string, with all whitespace stripped
# Curly braces mean insert variable, undeclared vars are empty

# Parsed
# Parsed can be recursive, use percent to insert
# |...| is eval string to hex

# Noob notes
# |...| is eval string to hex
# {...} is get variable
# {{...}} is get register indexed by variable
# [...] is dereference
# `...` is "address of"

# So to clarify, [`{{n}}`] is the dereferenced address of the register indexed by the variable "n". Got that?
# Though I don't understand {|{ri}|} for immeds, why the second get variable

# DefaultChanges apply to the inverse condition of anything targeting the target
# If that makes sense at all

# I don't think signed(as in like + and -) is handled yet

# This will not be a simulator for now

####DefaultChanges####

DefaultChange 32 `PC` [`PC`]+4

####Memory-Load/Store Instructions####

# Load Quadword (d-form)
00110100 iiiiiiiiii aaaaaaa ttttttt
ri {i}
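As an added example for this page, not part of EDA and not geohot's file: a C decoder for the bit-pattern lines of the instruction-description syntax quoted above, where '0' and '1' are fixed bits, spaces are ignored, and each lowercase letter names a field. It is applied to the one concrete line the excerpt gives, the lqd d-form "00110100 iiiiiiiiii aaaaaaa ttttttt". Only that bit layout comes from the file; the encoder, the field names as array indices, and the sample words are constructed here, and the `ri {i}` parse directives that follow a pattern in the real format are not handled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFIELDS 26
/* The lqd d-form line from the .isdf excerpt above. */
#define LQD_PATTERN "00110100 iiiiiiiiii aaaaaaa ttttttt"

typedef struct {
    bool     matched;
    uint32_t field[NFIELDS];  /* value of field 'a'..'z' */
    int      width[NFIELDS];  /* bit width of each field, 0 if absent */
} decoded_t;

/* A pattern is well formed when its non-space characters are '0', '1' or
 * a lowercase field letter and there are exactly 32 of them. */
static bool pattern_ok(const char *pat)
{
    int bits = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == ' ')
            continue;
        if (*p != '0' && *p != '1' && (*p < 'a' || *p > 'z'))
            return false;
        bits++;
    }
    return bits == 32;
}

/* Match a word against a pattern, most significant bit first, and collect
 * the bits of each lettered field.  matched stays false on any fixed-bit
 * mismatch, i.e. the word is some other instruction. */
decoded_t isdf_decode(const char *pat, uint32_t word)
{
    decoded_t d;
    int bit = 31;
    memset(&d, 0, sizeof d);
    if (!pattern_ok(pat))
        return d;
    for (const char *p = pat; *p; p++) {
        if (*p == ' ')
            continue;
        uint32_t b = (word >> bit--) & 1u;
        if (*p == '0' || *p == '1') {
            if (b != (uint32_t)(*p - '0'))
                return d;
        } else {
            int f = *p - 'a';
            d.field[f] = (d.field[f] << 1) | b;
            d.width[f]++;
        }
    }
    d.matched = true;
    return d;
}

/* Inverse of isdf_decode: assemble a word from per-letter field values. */
uint32_t isdf_encode(const char *pat, const uint32_t fields[NFIELDS])
{
    int width[NFIELDS] = {0}, used[NFIELDS] = {0};
    uint32_t word = 0;
    if (!pattern_ok(pat))
        return 0;
    for (const char *p = pat; *p; p++)
        if (*p >= 'a' && *p <= 'z')
            width[*p - 'a']++;
    for (const char *p = pat; *p; p++) {
        uint32_t b;
        if (*p == ' ')
            continue;
        if (*p == '0' || *p == '1') {
            b = (uint32_t)(*p - '0');
        } else {
            int f = *p - 'a';
            b = (fields[f] >> (width[f] - 1 - used[f]++)) & 1u;
        }
        word = (word << 1) | b;
    }
    return word;
}

/* Constructed helper: an lqd word with immediate i, registers a and t. */
uint32_t encode_lqd(uint32_t i, uint32_t a, uint32_t t)
{
    uint32_t fields[NFIELDS] = {0};
    fields['i' - 'a'] = i;
    fields['a' - 'a'] = a;
    fields['t' - 'a'] = t;
    return isdf_encode(LQD_PATTERN, fields);
}

int main(void)
{
    uint32_t word = encode_lqd(3, 5, 7);   /* constructed sample */
    decoded_t d = isdf_decode(LQD_PATTERN, word);
    printf("word 0x%08x matched=%d i=%u (%d bits) a=%u t=%u\n", word,
           d.matched, d.field['i' - 'a'], d.width['i' - 'a'],
           d.field['a' - 'a'], d.field['t' - 'a']);
    d = isdf_decode(LQD_PATTERN, word ^ 0x80000000u);
    printf("word 0x%08x matched=%d\n", word ^ 0x80000000u, d.matched);
    return 0;
}
```

A disassembler built on this would try each pattern in the file in turn and stop at the first match, which is what the "runs through all matching until it hits Stop" comment in the excerpt describes; fixed-bit mismatches reject a pattern cheaply before any field is assembled.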

#277 - ekrboi - 267w ago
he has already figured out the "how".. what he is saying is that he can now force the spu to decrypt pkgs or selfs.. I would assume he can use them to decrypt anything.

#276 - worstenbroodje - 267w ago
sounds interesting? or is this just something that was already known?

#275 - dante489 - 267w ago
so what now? can we say that the ps3 entire system is down or what?

#274 - Pcsx2006 - 267w ago
What I get from his update is that now he can command/force any of the SPUs to decrypt any pkgs or selfs, and even modify/make a custom hypervisor. Would that mean he can run unsigned code? Or maybe I'm all wrong.

#273 - h3lder - 267w ago
I understand it like this (correct me if I'm wrong):

The problem now is to be solved by cryptoanalysis. Pkgs are visible now - but that's not a big deal - they are encrypted! So are firmware update downloadable files.

I understand Geohot is saying that now "we" can try to decrypt this files from the inside (don't imagine how) - and because of that inside approach it will be easy(er).

#272 - Tender Phantom - 267w ago
George states that you can decrypt pkgs, would I be right in thinking that includes the files extracted from updates? If so then I'm guessing it would make it easier for people to analyse the firmware for possible "bugs"

#271 - PS4 News - 267w ago
Quote Originally Posted by semitope:
What did Geohot do?

Unfortunately nobody here is a mindreader, so until he publishes his "theories" it would be a waste of time to speculate on tweets like that.

Edit: I see he has now updated his blog with more specific details, as follows:
On the Isolated SPUs

Today I verified my theories about running the isolated SPUs as crypto engines. So to people like this, sorry you are wrong.

In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

I wonder if any systems out there are actually secure?

So basically he's saying according to his research iQD's theory isn't correct is all.

#270 - semitope - 267w ago
Today I validated my theories about running the isolated SPUs on the PS3 as crypto engines. The PS3 is 100% hacked. So where my homebrew at?

What did Geohot do?

 

© 2015 PlayStation 4 News