
273w ago - As a BIG follow-up to his Sample PS3 Linux Isolated SPU Loader Code, GeoHot has now released his coveted PS3 hack so end-users can exploit their non-Slim PlayStation 3 Entertainment System!

Essentially, it modifies the PS3's hypervisor, adding two hypervisor calls that allow reading from and writing to all of system memory.

To quote: "In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works.

I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu.

Good luck!"

Usage Instructions:

Compile and run the kernel module.

When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times, I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked, it's your job to figure out something useful to do with it.

How it works:

geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
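The step the chat describes, a deallocation whose HTAB invalidation never reaches memory, leaves valid entries pointing at a page the hypervisor believes is free. The toy model below is an added example (not GeoHot's code and not the real PowerPC PTE format or Sony's hypervisor): it simulates one dropped store during invalidation, shows the dangling mapping that results, and contrasts a deallocate that trusts its stores with one that reads each entry back before releasing the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy HTAB: 64 entries, 16 real pages. Hypothetical layout. */
#define HTAB_ENTRIES 64
#define REAL_PAGES   16

typedef struct { bool valid; bool writable; uint32_t real_page; } pte_t;

typedef struct {
    pte_t htab[HTAB_ENTRIES];
    bool  page_allocated[REAL_PAGES];
    int   drop_write_at;   /* fault injection: this Nth HTAB store is lost */
    int   writes_seen;
} hv_t;

/* Model of writing one PTE back to memory; returns false if the store is lost. */
static bool htab_store(hv_t *hv, int idx, pte_t v) {
    if (hv->writes_seen++ == hv->drop_write_at) return false;
    hv->htab[idx] = v;
    return true;
}

/* Guest fills the whole HTAB with writable mappings of one page it owns. */
void map_page_everywhere(hv_t *hv, uint32_t page) {
    hv->page_allocated[page] = true;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        hv->htab[i] = (pte_t){ .valid = true, .writable = true, .real_page = page };
}

/* Audit: valid PTEs that still point at a page no longer allocated. */
int count_dangling(const hv_t *hv) {
    int n = 0;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (hv->htab[i].valid && !hv->page_allocated[hv->htab[i].real_page]) n++;
    return n;
}

/* Trusting deallocate: issues the invalidations and assumes all of them landed. */
void dealloc_trusting(hv_t *hv, uint32_t page) {
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (hv->htab[i].valid && hv->htab[i].real_page == page)
            htab_store(hv, i, (pte_t){ 0 });
    hv->page_allocated[page] = false;
}

/* Verified deallocate: reads each entry back and retries; releases the page
 * only once no valid mapping to it remains. Returns false if it gives up. */
bool dealloc_verified(hv_t *hv, uint32_t page) {
    for (int attempt = 0; attempt < 3; attempt++) {
        bool clean = true;
        for (int i = 0; i < HTAB_ENTRIES; i++)
            if (hv->htab[i].valid && hv->htab[i].real_page == page) {
                htab_store(hv, i, (pte_t){ 0 });
                if (hv->htab[i].valid) clean = false;   /* read-back disagrees */
            }
        if (clean) { hv->page_allocated[page] = false; return true; }
    }
    return false;
}
```
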

On the Isolated SPUs

Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

I wonder if any systems out there are actually secure?

GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!


#219 - CJPC - 271w ago
CJPC's Avatar
Quote Originally Posted by TUHTA View Post
Pins on what? HFE... or NE555? Just, can you upload your new flasher diagram?

I've yet to try this (will later) but the diagram that Mdiv mentioned, wiring pin 6 to 2, is attached!

#218 - mrbeers - 271w ago
mrbeers's Avatar
I'm fairly new to the site. I have been reading through a lot of various threads and noticed that since Geohot released his hack, most people have become impatient and lost their appreciation for the devs that are spending their time and working hard on researching and developing things that will make our PS3 experience a lot better at no cost to us.

So without flaming anyone or calling anyone fake or complaining about what has or has not been done, my thanks and gratitude goes to the people that are working on the PS3. Whether progress has been made or not.

I don't need to mention names. You know who you are. And I hope others will post their appreciation as well.

Thanks.

#217 - TUHTA - 271w ago
TUHTA's Avatar
Pins on what? HFE... or NE555? Just, can you upload your new flasher diagram?

#216 - Mdiv - 271w ago
Mdiv's Avatar
Quote Originally Posted by TUHTA View Post
Mdiv, does your 40ns button fully work? I just assembled it but it isn't?! I just press it sometimes and it's not!!


I haven't made one yet, Uni work has taken priority. Try wiring Pin 6 to Pin 2, that might solve it, I think CJPC has wired Pin 6 to 5V directly. I have seen one-shot 555 timers in both configurations and some work one way and the others work a different way.

Check the data sheet for your 555 chip to see if pin 4 inverts the signal or not. If it does invert it that's fine, if it doesn't wire pin 4 to ground.

#215 - TUHTA - 271w ago
TUHTA's Avatar
Mdiv, does your 40ns button fully work? I just assembled it but it isn't?! I just press it sometimes and it's not!!

#214 - veggav - 271w ago
veggav's Avatar
OK, why a 40ns pulse? 39 and 41ns would not work? O.o

Geohot has guessed the exact right time you need ?

#213 - SCE - 271w ago
SCE's Avatar
OK I have ordered the parts 4016 and 555. So, I am screwed

#212 - Mdiv - 271w ago
Mdiv's Avatar
Quote Originally Posted by conee View Post
I took a look at his datasheet.. seems the propagation delay isn't equal on both sides (high/low vs low/high). Normally that shouldn't be much of a problem, except that the propagation delay difference is on the order of your pulse width. At 5V, the datasheet specifies the worst case for the difference at 10ns, and the typical case at 5ns.

I'm not sure how sensitive the timing is for this glitch to work, but with the circuit the way mdiv designed it, you'll be putting in anywhere from a 45ns pulse to a 50ns pulse (this is also disregarding the capacitor's charging characteristic and whether it performs within a tight enough tolerance).

PSPICE sims with that very circuit gave a high pulse for 30-35 ns, then rolled off down to 0V at 45-50 ns. If you want to replace the bilateral switch with a transistor it might work a little bit better and be more accurate timing-wise. Base to pin 3, Collector to PS3, Emitter to ground. Also, talking to my tutor, the smaller the capacitor the more defined the pulse will be, with less roll-off.

So if you can, try C = 10pF, R = 3k6 Ohms (40 ns).
If no luck, try C = 10pF, R = 3k1 Ohms (to allow for the 5 ns delay).

#211 - p00chie - 271w ago
p00chie's Avatar
It's a shame I've got no PS3. I have a Spartan-3AN evaluation kit and even a Virtex-4 ML405 by my side. What I am trying to say is that if someone gets a board I could provide the source code to trigger the 40ns pulse, and I can create the *.bit file if you tell me the FPGA.

Just a help if someone gets his hands on such a board and doesn't know how to program/code for them.

Msg me if you need any help...

#210 - conee - 271w ago
conee's Avatar
Quote Originally Posted by CJPC View Post
Hey Mdiv,

Gave your circuit a run - alas it does not "appear" to work. Wired into the PS3, it won't even hiccup (vs say, directly grounding the line). Just to make sure, I rebuilt the thing from all new parts (again). Any suggestions?

Edit: Finally got "something" after making a modification (pin 6 held high), basically getting it to successfully install the exploit (twice), but then crashing soon thereafter. Over the course of two hours I managed to get it to hit twice, so it may need a bit of work, but the general principle does seem sound - question is, is it too slow, or something else?

I took a look at his datasheet.. seems the propagation delay isn't equal on both sides (high/low vs low/high). Normally that shouldn't be much of a problem, except that the propagation delay difference is on the order of your pulse width. At 5V, the datasheet specifies the worst case for the difference at 10ns, and the typical case at 5ns.

I'm not sure how sensitive the timing is for this glitch to work, but with the circuit the way mdiv designed it, you'll be putting in anywhere from a 45ns pulse to a 50ns pulse (this is also disregarding the capacitor's charging characteristic and whether it performs within a tight enough tolerance).
