
January 26, 2010 // 7:06 pm - As a BIG follow-up to his Sample PS3 Linux Isolated SPU Loader Code, GeoHot has now released his coveted PS3 hack so end-users can exploit their non-Slim PlayStation 3 Entertainment System!

Essentially, it modifies the PS3's hypervisor, adding two calls for reading from and writing to all of system memory.

To quote: "In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works.

I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu.

Good luck!"

Usage Instructions:

Compile and run the kernel module.

When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times, I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked, it's your job to figure out something useful to do with it.

How it works:

geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
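
The invalidation step geohot describes above can be modelled to show why a hypervisor should not trust its own unmap writes before treating memory as free. This is an added example, not code from the exploit or from the PS3: a constructed C toy in which `struct model`, `store`, `release_naive` and `release_verified` are hypothetical names, the fault model drops a chosen run of stores, and the check in `stale` is assumed to read memory itself rather than a cached copy.

```c
#include <stddef.h>
#include <stdint.h>

#define HTAB_ENTRIES 64
#define PTE_VALID    1u
#define MAX_PASSES   3

/* Constructed toy model, not PS3 code: a page table in memory plus a
 * fault model that silently drops stores drop_at..drop_at+drop_len-1. */
struct model {
    uint64_t htab[HTAB_ENTRIES];
    int stores, drop_at, drop_len;
};

static void store(struct model *m, size_t i, uint64_t v) {
    int n = m->stores++;
    if (n >= m->drop_at && n < m->drop_at + m->drop_len)
        return;                      /* glitched write never reaches memory */
    m->htab[i] = v;
}

/* Fill every slot with a valid mapping of the same buffer. */
static void map_all(struct model *m, uint64_t ra) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        m->htab[i] = ra | PTE_VALID;
}

/* Count mappings that still point at the buffer (assumed to read memory). */
static size_t stale(const struct model *m, uint64_t ra) {
    size_t n = 0;
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        n += (m->htab[i] == (ra | PTE_VALID));
    return n;
}

/* Trusts every store, then reports the buffer as free. */
static int release_naive(struct model *m, uint64_t ra) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        if (m->htab[i] == (ra | PTE_VALID)) store(m, i, 0);
    return 0;
}

/* Re-checks after each pass; refuses to free while any mapping survives. */
static int release_verified(struct model *m, uint64_t ra) {
    for (int pass = 0; pass < MAX_PASSES; pass++) {
        release_naive(m, ra);
        if (stale(m, ra) == 0) return 0;
    }
    return -1;                       /* fail closed: keep buffer quarantined */
}
```

With a single dropped store, `release_naive` reports success while one read/write mapping survives; `release_verified` clears it on the second pass, and returns -1 without freeing when the fault persists.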

On the Isolated SPUs

Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

I wonder if any systems out there are actually secure?

GeoHot Releases PS3 Hack, Exploit Your System and Enjoy!


#209 - CJPC - February 4, 2010 // 3:03 am
Originally posted by Mdiv:
You could probably make the circuit for a couple of quid (attached gif) if you don't have access to the components for free. I won't be trying it because tolerances of the components would probably make the pulse time swing wildly and I hate precision oscilloscopes with a passion to test the circuit.

t = R*C*Ln(3)

if t = 40 nS, C = 300 pF then R = 121.21 Ohms

using a 120 Ohm resistor (which is a standard value) gives 39.93 nS.

HEF4016B (Quadruple bilateral switch Data sheet here)

Hey Mdiv,

Gave your circuit a run - alas it does not "appear" to work. Wired into the PS3, it won't even hiccup (vs say, directly grounding the line). Just to make sure, I rebuilt the thing from all new parts (again). Any suggestions?

Edit: Finally got "something" after making a modification (pin 6 held high), basically getting it to successfully install the exploit (twice), but then crashing soon thereafter. Over the course of two hours managed to get it to hit twice, so it may need a bit of work, but the general principle does seem sound - question is, is it too slow, or something else?

#208 - cmccmc - February 3, 2010 // 11:26 pm
I will dump it when all the necessary hardware arrives at my house and a precompiled version of the exploit to dump the hypervisor is released, since I'm too lazy to code it myself.

#207 - arghzzz - February 3, 2010 // 10:16 pm
To my understanding you have to hit exactly at the time it is deallocating the memory. (interrupting the signal)

you should read the articles linked from geohot's log:
The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file's data can still be accessed.

The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor's write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

So it seems like you have to try until you get it right.

#206 - TUHTA - February 3, 2010 // 9:30 pm
Well, I tried this... but I just did not SPAM it... like pressing the button millions of times... I thought that I needed to do it once, and tried, and nothing happened, and I just unsoldered everything from the PS3 and assembled the PS3!

But I thought that my button didn't work... now I think it's working but I need to press the button millions of times. So... here we go... I used USB 5V and GND, think it's OK.

#205 - angelbemine3 - February 1, 2010 // 11:09 pm
Would an avr have the speed to do the 40ns?

#204 - SCE - February 1, 2010 // 9:38 pm
If I will be able to get a tool at a low price to pulse the bus, I will dump my own immediately

And release it

#203 - int0 - February 1, 2010 // 9:23 pm
Thnx for sharing

PS: I got an sms today from UPS so my delivery will be tomorrow I hope I will find time after work to do it until end of this week

#202 - PS4 News - February 1, 2010 // 8:49 pm
Originally posted by titanmkd:
I think I will add a new thread in PS3 Guides for that (I hope I have right to create new Thread, else I will contact you).

Yep, you are a Registered User now so you have permission to start new threads in that section... I just double-checked.

#201 - titanmkd - February 1, 2010 // 8:36 pm
Originally posted by PS3 News:
I gave you a +Rep for your contributions so far TitanMKD, but to answer your question: You should be able to go to "Post Reply" and then scroll down and click "Manage Attachments" and then Browse to the file on your PC and select Upload.


I'm also finishing a tutorial (i'm validating it step by step) called "How To Build GeoHot exploit easily from scratch (from kernel build to exploit run)" with included automatic scripts.

I think I will add a new thread in PS3 Guides for that (I hope I have right to create new Thread, else I will contact you).

Best Regards,


#200 - PS4 News - February 1, 2010 // 8:04 pm
Originally posted by titanmkd:
does anyone know how to post that on this website because i'm new user and I have no right to upload files

I gave you a +Rep for your contributions so far TitanMKD, but to answer your question: You should be able to go to "Post Reply" and then scroll down and click "Manage Attachments" and then Browse to the file on your PC and select Upload.