PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

December 26, 2009 // 7:22 pm - This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, has returned to Sony PS3 hacking after his initial announcement a few months back and has opened a PS3 hacks blog (linked above).

He recently made this Tweet:

"I just pulled everything from the USB bus... http://pastie.org/757313 the Cell processor SPI bus, PS3 is going down :-)"

These are the latest posts on his new PS3 hacks blog:

Cell SPI

The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.

Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.


A Real Challenge

The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.

I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)

GeoHot Resumes Sony PS3 Hacking, Opens PS3 Hacks Blog

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.



#142 - PS4 News - January 20, 2010 // 8:38 pm
PS4 News's Avatar
Quote Originally Posted by aries2k6 View Post
Just wondering what the devs here think about this?

One of them said the following on IRC about it today: "fuzzing lv1 calls could be interesting" but that is about it. CJPC is busy with his latest "toy" which arrived today and will be covered in this weekend's Site News update.

#141 - aries2k6 - January 20, 2010 // 6:56 pm
aries2k6's Avatar
Now this looks interesting and from what another user on his blog commented, it's even got more my attention. Just wondering what the devs here think about this? Maybe a serious attack point or just another stone wall.

Alot of technical talk above me but i picked up things like glitching lvl 1 data before it hits the HV or something like that... I think, lol

#140 - shalina - January 20, 2010 // 3:54 pm
shalina's Avatar
Update: No ECC
Just cause I can't read the ram bus doesn't mean I can't mess with it.


greetings
George Hotz said...
Really Dumbed Down Version: No, you still don't get an aimer hack for MW2.

Yea, the HV is in XDR, top 2MB. I'm trying now to glitch the page tables to allow R/W to the page tables themselves. Then I can map w/e I want, including the hypervisor R/W

#139 - PS4 News - January 20, 2010 // 1:33 pm
PS4 News's Avatar
Another brief update from his Blog comments:
George Hotz said...
@Rich Thanks a lot for the offer, but I imagine the hard part is wiring it up. The proper way to do this is to design a passthrough board. Not sure I'm willing to put that time in yet.

To people asking if it'll work on the slim, what are you asking if it'll work? This is exploration, not a final product you get. And it never will be, learned my lesson with blackra1n.

@Paunstefan Obvious troll is obvious.

I'm trying now to find a GPIOish thing I can use to tell the injector when to inject. Thinking flash reads, but for some reason they aren't working.

#138 - Mathieulh - January 20, 2010 // 1:16 pm
Mathieulh's Avatar
Quote Originally Posted by Haksam View Post
They were angry idiots who wanted geohot to deal with the new iphone bootrom. They dont even know what NAND is god save their new iphones (for being cheap and waiting for the price to drop)

Blackrain app solely developed by geohot and appreciated by the devs as one of the last few exploitations found until Apple learned their lesson and improved the security.

If one area has been tried, there's no harm trying again. This is why you never be pessimistic about something, so what if there's official documents to brag about a security system, even stupid idiots like IBM can have flaws and they definitely wouldn't document that in a public PDF. If this thing ever got hacked, Sony is gonna be pissed with IBM rather than the public for cracking it.

I can see you never even read these docs to begin with. Perhaps you should and then make your statement.

These documentations are very detailed about the cell security architecture and quite accurate.
Quote Originally Posted by modzila View Post
Suppose in a way you could say that the peeps hacking the PS3 are actually doing $ony a favour; one could say that $ony might learn a lesson just before releasing the PS4. That is if George exhibits something before the PS4's development is finished.

The idea to use PS3s as a blade server does tickle my nerdy gland though in case heavy computational power is required, wouldn't it be impressive that 20 million CELLs are out there and could be linked by the Internet. (Sure there are already supercomputers out there, with the power of Petaflops, but only in hands of a few)

Back to the topic, I am glad to read this show is back on the road and I don't care, Hacking is useful for society (Micro$oft backfilling holes in IE after hackers used it to attack Google, anyone...?)

Sony already learned their lesson from various plateforms, namely the xbox360 (they actually made the drive quite hard to mess with), the psp, the playstation 2 etc etc

Of course hacking a console always teaches a lesson to someone, but that still defeats millions of dollars previously put into security researches and implementations.

#137 - TUHTA - January 20, 2010 // 12:09 pm
TUHTA's Avatar
well it's nothing on his blog..

#136 - Mdiv - January 20, 2010 // 11:04 am
Mdiv's Avatar
Quote Originally Posted by Preceptor View Post
Hmmmm Good to know Geohot is still working on the ps3, despite the fact that he blatantly ignore all of Mathieulh's advices. I still wish him good luck for all our sakes

I kinda respect him for not appearing to take on Mathieulh's advice. A lot in the world wouldn't happen if you just believed what another man says is gospel.

#135 - TUHTA - January 20, 2010 // 7:50 am
TUHTA's Avatar
Quote Originally Posted by Raze1988 View Post
He said the following (also on the first page of this thread):

thank you so Raze1988.. i'm waiting

#134 - modzila - January 20, 2010 // 7:19 am
modzila's Avatar
Suppose in a way you could say that the peeps hacking the PS3 are actually doing $ony a favour; one could say that $ony might learn a lesson just before releasing the PS4. That is if George exhibits something before the PS4's development is finished.

The idea to use PS3s as a blade server does tickle my nerdy gland though in case heavy computational power is required, wouldn't it be impressive that 20 million CELLs are out there and could be linked by the Internet. (Sure there are already supercomputers out there, with the power of Petaflops, but only in hands of a few)

Back to the topic, I am glad to read this show is back on the road and I don't care, Hacking is useful for society (Micro$oft backfilling holes in IE after hackers used it to attack Google, anyone...?)

#133 - Haksam - January 19, 2010 // 8:15 pm
Haksam's Avatar
Quote Originally Posted by Sh1m3oN View Post
I don't share what have posted some people in his blog. The offensive comments aren't utility! He only want try...


They were angry idiots who wanted geohot to deal with the new iphone bootrom. They dont even know what NAND is god save their new iphones (for being cheap and waiting for the price to drop)

Blackrain app solely developed by geohot and appreciated by the devs as one of the last few exploitations found until Apple learned their lesson and improved the security.

If one area has been tried, there's no harm trying again. This is why you never be pessimistic about something, so what if there's official documents to brag about a security system, even stupid idiots like IBM can have flaws and they definitely wouldn't document that in a public PDF. If this thing ever got hacked, Sony is gonna be pissed with IBM rather than the public for cracking it.