
December 26, 2009 // 6:22 pm - This weekend GeoHot, the hacker responsible for several Apple iPhone hacks, has returned to Sony PS3 hacking after his initial announcement a few months back and has opened a PS3 hacks blog (linked above).

He recently made this Tweet:

"I just pulled everything from the USB bus... the Cell processor SPI bus, PS3 is going down :-)"

These are the latest posts on his new PS3 hacks blog:

Cell SPI

The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.

Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.

A Real Challenge

The PS3 has been on the market for over three years now, and it is yet to be hacked. It's time for that to change.

I spent three weeks in Boston working software only, but now I'm home and have hardware. My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip). The PS3 is a prime example of how security should be done, very open docs wise, and the thing even runs Linux. But it isn't unbreakable :-)

GeoHot Resumes Sony PS3 Hacking, Opens PS3 Hacks Blog


#132 - Sh1m3oN - January 19, 2010 // 8:50 pm
I don't share what some people have posted on his blog. The offensive comments aren't useful! He only wants to try...

#131 - Preceptor - January 19, 2010 // 8:02 pm
Hmmmm. Good to know Geohot is still working on the PS3, despite the fact that he blatantly ignores all of Mathieulh's advice. I still wish him good luck, for all our sakes.

#130 - Raze1988 - January 19, 2010 // 8:00 pm
Quote Originally Posted by TUHTA
I still can't understand what he wants to do? I mean, what does he finally get? He wants to attack the CELL, and then what?? Sorry... but I really can't understand.

He said the following (also on the first page of this thread):
Quote Originally Posted by GeoHot
My end goal is to enable unsigned code execution, making every unit into a test and opening up a third party development community, either through software or hardware (with a mod chip).

#129 - TUHTA - January 19, 2010 // 7:41 pm
I still can't understand what he wants to do? I mean, what does he finally get? He wants to attack the CELL, and then what?? Sorry... but I really can't understand.

#128 - smarty94 - January 19, 2010 // 7:00 pm
I hope something comes of this. I'm not sure if Geohot will be able to do much more than the PS3 Dev's have done, but it's nice to have a new angle.

For now... we wait

#127 - Raze1988 - January 19, 2010 // 4:04 pm
Quote Originally Posted by GeoHot
Trying a real attack

Oh boy, wonder what the next update will tell us.

#126 - jayjo - January 19, 2010 // 8:25 am
Another update below...
Quote Originally Posted by geohot
I don't think...
...glitching the memory bus like a savage with a screwdriver is going to work.

Tomorrow, I'll try a real attack.

Mathieulh said...
Indeed it won't xD

Dumping the XDR at runtime is most likely going to require expensive equipment. I'd rather look into the southbridge or syscon than into the SPI bus or elsewhere for now.

#125 - xUb3rn00dlEx - January 19, 2010 // 4:01 am
I am just amazed reading this, due to the amount of knowledge that pours out of these conversations. What do these guys do for a living?! (aside from geo being in school) Now I assume that since they might be going to MSN/IRC, no more updates of the convos will be posted? Thank you for the update!

#124 - PS4 News - January 18, 2010 // 7:46 pm
Some more comment updates:
George Hotz said...
I think we have different goals. My goal isn't to turn units into TESTs, it's to turn them into blades. If I broke through LV1, I could boot the system into blade Linux, and possibly use the NVidia drivers for the GPU.

Hacks on LV2 will be closed within the next update. It's always better to focus on a lower-level loader, because then you get every level from then on. Even if the isolated SPU I can't read is what loads LV2, theoretically I have to be able to call it and make it load (under my own modified hypervisor, perhaps).

Mathieulh said...
Hacks in lv1 would be closed all the same; Sony can update any code from the bootloader to the tiniest part of the VSH. They can also revoke any kind of code from the PlayStation 3 as well. They have SELF and package revocation lists, applied every time you update your system.

The PlayStation 3 hardware, despite being quite similar (almost identical in its main components) to a blade, is still different; the blade operating system wouldn't run as-is.

The blade's operating system also isn't any more optimised for Cell than PlayStation 3 Linux is. What is optimised is the code that people run on it (mostly for calculation purposes), and it would run at the same speed on OtherOS, provided that the blade systems only had a single Cell with 6 SPEs.

If you want to focus on the lowest-level loader, you need to be aiming at the bootloaders; unfortunately, that is the most unlikely part of the PlayStation 3 to ever be hacked.

You could most likely load lv2 from your hacked lv1, but an integrity/signature check would still be in place, and your lv2 wouldn't load unless it passes that check. (Remember that you can't even decrypt lv2_kernel from lv1; you still need to rely on the isolated SPU binaries to decrypt and load it, and those would most likely make sure the SELF is properly signed before proceeding. In fact, most likely no code from lv1 does the loading and it is entirely performed by the isolated SPU code; then, once loaded, you are no longer in lv1, and whatever exploit you used to run your code, or whatever code you had running earlier, would not apply.)

Of course, if you could get a decrypted version of lv2 and reproduce the work done by lv2ldr to load it, then it's another story, but it isn't happening anytime soon.

As I said, lv1 is the last thing you should be focusing on; it won't bring much more than what we currently have with OtherOS, and it would certainly not allow you to run many emulators. As you say, you may use the NVIDIA drivers for the RSX (and even then, considering the complexity of GPU drivers and the fact that none of them are open source, there is no certainty about it), but even if you do, the RSX is not as good as advertised; it is a low-end GPU chip. Most (at least all the decent) game developers barely rely on it (if at all) and prefer to use code designed and optimised for the SPUs.

I wish you the best of luck in your project but I still do think that your attack vector is wrong.

George Hotz said...
Assume the SPU does do the loading and verifying, and that's a one-step operation I can't touch. It doesn't matter, as long as my hacked lv1 is still running, because I can just patch lv2 at runtime.

The era of the PS3's relevance as a supercomputer has pretty much passed. For $100, I can buy a GPU (HD4850) that far surpasses the 7 SPUs' capabilities. I more want to hack it to prove I can.

And sure, if it's an lv1 software exploit, it'll be closed next update. But hardware combined with software won't be.

Mathieulh said...
Geohot, what do you mean precisely by "hardware combined with software"?

P.S. Do you have MSN or use IRC? It might be easier than talking through blog posts all the time.

George Hotz said...
Hardware combined with software, for example, using OtherOS to map the htab, then when the HTAB mapping entry is being added, glitch the memory bus data line to add the mapping such that it's R/W instead of just read.

I'm on EFNet as geohot.
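The hand-off Mathieulh describes above (lv1 cannot load a modified lv2_kernel because the isolated loader checks the SELF before loading it, and revocation lists let Sony withdraw even a correctly signed image) can be sketched as a small verified-boot chain. The following Python is an added illustration, not PS3 code and not anything from GeoHot's blog or the thread: it stands in a pinned SHA-256 hash for the signature check (the standard library has no asymmetric crypto), the stage names and image bytes are constructed, and the first stage is simply assumed to be trusted, as a ROM root of trust would be.

```python
"""Toy verified-boot chain (added illustration, not PlayStation 3 code).

Each stage pins the SHA-256 of the stage it is allowed to hand off to,
standing in for the signature check a real loader performs on a SELF.
A revocation list lets the vendor refuse an image whose hash is still
correctly pinned but has since been withdrawn.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str
    image: bytes
    # Hash of the successor this stage is willing to load (None for the last stage).
    next_stage_hash: Optional[str] = None


def build_chain(images: List[Tuple[str, bytes]]) -> List[Stage]:
    """Create the stages and pin, in each one, the hash of the stage after it.
    Assumption: the first stage is the root of trust; on real hardware the pins
    would live inside an immutable, signed first stage."""
    stages = [Stage(name, img) for name, img in images]
    for prev, nxt in zip(stages, stages[1:]):
        prev.next_stage_hash = digest(nxt.image)
    return stages


def verify_chain(stages: List[Stage], revoked: Set[str]) -> Tuple[bool, str]:
    """Simulate the hand-off: stage i loads stage i+1 only if the candidate's
    hash equals the pin stage i holds and the hash is not on the revocation list."""
    for i, stage in enumerate(stages):
        h = digest(stage.image)
        if h in revoked:
            return False, f"{stage.name}: image revoked"
        if i > 0 and h != stages[i - 1].next_stage_hash:
            return False, f"{stage.name}: hash does not match pin held by {stages[i - 1].name}"
    return True, "chain verified"


# Constructed sample images; the names only echo the thread, the bytes are placeholders.
GOOD_IMAGES = [
    ("bootldr", b"bootldr v1 (constructed)"),
    ("lv1", b"lv1 hypervisor v1 (constructed)"),
    ("lv2ldr", b"lv2ldr isolated loader v1 (constructed)"),
    ("lv2_kernel", b"lv2_kernel v1 (constructed)"),
]


def good_chain() -> List[Stage]:
    return build_chain(GOOD_IMAGES)


def tampered_chain() -> List[Stage]:
    """Same pins as the good chain, but the lv2 image was modified after pinning."""
    stages = build_chain(GOOD_IMAGES)
    stages[-1] = Stage("lv2_kernel", b"lv2_kernel v1 (constructed) MODIFIED")
    return stages


def revoked_hashes() -> Set[str]:
    """A revocation list naming the good lv2 hash: a withdrawn firmware build."""
    return {digest(GOOD_IMAGES[-1][1])}


if __name__ == "__main__":
    print(verify_chain(good_chain(), set()))          # (True, 'chain verified')
    print(verify_chain(tampered_chain(), set()))      # rejected: hash mismatch at lv2_kernel
    print(verify_chain(good_chain(), revoked_hashes()))  # rejected: lv2_kernel revoked
```

The two failure cases mirror the thread's two mechanisms: a modified lv2 fails the check held by the stage before it, and an unmodified but withdrawn lv2 fails the revocation list even though its pin still matches. What the toy does not model is GeoHot's reply, that checks made at load time say nothing about memory after the hand-off; that is why verified boot is usually paired with runtime integrity measures.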

#123 - CJPC - January 18, 2010 // 4:54 am
Quote Originally Posted by Raze1988
What exactly does one gain from such dumps?

To be honest, right now not much; it's being over-sensationalized by people. All of the really important stuff happens inside the CELL; it won't just be exposed on an external bus!