PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

March 15, 2010 // 2:52 pm - Just over a month ago the PS3 Hypervisor lv2 (GameOS) was dumped and GeoHot hinted that it was accomplished by commanding an SPU to load METLDR.

Today dondolo let us know that simone has detailed how to load METLDR in SPU isolation mode on the PlayStation 3 and included some source code.

While this is definitely a step forward, he still doesn't specify what the read/write u32 functions are... or which functions to add to the recent XorHack release.

Those interested can check it out below, and to quote:

"After some experiment I succeded to load METLDR in spu isolation.

You need geohot's exploit to do this, because you need to turn spu relocation off (MFC_SR1[R]=0) and not let know the HV you are using a SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work in HV way."

How to Load METLDR in SPU Isolation Mode on PlayStation 3

How to Load METLDR in SPU Isolation Mode on PlayStation 3

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.



#48 - Siggy12 - March 19, 2010 // 2:47 am
Siggy12's Avatar
Quote Originally Posted by DaweedFTW View Post

Just wondering, and maybe CJPC can tell, if it wouldn't be easier, once the lvl2 hole is found, to have some sort of "re-signed" firmware update to convert every retail PS3 to a debug/test unit, with the possibilities it would offer.

Yeah .. I'm totally agree... for me CJPC know very well debug and tool firmware so for him will be very easy convert a retail in a debug system or find a hole for execute code in a retail firmware, I hope that we will have LV2 dump very soon.

#47 - DaweedFTW - March 18, 2010 // 10:13 am
DaweedFTW's Avatar
Quote Originally Posted by MimmoD360 View Post
I would like to know what's the next step in order to run unsing code has isoloader or homebrew

Thx

Looks like we're quite far far away from running unsigned code, at least on every unit. My guess is that we first need to dump lvl2 gameOS, reverse it to find exploitables holes, use a hole to software-kick isolated SPU and replace it with a custom one that would automatically "validate" each pkg/self thrown at it.

We are not yet having the lvl2 dump, so there's still a loooong way to go for a simple hello world, and the dev most prolly are working on the second step toward the full hack of the PS3 (the first one being geohot exploit to R/W ram), dumping GameOS.

Just wondering, and maybe CJPC can tell, if it wouldn't be easier, once the lvl2 hole is found, to have some sort of "re-signed" firmware update to convert every retail PS3 to a debug/test unit, with the possibilities it would offer.

#46 - SCE - March 18, 2010 // 10:08 am
SCE's Avatar
Quote Originally Posted by MimmoD360 View Post
I would like to know what's the next step in order to run unsing code has isoloader or homebrew

Thx

Instead of consuming your time with subscribing, you should have read the entire thread to get the answer.

#45 - MimmoD360 - March 18, 2010 // 9:15 am
MimmoD360's Avatar
I would like to know what's the next step in order to run unsing code has isoloader or homebrew

Thx

#44 - r3pek - March 18, 2010 // 5:48 am
r3pek's Avatar
Quote Originally Posted by CJPC View Post
Actually the SPU_PX() is defined in the released code - however, both read/write_u32 do need to be added in to XorHack - namely the author says it does, plus it's not there.

But the hack does need to be done first, as xorlosers code provides the nice set of tools to interact between kernel and user mode, and adds in functions that the SPU isolation code calls.


Ok, then it's solved

I suppose that those functions are for I/O i can only program them on x86/64 asm... not ppc asm... If you stil want them, just post

#43 - CJPC - March 17, 2010 // 8:31 pm
CJPC's Avatar
Quote Originally Posted by r3pek View Post
Don't think there's anything to add to XorHack's code. Just compile a new module to be "modprobed" after the hack is done (i'm not sure even if the hack has to be done).

anyway, read_uXX(in_address) reads a 32/64 bit value from in_address. write_uXX does the exact opposite. The problem you have are not the functions, it's the constants SPU_PX(XXXXX), but they could be already defined in the kernel, really don't know...


Actually the SPU_PX() is defined in the released code - however, both read/write_u32 do need to be added in to XorHack - namely the author says it does, plus it's not there.

But the hack does need to be done first, as xorlosers code provides the nice set of tools to interact between kernel and user mode, and adds in functions that the SPU isolation code calls.

#42 - r3pek - March 17, 2010 // 7:44 pm
r3pek's Avatar
Quote Originally Posted by PS3 News View Post
CJPC said he would once the missing details are available (what the read/write u32 functions are, which functions to add to the XorHack, etc) so no worries.


Don't think there's anything to add to XorHack's code. Just compile a new module to be "modprobed" after the hack is done (i'm not sure even if the hack has to be done).

anyway, read_uXX(in_address) reads a 32/64 bit value from in_address. write_uXX does the exact opposite. The problem you have are not the functions, it's the constants SPU_PX(XXXXX), but they could be already defined in the kernel, really don't know...

#41 - Raze1988 - March 16, 2010 // 7:38 pm
Raze1988's Avatar
Oh wow, once again all eyes are upon CJPC and his team

But it's really interesting that things like that turn up out of nowhere. Shows that the "well known" PS3 sceners aren't the only ones who can achieve something.

#40 - SenorPickle - March 16, 2010 // 7:02 pm
SenorPickle's Avatar
Quote Originally Posted by waleed View Post
noob here, what does that mean and what outcome can happen for end users?

Advice: Read the entire thread before asking a question that was already answered. That way you don't look like a dumbass.

Actually I take that back, you quoted the answer you were looking for when you posted your question. If you don't understand what "running unsigned code from the XMB" means perhaps you should do some googling.

#39 - waleed - March 16, 2010 // 5:06 pm
waleed's Avatar
Quote Originally Posted by CJPC View Post
Well, as we all know, LV2 = our glorious kernel. With the kernel, it can be reversed and holes can be looked for - possibly leading the way to load unsigned code straight from the XMB without any hardware (on any model of PS3, slim included).

Of course, it may only be usermode code (or, perhaps kernel mode), but it would still be a very nice step in the right direction!

noob here, what does that mean and what outcome can happen for end users?