
272w ago - Just over a month ago, the PS3 Hypervisor lv2 (GameOS) was dumped, and GeoHot hinted that it was accomplished by commanding an SPU to load METLDR.

Today dondolo let us know that simone has detailed how to load METLDR in SPU isolation mode on the PlayStation 3 and included some source code.

While this is definitely a step forward, he still doesn't specify what the read/write u32 functions are... or which functions to add to the recent XorHack release.

Those interested can check it out below, and to quote:

"After some experiments I succeeded in loading METLDR in SPU isolation.

You need geohot's exploit to do this, because you need to turn SPU relocation off (MFC_SR1[R]=0) and not let the HV know you are using an SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work the HV way."

How to Load METLDR in SPU Isolation Mode on PlayStation 3

#38 - dante489 - 271w ago
Quote Originally Posted by Pu3Ho:
And what will you do if holes aren't found? Which way will you go then? Create a modchip or something like that? (I don't even own a PS3 and am just interested.)

Think of it like this: you're searching for a treasure but you don't have a map, so you don't know where to begin your search. If you get the map, you now know the location of the treasure. No one knows for sure if you'll find it or not, but at least you know its place. This level2 dump is like a map for the PS3 OS; a lot of hidden info will be available for devs after they get it. Maybe they'll get lucky and find holes in the system that will lead them to software hacks.

About the modchip, we have geohot's method... it's already doing a modchip's job.

#37 - Pu3Ho - 271w ago
Quote Originally Posted by CJPC:
Well, as we all know, LV2 = our glorious kernel. With the kernel, it can be reversed and holes can be looked for - possibly leading the way to load unsigned code straight from the XMB without any hardware (on any model of PS3, slim included).

Of course, it may only be usermode code (or, perhaps kernel mode), but it would still be a very nice step in the right direction!

And what will you do if holes aren't found? Which way will you go then? Create a modchip or something like that? (I don't even own a PS3 and am just interested.)

#36 - sapperlott - 271w ago
Whoops - forgot to add that.

This is how isolation mode is handled by spufs. This basically does the same but might be a bit more readable:
http://lxr.linux.no/#linux+v2.6.33/arch/powerpc/platforms/cell/spufs/run.c#L81

#35 - CJPC - 271w ago
Quote Originally Posted by Pu3Ho:
Hm, can anyone here explain to me what we will have if we dump lv2? Even geohot said he has an lv2 dump but it changes nothing...

Well, as we all know, LV2 = our glorious kernel. With the kernel, it can be reversed and holes can be looked for - possibly leading the way to load unsigned code straight from the XMB without any hardware (on any model of PS3, slim included).

Of course, it may only be usermode code (or, perhaps kernel mode), but it would still be a very nice step in the right direction!

#34 - sapperlott - 271w ago
Interesting - if I got this right, spu_isolation_ldr_kmod.c assumes that METLDR is located at absolute address 0x11000 (high 0x00000000, low 0x00011000) - at least that's what it passes into channels 3 and 4. When I look at that offset in the leaked HV dump, I see nothing particularly interesting.

Did I miss something or is this address just an offset on top of an (unknown) base address?

#33 - PS4 News - 271w ago
Quote Originally Posted by pcsx2006:
Great news indeed, and I hope someone from the PS3NEWS native DEVS could dump the lvl2 (GameOS) using this method.

CJPC said he would once the missing details are available (what the read/write u32 functions are, which functions to add to XorHack, etc.), so no worries.
Quote Originally Posted by koerdecke:
Very nice; when, for example, CJPC manages to do this, he must leak the dump.

Definitely, the lv2 dump needs to be in the eyes of more than a select group of people who keep all the useful things internal and then whine when people want updates. There are countless others willing to help out without the egos or hypocritical anti-warez stance.

SkyOfHitmen: Nice to see you around... I'm sure you're aware that what GeoHot last posted was parroted from loser, who helps talented folks like GeoHot when he has the time but doesn't wish to get involved in scene BS.

Anyway, whatever you may contribute will be welcomed of course!

#32 - Pu3Ho - 271w ago
Hm, can anyone here explain to me what we will have if we dump lv2? Even geohot said he has an lv2 dump but it changes nothing...

#31 - lavatar - 271w ago
Quote Originally Posted by SkyOfHitmen:
People seem to blame me for not giving infos, but I can't (and won't) as long as I don't have solid ones to give. Like 'Boss' already mentioned, Hitmen is known for passing infos that are checked, tested and somewhat "ready to use", and not "hey, look at me, I understood the publicly available PDFs and can do some code"... anyways, still searching/trying around...

You are not the bad guy in this game. The French man and egohot are holding back information...

#30 - SkyOfHitmen - 271w ago
People seem to blame me for not giving infos, but I can't (and won't) as long as I don't have solid ones to give. Like 'Boss' already mentioned, Hitmen is known for passing infos that are checked, tested and somewhat "ready to use", and not "hey, look at me, I understood the publicly available PDFs and can do some code"... anyways, still searching/trying around...

#29 - koerdecke - 271w ago
Very nice; when, for example, CJPC manages to do this, he must leak the dump.

Sooo... keep up the good work