
February 9, 2010 // 10:10 pm - Today the PS3 hack exploit SX28 hardware arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!

Up to now, both GeoHot and xorloser have successfully performed the PS3 hack while a few others simply obtained GeoHot's PS3 Hypervisor dump to study privately.

Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and the Hypervisor lv0 and lv1 dumps.

We started by writing an Ubuntu Guide (as did titanmkd HERE) and attempted to use a 555 timer to obtain the 40ns pulse required to trigger the exploit, but like many others who attempted this, we too had no such luck!

Luckily xorloser shared some proper code to trigger a 40ns pulse using an SX28 chip. They are a bit harder to find and a little more expensive (as you need a programmer), but the method is sound.

That brings us to today: our SX28 chips and programmer have arrived, so we will be recreating the hardware and giving this a go soon!

PS3 Hack Exploit SX28 Hardware Arrives, Bring on the Hypervisor!


#87 - Hortlo - February 11, 2010 // 9:12 am
Please correct me if I'm wrong, but this hack also allows one to write to the HV?

I presume it should be a matter of mapping certain flags and just marking them as true etc to go from retail to debug etc?

#86 - gtxboyracer - February 11, 2010 // 7:19 am
Congrats on that progress.. looks interesting.. tell me, are you able to change any of those commands coming through... maybe one that any time the debug flag comes through switch it on automated of course..

#85 - zangetsu1 - February 11, 2010 // 7:14 am
Nice to see you've made some progress..

#84 - CJPC - February 11, 2010 // 6:49 am
Quote Originally Posted by ekrboi View Post
I'm more of a reader than a poster.. but I had been wondering if this was a one time deal or if it had to be redone every time it reboots.. I assumed by the way it works it had to be redone every time... which I'm sure sucks! Good luck though! I can't wait to see the dumps.. doubt I will find anything with my current limited knowledge but I do know how to work IDA and I'm sure I'll waste a few nights staring at stuff I don't understand for the heck of it =P

It has to be re-done each time the PS3 reboots - it can be quite the pain!

However, progress was made tonight. After the dumping code was changed from my horrible, horrible way to that of one of our devs, things started working (after a bit of debuggery) much, much better!

Basically, the "real" memory gets mapped to a nice file, in which data can be read out, which makes things very convenient - assuming you run over the amount of real memory, crashing the PS3...

We are hoping to have something "user friendly" for the weekend, although there is still the whole hardware issue - it's still a pain to trigger the exploit, even with the SX28.

Needless to say, this is a bit better eh, nice and proper!

7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F64 6576 6963 655F 7479 7065
2829 2072 6561 6420 6570 726F 6D20 6661
696C 7572 6528 2564 290A 6661 6C6C 2062
6163 6B20 746F 2075 7369 6E67 2073 6166
6520 7061 7261 6D65 7465 720A 0000 0000
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F73 735F 7061 7261 6D73 5F72
6570 6F73 6974 6F72 6965 7328 2920 6673
656C 665F 636F 6E74 726F 6C20 3D20 3078
2578 0A00 0000 0000 7365 745F 6673 656C
665F 636F 6E74 726F 6C5F 7265 706F 7369
746F 7279 2829 2066 6169 6C75 7265 0A00
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F73 735F 7061 7261 6D73 5F72
6570 6F73 6974 6F72 6965 7328 290A 0000
7365 745F 6673 656C 665F 636F 6E74 726F
6C5F 666C 6167 2829 2066 6169 6C75 7265
203D 2025 640A 0000 7365 745F 7265 636F
7665 725F 6D6F 6465 5F66 6C61 6728 2920
6661 696C 7572 6520 3D20 2564 0A00 0000
7365 745F 6465 6275 675F 7375 7070 6F72
745F 666C 6167 2829 2066 6169 6C75 7265
203D 2025 640A 0000 7570 6461 7465 5F6D
616E 6167 6572 3A3A 7365 745F 7570 6461
7465 5F73 7461 7475 735F 7265 706F 7369
746F 7279 2829 206D 6F64 6966 7920 7265
706F 7369 746F 7279 2066 6169 6C75 7265

For the lazy (note the nice debug/fself/recover stuff):

update_manager::init_device_type() read eprom failure(%d)
fall back to using safe parameter
update_manager::init_ss_params_repositories() fself_control = 0x%x
set_fself_control_repository() failure
set_fself_control_flag() failure = %d
set_recover_mode_flag() failure = %d
set_debug_support_flag() failure = %d
update_manager::set_update_status_repository() modify repository failure
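For anyone who wants to do the "for the lazy" step themselves, here is a small string extractor, added here as an example and not code from CJPC or the PS3 News team. It takes the hex words exactly as posted above (assumed to be consecutive big-endian 16-bit groups of the dump), rebuilds the byte stream, splits it on the NUL padding between strings and keeps only printable runs, then flags which strings are printf-style format strings and which mention the debug/fself/recover flags. The dump constant is copied from the post; the function names are this example's own.

```python
import re
from typing import Iterable, List

# Hex words exactly as posted in the comment above (consecutive 16-bit groups).
DUMP_HEX = """
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F64 6576 6963 655F 7479 7065
2829 2072 6561 6420 6570 726F 6D20 6661
696C 7572 6528 2564 290A 6661 6C6C 2062
6163 6B20 746F 2075 7369 6E67 2073 6166
6520 7061 7261 6D65 7465 720A 0000 0000
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F73 735F 7061 7261 6D73 5F72
6570 6F73 6974 6F72 6965 7328 2920 6673
656C 665F 636F 6E74 726F 6C20 3D20 3078
2578 0A00 0000 0000 7365 745F 6673 656C
665F 636F 6E74 726F 6C5F 7265 706F 7369
746F 7279 2829 2066 6169 6C75 7265 0A00
7570 6461 7465 5F6D 616E 6167 6572 3A3A
696E 6974 5F73 735F 7061 7261 6D73 5F72
6570 6F73 6974 6F72 6965 7328 290A 0000
7365 745F 6673 656C 665F 636F 6E74 726F
6C5F 666C 6167 2829 2066 6169 6C75 7265
203D 2025 640A 0000 7365 745F 7265 636F
7665 725F 6D6F 6465 5F66 6C61 6728 2920
6661 696C 7572 6520 3D20 2564 0A00 0000
7365 745F 6465 6275 675F 7375 7070 6F72
745F 666C 6167 2829 2066 6169 6C75 7265
203D 2025 640A 0000 7570 6461 7465 5F6D
616E 6167 6572 3A3A 7365 745F 7570 6461
7465 5F73 7461 7475 735F 7265 706F 7369
746F 7279 2829 206D 6F64 6966 7920 7265
706F 7369 746F 7279 2066 6169 6C75 7265
"""


def hex_words_to_bytes(text: str) -> bytes:
    """Rebuild the raw byte stream from whitespace-separated hex words."""
    return bytes.fromhex("".join(text.split()))


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Split a dump on NUL bytes and keep printable ASCII runs of at least min_len.

    Runs of NUL padding between strings collapse to empty chunks, which are
    dropped by the length check; a chunk is kept only if every byte is
    printable ASCII or tab/newline/CR, so binary fields between strings are
    skipped rather than mis-decoded.
    """
    found = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        if all(32 <= b < 127 or b in (9, 10, 13) for b in chunk):
            found.append(chunk.decode("ascii"))
    return found


def format_specifiers(s: str) -> List[str]:
    """Return the printf-style conversions (%d, %x, %08x, %s ...) in a string."""
    return re.findall(r"%[0-9]*[dxXsu]", s)


def strings_mentioning(strings: Iterable[str], keywords: Iterable[str]) -> List[str]:
    """Keep the strings that contain any of the given keywords (case-insensitive)."""
    keys = [k.lower() for k in keywords]
    return [s for s in strings if any(k in s.lower() for k in keys)]


if __name__ == "__main__":
    strings = extract_strings(hex_words_to_bytes(DUMP_HEX))
    for s in strings:
        specs = format_specifiers(s)
        print(repr(s), "<- format string" if specs else "")
    print("flag-related:", strings_mentioning(strings, ("debug", "fself", "recover")))
```

Note that the raw bytes actually hold eight NUL-separated strings, one more than the list above shows, because "update_manager::init_ss_params_repositories()" also appears on its own without the fself_control suffix; the first string contains an embedded newline, which is why it prints as two lines.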

#83 - crazydude - February 11, 2010 // 6:12 am
Those SX chips seem a little slow at 4MHz... will it be able to make quick enough pulses? That's 250 ns per clock tick.

Xilinx sells some nice Spartan 3E boards for less than $200 that have a 25 MHz clockbox on the board, so 40ns is exactly 1 tick from that clock. And they have free synthesis tools on their website.

I guess I better take this godforsaken ps3 apart...

#82 - gtxboyracer - February 11, 2010 // 1:17 am
A snippet from a 2007 IBM doc ($file/CBE_Secure_SDK_Guide_v3.0.pdf) that Mathieulh tweeted.. "Some really informative documentation about the playstation3/cell loaders"

Under section 4.2.4 - it's describing details about signing packages/verifying signatures.. now to get hands on an SDK

[Register or Login to view code]

Stating that the CA (Certification Authority) is stored in the SPE Secure Loader (public key) to verify CA certificates. On the other hand:

[Register or Login to view code]

The Root CA private key for signing packages is embedded in the Root CA

So from what I can gather - it may be impossible for us to get that key to sign our own packages, but we definitely might be able to access the Public key used to verify packages (such as Firmware updates/PSN downloaded content etc) and manipulate to allow packages to pass as valid even with a dodgy signature.

Some more tweets: "The 3.20 update for ps3 is soon to be released, although it is not yet tested, stay away from it until the exploit is known to work with it." "You can use a proxy to bypass the playstation network version checks (at least for now)"

#81 - ernvil - February 11, 2010 // 1:14 am
Hopefully this will lead us to the next step.

Can't wait!

#80 - r3pek - February 11, 2010 // 12:47 am
Quote Originally Posted by PS3 News View Post
Probably not likely, as reversing the HV dumps is extremely tedious and time-consuming so if anything good comes out of it chances are it will be a ways off... but the more people working on it, the better of course!

As I mentioned in another thread, one of the areas CJPC is seeking to examine from the dump is the boot flag data, as he is interested in being able to convert his Service Mode PS3 to a Debug one, or better yet Retail PS3 consoles to Debug units optimistically.

Why don't they export the hypercall to userland? Last time I checked it was easily done on x86 at least. Don't know if it's any different on PPC...

#79 - Hemanleo - February 11, 2010 // 12:19 am
Good luck. Hope we can have something going in the near future!

#78 - Tender Phantom - February 11, 2010 // 12:10 am
This is great, hopefully someone will find something to enable some sweetass homebrew

I was also wondering after you have all snooped around a little and hopefully learnt some new things, would it make it any easier to craft say for example malformed tiff images or saved games etc?