PS3 Hack Exploit SX28 Hardware Arrives, Bring on the Hypervisor!

264w ago - Today the PS3 hack exploit SX28 hardware arrived, so we can begin work on dumping the PlayStation 3 Hypervisor to examine!

Up to now, both GeoHot and xorloser have successfully performed the PS3 hack while a few others simply obtained GeoHot's PS3 Hypervisor dump to study privately.

Needless to say, the rest of the PS3 scene, including most of us here, has been waiting to take a peek at the unencrypted bootloader and Hypervisor lv0 and lv1 dumps.

We started by writing an Ubuntu Guide (as did titanmkd HERE) and attempted to use a 555 timer to obtain the 40ns pulse required to trigger the exploit, but like many others who attempted this, we too had no such luck!

Luckily xorloser shared some proper code to trigger a 40ns pulse using an SX28 chip. They are a bit harder to find and a little more expensive (as you also need a programmer), but the method is sound.

That brings us to today: our SX28 chips and programmer arrived, so we will be recreating the hardware and giving this a go soon!

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!

107 Comments

#67 - mushy409 - 264w ago
I bet he has blisters like walnuts on his fingers!

Good job guys, the PS3 is going to be THE console to own this year. The bank has been broken, now for the safe.

#66 - CJPC - 264w ago
Yeah, the biggest problem is really the fact that the exploit itself is, well, a glitch. I mean, the hardware works perfectly; I can get it to start to exploit the box within 20 seconds of trying, every time.

The problem is, 90/100 times the exploit crashes / locks up the PS3 / errors, resulting in the need to reboot and restart.

Once the exploit is planted, then we start running our own kernel module to dump out the real memory. The way we're doing it is, well, unreliable and prone to massive corruption (not to mention slow).

[Register or Login to view code]
(it looks better in a Hex Editor!)

But, with dumping memory to a file you run into other issues. You can't just use file I/O in a kernel module any more, and you can't access lv1_peek from user mode either, so you need to make some additional code to handle it, which is what we're working on now - although I'm open to any suggestions to get it done faster. It's such a pain after your kernel module crashes, having to reboot and re-exploit the PS3!

#65 - PS4 News - 264w ago
Quote Originally Posted by veggav View Post
You are the most patient guy on earth, boss. It's the third time I see this kind of question this week.

Actually, CJPC gets my vote for that... this PS3 exploit is SUPER annoying to get the timing just right so that it triggers but doesn't crash the PS3 (which means restarting each time).

Even bushing from the Wii hacking scene agrees (http://xorloser.com/?p=175#comments), to quote:
I used an FPGA (Spartan3E starter kit) to do this — but for some reason, I was unable to get 40ns pulses to have any effect whatsoever. I kept stretching the pulse width until it started affecting execution — by the time I had the exploit working, my pulse width was approx 200us — yes, that’s 20,000 times the length of the suggested glitch. Did anyone else run into this problem?

This hack is fairly annoying to get working, in the sense that you spend a lot of time mashing a button. It’s also not horribly great for the hardware — you’re briefly overdriving a bus-driver transistor inside the Cell, and you’re probably doing a little bit of damage each time you do it. It may not matter in the long run, but it just feels wrong.

I’ve been able to also trigger the exploit by pulling the Vref on one of the XDR chips down to ground — on the whole, it seems slightly less reliable than the RQ2 glitch, but it’s a lot easier on the hardware and a slightly easier place to solder to.

I think the biggest issue affecting reliability is the timing of the glitch, so I’m putting my effort into fixing that — I think I’ve found a signal I can abuse for the purpose.

The advantage of using the SX28 is that it can trigger the exploit a lot quicker, however, the patience comes into play when it doesn't actually work most of the time.

For example, the HTAB entries take around [51.748028] time was 0x12afa9, 0x1b per, 0, which is like 1/5 reboots.. most of the time it's 0xfc000, so a bit faster but harder to glitch.

In layman's terms, CJPC has done more button-pushing and PS3-resetting in the last 2-3 days than most people have in the last 2-3 years.

#64 - veggav - 264w ago
Quote Originally Posted by PS3 News View Post

Probably not likely, as reversing the HV dumps is extremely tedious and time-consuming so if anything good comes out of it chances are it will be a ways off... but the more people working on it, the better of course!

As I mentioned in another thread, one of the areas CJPC is seeking to examine from the dump is the boot flag data, as he is interested in being able to convert his Service Mode PS3 to a Debug one, or better yet Retail PS3 consoles to Debug units optimistically.

You are the most patient guy on earth, boss. It's the third time I see this kind of question this week.

#63 - Progeria - 264w ago
Quote Originally Posted by PS3 News
Yes, you do not need a PS3 once you have the dumps... anyone with the time and talent can use IDA (on their PC) and xorloser's PS3 plug-ins to begin reverse-engineering the code and looking for "interesting" things.

Great! With all those talented scene and ind crackers I bet the HV will get a hard time..

Will be fun to follow when the dumps get released.

Edit: good timing for the IDA and IDA SDK releases that came out not so long ago.

#62 - SiZMiK - 264w ago
Excellent news, good luck with it.

It's all a bit exciting

#61 - NaTaS69 - 264w ago
Cool news. Keep the updates coming.

#60 - PS4 News - 264w ago
Quote Originally Posted by Lazy Boy View Post
So ETA of the dump is Sunday?

Well, today is Wednesday and CJPC plans to work some more on it, so it really depends on how quickly he is able to get it done. If he does it later today, then there is a good chance they could surface publicly before Sunday, so we'll see how things go.
Quote Originally Posted by Progeria View Post
You'll release a dump of it, so others can try to crack it? Man, that will be nice..

But can all great crackers, without a PS3, also give it a shot? Or do you need a PS3 for it?

Yes, you do not need a PS3 once you have the dumps... anyone with the time and talent can use IDA (on their PC) and xorloser's PS3 plug-ins to begin reverse-engineering the code and looking for "interesting" things.
Quote Originally Posted by dante995 View Post
Does this mean that homebrew will come out soon?

Probably not likely, as reversing the HV dumps is extremely tedious and time-consuming so if anything good comes out of it chances are it will be a ways off... but the more people working on it, the better of course!

As I mentioned in another thread, one of the areas CJPC is seeking to examine from the dump is the boot flag data, as he is interested in being able to convert his Service Mode PS3 to a Debug one, or better yet Retail PS3 consoles to Debug units optimistically.

#59 - dante995 - 264w ago
Does this mean that homebrew will come out soon?

#58 - Progeria - 264w ago
Quote Originally Posted by PS3 News
Correct, once the full lv0 and lv1 dumps are obtained we will sort out the best way to pass them along. My preferred method is through an actual scene release on topsites, but if that doesn't work it will be done via IRC probably... and of course those who grab it from there will upload it to the other channels (P2P, torrents, MU/RS etc).

I can confirm it will definitely NOT be posted here though, only news of the "leak" will be, like all warez releases.

You'll release a dump of it, so others can try to crack it? Man, that will be nice..

But can all great crackers, without a PS3, also give it a shot? Or do you need a PS3 for it?
