
February 12, 2010 // 10:22 pm - We are happy to report that the PS3 Hypervisor (LV1) and Bootloader (LV0) have been dumped from the PlayStation 3's RAM. After our SX28 hardware arrived a few days ago, we ran the glitching code and mashed the button for hours until the exploit eventually triggered.

We tried a few different ways to dump the real memory. The biggest "problem" is that a kernel module cannot simply use file I/O to write a dump to disk, and lv1_peek, the hypervisor call that reads real memory, cannot be called from user mode at all.

Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he wrote a kernel module that exposes the "real" PS3 memory as a device under /proc, the interface through which the kernel and userland can interact.

Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can read the device with dd. Each read passes its offset and length to the module, which forwards them to lv1_peek, which in turn reads out the real memory.

Be advised: don't read beyond the PS3's upper memory limit. At around 260MB the PS3 tends to crash; it does not like trying to read beyond the end of RAM (the PS3 has 256MB of XDR main memory, so 260MB is already past it). So, for usage:

First, run the exploit and get it triggered and working - that's the hard part!

Next, download the attached file. Inside are three files: a Makefile, ps3_hv_mem.c and a pre-compiled module. Put them in a folder and run make, which builds the kernel module (ps3_hv_mem.ko) for you; alternatively, use the pre-compiled one. Then simply type: sudo insmod ps3_hv_mem.ko

Enter your password, then check /proc for a ps3_hv_mem entry (or look at dmesg). If it is there, let the dumping begin!

You can dump the PS3 Hypervisor and Bootloader (and the rest of the real memory) via dd, for example with the command:

dd if=/proc/ps3_hv_mem of=PS3_Memory_Dump.bin bs=1024 count=10K

That command dumps 10K blocks of 1024 bytes, i.e. 10485760 bytes or 10MB, which nicely includes the goodies like LV0 and LV1. To dump more, increase the count; the amount dumped is count multiplied by the block size.
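As an added illustration of the read path described above (this is not kakarotoks's ps3_hv_mem module, whose source is in the attachment), here is a user-space model in C of what the /proc read handler has to do: turn the byte offset and length that dd requests into aligned 8-byte lv1_peek calls, and refuse to go past the 256MB end of RAM instead of forwarding the request to the hypervisor. lv1_peek is replaced by a stub over a constructed byte array so the code runs offline; the stub's signature, the PS3_MEM_LIMIT constant and every function name here are assumptions.

```c
/* Added example (not the ps3_hv_mem module from the attachment): a user-space
 * model of the /proc read handler's job. The real module runs in the kernel
 * and forwards reads to the hypervisor; here lv1_peek is replaced by a stub
 * over a constructed byte array so the alignment and bounds logic can be run
 * offline. Function names, the stub signature and PS3_MEM_LIMIT are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The PS3 has 256 MB of XDR main memory. Reads past it are refused here
 * instead of being forwarded (the post reports crashes at around 260 MB). */
#define PS3_MEM_LIMIT (256ULL * 1024 * 1024)

/* Constructed stand-in for real memory: a 4 KB window at real address 0. */
#define SIM_SIZE 4096ULL
static uint8_t sim_mem[SIM_SIZE];

void sim_fill(void)
{
    for (size_t i = 0; i < SIM_SIZE; i++)
        sim_mem[i] = (uint8_t)(i & 0xff);   /* byte value == low 8 bits of address */
}

/* Stub with an assumed lv1_peek-like shape: fetch one aligned 8-byte word
 * (big-endian, as on the Cell PPE) at a real address, or fail with -errno. */
int lv1_peek_sim(uint64_t addr, uint64_t *val)
{
    if (addr & 7) return -EINVAL;              /* word-granular only */
    if (addr + 8 > SIM_SIZE) return -EFAULT;   /* unbacked in the simulation */
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | sim_mem[addr + i];
    *val = v;
    return 0;
}

/* How many bytes of a request at byte offset `pos` may be served before
 * the end of RAM. 0 means "at or past the limit", which dd sees as EOF. */
size_t hv_mem_clamp(uint64_t pos, size_t count)
{
    if (pos >= PS3_MEM_LIMIT) return 0;
    if (count > PS3_MEM_LIMIT - pos) count = (size_t)(PS3_MEM_LIMIT - pos);
    return count;
}

/* Model of the read handler: serve `count` bytes from byte offset `*ppos`
 * into `buf` using only aligned 8-byte peeks, advance *ppos, and return the
 * number of bytes produced (a short read on error, -errno if nothing was read). */
ssize_t hv_mem_read(uint8_t *buf, size_t count, uint64_t *ppos,
                    int (*peek)(uint64_t, uint64_t *))
{
    uint64_t pos = *ppos;
    size_t done = 0;

    count = hv_mem_clamp(pos, count);
    while (done < count) {
        uint64_t byte_addr = pos + done;
        uint64_t word_addr = byte_addr & ~7ULL;    /* aligned word containing this byte */
        unsigned skip = (unsigned)(byte_addr & 7); /* leading bytes not requested */
        uint64_t word;
        uint8_t be[8];

        int rc = peek(word_addr, &word);
        if (rc) {
            *ppos = pos + done;
            return done ? (ssize_t)done : rc;
        }
        for (int i = 7; i >= 0; i--) {             /* unpack word to big-endian bytes */
            be[i] = (uint8_t)(word & 0xff);
            word >>= 8;
        }
        size_t n = 8 - skip;
        if (n > count - done) n = count - done;
        memcpy(buf + done, be + skip, n);
        done += n;
    }
    *ppos = pos + done;
    return (ssize_t)done;
}

int main(void)
{
    uint8_t out[16];
    uint64_t pos = 3;                 /* unaligned start, as dd with skip= could produce */
    sim_fill();
    ssize_t n = hv_mem_read(out, 5, &pos, lv1_peek_sim);
    printf("read %zd bytes, offset now %llu:", n, (unsigned long long)pos);
    for (ssize_t i = 0; i < n; i++) printf(" %02x", out[i]);
    printf("\n");
    printf("bytes allowed at 260 MB: %zu\n", hv_mem_clamp(260ULL << 20, 1024));
    return 0;
}
```

The two things worth taking from the model: an unaligned dd offset is handled by fetching the enclosing word and discarding the leading bytes, and a request that reaches the limit is truncated (or returns 0, which dd treats as end of file) rather than being passed on to the hypervisor, which is the crash the post warns about.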

PS3 Hypervisor and Bootloader Dumped from RAM and More!


#79 - PSPSwampy - February 13, 2010 // 8:09 pm
Quote Originally Posted by CJPC
Well, yeah, data could be written back with the lv1_poke function (to write to memory) - however, of course, you don't want to just start writing arbitrary data at random memory locations. It helps to dump the memory and then analyse said data first, before you go off and start writing to it!

Yeah (D'oh!), I just meant that I hoped it was easily possible to do so once that work has been done. More to the point, that the changes will stay resident in memory following a warm reboot. Not that this will help any normal users at this time, but at least it will allow Devs with this hack further opportunities.

Or, you could see what would happen if you just wrote back a whole block of nothing - I'd love to see the result! lol (but then a blank screen probably wouldn't be that exciting now, would it?)

#78 - baddino - February 13, 2010 // 7:57 pm
Big, big news!!! Nice work, m8.

#77 - PS4 News - February 13, 2010 // 7:21 pm
Quote Originally Posted by Neo Cyrus
Can you outline what the planned steps are at this point?

The only thing left that is planned is to release the HV dump code so others can get involved, examine it, reverse it and hopefully find some useful things to share with us and the scene as a result.

CJPC spent the last two weeks on this project primarily because some of the Devs who wanted to peek at it don't have the required hardware or money to dump their own, and as mentioned previously nobody else was sharing.

That said, CJPC now plans to let those who specialize in RE'ing begin their part on it so he can finally resume work on his own projects (PS3 TOOL, PS3 Service Mode, PS3 Debug Guide, etc).

#76 - Neo Cyrus - February 13, 2010 // 6:56 pm
Can you outline what the planned steps are at this point?

#75 - CJPC - February 13, 2010 // 6:30 pm
Quote Originally Posted by PSPSwampy
Great job, CJPC. Just wondering if you've been able to post back into the HV/LV1 memory?

Well, yeah, data could be written back with the lv1_poke function (to write to memory) - however, of course, you don't want to just start writing arbitrary data at random memory locations. It helps to dump the memory and then analyse said data first, before you go off and start writing to it!

#74 - njenge - February 13, 2010 // 6:18 pm
Great job, guys, we are almost there!

#73 - PSPSwampy - February 13, 2010 // 6:03 pm
Great job, CJPC. Just wondering if you've been able to post back into the HV/LV1 memory?

Once the dumps have been fully investigated, my guess would be to try writing back some cool functions and see if they persist after a warm boot into XMB - but that's a ways off yet anyway, I'd think! It would be fantastic if the keys could be bypassed.

Anyway, disassembly is all a bit over my head, so I wish you all the luck in the world and am looking forward to more good news.

PS3 "the un-unhackable console" ?
(don't you just love double negatives)

PSPSwampy.

#72 - chrykel - February 13, 2010 // 5:36 pm
Too bad I got YLOD on my 60gig; now I'm stuck with a slim.

#71 - febag92 - February 13, 2010 // 4:03 pm
My IDA Pro is ready to be used.

Who already has the dump? I can't wait to get it.

#70 - FixxeD9000 - February 13, 2010 // 3:49 pm
heheh. Well done, guys!