
November 16, 2010 // 11:44 pm - A few days ago we reported on graf_chokolo's progress in decrypting PS3 Firmware 3.50, and today he has made available to the PlayStation 3 Wiki (linked above) his PS3 hypervisor reverse-engineering work to date, as follows:

The hypervisor stores a pointer to some structure per LPAR in the HSPRG0 register. There are actually 2 HSPRG0 values: one for each thread of the Cell CPU !!! There is an HSPRG0 array at 0x8(-0x69A0(HSPRG0)) + 0x20.

LPAR = Logical Partition

lpar1 starts at 0x(unknown), and it's believed to be the memory space where lv1 stores its variables, flags and other data.
lpar2 starts at 0x80000000000 and it's believed to be the memory space where lv2 stores its variables, flags and other data.

The pointer to active LPAR is stored at -0x67E8(HSPRG0).

0x0033CA40 (3.15)

Member variables
offset 0x38 - some pointer
offset 0x50 - LPAR id (8 bytes)
offset 0x70 - pointer to VAS id bitmap
offset 0x78 - power of 2 of word size from VAS id bitmap (4 bytes), equal to 6
offset 0x7C - number of 64-bit words in VAS id bitmap (4 bytes)

Interrupt handling
The pointer to the interrupt handler that is called e.g. when an external interrupt occurs is at -0x69F0(HSPRG0).

0x00001930 (3.15 and 2.60)

Interrupt vector tables
There are 2 interrupt vector tables. One for each thread. The pointer to these tables is at -0x6950(HSPRG0).

offset 0x8 - IIC memory base address (8 bytes)
offset 0x10 - thread register offset (8 bytes)
offset 0x18 - start of interrupt vector table (19 entries, each entry 32 bytes)

Interrupt vector table entry
offset 0x0 - pointer to interrupt handler
offset 0x8 - TOC
offset 0x10 - 0
offset 0x18 - parameter to interrupt handler
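As an added illustration (not part of graf_chokolo's notes), a C decoder for the interrupt vector table layout described above, run against a constructed big-endian dump. The IIC base, TOC and parameter values in the sample are made up; the sample handler address is the 3.15 I/O address translation handler listed further down the page.

```c
#include <stdint.h>
#include <string.h>

/* Layout from the notes above: IIC base at 0x8, thread register offset at 0x10,
 * 19 entries of 32 bytes from 0x18; each entry = handler, TOC, 0, parameter. */
#define IVT_ENTRIES      19
#define IVT_ENTRY_SIZE   32
#define IVT_TABLE_OFFSET 0x18
#define IVT_REGION_SIZE  (IVT_TABLE_OFFSET + IVT_ENTRIES * IVT_ENTRY_SIZE) /* 0x278 */

struct ivt_entry { uint64_t handler, toc, zero, param; };
struct ivt { uint64_t iic_base, thread_regoff; struct ivt_entry e[IVT_ENTRIES]; };
/* Cell is big-endian, so fields are decoded byte by byte regardless of host order. */
static uint64_t be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void put_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}
/* Decode one table. Returns 0 on success, -1 if the dump is too short or an entry's
 * third word, which the notes say is always 0, is not (a cheap consistency check). */
int ivt_parse(const uint8_t *dump, size_t len, struct ivt *out) {
    if (len < IVT_REGION_SIZE) return -1;
    out->iic_base = be64(dump + 0x8);
    out->thread_regoff = be64(dump + 0x10);
    for (int i = 0; i < IVT_ENTRIES; i++) {
        const uint8_t *p = dump + IVT_TABLE_OFFSET + i * IVT_ENTRY_SIZE;
        out->e[i].handler = be64(p);      out->e[i].toc = be64(p + 8);
        out->e[i].zero = be64(p + 16);    out->e[i].param = be64(p + 24);
        if (out->e[i].zero != 0) return -1;
    }
    return 0;
}

/* Constructed sample region (not a real dump): entry 3 points at the 3.15
 * I/O address translation handler listed on the page; other values are made up. */
size_t ivt_make_sample(uint8_t *buf, size_t len) {
    if (len < IVT_REGION_SIZE) return 0;
    memset(buf, 0, IVT_REGION_SIZE);
    put_be64(buf + 0x8, 0x1111000000ULL);   /* made-up IIC base */
    put_be64(buf + 0x10, 0x400);            /* made-up thread register offset */
    uint8_t *e3 = buf + IVT_TABLE_OFFSET + 3 * IVT_ENTRY_SIZE;
    put_be64(e3, 0x002CD7D8ULL);            /* handler: 3.15 I/O address translation */
    put_be64(e3 + 8, 0x00340000ULL);        /* made-up TOC */
    put_be64(e3 + 24, 3);                   /* made-up handler parameter */
    return IVT_REGION_SIZE;
}
```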

Interrupt handlers
Spurious interrupt handler
0x002BC174 (3.15)

0x00219A44 (3.15)
0x002176FC (2.60)

SB bus
0x002B9CC4 (3.15)

I/O address translation
0x002CD7D8 (3.15)
0x002C9214 (2.60)

Performance monitor
0x002F0584 (3.15)
0x002EB1B0 (2.60)

Token manager
0x002BBA9C (3.15)
0x002B754C (2.60)

HV call
The address of HV table is stored at -0x6FC8(HSPRG0).
The address of HV table size is stored at -0x6FD0(HSPRG0).


PS3 Hypervisor Reverse Engineering Progress is Detailed


#19 - Starlight - November 20, 2010 // 4:12 am
Sounds like great news and hopefully will help into unlocking the ps3 fully some day.

#18 - mjgdroid - November 18, 2010 // 8:37 pm
This is awesome, someone finally showed us what the PlayStation can do. There are almost endless possibilities now; this is like the commands in a Linux terminal, although they are numbers not words.

It just fascinates me how the PlayStation reads binary, and this is going to help us unlock everything. Soon we will be changing the dashboard and having the ability to run anything on this godly device.

#17 - whinis - November 18, 2010 // 4:34 am
With the current information we have we can only add more RAM patches (payloads); however, this will eventually lead to the entire PS3's security being broken down. Currently the HV is blocking our access to the juicy things in the PS3, and with more information we can essentially disable the security with a patch and even possibly make our own signed PUPs by extracting very important keys.

This is just sticking our foot in the door of the PS3 though; a tank is around the corner coming to help out.

#16 - War Kid - November 17, 2010 // 9:44 pm
This is ridiculous... and awesome at the same time. lol.

So, is all this leading towards a FW 3.50 jailbreak, or just the ability to downgrade? I'm pretty much up to either one. But... being able to modify the XMB and make custom FW would be sooo cool.

#15 - tragedy - November 17, 2010 // 8:00 pm
This is massively interesting reading... I'd say without a doubt that this is probably the most useful dump of information to date. Props to the guy!

#14 - TechGeek990 - November 17, 2010 // 6:03 pm
Wow, that went way over my head. This guy must be a double agent working inside Sony for us hackers! How else would you explain how he knows all this? Pretty soon we'll even be making grilled ham and cheese sandwiches with our PS3s. Take that, Xbox!

#13 - clouduzz - November 17, 2010 // 4:29 pm
Damn, that's a lot of info, but props to him, especially since it's not all the info. I look forward to the day we have custom firmware with the ability to run anything, including DLC like my Xbox 360 JTAG. Go hackers!

#12 - Ramres - November 17, 2010 // 2:26 pm
Go scene!! It's very incredible!!

#11 - whinis - November 17, 2010 // 1:16 pm
Quote Originally Posted by farenheit:
And that's supposed to be a snippet?

Here is what he said about it on xorloser's blog:
It doesn't contain all the knowledge about the PS3 hypervisor I gained through reversing; in truth, it's just a small piece of it, but I don't have time to write everything I know down. I will update this page regularly.

#10 - farenheit - November 17, 2010 // 10:57 am
And that's supposed to be a snippet?