Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by Pirate, on 28/01/2010, @ 10:35am

     

    With the great news of the hypervisor being hacked by Geohot, many people are now wondering: what next, how does this work, and what can I look for in the future? Nate Lawson has posted an excellent explanation detailing Geohot's hack and what exactly is going on. For those interested in a less technical explanation, you can view one here.


    To quote:

    George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

    The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

    Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

    The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

    George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

    His approach is clever and is known as a “glitching attack”. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

    George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to set up the RAM to give a higher likelihood of success than it would first appear.

    His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.

    The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.

    The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

    At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.

    The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

    It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.

    Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.

    It will be interesting to see how Sony responds with future updates to prevent this kind of attack.

    [VIA]
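    To make the read-back fix proposed at the end of the analysis concrete, here is a small C model written for this page (not code from Nate Lawson, from the exploit, or from Sony's hypervisor): a toy HTAB, a release loop that trusts its stores, and one that re-reads each entry after writing it and halts when a store was dropped. The table layout, flag bits, page number 0x1234, the 48 duplicate mappings and the dropped-store fault injection are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (constructed for this example) of a hashed page table: each
 * entry maps one slot to a physical page with VALID/RW flags. */
#define HTAB_ENTRIES 64
#define PTE_VALID (1u << 0)
#define PTE_RW    (1u << 1)
typedef struct { uint32_t flags; uint32_t page; } pte_t;

/* Fault injection: index of the one store the simulated glitch drops
 * (-1 = no glitch). Models a hypervisor write cycle that never reaches RAM. */
static int g_dropped_store = -1;

static void htab_store(pte_t *htab, size_t idx, pte_t value) {
    if ((int)idx == g_dropped_store)
        return;          /* write lost on the bus: RAM keeps the old entry */
    htab[idx] = value;
}

/* Attacker-side setup from the analysis: many duplicate mappings to one page. */
static void fill_duplicates(pte_t *htab, uint32_t page, size_t count) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        htab[i] = (i < count) ? (pte_t){PTE_VALID | PTE_RW, page} : (pte_t){0, 0};
}

/* Entries still valid for a page the hypervisor believes it has freed. */
static int stale_mappings(const pte_t *htab, uint32_t page) {
    int n = 0;
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        n += (htab[i].flags & PTE_VALID) && htab[i].page == page;
    return n;
}

/* Release as the analysis describes it: invalidate each mapping and trust
 * that every store landed. Returns how many stale mappings were left behind. */
static int release_trusting(pte_t *htab, uint32_t page) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        if ((htab[i].flags & PTE_VALID) && htab[i].page == page)
            htab_store(htab, i, (pte_t){0, 0});
    return stale_mappings(htab, page);
}

/* Release with the read-back check the analysis proposes: re-read each entry
 * after storing it and halt (return false) on a mismatch. Here the read-back
 * sees RAM directly; a real hypervisor must ensure the read bypasses any cache. */
static bool release_verified(pte_t *htab, uint32_t page) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++) {
        if ((htab[i].flags & PTE_VALID) && htab[i].page == page) {
            htab_store(htab, i, (pte_t){0, 0});
            if (htab[i].flags != 0 || htab[i].page != 0)
                return false;   /* store did not take: halt, do not free */
        }
    }
    return true;
}

/* Scenario: 48 duplicate mappings, then a release during which the store at
 * dropped_idx is lost (-1 for a clean run). With verify=false returns the
 * number of stale mappings left; with verify=true returns 0 if the release
 * completed and -1 if the read-back check halted it. */
static int scenario(int dropped_idx, bool verify) {
    pte_t htab[HTAB_ENTRIES];
    fill_duplicates(htab, 0x1234, 48);
    g_dropped_store = dropped_idx;
    int result = verify ? (release_verified(htab, 0x1234) ? 0 : -1)
                        : release_trusting(htab, 0x1234);
    g_dropped_store = -1;
    return result;
}

int main(void) {
    printf("trusting release, glitch at 17: %d stale mapping(s)\n", scenario(17, false));
    printf("verified release, glitch at 17: %s\n",
           scenario(17, true) < 0 ? "halted" : "completed");
    return 0;
}
```

    The trusting release leaves one read/write mapping to a page the hypervisor now considers free, which is exactly the state the exploit builds on; the verified release refuses to continue instead.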


  • Posted by Pirate, on 28/01/2010, @ 10:31am

     

    Geohot has today confirmed on his blog that his exploit DOES work on firmware 3.10. He also added that there are compile issues on Fedora, but it works fine on Ubuntu.

    [VIA]

  • Posted by Pirate, on 26/01/2010, @ 07:01pm

     

    Well he said he had it and now here it is :)

    GeoHot has released his PS3 exploit today. The exploit grants us “full memory access and therefore ring 0 access from OtherOS”.

    Original post:

    In the interest of openness, I’ve decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can’t keep working on this all day and night.

    Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, it opens tons of new stuff to document. I’d like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

    This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I’ll write up how it works :)

    Good luck!

    There is also an explanation on how it works that Geohot told on IRC:

    geohot: well actually it’s pretty simple
    geohot: i allocate a piece of memory
    geohot: using map_htab and write_htab, you can figure out the real address of the memory
    geohot: which is a big win, and something the hv shouldn’t allow
    geohot: i fill the htab with tons of entries pointing to that piece of memory
    geohot: and since i allocated it, i can map it read/write
    geohot: then, i deallocate the memory
    geohot: all those entries are set to invalid
    geohot: well while it’s setting entries invalid, i glitch the memory control bus
    geohot: the cache writeback misses the memory :)
    geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
    geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
    geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
    geohot: switch to virtual segment
    geohot: write to main segment htab a r/w mapping of itself
    geohot: switch back
    geohot: PWNED
    geohot: and would work if memory were encrypted or had ECC
    geohot: the way i actually glitch the memory bus is really funny
    geohot: i have a button on my FPGA board
    geohot: that pulses low for 40ns
    geohot: i set up the htab with the tons of entries
    geohot: and spam press the button
    geohot: right after i send the deallocate call

    You can download the exploit files here.

    This exploit obviously is not newb friendly, but it is nevertheless huge progress towards cracking open the PS3 scene. More information and updates will be posted as available, stay tuned!

    More information via instructions in download file.

    [VIA]

  • Posted by Pirate, on 26/01/2010, @ 10:26am

     

    With the recent explosive news of Geohot managing to successfully hack the PS3, he has now posted another blog post clarifying what he is doing and the direction he plans to take.

    Quote:

    What it is and what it isn’t
    First off, this is not a release blog like “On The iPhone”. If you are expecting some tool to be released from this blog like blackra1n, stop reading now. If you have a slim and are complaining this hack won’t work for you, stop reading now. WE DO NOT CONDONE PIRACY, NOR WILL WE EVER. If you are looking for piracy, stop reading now. If you want to see the direction in which I will take this blog, read the early entries in the iPhone one. Information on this blog is for research purposes only.

    That aside, I’ll tell you what I have so far. I have added two hypercalls, lv1_peek and lv1_poke. peek reads memory in real space (including all the MMIO), poke writes it. I can also add other arbitrary hypercalls as I see fit.

    The hypervisor is complicated, it is written in C++ and is PPC, which I am not that familiar with yet. At first I was trying to add a hypercall to add arbitrary real memory to the LPAR, but it kept crashing (because I can’t code), which is really annoying, because I have to wait while Linux reboots.

    Some people pointed out that I have not accessed the isolated SPEs. This is true. Although as far as doing anything with the system, it doesn’t matter. The PPE can’t read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want. An interesting note: by the time you get to OtherOS, all 7 working SPEs are stopped.

    Despite this, I am working on the isolated SPEs now (which I can now load), because what I’d really like to do is post decryption keys here so you guys can join the fun.

    As of now, whether this hack works on the Slim PS3s is UNKNOWN.

    [VIA]

  • Posted by Pirate, on 25/01/2010, @ 04:07pm

     

    Here is an interview GeoHot apparently did with the BBC relating to the most recent news of the PS3 hack, quoted below:

    A US hacker who gained notoriety for unlocking Apple’s iPhone as a teenager has told BBC News that he has now hacked Sony’s PlayStation 3 (PS3).

    George Hotz said the hack, which could allow people to run pirated games or homemade software, took him five weeks.

    He said he was still refining the technique but intended to post full details online soon.

    The PS3 is the only games console that has not been hacked, despite being on the market for three years.

    “It’s supposed to be unhackable - but nothing is unhackable,” Mr Hotz told BBC News.

    “I can now do whatever I want with the system. It’s like I’ve got an awesome new power - I’m just not sure how to wield it.”

    Sony said it was “investigating the report” and would “clarify the situation” when it had more information.

    ‘Open curiosity’

    Mr Hotz said that he had begun the hack last summer when he had spent three weeks analysing the hardware.

    After a long break, he spent a further two weeks cracking the console, which he described as a “very secure system”.

    He said that he was not yet ready to reveal the full details of the hack but said that it was “5% hardware and 95% software”.

    “You can use hardware to inject an insecurity and then you can build on that,” he said.

    He admitted that he had not managed to hack the whole system, including the protected memory, but had worked out ways to trick the console into doing what he wanted.

    Mr Hotz said that he was continuing to work on the hack and, once finished, would publish details online in a similar way to his previous iPhone exploits.

    In particular, he said, he would publish details of the console’s “root key”, a master code that once known would make it easier for others to decipher and hack other security features on the console.

    He said his motivation was “curiosity” and “opening up the platform”.

    “To tell you the truth, I’ve never really played a PS3,” he said. “I have one game, but I’ve never really played it.”

    Opening the system could allow people to install other operating systems on their console and play homemade games, he said.

    In addition, he said, the hack would allow people to play older PS2 games on their consoles.

    Recent versions of the PS3 do not have the ability to play PS2 games after Sony controversially removed a piece of hardware.

    He admitted that it could also allow people to run pirated games.

    “I’m not going to personally have anything to do with that,” he told BBC News.

    Gaming firms do not take the issue of game piracy and console modification lightly. Recently, Microsoft disconnected thousands of gamers from its online gaming service Xbox Live for modifying their consoles to play pirated games.

    Mr Hotz said that the nature of his PS3 hack means that Sony may have difficulty patching the exploit.

    “We are investigating the report and will clarify the situation once we have more information,” said a Sony spokesman.

    Mr Hotz rose to fame in 2007 at the age of 17 when he unlocked the iPhone, which could only be used on the AT&T network in the US at launch.

    The hack allowed the popular handset to be used on any network.

    He has since released various other hacks, allowing people to unlock later versions of the popular handset.

    [VIA]

  • Posted by Pirate, on 25/01/2010, @ 04:03pm

     

    This includes all of the features of XBLA Unlocker previously released by dstruktiv.
    The additional “Collection Management” is contributed by node21.

    What’s new/fixed (v0.4)
    * Added ability to launch titles directly from the Scan list, or the Collection Manager List (for titles that you actually have) [use the A button]
    * added support for multiple usb devices being connected
    * More information is added to the resulting xbla_report.txt so you can choose to ignore missing titles that are rated very low.
    * Some titleIds are intentionally duplicated since they exist in the wild, but aren’t on the MS web site. You should simply “Ignore” (with the X button) the versions that you don’t have (assuming you care about such things)

  • Posted by Pirate, on 24/01/2010, @ 05:35pm

     

    With the smartphone/Android market booming, I decided to implement a friendlier way to surf the forums for those who wish to access Hax Network via a mobile device. You can now view Hax Network on a friendly interface via the Tapatalk application, available on the Apple App Store and other Android markets. The site works with a user-friendly interface on the Apple iPhone, Motorola Droid, T-Mobile G1, HTC Magic, HTC Hero etc.

    There are two versions of Tapatalk, pro and lite. The lite version is only a viewer, and the pro version ($2.99) carries many more features such as posting/PM/groups etc. Tapatalk and Haxnetwork are not affiliated and we receive no profit if you do choose to purchase the pro version.

    You can find Hax Network via Tapatalk by going to search and typing in “Hax”.

  • Posted by Pirate, on 23/01/2010, @ 12:33pm

     

    “Hello hypervisor, I’m geohot”.

    Probably the last thing we would expect to see on the PS3: after 3 years, it seems legendary iPhone hacker George Hotz (Geohot) has managed to crack the PS3 security in under a month (Geohot was the first person to unlock the iPhone). He has posted on his blog that he has full hypervisor access and read/write access to the entire system memory. He also says that this is not patchable and plans to reveal the method soon. There is still more work to be done, according to Geohot.

    Original post:

    I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I’ve also dumped the NAND without removing it or a modchip.

    3 years, 2 months, 11 days…that’s a pretty secure system

    Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

    Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

    As far as the exploit goes, I’m not revealing it yet. The theory isn’t really patchable, but they can make implementations much harder. Also, for obvious reasons I can’t post dumps. I’m hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone’s KBAG.

    A lot more to come…follow @geohot on twitter

    Very good news for PS3 hackers who have waited very patiently for this day, and great job Geohot, we will bring you more updates as they are available.

    [VIA]

    UPDATE #1 (1-23-2010):
    [I know some function names...]

  • Posted by Pirate, on 20/01/2010, @ 11:14am

     

    C4eva presents iXtreme Lite Touch (LT) in association with Team Jungle and Team Xecuter: Get it here.



  • Posted by Pirate, on 19/01/2010, @ 10:24am

     

    Most people have supported C4E and Team Jungle for some time now, and it is so ridiculous to everyone when you see so much garbage and drama being posted around on different forums. First you see some sites trying to sell iXtreme LT for stupid amounts of money, then the price goes in half, then it doubles, then it shows as out of stock? Well, how can a piece of copy-n-paste software be out of stock? Then of course everyone bitches about C4E, even though this wasn’t his idea; these guys also forget that the iXtreme firmwares are HIS work, and no one else’s. The fact is, he owes nothing to anyone. He should be showered with credits and support, not with bitching and whining. It’s a surprise that he even bothers any more with all that, but we also know how much he loves to do this work. It really is pathetic to see some fools post crap like that, but the console scene never changes, does it?

    Now you see attempts at “cracking” a pre-release demo version of the LT firmware, and people trying to gain credits and “pats on the back” for this work. Well, umm, people have looked at both firmwares: the real LT and the leaked one. Take some well-read advice: don’t use the leaked one! It’s an incomplete version, and if you connect to Xbox Live, you’ll be sorry, and even MORE sorry if you paid for it.

    You should know how much time and effort it takes to do this kind of work – so you should fully support C4E in all the work he does, and as members of the entire XBox360 scene, you should thank him for it, and stop complaining because it’s not out when YOU want it to be.

    Anyway the guys at Team Jungle have updated their Twitter page with this info:
    “iXtreme LT will release shortly as promised for free. Unofficial files are incomplete and unsafe. Protection was to prevent unofficial use!” This is LiteOn firmware, by the way.

    Maybe you should start giving a few posts of appreciation, kudos, SOMETHING! Then maybe you’ll see Benq, Samsung & Hitachi versions too – because they won’t come from anyone else, you can be assured of that.

    [VIA]

  • Posted by Pirate, on 03/01/2010, @ 02:40pm

     

    MysticHades has resurfaced an old hack that allowed the booting of PS3 games (originally found here). He has posted a video showing how this exploit works. This method only works with BluRay backups and NOT DVD. It does not work on all games.

    Here is a rough translation of the tutorial, you can download all the needed files below:

    Step 1: Install Ubuntu on your PS3 (or Kubuntu)
    Step 2: Install Windows XP on Ubuntu
    Step 3: Install CloneCD on Windows XP and connect another PC to the network so it shows up in My Network Places. I do not know if AnyDVD HD is necessary, but I installed it myself
    Step 4: Open CloneCD, select new image, insert the game, select “Protected PC Game”, change the extension to ISO.
    Step 5: Rip the Blu-ray on the PC via network favorites.
    Step 6: Burn with ImgBurn (or CloneCD) at 1X on the PC where the game has been ripped

    So what exactly is going on? This was the release post about this method, via Elotrolado:

    PS3 backups load thanks to an exploit discovered when it is considered necessary is to upload a video showing the event.
    My way of working will protect this exploit and not give details of how this occurs so that might not make the same mistakes of the past.
    You have to patch both updates as other functions, the iso is not worth anyone … It requires a different process than those generated in linux are not worth keeping the encryption layer.
    The exploit creates a CheckStop that generates a reboot and does not load everything back into memory but the function of the pre-patched disk and runs the new copy.
    The models tested are 40/60/80.
    The games tested are 3: Killzone 2, Burnout Paradise, PES 2008.

    Video of this exploit in action:



    A more in-depth tutorial will be posted once we can get a better translation of the video. If you have a BluRay burner lying around and are willing to try, let us know and post your results.

    [Download MotorStorm Hack + Tutorial Files]

  • Posted by Pirate, on 03/01/2010, @ 02:13pm

     

    Well, it’s 2010, and what better way to start off the new year than with another ISO loader video. So what exactly is ZPack?

    Here is the description by the creator:

    I found this in my holiday in Korea, there are PS3 cafes which run their games from external harddisk without using the original disks. I am one of the first who tested this Zpack System.

    Zpack is the first working Backup System for PlayStation 3. It was especially designed for PlayStation Cafes across the world to avoid damaging your original game disks and to keep them from being stolen by customers. You will not need the original disk to play on your PS3 anymore; just start any game you have directly from your external hard disk.

    Zpack comes to you with a USB Dongle and a DISK with the Zpack Software, which you only need the first time for installation. The USB dongle has to be connected to your PS3 all the time. When you run a PlayStation Cafe with 8 PlayStation Terminals, you will need 8 Zpacks, one for each PS3 Terminal, to run the games from the external drives. Please pay attention to our Zpack bundles.

    There are also two videos demonstrating this new loader:



    So what do you think, fake or real? Leave your comment and let us know what you think.

    Thanks to Pocket69 for the tip