• PS3 Hacks, 13.02.2010

    PS3 hacker CJPC has managed to dump the PS3 hypervisor (LV1) and the bootloader (LV0) from PS3 RAM. He has provided a brief explanation of what he did, and the download for the exploit can be found at the source link:

    We are happy to report that the PS3 Hypervisor LV1 and Bootloader LV0 are dumped from the PlayStation 3's RAM after getting our SX28 Hardware a few days ago, utilizing code for glitching and mashing buttons for hours – the exploit eventually will get triggered!

    We tried a few different ways to dump out the real memory – the biggest “problem” was the fact that you can’t just simply use File I/O code in a kernel module. Furthermore, you can’t call the lv1_peek function from user mode either.

    Luckily, resident DEV kakarotoks was up to the challenge. After some trial and error (and too many PS3 crashes!) he made a kernel module which maps the “real” PS3 memory to a device in /proc. The /proc area lets the kernel and userland interact some.

    Basically, the device /proc/ps3_hv_mem is created when the kernel module is inserted. Once it is inserted, you can use dd to read the device. By doing this, the device gets passed arguments, which is passed along to lv1_peek – which in turns reads out the real memory.

    Be advised, don't go beyond the PS3's upper memory limit. At around 260MB, the PS3 tends to crash – it does not like trying to read beyond RAM limits! So, for usage:

    First, run the exploit, and get it triggered and working – that’s the hard part!

    Next, download the attached file, inside are three files, a Makefile, the ps3_hv_mem.c and a pre-compiled version. Stick these in a folder, and run make. It will then compile a kernel module for you (ps3_hv_mem.ko, or use the pre-compiled one). Then simply type: sudo insmod ps3_hv_mem.ko

    Enter your password and check /proc for a ps3_hv_mem entry, or your dmesg. If it is there – let the dumping begin!

    You can dump out the PS3 Hypervisor and Bootloader (and the rest of the real memory) via dd. You can use the command:

    dd if=/proc/ps3_hv_mem of=PS3_Memory_Dump.bin bs=1024 count=10K

    That command will dump out 10485760 bytes, or about 10MB – which nicely includes the goodies like LV0 and LV1. Finally, you can also increase the count, which will increase the amount dumped (multiply by blocksize).
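The dd step above reads a fixed number of blocks and relies on the operator to stay under the limit. The following is an added example, not code from CJPC's post or from the ps3_hv_mem module: it does the same block-wise copy with a hard byte cap, so a mistyped count cannot run past the limit the post warns about. The device path and the cap are assumptions taken from the post and are parameters, so the function can be exercised on an ordinary file.

```python
# Added example, not part of the original post or of ps3_hv_mem.c.
# Block-wise copy in the spirit of "dd bs=1024 count=10K", but capped so a
# request can never exceed a hard byte limit. Path and limit are assumptions.
DEFAULT_SOURCE = "/proc/ps3_hv_mem"          # device created by the module
DEFAULT_LIMIT = 260 * 1024 * 1024            # post: reads near 260 MB crash the PS3


def parse_count(text):
    """Accept dd-style counts: plain integers or a K/M suffix (1K = 1024)."""
    text = text.strip()
    suffix = {"K": 1024, "M": 1024 * 1024}
    if text and text[-1].upper() in suffix:
        return int(text[:-1]) * suffix[text[-1].upper()]
    return int(text)


def planned_bytes(bs, count):
    """Total bytes a dd run with these bs/count values would request."""
    return bs * count


def check_request(bs, count, limit=DEFAULT_LIMIT):
    """Return the request size if it fits under the limit, else raise."""
    total = planned_bytes(bs, count)
    if total > limit:
        raise ValueError(f"{total} bytes requested, limit is {limit} bytes")
    return total


def bounded_dump(src, dst, bs=1024, count=10 * 1024, limit=DEFAULT_LIMIT):
    """Copy up to bs*count bytes from src to dst, refusing to exceed limit.

    Reads block by block like dd and stops early on a short read (end of
    file or device). Returns the number of bytes written.
    """
    total = check_request(bs, count, limit)
    written = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while written < total:
            chunk = fin.read(min(bs, total - written))
            if not chunk:
                break
            fout.write(chunk)
            written += len(chunk)
    return written
```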


  • 41 Comments

    1. spec8320
      02-13-2010
      02:00 PM
      1

      Am I right, or are we closer to something like an "ISO Loader"?

    2. The King
      02-13-2010
      02:07 PM
      2

      Does this mean it can be used (ISO Loader)?

    3. weed37
      02-13-2010
      02:36 PM
      3

      OMG, what is it with people and the rush to get an ISO loader? If an ISO loader comes out it will ruin the PS3 game makers, and that is not on; then people will wonder why there are no new PS3 games. I for one have my fingers crossed that an ISO loader does not come out.

    4. spec8320
      02-13-2010
      02:51 PM
      4

      You are wrong, look at the XBOX 360 scene: it's hacked and games on XB are going to a really, really nice level.

    5. krillen
      02-13-2010
      03:17 PM
      5

      I like that the PS3 is not hacked but hate that there is not enough access to it to make Linux worth having on it. Also not being able to play PS2 games (all regions) and all-region PS1 games also sucks. If the system was able to do that then it would be perfect or near perfect. I don't want stuff like an ISO loader which will promote pirating of games. That would make the PS3 like gaming on a PC or PSP. By that it will make the devs not want to make as many games for it, because the games will be pirated to the point it will drive up development cost. In turn fewer games will be made for it, the same as for the PSP and PC.

    6. weed37
      02-13-2010
      03:17 PM
      6

      Yeah, but look what they have done now on the Xbox scene; Sony will do the same. Anybody that does this takes the risk of being banned, and that will hurt the pocket, I can tell you.

    7. renanbianchi
      02-13-2010
      03:24 PM
      7

      Does this mean something for access to GameOS?

      Will it be possible to make homebrew like a SNES emulator run from GameOS? I wanna play Mario World with my Sixaxis, goddammit.

    8. icecoldgangstaa
      02-13-2010
      10:36 PM
      8

      Originally Posted by renanbianchi:
      Does this mean something for access to GameOS?

      Will it be possible to make homebrew like a SNES emulator run from GameOS? I wanna play Mario World with my Sixaxis, goddammit.

      I'd love to play some Zelda! :D

      Honestly, I'd be happy if an Isoloader never comes out.

    9. Zeruth
      02-14-2010
      12:10 AM
      9

      Originally Posted by icecoldgangstaa:
      I'd love to play some Zelda! :D

      Honestly, I'd be happy if an Isoloader never comes out.

      Whether anyone likes to hear this or not, one WILL be released because they ALWAYS DO. Piracy is quite a reluctant bastard.

    10. romul
      02-14-2010
      12:32 AM
      10

      Originally Posted by renanbianchi:
      Does this mean something for access to GameOS?

      Will it be possible to make homebrew like a SNES emulator run from GameOS? I wanna play Mario World with my Sixaxis, goddammit.

      If you want to play SNES, install this:
      YouTube - Emulation on the Playstation 3 made easy with The Zerogame Project 0.50 (phat only)

    11. Kane212
      02-14-2010
      02:33 AM
      11

      personally im poore a iso loader comes out.

      Also I hope it's not going to be downloads, because some PS3 games are over 10 gigs.

    12. David562
      02-14-2010
      03:42 AM
      12

      Originally Posted by The King:
      these means can be used ( ISO Loader ) ?
      Sorry, but I hope you die...

    13. KatanaPL
      02-14-2010
      04:39 AM
      13

      I don't want to have an ISO Loader on PS3.
      I like to have this feeling that I can do anything I'd like with my PS3 - some kind of homebrew - emulation of old consoles - including Nintendo 64 (never got a chance to play on it :/ ).
      Maybe homebrew will give us an opportunity to play PSX/PS2 games with some graphic filters and so on.
      Native playback of .mkv movies.
      Hardware acceleration for movie encoding ^^
      This would be cool.

    14. dfsdfsdfdffs
      02-14-2010
      05:37 AM
      14

      So what happens when they dump the memory, what can they do with it?

    15. The King
      02-14-2010
      05:38 AM
      15

      Originally Posted by David562:
      Sorry, but I hope you die...
      And you as well as .

      :aetsch:

    16. DerfelCadarn
      02-14-2010
      06:43 AM
      16

      Why do people have to wade through the tides of fools asking for a method to play copies, and the opposition with their condescending or simply rude manners? They're two of the many categories of people the world could do without.

    17. devinger
      02-14-2010
      07:18 AM
      17

      Here is a blog comment from geohot


      George Hotz said...

      If someone wants to be useful, and can code in a little "language" I created, help me out.

      http://github.com/geohot/eda-2/blob/master/spu.isdf is an Instruction Set Descriptor File For EDA, my disassembler. Someone pick up the syntax and finish it, SPU docs are public

      To see what EDA is: YouTube - The Embedded DisAssembler Demonstration

    18. Disane
      02-14-2010
      11:27 AM
      18

      @devinger
      Too low level, I just can't understand a thing from this.

      Guess I just can't understand anything below C/C++/C#.

      From what I understood from his code, he's trying to map every single instruction the Cell SPU handles.

    19. David562
      02-14-2010
      02:13 PM
      19

      Originally Posted by DerfelCadarn:
      Why do people have to wade through the tides of fools asking for a method to play copies and the opposition with their condescending or simply rude manners. They're two of the many categories of people the world could do without.
      Live with it.. It's the internet.

    20. SuperDre
      02-14-2010
      02:18 PM
      20

      What people tend to forget is that this hack will only work with a serious hardware hack; it will only work on systems with OtherOS, and the decrypting etc. will not work in plain OtherOS (otherwise it would have been done ages ago).

      Also, for people wanting it for hardware video encoding: it's already possible, there are even some companies who sell a whole PS3 package for this.

    21. KatanaPL
      02-14-2010
      02:31 PM
      21

      Originally Posted by SuperDre:

      Also, for people wanting it for hardware video encoding: it's already possible, there are even some companies who sell a whole PS3 package for this.

      Maybe you know something like this? The only thing I found for PS hardware video encoding is MP4 encoding using a PC-PS3 connection.

      I would like to connect my USB HDD to PS3, copy movies and encode them quickly to any format that I like with all customizable options and I didn't find anything like this xD

    22. yonasz
      02-14-2010
      02:38 PM
      22

      Yup, I'm waiting for some video player with mkv (and other types of video) support + subtitles...

    23. devinger
      02-14-2010
      04:36 PM
      23

      Originally Posted by Disane:
      @devinger
      Too low level, I just can't understand a thing from this.

      Guess I just can't understand anything below C/C++/C#.

      From what I understood from his code, he's trying to map every single instruction the Cell SPU handles.

      Exactly, he wants to document what the SPU/Cell is doing so he can eventually rewrite/overwrite the functions (if I understood it correctly) and find a hole.

    24. Disane
      02-14-2010
      05:14 PM
      24

      Originally Posted by devinger:
      Exactly, he wants to document what the SPU/Cell is doing so he can eventually rewrite/overwrite the functions (if I understood it correctly) and find a hole.

      Hey, it's nice to know someone actually knows what's going on. I asked George to explain this a little bit more in depth because I don't understand where he got all the other parameters. For example:

      # Load Quadword (d-form)
      00110100 iiiiiiiiii aaaaaaa ttttttt // <- I understand this part
      ri {i} << 4 // <- starting from here i become clue less
      Parsed "O R, I(R)" lqd {{t}} {|{ri}|} {{a}}
      #Change 128 `{{t}}` [[`{{a}}`] + {ri}]
      Stop


      According to the official documentation:

      Load Quadword (d-form)
      Required, v1.0
      The local storage address is computed by adding the signed value in the I10 field, with 4 zero bits appended, to the value in the preferred slot of register RA and forcing the rightmost 4 bits of the sum to zero. The 16 bytes at the local storage address are placed into register RT. This instruction is computed using the following formula:
      lqd rt,symbol(ra)
      bits 0-7: 0 0 1 1 0 1 0 0 | bits 8-17: I10 | bits 18-24: RA | bits 25-31: RT // all the above makes perfect sense
      LSA ← (RepLeftBit(I10 || 0b0000,32) + RA0:3) & LSLR & 0xFFFFFFF0
      RT ← LocStor(LSA, 16)


      I'm completely clueless

    25. devinger
      02-14-2010
      05:50 PM
      25

      I am not sure either, but I think it is a command for EDA to examine? Couldn't think of anything else.
      I saw your blog comment with the question; hopefully you will get an answer soon. If he answers, please post it here. I'm very interested.

    26. Disane
      02-14-2010
      05:57 PM
      26

      you bet i will

      I'm dying to know the answer

    27. Disane
      02-14-2010
      09:34 PM
      27

      @Disane Understanding ISDF files.
      The #Change lines are actually commented out (anything beginning with # is a comment); for now they are less important. Focus on the Parsed lines.

      This example describes the instruction il

      Lines from file:
      1. # Immediate Load Word
      2. 010000001 iiiiiiiiiiiiiiii ttttttt
      3. Parsed "O R, I" il {{t}} {i}
      4. Stop

      1. A comment for the reader of the file to know the instruction
      2. A bitmask to identify it. 0 and 1 must exist in the instruction. i and t are variables created from those regions.
      3. Parsed is how to print the disassembled instruction to the user. The first parameter after Parsed is a format string describing the other parameters. O is opcode, R is register, I is immediate. il is the opcode, t is the register, and i is the immediate. Curly braces around i mean value of. Double curly braces around t mean value of register indexed by variable.
      4. Stop parsing, this instruction is done.
      As I promised, let's help him hack the beast.
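The explanation above, carried through in working code as an added example that is not from the thread, from EDA or from geohot's spu.isdf: it turns the two bitmask lines quoted in this thread (lqd and il) into masks and field positions, decodes a constructed 32-bit SPU word, and evaluates the IBM LSA formula quoted earlier for lqd. The LSLR value for a 256 KB local store is an assumption.

```python
# Added example, not from the thread, from EDA or from geohot's spu.isdf.
# It applies the two ISDF bit-pattern lines quoted in this thread (lqd and il)
# to a 32-bit SPU instruction word, extracts the lettered fields, and computes
# the lqd local store address with the IBM formula quoted above.
# Assumption: LSLR (Local Store Limit Register) covers a 256 KB local store.
LSLR = 0x3FFFF

# Pattern line and Parsed format string, as they appear in the ISDF lines.
# '0'/'1' are fixed bits, letters name fields; the leftmost character is
# bit 0 in IBM numbering, i.e. the most significant bit of the 32-bit word.
PATTERNS = {
    "lqd": ("00110100 iiiiiiiiii aaaaaaa ttttttt", "O R, I(R)"),
    "il":  ("010000001 iiiiiiiiiiiiiiii ttttttt", "O R, I"),
}


def parse_pattern(pattern):
    """Return (mask, value, fields); fields maps letter -> (shift, width)."""
    bits = pattern.replace(" ", "")
    if len(bits) != 32:
        raise ValueError(f"pattern is {len(bits)} bits, expected 32")
    mask = value = 0
    fields = {}
    for pos, ch in enumerate(bits):
        bit = 1 << (31 - pos)
        if ch in "01":
            mask |= bit
            value |= bit if ch == "1" else 0
        else:
            width = fields.get(ch, (0, 0))[1]
            fields[ch] = (31 - pos, width + 1)   # shift of the field's LSB so far
    return mask, value, fields


def sign_extend(val, width):
    """Interpret a width-bit field as two's complement (RepLeftBit in IBM docs)."""
    return val - (1 << width) if val & (1 << (width - 1)) else val


def lqd_local_store_address(i10, ra_preferred):
    """LSA <- (RepLeftBit(I10 || 0b0000, 32) + RA0:3) & LSLR & 0xFFFFFFF0."""
    offset = sign_extend(i10, 10) << 4          # I10 with four zero bits appended
    return (offset + ra_preferred) & 0xFFFFFFFF & LSLR & 0xFFFFFFF0


def decode(word, ra_preferred=0):
    """Match word against PATTERNS; return mnemonic, fields, text and LSA."""
    for mnem, (pattern, _fmt) in PATTERNS.items():
        mask, value, fields = parse_pattern(pattern)
        if word & mask != value:
            continue
        f = {name: (word >> s) & ((1 << w) - 1) for name, (s, w) in fields.items()}
        if mnem == "lqd":
            ri = sign_extend(f["i"], 10) << 4       # the "ri {i} << 4" line
            text = f"lqd ${f['t']},{ri}(${f['a']})"
            lsa = lqd_local_store_address(f["i"], ra_preferred)
        else:  # il: 16-bit immediate, sign-extended per the SPU ISA
            text = f"il ${f['t']},{sign_extend(f['i'], 16)}"
            lsa = None
        return {"mnemonic": mnem, "fields": f, "text": text, "lsa": lsa}
    return None
```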

    28. Spiker
      02-14-2010
      10:52 PM
      28

      Jesus. What programming language is that?

    29. Disane
      02-15-2010
      10:05 AM
      29

      I think I understood how George is interpreting the data in the IBM documentation and converting it into SPU.isdf metadata for his EDA application.

      I'll try and help him out

    30. mrpitman
      02-15-2010
      01:50 PM
      30

      I would like to have the ISO loader. The games are just way too dang expensive for what you get. Not all the games are true HD as they advertise. It doesn't cost that much for a game to be developed and burned to a disc. CGI does most of the work. I think the games should cost no more than $40-45. I used to have over 150 PS2 games and all were burned. So please let's go forward and enter the world of everything being free and free share. Also, one more note as well. The expansion packs they charge for should also not be charged extra for, as you already paid $63 for a game, and when you keep adding add-ons the price just keeps going up. For example, MW WAW. After you purchase the game and add all the map packs, you spent over $90 on a dang game. Well, that's all I gotta say now.

    31. Disane
      02-15-2010
      01:52 PM
      31

      OK, I helped out GeoHot a bit:

      http://github.com/Disane/eda-2/blob/...50342/spu.isdf

      I'll try and add more instructions and data

    32. arremans
      02-15-2010
      02:56 PM
      32

      Originally Posted by KatanaPL:
      Maybe you know something like this? The only thing I found for PS hardware video encoding is MP4 encoding using a PC-PS3 connection.

      I would like to connect my USB HDD to PS3, copy movies and encode them quickly to any format that I like with all customizable options and I didn't find anything like this xD

      Hmm, the only one I know of is the CodecSys PS3 encoder; I tested it and the quality of encoding isn't that good. I'm now using Handbrake with almost the same encoding speed on a dual 2.6 GHz, and a lot better quality.

    33. Pockets69
      02-15-2010
      03:09 PM
      33

      Great job Disane, keep it up. If I had some time myself I would help, stupid university exams :S

      I saw your post at geohot's blog great job figuring out those instructions

      keep up the good work.

    34. devinger
      02-15-2010
      03:47 PM
      34

      Originally Posted by Disane:
      OK, I helped out GeoHot a bit:

      http://github.com/Disane/eda-2/blob/...50342/spu.isdf

      I'll try and add more instructions and data

      Great, if I can help you with anything please tell me.

      The dumps are leaked:
      http://www.multiupload.com/9A8VSJIZ93

    35. David562
      02-15-2010
      04:24 PM
      35

      Originally Posted by mrpitman:
      I would like to have the ISO loader. The games are just way too dang expensive for what you get. Not all the games are true HD as they advertise. It doesn't cost that much for a game to be developed and burned to a disc. CGI does most of the work. I think the games should cost no more than $40-45. I used to have over 150 PS2 games and all were burned. So please let's go forward and enter the world of everything being free and free share. Also, one more note as well. The expansion packs they charge for should also not be charged extra for, as you already paid $63 for a game, and when you keep adding add-ons the price just keeps going up. For example, MW WAW. After you purchase the game and add all the map packs, you spent over $90 on a dang game. Well, that's all I gotta say now.

      Seriously... Quality>Resolution...

    36. Disane
      02-15-2010
      05:18 PM
      36

      Originally Posted by devinger:
      Great, if I can help you with anything please tell me.

      The dumps are leaked:
      http://www.multiupload.com/9A8VSJIZ93

      If you get on IRC I can explain to you how to convert the instructions in the IBM document into GeoHotz's ISDF metadata so you can help me in converting the instructions, but only if you know a little bit of assembly, or else you won't understand the explanation.

    37. BobbyBlunt
      02-17-2010
      12:54 AM
      37

      Originally Posted by weed37:
      OMG, what is it with people and the rush to get an ISO loader? If an ISO loader comes out it will ruin the PS3 game makers, and that is not on; then people will wonder why there are no new PS3 games. I for one have my fingers crossed that an ISO loader does not come out.

      I feel your pain. I wish the newbs would stop posting, "is there gonna be an iso loader soon?"

      Now let's get this right, I have pirated things as most of us have. My PSP for instance is hacked wide open, but my PS3 is different. I look on the shelf and it is good to know that I worked and paid for my growing collection of games. Consoles are not hacked primarily for piracy. I personally like following this because of the knowledge I am gaining about the electronics. I have been studying electronics for almost 2 years in college and I will never get to play around with a hardware architecture like this in the school lab, because we work with older chips, nothing near as advanced as the Cell. Some of us value knowledge while others are just worried about ripping people off. An ISO loader will come in time if we get anywhere with this exploit, but remember that consoles are not hacked for piracy, they are hacked for understanding and to unlock a machine's true potential. If this hack does eventually allow us to run CFW or unsigned code, I hope an ISO loader is the last thing we see.

    38. jaasumbra
      02-17-2010
      08:08 AM
      38

      Originally Posted by mrpitman:
      I would like to have the ISO loader. The games are just way too dang expensive for what you get. Not all the games are true HD as they advertise. It doesn't cost that much for a game to be developed and burned to a disc. CGI does most of the work. I think the games should cost no more than $40-45. I used to have over 150 PS2 games and all were burned. So please let's go forward and enter the world of everything being free and free share. Also, one more note as well. The expansion packs they charge for should also not be charged extra for, as you already paid $63 for a game, and when you keep adding add-ons the price just keeps going up. For example, MW WAW. After you purchase the game and add all the map packs, you spent over $90 on a dang game. Well, that's all I gotta say now.

      It's because of people like you that game prices are so high.
      Of course expansion packs mostly cost money. The devs who create them need a living too, and no one works for free. It's their job, and it's only fair that they earn a good living. If they don't earn money on them, it would be like giving them out free, and that would just be plain stupid. Piracy is ruining the scene. Try to think about how much money the devs have lost on your 150 pirated games. If it's true that you normally spend $90 per game, it would be $13500. Also the dev companies spend money on protecting their discs, and so does Sony on creating extra security on their products. All this costs!
      I am no angel myself, but if I like a game, I ALWAYS buy it. I don't need 150 games I don't like. I would rather have 10 games I love, which I PAID for.
      Playing games on old emulators, and the classic PSX games, which are very rare, is different, as they wouldn't be sold anyway these days, especially not as NEW AND SEALED. So homebrew rocks, but lousy sucking leeches like you suck.

    39. devinger
      02-17-2010
      09:59 AM
      39

      Somebody at the blog posted this:

      People, I think I've found the path to the RSX driver, I don't know, check that link: http://img18.imageshack.us/img18/8302/rsxrf.jpg Can anyone use it somehow?

      Maybe something useful.

    40. Pockets69
      02-17-2010
      12:32 PM
      40

      Not sure, I guess that's a path to the driver, but can it be extracted?? What LV is this, 0, 1, 2?
      Only this is not enough, at least for me...
      Maybe Disane can tell us more.

    41. Disane
      02-17-2010
      01:21 PM
      41

      Originally Posted by Pockets69:
      Not sure, I guess that's a path to the driver, but can it be extracted?? What LV is this, 0, 1, 2?
      Only this is not enough, at least for me...
      Maybe Disane can tell us more.

      Yeah, I saw this post. Well, here is what I think:

      I don't think the drivers can be extracted, since they're not installed (or at least the necessary drivers for the RSX are not provided for the PS3 on Linux). Also we can't even address the frame buffer (w/o a hack). This means zero support for any RSX goodies, or maybe not...
      If I'm correct, according to the memory dump lv1 is looking for the RSX driver's source code. Well, I can see a "device.h" header file there. When the Hypervisor realizes that the source file is not there, it stops checking for any other source files. We really need those Zego drivers to figure this out. I'm pretty sure the Zego drivers alone just won't be enough, but from there on things would become easier. Modifying the drivers to work with the PS3 shouldn't be as challenging as finding a hole in the Hypervisor.

      Maybe I'm right maybe I'm wrong. Who knows...