Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.
  • Posted by Pirate , on 07/02/2010 , @ 12:37pm

     

    A few days ago we told you how to use Geohot's exploit via software; today xorloser has posted his latest tutorial, teaching us how to do it via hardware.




    To quote:

    The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

    He also promises some code next post to dump the hypervisor and more.

    You can download the fixed version of the exploit here.

    You can view the tutorial here or via the link below.

    [VIA]


  • Posted by Pirate , on 05/02/2010 , @ 11:59am

     

    PS3 hacker xorloser has released a fix for Geohot's PS3 exploit, making it friendly across different firmwares.

    To quote:

    As I’m sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack so I thought I’d take the time to help out others who may also have trouble due to being linux n00bs like me :) If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it heh. Today’s post will talk about the software side of the exploit.

    Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.

    You can download the fixed files here.

    xorloser also has posted a tutorial on how to use this exploit, which is now a bit more newb friendly (for those not experienced with linux anyways), and provides some good information/guidance to help you get started using this exploit. You can view the tutorial HERE, or via link below.

    [VIA]

  • Posted by Pirate , on 28/01/2010 , @ 10:31am

     

    Geohot has today confirmed on his blog that his exploit DOES work on firmware 3.10. He also added that there are compile issues in Fedora but that it works fine in Ubuntu.

    [VIA]

  • Posted by Pirate , on 26/01/2010 , @ 10:26am

     

    Following the recent explosive news of Geohot managing to successfully hack the PS3, he has now posted another blog post clarifying what he is doing and the direction he plans to take.

    Quote:

    What it is and what it isn’t
    First off, this is not a release blog like “On The iPhone”. If you are expecting some tool to be released from this blog like blackra1n, stop reading now. If you have a slim and are complaining this hack won’t work for you, stop reading now. WE DO NOT CONDONE PIRACY, NOR WILL WE EVER. If you are looking for piracy, stop reading now. If you want to see the direction in which I will take this blog, read the early entries in the iPhone one. Information on this blog is for research purposes only.

    That aside, I’ll tell you what I have so far. I have added two hypercalls, lv1_peek and lv1_poke. peek reads memory in real space(including all the MMIO), poke writes it. I can also add other arbitrary hypercalls as I see fit.

    The hypervisor is complicated, it is written in C++ and is PPC, which I am not that familiar with yet. At first I was trying to add a hypercall to add arbitrary real memory to the LPAR, but it kept crashing(because I can’t code), which is really annoying, because I have to wait while Linux reboots.

    Some people pointed out that I have not accessed the isolated SPEs. This is true. Although as far as doing anything with the system, it doesn’t matter. The PPE can’t read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want. And interesting note, by the time you get to OtherOS, all 7 working SPEs are stopped.

    Despite this, I am working on the isolated SPEs now(which I can now load), because what I’d really like to do is post decryption keys here so you guys can join the fun.

    As of now, whether this hack works on the SLIM PS3s is UNKNOWN.

    [VIA]

  • Posted by Pirate , on 25/01/2010 , @ 04:07pm

     

    Here is an interview GeoHot has apparently done with the BBC about the most recent news of the PS3 hack, quoted below:

    A US hacker who gained notoriety for unlocking Apple’s iPhone as a teenager has told BBC News that he has now hacked Sony’s PlayStation 3 (PS3).

    George Hotz said the hack, which could allow people to run pirated games or homemade software, took him five weeks.

    He said he was still refining the technique but intended to post full details online soon.

    The PS3 is the only games console that has not been hacked, despite being on the market for three years.

    “It’s supposed to be unhackable – but nothing is unhackable,” Mr Hotz told BBC News.

    “I can now do whatever I want with the system. It’s like I’ve got an awesome new power – I’m just not sure how to wield it.”

    Sony said it was “investigating the report” and would “clarify the situation” when it had more information.

    ‘Open curiosity’

    Mr Hotz said that he had begun the hack last summer when he had spent three weeks analysing the hardware.

    After a long break, he spent a further two weeks cracking the console, which he described as a “very secure system”.

    He said that he was not yet ready to reveal the full details of the hack but said that it was “5% hardware and 95% software”.

    “You can use hardware to inject an insecurity and then you can build on that,” he said.

    He admitted that he had not managed to hack the whole system, including the protected memory, but had worked out ways to trick the console into doing what he wanted.

    Mr Hotz said that he was continuing to work on the hack and, once finished, would publish details online in a similar way to his previous iPhone exploits.

    In particular, he said, he would publish details of the console’s “root key”, a master code that once known would make it easier for others to decipher and hack other security features on the console.

    He said his motivation was “curiosity” and “opening up the platform”.

    “To tell you the truth, I’ve never really played a PS3,” he said. “I have one game, but I’ve never really played it.”

    Opening the system could allow people to install other operating systems on their console and play homemade games, he said.

    In addition, he said, the hack would allow people to play older PS2 games on their consoles.

    Recent versions of the PS3 do not have the ability to play PS2 games after Sony controversially removed a piece of hardware.

    He admitted that it could also allow people to run pirated games.

    “I’m not going to personally have anything to do with that,” he told BBC News.

    Gaming firms do not take the issue of game piracy and console modification lightly. Recently, Microsoft disconnected thousands of gamers from its online gaming service Xbox Live for modifying their consoles to play pirated games.

    Mr Hotz said that the nature of his PS3 hack means that Sony may have difficulty patching the exploit.

    “We are investigating the report and will clarify the situation once we have more information,” said a Sony spokesman.

    Mr Hotz rose to fame in 2007 at the age of 17 when he unlocked the iPhone, which could only be used on the AT&T network in the US at launch.

    The hack allowed the popular handset to be used on any network.

    He has since released various other hacks, allowing people to unlock later versions of the popular handset.

    [VIA]

  • Posted by Pirate , on 23/01/2010 , @ 12:33pm

     

    “Hello hypervisor, I’m geohot”.

    Probably the last thing we would expect to see on the PS3. After 3 years, it seems legendary iPhone hacker George Hotz (Geohot) has managed to crack the PS3 security in under a month (Geohot was the first person to unlock the iPhone). He has posted on his blog that he has full hypervisor access and read/write access to the entire system memory. He also says that this is not patchable and plans to reveal the method soon. There is still more work to be done according to Geohot.

    Original post:

    I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I’ve also dumped the NAND without removing it or a modchip.

    3 years, 2 months, 11 days…that’s a pretty secure system

    Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

    Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

    As far as the exploit goes, I’m not revealing it yet. The theory isn’t really patchable, but they can make implementations much harder. Also, for obvious reasons I can’t post dumps. I’m hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are set up like the iPhone’s KBAG.

    A lot more to come…follow @geohot on twitter

    Very good news for PS3 hackers who have waited very patiently for this day, and great job Geohot. We will bring you more updates as they become available.

    [VIA]

    UPDATE #1 (1-23-2010):
    [I know some function names...]

  • Posted by Pirate , on 03/01/2010 , @ 02:40pm

     

    MysticHades has resurfaced an old hack that allowed the booting of PS3 games (originally found here). He has posted a video showing how this exploit works. This method only works with BluRay backups and NOT DVD. It does not work on all games.

    Here is a rough translation of the tutorial. You can download all the needed files below:

    Step 1: Install Ubuntu on your PS3 (or kubuntu)
    Step 2: Install Windows XP on Ubuntu
    Step 3: Install CloneCD on Windows XP and connect to network another PC so has seen in My Network Places. I do not know if AnyDVD HD is necessary, but I installed it for me
    Step 4: Open CloneCD, select new image, insert the game, select “Protected PC Game”, change the extension to ISO.
    Step 5: Ripper Blu-Ray on PC via network favorites.
    Step 6: Burn with ImgBurn (or CloneCD) in 1X on the PC or has been ripped game

    So what exactly is going on? This was the release post about this method via Elotrolado

    PS3 backups load thanks to an exploit discovered when it is considered necessary is to upload a video showing the event.
    My way of working will protect this exploit and not give details of how this occurs so that might not make the same mistakes of the past.
    You have to patch both updates as other functions, the iso is not worth anyone … It requires a different process than those generated in linux are not worth keeping the encryption layer.
    The exploit creates a CheckStop that generates a reboot and does not load everything back into memory but the function of pre patched disk and run the new copy.
    The models are tested 40/60/80.
    The games tested are 3, Killzone 2, burnout paradise, pes2008.

    Video of this exploit in action:



    A more in-depth tutorial will be posted once we can get a better translation of the video. If you have a BluRay burner lying around and are willing to try, let us know and post your results.

    [Download MotorStorm Hack + Tutorial Files]

  • Posted by Pirate , on 12/04/2009 , @ 03:31pm

     

    MaTiAz has discovered a TIFF exploit on PSPs running firmware 5.03. The current release version is only for PSP-1000 units; a separate release is planned for the slim PSPs (2000/3000). MaTiAz also promises more exciting news very soon, and we will keep you updated on the new releases.



    You can view the read-me with instructions and technical information via download link below.

    [Download MaTiAz PSP 5.03 Exploit]
    [VIA]