  • Posted by Pirate, on 08/04/2010, @ 06:54pm

    ZiNgA BuRgA has released his RCO manipulation tool which is compatible with PSP and the PS3. More information and download link below:

    About
    Rcomage is a general RCO manipulation/creation tool, which I hope, will replace RCO Editor (and potentially rcotool in the future).
    It’s a CLI (command-line interface) however I’ve provided a simple Windows GUI to save you from remembering commands (though you may need to trawl through an XML file).

    It currently only has two main functions – “dump” (dumps contents of an RCO) and “compile” (compiles an RCO from a dump).
    For modifying an RCO, you would dump it, modify the dump, then compile it.
    A dump will consist of an XML file, which contains all the metadata of the RCO (basically, its structure) as well as various resources, such as images, sounds etc.

    How to use
    Well, as mentioned above, basically dump and compile is the only thing you can do.
    As for information on the XML structure, I don’t really have the time to write a good guide, so I guess you’ll probably just dump various RCOs to get an idea of how it works.  (I’d be willing to assist if someone would write a guide for me :P )
    A quick idea of the structure is shown in the readme.

    !! I strongly suggest that you don’t use Notepad to edit the XML files.  Suggested applications include Notepad++ and Notepad2 (or your favourite text editor; most should overcome the deficiencies of Notepad).

    Notes
    Because I was silly when writing RCO Editor, it doesn’t put in adler32 checksums for compressed images, etc, and thus, anything modified with it will generate a warning in Rcomage.  Otherwise, should work fine.
    Also, Sony’s GimConv, which is used to convert GIM images, is a little slow, so if you choose to perform the conversion (affects both dumping and compiling), expect to wait some time…

    Unknown values
    If you go through dumped XML structures, you may notice a number of “unknown” labels for various objects (and some anim entries).  Finding out what these values do is, unfortunately, a little time consuming and I don’t really have that much time to test what each thing does.  It would be great if people would volunteer to play around with these values to see what effect they have, and I can add the definitions to Rcomage. (thanks in advance :) )

    Credits
    - highboy for his WAV <-> VAG conversion sample code
    - Z33 for sample GIM handling code and his various RCO tools as well as guides/investigations on various file formats
    - creators of 7-zip for their awesome implementation of deflate
    - supporting libraries: libxml2, iconv and zlib
    - geohot for help with PS3 RCO support
    - alpha testers, for discovering some issues and supporting theme development
    - everyone else supporting PSP customisation and homebrew scene (too numerous to name)
    - anyone I forgot to mention

    [Download Rcomage v1.1.0]
    [VIA]

  • Posted by MohammadAG, on 07/04/2010, @ 10:20am

    Title says it all. GregoryRasputin has posted on the forums that GeoHot announced his CFW for the PS3, which enables OtherOS on 3.21. He also says that it might be a way to enable it on the slimline PS3s.

    From the blog:

    Here is a video demoing my “custom firmware”. I would have added something showing off the new features of 3.21, but oh wait, there aren’t any.

    This can be installed without having to open up your PS3, just by restoring a custom generated PUP file, but only from 3.15 or previous. It’s possible this CFW will also work on the slim to actually *enable* OtherOS; I’ll know when my infectus gets here.

    No release date yet, use the proxy hack to play online with 3.15

    Note to the people who removed OtherOS, you are potentially turning 100000+ legit users into “hackers.” There was a huge (20x) traffic spike to this blog after the announcement of 3.21. If I had ads on this site I guess I’d be thanking you.

    Head onto the thread to see the video of the firmware, and to post your comments.

  • Posted by Pirate, on 29/03/2010, @ 03:02pm

    If you have not heard by now, Sony plans to block OtherOS in FW 3.21 on April 1st. This seems to have made GeoHot angry: he has posted two new blog posts expressing his anger at Sony and promising PS3 custom firmware.

    Don’t Update
    A note to people interested in the exploit and retaining OtherOS support, DO NOT UPDATE. When 3.21 comes out, I will look into a safe way of updating to retain OtherOS support, perhaps something like Hellcat’s Recovery Flasher. I never intended to touch CFW, but if that’s how you want to play…

    His second post:

    Wait, you are removing a feature?
    First off, I want to apologize to all the people who use Linux on their PS3. Before releasing, I weighed the pros and cons, and considered the possibility of an impact on OtherOS support. My logic was this. OtherOS support had already been removed from the Slim (not for technical reasons; I believe it only existed in the first place to promote the Cell for IBM). The builders had apparently no intention of including it in future products. So for the purposes of openness why not release? Not like anything else has (or probably will be) done on the PS3.

    Now you go and remove a feature that people expected to be included with the expensive device they purchased, citing “security concerns”. What security concerns? It’s not like the exploit can be run even close to without the user’s knowledge. You have to open the fucking thing up. How could this harm users? Your blog post doesn’t list positive reasons for upgrading like I think most users expect. Instead it lists things you will lose if you don’t upgrade. Seriously?

    The PlayStation 3 is the only product I know that loses features throughout its life cycle. Software PS2 emulation, SACD playback, and OtherOS support are all just software switches you can flip. It’s unbelievable you would go and flip one, not just on new boxes you are shipping, but on tens of millions already in the field.

    Again I’m sorry users. Sony, I expected more from you.

    Maybe this was the boost we were waiting for? Time will only tell now in the next few days, and remember not to upgrade your PS3 for the time being.

    [VIA]

  • Posted by Pirate, on 28/03/2010, @ 09:06pm

    Yes, you heard it; no, it’s not an April Fools’ joke. Sony has confirmed and posted on their blog today that FW 3.21 will go live this Thursday, and it will block OtherOS. We highly recommend that the hacking scene stay away from updating their PS3s this Thursday. This is no doubt Sony’s response to GeoHot’s PS3 hack.

    The next system software update for the PlayStation 3 (PS3) system will be released on April 1, 2010 (JST), and will disable the “Install Other OS” feature that was available on the PS3 systems prior to the current slimmer models, launched in September 2009. This feature enabled users to install an operating system, but due to security concerns, Sony Computer Entertainment will remove the functionality through the 3.21 system software update.

    In addition, disabling the “Other OS” feature will help ensure that PS3 owners will continue to have access to the broad range of gaming and entertainment content from SCE and its content partners on a more secure system.

    Consumers and organizations that currently use the “Other OS” feature can choose not to upgrade their PS3 systems, although the following features will no longer be available:

    * Ability to sign in to PlayStation Network and use network features that require signing in to PlayStation Network, such as online features of PS3 games and chat
    * Playback of PS3 software titles or Blu-ray Disc videos that require PS3 system software version 3.21 or later
    * Playback of copyright-protected videos that are stored on a media server (when DTCP-IP is enabled under Settings)
    * Use of new features and improvements that are available on PS3 system software 3.21 or later

    For those PS3 users who are currently using the “Other OS” feature but choose to install the system software update, to avoid data loss they first need to back-up any data stored within the hard drive partition used by the “Other OS,” as they will not be able to access that data following the update.

    Additional information about PS3 firmware updates, including v3.21 (once it becomes available), can be found here:

    http://us.playstation.com/support/systemupdates/ps3/index.htm

    PS3 owners who have further questions should contact Consumer Services:

    http://us.playstation.com/support/ask/

    800-345-7669 (800-345-SONY)

    Definitely a shocking move on Sony’s part, dropping Linux support on the PS3 entirely (not to mention the many people and companies who use the PS3 Linux/OtherOS feature).

    What is your take/opinion on this? Post and let us know.

    [VIA]

  • Posted by Pirate, on 19/03/2010, @ 11:20am

    Geohot has managed to do an RCO file edit on the PS3 using his exploit.

    To quote:

    As some people in the comments called, it’s an RCO file edit, just like RCO edits on the PSP (almost same format too). RCO files are resource files for VSH plugins, live in the dev_flash, and aren’t signed. To edit them on your system, patch your hypervisor to allow encrypted access to the partition (flash on old systems, hd on new), and mod ps3pf_storage. dev_flash is just a FAT partition, mount it in Linux and change what you’d like.

    [VIA]

  • Posted by Pirate, on 03/03/2010, @ 09:48pm

    Remember the rumor a few days ago that Sony may remove the OtherOS feature on non-slim PS3s in a future firmware update? Well, Geoff Levand, the PS3-Linux maintainer, has gotten confirmation from SCE that the feature will NOT be removed in future firmware updates, and that Sony will continue to support it.

    To quote (read bolded statement):

    Hi All,

    On 02/26/2010 04:30 AM, David Woodhouse wrote:
    > On Fri, 2009-08-21 at 09:58 -0700, geoffrey.levand at am.sony.com wrote:
    >> The feature of “Install Other OS” was removed from the new
    >> “Slim” PS3 model to focus on delivering games and other
    >> entertainment content.
    >>
    >> Please be assured that SCE is committed to continue
    >> the support for previously sold models that have the
    >> “Install Other OS” feature and that this feature will
    >> not be disabled in future firmware releases.
    >
    > Although it’s disappointing that Sony have removed the feature from new
    > models, it’s good to have this public assurance from Sony that at least
    > the feature won’t be removed from older models which are already
    > working.

    Please understand that in my position as PS3-Linux maintainer
    I can really only provide users with technical support for
    Linux and the LV1 hcall interface.

    The text above was provided to me by SCE management. If
    you have any questions regarding it or any other feature
    of the PS3 please contact the Playstation Customer Support
    in your country. Using Playstation Customer Support will
    insure your inquiry is processed through the correct
    channels within SCE.

    -Geoff

    So everyone can take a breather who thought that geohot’s exploit was going to be patched :)

  • Posted by Pirate, on 03/03/2010, @ 03:50pm

    Xorloser has released his complete PS3 exploit toolkit software, called XorHack. XorHack allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program.

    To quote:

    I finally found the time to complete the PS3 exploit toolkit software I mentioned in my previous posts. I call it XorHack. It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

    • ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
    • dumphv – Dumps the hypervisor to a file in the current directory.
    • dumpbl – Dumps the bootloader to a file in the current directory.
    • dumprom – Dumps the system rom to a file in the current directory.

    The XorHack package contains full sourcecode for everything including a rewrite of geohot’s exploit sourcecode to make it easier to read and understand (the new file is kmod/exploit.c). The rewrite doesn’t just fix the compilation warnings, it attempts to replace all “magic” values with the algorithms and reasoning as well as tidying up the code and commenting it all. I also added another syscall #21 to allow executing code in hypervisor context. Due to the associated complexities it is not available from usermode, it is for advanced users to make use of in kernel space. Some small changes were also made to the timing and the text that gets printed onscreen to make the exploit easier and hopefully more stable to use. I recommend XorHack both when looking into how the exploit works and when actually triggering the exploit.

    XorHack is made up of three parts. The kernel module, the userspace library file, and lastly the userspace programs themselves. To build all three parts you need to first extract the contents of the XorHack zip file to a directory on your PS3 hard drive. Next you need to navigate on the command line to the directory you extracted the files to. You should be either logged in as root or running as root thanks to the “su” command. Now type “make” to build all parts of XorHack. Then once that completes type “make install” to install all parts of XorHack. If you wish to you can type “make uninstall” in this same directory to remove all of XorHack from your system. When you install XorHack on your system it will always be ready for use, even after rebooting it will be automatically reloaded and ready for use.

    To use XorHack to perform the exploit on your PS3 first install it as per the directions above. You then need to switch to a console only mode (no GUI). This is required because it is the only way you can see the printed messages from the kernel module to know when to press the button. Once exploited all other programs can be run normally from a terminal window in GUI mode. To switch to console mode press Ctrl+Alt+F1 on your keyboard. To switch back to the GUI mode press Ctrl+Alt+F7. When you enter console mode you will be greeted with a login screen. Now login with your normal user account and password and type “ps3exploit 100”. This will start the exploit looping 100 times in which you need to successfully glitch the console by pressing the button on your glitch hardware. The idea is to perform the glitch when nothing else is occurring on your PS3. Therefore some things you may want to try when exploiting to help your chances are:

    • Only press the button once per loop.
    • Try to press the button around the middle of the pause between two concurrent prints of the “press button” message.
    • Don’t start pressing the button till after the 10th “press button” message (by this time the system should be done loading and preparing the newly running code, so less likely to interfere with processes that occur during these stages)
    • Run the ps3exploit software after initially booting up the PS3 and switching to the console login without first logging into the GUI mode.
    • After booting the PS3 and switching to the console mode straight away, log in and then wait about a minute before running ps3exploit so that any processes that may occur upon login/startup have completed.
    • Don’t use any services that will cause more processes to be running until the exploit is completed. This includes things like accessing your PS3 over samba.
    • Once you have successfully exploited, stay in console mode as there is less chance of instabilities causing havoc and crashing your PS3.

    The PS3 Exploit Game!

    Once you can run the exploit it’s time to turn it into a game. Think of it as a cross between getting the turbo boost at the start of a Mario Kart race and Dance Dance Revolution with a finger pad. The aim of the game is to exploit your PS3 as quickly as possible without it crashing. Below is my highscore table picture showing my highscore of THREE!

    You can view and download XorHack and readme here.

    [VIA]

  • Posted by Pirate, on 19/02/2010, @ 11:39am

    Now this is a nasty rumor to wake up to: just as the scene finally broke down the hypervisor security, we now hear rumors that Sony is planning to block OtherOS support via the next PS3 firmware update.

    Owen Stampflee, Linux Product Manager for Fixstars Corporation, made the following post on the yellowdog boards:

    Everyone,

    I’ve caught a rumor from a reputable source that the next firmware update for old PS3s will remove the OtherOS feature…

    I’m not sure if it’s true or not but it’s in the best interest of the YDL community to spread the word.

    Cheers,
    Owen

    This is indeed an unexpected move on Sony’s part if the rumor is real, but of course we all know the solution, and that is to not update :) .

    [VIA]

  • Posted by Pirate, on 15/02/2010, @ 11:46pm

    SKFU has stumbled across a new patent for a method to protect against encrypted section attacks.

    To quote from SKFU blog and patent below:

    Recently a new patent by a SONY employee was published on the patent site at faqs.org. It seems it is SONY’s answer for Geohot’s progress. Take a look here:

    A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code. Predetermined program code is encrypted with a first key. The hash value of an application verification certificate associated with a second key is calculated by performing a one-way hash function. Binding operations are then performed with the first key and the calculated hash value to generate a third key, which is a binding key. The binding key is encrypted with a fourth key to generate an encrypted binding key, which is then embedded in the application. The application is digitally signed with a fifth key to generate an encrypted and signed program code image. To decrypt the encrypted program code, the application verification key certificate is verified and in turn is used to verify the authenticity of the encrypted and signed program code image. The encrypted binding key is then decrypted with a sixth key to extract the binding key. The hash value of the application verification certificate associated with the second key is then calculated and used with the extracted binding key to extract the first key. The extracted first key is then used to decrypt the encrypted application code.

    You can read the full patent here.

    [VIA]
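    As an added illustration (not from SKFU’s post or the patent itself), the following Python model walks through the six-key binding scheme the abstract describes on both the producer and loader sides. The abstract names no algorithms, so the cipher, the binding operation and the signature are stdlib stand-ins, and every key and certificate is a constructed value; all of these are assumptions marked in the code.

```python
# Added model of the key-binding scheme from the patent abstract above.
# Constructed stand-ins (assumptions): HMAC-SHA256 keystream as the cipher,
# XOR as the "binding operation", an HMAC tag as the digital signature (so the
# sixth key equals the fourth and the verification key equals the fifth key).
import hashlib
import hmac

KEY_LEN = 32


def _keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter-mode keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        msg = label + counter.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cert_hash(cert: bytes) -> bytes:
    """One-way hash of the application verification certificate (second key)."""
    return hashlib.sha256(cert).digest()


def build_image(code, first_key, cert, fourth_key, fifth_key):
    """Producer side: encrypt, bind, embed, sign (the abstract's steps in order)."""
    enc_code = _keystream_xor(first_key, code, b"code")             # encrypt code
    binding_key = _xor(first_key, cert_hash(cert))                  # third key
    enc_binding = _keystream_xor(fourth_key, binding_key, b"bind")  # encrypt it
    body = len(cert).to_bytes(2, "big") + cert + enc_binding + enc_code
    tag = hmac.new(fifth_key, body, hashlib.sha256).digest()        # "sign"
    return body + tag


def load_image(image, trusted_cert_hashes, fifth_key, sixth_key):
    """Loader side: verify certificate and signature, unbind, decrypt.
    Raises ValueError on any failed check; a real loader would refuse to run."""
    body, tag = image[:-32], image[-32:]
    cert_len = int.from_bytes(body[:2], "big")
    cert = body[2:2 + cert_len]
    if cert_hash(cert) not in trusted_cert_hashes:
        raise ValueError("application verification certificate not trusted")
    expected = hmac.new(fifth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature check failed")
    enc_binding = body[2 + cert_len:2 + cert_len + KEY_LEN]
    enc_code = body[2 + cert_len + KEY_LEN:]
    binding_key = _keystream_xor(sixth_key, enc_binding, b"bind")
    first_key = _xor(binding_key, cert_hash(cert))   # unbind with the cert hash
    return _keystream_xor(first_key, enc_code, b"code")


# Constructed demo values (not real PS3 keys or certificates).
FIRST_KEY = hashlib.sha256(b"constructed first key").digest()
FOURTH_KEY = hashlib.sha256(b"constructed fourth key").digest()
FIFTH_KEY = hashlib.sha256(b"constructed fifth key").digest()
SIXTH_KEY = FOURTH_KEY          # symmetric stand-in for the decryption half
CERT_A = b"appcert:v1:pubkey=constructed-second-key"
CERT_B = b"appcert:v1:pubkey=constructed-other-key"
CODE = b"\x7fELF constructed application payload"


def round_trip() -> bytes:
    """Build an image for CERT_A and load it with CERT_A trusted: returns CODE."""
    image = build_image(CODE, FIRST_KEY, CERT_A, FOURTH_KEY, FIFTH_KEY)
    return load_image(image, {cert_hash(CERT_A)}, FIFTH_KEY, SIXTH_KEY)


def unbind_with_wrong_cert() -> bytes:
    """The binding ties the first key to CERT_A's hash: unbinding the same
    binding key with another certificate's hash yields a different key."""
    binding_key = _xor(FIRST_KEY, cert_hash(CERT_A))
    return _xor(binding_key, cert_hash(CERT_B))


def tampered_image_rejected() -> bool:
    """Flip one bit of the embedded certificate; the loader must refuse it."""
    image = bytearray(build_image(CODE, FIRST_KEY, CERT_A, FOURTH_KEY, FIFTH_KEY))
    image[2] ^= 0x01
    try:
        load_image(bytes(image), {cert_hash(CERT_A)}, FIFTH_KEY, SIXTH_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip ok:", round_trip() == CODE,
          "tamper rejected:", tampered_image_rejected())
```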

  • Posted by Pirate, on 13/02/2010, @ 12:41pm

    Today GeoHot brings more updates from his blog and twitter about his PS3 work, to quote:

    Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

    In OtherOS, all 7 SPUs are idle. You can command an SPU (which I’ll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

    The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

    Ah, but you still didn’t get the Cell root key. And I/we never will. But it doesn’t matter. For example, we don’t have either the iPhone or PSP “root key”. But I don’t think anyone doubts the hackedness of those systems.

    I wonder if any systems out there are actually secure?

    And from his twitter:

    Today I validated my theories about running the isolated SPUs on the PS3 as crypto engines. The PS3 is 100% hacked. So where my homebrew at?

    Stay tuned for more updates.

    [VIA]

  • Posted by Pirate, on 07/02/2010, @ 12:37pm

    A few days ago we told you how to use Geohot’s exploit via software; today xorloser has posted his latest tutorial teaching us how to do it via hardware.

    To quote:

    The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

    He also promises some code next post to dump the hypervisor and more.

    You can download the fixed version of the exploit here.

    You can view the tutorial here or VIA link below.

    [VIA]

  • Posted by Pirate, on 05/02/2010, @ 11:59am

    PS3 hacker xorloser has released a fix for Geohot’s PS3 exploit, making it work across different firmwares.

    To quote:

    As I’m sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack so I thought I’d take the time to help out others who may also have trouble due to being linux n00bs like me :) If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it heh. Today’s post will talk about the software side of the exploit.

    Please note that the geohotz exploit software was hardcoded for the v2.42 firmware, I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15 however.

    You can download the fixed files here.

    xorloser has also posted a tutorial on how to use this exploit, which is now a bit more newb friendly (for those not experienced with Linux, anyway), and provides some good information and guidance to help you get started using this exploit. You can view the tutorial HERE, or via the link below.

    [VIA]

  • Posted by Pirate, on 28/01/2010, @ 10:35am

    With the great news of the hypervisor being hacked by Geohot, many people are now wondering: what next, how does this work, and what can I look for in the future? Nate Lawson has posted an excellent explanation detailing Geohot’s hack and what exactly is going on. For those interested in a less technical explanation, you can view one here.

    To quote:

    George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

    The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

    Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

    The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor.  The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

    George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

    His approach is clever and is known as a “glitching attack”. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

    George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to set up the RAM to give a higher likelihood of success than it would first appear.

    His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.

    The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.

    The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

    At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.

    The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

    It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.

    Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.

    It will be interesting to see how Sony responds with future updates to prevent this kind of attack.

    [VIA]
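    As an added model (not Sony’s hypervisor code, nor anything from Nate Lawson’s post) of the read-back fix proposed in the last paragraph of the analysis: a simulated HTAB whose backing store can silently lose one write, released once without verification and once with the read-back check. The HTAB layout, the buffer address and the dropped write sequence number are all constructed assumptions.

```python
# Added model of the read-back mitigation proposed above. Constructed example,
# not Sony's hypervisor code nor Nate Lawson's: the HTAB, the buffer address
# and the "lost" write cycle are all simulated (assumptions).
from dataclasses import dataclass


@dataclass
class HtabEntry:
    valid: bool
    target: int        # simulated real address this entry maps


class HypervisorHalt(Exception):
    """Raised when a read-back check finds a mapping write that did not land."""


class GlitchableRam:
    """Backing store for the HTAB. A write whose sequence number is listed in
    `dropped` never reaches memory, modelling a write cycle lost to a glitch."""

    def __init__(self, entries, dropped=()):
        self.entries = list(entries)
        self.dropped = set(dropped)
        self.write_seq = 0

    def write(self, index, entry):
        seq, self.write_seq = self.write_seq, self.write_seq + 1
        if seq in self.dropped:
            return                      # lost write: the old entry stays in RAM
        self.entries[index] = entry

    def read(self, index):
        return self.entries[index]


def make_htab(buffer_addr, n_mappings):
    """Many duplicate read/write mappings to one buffer, as the analysis describes."""
    return [HtabEntry(True, buffer_addr) for _ in range(n_mappings)]


def release_memory_unchecked(ram, buffer_addr):
    """Invalidate every mapping to the buffer without confirming the writes."""
    for i in range(len(ram.entries)):
        e = ram.read(i)
        if e.valid and e.target == buffer_addr:
            ram.write(i, HtabEntry(False, e.target))


def release_memory_verified(ram, buffer_addr):
    """Same, but read each entry back and halt if it is still valid."""
    for i in range(len(ram.entries)):
        e = ram.read(i)
        if e.valid and e.target == buffer_addr:
            ram.write(i, HtabEntry(False, e.target))
            if ram.read(i).valid:
                raise HypervisorHalt(f"HTAB entry {i} still valid after release")


def dangling_mappings(ram, buffer_addr):
    """Mappings still valid to a buffer the hypervisor believes it has freed."""
    return sum(1 for e in ram.entries if e.valid and e.target == buffer_addr)


BUFFER = 0x00100000   # constructed simulated real address
N_MAPPINGS = 64


def scenario(verified, dropped=(17,)):
    """Run one release with the given policy. Returns the number of dangling
    mappings left behind, or "halted" if the verified release stopped."""
    ram = GlitchableRam(make_htab(BUFFER, N_MAPPINGS), dropped)
    release = release_memory_verified if verified else release_memory_unchecked
    try:
        release(ram, BUFFER)
    except HypervisorHalt:
        return "halted"
    return dangling_mappings(ram, BUFFER)


if __name__ == "__main__":
    print("unchecked:", scenario(False), "verified:", scenario(True))
```

    With the write dropped, the unchecked release leaves one valid mapping to freed memory, which is exactly the state the exploit needs; the verified release detects it on the spot and halts instead.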

  • Posted by Pirate, on 28/01/2010, @ 10:31am

    Geohot has today confirmed on his blog that his exploit DOES work on firmware 3.10. He also added that there are compile issues on Fedora, but it works fine on Ubuntu.

    [VIA]

  • Posted by Pirate, on 26/01/2010, @ 07:01pm

    Well he said he had it and now here it is :)

    GeoHot has released his PS3 exploit today. The exploit grants us “full memory access and therefore ring 0 access from OtherOS”.

    Original post:

    In the interest of openness, I’ve decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can’t keep working on this all day and night.

    Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I’d like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

    This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I’ll write up how it works :)

    Good luck!

    There is also an explanation on how it works that Geohot told on IRC:

    geohot: well actually it’s pretty simple
    geohot: i allocate a piece of memory
    geohot: using map_htab and write_htab, you can figure out the real address of the memory
    geohot: which is a big win, and something the hv shouldn’t allow
    geohot: i fill the htab with tons of entries pointing to that piece of memory
    geohot: and since i allocated it, i can map it read/write
    geohot: then, i deallocate the memory
    geohot: all those entries are set to invalid
    geohot: well while it’s setting entries invalid, i glitch the memory control bus
    geohot: the cache writeback misses the memory :)
    geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
    geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
    geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
    geohot: switch to virtual segment
    geohot: write to main segment htab a r/w mapping of itself
    geohot: switch back
    geohot: PWNED
    geohot: and would work if memory were encrypted or had ECC
    geohot: the way i actually glitch the memory bus is really funny
    geohot: i have a button on my FPGA board
    geohot: that pulses low for 40ns
    geohot: i set up the htab with the tons of entries
    geohot: and spam press the button
    geohot: right after i send the deallocate call

    You can download the exploit files here.

    This exploit obviously is not newb friendly, but it is nevertheless huge progress toward cracking open the PS3 scene. More information and updates will be posted as available; stay tuned!

    More information via instructions in download file.

    [VIA]
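    The IRC explanation above and the earlier analysis (which suggested the hypervisor "read back the state of each mapping after changing it" and halt if a write did not land) both turn on the same failure mode: a store to a page-table entry is lost, and a mapping the hypervisor believes is gone stays live. The following is an added example, not code from geohot or from any PS3 firmware, that models that mitigation in plain C. The table layout, the flag bits, and the single-dropped-store bus model are all constructed for illustration; the only real design point is the verified teardown loop.

```c
/* Added example (not from the original page): a toy hypervisor hash table
 * (HTAB) teardown that verifies each entry after writing it, next to the naive
 * version that trusts the store. A simulated bus that can silently drop one
 * store stands in for the fault injection described in the post. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HTAB_ENTRIES 64
#define PTE_VALID 0x1ULL   /* constructed flag layout, not the real PS3 format */
#define PTE_RW    0x2ULL

/* The backing memory of the table. In a real hypervisor this is the HTAB in RAM. */
static uint64_t htab[HTAB_ENTRIES];

/* Fault model: the n-th store (counted from 0) is discarded; -1 disables it. */
typedef struct {
    int drop_index;
    int stores_seen;
} bus_t;

static void bus_store(bus_t *bus, uint64_t *slot, uint64_t value) {
    int n = bus->stores_seen++;
    if (n == bus->drop_index) return;   /* simulated glitch: store is lost */
    *slot = value;
}

/* Fill every entry with a read/write mapping of one physical page. */
static void htab_fill(uint64_t phys_page) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        htab[i] = (phys_page << 12) | PTE_RW | PTE_VALID;
}

/* Naive teardown: write "invalid" and assume the write landed. */
static void htab_invalidate_naive(bus_t *bus) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        bus_store(bus, &htab[i], 0);
}

/* Verified teardown: after each store, read the entry back and compare.
 * Returns -1 when every entry is confirmed invalid, otherwise the index of
 * the first entry whose store did not land. A real hypervisor would halt
 * at that point instead of continuing with a stale mapping live. */
static int htab_invalidate_verified(bus_t *bus) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++) {
        bus_store(bus, &htab[i], 0);
        uint64_t readback = *(volatile uint64_t *)&htab[i];
        if (readback != 0) return (int)i;
    }
    return -1;
}

/* Number of entries still marked valid, i.e. stale mappings left live. */
static int htab_count_valid(void) {
    int n = 0;
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        if (htab[i] & PTE_VALID) n++;
    return n;
}

/* Scenario helpers: fresh table, one teardown, report the outcome. */
int naive_leftover(int drop_index) {
    bus_t bus = { drop_index, 0 };
    htab_fill(0x1234);                 /* constructed page number */
    htab_invalidate_naive(&bus);
    return htab_count_valid();         /* >0 means a stale mapping survived */
}

int verified_result(int drop_index) {
    bus_t bus = { drop_index, 0 };
    htab_fill(0x1234);
    return htab_invalidate_verified(&bus);   /* -1 ok, else failing index */
}

int main(void) {
    printf("naive, no fault:      %d stale entries\n", naive_leftover(-1));
    printf("naive, store 17 lost: %d stale entries\n", naive_leftover(17));
    printf("verified, no fault:   %d\n", verified_result(-1));
    printf("verified, store 17 lost: detected at index %d\n", verified_result(17));
    return 0;
}
```

The one caveat that matters in practice is where the read-back comes from. The IRC log says the glitch made "the cache writeback miss the memory", so a read that is satisfied from the cache would happily return the value the hypervisor just wrote and the check would pass. The read-back has to observe the backing memory itself (flush and invalidate the line first, or read through a cache-inhibited mapping); this model folds that into the bus so the verification loop can be shown on its own.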

  • Posted by Pirate , on 26/01/2010 , @ 10:26am


    With the recent explosive news of Geohot managing to successfully hack the PS3, he has now posted another blog post clarifying what he is doing and the direction he plans to take.

    Quote:

    What it is and what it isn’t
    First off, this is not a release blog like “On The iPhone”. If you are expecting some tool to be released from this blog like blackra1n, stop reading now. If you have a slim and are complaining this hack won’t work for you, stop reading now. WE DO NOT CONDONE PIRACY, NOR WILL WE EVER. If you are looking for piracy, stop reading now. If you want to see the direction in which I will take this blog, read the early entries in the iPhone one. Information on this blog is for research purposes only.

    That aside, I’ll tell you what I have so far. I have added two hypercalls, lv1_peek and lv1_poke. peek reads memory in real space (including all the MMIO), poke writes it. I can also add other arbitrary hypercalls as I see fit.

    The hypervisor is complicated, it is written in C++ and is PPC, which I am not that familiar with yet. At first I was trying to add a hypercall to add arbitrary real memory to the LPAR, but it kept crashing (because I can’t code), which is really annoying, because I have to wait while Linux reboots.

    Some people pointed out that I have not accessed the isolated SPEs. This is true. Although as far as doing anything with the system, it doesn’t matter. The PPE can’t read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want. An interesting note: by the time you get to OtherOS, all 7 working SPEs are stopped.

    Despite this, I am working on the isolated SPEs now (which I can now load), because what I’d really like to do is post decryption keys here so you guys can join the fun.

    As of now, the current status of whether this hack works on the SLIM PS3s is UNKNOWN.

    [VIA]

  • Posted by Pirate , on 25/01/2010 , @ 04:07pm


    Here is an interview GeoHot has apparently done with the BBC relating to the most recent news of the PS3 hack, quoted below:

    A US hacker who gained notoriety for unlocking Apple’s iPhone as a teenager has told BBC News that he has now hacked Sony’s PlayStation 3 (PS3).

    George Hotz said the hack, which could allow people to run pirated games or homemade software, took him five weeks.

    He said he was still refining the technique but intended to post full details online soon.

    The PS3 is the only games console that has not been hacked, despite being on the market for three years.

    “It’s supposed to be unhackable – but nothing is unhackable,” Mr Hotz told BBC News.

    “I can now do whatever I want with the system. It’s like I’ve got an awesome new power – I’m just not sure how to wield it.”

    Sony said it was “investigating the report” and would “clarify the situation” when it had more information.

    ‘Open curiosity’

    Mr Hotz said that he had begun the hack last summer when he had spent three weeks analysing the hardware.

    After a long break, he spent a further two weeks cracking the console, which he described as a “very secure system”.

    He said that he was not yet ready to reveal the full details of the hack but said that it was “5% hardware and 95% software”.

    “You can use hardware to inject an insecurity and then you can build on that,” he said.

    He admitted that he had not managed to hack the whole system, including the protected memory, but had worked out ways to trick the console into doing what he wanted.

    Mr Hotz said that he was continuing to work on the hack and, once finished, would publish details online in a similar way to his previous iPhone exploits.

    In particular, he said, he would publish details of the console’s “root key”, a master code that once known would make it easier for others to decipher and hack other security features on the console.

    He said his motivation was “curiosity” and “opening up the platform”.

    “To tell you the truth, I’ve never really played a PS3,” he said. “I have one game, but I’ve never really played it.”

    Opening the system could allow people to install other operating systems on their console and play homemade games, he said.

    In addition, he said, the hack would allow people to play older PS2 games on their consoles.

    Recent versions of the PS3 do not have the ability to play PS2 games after Sony controversially removed a piece of hardware.

    He admitted that it could also allow people to run pirated games.

    “I’m not going to personally have anything to do with that,” he told BBC News.

    Gaming firms do not take the issue of game piracy and console modification lightly. Recently, Microsoft disconnected thousands of gamers from its online gaming service Xbox Live for modifying their consoles to play pirated games.

    Mr Hotz said that the nature of his PS3 hack means that Sony may have difficulty patching the exploit.

    “We are investigating the report and will clarify the situation once we have more information,” said a Sony spokesman.

    Mr Hotz rose to fame in 2007 at the age of 17 when he unlocked the iPhone, which could only be used on the AT&T network in the US at launch.

    The hack allowed the popular handset to be used on any network.

    He has since released various other hacks, allowing people to unlock later versions of the popular handset.

    [VIA]

  • Posted by Pirate , on 23/01/2010 , @ 12:33pm


    “Hello hypervisor, I’m geohot”.

    Probably the last thing we would expect to see on the PS3: after 3 years, it seems legendary iPhone hacker George Hotz (Geohot) has managed to crack the PS3’s security in under a month (Geohot was the first person to unlock the iPhone). He has posted on his blog that he has full hypervisor access and read/write access to the entire system memory. He also says that this is not patchable and plans to reveal the method soon. According to Geohot, there is still more work to be done.

    Original post:

    I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I’ve also dumped the NAND without removing it or a modchip.

    3 years, 2 months, 11 days… that’s a pretty secure system

    Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

    Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

    As far as the exploit goes, I’m not revealing it yet. The theory isn’t really patchable, but they can make implementations much harder. Also, for obvious reasons I can’t post dumps. I’m hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are set up like the iPhone’s KBAG.

    A lot more to come…follow @geohot on twitter

    Very good news for PS3 hackers who have waited very patiently for this day, and great job Geohot, we will bring you more updates as they are available.

    [VIA]

    UPDATE #1 (1-23-2010):
    [I know some function names...]