Welcome to PS3Hax, your official PS3 hacks, PS3 Homebrew, and PS3 Downloads scene. Check back daily to keep up with the latest PS3 Hacks and drop by our forums for more PS3 Hacks discussions.

  • GeoHot releases PS3 exploit!

    Posted by Pirate , on 26/01/2010 , @ 07:01

     

    Well he said he had it and now here it is :)

    GeoHot has releases his PS3 exploit today. The exploit grants us “full memory access and therefore ring 0 access from OtherOS”.

    Original post:

    In the interest of openness, I’ve decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can’t keep working on this all day and night.

    Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I’d like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

    This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I’ll write up how it works :)

    Good luck!

    There is also an explanation on how it works that Geohot told on IRC:

    geohot: well actually it’s pretty simple
    geohot: i allocate a piece of memory
    geohot: using map_htab and write_htab, you can figure out the real address of the memory
    geohot: which is a big win, and something the hv shouldn’t allow
    geohot: i fill the htab with tons of entries pointing to that piece of memory
    geohot: and since i allocated it, i can map it read/write
    geohot: then, i deallocate the memory
    geohot: all those entries are set to invalid
    geohot: well while it’s setting entries invalid, i glitch the memory control bus
    geohot: the cache writeback misses the memory :)
    geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
    geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
    geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
    geohot: switch to virtual segment
    geohot: write to main segment htab a r/w mapping of itself
    geohot: switch back
    geohot: PWNED
    geohot: and would work if memory were encrypted or had ECC
    geohot: the way i actually glitch the memory bus is really funny
    geohot: i have a button on my FPGA board
    geohot: that pulses low for 40ns
    geohot: i set up the htab with the tons of entries
    geohot: and spam press the button
    geohot: right after i send the deallocate call

    You can download the exploit files here.

    This exploit obviously is not newb friendly, but it nevertheless a huge progress to crack open the PS3 scene. More information and updates will be posted as available, stay tuned!

    More information via instructions in download file.

    [VIA]

    73 Comments |

  • PS3 Finally hacked by Geohot [UPDATES!]

    Posted by Pirate , on 23/01/2010 , @ 12:01

     

    “Hello hypervisor, I’m geohot”.

    Probably the last thing we would expect to see on the PS3, after 3 years it seems legendary iPhone hacker George Hotz (Geohot) has managed to crack the PS3 security in under a month (Geohot was the first person to unlock the iPhone). He has posted on his blog that he has full hypervisor access and read/write access to the entire system memory. He also says that this is not patchable and plans to reveal the method soon. There is still more work to be done according to Geohot.

    Original post:

    I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I’ve also dumped the NAND without removing it or a modchip.

    3 years, 2 months, 11 days…thats a pretty secure system

    Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

    Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

    As far as the exploit goes, I’m not revealing it yet. The theory isn’t really patchable, but they can make implementations much harder. Also, for obvious reasons I can’t post dumps. I’m hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone’s KBAG.

    A lot more to come…follow @geohot on twitter

    Very good news for PS3 hackers who have waited very patiently for this day, and great job Geohot, we will bring you more updates as they are available.

    [VIA]

    UPDATE #1 (1-23-2010):
    [I know some function names...]

    117 Comments |