Post: [BREAKING NEWS:]►HV Exploit and Dump from lv2 GameOS
12-28-2010, 12:36 AM #1

That is it, guys!! Almost full control of the PS3 now! Hacker extraordinaire Graf_Chokolo announced minutes ago that he successfully exploited the hypervisor through GameOS. Here is what he had to say on the matter:

Originally posted by another user
I have just exploited and dumped HV 3.15 from GameOS.

I used memory glitching like Geohot to get a dangling HTAB entry, but the 2nd and 3rd stages are quite different. I used my knowledge of HV internals and created a simpler exploit for stage 2 and stage 3.

I didn't use a second VAS like Geohot. I used lv1_undocumented_function_114 and lv1_undocumented_function_115 to exploit the HV after I got a dangling HTAB entry.

I will make everything public very soon, and I plan to dump HV 3.41 in the next few days.

Happy New Year, guys.


Originally posted by jo2305
Guys, this basically means that soon, if all the HVs and GameOSes work the same on all systems (and firmwares), everyone will be able to hack into their consoles and host modded lobbies for every game out there.

Everyone will have full control of the PS3's RAM, meaning that you can call a function or run a program, probably just whenever you want.

That means that, just like on the PC, there will be cheaters, aimbotters and wallhackers, people who are 100th prestige with no skill, and a whole lot of piracy. Worse than it is now.
Other than that, THIS IS AWESOME!!!!


The following 12 users say thank you to NextGenTactics for this useful post:

bourkey88, darkesthour, SweatyMidgets, IRiSe_GodFather, l2ellVlliXz, lynch_96, Macdaddy4sure, manster, SolidSnake77, Suxh4rd2bu, The Overdose, UMD
12-28-2010, 12:40 AM #2
manster
League Champion
What does that mean for us? What can we do with this?


Looks like good news from Graf_Chokolo :y:

Edit:
I found this.
Quote by graf_chokolo:
Originally posted by another user
Yeah, guys, that would mean a $ONY press conference and GameOS removal in the next few days :-)
Originally posted by another user
Finally I will get access to SYSCON, EPROM, the ENCDEC device and more :-)
Originally posted by another user

And now I dumped the real USB Dongle Master Key, guys :-) No one needs it now, but here it is. I tested it with HMAC-SHA1 and dongle key 0xAAAA and got the same dongle key that was reversed by KaKaRoTo :-)

Just as I said previously, use the USB Dongle Authenticator, then dump the HV, and the decrypted USB Dongle Master Key will be in the HV dump :-) I extracted this key from my HV dump after I used the USB Dongle Authenticator on GameOS. Then I rebooted GameOS but not the HV, and the key was still in the HV and still decrypted :-)

static u8 master_key[20] =
{
0x46, 0xDC, 0xEA, 0xD3, 0x17, 0xFE, 0x45, 0xD8, 0x09, 0x23,
0xEB, 0x97, 0xE4, 0x95, 0x64, 0x10, 0xD4, 0xCD, 0xB2, 0xC2,
};
Originally posted by another user
Guys, it's just the beginning :-) I now have so much stuff to do with my PS3 :-)
I think I will just start with dumping all HVs <= 3.41 :-)
Originally posted by another user
Originally posted by graf_chokolo
You still need to do memory glitching like Geohot did. I used an SX28 devboard for this. But the software exploit is totally different. I used my HV knowledge and exploited the HV quite differently; I didn't use a second VAS like Geohot did.

I did my exploit from an exploited GameOS. I used a FAT PS3, but it doesn't matter anymore; you could even use a Slim PS3. Once exploited, the HV remains exploited as long as the PS3 is not powered off. That means you can reboot GameOS as much as you want and the HV still remains exploited :-) And you have full read/write access to all RAM and peripheral devices from GameOS, except the isolated SPUs :-) That means full access to SYSCON, the ENCDEC device (which is responsible e.g. for HDD encryption/decryption) and other very interesting stuff :-)

That means that with an exploited GameOS, every HV can be dumped and reversed.
If GameOS >= 3.42 could be exploited, then we could dump the new HV again, reverse SELF decryption again and decrypt new games :-)

And I will dump HV 3.41 soon :-) And look for pure software exploits in it.

Does somebody have a nice picture of the PS3 Slim motherboard showing where I should solder a wire to the RAM control line? Thanks.


Originally posted by chokolo
I just patched the Dispatcher Manager and enabled access to all HV services :-)

Dumped SYSCON EPROM :-)

Decrypted the USB Dongle Master Key with the Virtual TRM Manager and guess what, it's the same one I posted yesterday :-)


Other people:

Originally posted by another user
The decrypting and hypervisor master of the PS3 console, "Mr. Graf_Chokolo", has done it again!

Today, he informs our PSX-SCENE viewers that he is able to dump the Hypervisor v3.15 via the GameOS and plans to do the same for v3.41 and make all the technical details public in a few days!
Originally posted by another user
GameOS is exactly what it sounds like. It's the main "operating system" of the PS3. It's where games run from.
Originally posted by another user
It's the PS3's operating mode when you boot it up, Game Operating System. Lol, beaten to the punch!

Congrats, Graf. Always in awe of all the people who are working hard cracking Sony's baby open.

The following 2 users say thank you to manster for this useful post:

NextGenTactics, UMD
12-28-2010, 12:53 AM #3
RavagedBoom
Sing My Guitar
Nice. All hail the PS3.
12-28-2010, 01:31 AM #4
vyselegend
Pokemon Trainer
Originally posted by manster
What does that mean for us? What can we do with this?


Looks like good news from Graf_Chokolo


I found this.


This </10chars>
12-28-2010, 01:46 AM #5
manster
League Champion
Originally posted by vyselegend
This </10chars>

uhmm???


What does that mean?
12-28-2010, 02:10 AM #6
- rep. Who gives a rat's ass about 3.15????

The following user thanked SSgtHarrell for this useful post:

ImWithStupid
12-28-2010, 02:13 AM #7
manster
League Champion
Originally posted by SgtHarrell
- rep. Who gives a rat's ass about 3.15????

Originally posted by another user

Today, he informs our PSX-SCENE viewers that he is able to dump the Hypervisor v3.15 via the GameOS and plans to do the same for v3.41 and make all the technical details public in a few days!
3.41 :)



Don't -rep for news...
12-28-2010, 02:24 AM #8
Mr. Aimbot
¯\_(ツ)_/¯
Cracked GameOS = .self decrypting program = hacked Black Ops
12-28-2010, 02:29 AM #9
Mr.Amitoz
Big Brother ONLINE GTFO
decrypt :)
12-28-2010, 03:26 AM #10
ihaxgames
Treasure hunter
Originally posted by SgtHarrell
- rep. Who gives a rat's ass about 3.15????

You, sir, are retarded. /facepalm It will likely still work on 3.55 and possibly future firmware versions, as to patch it Sony will have to completely revamp and upgrade security, which they won't, as they're too cheap, and if they do it would cause more problems than it fixes, so technically you should care.

I guess progress in the PS3 scene should be shunned by all :carling:

The following 2 users say thank you to ihaxgames for this useful post:

SweatyMidgets, Team_Vg
