Post: 3.56 CFW (Rootkit Debunked)[Runs OtherOS]GEOHOT
02-05-2011, 08:11 AM #1
Midnight.eGo
from El Paso, Texas (915)
"This is only really a concern if you're interested in modding - otherwise I'm not convinced there's a 'threat' as such," Boyd told El Reg. "I'm still waiting for someone to explain how this 'PS3 rootkit' could be used to run unsigned malicious code on a non-jailbroken box," he added.

Boyd's credibility just dropped to zero with that comment. The leaked keys give us the ability to sign our own code. He's quite the expert. We can all pretend to be masters on the subject and debate whether Sony can fix things or that the hackers are all powerful but it's pointless. Fact is since late December the PS3 was cracked in such a way that current models will never be completely secure again.

Experts and fanboys can deny that all they want but the day news reports state Sony is being blackmailed over the 1,000,000s of credit card number magically stolen over PSN I'll be laughing. Well, laughing as long as mine isn't one of them."


The war is coming..


Wait for it....Wait for it....

The war is here


Now devs, don't get too crazy. But raise your hands if you like glitching the memory bus.

I can say it works on ps3 fat 40/60 and ps slim 320gb

Haven't tested with anything else yet.

Proof of the exploit is all above, and if you want more information and proof of the concept, here is an IRC conversation:

geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call

Mmmm, wonder who is going to be the first to take credit card #'s off the PSN database. Hah
the war is here

Peace

Bump: Update:

Today I verified my theories about running the isolated SPUs as crypto engines. I believe that defeats the last technical argument against the PS3 being hacked.

In OtherOS, all 7 SPUs are idle. You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from pkgs to selfs. Including those from future versions.

The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

Ah, but you still didn't get the Cell root key. And I/we never will. But it doesn't matter. For example, we don't have either the iPhone or PSP "root key". But I don't think anyone doubts the hackedness of those systems.

I wonder if any systems out there are actually secure?

People said it wasn't possible.

More updates to come in the following days, plus I'll do some video of the exploit in action and more detailed.

Pretty much the easiest way to exploit a PS3 console is a rigged FPGA button to send the pulse. I have tested this with one of my testing PS3s.

Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked, it's your job to figure out something useful to do with it.

Once something is hacked you get bored with it. So after my video releases to demonstrate this exploit further and show you a pretty much step by step video, I won't be releasing anything more. I'm stepping back as I've received *sighs*, which in short is I've been given a DMCA notice. Don't want to be taken to court by Sony, or anything in that aspect.

But i will still take part as a hobby. Who knows might get back into it when the ps4 is released.


The ps3 is yours. Don't worry you don't need to downgrade as you can install otheros with homebrew.

Go wild, people. Can't wait to see what everyone does with this.

Bump: Update:

Just finished a beer and was talking with a few people; according to someone I randomly let on IRC, he has already made up a quick tutorial.

So Kudos dude thanks for saving me some work.


I have had a read through it; all is legit (this method works as well, as you don't need to butcher your PS3 to get it to kernel panic).

If you are interested in learning to program, or you already know how to, this is a funny hobby. You've got the exploit and the ability to decrypt SELF files on any version.

So hey any firmware version is owned now.

3.56 anyone? I'd give it a week tops before someone releases it and continues the war with sony.

But just remember, by me releasing this and helping a few people out I don't condone piracy in any way. I support backing up games you already own, and you are doing this for homebrew and the ability to customise your PS3 in any way you see fit.

*Slaps psn game hackers* Defeats the purpose of the game if you hack it. Just play it and hack the console instead

Peace

One last update I thought I would mention: just had a private message stating this was old news.

Umm, yeah, kinda old news in an aspect, but the theory behind it has come back to bite Sony in the ass.

3.56? No problem, the above exploit will allow you to run homebrew again (just offline, so Sony can't unsign your .pkgs).

Yada yada yada

Also not to mention the lvl0 access

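The quoted IRC log describes the hypervisor invalidating page-table entries during a deallocate call while a dropped write-back leaves some entries valid. The following toy model, added here and not code from the post or from any PS3 firmware, simulates that failure mode and shows the defensive check a hypervisor would want: reading the table back after invalidation and counting entries that still map the freed region. All structures, names and addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy HTAB: a flat array of entries (constructed; not the real lv1 layout). */
#define HTAB_ENTRIES 64
#define FLAG_VALID 0x1u
#define FLAG_RW    0x2u

typedef struct { uint64_t real_addr; uint32_t flags; } htab_entry;

/* Simulated memory bus: when glitched, the next store is silently dropped,
 * modelling a cache write-back that never reaches memory. */
typedef struct { bool drop_next_store; } bus_t;

static void bus_store(bus_t *bus, htab_entry *dst, htab_entry val) {
    if (bus->drop_next_store) { bus->drop_next_store = false; return; }
    *dst = val;
}

/* Hypervisor side: free a region by invalidating every entry that maps it.
 * glitch_at < 0 means no glitch; otherwise that entry's store is dropped. */
static void hv_deallocate(bus_t *bus, htab_entry *htab, uint64_t addr, int glitch_at) {
    for (int i = 0; i < HTAB_ENTRIES; i++) {
        if (htab[i].real_addr == addr && (htab[i].flags & FLAG_VALID)) {
            if (i == glitch_at) bus->drop_next_store = true;
            htab_entry inv = htab[i];
            inv.flags = 0;                 /* clear VALID and RW */
            bus_store(bus, &htab[i], inv);
        }
    }
}

/* Defensive read-back: count entries that still grant access to the freed
 * region. Any non-zero result means an invalidation did not land. */
static int hv_verify_freed(const htab_entry *htab, uint64_t addr) {
    int stale = 0;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (htab[i].real_addr == addr && (htab[i].flags & FLAG_VALID)) stale++;
    return stale;
}

/* Fill the table with R/W mappings of one region, free it, and report how
 * many stale entries the read-back check finds (0 without a glitch). */
int run_scenario(bool glitch) {
    htab_entry htab[HTAB_ENTRIES];
    bus_t bus = { false };
    const uint64_t region = 0x10000000ULL;   /* constructed sample address */
    for (int i = 0; i < HTAB_ENTRIES; i++) {
        htab[i].real_addr = region;
        htab[i].flags = FLAG_VALID | FLAG_RW;
    }
    hv_deallocate(&bus, htab, region, glitch ? 17 : -1);
    return hv_verify_freed(htab, region);
}
```

In the glitched run the read-back finds one entry that still maps freed memory, which is exactly the condition a hypervisor should treat as a fault rather than trust its own earlier store.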
02-25-2011, 05:02 AM #65
emsp
Space Ninja
Originally posted by Cain View Post
Geohot won't release this. He's in too much legal shit at the minute.
The firmware or whatever he has more than likely will not come from him.


Yeah true, but Geo said that he's gonna hack their new phone so I don't think he cares lol
02-25-2011, 05:02 AM #66
d1215
Gym leader
This isn't real. The people who have been following the hack scene for a few years should know this is just the original geohot exploit that was found that caused the removal of OtherOS. This is not real, this guy is just trying to get rep. It's just reworded to look current. Don't be fooled.

02-25-2011, 06:09 AM #67
Originally posted by d1215 View Post
This isn't real. The people who have been following the hack scene for a few years should know this is just the original geohot exploit that was found that caused the removal of OtherOS. This is not real, this guy is just trying to get rep. It's just reworded to look current. Don't be fooled.


Buzz killer lol :jim::jim:

The links he provides, the dates are way expired
02-25-2011, 08:48 AM #68
Beta-
< ^ > < ^ >
GeoHot just got banned and he's back on the scene
02-25-2011, 08:51 AM #69
I love how we leech off Geohot


Love that dude
02-25-2011, 08:52 AM #70
jossy456
Little One
Go geoho!!!:d
02-25-2011, 11:13 AM #71
Hx1
Do a barrel roll!
Originally posted by hunter12 View Post
LOL wow this guy has got 6 pages of this thread fooled

everything pasted is news from 2009, then added his own words to make it sound recent hahahhahahhaha


Yeah, I'm pretty sure this is how geohot explained he had cracked the 3.55 firmware lol. It is, isn't it haha
02-25-2011, 11:20 AM #72
Omarbibz
Tits or GTFO
Thanks for this +1 Rep
02-25-2011, 01:06 PM #73
Arriba
Banned
For everyone getting excited, this is a fake! It's old news which he has twisted to make it sound up to date; the thread is 20 days old for god's sake! If this was real news then it would be on the front page of PSX-Scene or PSGroove. Don't be fooled by this, remove your thanks and give him some minus rep, which he deserves.


Copyright © 2026, NextGenUpdate.
All Rights Reserved.