Check the site yourself or just read along.
geohot’s PS3 Exploit Released
Posted by greg on January 26, 2010
Geohot has released his PS3 exploit to the masses… This particular exploit is for research purposes only; it won’t serve the average user any real purpose. So now it’s on you — all you hardcores out there.
A couple things you should know:
1. You need a non-Slim PS3;
2. You need OtherOS installed.
Once you’ve soldered the appropriate connections (see pokemehere.jpg) and have loaded whatever Linux distro with OtherOS, you’re all set… Download the exploit below and:
Compile and run the kernel module.
When the “PRESS THE BUTTON IN THE MIDDLE OF THIS” comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times; I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.
This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.
The PS3 is hacked, it's your job to figure out something useful to do with it.
Download: geohot’s PS3 Exploit
- source: geohot’s blog
The PS3 is Hacked!
Posted by greg on January 22, 2010
Update: One more update… And really, you should just go to geohot’s blog to see what’s up… He’s released some code for people to start playing with… Install OtherOS and have it.
--------------------------------------------------------------------------------
Update: Geohot has shared a little status update concerning his PS3 hackjob… But first, know this: 1) Don’t expect any tool to be released by Geohot himself; 2) This hack does not work on the PS3 Slim; 3) The plan is to [hopefully] find and post the PS3 decryption keys so other hardcores can partake in the PS3 hacking fun. So thus far, here’s what’s up… To quote Geohot –
I have added two hypercalls, lv1_peek and lv1_poke. peek reads memory in real space (including all the MMIO), poke writes it. I can also add other arbitrary hypercalls as I see fit.
The hypervisor is complicated, it is written in C++ and is PPC, which I am not that familiar with yet.
Some people pointed out that I have not accessed the isolated SPEs. This is true. Although as far as doing anything with the system, it doesn’t matter. The PPE can’t read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want. An interesting note: by the time you get to OtherOS, all 7 working SPEs are stopped.
Despite this, I am working on the isolated SPEs now (which I can now load).
Again, I suggest you keep your browser locked and loaded at Geohot’s PS3 blog. Much respect, George.
--------------------------------------------------------------------------------
In yo face! Straight from Geohot himself… You know, the first person who successfully unlocked the iPhone, has again outdone himself: he’s hacked the PS3. Oooh — that must feel good.
Read it and weep… To quote Geohot verbatim –
I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1.
3 years, 2 months, 11 days… that’s a pretty secure system
Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.
The exploit itself isn’t released yet, but if you take a look here, you’ll see what’s up. It’s legit.
Stay tuned… Big things ahead. And you know that!
- source: geohotps3
Lolololol