Ps3 Exploit released

Today Geohot released his Exploit. Now everybody can test with it.

Haven Fun

http://geohot.com/ps3_exploit.zip

Short Geohot Exploit FAQ

Question: Do i need a modchip?
Answer: No you aren't!

Question: Works this Exploit on Ps3 Slim?
Answer: No it works only on the Fat one. Because of the Otheros Function.

Question: Can I play Backups with this Hack?
Answer: Yes! Time will bring a backup loader but Geohot did not want be actuated with this Loader.

Question: Can we get a full Linux?
Answer: This is indeed working said George.

Question: When will Geohot this Hack release?
Answer: When Geohot is ready to release it!

Question: Is it patchable?
Answer: Not really but it can be complicated by Sony.

Question: Can i play emulators and homebrew now?
Answer: Time will bring nice emulators and homebrew, too.

Question: Does this Exploit require Otheros?
Answer: Yes.

Question: Why is it not released? What's the Problem?
Answer: The Exploit is there. But now everything must be reversed. Geohot tries his best in finishing this hack. He isn't that familar with C++ on PPC. He worked before the Ps3 on the ARM of the Iphone. Give it some time ! ;-)

Cheers

Full Summary: Geohots Hack

Friday, January 22, 2010

Hello hypervisor, I'm geohot

I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I've also dumped the NAND without removing it or a modchip.

3 years, 2 months, 11 days...thats a pretty secure system

Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

As far as the exploit goes, I'm not revealing it yet. The theory isn't really patchable, but they can make implementations much harder. Also, for obvious reasons I can't post dumps. I'm hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone's KBAG.

A lot more to come...follow @geohot on twitter

Mathieulh said...
@geohot there wont be any keys in lv1, the keys NEVER Leave the isolated spu. (even the useless ones)

George Hotz said...
I know, I'm not looking for keys in the dump directly. But I now have all the routines that set up and talk to the SPU

George Hotz said...
Now I know what other people see when they look at ARM assembly :)

Saturday, January 23, 2010

I know some function names...

And now if calls have restrictions I don't like, I zap them.

Benjamin said...
these function names are nothing new http://wiki.ps2dev.org/ps3:hypervisor

George Hotz said...
@Benjamin yea, thats the point

George Hotz said...
If they start using lv1ldr for anything I don't like...I'll just kick it out.

Just because it's isolated doesn't mean it keeps running. PPE can say no.

And for GPU access, I think you already have it, just no driver. Hacking doesn't change that, although reversing lv1 could aid development.

George Hotz said...
On my system SPE3 is disabled and SPE2 runs security, leaving 6 SPEs for games and otheros. Theres another fuse register which says which SPEs are actually broken and hard disabled in manufacture, which mine is. But yea, I bet a percentage of PS3s could get access to all 8.

George Hotz said...
Granted, if we could decrypt the ISO SPUs, things would be a lot easier.

Mathieulh said...
@geohot yes but the whole security relies on the isolated spu, all the keys are there and it does much more than just decryption and checks, so yes you can manage without hacking them, you can even get rid of them (though I can't guarantee that wont crash the system) but it still isn't hacking the system overall until you get to hack every single part of the console and dump every single piece of hidden code.

In that regard even the psp isn't truly hacked considering the kirk and spock engines have not been dumped.

George Hotz said...
Read your last paragraph in your last comment, and you'll see why I'm right.

You can't expect to know everything and dump every piece of code. This hack is enough for homebrew, full linux, and even backups.

Mathieulh said...
well running backups is very theoretical at this point, for one would need to load a patched version of lv2 in order to do so, at this point this is still premature, a lot of things could prevent such an implementation from happening.

I am not saying this can't be done but in my opinion we are months away with the hack in its current state of seeing this happen.

Incgamers Rumor...
We contacted Sony on the issue and a spokesperson confirmed that the company is looking in to the issue.

"We are investigating the report and will clarify the situation once we have more information," said the statement. (http://www.incgamers.com/News/20648/sony-investigating-ps3-hack-allegations)

George Hotz said...
Haha "A Sony Spokeperson" is probably his neighbor who worked for Sony once in the mid 1990s. If Sony wanted to make a statement, they'd make a statement.

George Hotz said...
the stupid hypervisor is PPC and C++
if it were C and ARM, maybe i'd have a public sw exploit already.


TJ said...
"Unfortunately, unless Sony makes an example of Hotz it may encourage other hackers to continue defeating their proprietary protection schemes without ill consequence" - ps3news

Also DMCA doesn't legally apply..he's reversing hardware and publishing the exploit...morons

We found out it was people from ps3news putting the "leak" malware in these comments. We've also found some discreet association with that one game site that nobody has ever heard of..


George Hotz said...

ps3news, are you serious???

Are you really that jealous? Or do you work for Sony?

People have been hacking video game systems for a long time, back to Bunnie and the Xbox. If I am hit with a lawsuit, I will fight it. I have not, nor do I plan to, circumvent any DRM, which is what the DMCA targets. Get your facts straight. A kid running around posting on a blog that he hacked the PS3 is nothing warranting a lawsuit.

George Hotz : "I can now do whatever I want with the system. It's like I've got an awesome new power - I'm just not sure how to wield it." (http://news.bbc.co.uk/2/hi/technology/8478764.stm)

Monday, January 25, 2010

What it is and what it isn't

First off, this is not a release blog like "On The iPhone". If you are expecting some tool to be released from this blog like blackra1n, stop reading now. If you have a slim and are complaining this hack won't work for you, stop reading now. WE DO NOT CONDONE PIRACY, NOR WILL WE EVER. If you are looking for piracy, stop reading now. If you want to see the direction in which I will take this blog, read the early entries in the iPhone one. Information on this blog is for research purposes only.

That aside, I'll tell you what I have so far. I have added two hypercalls, lv1_peek and lv1_poke. peek reads memory in real space(including all the MMIO), poke writes it. I can also add other arbitrary hypercalls as I see fit.

The hypervisor is complicated, it is written in C++ and is PPC, which I am not that familiar with yet. At first I was trying to add a hypercall to add arbitrary real memory to the LPAR, but it kept crashing(because I can't code), which is really annoying, because I have to wait while Linux reboots.

Some people pointed out that I have not accessed the isolated SPEs. This is true. Although as far as doing anything with the system, it doesn't matter. The PPE can't read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want. And interesting note, by the time you get to OtherOS, all 7 working SPEs are stopped.

Despite this, I am working on the isolated SPEs now(which I can now load), because what I'd really like to do is post decryption keys here so you guys can join the fun.


archie4oz said...
SPE's aren't "deactivated", they're just stopped, i.e. idle. PS3 Linux isn't using them out of the box. It doesn't mean you can't. YDL comes with an SPE-gcc compiler and you can compile and execute code on the SPEs. You can even get IBM's XLC for PPE and SPE along with threading and matrix math libraries for free from IBM's website.

People bitchin' about Linux being restricted and it can't do HTPC are a bunch of crybabies. The fact of the matter is that you don't need access to RSX (yes it would be really nice, but it's not necessary) to decode HD videos. The fact of the matter is that people wanting the PS3 to be an HTPC have wasted years sitting on their asses obsessing about GPU access when all the processing power necessary was sitting right in front of their faces.

Even the bdp stack on the GameOS does the bulk of it's H.264 decoding on a couple of SPEs and only uses RSX for scaling and some filtering (also to conserve RAM).

George Hotz said...
@archie4oz Spot on about the SPEs

And actually, the RSX being restricted is just theory as far as I know. OtherOS under the hypervisor may have the access required to write a 3D driver, just no one wrote one.

SquidMan said...
Nice going, George. Thanks for trying to help us get involved, so we can try and poke around too. Anyways, about the adding hypervisor calls, how did you do that? Isn't all memory encrypted? Or is the hypervisor code unencrypted? Also, if you kick out the isolated SPE, wouldn't that crash the system, since all running code is encrypted? Also, how are all the 7 working SPEs kicked out by the time of running OtherOS?
And, I have experience reverse-engineering PPC code written in C++ (Wii System Menu R/E is fun :3) so getting some binaries in my hands could be some fun. Anyways, nice work, try to ignore all the n00bs begging for warez and such. :)

George Hotz said...
@SquidMan Details of the exploit are still private, hence why I'm hoping to get keys to give people something to reverse and document.

uf6667 said...
if you're able to modify HV code, why don't you modify your interrupts?
this way you modify machine check (0x200?), illegal address translation (0x300?) and illegal instruction (0x400?) to output you the last accessed addresses.
evade the problem of rebooting everytime :P

George Hotz said...
Saw two intelligent posts here @Cameron and @uf6667. Awesome idea with the interrupts! Will try it today.

George Hotz said...
Oh, I'm a beast at coding in C++. Reversing it, not so much. Trying to call into it, really hard.

Tuesday, January 26, 2010

A Level Playing Field

Right now, I'm playing with the isolated SPEs, trying to get metldr to load from OtherOS. Interesting thing, I am not using the exploit. I always assumed the enable isolation mode register was hypervisor privileged. It's not, it's kernel privileged, which means using hypervisor calls you can all get to it. So, get to hacking. Here is the code I am playing with.

I'm not that opposed to releasing the exploit, but I think the majority of you are going to be disappointed, even if you do get it working. Unless you have pushed the HV to it's limits, this exploit really isn't going to do much for you...yet. So install OtherOS and start playing around. If people start coming up with convincing reasons why they need the exploit to go further, I'll release it. It's just a waste to release if people can't make use of it.

As far as the GPU goes, I have full access to the GPU memory space 0x2800... But without a driver, it's useless. 3D video card drivers are notoriously hard to write, look at the ATI and NVIDIA ones for linux. The best are still the closed source manufacturer ones. I'm not even sure I believe that the HV restricts video card access, just that the OtherOS driver is 2D. If someone skilled in video card driver development comes forward, and they can explain in detail what the HV is restricting, I'll send them the exploit.

And something has to be done about the comments. Theres a couple of good ones, mixed in with tons of trash. Please, if you don't have something technical and useful to say, don't say it. This is not the place for congratulations(go back to the hello hypervisor post), debates about piracy(go somewhere else, the internet is big), or trying to convince me to do X.

Tuesday, January 26, 2010

Here's your silver platter

In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory space access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works :)

This is a good article for what it means for the less technical.

Good luck!

We keep you Updated!

Source: http://geohotps3.blogspot.com/

Ps3-Homebrew Blog opened

We post here Ps3 "hacking" Updates from Geohot.
Once the Exploit is released. We can hopefully post
nice homebrew.

Cheers