Post Reply 
Geohot's PS3 Exploit
Author Message
Joom
WOOP
Worlds End

Posts: 4,206.7320
Threads: 417
Joined: 20th Mar 2009
Reputation: 5.41709
E-Pigs: 134.1772
Offline
Post: #1
Geohot's PS3 Exploit
[Image: geohot-113-iphone-unlock.jpg]



Geohot Wrote:Here's your silver platter
In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works :)

Good luck!
Posted by George Hotz at 6:10 PM


Geohot Wrote:!!EXPLOIT IS FOR RESEARCH PURPOSES ONLY!!

Usage Instructions:

Compile and run the kernel module.

When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times, I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.

This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.

The PS3 is hacked, its your job to figure out something useful to do with it.

http://geohotps3.blogspot.com/
~geohot


Spoiler for More Details:
eurogamer Wrote:PS3: Hacked

January 26th, 2010

Page 1 of 2. Page 2 »

News over the weekend that iPhone hacker George Hotz has "hacked the PS3" has been met with shock, surprise and incredulity. Sony's console is undisputedly the most secure games machine ever made, yet Hotz claims to have achieved a full hack in just five weeks. PS3's security fail is generating incredible interest both inside and outside of the games industry, to the point where an interview he gave to the BBC became the most popular news story on the site last night.

However, despite the level of publicity, it remains unclear what the ramifications of the hack actually are: whether homebrew coding can actually be enabled, whether the deliberately hobbled implementation of Linux can be improved and - crucially - whether Hotz's work will open the door to piracy. It is interesting to note that despite the many claims, right now there has been no "hello world" homebrew code executed that typically demonstrates that the hacker actually has full control over the system.

What Hotz (hacker alias: Geohot) claims to have achieved is clearly important though. Posts on his blog put it blankly, revealing that he has "read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3".

In older systems, like the PSP, reverse-engineering code contained within that memory map was enough to find the decryption keys to game security and system software updates, and so the concepts of ISO loaders and custom firmware emerged.

"Basically, I used hardware to open a small hole and then used software to make the hole the size of the system to get full read/write access," Hotz told The Register. "Right now, although the system is broken, I have great power. I can make the system do whatever I want."

The HV in question is the so-called Hypervisor - low-level code that no-one outside of IBM and Sony should have access to. It controls access to the hardware and monitors the operating system running on it. It's also a key component of the security of both PlayStation 3 and Xbox 360. In theory, during run-time it can detect hacker attacks on the system - for example, the TIFF image exploits that have brought down some firmware revisions of the PSP. These typically worked by overrunning memory buffers, allowing hackers to implant code in memory where it really shouldn't be, where it would then be executed. The implementation of the Hypervisor makes such attacks almost certain to fail.

Hotz reckons that his control over the Hypervisor is so complete that when it attempts to run code designed to secure the system, he can simply stop the call from ever happening. More than that, he can create his own calls designed to access the system at the very lowest levels. He claims to have created two new calls so far, one to read from any point in system memory (Peek) and the other to write (Poke). As the code injection is happening at pretty much the lowest level, the only way Sony can effectively defeat it is to redesign the hardware - although firmware updates can seek to circumvent whatever brand of code he chooses to inject into the system.

Making matters difficult is the fact that Sony and IBM's security protocols were created to anticipate a worst-case scenario, and assumed that at some point someone like Geohot would gain access in this way. So even more layers of security were added to the design.

First up there's the matter of the all-important decryption keys. The PS3 has eight SPUs circling its PowerPC core. One of those is disabled (to improve yields in fabricating the expensive CELL chip - more "faulty" ones can be used if the defective element of the chip is disabled). Another SPU handles security, processing encrypted code, leaving six purely for game developer usage. While the hack gives access to the entire system memory, the all-important decryption keys are held entirely in the SPU and can't be read by Hotz's new Hypervisor calls.

The other security element is the so-called root key within the CELL itself. It's the master key to everything the PS3 processes at the very lowest level, and according to publicly available IBM documentation, it is never copied into main RAM, again making its retrieval challenging. While there is no evidence that Hotz has this, his BBC interview does make for alarming reading for Sony, particularly when he talks about publishing "details of the console's 'root key', a master code that once known would make it easier for others to decipher and hack other security features on the console".

Once the root key is available, it's essentially game over for the system's security for all-time, but it's here that some of the claims being made for the hack don't really add up. PSP has been compromised on many levels again and again, but its root key apparently remains unknown. The BBC report also quotes Hotz as saying that the hack opens up the PS3 to allow all models to run PS2 software: unless the original Graphics Synthesizer chip from the old console is in there, or a software emulator exists, this is almost certainly not the case. While elements of the story don't add up, it is clear that what Geohot has achieved is significant, leaving many commentators to wonder what happens next.

According to his latest blog post, Hotz sees the reserved SPU with its precious cache of decryption keys as his primary target now. "Some people pointed out that I have not accessed the isolated SPEs," he wrote on his blog. "This is true. Although as far as doing anything with the system, it doesn't matter. The PPE can't read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want."

In short he's looking to the use the processor core (the PPE) where he does have access to emulate the isolated SPU (for those interested, strictly speaking, the "SPE" is the name given to the group of all the SPUs). Holding him back - for now - is Hotz's contention that the PowerPC implementation of C++ is being used at this level, and it's somewhat removed from the ARM coding he is used to when hacking mobile devices like the iPhone.

It is safe to say however that Geohot's hack will open the door to piracy by offering low-level access to any one technically minded to do with as they will. Right now, he's looking to extract the crucial decryption keys from the isolated SPU and post them on his blog so others can, as he puts it, "join in the fun" without him having to reveal details of his actual hack - which by his own admission is far from complete or stable.

However, Sony's attempts to secure the game delivery system and the Blu-ray drive itself mean that there'd still be a huge reverse-engineering job required to enable piracy. While PS3 might well be hacked today on a low-level, further levels of protection remain in place to prevent copying games, and will require a significant effort in terms of reverse-engineering to overcome. Those expecting working PS3 games to appear on torrents in the next days or weeks are going to be disappointed.

PlayStation 3's security on the Blu-ray drive itself is (was?) pretty much untouchable and was designed to foil the kinds of attack seen on competing systems. Xbox 360 was compromised owing to the unencrypted nature of the firmware on the original DVD drives. Wii was hacked because the system itself was so similar to the GameCube that when the old hardware was cracked, the new revision fell with it. PlayStation 3 is far smarter. Not only is the drive software itself encrypted, but it's widely believed that the mandatory firmware updates can also reflash the Blu-ray drive too - even if the drive was hacked (it never has been) it would be re-secured next time you updated your PS3.

Completing the puzzle is the file system encryption on the disc itself. While PS3 game dumps are as old as the system itself, they are almost entirely useless and a complete waste of internet bandwidth for those that have been uploading and downloading them - the dumps do not contain the encryption keys apparently hidden in Blu-ray's proprietary ROMmark copy protection system, which remains inaccessible. While Geohot's hack potentially opens the door to piracy, in any eventuality, games would still need to be heavily patched to operate without the encryption even on a compromised system.

Geohot himself won't be coding anything that directly attacks these systems, and reckons that his hacking blog isn't intended for those looking for user-friendly Jailbreak-style software like his various iPhone unlocking tools.

"If you are expecting some tool to be released from this blog like blackra1n, stop reading now," he posted. "If you have a Slim and are complaining this hack won't work for you, stop reading now. WEE DO NOT CONDONE PIRACY, NOR WILL WEE EVER. If you are looking for piracy, stop reading now. If you want to see the direction in which I will take this blog, read the early entries in the iPhone one. Information on this blog is for research purposes only."

This protects Hotz from legal action on the part of Sony and allows him to present the hack itself as the key to making PlayStation 3 an open platform. However, assuming the hack itself is published, and decryption keys posted, it's only a matter of time before someone else takes on the challenge of peeling back the remaining security, and the first downloadable, copied games hit PS3.

- Source: [EuroGamer.com]


Someone just leaked this to me so I thought that I'd share.

Edit: It seems that it's actually hosted on his site.

Download- HERE


- Source: [HERE]

[Image: ROVBdMh.png]
3DS Friend Code: 5000-6045-4964
(This post was last modified: 27/01/2010 11:42 AM by YoYoBallz.)
26/01/2010 05:01 PM
Find all posts by this user Quote this message in a reply
ProperBritish
Daddy Proper
Team DreamArts

Posts: 5,666.3250
Threads: 192
Joined: 19th Nov 2008
Reputation: -2.36574
E-Pigs: 147.7035
Offline
Post: #2
RE: Geohot's PS3 Exploit
oh lawd

so it begins

[Image: rsz_contrast.png]

Spoiler for More sigs:
[Image: 6xu74t8]
[Image: sig.php]

[Image: 656embk]
[Image: sig.png]
26/01/2010 05:14 PM
Find all posts by this user Quote this message in a reply
1-R
forced consensual sex
Team DreamArts

Posts: 5,515.3939
Threads: 396
Joined: 22nd Dec 2007
Reputation: 5.91682
E-Pigs: 115.1024
Offline
Post: #3
RE: Geohot's PS3 Exploit
Oooh nice. :p

[Image: OLmvS.png]
Twit | DA | G+ | Last.fm
26/01/2010 05:20 PM
Find all posts by this user Quote this message in a reply
Joom
WOOP
Worlds End

Posts: 4,206.7320
Threads: 417
Joined: 20th Mar 2009
Reputation: 5.41709
E-Pigs: 134.1772
Offline
Post: #4
RE: Geohot's PS3 Exploit
I can't wait for the fun to begin.

Quote:geohot: well actually it’s pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn’t allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it’s setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory :)
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and sPa/\/\ press the button
geohot: right after i send the deallocate call

[Image: ROVBdMh.png]
3DS Friend Code: 5000-6045-4964
(This post was last modified: 26/01/2010 05:45 PM by Joom.)
26/01/2010 05:21 PM
Find all posts by this user Quote this message in a reply
YoYoBallz
L4YoY0s

Posts: 6,057.4567
Threads: 644
Joined: 3rd Mar 2007
Reputation: 15.01961
E-Pigs: 13327.7533
Offline
Post: #5
RE: Geohot's PS3 Exploit
not leaked, he released it

http://geohotps3.blogspot.com/2010/01/he...atter.html


don't mind me, imma clean up your post and move it to different section soon

<Myth0s> i love boys
-------------------------------------------------------------------
I Go To Earth When Mars Is Boring.
-------------------------------------------------------------------
¿ʞɔпɟ əɥʇ ʇɐɥʍ I was first EPerson to have upside down title.
-------------------------------------------------------------------
(This post was last modified: 26/01/2010 06:02 PM by YoYoBallz.)
26/01/2010 05:48 PM
Find all posts by this user Quote this message in a reply
Joom
WOOP
Worlds End

Posts: 4,206.7320
Threads: 417
Joined: 20th Mar 2009
Reputation: 5.41709
E-Pigs: 134.1772
Offline
Post: #6
RE: Geohot's PS3 Exploit
I just found that...Apparently, the person that "leaked" it is spreading bullchocolate again.

[Image: ROVBdMh.png]
3DS Friend Code: 5000-6045-4964
(This post was last modified: 26/01/2010 06:12 PM by Joom.)
26/01/2010 05:59 PM
Find all posts by this user Quote this message in a reply
Kana
♥pudding,pudding♥

Posts: 4,410.1139
Threads: 356
Joined: 19th Sep 2008
Reputation: -6.39875
E-Pigs: 98.8940
Offline
Post: #7
RE: Geohot's PS3 Exploit
that's it. I'm buying a 2nd ps3.

[Image: snow-1.png][Image: snow-2.png][Image: Untitled-14.png]
26/01/2010 06:09 PM
Find all posts by this user Quote this message in a reply
YoYoBallz
L4YoY0s

Posts: 6,057.4567
Threads: 644
Joined: 3rd Mar 2007
Reputation: 15.01961
E-Pigs: 13327.7533
Offline
Post: #8
RE: Geohot's PS3 Exploit
Joomla12 Wrote:I just found that...Apparently, the person that "leaked" it is spreading bullchocolate again.

Ill guess and say ps3newz ?

<Myth0s> i love boys
-------------------------------------------------------------------
I Go To Earth When Mars Is Boring.
-------------------------------------------------------------------
¿ʞɔпɟ əɥʇ ʇɐɥʍ I was first EPerson to have upside down title.
-------------------------------------------------------------------
26/01/2010 06:13 PM
Find all posts by this user Quote this message in a reply
xero1
Love Mage/Red Mage LV: 99/75

Posts: 1,193.1964
Threads: 136
Joined: 14th Apr 2007
Reputation: -2.36942
E-Pigs: 51.3231
Offline
Post: #9
RE: Geohot's PS3 Exploit
I hope that wee will get homebrew in the XMB and not just having full hardware access in Linux. Don't get me wrong I would love Linux with full 3D, but..
26/01/2010 06:14 PM
Find all posts by this user Quote this message in a reply
Joom
WOOP
Worlds End

Posts: 4,206.7320
Threads: 417
Joined: 20th Mar 2009
Reputation: 5.41709
E-Pigs: 134.1772
Offline
Post: #10
RE: Geohot's PS3 Exploit
The oh so wonderful Kratos John. I didn't really believe him but whatever.

[Image: ROVBdMh.png]
3DS Friend Code: 5000-6045-4964
26/01/2010 06:15 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 3 Guest(s)

 Quick Theme: