Well, he said he had it, and now here it is.
GeoHot has released his PS3 exploit today. The exploit grants us "full memory access and therefore ring 0 access from OtherOS".
Original post:
In the interest of openness, I’ve decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can’t keep working on this all day and night.
Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I’d like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.
This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I’ll write up how it works
Good luck!
There is also an explanation of how it works that GeoHot gave on IRC:
geohot: well actually it’s pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn’t allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it’s setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
You can download the exploit files here.
This exploit obviously is not newb-friendly, but it is nevertheless huge progress toward cracking open the PS3 scene. More information and updates will be posted as available, stay tuned!
More information via instructions in download file.
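The IRC description above boils down to one failure mode: a long loop of invalidation writes, one of which never lands, leaves a stale mapping to a page the hypervisor believes is free. The toy model below is an added illustration (not GeoHot's code, not PS3 hardware; the class and function names are assumptions) that reproduces that outcome with a constructed lost write and shows the read-back check a hypervisor could perform before reusing the page.

```python
"""Toy model of a page table ("htab") whose entries map to real pages,
a deallocation loop, a constructed lost-writeback fault, and a read-back
check. Names and structure are assumptions for the model, not PS3 code."""
from typing import List, Optional

HTAB_ENTRIES = 64


class ToyHtab:
    def __init__(self, lost_write_at: Optional[int] = None) -> None:
        # None means "invalid entry"; an int is the real page the entry maps.
        self.entries: List[Optional[int]] = [None] * HTAB_ENTRIES
        # Constructed fault: the invalidation of this index never reaches memory.
        self.lost_write_at = lost_write_at

    def map_everything_to(self, real_page: int) -> None:
        """Fill the table with entries to one page (the 'tons of entries')."""
        self.entries = [real_page] * HTAB_ENTRIES

    def deallocate(self, real_page: int) -> None:
        """Hypervisor side: invalidate every entry that maps real_page.
        Each entry is a separate write, so the loop is a long window."""
        for i, target in enumerate(self.entries):
            if target != real_page:
                continue
            if i == self.lost_write_at:
                continue  # this write was lost; the stale entry survives
            self.entries[i] = None

    def stale_mappings(self, real_page: int) -> List[int]:
        """Defensive read-back: which entries still grant access to the page?"""
        return [i for i, t in enumerate(self.entries) if t == real_page]


def deallocate_checked(lost_write_at: Optional[int], real_page: int = 0x1234) -> dict:
    """Run the scenario and report whether the read-back check would refuse
    to hand the page to a new owner. real_page is a constructed sample value."""
    htab = ToyHtab(lost_write_at)
    htab.map_everything_to(real_page)
    htab.deallocate(real_page)
    stale = htab.stale_mappings(real_page)
    return {"stale": stale, "safe_to_reuse": not stale}


if __name__ == "__main__":
    print(deallocate_checked(None))  # clean run: no stale entries
    print(deallocate_checked(17))    # one lost write: entry 17 still maps the page
```

The point for a defender is that trusting the loop to have completed is not the same as verifying the table contents afterward; a verification pass is what turns a silent stale mapping into a detected fault.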
Fair play to him for finding the hack and all, but he is an idiot... now he has released it, Sony will find it and patch it ASAP, and it will take a while for the user-friendly version to be released, and most people will get bored of waiting and update. Also, shame it's not "slim-friendly".
I've wanted to say this for a while: IT'S ****ING REAL, *****ES!!!!!! IN YOUR FACE SONY, THAT **** JUST HAPPENED. And now I'm done. Congrats and thanks, geohot.
here's proof for all the haterzz.

It's a start, the start of a new era hopefully.
He's done a great job and now the Linux experts (not me) can take it further.
Do I need the FPGA board to glitch it, or is everything I need in the download?
Yes, could I ask what the image is of and/or for?
Is it just me, or does anyone find it unusual that he'd release the exploit so early on? I'm not calling him an idiot, but kazza13 is right. Sony will be bricking it and so have people ready to patch this up as soon as he posted the exploit.
#1 This won't work on the slim as there is no OtherOS support.
#2 This exploit is not patchable via firmware, it is a problem that's hardware based.
They could shut down Linux altogether on their system, but that would kill a lot of people and companies, so they probably won't do that.

Also Kazza13, if you get bored and can't wait for a true exploit to do something major to the PS3, then go ahead and update. I'll be waiting myself.
Warning
No flaming
Excuse me $n!pR, where did you read that? Or if nowhere, how did you come to that conclusion? I am just asking, as I did not run on that info. Great info btw. thx, that's a relief.
This is very epic. Big congratz to Geohot! Big things are going to come now.
Yeah, I got banned from XBL for flashing my drive in the 1m ban wave, so I'm slightly wary of exploiting my beloved PlayStation. But I will wait to see for a month or two and follow progress, and to whoever said it's HW based, you are right, BUT Sony could quite easily kill OtherOS in a patch, blocking off any further progress.
Kazza13, do you have any programming and hardware experience? If so, please explain what you have done/know.
I was joking about the "doing it myself" bit, but yeah, I know some basic coding... Java, C++, HTML, C#, and I also build computers. Don't get me wrong, I am very grateful for Geo's work and I don't care if a slim version is released or not. But some people are so shallow-minded to say 14 year olds don't have lives? I have a girlfriend and a job and I'm currently on police bail, so yeah...
Not to mention, who said you have no life? Please direct me to the post that shows somebody discussing you having no life.
I don't know where to begin, but I've got an hour of American Idol to figure that out. I'll log what I do if it matters any.
Having a life is living on your own. I have no life because I live in my parents' basement and don't have a job and sit and play games all day while eating their food and using their internet.
KaZzA13, don't take **** so seriously. You'll get much farther in life.
Now that that is taken care of, I am going to test this. Do I need to do anything out of the ordinary or just try and run it?
Meaning I'd have to take apart my PS3? Well, here we go, xD
Wait a minute, couldn't we find the information that is running through the isolated SPU to read where it is going and coming out of in the isolated SPU to know where to look?
If we are not able to do this, it will either be impossible to collect the codes, or take a damn good team to get it done. We'd pretty much have to replace the isolated SPU or involve something to collect what it is viewing, and that would require us to tell the system nothing is going on, so it continues when it sees something else there that isn't supposed to be there, meaning it will cut us off.
Whoever came up with the idea of making a specific SPU isolated just for decryption methods is a genius...
All you guys complain about it not being slim-friendly, which is why he released it: he's tired of working on it nonstop, so he released it publicly to reduce the stress. With that said, just like the PSP, releasing the exploit to the public allows other devs to do it and dump system information etc. to possibly find another bug that would be compatible with all systems, such as another .tiff exploit or another game save exploit, who knows. Now that it's released to the public anything is possible. I'm waiting for hello world.
Now I haven't done much of any research, but if this isolated SPU can be updated by Sony's official firmwares (can it be?), then there has to be some way to access it. Maybe only while updating (which would require the SPU's decryption, lol). So I agree, whoever had that idea is a damn genius.
Kanna Shimizu is the woman's name. Wait, a woman thought this up... Oh god men, we HAVE to hack this system just because of that.
Anyways, no more of the sexism, xD.
A "Hello World" is a screen showing "HELLO WORLD" to show that unsigned code can be run on the system.
The problem with hardware is when it is released, there is nothing you can change, but software changes as the world changes.
Hello, to anyone who reads this, I am a newb. Not a very big newb, I've been on this site for some time and done some amateur stuff. I was just wondering where I can learn the stuff to understand this so I can do this to my PS3 as well. I am a big fan, and have been using blackra1n for a while. PLEASE CAN SOMEONE GIVE SOME ADVICE ON HOW I CAN LEARN THIS STUFF.
Ahh right! Like when MuscleNerd made a video showing a terminal being run on the iPod touch 2G?
5715540, I would suggest programming things for the computer or mess with programming on something else because it is something you have to acquire. Knowing and understanding these things are not just something people know and read a book to figure out. It is something that you need the knowledge for. There are tons of things you have to remember and know how to do in order to do this. It is kind of like working on cars. If your car breaks down and you have no idea on what to do or what happened, of course you can look up what happened and how to fix it, but what if something in the future happens with the same part and you have no idea how to fix it.
With programming (Or fixing cars), if there is a problem, I must read through the code and find my own solution. I can go on the internet and ask somebody, but they don't know EXACTLY what I need and/or EXACTLY what the problem is. Programming and coding is a HUGE knowledge to know and understand. I found that out after taking 2 years of C++ in High school. I found out I knew NOTHING about C++ from reading and working on my own stuff.
Long answer short, it isn't something you can just read and understand. Programming is a very large vault of info and there are an endless amount of things you can do with it, therefore, there is A LOT to know and understand.
Wouldn't we be able to code an RTOS to run with this, so once the code is implemented, the PS3 can't block anything?
Where's Dark Alex now? I have read that he will make a CFW for the PS3 if someone else hacks the PS3. But this was months ago. The first step was made, now he must handle it. I wish I could make something with this exploit, but I don't have the Linux experience that I need. I hope homebrew will come in the next few months, and that DAX will start to make a CFW!!!
And thanks to ALL the guys that help to bring homebrew to the PS3.
And sorry for my English.
^^ oh god here we go again!!!

We don't even have a "hello world" and you are already talking about CFW's??
Guys, seriously, do you expect geohot to do everything??? He was asked to find an exploit, or at least he tried to mess with the machine to find an exploit. He is not going to do any more stuff; he found an exploit that lets you have read and write access to the memory, what else could we ask? This is just a matter of time.
Meanwhile, don't update your PS3! Oh, and to all slim users, no luck for you, and the problem is not that slim doesn't have OtherOS, it's because geohot doesn't have the slim version to try and hack in some other way, so I suggest EBAY.
If you use the same exploit with some changes on a PS3 Slim version, it'll work. Because the RAM chip of the Slim version doesn't have ECC support either.
Anyways, if you know how the HV works... you would know that we can't easily get the keys with this exploit. So, what's our next step? We just need to find software exploit. Geohot's exploit + software exploit = hello world program.
I guess this is my last post here again. See you all in a few months later.
Thank you nOT. That was a very good explanation!
Hey, well done Geohot, awesome job dude.
Well, at least it's real, and not easy to patch : ) There's no way I'm gonna try this, so I will wait for a software version. One thing though, now with full Linux support, will the Game OS run slower than the Linux side? Or are they completely separate, from the RAM and stuff?
I can't wait to use Linux on this beast ^_^ I wonder if sudo apt-get install will work heheh.. :$ or even sudo apt-get moo XD
So, in order to r/w the memory we need to glitch it :-/
Well, that really doesn't sound too user-friendly indeed. I was doing a lot of research lately on Google and such, trying to find out how the isolated SPUs are getting the HW key and other codes to decrypt. Does anyone know what kind of device is communicating with the isolated SPU when it's getting the codes?
GeoHot mentioned that he can load the SPE, but I guess he failed to get the keys :-(
It has the codes inside itself. That's the problem. It doesn't use the RAM to hold the codes, it is actually done inside the chip itself.
Yeah the HW master key we're looking for is already inside the isolated SPE but where's the encrypted code coming from ?
He did it right. He got so much drama and hysteria over his work. Now, if the PS3 scene wants to move forward, it will go. It's how it works, but there is always a crowd of noobs waiting for more "OMG OMG GIMME DA ISO LODERZ". Maybe now the rage goes on and leaves him to research more.
OK, I D/L-ed the files he got on his blog and checked the source code. It seems GeoHot has done a great job. Much respect to the guy, he was born to be a hacker, that's for sure.

OK, it seems only people who are familiar with PPC assembly (and have an FPGA devboard connected to the mobo) can muck around with LV1 at the moment.
I myself started to read up some articles about PPC assembly and programming.
Is there anyone out there who has managed to replicate what GeoHot has done so far (like run his exploit)?
I'm just happy that this is finally taking shape. I was tempted to get a 360 due to the hacks, but I've changed my mind. I wish I could program though.
There are a few things I don't get. Sure, I know how to run the command, but what does "ring 0" mean?
One question please, for all:
Does this exploit on PS3 mean running game copies or not??
Pleaseeee
Some disturbing news, I wonder if this is true. What do you guys think?
Sorry for spamming so many posts, but I'm just going on an OMG-spree here.
Anyone got an idea what can we use RTOS for?
Seriously stick to reading! and stop posting that kind of stuff.
I already read that disturbing news, Disane. Don't know if those are real and if in fact that is what is happening; we have to wait and see. Damn isolated SPU. Still, read and write access to the memory is a good start that should allow us to do some stuff, I just don't know what kind of stuff we can do :S
@IQD statement
You have gone on a technically profound ramble. But in the process, you didn't do your research in middle school, because your grammar was fail-sauce. Looks like someone didn't read their docs. LOL. Remember, software exploits are a thorn in Sony's ass.
Zeruth
Well, there might be some mistakes in there, but technically it seems logical and correct, and that is what I am afraid of right now. Let's see if this can be bypassed in any way :S
What I'm wondering to myself VERY loudly here is: so you can add your own functions to the HV, right? Well, then you should be able to delete them, right? Just delete a function that you could control (i.e. panic), make a new function named after the one you deleted, and have it do whatever you want inside GameOS.
Or try and dump the HD unencrypted. idk, i lack the knowledge to do such things.
I've just read in the Spanish forums that geo and demonhades are working together, and what's their goal? HOMEBREW. They won't work on backups, period, said by dhades himself.
Keep these ideas coming Zeruth, someone that actually contributes something useful.
The problem with deleting and creating the same function name is:
1) certain values are sent to that specific function (that can create an error if the amount of values sent doesn't equal the amount of values received)
2) what is the return value (if the function returns a boolean (I don't know what it returns, I'm just giving an example) and it's supposed to return an object)
3) what each function specifically does (i.e. lv1_panic can also be used for more situations than just to panic the system, like changing certain values)
But what we could do is bruteforce (try and fail a whole lot with injecting functions, using logic of course) the function.
I think this is more of a trial and error kind of programming.
We have to remove certain functions and see if that creates results that we didn't expect.
BTW, before removing any function, create a function that will copy the function you're deleting to another part of the hard drive, so you can still run the PS3 if you deleted something critical.
------edit----------------
geohot was able to add two functions called
lv1_peek and lv1_poke. peek reads memory in real space(including all the MMIO), poke writes it
so it is possible
the computer language that is needed is C++
I know some C++; if you guys want me to write code, PM what code you want me to write.
PS: can someone print the purpose of each function (no speculation please, actual knowledge) and the limitations of this new exploit?
Great news, hopefully we'll see something user-friendly come from this exploit. It would be really awesome to see what some people could come up with for homebrew.
this is good news
OK, I finally looked through a bit of the isolated SPUs. I think I found something GeoHot was talking about. Got this from an IBM article on Cell BE security. I'll just quote this and explain what I think:
The memory flow controller sends & receives via the SPE to & from SPEs.
Being we are in an isolated SPU (more than likely ALL the SPUs are isolated), if we can read & write, couldn't we gain access to the MFC, therefore send & receive code to & from the SPUs? Or maybe tag onto the EIB? Then from there we can do whatever.
Can anybody verify with me what this key is. What type?
As said on PS3News, it could be Base64.
As the other forum is PS3News, I will not listen to this.
Interesting. Somebody claimed to have gotten this while using this glitch, but people are unreliable.
It indeed looks like base64 (c'mon you should have known that if you know at least a bit from security and computer algorithms :9) but it decodes into a binary, or at least in a non-readable format.
But I am convinced that Sony will not use base64 decoding on their systems, because it is one of the weakest security algorithms that ever existed...
^^ That's what I was about to say! Base64 here?? Naaahh, it can't be. I mean, it looks like base64, but as you said it's too insecure to use on a machine like this!!!!
HELL THIS GETS ME CONFUSED!!!!!!
I'm not really an expert, but if the Runtime Secure Boot is a hardware-based security feature then maybe it's something very primitive, which can do a primitive encryption and decryption.
I might be wrong but who knows...
Still reading through some of the security stuff. Here is what caught my eye:
I think ALL the SPEs are isolated..... you can set which ones are isolated or not.... so my guess is that Sony isolated ALL of them for security, and relied on the HV to stop anything not "right" being sent across the MFC or the EIB.
We don't know anything really on a hardware level (lv0) - except from IBM documents, because the HV was blocking that from us. This is just a case of trial and error.
However, concerning the Base64 encoding. You don't even have to have a hardware decrypter/encrypter because it is that insecure! I think the 'minimal algorithm' that Sony/IBM will use in their beloved system would be MD5 or SHA-1.
Just read something about basic security on Wikipedia and you'll know what I am talking about.
-- Damn my English is rusty... --
EDIT: @Qraze1; I get your point, but.. Base64?! No dude.. that's just like giving out your credit card number in reverse to a fraudster and then giving him unlimited options to try it out... That's just wrong!
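The posts above run two separate questions together: whether the pasted blob is valid base64, and what the decoded bytes are. Base64 is a keyless encoding, not a cipher or a hash, so decoding it simply reveals what was wrapped: readable text, or high-entropy bytes (a key, ciphertext, compressed data) that some other mechanism protects. The triage helper below is an added example, not from any poster; the sample inputs are constructed and contain no real PS3 material.

```python
"""Triage an unknown blob: is it valid base64, and what do the decoded
bytes look like? All names are assumptions made for this example."""
import base64
import binascii
import math
import re
from collections import Counter

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b <= 126 or b in (9, 10, 13))
    return ok / len(data)


def triage_blob(text: str) -> dict:
    """Classify a pasted string. Whitespace is stripped so wrapped pastes work."""
    s = "".join(text.split())
    if len(s) % 4 or not _B64_RE.match(s):
        return {"is_base64": False, "verdict": "not base64"}
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return {"is_base64": False, "verdict": "not base64"}
    ent, pr = shannon_entropy(raw), printable_ratio(raw)
    if pr >= 0.95:
        verdict = "base64-wrapped readable text"
    elif ent >= 7.0:
        verdict = "base64-wrapped high-entropy bytes (key, ciphertext, or compressed data)"
    else:
        verdict = "base64-wrapped structured binary"
    return {"is_base64": True, "decoded_len": len(raw), "entropy": round(ent, 2),
            "printable_ratio": round(pr, 2), "verdict": verdict}


# Constructed samples (no real PS3 material):
TEXT_SAMPLE = base64.b64encode(b"hello world from OtherOS").decode()
HIGH_ENTROPY_SAMPLE = base64.b64encode(bytes(range(256))).decode()
NOT_B64_SAMPLE = "this is not base64!"

if __name__ == "__main__":
    for sample in (TEXT_SAMPLE, HIGH_ENTROPY_SAMPLE, NOT_B64_SAMPLE):
        print(triage_blob(sample))
```

A blob that decodes to high-entropy bytes tells you nothing about how it is protected; the base64 layer is transport formatting, and the security question is entirely about what produced those bytes.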
could sony have used two encryptions? kinda like a lock that only gets to another lock before opening the door? the first lock being really basic and the 2nd being really advanced or vice versa or anything in between?
i'm trying.