PS3 Hacked!!!!

  • ruudvandan
    DK Veteran
    • Dec 2008
    • 1091

    #1

    PS3 Hacked!!!!

    source: BBC News - PlayStation 3 'hacked' by iPhone cracker

    A US hacker who gained notoriety for unlocking Apple's iPhone as a teenager has told BBC News that he has now hacked Sony's PlayStation 3 (PS3).

    George Hotz said the hack, which could allow people to run pirated games or homemade software, took him five weeks.

    He said he was still refining the technique but intended to post full details online soon.

    The PS3 is the only games console that has not been hacked, despite being on the market for three years.

    "It's supposed to be unhackable - but nothing is unhackable," Mr Hotz told BBC News.

    "I can now do whatever I want with the system. It's like I've got an awesome new power - I'm just not sure how to wield it."

    Sony said it was "investigating the report" and would "clarify the situation" when it had more information.

    'Open curiosity'

    Mr Hotz said that he had begun the hack last summer when he had spent three weeks analysing the hardware.

    After a long break, he spent a further two weeks cracking the console, which he described as a "very secure system".

    He said that he was not yet ready to reveal the full details of the hack but said that it was "5% hardware and 95% software".
    [Image: PlayStation 3 (Sony). Caption: The hack could allow gamers to play pirated games]

    "You can use hardware to inject an insecurity and then you can build on that," he said.

    He admitted that he had not managed to hack the whole system, including the protected memory, but had worked out ways to trick the console into doing what he wanted.

    Mr Hotz said that he was continuing to work on the hack and, once finished, would publish details online in a similar way to his previous iPhone exploits.

    In particular, he said, he would publish details of the console's "root key", a master code that once known would make it easier for others to decipher and hack other security features on the console.

    He said his motivation was "curiosity" and "opening up the platform".

    "To tell you the truth, I've never really played a PS3," he said. "I have one game, but I've never really played it."

    Opening the system could allow people to install other operating systems on their console and play homemade games, he said.

    In addition, he said, the hack would allow people to play older PS2 games on their consoles.

    Recent versions of the PS3 do not have the ability to play PS2 games after Sony controversially removed a piece of hardware.

    He admitted that it could also allow people to run pirated games.

    "I'm not going to personally have anything to do with that," he told BBC News.

    Gaming firms do not take the issue of game piracy and console modification lightly. Recently, Microsoft disconnected thousands of gamers from its online gaming service Xbox Live for modifying their consoles to play pirated games.

    Mr Hotz said that the nature of his PS3 hack means that Sony may have difficulty patching the exploit.

    "We are investigating the report and will clarify the situation once we have more information," said a Sony spokesman.

    Mr Hotz rose to fame in 2007 at the age of 17 when he unlocked the iPhone, which could only be used on the AT&T network in the US at launch.

    The hack allowed the popular handset to be used on any network.

    He has since released various other hacks, allowing people to unlock later versions of the popular handset.
    http://www.facebook.com/BoycottFIFASponsors
  • ruudvandan
    DK Veteran
    • Dec 2008
    • 1091

    #2
    A useable hack was just a matter of time, now there is light at the end of the tunnel. Party on!

    • ianmac
      DK Veteran
      • Oct 2008
      • 922

      #3
      Someone will have to get him onto the "NAG3", to hack/crack that...

      --- Ian ---


      • sykes
        Member
        • Nov 2008
        • 67

        #4
        Wish I could do stuff like that. Well done, lad.

        • abb1
          Newbie
          • Dec 2008
          • 2

          #5
          Check out his blog:
          geohotps3.blogspot.com/
          Some good stuff in there.

          • HoTTDubbER
            V.I.P. Member
            • Nov 2008
            • 778

            #6
            Full exploit details.

            Info from http://geohotps3.blogspot.com/ by the hacker; also exploit details, which can be found here.

            In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

            Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

            This is the coveted PS3 exploit, gives full memory space access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works.

            I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu. I would really like someone to write up a nice tutorial.

            This is a good article for what it means for the less technical. A good more technical writeup is here.

            Good luck!

            ps3:exploits [psDevWiki]
            Geohot has published his hypervisor-exploit, you can find it here.

            It basically works by quickly allocating and deallocating memory while glitching the memory bus. This way the hypervisor thinks some repeatedly allocated memory is deallocated, allowing r/w access and, with some tricks, r/w access to the main htab.

            You can find a more detailed explanation:
            geohot: well actually it's pretty simple
            geohot: i allocate a piece of memory
            geohot: using map_htab and write_htab, you can figure out the real address of the memory
            geohot: which is a big win, and something the hv shouldn't allow
            geohot: i fill the htab with tons of entries pointing to that piece of memory
            geohot: and since i allocated it, i can map it read/write
            geohot: then, i deallocate the memory
            geohot: all those entries are set to invalid
            geohot: well while it's setting entries invalid, i glitch the memory control bus
            geohot: the cache writeback misses the memory
            geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
            geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
            geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
            geohot: switch to virtual segment
            geohot: write to main segment htab a r/w mapping of itself
            geohot: switch back
            geohot: PWNED
            geohot: and would work if memory were encrypted or had ECC
            geohot: the way i actually glitch the memory bus is really funny
            geohot: i have a button on my FPGA board
            geohot: that pulses low for 40ns
            geohot: i set up the htab with the tons of entries
            geohot: and spam press the button
            geohot: right after i send the deallocate call

            instructions from inside RAR
            !!EXPLOIT IS FOR RESEARCH PURPOSES ONLY!!

            Usage Instructions:

            Compile and run the kernel module.

            When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns.
            Try this multiple times, I rigged an FPGA button to send the pulse.
            Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
            If the module exits, you are now exploited.

            This adds two new HV calls,
            u64 lv1_peek(16)(u64 address)
            void lv1_poke(20)(u64 address, u64 data)
            which allow any access to real memory.

            The PS3 is hacked, it's your job to figure out something useful to do with it.

            On the PlayStation 3
            ~geohot

            image from exploit rar
            pokemehere.jpg

            Hope someone can make sense of all this.
            I intend to go out and purchase "another" PS3 for when someone can make use of all this. Good luck guys.
            Attached Files
            Last edited by HoTTDubbER; 28 January, 2010, 14:17.
            Qualified Jedi Master
            Virgin VBox
            x2 PS3 JB FW 3.55
            X2 Wii 4.2E soft modded
            4x DM500S + JADE PLI
            Openbox HD S9 & S10
            DM800 PVR + BLACKHOLE
            Dedicated Linux Debian Server
            1.2M Dish Sky UK, Viasat, Sky IT ,JSC ,Tring+ Cards
            90cm Fortec Star Motorized Dish
            Virgin 50mb Fibre Optic Broadband
            Xbox 360 Samsung LT 2.0.1 No AP25 + Liton LT 2.0
            Microsoft Approved and Certified OEM System Builder
            Subaru Impreza GB270 Owner
            http://online-console.com
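            The IRC log quoted above gives the whole chain in prose. The following C model is an added illustration and is not geohot's kernel module: it uses no real lv1 calls, and a made-up 8-page memory, a made-up HTE layout and a software "glitch" that drops one hypervisor store stand in for the PS3, its htab format and the 40 ns bus pulse. Every name in it (model_t, hv_map, hv_dealloc_page, hv_construct_vas, guest_store, run_attack) is this example's own. It walks the steps in the order of the log: allocate a page, fill the main HTAB with R/W entries for it, deallocate while one invalidation store is lost, let the new virtual segment's HTAB land on the stale page, write an entry there granting R/W to the main HTAB, and finally write a self-mapping into the main HTAB.

```c
/*
 * Added model of the HTAB glitch described in the post above. NOT the released
 * exploit: a tiny 8-page memory, a made-up HTE layout and a software "glitch"
 * that drops one hypervisor store stand in for the PS3, its htab and the bus pulse.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PAGES      8                 /* page 0 holds the main HTAB, pages 1..7 are allocatable */
#define WORDS_PER_PAGE 16                /* a page used as an HTAB holds 16 entries */
#define HTAB_PAGE      0
#define HTE_VALID      (1ULL << 63)
#define HTE_RW         (1ULL << 62)
#define HTE_PAGE(h)    ((h) & 0xFFULL)   /* real page number lives in the low bits */
#define MK_HTE(rw, pg) (HTE_VALID | ((rw) ? HTE_RW : 0) | (uint64_t)(pg))

typedef struct {
    uint64_t mem[NUM_PAGES * WORDS_PER_PAGE];
    bool     guest_owns[NUM_PAGES];      /* the hypervisor's allocation bookkeeping */
    int      glitch_at;                  /* which HV store after the deallocate call is lost; -1 = none */
    int      stores;                     /* HV stores issued since the deallocate call */
    bool     in_dealloc;                 /* the pulse is only sent "right after the deallocate call" */
} model_t;

static model_t g;                        /* single model instance, reset by model_init() */

static uint64_t *hte(int htab_page, int slot) { return &g.mem[htab_page * WORDS_PER_PAGE + slot]; }

/* Every HV update of an HTE goes through here; the glitch makes one such store miss memory. */
static void hv_store_hte(int htab_page, int slot, uint64_t v) {
    if (g.in_dealloc && g.stores++ == g.glitch_at) return;   /* cache writeback lost on the bus */
    *hte(htab_page, slot) = v;
}

static void model_init(int glitch_at) {
    memset(&g, 0, sizeof g);
    g.glitch_at = glitch_at;
}

static int hv_alloc_page(void) {
    for (int p = 1; p < NUM_PAGES; p++)
        if (!g.guest_owns[p]) { g.guest_owns[p] = true; return p; }
    return -1;
}

/* Stand-in for the map/write htab calls: the HV grants R/W only to pages the guest owns. */
static bool hv_map(int slot, int page, bool rw) {
    if (page <= 0 || page >= NUM_PAGES || (rw && !g.guest_owns[page])) return false;
    hv_store_hte(HTAB_PAGE, slot, MK_HTE(rw, page));
    return true;
}

/* Deallocate: mark the page free, then walk the main HTAB invalidating entries that point at it. */
static void hv_dealloc_page(int page) {
    g.guest_owns[page] = false;
    g.in_dealloc = true;
    g.stores = 0;
    for (int s = 0; s < WORDS_PER_PAGE; s++) {
        uint64_t h = *hte(HTAB_PAGE, s);
        if ((h & HTE_VALID) && HTE_PAGE(h) == (uint64_t)page) hv_store_hte(HTAB_PAGE, s, 0);
    }
    g.in_dealloc = false;
}

/* New virtual address space: the HV places its HTAB in the first page it believes is free. */
static int hv_construct_vas(void) {
    for (int p = 1; p < NUM_PAGES; p++) if (!g.guest_owns[p]) return p;
    return -1;
}

/* Guest store translated through the HTAB in use; only a valid R/W entry lets it through. */
static bool guest_store(int htab_page, int slot, int word, uint64_t v) {
    uint64_t h = *hte(htab_page, slot);
    if (!(h & HTE_VALID) || !(h & HTE_RW)) return false;
    g.mem[HTE_PAGE(h) * WORDS_PER_PAGE + word] = v;
    return true;
}

/* Valid R/W entries in the main HTAB that still point at a page the HV thinks is free. */
int stale_rw_entries(int page) {
    int n = 0;
    if (g.guest_owns[page]) return 0;
    for (int s = 0; s < WORDS_PER_PAGE; s++) {
        uint64_t h = *hte(HTAB_PAGE, s);
        if ((h & HTE_VALID) && (h & HTE_RW) && HTE_PAGE(h) == (uint64_t)page) n++;
    }
    return n;
}

/* Sanity check of the model's own rule: the HV never hands out R/W to its HTAB page directly. */
bool hv_refuses_rw_to_htab(void) { model_init(-1); return !hv_map(0, HTAB_PAGE, true); }

/* The chain from the IRC log. Returns true when the guest can map arbitrary real memory R/W. */
bool run_attack(int glitch_at) {
    model_init(glitch_at);
    int page = hv_alloc_page();
    for (int s = 0; s < WORDS_PER_PAGE; s++) hv_map(s, page, true);   /* "fill the htab with tons of entries" */
    hv_dealloc_page(page);                                             /* glitch fires during the invalidation */
    int stale = -1;
    for (int s = 0; s < WORDS_PER_PAGE; s++) {
        uint64_t h = *hte(HTAB_PAGE, s);
        if ((h & HTE_VALID) && (h & HTE_RW) && HTE_PAGE(h) == (uint64_t)page) { stale = s; break; }
    }
    if (stale < 0) return false;                 /* no glitch: every entry was invalidated, nothing to build on */
    int vas_htab = hv_construct_vas();
    if (vas_htab != page) return false;          /* the new HTAB did not land in our stale page */
    /* Through the stale entry, write into the new HTAB an entry granting R/W to the main HTAB page. */
    guest_store(HTAB_PAGE, stale, 0, MK_HTE(true, HTAB_PAGE));
    /* "switch to virtual segment": via that entry, write a self-mapping into the main HTAB. */
    guest_store(vas_htab, 0, WORDS_PER_PAGE - 1, MK_HTE(true, HTAB_PAGE));
    /* "switch back": the main HTAB now maps itself R/W, so the guest can map any page, e.g. page 7. */
    return guest_store(HTAB_PAGE, WORDS_PER_PAGE - 1, WORDS_PER_PAGE - 2, MK_HTE(true, NUM_PAGES - 1))
        && guest_store(HTAB_PAGE, WORDS_PER_PAGE - 2, 0, 0xdeadbeefULL);
}

int main(void) {
    bool clean = run_attack(-1);
    printf("no glitch:         %s\n", clean ? "PWNED" : "HV cleaned up, no stale entries");
    bool pwned = run_attack(4);
    printf("store 4 dropped:   %s, stale R/W entries left: %d\n", pwned ? "PWNED" : "failed", stale_rw_entries(1));
    return 0;
}
```

            The no-glitch run is the point: with every invalidation store reaching memory there is no stale entry and the software half has nothing to start from, which is why the released module needs the button at all. The glitch index is an integer here because no bus is involved; on the real hardware it is a timing problem, hence "spam press the button".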


            • dctyper
              V.I.P. Member
              • Jun 2008
              • 2539

              #7
              Originally posted by ianmac
              Someone will have to get him onto the "NAG3", to hack/crack that...

              --- Ian ---
              I was thinking that.
              Wavefield Ds 55cm at 13E 19E and 28E receiving everything out there on 2 dm800hd

              previous life dm800hd and 500c on cable screw you nag3



              • PAUL7331
                Top Poster
                • Mar 2008
                • 163

                #8
                So has anybody played a copied game on it yet then?


                • HoTTDubbER
                  V.I.P. Member
                  • Nov 2008
                  • 778

                  #9
                  The exploit allows people to develop an OS to run on the console, which in turn will be developed to run copied games off the newly created OS.
                  This is the 1st stage of exploiting the machine,
                  but also the breakthrough people have been looking for.
                  Give it 5/6 months and you will see the rise of the PS3 scene.

                  • cunny
                    V.I.P. Member
                    • Jan 2009
                    • 4915

                    #10
                    Originally posted by HoTTDubbER
                    The exploit allows people to develop an OS to run on the console, which in turn will be developed to run copied games off the newly created OS.
                    This is the 1st stage of exploiting the machine,
                    but also the breakthrough people have been looking for.
                    Give it 5/6 months and you will see the rise of the PS3 scene.
                    From what I have read also, each game has a unique code, so copying the games could also be an issue. Then there is the price of the discs. They could be working on a HDD launcher at some point like the Wii, but I doubt it.

                    The game dumps that are out on the net are useless from what I read, but you never know, a new OS could trick it that these codes ain't needed.

                    Interesting days ahead in this scene, now an exploit has been made public. Let's see if Sony try to patch it, as more than likely they always will...

                    "Make it idiot proof and someone will make a better idiot."


                    • ianmac
                      DK Veteran
                      • Oct 2008
                      • 922

                      #11
                      I agree, Sony will probably try to patch it, like they are doing with the PSP firmware updates.
                      But the PSP is still being hacked after all these years.

                      --- Ian ---


                      • cunny
                        V.I.P. Member
                        • Jan 2009
                        • 4915

                        #12
                        That's because the security is nowhere near as advanced as the PS3's. No matter what patches they apply, the base code has the flaws. Just hoping that this is the case with the PS3, if anything ever comes of the hack that is.

                        • chroma
                          V.I.P. Member
                          • Feb 2009
                          • 1976

                          #13
                          Originally posted by cunny
                          From what I have read also, each game has a unique code, so copying the games could also be an issue. Then there is the price of the discs. They could be working on a HDD launcher at some point like the Wii, but I doubt it.

                          The game dumps that are out on the net are useless from what I read, but you never know, a new OS could trick it that these codes ain't needed.

                          Interesting days ahead in this scene, now an exploit has been made public. Let's see if Sony try to patch it, as more than likely they always will...
                          Sony can't actually patch it. The patch would take cycles off at least one of the SPEs and the PPE to compare memory, which isn't really anything too major. The fatal blow comes from the fact that in order to get it to actually work they would need to halve the memory bandwidth over the bus, which means any current and older games would take a severe performance hit.

                          In order to patch the exploit you would effectively kill the system as a gaming platform, and wind up with nothing but a decent BD player/media center.

                          Sony's only move here is to drop the ability to run Linux (which already happened with the Slim) and dump Linux entirely from their future product roadmaps.
                          The problem with this, however, is that it was precisely because the PS3 could run *nix out of the box (albeit in a nerfed form) that prevented rapid growth of the scene in the first place.
                          (The mod scene is rarely interested in running pirate games; we just want to run our own code on a unit without having to pay extortionate developer fees to do so.)
                          So if they drop Linux in the future, then the next iteration will be likely to face Xbox piracy levels.
                          He who laughs last thinks slowest.


                          • PAUL7331
                            Top Poster
                            • Mar 2008
                            • 163

                            #14
                            So we're looking at 6 months before anything comes of it, at least. And then Sony will only ban people who go online with the copied games, so I wouldn't risk being barred from playing COD online!

                            • alunfennell
                              V.I.P. Member
                              • Oct 2008
                              • 1525

                              #15
                              This will not take off until it's on a MODCHIP etc.! The maze of wires and soldering is only 5% of the total hack and the rest is complicated software introduced to the console's firmware, for which by all accounts an OS or homebrew has not been developed yet, nor have Sony released any countermeasures that could potentially null and void this hack from the start.

                              Sony are to release a new pay service for their online community over the next few months, in line with Xbox Live on the 360, thus bringing in new terms and conditions for online content and gaming, most likely banning pirated consoles if this hack takes off. Very easy, as every game has its very own ID number registered to one console; if it pops up all over the place then it's easy to ban everyone using any one copy.

                              Just because it's hacked does not mean stealth software will be developed, or the other software needed to stay alive online... Sony may cripple pirated consoles fully, unlike Microsoft banning online functionality. Who knows.

                              Don't hold your breath for this hack to become the next big thing.
                              **The Worlds Best Interactive F1 Strategy Game**