PS3 Hypervisor Hacked

[fe_man2000]

a couple of months and BANG! - a snes emulator...finally. The must have app for any device no matter how powerful. Then and only then will I buy a PS3 - till then I am staying on a DEC alpha running a mac OS emulator acting as a shell for a windows 95 emu hosting my SNES emulator as god intended.

[casio]

with the power of the PS3??? wowzer!

thats what i was thinking, imaging having a ps3 running behind your computer monitor, it'd beat the snot out of mine performance wise, it'd interesting to see how it would stack up head to head with a normal dual or quad core desktop pc, imagine running some video encoding software you could convert your home movies to dvd in record time, not to mention other file conversions that would be a breeze

[raelmadrid]

another interesting point - the cell has 8 cores - 1 is dedicated to security and encryption and 1 is disabled at the factory so they get a higher production yield. Hopefully when it gets hacked these extra 2 can be used properly and make it even more powerful

[SiE]

I wouldnt get that excited about its power. The games developers are yet to create a game that looks better on PS3 than 360. The cell is a load of sony hype.

Homebrew will be nice though but im not expecting miracles

[raelmadrid]

i'm not talking about games looking better than 360 or sony hype

raw figures - 8 cores is more than 6 cores

[fe_man2000]

Doesnt it have very low memory and a slow hdd though - hence a lot of cores for say video encoding could be somewhat crippled - which as it was never designed for that type of thing would be no surprize of course.

[raelmadrid]

wow now i know what a ps3 fanboy feels like lol

it has the same memory as a 360, only difference is that its split 256mb for the graphics and 256mb for system. Slow HDD? its just a 2.5" SATA drive you could have an SSD in there if you wanted.

[Sanj[UK]]

He's released it

In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works

Upto 2.4 is good as it shouldn't affect online play unless some c*nts are using ps3proxy(but i don't think that works anymore)

EDIT 2.4.2 is linux kernal. Bollocks. Hopefully nothing ever comes out of this

[raelmadrid]

NFO:

geohot: well actually it's pretty simple geohot: i allocate a piece of memory geohot: using map_htab and write_htab, you can figure out the real address of the memory geohot: which is a big win, and something the hv shouldn't allow geohot: i fill the htab with tons of entries pointing to that piece of memory geohot: and since i allocated it, i can map it read/write geohot: then, i deallocate the memory geohot: all those entries are set to invalid geohot: well while it's setting entries invalid, i glitch the memory control bus geohot: the cache writeback misses the memory :) geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated geohot: then i create a virtual segment with the htab overlapping that piece of memory i have geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab geohot: switch to virtual segment geohot: write to main segment htab a r/w mapping of itself geohot: switch back geohot: PWNED geohot: and would work if memory were encrypted or had ECC geohot: the way i actually glitch the memory bus is really funny geohot: i have a button on my FPGA board geohot: that pulses low for 40ns geohot: i set up the htab with the tons of entries geohot: and spam press the button geohot: right after i send the deallocate call

NFO:

!!EXPLOIT IS FOR RESEARCH PURPOSES ONLY!! Usage Instructions: Compile and run the kernel module. When the "PRESS THE BUTTON IN THE MIDDLE OF THIS" comes on, pulse the line circled in the picture low for ~40ns. Try this multiple times, I rigged an FPGA button to send the pulse. Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!! If the module exits, you are now exploited. This adds two new HV calls, u64 lv1_peek(16)(u64 address) void lv1_poke(20)(u64 address, u64 data) which allow any access to real memory. The PS3 is hacked, its your job to figure out something useful to do with it. http://geohotps3.blogspot.com/ ~geohot

[fe_man2000]

I'm not sure why your bringing the xbox as a comparision, that seems strange it isnt going to be competing again it in this area - I was just saying that a games console, even with a good cpu but only 256mb of ram might not be much good at things , like video encoding for example as that was mentioned earlier. I dont know of course as this is all just theory but when you are moving a lot of data around system RAM can be a factor as can the speed of the Sata controller. The Cell CPU is a good one but inside the PS3 its sitting on bespoke hardware with a narrow set of requirements that it has to be good at. If, and its a big if, it could be opened up and used for something else - that something else better not need that much memory is what I am saying. Was a throwaway comment really.

Not even getting into the question of someone making it run at 100% effency and with the software running well etc.

[mysterym]

My gut feel is a modern day pc would trounce the 4+ year old cell processor, yes it has spe's, but they are more like DSP rather than fully fledged processor cores.

The belief that the ps3 is some mythical supercomputer is unfounded.

[raelmadrid]

video encoding? it plays bluray at 1080p and has already been confirmed that it will play 3D with a firmware update.

I think your missing my original point - if they get full control of the system there are 2 spare cores to take advantage of

[braymond]

im sure i read somewhere that the ps3 has ideal architecture for video encoding etc, maybe on digital foundry. it was a proper article not fanboy nonsense.in fact it maye be some product available using ps3 or cell or some bespoke software.cant remember. i didnt dream it......
anyway - uncharted 2 is the best looking video game ive played, so its def capable.
and for the record - i prefer my 360 before the fanboy accusations fly

[casio]

My gut feel is a modern day pc would trounce the 4+ year old cell processor, yes it has spe's, but they are more like DSP rather than fully fledged processor cores.

The belief that the ps3 is some mythical supercomputer is unfounded.

I beg to differ m8, look at the current graphics cards that can do some of the heavy lifting through the gpu, DARPA use gpu's to do the hard work on their automated cars as they scan the road and drive themselves. they do that because the current cpu's cant keep up, now imaging using a ps3 using all 8 cores running a full tilt doing something like using rainbow tables to crack wpa/wpa2 wifi keys or encoding; or encode a dvd to an mp4 format to put on to your iphone/ipad it would be great.

is it at supercomputer level performance? no of course not but it would be alot faster at certain things that a current computer. The key would be finding what its strengths are. Saying that I remember reading that in america they were using an array of 16 ps3's called -PS3 gravity grid to replace the need for a supercomputer, they spent something like $5000 per simulation on a full on supercomputer from memory they built it for about $6000 and can run as many simulations as they like

you can build one yourself should you feel the need www.ps3cluster.umassd.edu/ also http://gravity.phy.umassd.edu/ps3.html theres some piccys on there that make me jealous lol

[4me2]

PS3: Hacked

January 26th, 2010
Page 1 of 2.

News over the weekend that iPhone hacker George Hotz has "hacked the PS3" has been met with shock, surprise and incredulity. Sony's console is undisputedly the most secure games machine ever made, yet Hotz claims to have achieved a full hack in just five weeks. PS3's security fail is generating incredible interest both inside and outside of the games industry, to the point where an interview he gave to the BBC became the most popular news story on the site last night.
However, despite the level of publicity, it remains unclear what the ramifications of the hack actually are: whether homebrew coding can actually be enabled, whether the deliberately hobbled implementation of Linux can be improved and - crucially - whether Hotz's work will open the door to piracy. It is interesting to note that despite the many claims, right now there has been no "hello world" homebrew code executed that typically demonstrates that the hacker actually has full control over the system.
What Hotz (hacker alias: Geohot) claims to have achieved is clearly important though. Posts on his blog put it blankly, revealing that he has "read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3".
In older systems, like the PSP, reverse-engineering code contained within that memory map was enough to find the decryption keys to game security and system software updates, and so the concepts of ISO loaders and custom firmware emerged.
"Basically, I used hardware to open a small hole and then used software to make the hole the size of the system to get full read/write access," Hotz told The Register. "Right now, although the system is broken, I have great power. I can make the system do whatever I want."
The HV in question is the so-called Hypervisor - low-level code that no-one outside of IBM and Sony should have access to. It controls access to the hardware and monitors the operating system running on it. It's also a key component of the security of both PlayStation 3 and Xbox 360. In theory, during run-time it can detect hacker attacks on the system - for example, the TIFF image exploits that have brought down some firmware revisions of the PSP. These typically worked by overrunning memory buffers, allowing hackers to implant code in memory where it really shouldn't be, where it would then be executed. The implementation of the Hypervisor makes such attacks almost certain to fail.
Hotz reckons that his control over the Hypervisor is so complete that when it attempts to run code designed to secure the system, he can simply stop the call from ever happening. More than that, he can create his own calls designed to access the system at the very lowest levels. He claims to have created two new calls so far, one to read from any point in system memory (Peek) and the other to write (Poke). As the code injection is happening at pretty much the lowest level, the only way Sony can effectively defeat it is to redesign the hardware - although firmware updates can seek to circumvent whatever brand of code he chooses to inject into the system.
Making matters difficult is the fact that Sony and IBM's security protocols were created to anticipate a worst-case scenario, and assumed that at some point someone like Geohot would gain access in this way. So even more layers of security were added to the design.
First up there's the matter of the all-important decryption keys. The PS3 has eight SPUs circling its PowerPC core. One of those is disabled (to improve yields in fabricating the expensive CELL chip - more "faulty" ones can be used if the defective element of the chip is disabled). Another SPU handles security, processing encrypted code, leaving six purely for game developer usage. While the hack gives access to the entire system memory, the all-important decryption keys are held entirely in the SPU and can't be read by Hotz's new Hypervisor calls.
The other security element is the so-called root key within the CELL itself. It's the master key to everything the PS3 processes at the very lowest level, and according to publicly available IBM documentation, it is never copied into main RAM, again making its retrieval challenging. While there is no evidence that Hotz has this, his BBC interview does make for alarming reading for Sony, particularly when he talks about publishing "details of the console's 'root key', a master code that once known would make it easier for others to decipher and hack other security features on the console".
Once the root key is available, it's essentially game over for the system's security for all-time, but it's here that some of the claims being made for the hack don't really add up. PSP has been compromised on many levels again and again, but its root key apparently remains unknown. The BBC report also quotes Hotz as saying that the hack opens up the PS3 to allow all models to run PS2 software: unless the original Graphics Synthesizer chip from the old console is in there, or a software emulator exists, this is almost certainly not the case. While elements of the story don't add up, it is clear that what Geohot has achieved is significant, leaving many commentators to wonder what happens next.

According to his latest blog post, Hotz sees the reserved SPU with its precious cache of decryption keys as his primary target now. "Some people pointed out that I have not accessed the isolated SPEs," he wrote on his blog. "This is true. Although as far as doing anything with the system, it doesn't matter. The PPE can't read the isolated data, but it can kick the isolated SPEs out. Decrypt the PPE binary you need using the intact SPE and save the decrypted version. Kick out the SPE, and patch the decrypted version all you want."
In short he's looking to the use the processor core (the PPE) where he does have access to emulate the isolated SPU (for those interested, strictly speaking, the "SPE" is the name given to the group of all the SPUs). Holding him back - for now - is Hotz's contention that the PowerPC implementation of C++ is being used at this level, and it's somewhat removed from the ARM coding he is used to when hacking mobile devices like the iPhone.
It is safe to say however that Geohot's hack will open the door to piracy by offering low-level access to any one technically minded to do with as they will. Right now, he's looking to extract the crucial decryption keys from the isolated SPU and post them on his blog so others can, as he puts it, "join in the fun" without him having to reveal details of his actual hack - which by his own admission is far from complete or stable.
However, Sony's attempts to secure the game delivery system and the Blu-ray drive itself mean that there'd still be a huge reverse-engineering job required to enable piracy. While PS3 might well be hacked today on a low-level, further levels of protection remain in place to prevent copying games, and will require a significant effort in terms of reverse-engineering to overcome. Those expecting working PS3 games to appear on torrents in the next days or weeks are going to be disappointed.
PlayStation 3's security on the Blu-ray drive itself is (was?) pretty much untouchable and was designed to foil the kinds of attack seen on competing systems. Xbox 360 was compromised owing to the unencrypted nature of the firmware on the original DVD drives. Wii was hacked because the system itself was so similar to the GameCube that when the old hardware was cracked, the new revision fell with it. PlayStation 3 is far smarter. Not only is the drive software itself encrypted, but it's widely believed that the mandatory firmware updates can also reflash the Blu-ray drive too - even if the drive was hacked (it never has been) it would be re-secured next time you updated your PS3.
Completing the puzzle is the file system encryption on the disc itself. While PS3 game dumps are as old as the system itself, they are almost entirely useless and a complete waste of internet bandwidth for those that have been uploading and downloading them - the dumps do not contain the encryption keys apparently hidden in Blu-ray's proprietary ROMmark copy protection system, which remains inaccessible. While Geohot's hack potentially opens the door to piracy, in any eventuality, games would still need to be heavily patched to operate without the encryption even on a compromised system.
Geohot himself won't be coding anything that directly attacks these systems, and reckons that his hacking blog isn't intended for those looking for user-friendly Jailbreak-style software like his various iPhone unlocking tools.
"If you are expecting some tool to be released from this blog like blackra1n, stop reading now," he posted. "If you have a Slim and are complaining this hack won't work for you, stop reading now. WE DO NOT CONDONE PIRACY, NOR WILL WE EVER. If you are looking for piracy, stop reading now. If you want to see the direction in which I will take this blog, read the early entries in the iPhone one. Information on this blog is for research purposes only."
This protects Hotz from legal action on the part of Sony and allows him to present the hack itself as the key to making PlayStation 3 an open platform. However, assuming the hack itself is published, and decryption keys posted, it's only a matter of time before someone else takes on the challenge of peeling back the remaining security, and the first downloadable, copied games hit PS3.

http://www.eurogamer.net/articles/di...hacked-article

[mysterym]

I beg to differ m8, look at the current graphics cards that can do some of the heavy lifting through the gpu, DARPA use gpu's to do the hard work on their automated cars as they scan the road and drive themselves. they do that because the current cpu's cant keep up, now imaging using a ps3 using all 8 cores running a full tilt doing something like using rainbow tables to crack wpa/wpa2 wifi keys or encoding; or encode a dvd to an mp4 format to put on to your iphone/ipad it would be great.

is it at supercomputer level performance? no of course not but it would be alot faster at certain things that a current computer. The key would be finding what its strengths are. Saying that I remember reading that in america they were using an array of 16 ps3's called -PS3 gravity grid to replace the need for a supercomputer, they spent something like $5000 per simulation on a full on supercomputer from memory they built it for about $6000 and can run as many simulations as they like

you can build one yourself should you feel the need www.ps3cluster.umassd.edu/ also http://gravity.phy.umassd.edu/ps3.html theres some piccys on there that make me jealous lol

I rearlise that certain types of processors are better than others and i agree that the cell will indeed out perform a CISC processor on certain tasks, Nvidia were looking at using GPU's to do physics calcs simply because they are far better suited for that type of number crunching, however the point was that as computing power goes modern pc's are more of a powerhouse than the PS3.

[fe_man2000]

Maybe we are talking at cross purposes here - are we confusing video playback with video encoding ?
I am sure it will be able to play anything but I thought we were talking about converting from one video type to another, hence my comments about memory. You right about the cores of course but with only 256mb to play with in total they might be somewhat held back..anyway its a log way off from any of this stuff - hopefully we will be pleasently surprized if this does develop into more.

[EvilBoB]

The PS3's original design was to use the Cell as the graphics processor but at the last minute they stuck a gfx card in there as it was easier to program a known GPU than have to learn how to get the Cell to do it. Sony are convinced that the Cell is more powerful than a GPU. I aint convinced.

[braymond]

my response referred to encoding
heres the article i read last yr.i havent re-read it
http://www.eurogamer.net/articles/co...on-ps3-article

[Flat]

wasn't this about the hv hack? damn you offtopic spamers

any news / videos of the hack? havent heared anything since ...