PS3 exploit released

You can now download the exploit package for the PlayStation 3. [Geohot] just posted the code you need to pull off the exploit we told you about on Sunday, making it available on a “silver platter” with just a bit of explanation on how it works. He’s located a critical portion of the memory to attack. By allocating it, pointing a whole bunch of code at those addresses, then deallocating it he causes many calls to invalid addresses. At the same time as those invalid calls he “glitches” the memory bus using a button on his FPGA board to hold it low for 40ns. This trips up the hypervisor security and somehow allows read/write access to that section of memory. Gentleman and Ladies, start your hacking. We wish you the best of luck!

[Thanks Phileas]

Comments

  1. thecityspiders says:

    Pwnage!!!

  2. Cody says:

    That guy must have spent endless hours trying again and again, solution after problem after solution, to get this to us.

    I’d give him my fucking life if I could.
    I don’t have a PS3 but that had to have taken some serious effort.

  3. blink says:

    holy crap, the comments section of that guy’s post is worse than youtube.

    Good work geohot.

  4. BIOS says:

    I remember seeing somewhere that it was possible to install Linux on the PS3 natively :\

    Either way that is Fkin awesome!

  5. jeff-o says:

    @BIOS: That used to be the case. Sony disabled that feature on the new PS3 Slim model.

  6. misha says:

    the best way to get an engineer to do something is to tell him he can’t.

    <3 geohot

  7. frank says:

    @BIOS: yes it is possible to install linux(yellowdog linux for example). BUT sony allows only very limited access to the hardware, which means the linux you can install has no access to the graphic card. all graphics under linux must be done by the main processor. and also the access to main processors is very limited. with the exploit geohot released it might be possible to get full access to the hardware. it’s still a long way to go, but one step closer…

  8. Seuss says:

    I really want to start going at this. I probably should’ve tried to get an fpga board during free day. Any body know of some cheap fpga boards that have a 40ns or a different way to do the 40ns pulse?

  9. Eric says:

    Awesome, I don’t have a PS3 bu I did at least understand everything he said.

    I LOL’d at all the kids looking for the custom firmware in GeoHot’s comment section.

  10. sneakypoo says:

    @Seuss: Pretty much any microcontroller can do it for you. Might even be able to do it with a 555 but I’m not sure since I never use them.

  11. hc says:

    you can just use a 25MHz crystal or oscillator and a flip flop to hold it low for 40ns.

  12. mlal says:

    we should admit “geohot” is a genius. Long time back, we used to hear a name “LINUS…”, now a phenomenon.

    good work, keep it.

  13. Quote for the pirates says:

    Below is iQD’s statement regarding the recent GeoHot PS3 Hack news, partly it really seems as if he does not read any docs.

    To quote: “So the PS3 is hacked ? Well that’s nothing more than an urban legend.

    Altough it’s nice to capture all these HV calls and stuff from a plain (not encrypted) lv1 binary, but this will never lead to a hacked PS3.

    Let’s have a look. The major security architecture on the PS3 is called the “Secure Processing Vault” and is the most important thing regarding “hacking” the PS3.

    There is NO WAY for the PPU or even the HV to gain access to the SPU, which is an application running inside of an isolated SPU.

    Well you can kick out the isolated SPU, like geohot mentioned, but this gives you nothing, as ALL the encryption and execution of applications (HDD encryption, app encryption, decryption, executing, signature checking, root key extraction) happens inside the isolated SPU.

    To run homebrew on the PS3 you would have to reassemble the whole functionality from the SPU inside a binary running on the PPU. For this you will need the root key.

    The root key is stored in hardware (not even close to the things on the iPhone). The root key cannot be extracted by any software or hardware means and is essential to ALL encryption/decryption, executing and checking routines.

    The only way to get the root key is inside of an isolated SPU, as it is kick-starting the hardware encryption facility. There is no other way to do that !

    Let’s just assume that geohot or some other guys are able to break into the local store of the isolated SPE. There they will just find some encrypted binaries.

    The key for decryption is encrypted by the root key ! You won’t get anywhere without the root key.

    Let’s assume that someone managed to do all those stuff from the isolated SPU on the PPU and creates a CFW.

    There is still a secure booting environment. The first module loaded/bootet is integrity checked by the hardware crypto facility utilizing the root key. So you have also to address this booting stuff. Again, no root key, no booting.

    So there’s always runtime patching you might ask ? Not possible on the PS3 because the hardware crypto facility is able to check the signatures whenever it wants to.

    And which part is responsible for this ? Exactly, the isolated SPU. So if you kick out the isolated SPU the system will not boot/run anymore.

    The PS3 is neither an PSP nor an iPhone. It’s the most secure system architecture of this time !

    The girl behind this stuff, Kanna Shimizu, is not somebody. Messing around with this is not like saying Bruce Schneier is a n00b.

    Btw.: forget about all those stories, that certain hackers are or will be employed by SONY. That’s nothing more than another urban legend.

    @geohot It is OBVIOUS that the HV is PPC. The Cell BE is a PPC architecture, you know ;-) Better read those IBM papers in first place !

    – iQD”

    that means he does nothing really, just baypass lvl1 security wich is great but paradox did it before him!

  14. minxo says:

    With his code you can inject shellcode through POKE, and run in supervisor, and also dump the HV code that is in lvl1 in main RAM that the kernel uses, this is the actual code for the interface Linux uses not just the symbols and pointers as before..including undocumented ones.

    True though you can’t dump the CELL boot ROM or code from the locked SPE yet. What really needs to be done is a dump while XMB is running not otherOS, and see what’s in main RAM then. There are also obscure instructions that interact with locked SPEs. Dumping while in XMB require XDR bus modification though, and can also be done on the SLIM.

    Most people are just going to sit back and criticize though because of lack of skill and/or laziness.

  15. Mr. Sandman says:

    Custom firmware in 5…4…

    I’ve been waiting for something like this to come along since the PSP had custom firmware for homebrew apps and .iso reading capabilities.

  16. john says:

    iQDs statement is nonsense.
    the rootkey is necessary if want to run pirated games, true… but
    that never was geohots target.
    the exploit allows access to the gpu for example, which was not possible under linux before. geohot never claimed he want to run pirated software, he only gave access to the hardware.

    Also it might not even be necessary to get the rootkey…with the exploit it might be possible to read the decrypted output of the SPEs and pass it to ps3 software. similar to how it was done to copy psp games without breaking any encryption algorithms.

  17. minxo says:

    FYI: Paradox has never done anything with the PS3, nobody has ever done dumps from RAM or ran in supervisor mode. About the only quality thing to ever come from Paradox is there losing demo division. Sorry if that insults all the pseudo-hax0rs. Don’t run metasploit on my gibson please.

  18. Andrew Moyer says:

    Looks like the glass case surrounding the Cell processor has a few cracks in it now…

  19. hunnter says:

    Patch in 3…2…1..HIT IT.

    The hack seems pretty specific, it will probably be fairly easy to patch up now they know said specifics.

    Also, does it work on more recent versions? Or is it still only 2.4.2?

  20. sutekh says:

    The only thing this does is remove the HV restrictions on the OtherOS. That will in no way allow any sort of manipulation of the GameOS. The sad thing is that George actually believes he unlocked it saying…

    “The system isn’t locked, you have access to everything now. The root key can’t be dumped, it can only be used, and is similar to many other crypto engines on platforms that have widely been considered hacked, such as the iPhone and PSP”

    Obviously he didn’t read up on how the Cell BE works and is completely delusional if he thinks it’s anything like the iPhone or PSP. It’s really not that hard for even a non-technical person to see that getting past the HV doesn’t do any good by reading this http://www.ibm.com/developerworks/power/library/pa-cellsecurity/

    I’m not saying what he did was worthless. It will allow us to use the hardware to it’s full extent from OtherOS. My problem is that he’s saying he hacked the PS3 which is like opening the first door on a vault behind 5 doors and saying it’s open.

  21. autobot says:

    I hope this ONLY allows full hardware utilization in linux, pirating games is for f’ing losers who don’t believe publishers deserve to be paid…..and yes I know they get paid anyway but without them there are no games.

  22. sutekh says:

    @autobot
    That is exactly what it does. It allows full use of the hardware in OtherOS. It does NOT allow access to any decryption keys and NEVER CAN. That’s just the way the Cell security works. Which means the GameOS can NOT be decrypted and can NOT be modified. This “hack” can NEVER lead to a CFW, iso loader, GameOS homebrew or anything like that.

    99% of the people reading about this “hack” simply can not get that through their head. I just don’t get it.

  23. jimmys says:

    sutekh-

    This guy has done some experimenting and documented some interesting behavior that others may find helpful in their PS3 projects.

    You seem hung up on the word ‘hack’. Its definition now is only slightly more broad than the word ‘smurf’ and ranges from blinking different colored LEDs to reverse engineering smartcards.

  24. sutekh says:

    @jimmys

    I’m not trying to say what he did wasn’t awesome and If I wasn’t too scared to open up my PS3 I’d play with it myself.

    What I’m saying is that most people (including George!) believe that this will allow developers to create CFW and such. But this has not compromised the GameOS at all and never can because of the way the system works.

  25. Mark says:

    I know quite a few people who’ve been disappointed by Linux on the PS3 and have ended up getting a PC in the end anyway.

    For a while now, people have asked me about getting a PC for their kids to play games on as well as allowing them to do basic school work and for a long time I’ve always wanted to say, you know what, just get a PS3 it can run linux for the kids school work and allow them play games.. but instead I’ve been telling them to get a cheap PC and buy an XBOX for games.

    Hopefully this hack on the PS3 will make it an actual useful Linux Desktop replacement.. Why Sony haven’t allowed Linux devs access to the GPU/etc before now I’m not quite sure, but the extra memory and faster display is going to be really good for a lot of the PS3 owners I know.. and I might even consider getting one myself…

    Now… how long before Mac OS X gets a look in on the PS3? ;)

  26. thecityspiders says:

    I like it a lot …. the fact “exploit” only opens the hardware up for actual GPU use is awesome especially when that really does nothing for the pirate community and i am glad…which like many I do not condone pirating games on consoles that are still active in the marketplace …I’m sickened by the perverse aspect of the pirating that takes place …which only increases these security measures we have to overcome to use a kick ass piece of hardware for any thing under the sun like home theater and fun things like juggling equations :-p
    Good job and keep up the hard work Geohot …we need more like you in the hardware community.

  27. stevediraddo says:

    Everyone is missing the whole point of this.

    Whoever is getting way too excited over this obviously doesnt understand what just happened. He got read/write access to the PS3’s RAM. Thats it. Everything else is imagination until it is made into a reality.

  28. jjrh says:

    @Mark, I can imagine sony didn’t want people using their ps3’s for exactly what you mentioned. Those folks aren’t buying games, and things like emulators in full screen would certainly take business away from their playstation store. There would also be more free things you could use your ps3 for to keep you entertained.

    This is pretty exciting stuff though. I might need to buy a ps3 soon.

  29. Wdfowty says:

    @everybody
    piracy, even if possible, would be comletely impractical. Can you imagine downloading a bluray iso? I think the reason piracy is so wild on other gaming platforms, like the xbox 360 and psp, is because it is reletively inexpensive and extremely easy to do. I don’t think that’s the case with the ps3.

  30. jimmys says:

    sutekh-

    “What I’m saying is that most people (including George!) believe that this will allow developers to create CFW and such.”

    Ok, we’re in agreement on that point.

  31. Rooster says:

    @ Wdfowty

    People thought it was crazy to think someone would download AN ENTIRE DVD in 1998 or 1999…don’t think blueray won’t end up the same way.

  32. wdfowty says:

    @Rooster

    who knows…lets hope not. im happy to pay for games for ps3. i save on multiplayer costs in the long run :D

  33. walt says:

    you know it’s tricky when hackaday says “…and SOMEHOW allows read/write access…”

  34. Godd says:

    I don’t pirate videogames, but I’m not at all sickened. It’s a similar idea to environmental niches. The people who enable the piracy to happen just give security peofessionals a job. And they develope some new coding principle and everybody benefits in the end. Yet again, I don’t condone it, but it has it’s place.

  35. Mr. Sandman says:

    @wdfowty: im not specifically excited because of the posability of burning games, more along the lines of .iso capabilities, like with the psp custom firmwares, which allow .iso images to be run directly from memory. it’s pretty easy to upgrade the HD in a ps3, so “image size” wouldnt be a concern, especially since i dont even on a ps3 (yet, waiting to see where this goes, then i might consider it)

  36. Elementslgodz says:

    This may sound stupid. But making a mod chip that emulates where root key is stored and creating cfw to bypass the spu and use the modchip. To authenticate bds and access the rest of hardware in the ps3. I am sorry if my comments aggravate some ppl but I am still trying to learn all this new info. Anyway best wishes and happy hunting

  37. 45munk says:

    Emulating a spu for root keys and encryption within a modchip, creating a cfw to utilise the modchip instead of the spu, ppu, spc, CIA whatever it’s called I’m not exactly abbreviatedly minded like some. And thus in my child like mind authenticate bds and unsigned code into rest of hardware….I don’t even understand what I said

  38. none says:

    @Godd: Let’s start breaking windows (and I mand glass windows), because it gives glass professionals a job and benefits us all in the end. Not.

  39. Seuss says:

    @sneakypoo @hc
    thank you

  40. bob says:

    Studies have shown that piracy actually increases sales. Not to mention the games, music and movie industries have all posted record profits this year despite the depression and this so called piracy problem.

    Actually it is the big distributors/studios who are ripping off the poor artists/programmers by not passing on the good fortune.

    Don’t listen to the propoganda. Piracy is not theft. Copyright/patents were designed to let people earn a reasonable amount for their ideas not a licence to hold them to ransom. They are supposed to be there to promote innovation, not to stifle it.

  41. jimmys says:

    bob-
    The game, music, and movie industries would make MORE profit if they promoted piracy but they’re not smart enough to understand the situation as well as you do?

    Or maybe the shareholders just aren’t interested in stuff like the value of their shares.

  42. suckas!

  43. bob12 says:

    yea cant believed the ps3s finally hacked
    been doing some extensive research on my site
    Geohots PS3 exploit

    it took him only 5 weeks. and it been out 3 years

  44. bob says:

    @jimmys

    Why should innovators/artists and consumers all lose out for a few greedy shareholders who have done nothing to get richer?

    Duty to shareholders is often used as a lame excuse to throw morals and commonsense out of the window, but actually businesses can be profitable without doing their best to rip everybody off.

  45. jimmys says:

    bob-
    They do nothing? Shareholders (individuals, pension funds, teachers’ unions) have fueled the innovation that has brought us all this sweet stuff like the internet, iphones, drugs to fight HIV/cancers and the awesome things to come like commercial spaceflight and drought-resistant crops. But if shareholders, who have NO guarantee of ANY return on their investment, are motivated by profit and if you’re correct that promoting piracy increases profit, then why wouldn’t these ‘greedy’ shareholders jump at the opportunity?

    I’m just grateful that I get a few more years with family members who would have died painfully but didn’t because their cancers are now detectable and treatable.

    What have YOU done to make life better for others?

  46. Mr. Sandman says:

    Take it outside, boys.

  47. jimmys says:

    mr sandman-

    You the new hall monitor now?

    There’s a lot of people who think that
    the heart of hacking is illegal activity.
    That’s more from the younger crowd that
    pirates movies, games, music. They want it,
    it’s easy to take, and there’s no chance
    of getting caught so why not. I think
    bob is one of those that says the current
    concept of intellectual property is bogus.
    I disagree.

    You might not like the tone but it’s a valid
    discussion especially for a PS3 hacking
    thread.

    What do you think, son?

  48. nick says:

    I don’t get it! I study electronic engineering but i can’t understand the methodologies these guys use to test/hack systems like the PS3 or PSP. Can anyone give me some pointers please? There has gotta be a standard method (at least at the beginning). Thanks

  49. xhei says:

    that’s hacking…but i don’t get this too much? i mean u can backup ur games now,or burn games ect??

  50. BIGJohnson says:

    I understand the reason behind “hacking,” and I understand why certain things need to be safeguarded against it. What I do not understand is, if I am going to pay $600.00 (2nd generation, early 2007) for a machine that can “do it all,” why am I not able to do it all. The game OS is excellent for games and media, but when it comes to the internet… the browser sucks. The “Other OS” feature is genius and works well enough that it makes the first, 2nd, and 3rd gen ps3 worth buying, with the exception of the 20gig (worthless). Now that there is a “hack” to make the other os feature better, it would be in Sony’s best interest to put it back onto the 5th generation. The buzz of this hack alone would boost unit sales… I would try to hack it if I could get my hands on what is needed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 92,288 other followers