PS3 Exploit Setup

February 8th, 2010

Just a quick pic of it all working together cos everyone loves pictures!

This is the PS3 with the newer motherboard, where the socket I installed in the front actually looks nice; the other one was a bit of a hack job ;)

PS3 Exploit: Hardware

February 8th, 2010

This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing it to RAM, so in order to stop it from saving the changed value we need to stop this write from occurring.

The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is that the PS3 thinks it has successfully written the value to RAM, while the RAM never received the write command due to our interference and so did not perform the write.

PS3 Exploit: Software

February 5th, 2010

As I’m sure everybody has heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack, so I thought I’d take the time to help out others who may also have trouble due to being linux n00bs like me :) If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it heh. Today’s post will talk about the software side of the exploit.

Please note that the geohotz exploit software was hardcoded for the v2.42 firmware; I have made a small fix that attempts to dynamically support all firmware versions. I have only tested and used it on v3.15, however.

Fixed PS3 Exploit Files


PS3 and Xbox360 IDA Plugin Update (again)

January 26th, 2010

As more special PPC instructions are stumbled across, support for them gets added to the plugin. I know I could go through an exhaustive list of all instructions and add them all, but for now I am content with adding them a few at a time :P

PPC Altivec plugin v1.6 for IDA v5.6

Support added for the instructions: attn, lwsync, ptesync, tlbiel, tlbie, tlbi, slbie.

Also added support for the SystemSim “callthru” instruction (should this even be used outside of a simulator?) and lastly an instruction that I cannot find any information about. The hex value is 0x02002000, so for now I have added this instruction as opcode_02002000 so that it will at least disassemble to code and can therefore be treated as code. If anyone knows what this instruction is please let me know :)
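To show what the plugin has to do for each new instruction, here is an added Python example (mine, not the plugin's code) that extracts the opcode fields from a 32-bit PPC word, names the instructions listed above, and falls back to the post's opcode_XXXXXXXX convention for anything it cannot name. The encodings are taken from the PowerPC ISA; the callthru word 0x000EAEB0 is assumed from the Cell SDK.

```python
# Added example: classify 32-bit PowerPC instruction words the way a
# disassembler plugin must before it can name them. Fields use the IBM
# bit numbering (bit 0 = MSB): primary opcode in bits 0-5, the X-form
# extended opcode (XO) in bits 21-30, RB in bits 16-20, sync's L in 9-10.

def primary(w: int) -> int:
    return (w >> 26) & 0x3F

def xo(w: int) -> int:
    return (w >> 1) & 0x3FF

def rb(w: int) -> int:
    return (w >> 11) & 0x1F

def sync_l(w: int) -> int:
    return (w >> 21) & 0x3

# Mnemonics the post lists, keyed by (primary, XO). Assumed from the PowerPC
# ISA: the sync family is 31/598 with L selecting the variant, the TLB/SLB
# invalidates take RB, and attn is primary 0 with XO 256.
XFORM = {
    (31, 598): lambda w: {0: "sync", 1: "lwsync", 2: "ptesync"}.get(sync_l(w), "sync"),
    (31, 306): lambda w: f"tlbie r{rb(w)}",
    (31, 274): lambda w: f"tlbiel r{rb(w)}",
    (31, 434): lambda w: f"slbie r{rb(w)}",
    (0, 256): lambda w: "attn",
}

# Whole-word matches: the SystemSim callthru has no operand fields
# (word value assumed from the Cell SDK's callthru.h).
FIXED = {0x000EAEB0: "callthru"}

def disasm(w: int) -> str:
    """Return a mnemonic, or opcode_XXXXXXXX for a word we cannot name,
    which is what the post does with 0x02002000."""
    w &= 0xFFFFFFFF
    if w in FIXED:
        return FIXED[w]
    handler = XFORM.get((primary(w), xo(w)))
    return handler(w) if handler else f"opcode_{w:08x}"

if __name__ == "__main__":
    for word in (0x7C2004AC, 0x7C4004AC, 0x7C001A64, 0x00000200, 0x02002000):
        print(f"{word:08x}  {disasm(word)}")
```

Only the instructions named in this post are in the table, so ordinary primary-31 instructions also come out as opcode_XXXXXXXX here; a real plugin would hand those to IDA's own PPC module.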

PS3 and Xbox360 IDA Plugin Update

January 24th, 2010

Here is version 1.5 of the PPC Altivec Plugin for IDA v5.6 which adds support for special instructions that are used by some PPC based devices. This was originally written by Dean Ashton and then updated by Takires.

This is useful when disassembling Xbox360 and PS3 binaries in IDA, as they utilise these special instructions that are not supported by IDA's built-in PPC disassembler module.

I have done some fixes to instructions that were previously handled incorrectly, as well as adding support for some new instructions. I also fixed an issue where instruction sizes were being reported incorrectly resulting in an incorrect disassembly.

More broken technology

November 12th, 2009

In lieu of adding real content to my blog, here is some more broken technology I came across. It is an electronic billboard that is basically a computer running ads on a widescreen LCD screen. It seems to be lonely without its keyboard, however.

Close up of electronic billboard

Electronic billboard in its environment

Wii: Load Nintendo SDK ELFs via the HBC

July 8th, 2009

The Homebrew Channel (HBC) was designed to be used with the Homebrew SDK aka devkitPro. So any files you compile with devkitPro should load OK via the HBC.

If you try to load a file that was compiled with the Nintendo SDK, however, you will get the error “This is not a valid Wii application”. This is because the Homebrew Channel retrieves the load address for each ELF program segment from the Physical Address field, and in Nintendo SDK files this field is set to zero.

Hopefully the HBC guys will fix this in the next release, making the HBC more compatible. In the meantime you can use this little tool I made to patch your ELF file. It copies the values from the Virtual Address field into the Physical Address field for each program segment in your ELF file.

WiiElfFix v1.0
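The patch the tool applies, as an added Python example that is not WiiElfFix itself: it walks the ELF32 program header table and copies p_vaddr into p_paddr, run here on a constructed big-endian PowerPC image whose p_paddr fields are zero, as the post describes for Nintendo SDK output.

```python
import struct

# ELF32 header: e_phoff at byte 28, e_phentsize at 42, e_phnum at 44. Program header
# (8 x uint32): p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align.

def _layout(elf: bytes):
    """Validate an ELF32 image; return (endian prefix, phoff, phentsize, phnum)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:   # EI_CLASS 1 = ELFCLASS32
        raise ValueError("not an ELF32 file")
    end = ">" if elf[5] == 2 else "<"           # EI_DATA 2 = big-endian (Wii PPC)
    phoff, = struct.unpack_from(end + "I", elf, 28)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    if phentsize < 32 or phoff + phnum * phentsize > len(elf):
        raise ValueError("program header table is truncated or malformed")
    return end, phoff, phentsize, phnum

def read_paddrs(elf: bytes) -> list:
    """p_paddr of every program header, in table order."""
    end, phoff, phentsize, phnum = _layout(elf)
    return [struct.unpack_from(end + "I", elf, phoff + i * phentsize + 12)[0]
            for i in range(phnum)]

def fix_phdr_paddr(elf: bytes) -> tuple:
    """Copy p_vaddr into p_paddr for each program header, as WiiElfFix does.
    Returns (patched image, number of headers that were changed)."""
    end, phoff, phentsize, phnum = _layout(elf)
    out, changed = bytearray(elf), 0
    for i in range(phnum):
        off = phoff + i * phentsize
        p_vaddr, p_paddr = struct.unpack_from(end + "II", out, off + 8)
        if p_paddr != p_vaddr:
            struct.pack_into(end + "I", out, off + 12, p_vaddr)
            changed += 1
    return bytes(out), changed

def build_sample_elf() -> bytes:
    """Constructed minimal big-endian ELF32 (e_machine 20 = PowerPC) with two
    PT_LOAD headers whose p_paddr is zero, like the SDK output the post describes."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 20, 1, 0x80004000,
                               52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdrs = b"".join(struct.pack(">IIIIIIII", 1, 0, va, 0, sz, sz, 5, 0x20)
                     for va, sz in ((0x80004000, 0x1000), (0x80005000, 0x200)))
    return ehdr + phdrs

if __name__ == "__main__":
    patched, n = fix_phdr_paddr(build_sample_elf())
    print(f"patched {n} header(s); p_paddr now {[hex(a) for a in read_paddrs(patched)]}")
```

To patch a real file, read it into bytes, pass it to fix_phdr_paddr and write the returned image out; the function refuses anything that is not ELF32 and leaves headers whose p_paddr already matches untouched.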

When arcade machines go bad…

July 1st, 2009

I love seeing these kinds of things, so when I saw this at my local pub I thought I would share it with the world.

Small update to PS3 IDA plugin

May 25th, 2009

I’ve been busy digging into the PS3 lately; I decided it’s finally time to see what secrets can be extracted from it. During my investigations I found that level-1 syscalls, a.k.a. hypercalls, are not handled by IDA, so I decided to add support for them to the existing PPC Altivec plugin.

Bruteforcing AES encrypted data

May 8th, 2009

When it comes to cryptography algorithms the topic of bruteforcing them comes up often, but it is rarely dealt with in a satisfying way. Usually such a discussion will start with someone asking “Why not just bruteforce it?” and end with someone stating “It is not possible, it would take too long”. Occasionally someone will chip in with “Why not randomly guess it? You might get lucky”. So one day I decided to find out if it is possible, and if not, to at least get an idea of just how long “too long” is.
