PS3 Exploit Tidbits

I haven’t gotten around to doing an update in a while due to work (and a little relaxation) taking all my time. Rather than wait till I have finished all of the stuff I wanted to before posting again I decided to post some tidbits to tide you over until the rest is ready. Before I do so I’d like to make the following clear as no matter how many times I say it, people believe what they want to believe instead:

THIS PS3 EXPLOIT WILL NOT ENABLE PLAYING OF COPIED OR BACKED UP GAMES. THE EXPLOIT IS FOR RESEARCH PURPOSES ONLY.

It seems someone took some initiative and made some software themselves to dump the hypervisor once they have the correct hardware and software. So for anyone who has used that and dumped their own hypervisor I present this PS3 HV Dump setup script for IDA. This script will setup function tables including the hypercall (syscall) table, mmcall table, OPD, TOC, GOT. It will find common functions such as puts and printf and very importantly it will fixup all rtoc references which are used to access global variables and strings.

To use the script you should extract it somewhere and then from within IDA select “File->IDC File…”, then navigate to where you extracted the file and select it. Please note that this script could overwrite your previous work, so please run backup your idb/i64 file before running it. I recommend running it on a freshly created database by loading your hypervisor dump into IDA as “ppc” at ROM address 0 and then running this script as detailed above before doing anything else.

The other tidbit I wanted to share was the updates to the PPC Altivec plugin source code which I had forgotten to include in the recent releases, but which a few people have since asked for. Here is the PPC Altivec plugin v1.6 for IDA v5.6 with sourcecode. If anyone makes any fixes or adds support for new functions please pass these updates back to me so I can share them on this site.

19 thoughts on “PS3 Exploit Tidbits

  1. Yay this is really an exciting time for the PS3 community xorloser,thanks for the script and plugin update i will be sure to pass this update on to my IDA user friends.

  2. Well done, very good work !!

    It is a very good script.
    But I have fixed some declaration error for older IDA version.

    To patch your script using my little patch use:
    1) go in directory where PS3_HV_Dump.idc is extracted
    2) Launch following command:
    patch -p0 < patch_TitanMKD.patch

    Content of patch file name "patch_TitanMKD.patch":
    — PS3_HV_Dump.idc Wed Feb 24 17:39:14 2010
    +++ PS3_HV_Dump_TitanMKD_Fix.idc Wed Feb 24 12:24:16 2010
    @@ -486,7 +486,8 @@

    static find_lv2ldr_start(startAddr, endAddr)
    {
    - auto addr = 0×020000;
    + auto addr;
    + addr = 0×020000;
    if( Dword(addr+0) == 0×53434500 && Dword(addr+4) == 0×00000002 )
    return addr;
    return BADADDR;
    @@ -494,7 +495,8 @@

    static find_lv2ldr_end(startAddr, endAddr)
    {
    - auto addr = startAddr;
    + auto addr;
    + addr = startAddr;
    if( Dword(addr+0) == 0×53434500 && Dword(addr+4) == 0×00000002 )
    return startAddr + Qword(startAddr+0×10) + Qword(startAddr+0×18);
    return BADADDR;
    @@ -502,7 +504,8 @@

    static find_appldr_start(startAddr, endAddr)
    {
    - auto addr = 0×037000;
    + auto addr;
    + addr = 0×037000;
    if( Dword(addr+0) == 0×53434500 && Dword(addr+4) == 0×00000002 )
    return addr;
    return BADADDR;
    @@ -510,7 +513,8 @@

    static find_appldr_end(startAddr, endAddr)
    {
    - auto addr = startAddr;
    + auto addr;
    + addr = startAddr;
    if( Dword(addr+0) == 0×53434500 && Dword(addr+4) == 0×00000002 )
    return startAddr + Qword(startAddr+0×10) + Qword(startAddr+0×18);
    return BADADDR;
    @@ -518,7 +522,8 @@

    static find_isoldr_start(startAddr, endAddr)
    {
    - auto addr = 0×055000;
    + auto addr;
    + addr = 0×055000;
    if( Dword(addr+0) == 0×53434500 && Dword(addr+4) == 0×00000002 )
    return addr;
    return BADADDR;
    @@ -526,7 +531,8 @@

    static find_isoldr_end(startAddr, endAddr)
    {
    - auto addr = startAddr;
    + auto addr;
    + addr = startAddr;
    if( Dword(addr+0) == 0×53434500 && Dword(addr+4) == 0×00000002 )
    return startAddr + Qword(startAddr+0×10) + Qword(startAddr+0×18);
    return BADADDR;

    End of the Patch !! (do not include this line)

    Best Regards

    TitanMKD

  3. I have updated the script as per TitanMDKs instructions to make it more compatible with odler versions of IDA. The same link in the above post now contains the updated script.

  4. Hello, to use this exploit I must do the GeoHot’s procedure with a pulse generator SX28 in the Memory Bus??
    Or just that I’ve installed Linux?

    Which version of Linux you recommend? Yellow Dog or Ubuntu?

  5. First off – awesome work!

    You could add the four additional interrupt vectors mentioned in the CellBE Handbook (page 253):
    0x0F20 – VXU Unavailable
    0×1200 – System Error
    0×1600 – Maintenance
    0×1800 – Thermal Management

    Hypercalls 16 and 20 are lv1_peek and lv1_poke. Without the exploit they most probably would point to lv1_invalid_hvcall.

    Hypercall 221 contains a typo – it should read “lv1_gpu_context_iomap”.

  6. Pingback: xorloser n’est pas mort

  7. thanks sapperlott, i have updated the script from your notes (just use the same link from the post above). i wasn’t going to label the peek/poke calls, but i guess since they are otherwise invalid i guess it wont hurt. as for the htab parser, i don’t really see the point of it. if someone can point out how it helps with reversing i will add support for it to the script.

  8. Pingback: PS3 Exploit Tidbits | Hirdyz Emporium

  9. 0xe3000 seems to be some sort of NAND directory structure. So the code referring to unk_E3000 might access the flash. This structure appears at various memory locations (the first 0×80 bytes vary, though – some kind of header?)

    There might be some useful info about this here:
    http://www.ps3news.com/forums/playstation-3-dev-news/ps3-nand-dump-analysis-93348.html

    Just a wild guess but the flash could be mapped @ 0xA0000000. Could someone with an exploit-ready PS3 try to dump some memory from there?

  10. xorloser,

    Yes it will be a good things to add HTAB / PTE but in a more powerful way
    To have full memory mapping from EA -> VA -> Real Addr but it also requires dump of SLB …

    Best Regards

  11. sapperlott: that “dump anaysis” is basically just a bunch of n00bs reading ascii strings in a hex editor. the dump conatins lots of “parts” of data but not the full things. it is mainly just a dump of the hypervisor (lv1) code.

    titanmkd: check my new post for info on htabs and ptes etc. i dont really see how parsing them will help in anyway however. using the sourcecode in my new post you can dump and parse your own. they dont tell you anything of interest that isn’t already known.

    kicko: The blu-ray drives are totally untouched by this exploit. You cannot access anything inside the blu-ray drive via this exploit. And the whole PS3 bd-rom drive using rom-mark stuff is garbage, whoever said the PS3 uses it is pulling the information out of their arse.

  12. Yeah – that’s true for the HV dump analysis. But the thread I linked to deals with analyzing the NAND dumps and that NAND directory structure @ 0xe3000 I mentioned before.

  13. Guys can you tell me who taught you to know all those things about computers. Me personnally always wanted to know how to program computer but never could know where to learn from.I am just amazed how you know all those details about memory address and that its not scares you that ps3 is well secured.phenomenal.

  14. Shut-up dude.. it look pretty cool because they understand what they are talking about between them but this exploit doesn’t do anything special!

    It doesn’t bring anything new since the goal of the hack should be to use the Ps3 for other usage then playing game (since it is a gaming console) but nothing is done yet.. We cannot use it as a worstation, cannot use all the core power in Linux and of course cannot play game bypassing the security.

    So I don’t know what they are going to do with this “exploit” but all we know is about read and write access on the hypervisor. At least if it was possible to run a homebrew or something.. nothing yet.

  15. Guys,

    I think it’s great that you’re doing all this work, but being a complete noob to linux I’m not sure what it all means. I bought my PS3 when they first came out. One of the selling points (for me) was the fact that you could use it as a linux based computer as well. I installed yellow dog about 3 months after getting the PS3 and TBH, haven’t done anything since. I do want to learn how to use Linux (eventually), but don’t want to buy another laptop to do it. I’m totally hacked off with Sony for removing this function.
    I’ve never used Torrents, downloaded pirated movies, illegally downloaded any music and I’ve never played a hacked game in my life! I’ve had PS1.PS2 and PS3 and have always appreciated the \backward compatibility\ that has been a feature of Playstation as long as I can remember. I don’t wan’t to get involved in hardware hacks and am not interested in piracy or copyright theft, all I want is my other OS back! Currently I’m sat here on Vers. 3.15 waiting for the PUP file that will give me my Other OS but update the rest of the software. (Apparently the noisy fan will go a lot quieter after the update). In an aside, COD4, Modern warfare tried to update last night but failed to install(something to do with not being the right version OS?perhaps) Now I can’t play the game at all. Not even logging in as another user.
    George Hotz said that he’d be releasing a PUP file that would let you keep your Other OS function, but I think he’s been \nobbled\ by Sony not to release it. Is a suitably edited PUP file on the cards at all? Or am I to spend my life with my PS3 guts all over the floor, flashing the hypervisor every time I turn the machine off and rewriting code for every update Sony releases?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>