XorHack: The PS3 Exploit Toolkit

I finally found the time to complete the PS3 exploit toolkit software I mentioned to in my previous posts. I call it XorHack. It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

  • ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
  • dumphv – Dumps the hypervisor to a file in the current directory.
  • dumpbl – Dumps the bootloader to a file in the current directory.
  • dumprom – Dumps the system  rom to a file in the current directory.

The XorHack package contains full sourcecode for everything including a rewrite of geohot’s exploit sourcecode to make it easier to read and understand (the new file is kmod/exploit.c). The rewrite doesn’t just fix the compilation warnings, it attempts to replace all “magic” values with the algorithms and reasoning as well as tidying up the code and commenting it all. I also added another syscall #21 to allow executing of code in hypvervisor context. Due to the associated complexities it is not available from usermode, it is for advanced users to make use of in kernel space. Some small changes were also made to the timing and the text that gets printed onscreen to make the exploit easier and hopefully more stable to use. I recommend XorHack when both looking into how the exploit works and when actually triggering the exploit.

XorHack is made up of three parts. The kernel module, the userspace library file, and lastly the userspace programs themselves. To build all three parts you need to first extract the contents of the XorHack zip file to a directory on your PS3 harddrive. Next you need to navigate on the command line to the directory you extracted the files to. You should be either logged in as root or running as root thanks to the “su” command. Now type “make” to build all parts of XorHack. Then once that completes type “make install” to install all parts of XorHack. If you wish to you can type “make uninstall” in this same directory to remove all of XorHack from your system. When you install XorHack on your system it will always be ready for use, even after rebooting it will be automatically reloaded and ready for use.

To use XorHack to perform the exploit on your PS3 first install it as per the directions above. You then need to switch to a console only mode (no GUI). This is required because it is the only way you can see the printed messages from the kernel module to know when to press the button. Once exploited all other programs can be run normally from a terminal window in GUI mode. To switch to console mode press Ctrl+Alt+F1 on your keyboard. To switch back to the GUI mode press Ctrl+Alt+F7. When you enter console mode you will be greeted with a login screen. Now login with your normal user account and password and type “ps3exploit 100″. This will start the exploit looping 100 times in which you need to successfully glitch the console by pressing the button on your glitch hardware. The idea is the perform the glitch when nothing else is occuring on your PS3. Therefore some things you may want to try when exploiting to help your chances are:

  • Only press the button once per loop.
  • Try to press the button around the middle of the pause between two concurrent prints of the “press button” message.
  • Don’t start pressing the button till after the 10th “press button” message (by this time the system should done loading and preparing the newly running code, so less likely to interfere with processes that occur during these stages)
  • Run the ps3exploit software after initially booting up the PS3 and switching to the console login without first logging into the GUI mode.
  • After booting the PS3 and switching to the console mode straight away, log in and then wait about a minute before running ps3exploit so that any processes that may occur upon login/startup have completed.
  • Don’t use any services that will cause more processes to be running until the exploit is completed. This includes things like accessing your PS3 over samba.
  • Once you have successfully exploited, stay in console mode as there is less chance of instabilities causing havoc and crashing your PS3.

The PS3 Exploit Game!

Once you can run the exploit it’s time to turn it into a game. Think of it as a cross between getting the turbo boost at the start of a Mario Kart race and Dance Dance Revolution with a finger pad. The aim of the game is to exploit your PS3 as quickly as possible without it crashing. Below is my highscore table picture showing my highscore of THREE!

39 thoughts on “XorHack: The PS3 Exploit Toolkit

  1. many many thanks XorLoser!
    you are doing great job for community!
    wish i could contribute but im too amateur with this stuff
    kudos

  2. Fantastic job. Thank you for sharing. I’ll try it out once I find a way to install my micro controller without putting my my PS3 into infinite re-boot loop…

  3. Pingback: ISO Loader [Raccolta Rumors] - Pagina 172 - PS3 World

  4. excellent stuff, and thanks so much for making that code not burn people’s eyes anymore :}

  5. Has anyone tried controlling the pulse by software yet? Perhaps by pulsing the power light line or something insignificant like that…?

  6. Awesome – thanks a bunch!

    I guess I’ll head over to eBay to find myself a cheap PS3 with a broken BD-ROM to hack away on :)

    BTW – you don’t happen to have a Jabber account, do you?

  7. Pingback: PS3: XorHack: The PS3 Exploit Toolkit - ModControl.Com - GermanysNr1MultiConsoleSceneSource

  8. Well done xorloser !!!

    It is a new big step with very usefull libraries like possibility to execute code into hv from user space and also good libraries to manipulate SLB & HTAB easily …
    (But missing example to use exec syscall code, IIRC it requires to convert the addr of code in user mode memory(EA) to real addr(also called physical addr) seen bypervisor before to use this function and give as argument in r3 64bit ptr of function code to execute and just return with blr).

    Best Regards

    TitanMKD

  9. Congratulations, xorloser. Great job!

    Is there any step-by-step tutorial for this exploit? I’d very much like to help with software analysis, but hardware manipulation is my weak point.

  10. Thanks,

    I had problems understanding all the memory mappings in the dump, it all starts to make sense now.

    tridentsx

  11. Hello xorloser,
    it could be a good idea to set the ps3 to “single user no gui mode” via “telinit 1″. Afaik this will reduce the number of running processes on a system.

  12. Hi xorloser,great work ;) my english is bad sorry

    I have a dude,when u coment it…

    “dumprom – Dumps the system rom to a file in the current directory”

    Tell u the nandflash os partition(core_os store) or full dump how infectus?

    I study the eeprom(syscon) for replace the boot and using the arm for writing using dma channel for replace on fly the privilege zone for use calls lvl1 on lpar_ps3 at unix code(dont lv2 kernel).

    thx and 1saludo

  13. P: I did build my own PS3 today out of bread, then I hacked that shit, now its toast.

    DemonHades: the systemrom is just the small section that the ps3 refers to as the sys.rom, it is not the full flash dump. also i think the arm thing you are looking at is just the wifi firmware. is it from the eurus file?

  14. keep the good work , i hope you be all the ps3 owners hero by isoloading or backed up games or any how , release us , if that cost us the online so be it .

  15. i ve been seing this Xor Hack everywhere, but no one does mention the most important information: what the purpose of this, like your first comment says, what does it do?

    Is it finally THE hack that we ve been all waiting for to play backups on PS3, or is it another type of hack? Thanls for clarifying, i m sure i m not the only one wondering.

  16. thx xorloser,i know the Os zone into nandflash store the core_os,and arm is the bios ps3 named”CXR713120″,i have a study how work and active flags init boot.

    Factory mode,Restore Resolutions and Recovery mode for example.

    The cxr(mullion) is know how SYSCON,and using channel dma for comunicate just whith the CBE,and yellogstone”XDR”.

    I Study replace code into syscon for when boot at lpar_ps3 write new calls lv1 into privilege zone ram,syscon have generator pulse for attack it point…and later using calls news and little shell for run code(using ppu and spu free),dont using the real kernel(need code sony)The real kernel is limited and need sign sony.

    You are welcome to my forum investigation at spain ;)

  17. nice work.. we still need to do the hard hack to use this?? so , do you think that we can do it via software?? or never gone be ?? and last , do you think this is the only atack way , or could exist anothers ways??
    cheers and thank for your time!!!

  18. Pingback: Le Toolkit de xorloser

  19. Strange behavior of your exploit on my CECHG v2.6.0.
    It dump always the same 0x0002e900 bytes of code, no matter the addresses I code to dump.
    Geohot’s exploit works well.
    I’ll explore the problem.
    Anyone with the some problem (maybe other version) ?

  20. Pingback: Console-Spot » Blog Archive » Playstation 3 Exploit Toolkit

  21. Hi Xorloser,
    Please che this comment from Skywalker of Hitmen,

    hey geohot, metldr is running, and from its size and the ELF section layout of the other loaders i would now assume metldr loads those below its own mem in LS instead of replacing it, thus keeping metldr alive while crossloading different loaders during session, what do you think about this
    Thx

  22. Pingback: [PS3] XorLoser Releases PS3 Exploit Toolkit

  23. I totally get it! Lol, I’ve barely been doing this shit a week but you guys explain it so well, and let’s face it…game machines are just simple computers, and I’m good with computers.

    Oh, Gods of the internet…why can’t someone create a firmware that’s able too start and carry out the “exploit looping 100 process” automatically everytime the system is started after the expolit and boot loader have been installed?”

    Nice work man, you are at the top of the game for sure.

  24. Interesting stuff. I did have one question, every time I want to play a PS3 game I’ll have to run the exploit (100 button presses?)! ? Is there not a way to have the system automatically pulse the board using the controller ?

    I’d be interested to know if this is possible, seems like the next logical step, and for a programmer it seems like that would be a cinch to add …..

    Why has no one done it yet !?

    Thanks, great work (fuck the haters!)

  25. I looked at your kernel module and something i don’t understand.
    Why is HTAB mapped to address 0xD000080080000000 ?

  26. Pingback: PS3 News

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>