XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64-bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers from the previous exploit code in order to group them all together rather than scattering them all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting it, installed as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64-bit peek and 64-bit poke, but these syscalls are no longer set up.

Kernel Module Changes

In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn't saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64-bit kernel from 32-bit userland code: when you send the ioctl from your userland code there is a hidden function (the kernel's 32-bit compatibility layer) that attempts to "make it compatible" before passing it on to the kernel, and this was transparently causing some ioctls to never reach my kernel code. Things like this are why I hate linux hehe. It looked like fixing this properly was going to require a rebuild of sections of the kernel, so instead I brute-forced all ioctl numbers until I found a nice bunch that made it through ok and settled for using those instead. These ioctls are sent on a handle to the XorHack device, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things: if the address being accessed is aligned it is accessed in a single syscall of the specified size; if it is unaligned, the library either uses multiple syscalls or a single syscall of a larger access size. I also added functions to easily check whether the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
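To make the unaligned-access strategy above concrete, here is an added example (not code from XorHack itself) that models the user library's decision: one syscall when the address is aligned, one wider 64-bit syscall when the bytes fit inside a single aligned word, and several smaller aligned syscalls when they straddle a word boundary. The raw_peek() function, the 64-byte mock memory and the byte values in it are constructed stand-ins; the real toolkit would issue the hypervisor-added syscalls instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a small window of big-endian PS3 memory. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];
static int syscall_count;   /* raw peeks issued by the last xh_read() */

/* Fill the mock memory with predictable bytes: mem[i] == i. */
void xh_init(void)
{
    for (int i = 0; i < MEM_SIZE; i++) mem[i] = (uint8_t)i;
}

int xh_syscalls(void) { return syscall_count; }

/* Hypothetical stand-in for one raw 8/16/32/64-bit peek syscall:
 * `addr` must be aligned to `size` (1, 2, 4 or 8); the bytes are
 * returned as a big-endian integer, as the PPC core would load them. */
static uint64_t raw_peek(uint64_t addr, unsigned size)
{
    uint64_t v = 0;
    syscall_count++;
    for (unsigned i = 0; i < size; i++)
        v = (v << 8) | mem[addr + i];
    return v;
}

/* Read `size` bytes (1, 2, 4 or 8) at any address, aligned or not. */
uint64_t xh_read(uint64_t addr, unsigned size)
{
    syscall_count = 0;
    if (addr % size == 0)                 /* aligned: one syscall of that size */
        return raw_peek(addr, size);

    uint64_t base = addr & ~(uint64_t)7;  /* enclosing aligned 64-bit word */
    if (addr + size <= base + 8) {
        /* fits in one word: single wider syscall, then extract the bytes */
        uint64_t word = raw_peek(base, 8);
        unsigned drop = (unsigned)(base + 8 - (addr + size)); /* trailing bytes */
        uint64_t mask = (1ULL << (8 * size)) - 1;             /* size < 8 here */
        return (word >> (8 * drop)) & mask;
    }

    /* straddles a word boundary: largest aligned piece that still fits, repeatedly */
    uint64_t v = 0;
    unsigned remaining = size;
    while (remaining) {
        unsigned chunk = 8;
        while (chunk > 1 && (addr % chunk != 0 || chunk > remaining)) chunk /= 2;
        v = (v << (8 * chunk)) | raw_peek(addr, chunk);
        addr += chunk;
        remaining -= chunk;
    }
    return v;
}

int main(void)
{
    xh_init();
    uint64_t v = xh_read(1, 8);   /* unaligned 64-bit read spanning a word boundary */
    printf("value 0x%016llx via %d syscalls\n", (unsigned long long)v, xh_syscalls());
    return 0;
}
```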

Sample Application Changes

As well as the above additions and changes to the userland code I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8-bit, 16-bit, 32-bit and 64-bit data accesses and can access multiple units of the chosen size in one call. The ps3peek tool can print data to screen as hex values and ASCII characters, similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64 bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64-bit access is used since it requires one eighth as many syscalls to get the same amount of information as the default 8-bit access would.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr

Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. This way many tasks can be scripted, such as setting the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

109 Responses to “XorHack v2.0: The Updated PS3 Exploit Toolkit”

  2. Kikeadsl says:

    “Hello Geohot” from geo's blogspot…!!!
    Greetings

  3. Bhaal says:

    Thanks for your job Xorloser ;)

    If french people read this, i translated this article into french here ( http://www.ps3-addict.fr/forum/xorhack-2-0-le-toolkit-ps3-exploit-mis-a-jour-t244.html )

    see you

  4. The adventure deepens :)
    I look forward to the next installment.

  5. Glen20 says:

    Top Job XorLoser
    Its always exciting to see when you have updated your web site!!
    Keep up Awesomous to the Maximous Work.

  7. stan says:

    Is there any way to use it without the pulser?

  8. demetris says:

    Hello,
    With this hack, how do I install Ubuntu and take full control of the nvidia gfx card?
    I need to make my PS3 into an HTPC (htps3, lol)
    And will it be able to play mkv's with subs?
    Thanks in advance

  9. xorloser says:

    This hack enables you to write your own hacks based on it, so to do all that stuff you need to work it out for yourself.

  10. AzagraMac says:

    root@playstation3:/home/jose/ps3share/xorhack# ls
    apps common kmod Makefile user
    root@playstation3:/home/jose/ps3share/xorhack# make
    make -e PWD=/home/jose/ps3share/xorhack/kmod -C kmod
    make[1]: se ingresa al directorio `/home/jose/ps3share/xorhack/kmod’
    make -C /lib/modules/2.6.31-19-powerpc64-smp/build M=/home/jose/ps3share/xorhack/kmod modules
    make[2]: se ingresa al directorio `/usr/src/linux-headers-2.6.31-19-powerpc64-smp’
    CC [M] /home/jose/ps3share/xorhack/kmod/xorhack_kmod.o
    CC [M] /home/jose/ps3share/xorhack/kmod/exploit.o
    /home/jose/ps3share/xorhack/kmod/exploit.c: In function ‘exploit_first_stage’:
    /home/jose/ps3share/xorhack/kmod/exploit.c:288: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 3 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:288: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 4 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:293: warning: comparison of distinct pointer types lacks a cast
    /home/jose/ps3share/xorhack/kmod/exploit.c:318: warning: comparison of distinct pointer types lacks a cast
    /home/jose/ps3share/xorhack/kmod/exploit.c:339: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 2 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:339: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 3 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c: In function ‘copy_htab_to_new_vas’:
    /home/jose/ps3share/xorhack/kmod/exploit.c:456: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 2 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:456: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 3 has type ‘long long unsigned int’
    /home/jose/ps3share/xorhack/kmod/exploit.c:463: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 2 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:463: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 3 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:463: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 4 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:463: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 5 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c: In function ‘exploit_second_stage’:
    /home/jose/ps3share/xorhack/kmod/exploit.c:541: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 2 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:541: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 3 has type ‘long long unsigned int’
    /home/jose/ps3share/xorhack/kmod/exploit.c:547: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 2 has type ‘u64’
    /home/jose/ps3share/xorhack/kmod/exploit.c:547: warning: format ‘%016lx’ expects type ‘long unsigned int’, but argument 3 has type ‘long long unsigned int’
    /home/jose/ps3share/xorhack/kmod/exploit.c:589: warning: comparison of distinct pointer types lacks a cast
    /home/jose/ps3share/xorhack/kmod/exploit.c:599: warning: comparison of distinct pointer types lacks a cast
    /home/jose/ps3share/xorhack/kmod/exploit.c: In function ‘install_hypercalls’:
    /home/jose/ps3share/xorhack/kmod/exploit.c:684: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 2 has type ‘u64’
    CC [M] /home/jose/ps3share/xorhack/kmod/PS3SLB.o
    CC [M] /home/jose/ps3share/xorhack/kmod/PS3HTAB.o
    LD [M] /home/jose/ps3share/xorhack/kmod/xorhack.o
    Building modules, stage 2.
    MODPOST 1 modules
    WARNING: “.irq_to_desc” [/home/jose/ps3share/xorhack/kmod/xorhack.ko] undefined!
    CC /home/jose/ps3share/xorhack/kmod/xorhack.mod.o
    LD [M] /home/jose/ps3share/xorhack/kmod/xorhack.ko
    make[2]: se sale del directorio `/usr/src/linux-headers-2.6.31-19-powerpc64-smp’
    make[1]: se sale del directorio `/home/jose/ps3share/xorhack/kmod’
    make -C user
    make[1]: se ingresa al directorio `/home/jose/ps3share/xorhack/user’
    gcc -c xorhack.c -o xorhack.o
    ar rcs libxorhack.a xorhack.o
    cp xorhack.h /usr/include/xorhack.h
    cp xorhack_sc.h /usr/include/xorhack_sc.h
    cp libxorhack.a /usr/lib/libxorhack.a
    make[1]: se sale del directorio `/home/jose/ps3share/xorhack/user’
    make -C apps
    make[1]: se ingresa al directorio `/home/jose/ps3share/xorhack/apps’
    gcc dumpbl.c -o dumpbl -lxorhack
    gcc dumphv.c -o dumphv -lxorhack
    gcc dumprom.c -o dumprom -lxorhack
    gcc ps3exec.c -o ps3exec -lxorhack
    gcc ps3exploit.c -o ps3exploit -lxorhack
    gcc ps3peek.c -o ps3peek -lxorhack
    gcc ps3poke.c -o ps3poke -lxorhack
    make[1]: se sale del directorio `/home/jose/ps3share/xorhack/apps’
    root@playstation3:/home/jose/ps3share/xorhack# make install
    make -C kmod install
    make[1]: se ingresa al directorio `/home/jose/ps3share/xorhack/kmod’
    # install kernel module
    chmod a+rwx ./xorhack.sh
    install -m 644 xorhack.ko /lib/modules/2.6.31-19-powerpc64-smp/kernel/drivers/xorhack.ko
    /sbin/depmod -a
    # load kernel module and start device at boot time
    install -m 755 xorhack.sh /etc/init.d/xorhack.sh
    update-rc.d -f xorhack.sh defaults
    System start/stop links for /etc/init.d/xorhack.sh already exist.
    # start now
    ./xorhack.sh start
    FATAL: Error inserting xorhack (/lib/modules/2.6.31-19-powerpc64-smp/kernel/drivers/xorhack.ko): Unknown symbol in module, or unknown parameter (see dmesg)
    mknod: «/dev/xorhack»: El archivo ya existe
    make[1]: se sale del directorio `/home/jose/ps3share/xorhack/kmod’
    make -C user install
    make[1]: se ingresa al directorio `/home/jose/ps3share/xorhack/user’
    cp xorhack.h /usr/include/xorhack.h
    cp xorhack_sc.h /usr/include/xorhack_sc.h
    cp libxorhack.a /usr/lib/libxorhack.a
    make[1]: se sale del directorio `/home/jose/ps3share/xorhack/user’
    make -C apps install
    make[1]: se ingresa al directorio `/home/jose/ps3share/xorhack/apps’
    install -m 755 dumpbl dumphv dumprom ps3exec ps3exploit ps3peek ps3poke /usr/bin
    make[1]: se sale del directorio `/home/jose/ps3share/xorhack/apps’
    root@playstation3:/home/jose/ps3share/xorhack# uname -a
    Linux playstation3 2.6.31-19-powerpc64-smp #56-Ubuntu SMP Thu Jan 28 02:38:11 UTC 2010 ppc64 GNU/Linux
    root@playstation3:/home/jose/ps3share/xorhack#

  11. Disane says:

    Does anyone know where can I view those syscalls, xorloser is looking for?

    I don’t have linux but they should be documented somewhere…

  12. Disane says:

    lol I think I found them on ps2dev, man I was looking for traditional linux sys calls like wait() and such…

    hehe forgive my idiocy, I shall start working on those syscalls right away…

  13. Disane says:

    Okay I managed to add lv1_write_htab_entry(), what do you think xorloser. I can also write a short doc on the args and return values if needed. So “users” won’t really have to start up their browser just to look them up…

  14. Disane says:

    upps.. here’s the link: http://pastie.org/877239

  15. Disane says:

    managed to get this far. I’ll continue my work implementing all of the hv calls tomorrow:

    http://pastie.org/878027

  16. xorloser says:

    Yup, that's the correct way of doing it Disane.
    And including all info on args in that header file would be good, so that the user doesn't have to look them up elsewhere.

    The idea is that the user can call them exactly the same as the lv1 calls, same args and returned values. They just have to substitute “xorhack_” for “lv1_”, showing that the call is done via xorhack.

  17. chaos_11 says:

    we need more

  18. chaos_11 says:

    i mean we need more man, i'm tired of the very huge price of games,

    i need to play god of war ,

    please man , keep up ,

    and let us hear the good newz soon .

    Thanks

  19. Disane says:

    Hey Xorloser.

    I’m glad you wrote back.

    I have a n00b C language question. I haven't really messed with inline functions before. I know that inline functions usually copy themselves in rather than being called by reference. But how come you pass ‘ret’ by value and the rest of the output arguments by address? I just couldn't understand this part of your code, because as far as I can tell the output values are pointers and ‘ret’ is passed differently to xorhack_syscall().

    It’s not that important but still :P

    Anyway I’m going to add more lv1 calls today and post my work by the end of the day…

  20. TitanMKD says:

    xorloser could you send me your email for direct contact for next step on xorhack 3.0

    Best Regards

    TitanMKD

  21. Disane says:

    well here’s what I managed to complete today:
    http://pastie.org/879151

    There are still more lv1 syscalls out there…

  22. xorloser says:

    AzagraMac: this is why I say to use Ubuntu v8.10, because it will work on it :)

    chaos_11: if you are tired of high game prices maybe you should watch tv, it is free.

    Disane: inline just attempts to insert the function into your code without jumping to a separate function. I use it in this form because they are just calling the syscall function with set args and so are simple enough to just include in a header file like this. inline doesn't have anything to do with how parameters are passed; as far as that is concerned they are passed just like any other function. Also ‘ret’ is not passed by value, it uses the ‘&’ operator to get a pointer to the value and passes that pointer in. Also the undocumented functions do do things, just what they do isn't documented yet.

  23. Disane says:

    Oh man, I understand now. Since ret is declared as u64 and not u64*. pff. It was a long time ago when I worked with C. &ret returns the address of ret. It all makes sense now…
    Since we are passing the rest of the args as pointer to a pointer then we only need to pass their addresses. It all makes sense now.

    I’m not sure about the undocumented lv1 syscalls. Is there some way to find out what they do? Or how many input and output arguments they have and what they mean?

    Ok I shall start implementing the rest of the lv1 syscalls.

  24. Cold-FX says:

    little error on ubuntu 8.10 :
    root@ps3:/home/cold# make
    make -e PWD=/home/cold/kmod -C kmod
    make[1]: Entering directory `/home/cold/kmod’
    make -C /lib/modules/2.6.25-2-powerpc64-smp/build M=/home/cold/kmod modules
    make[2]: Entering directory `/usr/src/linux-headers-2.6.25-2-powerpc64-smp’
    make[2]: Makefile: No such file or directory
    make[2]: *** No rule to make target `Makefile’. Stop.
    make[2]: Leaving directory `/usr/src/linux-headers-2.6.25-2-powerpc64-smp’
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/home/cold/kmod’
    make: *** [all] Error 2

    please help

  25. Cold-FX says:

    It’s strange because on ubuntu 9.10 the make and make install are working…
    but I can’t load the exploit…

    sorry for the bad english

  26. xorloser says:

    Cold-FX: did you follow my post on software setup for the exploit? there is a step that involves the renaming/moving of your kernel headers directory which i think is what you are missing.

  27. Cold-FX says:

    Now, yes x)
    I haven’t see this post.
    Thank You !
    Great work man !

  28. Cold-FX says:

    ok that’s working.
    Now I need the hardware part…
    Cause pushing the button xDDD

    Thanks Xorloser, Simone and others…

  30. Disane says:

    some progress: 1/2 of the lv1 syscalls are done:

    http://pastie.org/883265

    I’ll continue my work and add the rest.

    Do I have to add the ones that are not supported by the current kernel?

  31. Disane says:

    Done 1/2 of the lv1 syscalls. Now I’m off to bed:

    http://pastie.org/883919

    Is this how you wanted to document the lv1 syscalls?
    I’ll continue my work tomorrow…

  32. bebou007 says:

    Hello everyone, sorry I don't speak English. I would like to know if anyone has succeeded with a PIC, and if so which one?

    If not, I would like to know if it would be possible to make me an SX28 that is already programmed and send it to me; I live in France. I would also like to know the price, thanks for the info.

  33. Rez says:

    geohot: you need to work it out for yourself

    xorloser: you need to work it out for yourself

    demonhades: you need to work it out for yourself

    mathieulh: you need to work it out for yourself

    skfu: you need to work it out for yourself

    ps3news: we’re working on it

  34. knightsolidus says:

    Hi xorloser!!! geohot is playing with modifying the flash, but he can end up with a brick. First of all we need hardware to create a backup of the real flash (cxd4302gb chip). I have identified all the test points of that chip; that chip is 2Gbits (256MB), and the samsung ones are 1Gbits (128MB) x 2 chips = 2Gbits (256MB). In the past those chips could be downgraded with the infectus, but now it does not work, because now it runs from the cxd4302gb chip and uses the samsung flash for backup, understand? you can add me on msn for pins…. thanks!!!

  35. xorloser says:

    bebou007: sorry, I do not speak french, but I also cannot provide you with a preprogrammed sx28. I provided the full source code and circuit diagram. If you need more than this then I don't think this project is for you.

    rez: you need to work it out yourself.
    hehe you seriously expect someone to do anything you want? I believe the slave market is that way…

    knightsolidus: yes some way of backing up and restoring flash would be useful. the infectus just seems kind of expensive for what it does tho. seems you could just hook up the wires to any cheap old microcontroller and achieve the same result…

  36. knightsolidus says:

    sorry for my english, I want to say to you, the real flash is the cxd chip on the ps3 and I have identified the test points for reading and programming it, but I don't know any programmer for reading and writing it, understand? I have identified all the points for reading and programming; it has 16 pins for data, 18 pins for address, chip enable 1 and 2, clk, mode select, reset, write enable… understand? sorry for my english

  37. knightsolidus says:

    please delete that post http://xorloser.com/?p=175&cpage=2#comment-1213 thanks!!!

  38. TUHTA says:

    So, knightsolidus

    So I can dump it, but holy SH*T we need to solve 54 wires?

    So I can do it for a test, we just need the hardware part. We need to know which chip we can use for it!?

  39. ragerino says:

    PS3 is losing the Other-OS option with the next firmware update v3.21

    from official Playstation-Blog:
    [... For those PS3 users who are currently using the “Other OS” feature but choose to install the system software update, to avoid data loss they first need to back-up any data stored within the hard drive partition used by the “Other OS,” as they will not be able to access that data following the update. ...]

    read for yourself:
    US -> http://blog.us.playstation.com/2010/03/28/ps3-firmware-v3-21-update/
    EU -> http://blog.eu.playstation.com/2010/03/29/ps3-firmware-3-21-coming-april-1st/

  40. helpman says:

    Sony to remove “OtherOS” option with firmware update 3.21 on April 1st…

    DON’T UPDATE

    http://blog.us.playstation.com/2010/03/28/ps3-firmware-v3-21-update/

  42. peppy says:

    This is terrific, thanks for all the work.

    One bit of the code that is still unclear to me is the htab_ra_from_lpar() function. Can anyone provide an explanation of how this works, and specifically what this 0x0001408F92C94400ULL is all about? I don’t see how this gives you the pa, unless the hypervisor is doing something under the hood?

  43. dondolo says:

    ///////////////

    Para says:
    March 29, 2010 at 1:21 am
    I think this is interesting for all

    http://rapidshare.com/files/369167358/ps3_app_loader.rar.html

    ///////////////

    Please RE-UP

  44. Simon says:

    do not worry about otheros os.
    cfw 3.21 from geohot with “otheros os” enabled is on the way.

  45. Disane says:

    some update on the lv1 calls:

    http://pastie.org/895840

    (some calls are not added i mentioned which ones in the comments)
    Keep up the good work xorloser :)

  46. Disane says:

    some correction this should be able to compile fine:
    http://pastie.org/896183

  47. Pyro says:

    LV2 full dump and simple method for pulse of 40ns. on this site

    http://jaicrab.blogspot.com/
