XorHack v2.0: The Updated PS3 Exploit Toolkit

After using the XorHack for a while I realised it was missing some things so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Also some new ioctls were added to provide additional useful functions for your userland code. Lastly new userland applications were added which now give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place. This should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting. These are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer setup.

Kernel Module Changes

In the middle level I added interfacing support to the nine new syscalls as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address since previously it wasn’t saving the link register, which is not good.. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally the on outermost levelĀ  I added support for calling the new syscalls to read and write 8, 16, 32, or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will access it in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, io-remapping of addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send it to me to include in the next version of XorHack.

Sample Application Changes

As well as the above additions and changes to userland code I have added three new command line applications; ps3peek, ps3poke and ps3exec which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple amounts of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or be printed as binary data and redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0×10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires 8 times less syscalls to get the same amount of information as if we used the default 8bit access.

ps3peek 0 -s 0×1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0×20000044024 -d 4

Loading metldr..

Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

918 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit

  1. @rooksi

    The key is encrypted and he said he got it through brute force in less than 30 minutes. It would take several life times to accomplish this with brute force alone. Sorry, he’s full of shit.

  2. @graf:
    I couldn’t figure out a automatic way to do the EA/VA/RA translation in IDA and make IDA create proper RTOC reference in the process 6 code. so I made a trick. I extract the process 6 code to binary files per the protectionpage list, then I create new segments in IDA and load those binary files back, with the address set to the EA the code use, ie, the code section is loaded to segment based from 0×80000000, and the data section is loaded to segment based from 0xc0000000. then I apply xorloser’s fix_rtoc_usage routing, with the rtoc I found (0xc00145e8), to code segment. and finally I got the code and data cross referenced. and it’s now very easy to see the code with reference to those interesting strings and the encrypted master key. and finally I am getting to have fun. :)

    My question is:
    1. is there any other ways to create proper cross references between code and data in IDA per these discontinuous address pages? together with the RTOC usage fix?
    I couldn’t imagine how you did your REs without this kind of trick.

    2. for the OPD of process 6, I used a brute force method to locate it (that includes using of my eyes, my fingers, and my brain with headache), that’s not a clever way. Is there any known good method to locate the OPD entries?

  3. @lanzl, Yes. The all hypervisor dumps have the master key.

    But what we want is a hypervisor dump with the decrypted master key. After PSGrade has been run on that PS3, the hypervisor dump will have the decrypted master key.

  4. @Jack Chen

    Congrats :-) I respect people who are trying to learn something by themself. Good work :-)

    I also extracted all segments from HV dump and imported them at right addresses into IDA.

    The RTOC can be found very easily in code :-)
    E.g. Process 6, look at this snippet of code, RTOC is loaded here :-)

    ROM:8000002C start:
    ROM:8000002C lis %rtoc, 0
    ROM:80000030 mr %rtoc, %rtoc
    ROM:80000034 rldicr %rtoc, %rtoc, 32,31
    ROM:80000038 oris %rtoc, %rtoc, -0×4000
    ROM:8000003C ori %rtoc, %rtoc, 0x26E8 # 0xC00026E8
    ROM:80000040 ld %rtoc, 8(%rtoc)
    ROM:80000044 subf %sp, %r3, %sp
    ROM:80000048 ld %r3, 0(%sp)
    ROM:8000004C ld %r4, -8(%sp)
    ROM:80000050 ld %r5, -0×10(%sp)
    ROM:80000054 ld %r6, -0×18(%sp)
    ROM:80000058 ld %r7, -0×20(%sp)
    ROM:8000005C addi %sp, %sp, -0×30
    ROM:80000060 li %r0, 0
    ROM:80000064 std %r0, 0(%sp)
    ROM:80000068 stdu %r0, -0×70(%sp)
    ROM:8000006C bl main

  5. @Jack Chen

    I don’t know if you know it or not but you can set RTOC in IDA and IDA calculates all the references automatically for you :-)

  6. Holy shit, guys, please stop flooding this blog, i don’t think xorloser appreciates this :-) He said he doesn’t mind technical conversasions :-)
    And if someone has USB Dongle Master Key then just make it public, i don’t mind, maybe then people will stop asking me questions about it :-)

    What i don’t understand giuys, why do you need to downgrade your PS3, you won’t be able to play new games with it, and from your posts i understand that is what most of you want to do :-) I need it only to make research, to gain more knowledge about HV :-) So why do you want to downgrade your PS3 so bad ?

  7. @graf_chokolo

    We want to downgrade the ps3 so bad because currently, that’s the only firmware where we can jailbreak. Yes, there are compatibility issues but I believe those are being worked on via payloads and such. Also, there are also the homebrew apps which include awesome emulators ^^

  8. Because people have PS3s on 3.42 or 3.50 and want to be able to jailbreak, which as you well know, is for more than just playing games. It’s for homebrew, Linux, and helping to do research like you’re doing.

  9. you are a dickhead !!!!!
    e3 card reader now has at least allowed to downgrade free for a few euro,
    and what do you do? keep talking about the master key? 3:50?
    graf … but go fuck !!!!!!!!!!!!!!!!!!!
    not worth anything, you know just talk nonsense, blah blah blah, but you never do shit.
    you’re a hacker failed shit !!!!!!!!!!!!!

  10. Alright guys, I’ve waited long enough, I’m uploading my findings, as well as hex files. I’m having trouble getting git to work the way I want it to for the code, but it won’t take me too long to figure this out. You guys have been really positive, and your loyalty will be rewarded very soon!

  11. @Estx congrats if you actually found it. Do yourself a favor and stop reading anything on the internet until you release it. You will only find bashing from non believers. It’s what they do, trolls they are. They did the same when JB was discovered, and stopped after the correct proof.

  12. I’m not.

    @Bob: I didn’t use brute from 0 to FF^20. From the dumps I had made full of 20 byte arrays terminated by 0×0 I generated little more than 8,100,000 byte arrays of 20 bytes.

    That LIST was then transcended via the loop and located the correct key.

    Forget trying to bruteforce 255^20.. I would die before a key was found.

    See you guys tomorrow. – I hope graf proceeds further.

  13. graf_chokolo,

    The primary reason for downgrade would be to jailbreak new PS3 consoles shipped with firmware v3.42 or v3.50, and for those who upgraded by mistake.

  14. or those who upgraded before know about jailbreak like me :’( (30 minutes before precisely :’( )

  15. @raptor21000

    I’m among that group of people. I remember I was browsing some forums and saw rips of PS3 games and thought “pfft, morons. Why upload a game that can’t be played?”. I realized I was the moron LOL

  16. I would have said something, but watching people cry was worth it

    here’s the key

    68 65 79 20 79 6f 75 20 6c 69 74 74 6c 65 20 63 6f 63 6b 73 75 63 6b 65 72 73 2e 0d 0a 73 74 6f 70 20 66 75 63 6b 69 6e 67 20 63 72 79 69 6e 67 20 61 6e 64 20 61 6e 64 20 74 61 6b 65 20 79 6f 75 72 20 64 69 63 6b 20 6f 75 74 20 66 72 6f 6d 20 62 65 74 77 65 65 6e 20 79 6f 75 72 20 6c 65 67 73 2e 0d 0a 74 75 63 6b 69 6e 67 20 79 6f 75 72 20 66 75 63 6b 65 72 20 61 6e 64 20 63 72 79 69 6e 67 20 64 6f 65 73 6e 27 74 20 6d 61 6b 65 20 74 68 69 73 20 70 61 72 74 20 6f 66 20 68 69 73 74 6f 72 79 20 6c 6f 6f 6b 20 67 6f 6f 64 2e 0d 0a 0d 0a 4d 61 73 74 65 72 2e 4b 65 79 0d 0a 0d 0a 41 35 42 32 30 41 39 38 45 33 34 44 31 32 30 43 33 45 44 37 41 31 36 35 33 38 37 31 32 45 43 45 30 41 39 33 43 38 36 31 46 32 46 46 30 39 37 33 36 31 41 45 46 30 32 38 37 33 43 31 35 30 34 33 32 32 33 32 38 33 34 37 32 39 33 38

    CHKSM

    MD2: 4024b793977351b99c5f34b652ea814e
    MD4: 23fff219f2763bc4a0a96a70cf66830b
    MD5: 0fc07387619a56079f3b43310774807d
    CRC 8, ccitt, 16, 32 :

    CRYPT (form: $ MD5? $ SALT $ CRYPT):
    $1$/WFjFOl0$PrJDWIBACC0QVOPM7/fVd0
    (form: SALT[2] CRYPT[11]):
    psME/LI/XuqIw

    SHA1: 7281ee9342066f13cf9b3b08f206ab70054d0820
    RIPEMD-160:
    ee5c7e333fc1e57041b5ccedc7ab1bfc878fb4f7

    btw
    49 20 41 4d 20 41 20 46 55 43 4b 49 4e 47 20 54 52 4f 4c 4c 20 4c 4f 4c 0d 0a 41 4e 44 20 59 4f 55 20 4a 55 53 54 20 53 55 43 4b

  17. We don’t need downgrade, we need PSJ on new FW, is it true. Why old FW when i don’t need otherOS?????

  18. @Estx

    well i’m not that keen on the masterkey, but i’m interested in how you dumped the hv :)
    did you dump the hv on 3.15 linux?
    did you patch “denied by policy” in hv?
    or did you use the exploit without running linux?

  19. The downgrader will enable custom firmware in the near future, some time soon. :) as we can write to flash now, thats what the downgrader does.. it writes to flash :D

  20. I know you are impatient to get this USB Dongle Master Key but without my devboard i cannot do much, there are so many guys out there who has already everything to dump USB Dongle Master Key, i gave you the knowledge how to do it so use it :-) Your brain can be a powerful tool guys :-)

  21. @Jack Chen

    Hey, Jack don’t hesitate to ask me any questions about HV :-) I see you are very interested in HV reversing and also capable i think :-) I will gladly help you if i can.

  22. i hope this is true and not a fake story …like others have been on psx-scene , if this is correct why dont you release it so other members can flash there ps3 back to 3.40 , theres lots of sticks out there sayin they can downgrade to 3.40 i dont see any point wasting cash untill some one hacks it and release it for free ..ok i know theres a few games that need 3.50 firmware but am sure there will be a patch to sort this problem out so many members can enjoy new release games – so what are you waiting for …release it !!! untill then good luck with your work !!!

  23. Usually I am too lazy to post a comment, but in this case, I’d just like to say that graf_chokolo is one of the few that are acting so correct and in the best way for the ps3 scene! Without claiming of being a god or to say “hey, I can do it, but wait, won’t tell you yet because blahblahblah”. He always shared everything, in a clear way an helping out everyone. My Congratulations for your hard work and for all the support/hopes/idea and presence around the ps3 world, graf! ;)

  24. I think downgrading is a step backward rather than forward. Not that I don’t appreciate the devs work, no, I love it, really.

    But what we should actually work on is a CFW or compatibility to newer games or impressive payloads..

    Anyways, keep up the good work, guys!

  25. All those 0×20, really suspicious whitespace ;)
    Is the key inside the “key” worth anything?
    38 bytes long, i thought of 25/22 bytes?

  26. hmm ETSX posted the master key (which I doubt is the master key) but ESTX is the original finder so is someone spoofing his name in an attempt to get the crowd roaring? Drop these values above into a hex editor and it basically translates to “I love a big penis” :)

    “68 65 79 20 79 6f 75 20 6c 69 74 74 6c 65 20 63 6f 63 6b 73 75 63 6b 65 72 73 2e 0d 0a 73 74 6f 70 20 66 75 63 6b 69 6e 67 20 63 72 79 69 6e 67 20 61 6e 64 20 61 6e 64 20 74 61 6b 65 20 79 6f 75 72 20 64 69 63 6b 20 6f 75 74 20 66 72 6f 6d 20 62 65 74 77 65 65 6e 20 79 6f 75 72 20 6c 65 67 73 2e 0d 0a 74 75 63 6b 69 6e 67 20 79 6f 75 72 20 66 75 63 6b 65 72 20 61 6e 64 20 63 72 79 69 6e 67 20 64 6f 65 73 6e 27 74 20 6d 61 6b 65 20 74 68 69 73 20 70 61 72 74 20 6f 66 20 68 69 73 74 6f 72 79 20 6c 6f 6f 6b 20 67 6f 6f 64 2e 0d 0a 0d 0a 4d 61 73 74 65 72 2e 4b 65 79 0d 0a 0d 0a 41 35 42 32 30 41 39 38 45 33 34 44 31 32 30 43 33 45 44 37 41 31 36 35 33 38 37 31 32 45 43 45 30 41 39 33 43 38 36 31 46 32 46 46 30 39 37 33 36 31 41 45 46 30 32 38 37 33 43 31 35 30 34 33 32 32 33 32 38 33 34 37 32 39 33 38 “

  27. E[b]ts[/b]x =/= E[b]st[/b]x

    People, [b]don’t[/b] bother posting this all over forums! It’s nonsense!

    We gotta wait for Estx / Graf / Hansi to decide if they’ll release it..

  28. i see ps3key now has a downgrader incoming as well….Seems to me like this “master key” has been known for a while…Instead of collecting the bounty by ps3-hacks they figure they would make more money selling it to the “ps3 jailbreak clones” selfish YES but also genius… so now that these clones are popping up with downgraders why not just release the damn thing already! (I must admit I already jumped on the E3 Band wagon last night but still would be nice to see the open source psgrade released and working) I also read that if E3 Sells as much as they expect that they will ask you Graf to work for them???

  29. Hex to Char

    stop fucking crying and and take your dick out from between your legs.
    tucking your fucker and crying doesn’t make this part of history look good.

    Master.Key

    A5B20A98E34D120C3ED7A16538712ECE0A93C861F2FF097361AEF02873C15043223283472938

  30. I happen to have a ps3 that was interrupted during a firmware update (kids running around and unplugged cord in the middle of update) essentially leaving me with a paper weight. I bought another ps3 but still have the brick, i’m hoping the master key will help me get my fat ps3 paper weight up and running once more!! thanks to all who have given so much of their time to the ps3 scene!!

  31. hey you little cocksuckers.
    stop fucking crying and and take your dick out from between your legs.
    tucking your fucker and crying doesn’t make this part of history look good.

    Master.Key

    A5B20A98E34D120C3ED7A16538712ECE0A93C861F2FF097361AEF02873C15043223283472938

  32. Haha. Nice master key. Junior is right… Just google ASCII hex translator and paste his “master key” in it. What a tool

  33. Used the provided encypted master key from Etsx with PSGrade. With some minor modfix works like a charm. Don’t want to make a mess here – for interested, downgrade log & more info: http://bit.ly/yWbFi

  34. There are downgrading solutions under $20 already, and it’s also a normal jailbreak solution. X3max has announce a 3.50 JAILBREAK and Downgrader. That means you get 3.50 with jailbreak on psn, playing GT5. =) I myself am more interested in a custom firmware. Has anyone around here tinkered around with the Service Mode? If we can find a way to get it to load a modified PUP (With hacks allowing dev options). I know that the PUP files are encrypted and if even 1 byte changes it is INVALID, but maybe in service mode there are things we haven’t heard of. This might be a stupid question, but since I don’t have a downgrader, is it possible to get into Dev-Service Mode? There has to be some development method hidden that Sony uses to test to ensure a firmware is stable on a retail unit…I wish I had a downgrade dongle to help contribute to the scene the best I can, but bills are killing me right now. I HATE WINTER!

  35. Guys all these downgrade tools and other commercial hacks are nice but only temporary. Sony will be quick to release a 3.51 then a 3.52

    It’s Graf’s HV reversing work that will futureproof and really move the scene forward. When all of the secrets of the HV are unlocked, we will have full control of the machine no-matter what Sony throws at its security measures. Similar to the Xbox Jtag Hack.

    Please keep it technical, and leave all of the complaints and haters to the other forums. Let graf do his thing and collaborate with other likeminded individuals. Graf shares all of his findings, so no need to push or ask when it will be avail, it will be avail as progress is made.

    Thanks for all of your work Graf, it’s been very interestering reads and I wish you all the best on your new hobby. don’t let the kids make it less fun for you.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>