XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level, some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting; these are added as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer set up.

Kernel Module Changes

At the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn’t saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code. When you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before sending it on to the kernel. This was transparently causing some ioctls to not make it to my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things. If the address being accessed is aligned it will be accessed in a single syscall of the specified size. If the address is unaligned it will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.

Sample Application Changes

As well as the above additions and changes to userland code I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple units of the chosen data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters, similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x10000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires eight times fewer syscalls to get the same amount of information than if we used the default 8bit access.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr

Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. By doing so many tasks can be done, such as setting the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

918 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit”

  1. Hey graf, awesome work on the PS3. Just wanted to ask about the progress on the 3.5 jailbreak. Any idea how the x3 douches did it?

  2. graf_chokolo,

    The logic does seem a bit in reverse, but as a Master at Reversing, maybe that’s just the way you think :) (jk)

    The longer you hold it back, the more money they make because it’s not public.

    Great job by the way, I knew you would do it, but I didn’t think so fast after getting your SX28.

  3. When you say “let PSGrade become more widespread” do you mean as in the knowledge of it to other websites and devs… Anyway a big thank you goes out to you graf, well done for your hard work :D.

    But once grade is compiled with the key, an open source version will become imminent. Also, companies are making money via this hack anyway, so I don’t see what not releasing it does. : (

    Perhaps, unlike most devs, you don’t want the attention of whiners, like some noobs on this site? :D But more importantly Sony.

    Also, besides letting you downgrade, what else can the USB Master Key be used for? *…opens treasure box…. Graf has found the master key…* :D *cue epic music*

  4. In my view, PSGrade is going the wrong way. It is still using a hub, but now just the JIG, a single USB; it can be reprogrammed soon. It still depends on the 20 bytes. For your “more widespread”

  5. Hey graf, I rarely post things, I am just merely an observer, but I would just like to say that you are indeed a master of your craft and have nothing but my applause

  6. my 1st post.

    @Graf…well done.
    @zAxis….”maybe” on that psgrade with the key really made me lose hope.

    BUT…
    you guys really are my second best friend, after my PS3.. :)

    keep up the great work…Thanx

  7. Hm, just had a thought. If the Jig doesn’t require a hub anymore, does that mean that it can finally be ported to the PSP?

  8. What the hell!?!? Why are so many people whining about it? At the end of the day the solution will be FREE – just impatient GREEDY peasants. Let the guys do their work.
    What would you do if they DID release the key and the PSGrade soft just bricked your PS3?
    Tut…

  9. Congratulations Graf! Lots of people were sure you’re going to make it! :D CONGRATS again!

  10. E3 is based on the Ingenic jz4725 MIPS SoC, which I think has no secure boot option, so while the update can be encrypted, the encryption key for the E3 update is in plain code in the E3 bootloader, so everything can be decrypted and pulled from the E3 update.

  11. graf_ if you really HAVE the usb key, you SHOULD right now publish either
    1) MD5 hash of the KEY
    2) partial key

    so others could later know and credit you as the one really having the key at this time when you announced having it.

  12. Hmm, just really angry reading almost all the comments, all those crying 5 year old guys judging others while they did nothing and only think about themselves.
    I hope graf, estx and people who really are working on something useful for others, and especially for free, wouldn’t pay attention to them and will continue on what they started

  13. Hello

    It’s hard that you just released, but I’m afraid with the latest news that JailCrab quit the PS3 scene. I’m not sure, but I think, like with the PSP, Sony have a lot of people come to the scene and make all the devs quit this scene.

    Just thanks.

  14. @graf it would be nice if you would share with other non-profit opensource projects like psgroove/psfreedom, at least not for their release (you can ask them to wait till psgrade as well) but maybe for more developing progress and help from their side (a fresh view from different angles is always good)

  15. Excellent work.
    Don’t release the key graf, allow it to form psGrade, and when a new fw rolls out patching this great find, release it then, as it will be useless for its then-current status.

    again great work, you just made history

  16. Great work friends, 1 problem is…..The key just needs to be added to key.h for the downgrade to work, won’t be hard to get after that! Maybe graf should release it anyway?

  17. @Xorloser

    Your site is wonderful and your work is fantastic! (like you didn’t know) Thank you.

    @Graf

    Is there any possibility you would be interested in documenting your process? I’m sure there are many who could benefit from it. The ones who are more interested in the assembly than the key that is. And thank you SO much for your massive contributions.

  18. Hi Graf, congrats on your work, I have been following it since the beginning.
    Nice to see that some honest people just do things instead of talking BS.

    Nice way to celebrate my birthday!

  19. > You don’t have the key, you want graf_chokolo to send you his real Key
    He can post the first 10 Bytes and I’m sure “the man of the day” can tell us if it is the real key. ;-)

  20. Thanks graf, you are the best.
    I can understand anyone on 3.50 wanting a psgrade release NOW.
    But I think it is more important to have a stable release and therefore we should be patient.

  21. Well, I bet that zaxis will release his free downgrade solution within 48 hours and this solution will spread like a virus – so I guess within a week graf will make the key public (btw.. with a free solution it is not needed for end users to know the key)

    More interesting to know is how x3 managed their 3.50 hack (release within 72h I heard) and if we can reproduce it for free.

  22. And guys: please stop doubting graf’s statements – has he ever made false promises?
    If someone is an honest man, it is him. He always delivered as he said.

  23. I really miss the technical discussion that used to go on here.

    EVERYONE SHUT THE FUCK UP AND LEAVE THE COMMENT SECTION TO THE DEVS

    it would be nice if news sites would stop linking directly here.

  24. Although I just dumped the key, it may soon be obsolete :)

    I don’t want to cause a commotion but PS3Break and others aren’t the only ones with something up their sleeve :)

    I’ve been working on something very interesting and I believe it will make the key look like a drop in the bucket, I will update soon after I do some more testing :)

  25. Guys, someone posted here with my NICK beginning with December 5, 2010 at 4:21 pm. I will stop posting here right now, because you are just flooding here. Maybe xorloser could clean up here a bit; after that I will consider posting here again.

  26. Thank you Graf for all your hard work. Although I don’t really have use for the downgrade; I’m sure this will lead to many great things for the scene… Many people appreciate your time :)

  27. What happened is some little retarded kid bit his tongue and pretended to be graf!! But either way holding back on this key is not the way to go (in my opinion). Sounds like egohot and now the infamous kakarotos: whenever someone finds something of any interest they want to keep it hidden until after yno$ patches it. But why, to get an extra 15 mins of fame?!?! It’s not like yno$ isn’t on to the scene, they know the key is out there, it’s only a matter of time before a patch whether they release us the key or not. So it’s quite pointless to hold back….again that’s my opinion..

  28. So how many of graf’s posts have been faked? Has the key really been found or is there a troll that needs slaying?

    Btw all the trolls and peckerslaps are ruining this blog for everyone who comes here for technical information and advice

  29. Congrats graf_chokolo. You deserve some fame now :)

    You’ve been working really hard on reversing lv1 and it’s no wonder that you’ve found something of use after finding a way to decrypt selfs on your own :)

    I assume this is the public key we’re talking about. If it’s so then don’t let it get into the wrong hands. I can already foresee that some people are going to use it to brick devices (viruses and crap)… So be careful who you give it to.

    Btw how did you get it ? You just decrypted every self and then figured out what the key could be?

  30. Pingback: PS3 Master Key Found? Game EBOOT.BIN File Decrypted! | Godl1ke's Corner of the net

  31. @Fox2401

    “My” post from December 5, 2010 at 9:39 pm (the 2nd, not the first), was spoofed, that isn’t me. In other words, a troll. I have already sent the key to zAxis :)

  32. graf would you at least tell us how you dumped it? Was it with egohot’s method or jaicrab’s? All this time we’ve followed you graf saying you would dump and release once your sx board came, but now you’re saying it’s obsolete and doesn’t matter lol. As far as estx, no one really believes he has the key, his 15 mins of fame was just that…15 mins. You definitely have a lot of supporters graf and we’ve waited a few weeks already, why wait longer???

  33. @ graf_chokolo

    Is it possible that you can give the Master Key to “Team Gen”? I mean the PSP CFW makers, they wanted to make a CFW for the PS3 too and I think it would make it easier for all if they have the Master Key and release a CFW!!! The page is here : http://www.ps3gen.fr/

    Hope you can help because this will make the PS3 Scene bigger and bigger!! ;)

  34. Graf, please do not stop posting I really enjoy seeing your progress day by day. Truly, you are the god of PS3 hacking. Thank you.

  35. Meh…. It isn’t made public so that nobody speculates on it…. but this way it does nothing but encourage people to buy the paid dongles… CONFUSED!!!!

  36. This is why comments suck.
    No way to know who’s a faker and who’s not.

    Get some forum, close it to the public and let the devs discuss in private

  37. I did not say this:
    “@hprocks123

    Unfortunately, I have not had any time to work on it and it is now a dropped project. So, no, there is no progress with any open source downgrade at the moment”
    and I doubt that graf said anything below it. Someone is hijacking our names.
    If there were any updates about PSGrade you would have seen them at psx-scene, where no one can hijack my name

  38. @porchmonkey happens every day on IRC ….but private is not so much “open source” as this was supposed to be. But now that the cat is out of the bag let’s keep it private? That’s such crap and makes them no better than PSJB. If I thought for a second that graf would dump this key and keep it hidden I wouldn’t have followed a single thread pertaining to this, because that’s what all the other teams did. x3max, e3, psjb: they have the key and won’t release it, so this is nothing new as we still won’t have the key in open source. I do appreciate all of graf’s work, I will not discredit him for what he has done, he is excellent at what he does hands down…. But keeping the key hidden is no better than any other team who is doing it for $. I can say graf is correct on one thing. This key is OBSOLETE …Because by the time they release it to us in open source (if they even do – my money is on zAxis encrypting the key into psgrade) yn0$ will have it patched and it will be useless, aka obsolete. Basically we wasted the past few weeks following this as we are no further than we were when PSJB announced they had the key and a downgrader!
