Small update to PS3 IDA plugin

I’ve been busy digging into the PS3 lately, and I decided it’s finally time to see what secrets can be extracted from it. During my investigations I found that level-1 syscalls, a.k.a. hypercalls, are not handled by IDA, so I decided to add support for them to the existing PPC Altivec plugin. Get the updated plugins here and copy them to your “IDA\plugins” directory to install them.

For those who don’t know, level-1 syscalls are used to call hypervisor functions. On a PS3 the hypervisor is known as “lv1” (level 1) since it is the lowest level and runs directly on top of the hardware. The operating system is executed on top of this and is known as “lv2” (level 2). The two common operating systems are GameOS, which PS3 games run on, and OtherOS, which is usually used to run Linux. Since both OSes run on top of the same lv1 hypervisor, they use the same set of hypercalls, which have been partially documented here.
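The distinction between an lv2 syscall and an lv1 hypercall lives in the instruction encoding: both are the PowerPC `sc` instruction, and the LEV field selects which level handles the trap (`sc` with LEV=0 is an lv2 syscall, `sc 1` is a hypercall). The decoder below is an added example, not code from the post or from the PPC Altivec plugin; it decodes the `sc` word, pairs it with a preceding `li r11, N`, and annotates the call. The “hypercall number in r11” convention is taken from the Linux PS3 platform code and is an assumption here, as is the constructed instruction stream at the bottom.

```python
import struct

SC_OPCODE = 17    # primary opcode of the PowerPC `sc` instruction
ADDI_OPCODE = 14  # primary opcode of `addi`; `li rD, N` is `addi rD, 0, N`


def decode_sc(word):
    """Decode a 32-bit PowerPC instruction word as `sc`.

    SC-form: opcode in bits 0:5 (= 17), LEV in bits 20:26, bit 30 must be 1.
    Returns the LEV value, or None if the word is not an `sc` instruction.
    """
    if (word >> 26) != SC_OPCODE or not (word & 0x2):
        return None
    return (word >> 5) & 0x7F  # bit 26 is the LEV LSB, i.e. value 2**5


def encode_sc(lev):
    """Build the `sc LEV` word; used here to cross-check decode_sc."""
    return 0x44000002 | ((lev & 0x7F) << 5)


def decode_li(word):
    """Decode `li rD, SIMM` (addi with rA = 0). Returns (rD, SIMM) or None."""
    if (word >> 26) != ADDI_OPCODE:
        return None
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    if ra != 0:  # a real addi, not the li alias
        return None
    simm = word & 0xFFFF
    if simm & 0x8000:
        simm -= 0x10000
    return rd, simm


def annotate(code, base=0):
    """Walk big-endian PPC code word by word and annotate syscall traps.

    Assumption (from the Linux PS3 lv1 call macros, not from the post):
    the hypercall number is loaded into r11 just before `sc 1`.
    Returns a list of "addr: text" strings.
    """
    out = []
    pending_r11 = None
    for off in range(0, len(code) - len(code) % 4, 4):
        (word,) = struct.unpack(">I", code[off:off + 4])
        addr = base + off
        li = decode_li(word)
        lev = decode_sc(word)
        if li is not None and li[0] == 11:
            pending_r11 = li[1]
            out.append(f"{addr:08x}: li r11, {li[1]}")
        elif lev is not None:
            if lev == 1:
                num = f"#{pending_r11}" if pending_r11 is not None else "(number unknown)"
                out.append(f"{addr:08x}: sc 1  ; lv1 hypercall {num}")
            else:
                out.append(f"{addr:08x}: sc {lev}  ; lv2 syscall")
            pending_r11 = None
        else:
            out.append(f"{addr:08x}: .long 0x{word:08x}")
    return out


# Constructed sample stream (not from a real PS3 binary):
#   li r11, 18 ; sc 1 ; nop ; sc
SAMPLE = bytes.fromhex("39600012" "44000022" "60000000" "44000002")

if __name__ == "__main__":
    for line in annotate(SAMPLE, base=0x1000):
        print(line)
```

Running the block prints four annotated lines; the `sc 1` at 0x1004 is reported as lv1 hypercall #18 and the plain `sc` at 0x100c as an lv2 syscall. Checking `decode_sc` against `encode_sc` for every LEV value confirms that the LEV field extraction matches the SC-form layout.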

14 thoughts on “Small update to PS3 IDA plugin”

  1. Speaking of Xextool, I use it all the time for running my retail games on debug units. But I’m finding that the process of extracting the game data no longer seems to work properly – XDVD Mulleter seems to be missing out tons of data. Is there a better tool for this stage of the process?

  2. ali: I hadn’t read that article until you pointed it out.
    It is a nice introduction and overview of the cell for anyone who is new to it.

    Unfortunately the “hacking/exploit” section takes up about 1 paragraph among the pages and pages of general info. If you were to read the official docs that this was based upon then the hacking/exploit information is pretty self-evident. Basically it comes down to no memory protection, so you can write to “code” sections and execute “data” sections, which are the requirements for buffer overflow style exploits that have existed for a long time. The wrap-around memory addressing is a bonus that makes this even easier.

    What they don’t mention is the secure isolated SPU mode that anything of consequence runs in on the SPUs. In this mode the only access to the internals of the SPU is through an interface that is defined inside the isolated SPU module. Also these modules are encrypted and signed so that you cannot see how they work or alter how they work, making exploiting them very tricky.

  3. Hello,

    I’m currently using your IDA Pro plug-in. There seems to be an error in decoding the RA field in the lvrx instruction (it’s always 0). Couldn’t check lvlx yet. Could you please fix it?

    Greetings,
    – dagger –

  4. Started looking into the PS3 today. I assume the hypervisor is a piece of software; how do I dump it or extract it from an update? Can it be updated? With all those commands there’s gotta be an overflow somewhere.

  5. The hypervisor is software yes, however you cannot easily dump or extract it. Also unlike simpler CPUs the PS3 has memory protection which only allows execution of “code memory” and “code memory” is always set to “read only”. The xbox360 is similar in this respect, however in both cases the hypervisor should be able to bypass these rules.

    One day when I get some time I plan on doing a writeup on the PS3 security and its various layers. It is quite interesting and unlike any other I’ve looked into before.

  6. I would assume it’s lvl1.self from the nand. But all the programs in the NAND look encrypted. We need to get access to the AES engine. Unless this has already been done.

    The DEP isn’t a dealbreaker; it’s the same way on the iPhone. Use a return-to-libc style attack.

  7. Correct, lv1.self is the hypervisor. The keys to decrypt it are stored inside lv1ldr, which is a secure loader that runs on the SPU. So to get the lv1 decryption keys you first need the secure loader decryption keys and decrypt lv1ldr. This chain of trust goes back to the initial bootloader, which is encrypted using a key stored in the cell hardware itself.

    So you find a way around the chain of trust if you want to decrypt the hypervisor.

  8. Hi xorloser,

    I’m trying to patch an update with Xextool, but it always gives a Runtime error…

    Can you fix the problem with xextool?

    I’m trying to patch RE5 title update 4.
