PS3 Exploit: Software

As I’m sure everybody has heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack, so I thought I’d take the time to help out others who may also have trouble due to being Linux n00bs like me :) If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it heh. Today’s post covers the software side of the exploit: installing Linux, getting the files in place and building the exploit kernel module. Actually running it is left for a later post.

Please note that geohotz’ exploit software was hardcoded for the v2.42 firmware. I have made a small fix that attempts to support all firmware versions dynamically, but I have only tested and used it on v3.15, so treat any other version as untested.

Fixed PS3 Exploit Files

The first step is to install Linux on your PS3, which of course means that this will not work on a slim PS3 (the slim models have no OtherOS support, and the exploit needs code running under OtherOS). I tried a few different Linux distros and, after various issues, settled on Ubuntu v8.10 since this is the same version that geohotz used; the newer distros I tried did not export some of the kernel functions the module needs. I suggest using the “alternate” image since it installs a GUI, which the “server” image does not. You can download the 636MB image below; I suggest using the legal torrent to save the bandwidth of the Ubuntu servers.

Ubuntu for PS3 v8.10 alternate – Torrent

Ubuntu for PS3 v8.10 alternate – Direct Download

After downloading, burn the image to a CD-R and install as you would any OtherOS install. There are many generic and also Ubuntu specific guides for doing this, so I won’t cover that here.

Once you have Linux up and running, log in using the username you created during install. Now open a terminal (Applications->Accessories->Terminal). You can enable the root account by giving it a password: type “sudo passwd”, enter your current user’s password once, then the new root password twice. The root account will now be usable. (If you would rather not enable root at all, “sudo -i” gives you a root shell using only your own password, and the remaining steps work the same either way.)

Now type “su” and enter the new root password to get root access. Create a directory to put everything in. You could create this in your home directory, but I created it in the root of the filesystem so that I can share it between root and my user account, as well as exposing it to my PC via samba. To create the directory do “mkdir /ps3share”; you can call it anything you want, I call it ps3share because I share it with my PC over samba. Now allow all users to read and write to it with “chmod a+rw /ps3share”. Note that this makes the directory writable by every account on the machine, which is fine on a single-user PS3 but not something to do on a shared host. Finally give ownership of it to your normal user account with “chown username:username /ps3share”, where username is your username.

Next you need to get the “fixed” exploit software onto your PS3. A USB flash drive is easiest. Copy the extracted files onto it from your PC, then insert it into your PS3. It should automount and bring up an icon on your desktop. Double click the icon to open the file browser. Right click on the USB drive in the file browser and choose “Open in New Window”. Then on the left side of the file browser select “File System” and then “ps3share”. Now drag the files from the USB drive into your “ps3share” directory.

I have included a binary of the exploit module for those of you who don’t want to build it yourself, but for those who do, here is how. First you need to fix the location of the kernel headers so the build scripts can find them: “mv /usr/src/linux-ports-headers-2.6.25-2/ /usr/src/linux-headers-2.6.25-2/”. (A symlink at the expected path pointing to the ports directory works just as well and avoids moving the packaged files.) Now change to the directory with the exploit source in it, “cd /ps3share/ps3_exploit_fixed/src”, and build it by typing “make”. There will be a lot of warnings, but it should create the file “exploit.ko”; check that the file exists in that directory before going any further.

You are now set to run the software side of the exploit. DO NOT load the module from this terminal while in the GUI; it should only be run from a text console outside X. If you do run it under the GUI you will not see anything happening, but your PS3 will suddenly become really slow and you will have to power it off. More about running it in a future post.

A summary of the commands to enter at the terminal is below:

sudo passwd
(then enter your user’s password once, then the new password for root twice)
su
(then enter the root password)
mkdir /ps3share
chmod a+rw /ps3share
chown username:username /ps3share
(where username is replaced by your username)
Now copy the exploit files into /ps3share.
mv /usr/src/linux-ports-headers-2.6.25-2/ /usr/src/linux-headers-2.6.25-2/
cd /ps3share/ps3_exploit_fixed/src
make

done!
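The same setup steps, collected into a script, as an added example that is not part of the original post or of the exploit package. Each step is a function that reports success or failure, so a failed step stops the run instead of leaving you with a missing exploit.ko or a module loaded from inside the GUI. The directory, owner and header paths are passed in as arguments, the symlink in place of the mv is this script’s own substitution, and the DISPLAY check is a simple stand-in for “am I in the GUI”; none of those details come from the post.

```sh
#!/bin/sh
# Added example: the OtherOS-side setup from this post as checkable functions.
# Not xorloser's code and not part of the exploit package. Paths, owner and
# the use of a symlink instead of mv are this script's own choices.
set -eu

# mkdir / chmod a+rw / chown from the post. World-writable is acceptable on
# a single-user PS3; pass a group only if it differs from the user name.
ps3_prepare_share() {
    dir=$1; owner=$2; group=${3:-$2}
    mkdir -p "$dir"
    chmod a+rw "$dir"
    chown "$owner:$group" "$dir"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# The post renames the Ubuntu "ports" header directory so the module's
# Makefile finds it. A symlink at the expected path gives the same result
# without moving packaged files. Succeeds if the expected path already exists.
ps3_fix_headers() {
    ports=$1; wanted=$2
    if [ -e "$wanted" ]; then
        return 0
    fi
    if [ ! -d "$ports" ]; then
        echo "kernel headers not found at $ports" >&2
        return 1
    fi
    ln -s "$ports" "$wanted"
}

# make prints many warnings; the only result that matters is exploit.ko.
ps3_check_module() {
    [ -f "$1/exploit.ko" ]
}

ps3_build_module() {
    srcdir=$1
    ( cd "$srcdir" && make ) || return 1
    ps3_check_module "$srcdir"
}

# The post warns never to load the module from a terminal inside the GUI.
# Treat a set DISPLAY as "inside X" and refuse; use a text console instead.
ps3_safe_to_run() {
    [ -z "${DISPLAY:-}" ]
}

# Usage, as root on the PS3, with the post's own paths:
#   ps3_prepare_share /ps3share username
#   ps3_fix_headers /usr/src/linux-ports-headers-2.6.25-2 /usr/src/linux-headers-2.6.25-2
#   ps3_build_module /ps3share/ps3_exploit_fixed/src
#   ps3_safe_to_run || echo "switch to a text console before loading exploit.ko" >&2
```

Source the file and call the functions in order; the last one is the guard to run right before the insmod step described in the next post, since the symptom of getting it wrong (a silently crawling PS3) is not something you want to discover after the fact.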

79 thoughts on “PS3 Exploit: Software”

  1. Good work! Thanks for the guide, I know it will help a lot of people. Now I’m just hoping you decide to share your lvX dumps with other devs or everyone :)

  2. playn: Due to possible copyright issues it is best if people dump their own lv1. I plan to fill in the missing bits over the next few days to help anyone dump their own. This information should be enough to enable the types of people that the dump is useful to to dump their own lv1. It is of no use to 99.9999999% of people out there anyway.

    george: Just using your “smash n grab” button attack for now hehe. There is potential for not needing it in earlier firmwares, but I’m still looking into that, and most people don’t have these earlier firmwares anyway 😛

  3. I’m working on an FPGA (Spartan 3) code project in VHDL titled “ps3 glitch finder” where you can set the low/high delay via buttons and have the nanosecond delay shown on an LED display. I created a DCM (Digital Clock Manager, available in Spartan 3) primitive to get 200MHz (still using a 25MHz external crystal) so the lowest pulse possible is 5ns (instead of 40ns). This way I hope the “optimal glitch” can be found, and the design can be used for other glitch projects as well.

    Probably overkill for such a simple task, but it has been fun so far. 😉

  4. It seems you have done really good work guys… it’s impressive for a noob like me! Congratulations. I just have one question, can somebody tell me why this will not work on a slim PS3? I’m really unlucky because I’ve got a slim PS3 and a BRAND NEW iPhone 3GS (with the new bootrom… :( so no exploit and no jailbreak for me!) But thanks for your work 😉

  5. Is there any code to dump the hypervisor available? Or even what addresses it resides at?

    Thanks :)

  6. Great job. Hope this leads to Linux on the slim though. That’d make the slim the perfect console.

  7. george I’m your fan and hope the good news of the ps3
    I just hope to the needle here in Brazil ….
    flw

  8. Xorloser: Do we still need to solder points on the board first before running the exploit, or is this a complete clone of the hardware exploit? Great job anyway.

    George: The hypervisor was written in C++, right?

  9. It won’t work on the PS3 slim because it requires OtherOS, and that has been removed since the start of the slim models.

  10. Love you. I really want to try this out and this pretty much seems to be noob-friendly.

  11. @lordloki – This particular glitch using Linux won’t work, however once certain keys are discovered it could lead to a break in the HD encryption or in the signing process for apps. One would assume that Sony wouldn’t have changed the keys between the slim and the fat because there was no need to fix what wasn’t broken at the time.

    Knowing the keys and diving into the firmware is just the start, because once someone finds a hole it could lead to a CFW, which would work on slims and fats, or even just implementing the OtherOS feature on the slims.


  13. Normally, you never need a root password on Ubuntu. To become root, type
    sudo su
    and then your normal password. This requires that your account has permissions to do that, which the first activated account (when Ubuntu is installed) normally has. Otherwise, sudo permissions are controlled by the file /etc/sudoers. Read more on “man sudo”.

  14. Since I am more a Linux user than an electronics guy, a tutorial to build this “button” would be more useful to me and many others 😀

    And something else to say: I’m still not getting the use of your exploit george :( I mean you don’t (!) have full access to the hardware, no SPU/root key means the PS3 is not hacked like it is written everywhere :(

    And a question to XOR: Ever tried Ubuntu 9.10 Alternate? I tried it, but failed hard, dunno why they messed it up :( Ubuntu 8.10 works like a charm ;D

  15. Bruno: As people have said, Sony did not include support for installing Linux (OtherOS) on slim PS3s. This exploit requires software running on the PS3, which is what Linux is used for.

    is0-mick: HV dumping code will be coming in my next post.

    Bang: You are mixing up your xors, I am xorloser not xor37h 😉

    Helge: Yeah, I am a Linux n00b – I learn to use just enough of it to do what I need to. I am sure there are better ways of doing most of what I do in Linux hehe.

  16. sorny: The “button tutorial” is now up. I am not much of a hardware or Linux guy; I learn enough of each to use it along with my software :) I have not tried Ubuntu v9.10, however I did try other newer distros such as Fedora 11 and it seemed not to export some of the required functions from its kernel. After trying a few different distros I used the distro that geohotz used, since I knew it would work on that one at least.

    Geohotz’ original post title about the PS3 being hacked is a little ambiguous. Yes, the PS3 has been hacked, although it is partially hacked, not fully hacked. A partial hack is still a hack, however, and it opens many doors for others to dig deeper and extend the hack.

  17. “Partially hacked” are the right words! For me, the PS3 is fully hacked when the root key is public!

    I still wonder why there is no forum where all the stuff is going on :(
    All those blogs keep the information widely spread and attract all those “thank you, I love u whatever” guys and the claimers for backup loaders…
    That annoys me so much, bah :/

    btw: if you need help with Linux etc., just email me!

  18. sorny: I don’t know that the root key will ever become public. As for forums, they tend to just fill up with parrots anyway; Xbox 360 is a good example of this. With Linux I just learn enough to get what I want working.

    Agent222: Sure, translate and post to your heart’s content. Just don’t do what some sites have done where they posted this info as their own discoveries 😛

  19. Having this exploit, isn’t there a way to transfer backups from PC to PS3 and run them from the hard drive? Cos burning a 55GB game is a pain in the ass.



  22. Just wondering, what good is hacking the PS3 if it will not allow us to play burnt/backed up games? I don’t really know any everyday person (other than hackers who hack for the hell of it) who would want to hack their PS3 just to have read/write capabilities. It does us no good. I am happy that the PS3 is starting to be hacked and I know it has to start somewhere; I am only saying this because GeoHot is anti-piracy, so my question is, what use is a hacked PS3 (or any gaming system for that matter) other than playing burnt/backed up games? I have a computer to do computer things and an iPhone to do iPhone things; I wouldn’t do computer things nor iPhone things on a PS3, so why would I want to hack my PS3 if it is not going to allow me to play burnt games? As I said, I know it has to start somewhere, but I just don’t understand why geohot would hack the PS3 if he is so anti-piracy?

  23. @xorloser: Isn’t there a way to replicate this hack via the XMB? And as for the root key being public, I know it’s just a matter of time. I have Java installed on the PS3 via Linux; will try to see if I can replicate this in Java, just for the fun of it. Good job. Wish I could make a donation to boost da spirit.

  24. PS3 FTW: As I’ve said a few times now, there indeed is no reason why any normal person would want to use this hack. It does not allow you to play backed up or burnt games. Like you suggest, the only reason you’d want to do this hack is to look deeper inside at how the PS3 works. Most people don’t care about this kind of stuff, but a very small number of people are interested in it. It is like a big crossword puzzle, figuring it out. I don’t play games on my PS3; I prefer tinkering around on it instead. To use the old “car analogy”, it’s like people who buy cars to tinker with them rather than drive them around.

    kofigame: The root key won’t become public, it is hidden in hardware. As the posts say, Linux is required for the hack, and Java doesn’t give low level access so it is useless for this.

  25. Hi… I don’t even own a PS3 but I damn well respect the work you’re doing to get this shit into the community, might even go out and buy myself one of these. Keep up the good work 😀


  27. Please, see if you can help me. I have lost my BD drive; I brought it to a supposed specialist who sent it back without the whole unit (BD), btw he disappeared. I would like to make the PS3 useful somehow as I don’t even have the disc reader. Do you guys have any idea? btw I purchased the whole unit on eBay, but unfortunately mine was for a PS3 60GB and the one I purchased was not compatible (160GB one). I still have it, but the connectors don’t even fit. Please help

  28. I’m waiting for you guys to make a modded firmware (I know you will) like the Xbox 360 geniuses did, then I’ll buy a PS3 and play all games for free.

    Thanks.

  29. I think that you guys are going the wrong way with this hack idea. I wish I knew more about computer programming, but from what I understand the PS3 uses .self which is based on .elf, which is normal PPC programming, so definitely related. The basic idea is brilliant, however Linux will never get you where you want to go.

    Adding usefulness to hypervisor control in Linux isn’t going to come easy. But why not use a small custom Linux kernel to convince the PS3 that modded decrypted firmware is Linux? Obviously the traditional hack would have to be run to decrypt each PS3’s firmware, then modded through Linux.

    Otherwise start writing a GPU driver. That’s the dilemma, right: hack firmware or write a GPU driver (and a bootloader for games for those pirates). I personally want an XBMC for PS3 but I’ll settle for XBMC-like menus and full codec support for the XMB.

  30. First up, very good work guys! I’m very impressed! Keep up the good work!

    I do hope this will go in the PS3 direction!

    Oh and George, you asked rhetorically on your blog if ever a secure system has been made. Well, while I doubt it, and the signs are that you’ve just conquered one of the toughest security beasts out there, if you’re looking for another challenge it seems the iPod classic models have still never been cracked – owing to firmware encryption I believe – still I find it hard to believe that the encryption could be better on the iPod touch/iPhone’s little brother than on Apple’s pride and glory… yet still it stands unhacked…

    So once we’re all done hacking the PS3 right down to the deepest levels of its security (well, once those of you with the ability are – I’d break it), if you’re looking for a new challenge remember the iPod classic remains for the conquering!

    Anyway many many thanks for this, hopefully this will let people hack deeper and usher in the world of custom firmwares for the PS3… Now I wish I hadn’t just bought a 120GB slim… Still I can’t help but feel that having chinked open the door on the fat PS3s also brings tantalisingly closer the possibility of eventually mastering the slim too!

  31. I have some PS3 games that no longer run on my PS3 and I need to back them up. Is it possible to hack the PS3 and run backup games? If possible, how do I do that?

  32. This hack does not and will not be used for booting backups or copies or whatever you want to call it. It is useful for research purposes only. *sigh* How many times must this be said?
