PS3 Exploit: Hardware

This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, but the RAM didn’t receive the write command due to our interference and so it did not perform the write operation.

The easiest (and moderately safe) way to interfere with these control lines is to ground them. This is done easily enough by connecting a wire between one of the control lines and ground. The tricky part is timing it just right so that it only interferes with the write we want to stop, and not anything that occurs before or after this write. This might be achievable with costly equipment and a lot of work, however geohotz used the simple method of “luck”. This involves repeatedly preparing the situation to best favour the chance of overwriting the correct write command and then continually grounding a control line until either something crashes that shouldn’t or the mark is hit stopping the write operation from occurring. At this point the exploit has been successfully triggered! :)

Now that you know how it works it is time to implement it. A connection is required to the control line that will be grounded as well as a connection to ground. These two wires then need to be connected to each other momentarily. If you were to try and do this manually as fast as you could you might connect them for a millisecond or so, however RAM control lines are very fast so 1ms is going to interfere with way too many commands. Instead these lines need to be connected to some hardware that is able to bridge the connection between then for very small periods of time at once. Geohotz suggests a connection period of 40 nanoseconds.

There are many ways that some hardware can be made to perform this short connection. Geohotz used an FPGA he had on hand in order to do it. Others have suggested using a 555 timer, however I have not heard of anyone having any success with this method. I used a small sx28 microcontroller I had on hand due to using it for a project some years ago. It runs at 50MHz with an instruction cycle of 20 nanoseconds, which means it should be fast enough to provide the 40 nanosecond connection required.
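To make the trade-off between pulse width and "luck" concrete, here is an added C simulation; it is not the post's SX28 code and uses no measured PS3 timing. It assumes a constructed bus with one RAM command every 20 ns, the write to be blocked sitting in command slot 1000, and a pulse whose start lands uniformly within 1 µs either side of that write, then reports how often the pulse blocks the target write and how many other commands each pulse disturbs.

```c
#include <stdio.h>
#include <stdint.h>
/* Bus model, constructed for illustration (not measured PS3/XDR timing):
 * one RAM command every CMD_PERIOD_NS, and the single write we want to
 * block occupies command slot TARGET_IDX. */
#define CMD_PERIOD_NS 20.0
#define TARGET_IDX    1000L

static long ceil_l(double x)            /* ceil() without libm */
{
    long c = (long)x;
    return ((double)c < x) ? c + 1 : c;
}

/* Number of command slots whose start time lies in [start, start + width). */
long commands_hit(double start_ns, double width_ns, double period_ns)
{
    long first = ceil_l(start_ns / period_ns);
    long last  = ceil_l((start_ns + width_ns) / period_ns) - 1;
    return (last >= first) ? last - first + 1 : 0;
}

/* 1 if the pulse covers the target write's slot. A pulse that starts
 * after the write has already gone out cannot block it. */
int hits_target(double start_ns, double width_ns, double period_ns, long target_idx)
{
    double t = target_idx * period_ns;
    return (start_ns <= t && t < start_ns + width_ns) ? 1 : 0;
}
/* Small deterministic LCG so every run gives the same numbers. */
static uint32_t lcg_state = 12345u;
static double lcg_unit(void)            /* uniform in [0, 1) */
{
    lcg_state = lcg_state * 1664525u + 1013904223u;
    return (lcg_state >> 8) / 16777216.0;
}

struct trial_stats {
    double p_target;        /* fraction of pulses that blocked the target write */
    double avg_collateral;  /* other commands disturbed per pulse, on average */
};

/* Fire `trials` pulses of width_ns whose start lands uniformly within
 * +/- jitter_ns of the target write: the "luck" the post describes. */
struct trial_stats simulate(double width_ns, double jitter_ns, long trials)
{
    double target_t = TARGET_IDX * CMD_PERIOD_NS, collateral = 0.0;
    long hits = 0;
    for (long i = 0; i < trials; i++) {
        double start = target_t - jitter_ns + lcg_unit() * 2.0 * jitter_ns;
        int h = hits_target(start, width_ns, CMD_PERIOD_NS, TARGET_IDX);
        hits += h;
        collateral += (double)(commands_hit(start, width_ns, CMD_PERIOD_NS) - h);
    }
    struct trial_stats s = { (double)hits / trials, collateral / trials };
    return s;
}

int main(void)
{
    const double widths[] = { 40.0, 360.0, 1000000.0 };   /* 40 ns, 360 ns, 1 ms */
    for (int i = 0; i < 3; i++) {
        struct trial_stats s = simulate(widths[i], 1000.0, 20000);
        printf("pulse %7.0f ns: blocks target in %4.1f%% of pulses, disturbs %.1f others\n",
               widths[i], 100.0 * s.p_target, s.avg_collateral);
    }
    return 0;
}
```

In this model a 40 ns pulse blocks the target in roughly 2% of attempts while touching only one other command, whereas a 1 ms pulse disturbs about fifty thousand commands every time, which is why the post treats the narrow pulse plus repeated attempts as the only workable option.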

The first step is to take apart your PS3 in order to expose the top side of the motherboard. Once you do so look for one of the following areas on it depending on what version PS3 you have.

This first picture is from an old 60GB PS3 which came with the 4 USB ports and the card readers. You can see I have soldered a wire to the side of a resistor. This is the connection to the PS3 RAM control line that you need to solder on. I suggest you route this wire down and then to the left of the two pronged power plug you can see. My wire continues downward in this picture, but I found that doing so caused interference in the wire that would unintentionally trigger RAM corruptions. To avoid this you should route it to the left underneath the power plug so that it then comes out of the left side of the PS3 case. You can use a long wire during installation, but try to keep it short when you finalise its routing and final positioning. You can see I used a hot glue gun to ensure any stress placed on the wire will not pull at the solder joint.

This second picture is from an 80GB PS3 with 2 USB ports and no card readers. This was the model that was out just before the “fat” PS3s were replaced by the “slim” PS3s, so it is a newer motherboard revision where there are two RAM chips on both sides of the motherboard instead of all four on one side. In this picture I have circled the trace you should solder to for your RAM control line connection. In order to solder to this I used a craft knife to carefully scratch the paint off the top of the trace to expose the copper underneath which I then soldered a wire to. Once connected you should route this wire straight down towards the front of the case to best avoid interference in the wire from other parts of the PS3. Once again try to keep the final wire nice and short.


Next you need to get a ground connection. This is done the same way for both motherboard versions and is very easy. You can just wrap a wire around any of the metal screws that screw into the metal shielding that covers the top of the motherboard. You don’t even need to solder it, just wrap it under the screw head and screw it into place :) This wire should be routed out of the console next to your other control line wire.

The above two wire connections are common to any implementation of a hardware trigger. The following is specific to how I did my hardware trigger but you may implement your trigger however you want. Note that I initially tried wiring 5 Volts of power out next to these lines but doing so continually resulted in unwanted interference in the control line causing the PS3 to crash while booting.

For my hardware trigger I used an SX28 microcontroller which I bought years ago as part of this programming kit. To use the SX28 you need the SX28 chip, a way of programming the chip (usually an SX-Key or SX-Blitz) and an oscillator to drive the SX28 chip at 50MHz. All of these are included in the above programming kit. Maybe if enough people buy from them and mention xorloser they’ll send me a USB version of the SX-Key instead of my old serial based one :/

Below is a crappy schematic of my circuit which I drew in windows paint. Please note that I am using the programming kit I mentioned above which utilises the SX-Key programmer in place of an oscillator while the SX-Key is attached. I do not have an external oscillator so I’ll leave the hooking up of that to you. Just take note that you do need either an oscillator or SX-Key attached in order to make the chip run.

This SX28 sourcecode is the last piece of the puzzle. Program this to your SX28 chip using the free SX-Key Editor software from Parallax. Once this is all hooked up to your PS3 you should be able to send a “pulse” (grounding of the control line) to the PS3 by pressing the switch. You should use a momentary-on push button switch to do so since it will keep sending pulses every 100ms if the switch stays connected. The LED on the right side of the schematic is just there to give the operator some feedback. It will light up when a pulse is sent to let you know that the circuit is working as it should. I should mention that if you look at my SX28 sourcecode you will see that it appears as if I am sending a 360 nanosecond long pulse. I do not know how long the pulse is that actually gets sent as I do not have any hardware that I can measure the pulse with (yet). Possibly there are hardware induced delays that occur when changing the direction of the port which means that although I am waiting 360 ns, it still only sends a pulse that is about 40 ns. To arrive at the 360 ns value I tried many values, making the pulse as short as I could until it didn’t trigger anymore, then I increased it just a little bit to get the shortest pulse that still works.

Phew, this is finally the end of this post. My next post will tie it all together along with some software I have written to dump your own hypervisor and more. Cya.

73 thoughts on “PS3 Exploit: Hardware”

  1. This is really well explained, thanks xorloser :)

    I hope this will lead more people into achieving this hack successfully.

  2. Impressive work!

    I just got another idea; suppose we can find a logic low pulse somewhere on the PS3 motherboard which can be triggered by software (the exploit kernel module)?

    Eg. A LED that we turn off or similar hardware which can be triggered from the software by poking an address with two different values, and then solder that point to the RAM control line. Another benefit would be that the trigger will be sent from software, might prevent kernel panic since it’s done at the correct time.

  3. The SX line of chips is going under. It’s hard to find them right now. If you go to Parallax.com and search for the chips, you’ll see a letter stating they are pretty much dead. So grab them while you can!

  4. Let’s say that, uh, someone messed up not only the resistor in the first picture, but the two adjacent ones as well, what would the values of those three be, for any, uhm, purely hypothetical, replacement? The top four are all 43 Ohms, right?

  5. Pingback: PS3 Exploit: Hardware | Hirdyz Emporium

  6. Pingback: Cómo ejecutar el exploit de PS3 « Omnium potentior est sapientia

  7. Pingback: Guia para probar el Exploit para PS3 de GeoHot | Scene?¿

  8. Pingback: xorloser passe au Hardware

  9. Pingback: Tutorial: Hackear la PS3.

  10. modrobert: Yeah, it’s been suggested a few times to initiate the pulse from the PS3 itself. It could be a nice improvement if done correctly. For now the hardware part of the attack is a bit of a brute smash-n-grab, not very elegant, but it does work. :)

    dtomcat: The SX chips are indeed “end-of-lifed”, however they are not the only way this can be done. I used one because I already had one laying around unused so I didn’t need to buy any new hardware. Hopefully the explanation I gave about what the hardware is doing will enable others to then design their own hardware triggers which they may then choose to post publicly.

  11. Pingback: Ps3 haxxxzzz - Modern Warfare 2 Forum: Free Call of Duty MW2 Community

  12. Pingback: PS3 Exploit: Hardware « xorloser's blog | Drakz Free Online Service

  13. All the information you posted is extremely useful. Thanks a lot.

    It’s hard to make out the wiring in your SX board. Can you post a clear shot? Is the blue wire the RAM control line? Is the yellow wire the ground control line?

    Thank you for sharing all this information.

  14. Pingback: ISO Loader [Raccolta Rumors] - Pagina 161 - PS3 World

  15. This is so low, doing stuff like this can lead to companies losing millions of dollars, putting a lot of people out of their jobs.

  16. Pingback: Tutorial para Hackear la PS3

  17. Now I am VERY interested in your articles about good tutorial and introduced it on my blog for Japanese gamers to translate into Japanese.

    Here:
    http://plaza.rakuten.co.jp/mamosuke2008/diary/201002070001/
    http://plaza.rakuten.co.jp/mamosuke2008/diary/201002080004/

    Now I have to apologize to you, because I did it without your permission.

    If possible, can you give me permission to translate and introduce your article for Japanese gamers, including permission to reprint the images on my blog?

  18. xorloser… I realize the trigger method you describe can be used with many other ICs. I only mentioned the end of life thing so that if anyone was trying to follow your guide with the same hardware, that they would know the difficulties ahead :) I myself have 3 sx28’s…. I think :) Thanks for the guide!

  19. Nice work – But I doubt Sony have much to worry about; seeing as this involves hardware modifications.

    If it were purely software based – then this would be big news.

  20. Pingback: Tweets that mention PS3 Exploit: Hardware « xorloser’s blog -- Topsy.com

  21. calosan: the schematic is posted above which should mean you don’t need to clearly see the wiring anyway.

    jack: if you understood the hack you would realise that it does not allow for booting of copied games or anything else that will cause loss of jobs or money. the main ps3 security is still intact as well as other separate parts of the system.

    mamosuke: sure go for it

  22. Hi! I wonder if you can do what you do with the ps3 than 80gb in a 160gb (my model). I need your answer!

  23. Is there anything useful that can be done with the hack yet or with a hypervisor dump?

    I’m stuck on highly restricted demo firmware (on a LEGALLY bought ps3) and I’m desperately waiting for a way to be able to flash it to a retail firmware.

    xorloser (or anyone else in the know) if you see this and can respond I’d be eternally grateful.

  24. I don’t condone this sort of work if it’s used to play copied games (piracy on a large scale will only kill a console as software companies will stop supporting it) but if the hack is used to see how the hardware works (just for the intellectual challenge) then I don’t see a problem. As for the IC problem for triggering, have you thought of using a PIC chip? If so you could easily programme it (and simulate any circuit you need to power it) using the free to use at home software YENKA. As a teacher of electronics I can say that you can do loads of stuff with this software and you can’t beat the price. FREE.

  25. just i admire you for your contribution and for using paint 😉

    only a question: why do you think that “packaging” a glitching chip with a good timing needs costly equipment? Is it because it’s hard to synchronize the software and hardware components of GH exploit?

  26. Just out of curiosity, would this be something modchip manufacturers could produce, where I just solder it in and it works? I have no problem with the soldering job, but all the timing and stuff seems out of my league.

  27. Ey xorloser!, I made a hardware based on a dspic. If you want to publish it in your blog or whatever just tell me.

  28. Blackyer: Contrary to how sony markets the PS3, its differences are based on internal parts and not just hard drive size. Your best bet is to take it apart and look for one of the 2 areas I posted on the motherboard. If you cannot find these areas then you need to download the datasheets for the RAM you have and find your own solder points.

    Malax: The exploit is new just now and doesn’t do anything in “PS3 mode” so it will not help you with your situation.

    adrianw: A potential problem with using a normal PIC is that it may not be fast enough to send a short enough pulse. Its frequency of operation is a factor in determining the minimum pulse length it can send.

    Roberto: I was alluding more to hardware that was able to parse all commands and data in the communication between the PS3 and the RAM in order to “hit” the right point. Better timing is just a more accurate version of this kludge :)

    J0RD4N007: modchip makers could make something to trigger this, but because it doesn’t result in being able to play copied games there isn’t going to be much of a market for them.

    j1m: If you have a link with the info or a doc or something you have made up I can put it in a future post with credit for it to you of course. I’d want to ensure you had successfully used it to trigger the exploit before posting however.

  29. I just have to say, good work mate. Now i think that this will get shit crackin’ and we’ll soon have cfw. thnx for your hard work.

  30. another good and well explained project..thanks for this, and hope to share a hack my project too.

  31. Thanks for responding at all! I know it’s early, but I’m desperate, so I had to ask. I actually want to be able to BUY the stuff people are putting out. The wait continues.

    Anyway, keep up the good work, thanks for putting this stuff out in detail, and I’ll be following to see what you and the rest of the scene comes up with.

    Thanks again for putting up with bums like me.

  32. People like you should be arrested.
    We are in the middle of a time when jobs are the most important thing and your actions are going to cost hundreds to thousands their jobs.
    You should be ashamed of yourself.

  33. voice of reason: arrested for what exactly? hehe

    obviously you cannot read if you think that you can now play copied games on your ps3. but just to play the devils advocate…

    wouldnt creation of a modchip in fact create jobs? jobs for the ppl who design and market the chips, jobs for resellers, jobs for poor college students who do mod installs in order to get money for food, jobs for ppl who write copy protections to beat the modchips, jobs for lawyers and law agencies employed to stem the tide of modchips.

    troll feeding time has concluded k thx

  34. Xorloser: 1
    Voice of reason : 0

    I agree with xorloser. I think it is important, by working on this exploit, to let others see the potential of “normal” people. It is just amazing what can be done only by thinking, brainstorming each other. Basically I think this project shows what humans can do/create/accomplish when they believe in something. No certificate needed ; just on their own.

    Congrats guys keep it going!!

  35. Voice of confusion?
    Are you serious? How the heck will this make people lose jobs at Fony? Cause it looks like Microsoft has been laying people off left and right ever since the first xbox1 hacks started.
    If you’re so concerned about peoples jobs maybe you should get into government and start screwing people over in the big leagues…
    I dont have a PS3…
    So because of this hack Im probably gonna go out and get one. In fact the opposite is happening. Fony will actually sell 1 more unit than they would have.
    How does that not actually help Sony?

  36. Dear Voice of Reason, if all this process finally gets to loading backups on any ps3 I am SURE I’LL BUY a Ps3, that’s the reason why I own a psp, wii and 360, so…wouldn’t this make Sony need more workers? And what about the new 2TB Hdd I’m gonna need to store my backups? Think about the workers of Seagate and Western Digital and their families. They need to eat too! Long life for piracy. Anyway, I would need to buy some originals like buzz for the buzzers, or Guitar Hero, etc etc

    You should be arrested for your stupidity, swear you don’t have a fucking mp3 song in your hard disk…

  37. I used an FPGA (Spartan3E starter kit) to do this — but for some reason, I was unable to get 40ns pulses to have any effect whatsoever. I kept stretching the pulse width until it started affecting execution — by the time I had the exploit working, my pulse width was approx 200us — yes, that’s 20,000 times the length of the suggested glitch. Did anyone else run into this problem?

    This hack is fairly annoying to get working, in the sense that you spend a lot of time mashing a button. It’s also not horribly great for the hardware — you’re briefly overdriving a bus-driver transistor inside the Cell, and you’re probably doing a little bit of damage each time you do it. It may not matter in the long run, but it just feels wrong.

    I’ve been able to also trigger the exploit by pulling the Vref on one of the XDR chips down to ground — on the whole, it seems slightly less reliable than the RQ2 glitch, but it’s a lot easier on the hardware and a slightly easier place to solder to.

    I think the biggest issue affecting reliability is the timing of the glitch, so I’m putting my effort into fixing that — I think I’ve found a signal I can abuse for the purpose.

  38. There seem to be many people against piracy but none of them seem to be aware that piracy is a lot bigger business than a few companies making games and hardware. Without the possibility to pirate the world loses billions and billions of dollars and a huge amount of work. Monopolies have NEVER been good for any economy, not even in this one. My family for example would buy the software and console and everything just like they do now even with the modchips and whatever but there is a huge number of people who would not even buy the console without a piracy option and when it becomes possible to pirate, people will spend thousands of dollars to pirate just because they do that as a hobby and they have absolutely nothing to do with this industry and not to talk about people who just can’t afford to buy any game … the economy is a lot more complex thing than people realise! The world didn’t end when linux was created or when you are able to read news on the internet, it just changes its form.

  39. Ok guys, this post should deal about the hardware and the method used to trigger the PS3 hypervisor memory access exploit.

    Let’s put this “job” debate away and please post only useful information.

    Do any of you guys have an idea what we can use to eliminate the “push button switch”? Maybe by using a crystal oscillator we can send the pulse? I know the HEF4060B chip can do much the same job as the SX-28 DIP but let’s concentrate on the same DIP.

    Pulling the vref on one of the XDR chips down to ground is not a bad idea though. Personally it’s dangerous, in my opinion, to damage something in this area.. Cell is, for sure, not designed to get too much “stress” on it (by searching the perfect frequency / pulse) but I prefer to stay on the RQ2 since it is also more reliable.

    Still, the next step for me will be to figure out how I can get rid of that switch. It becomes really annoying to mash that button.

  40. What about connecting another line that is under control of the PS3 CPU and use that one to pull down the line used in the hack and do a s/w 40ns pulse from within the actual kernel module ???
    No need to sit and press a button.

  41. umm i was just taking the piss with the whole “piracy creates jobs thing”..

    and yes many ppl have had the same idea about triggering the pulse from some I/O on the PS3 itself. just waiting for someone to actually find some I/O that is useful in a kernel module and can be used without timing/delay issues in the middle of the other code.

  42. The idea I got after reading the exploit code was this:

    Connect a usb-port to an oscilloscope, computer or anything that can be used to time things accurately. Add code to the exploit to send timing pulses just before the kernel lock & irq disable, and just after. Run the exploit a couple of times to get some idea about the precision of the usb-line. Change the code to send 2 values to the usb-line, a sleep value and a value for how long the line should be pulled low. Program the FPGA/computer/whatever to sleep(X) and glitch(Y). Try the exploit with a couple of different parameter values and find the most suitable and stable one. Using a computer would be quite handy as it would be easier for most people to buy a device for interfacing their computer and run code than to program a chip to do things. For now, as this would quite quickly lead to someone programming this on an Arduino/whatnot. It might be even possible to work out the timing for a capacitor/flipflop kludge that would reduce the costs to the price of a usb-chip + some cents.

    Just my 2 cents, I’m not an electric wizard and don’t even have a PS3.

  43. Nevermind…
    I wiki’d it.

    To “take the piss” is an expression meaning to mock, tease, ridicule or scoff.

    I just thought it was a hacking/cracking term.
    Xor…
    Keep up the AWESOME work you do and everything you contribute to “us” whiney consumers. We really do appreciate everything you do.

  44. Pietari : Nice try but nothing really helpful.. what you say cannot be done easily and it is not very logical. Never heard about hacking using the USB port to send pulses but anyway.. thing is.. I don’t have an oscilloscope myself and I’m not sure if Xorloser has one either but George has one.

    Xorloser: are you in communication with GeoHot? Just out of curiosity, where are you guys from? Are you near each other? (Geohot & Xorloser)

    Again, Please share your knowledge, nothing is about glory and copyright here, it is just about hacking the PS3 console for good.
