XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8-, 16-, 32- and 64-bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level, some more syscalls are now added to the hypervisor when the PS3 is initially exploited. These use different syscall numbers from the previous exploit code so that they are grouped together rather than scattered all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting, installed as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for the 64-bit peek and 64-bit poke, but these are no longer set up, so anything written against the old syscall numbers needs to be updated.

Kernel Module Changes

In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address: previously it wasn’t saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls from 32-bit userland code to a 64-bit kernel. When you send the ioctl from your userland code it first passes through a hidden function (the kernel’s 32-bit compatibility layer) that attempts to “make it compatible” before handing it on to the driver, and unless the driver registers its own compat handler that layer only lets through ioctl numbers it already knows about. This was transparently causing some of my ioctls to never reach my kernel code. Things like this are why I hate linux hehe. It looked like fixing this properly was going to require a rebuild of sections of the kernel, so instead I brute-force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using those instead. Since these ioctls are always sent through a handle to the XorHack device I am not too worried about them going astray and wreaking havoc; the one thing to keep in mind is that the numbers which get through are ones the compatibility layer already recognises (i.e. defined for some other driver), so they must only ever be issued on the XorHack device’s file descriptor.

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things: if the address being accessed is aligned it is accessed in a single syscall of the specified size, and if it is unaligned the library either uses multiple smaller syscalls or a single syscall of a larger access size that covers the requested bytes. I also added functions to easily check if the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
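As an added illustration of the alignment handling described above (this is example code written for this page, not XorHack’s own library), the following C sketch backs the peek/poke primitives with a constructed in-memory buffer instead of real hypervisor syscalls. hv_peek and hv_poke are hypothetical stand-ins that, like the real syscalls, accept only naturally aligned 1-, 2-, 4- or 8-byte accesses; xor_read and xor_write hide that constraint from the caller. Reads that are unaligned but fall inside one aligned 8-byte word are served by a single wider syscall and a shift; everything else is split into aligned chunks, widest first, and a counter shows how many syscalls each strategy costs. The post does not say which strategy its library uses for unaligned writes, so the example takes the conservative choice and never widens a write, since a read-modify-write of the containing word would touch neighbouring bytes (a real hazard on memory-mapped registers such as the SPU status register read later in this post). Byte order is big-endian as on the Cell; MEM_BASE, MEM_SIZE and the fill pattern are constructed test data.

```c
#include <stdint.h>

/* Constructed stand-in for memory reached through the hypervisor: a byte
 * array backing hypothetical real addresses [MEM_BASE, MEM_BASE + MEM_SIZE).
 * The Cell is big-endian, so multi-byte values are assembled MSB first. */
#define MEM_BASE 0x1000ULL
#define MEM_SIZE 0x100ULL
static uint8_t g_mem[MEM_SIZE];
static unsigned g_syscalls;   /* simulated syscall count, to compare strategies */

static int in_range(uint64_t a, unsigned w) { return a >= MEM_BASE && a + w <= MEM_BASE + MEM_SIZE; }
static int pow2_width(unsigned w) { return w == 1 || w == 2 || w == 4 || w == 8; }

/* Hypothetical aligned-only peek syscall: rejects widths other than 1/2/4/8
 * bytes and any address that is not a multiple of the width. */
int hv_peek(uint64_t addr, unsigned w, uint64_t *out)
{
    if (!pow2_width(w) || addr % w != 0 || !in_range(addr, w)) return -1;
    g_syscalls++;
    uint64_t v = 0;
    for (unsigned i = 0; i < w; i++) v = (v << 8) | g_mem[addr - MEM_BASE + i];
    *out = v;
    return 0;
}

/* Hypothetical aligned-only poke syscall with the same constraints. */
int hv_poke(uint64_t addr, unsigned w, uint64_t val)
{
    if (!pow2_width(w) || addr % w != 0 || !in_range(addr, w)) return -1;
    g_syscalls++;
    for (unsigned i = 0; i < w; i++)
        g_mem[addr - MEM_BASE + i] = (uint8_t)(val >> (8 * (w - 1 - i)));
    return 0;
}

/* Widest aligned width (8/4/2/1) usable at addr that still fits in `remaining`. */
static unsigned chunk_width(uint64_t addr, unsigned remaining)
{
    unsigned w = 8;
    while (w > 1 && (addr % w != 0 || w > remaining)) w >>= 1;
    return w;
}

/* Read w bytes (1..8) at any address. Aligned: one syscall of that width.
 * Unaligned but inside one aligned 8-byte word: one 8-byte syscall plus a
 * shift. Otherwise: greedy aligned chunks, widest first (each <= 4 bytes). */
int xor_read(uint64_t addr, unsigned w, uint64_t *out)
{
    if (w == 0 || w > 8 || !in_range(addr, w)) return -1;
    if (addr % w == 0) return hv_peek(addr, w, out);
    uint64_t base = addr & ~7ULL, word = 0, v = 0;
    unsigned off = (unsigned)(addr - base);
    if (off + w <= 8) {                                   /* w < 8 here */
        if (hv_peek(base, 8, &word)) return -1;
        *out = (word >> (8 * (8 - off - w))) & ((1ULL << (8 * w)) - 1);
        return 0;
    }
    for (unsigned done = 0; done < w; ) {
        unsigned c = chunk_width(addr + done, w - done);
        uint64_t part;
        if (hv_peek(addr + done, c, &part)) return -1;
        v = (v << (8 * c)) | part;
        done += c;
    }
    *out = v;
    return 0;
}

/* Write the low w bytes of val at any address. Unaligned writes are only ever
 * split into aligned chunks: widening to a read-modify-write of the containing
 * word would touch neighbouring bytes (unsafe on MMIO registers, racy too). */
int xor_write(uint64_t addr, unsigned w, uint64_t val)
{
    if (w == 0 || w > 8 || !in_range(addr, w)) return -1;
    if (w < 8 && (val >> (8 * w)) != 0) return -1;       /* value too wide */
    if (addr % w == 0) return hv_poke(addr, w, val);
    for (unsigned done = 0; done < w; ) {                 /* chunks <= 4 bytes */
        unsigned c = chunk_width(addr + done, w - done);
        uint64_t part = (val >> (8 * (w - done - c))) & ((1ULL << (8 * c)) - 1);
        if (hv_poke(addr + done, c, part)) return -1;
        done += c;
    }
    return 0;
}

/* Demo fixture (constructed data): byte at offset i holds (i & 0xff); resets the counter. */
int xor_demo_init(void) { for (unsigned i = 0; i < MEM_SIZE; i++) g_mem[i] = (uint8_t)i; g_syscalls = 0; return 0; }

/* Read and return the value, or UINT64_MAX if the access was rejected. */
uint64_t peek(uint64_t addr, unsigned w) { uint64_t v; return xor_read(addr, w, &v) == 0 ? v : UINT64_MAX; }

/* Simulated syscalls since the previous call; resets the counter. */
unsigned syscalls_used(void) { unsigned n = g_syscalls; g_syscalls = 0; return n; }
```

On the constructed buffer, peek(0x1001, 2) costs one syscall (the 8-byte word at 0x1000 is read and shifted), while peek(0x1003, 8) straddles a word boundary and costs four (1 + 4 + 2 + 1 bytes) against eight for a byte-at-a-time loop. xor_write(0x1001, 4, 0xAABBCCDD) lands as three aligned pokes and leaves the bytes at 0x1000 and 0x1005 untouched; xor_write(0x1000, 2, 0x12345) is rejected because the value does not fit in two bytes.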

Sample Application Changes

As well as the above additions and changes to the userland code, I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing memory. The ps3peek and ps3poke tools work in a similar fashion. Both can perform 8-, 16-, 32- and 64-bit data accesses and can access multiple units of the chosen size in one call. ps3peek can print data to the screen as hex values and ASCII characters, similar to the display of a hex editor, or output it as raw binary to be redirected into a file. ps3poke does not print data to the screen, but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x1000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64 bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64-bit access is used since it requires eight times fewer syscalls to fetch the same amount of data than the default 8-bit access would.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr

Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. By doing so many tasks can be done, such as setting the registers required to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

920 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit”

  1. To forfeit all credibility I have, unfortunately. I’m going to stick with graf on this and keep it quiet.

    I’d almost apologize, but there are so many arrogant people here.

    /topic

  2. zAxis – if you stay in contact with graf and figure out a new way to publish discussions please post it on PSX-scene so people know where to find him.

  3. Great, people spoofing names... now who knows if graf’s post about the key is real or not... it seemed surprising that he managed to do it so soon after receiving his board.
    Also, I don’t know if zAxis’s post about PSGrade being abandoned is real or not. Either way, if the key is found, let me know, as PSFreedom already supports the jig method and it should work, and I don’t plan on abandoning PSFreedom anytime soon.
    Also, FYI, like I commented on PSGrade’s commits on github, PSGrade will NOT work even with the key. The hashing algorithm is all wrong. PSFreedom *should* work, but that can’t be guaranteed without proper testing.
    Either way, graf, if you see this and if (or when) you have the key, don’t forget about me! :)

    KaKaRoTo

  4. Due to the ridiculous number of worthless posts, I have decided to moderate all posts for a while.

    I will only be allowing useful posts, that is posts that give actual information or ask actual meaningful questions. All other posts will go into the trash.

    I will not allow any posts asking about when keys or other crap will be released. I will also not allow any “good work guys” style posts, not because I don’t think the work is good, but merely because I don’t want this comments section filling up with more unneeded posts that make it hard for people to find the real info in between.

    Since I will have to confirm every post, it may take a number of hours even for worthwhile posts to appear. This is because I have many other things better to do than moderate posts 24/7. When I get time I will see about going back through the existing posts and removing all the crap posts, just leaving the useful ones. But this may or may not happen as my time is limited as it is. (If I had more time I would do useful things like more actual posts on this blog :P)

  5. Guys, I was not idle again :-) I’m now able to decrypt lv2_kernel.self, ps2_emu.self, ps2_softemu.self and ps2_gxemu.self from 3.41 firmware by using metldr and lv2ldr directly. I’m working now on 3.50 decryption :-) $ONY changed something in 3.42 and 3.50 :-)

    lv2_kernel.self
    http://pastie.org/1353785

    ps2_emu.self
    http://pastie.org/1353794

    ps2_softemu.self
    http://pastie.org/1353804

    ps2_gxemu.self
    http://pastie.org/1353806

    I will make everything public very soon, as usually :-)

  6. I will soon have my PS3 at home. It comes with 3.40 firmware. I would like to use it for productive work like yours, graf_chokolo. I have experience in embedded programming, x86, etc. I have also done a lot of reverse engineering of PC software and embedded microprocessors, just for studying purposes. What do you recommend I start with? What tools do I need? I would love some architecture information about the PS3. Also, is there a way to downgrade to 3.15? It seems that is the only way to exploit the console, right?
    Well, sorry to bother you with these newbie questions, but I am really interested and inspired by graf_chokolo’s work. THANKS!

  7. Graf, would it be possible for you to give more details on how to get your payload working?

    I can compile bootstrap without problem, convert it to HEX using bin2hex, then substitute the psgroove payload in port1_config_descriptor – and pad it properly (so that the payload size remains 3840). However, the PS3 freezes completely on boot, and I can’t seem to get the payload working. Tried using different psgroove revisions, as well as PL3 – but no luck. Tried compiling psgroove for Minimus 32 (atmega32u2, then at90usb162) as well as flashing it onto a PS3USBJailbreak device – but end up with a frozen PS3 as well (it freezes shortly after the USB devices get initialized).

    Which psgroove revision are you using? Could you post your HEX file by any chance? Or full port1_config_descriptor?

    Thanks Graf, and keep up the good work :)

    P.S: Now it occurred to me that I’ve never tried using sendfile to send the payload.bin while PS3 was in that frozen state. Does PS3 boot into XMB with your payload at all? :)

  8. Graf, on a sidenote have you checked the repository ? Could you hop on the chan later on ? Thanks

  9. @cmpd

    You definitely need very good ASM knowledge in PPC of course :-) And knowledge about operating system design like Linux, BSD or other Unix would help a lot :-) IBM and $ONY provided us with a lot of free useful documentation about the Cell CPU and other stuff. And look at my HV reversing page.

    @Anonymous

    Yeah, if GameOS freezes then it’s a “good” sign :-) My code doesn’t use any GameOS functionality. Try to send a payload.bin to the PS3. Sniff with wireshark and if you see ACKs coming from the PS3 then it works :-) I can send you my payload header for PSGroove via email if you want. If you still have problems then you can write to my email and I will try to help you if I can.

    I’m using an old version of PSGroove, I think, haven’t updated it for months. I just programmed my JIG once with the bootloader and after that just change payloads. Don’t need to change the bootloader very often.

    @Mathieulh

    I’m back on channel today in the evening.

  10. hi graf, any chance you can email me on ash.warrington@gmail.com? I would like to help with things and zaxis said to speak to you. I also have msn and stuff; do you use any irc servers? And good job xorloser, it is about time your blog got moderated. I am willing to set up a forum and irc server for all the devs if they want it, but need to know.
    Regards,
    ash
    aka serveroverload on psx-scene

  11. jig master key

    0x32, 0x78, 0x57, 0x2D, 0x90, 0x90, 0xD5, 0xAC, 0xAE, 0xF9,
    0x03, 0xCA, 0x1A, 0xB6, 0x5E, 0xF1, 0xB7, 0x69, 0x4C, 0xDE,

  12. I got the master key its “0x32, 0x78, 0x57, 0x2D, 0x90, 0x90, 0xD5, 0xAC, 0xAE, 0xF9, 0x03, 0xCA, 0x1A, 0xB6, 0x5E, 0xF1, 0xB7, 0x69, 0x4C, 0xDE” can somebody test it?

  13. 0x32, 0x78, 0x57, 0x2D, 0x90, 0x90, 0xD5, 0xAC, 0xAE, 0xF9, 0x03, 0xCA, 0x1A, 0xB6, 0x5E, 0xF1, 0xB7, 0x69, 0x4C, 0xDE, Have a nice day xD

  14. @graf
    it seems that is a master key hope that help ur work
    32 78 57 2D 90 90 D5 AC AE F9
    03 CA 1A B6 5E F1 B7 69 4C DE

  15. hey Graf

    congrats on the hard work,
    is there anyway that the new 3.55 f/w can
    be Decrypted using your tools? and see what has been modified
    between 3.50 and 3.55?

    cheers and keep up the hard work

  16. Hey, Graf you seem to know a lot about PPC. I need help, the IBM resources don’t go into any detail on the ‘mr’ instruction. If you know, could you explain what exactly the ‘mr’ instruction does with an example?

    Thank you.

  17. @graf_chokolo

    Is the transition from x86 ASM to PPC ASM a steep learning curve? I’ve never worked outside of x86 but am thinking of looking at PPC because the PS3 is such an interesting target :)

  18. Thats the right one:

    0xAAAA dongle key: 0x04, 0x4E, 0x61, 0x1B, 0xA6, 0xA6, 0xE3, 0x9A, 0x98, 0xCF, 0x35, 0x81, 0x2C, 0x80, 0x68, 0xC7, 0xFC, 0x5F, 0x7A, 0xE8

  19. The key from KaKaRoTo for 0xAAAA dongle id is fine :-) Just tested it by communicating directly with USB Dongle Authenticator from GameOS through DM VUART. Congratulations KaKaRoTo :-) Good work :-)

  20. @graf_chokolo: I told @dashhacks to send you the bounty, he’s looking for you for the money transfer. Can you contact him (or me and I can relay) ?

  21. Pingback: PSGRADE finally WORKING! - Attached Complied Hex's for All Boards! - Page 6 - PSX PS2 PS3 Scene Modchip & Jailbreak Community

  22. nope it is 04 4E 61 1B A6 A6 E3 9A 98 CF 35 81 2C 80 68 C7 FC 5F 7A E8 – it was obfuscated…

  23. @graf_chokolo: Of course it worked, I tried it before announcing it :p
    Still waiting for you to contact me or dashhacks : http://www.ps3-hacks.com/2010/12/07/psfreedom-now-supports-factoryservice-downgrade-mode/

    @TehProZ
    ‘mr A, B’ == ‘Move Register B into register A’, it’s the simplest of the instructions.

    @*M*: I had never seen PPC assembler before starting PL3, it’s really a LOT easier than x86, there’s always a learning curve but it’s much easier than other assembly languages, It’s really intuitive and easy to learn. Give it a shot!

  24. hi, devs. can you, please make a diagram for the booting process. something like bootrom–>lv1ldr–>lv1–>lv2ldr–>lv2. otherwise, it is not always clear what is achieved and what is not.

  25. Any news on the X3MAX?

    @KaKaRoTo and graf_chokolo:
    Will you be editing the .bin files and porting them over to the X3MAX?
    I would assume, I may be WAY off due to my lack of knowledge, that using the X3MAX’s Generic .BIN’s you would be able to modify and edit them with the released downgrader .BIN’s…

    As far as I can tell the .hex files released with PSGrade are not working with X3MAX so assuming again that I am near the right path the .bin editing might be the only solution here correct?

  26. do you know why downgrade is not working with original 3.41 pup file? (with 3.50 installed)
    is psjailbreak 3.41 modded pup file a signed pup? how they managed to do this?
    how do you think geohot resigned 3.21 custom pup?

    read this too (shoutbox of logic-sunrise.com):
    7 DEC
    [18:30] Math, do you think x3max jb is real?
    [18:30] and how tall r u?
    [18:30] it’s real
    [18:30] they use it as a root key for beta internal shit
    [18:31] and seems like they never changed it

    what is this root key? :)

    @graf_chokolo: btw i never upgraded my ps3 40gb, is always with original 3.15, i’m repairing bluray too, let me know if you need it for future tests :)

  27. @Franchise
    if your x3max uses atmel avr microcontrollers that are lufa-lib compliant then you can compile psgrade for it, otherwise no luck… :(

  28. @TehProZ
    first try to read as much as possible on computer architecture. Try to understand how a computer works, what a machine cycle is, how instructions are loaded and what instructions do what. Then read about common instructions like register manipulation, arithmetic instructions, shifts, rotates, comparison and branching. Then learn about stacks, stack frames and learn the ABI of the architecture. And I think you will be ready to go….. good luck on that… 😀

  29. I just released my lv2 kernel decrypter :-) You need metldr, lv2ldr, RL_FOR_PROGRAM.img and lv2_kernel.self. You first have to dump your metldr from FLASH memory. lv2ldr you will also find in your FLASH memory or in the decrypted CORE_OS_PACKAGE.pkg from PUP files.
    RL_FOR_PROGRAM.img is a revoke list for programs and can be also found in PUP files. lv2_kernel.self is on your FLASH memory or in decrypted CORE_OS_PACKAGE.pkg.

    First I send all files to the PS3 and store them in memory. After that I load metldr in isolation mode and pass it the address of lv2ldr. The code is very low level and many things are done by directly manipulating SPU registers :-)

    If you have any questions or problems then feel free to contact me or ask here. I will try to help you. I will try to document my findings on my homepage :-)

    I also uploaded code which can communicate with the USB Dongle Authenticator by using the Dispatcher Manager without using any GameOS functions :-) It’s exactly what GameOS does, just low level :-)

    Have fun guys :-)

  30. Obviously the modified pup has a signed key. Was the original jailbreak team the ones to release it? (leak) If so they may have the key; would it be possible to compare the original 3.41 and the modified one to retrieve the key? Or maybe the jailbreak team was expecting sony to do this, and now in the next day or so they’ll release 3.55 downgrader software. Who knows, but in my opinion this “PS jailbreak team” sounds suspicious. Either they are A+ thieves and getting all their code in secret, or they are sony…

  31. @invalid
    I have NO IDEA what that meant lol…

    I have the X3MAX that has been shipping as of lately, I actually have a business account with them and have 50 of them left haha..

    How would I go about checking to see if it is what you said, or is anyone in the process of compiling or porting an X3MAX Compatible .bin or .hex?

    This is what I am getting with ALL of the .hex files that have been released over the past few days…

    “File does not contain valid descriptor. Please try another HEX file”

  32. About modified and original pups:
    http://img263.imageshack.us/i/80831785.jpg/

    Uploaded with ImageShack.us (http://imageshack.us)

  33. @novice: this is just the HMAC SHA-1 for the modded 3.41 pup; what really changes is dev_flash3 inside update_files.tar (swapped with a “debug” one). What we need is to know how to recalculate a new hash for a modded pup.
    I think it’s the same method used by geohot; many sources say that he stole the new hash from ram to rebuild the custom pup, but only graf_chokolo can enlighten us about these things :)
    Is it possible to steal the “final check about [our hash]==[what_should_be] hmac sha-1 hash”??? (in this case just to build a new pup with already signed files)
    Is it possible with geohot’s exploit to access lv1 and the loaders, to read the unencrypted HMAC key? (after that I think everyone will be able to recompile files, packages, pups….)

  34. For the gurus here,

    If FW3.51 is just revoking the lv2diag.self file… would that mean if a new lv2diag.self gets leaked we would have downgradability till that point in time?

    I mean till a new FW version appeared that revoked that same new lv2diag.self…

    And moreover, if we still have service mode, couldn’t we crack revocation? I assume we would need some way to have lv1 access *in* the service mode session

    and I am thinking/wondering if we can use a hybrid dongle ( service mode stuff + jailbreak stuff ) for the second reboot where the ps3 is about to enter

    service mode… so with this jailbreak part and the memory write glitching pulse we could have lv1 peek+poke *in* service mode session… maybe with that

    we could force revoked lv2diag.self load and we would be back in business…

    But I prefer the idea of being able to decrypt future firmwares+selfs and being able to bootstrap new firmwares from usb…

    Good luck guys, and thank you !

  35. Also, yes, I know there is no jailbreak exploit on firmwares over 3.41 but, if some rumors about the x3max 3.50 jailbreak are true ( see elotrolado.net… ), the 3.50 jailbreak is achieved via a downgrade to the old 1.50 fw and then a “controlled” upgrade to 3.50 fw where some of the written parts are from 3.41 fw, making the written fw a still vulnerable 3.41 + 3.50 hybrid.

    If these rumors are true, we would have a “chained” way of keeping the exploitation even if lv2diag.selfs were revoked…

    does this still make sense to you?

  36. Guys, just to make sure that you know :-) LV2 decrypter is also PS2 emu decrypter, just change LPAR auth id in code :-) PS2 emu is like GameOS, it’s LV2 and is decrypted by lv2ldr :-)

  37. Now that we can all enter Service Mode and downgrade firmware will it even be possible to “marry” a new drive board to the ps3 mainboard?

  38. How exactly did sony block the jailbreak in 3.50? Does anybody know? We are able to get into service mode on 3.55, but cannot downgrade due to a change in lv2diag.self (from what I’ve heard). Has anybody tried putting 3.55 on a flash drive and trying to load it? Maybe they just blocked any previous firmware from being installed, but will allow new (possible way for custom firmware). I would test these things out, but I’m waiting for my e3 downgrade to get here, and it still hasn’t even been shipped, it’s been 3 days now :/

    If we can figure out how to get modified pup to load in service mode, we can enable jailbreak on 3.50, as stated by c0de90e7. that very well could be what x3max was offering too, but since 3.55 came out, maybe thats why they’ve been delayed and no further notice has been revealed.

    BTW, how was otheros disabled in 3.21? Could studying 3.15 (Jailbreak mode) and decrypting the otheros.self on both 3.15 and 3.41 enable it in future firmwares? I wish someone could check this out for me, it’s been bugging me, but I can’t jailbreak anything to find out. The only dongle I have is the ps jailbreak clone, and it’s not upgradable. Thus, practically useless.

    All my statements are just theories, and ideas. =)

  39. @graf_chokolo: reading some stuff on the web, I read that the HMAC key is in software_update_plugin.sprx loaded by appldr.self, is it true? :)

  40. Apparently there is a chance the hmac key for the PUP is located in the software_update_plugin.sprx file. Could someone try decrypting it? Maybe we’d find some ways to achieve it. If we get the hmac key, we can make a custom 3.55 firmware. (Much like how the jailbreak team created the custom/modified 3.41)

    After some research on all this, I can almost guarantee that x3max activates service mode and applies a custom 3.50 (was the latest firmware at that time) firmware, since obviously they have the HMAC. In other words it is most likely they’ll release an encrypted hex for their dongles to make money, allowing service mode and installing 3.55 modified firmware (enabling jailbreak). If this is true it will ONLY work on 3.50 to start, not 3.55, however you’ll end up in a custom 3.55 firmware.

    If all this is correct. Welcome to the world of custom firmware. =)
