XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level, some more syscalls are now added to the hypervisor when the PS3 is initially exploited. These use different syscall numbers from the previous exploit code in order to group them together rather than scattering them all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting, as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer set up.

Kernel Module Changes

In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn’t saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code: when you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before passing it on to the kernel, and this was transparently causing some ioctls to never reach my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using those instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things: if the address being accessed is aligned it will be accessed in a single syscall of the specified size, and if it is unaligned the library will either use multiple syscalls or a single syscall of a larger access size. I also added functions to easily check whether the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
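To make the alignment rule concrete, here is an added example (my own illustration, not code from the XorHack library) of how a user-side read can hide alignment from the caller. The peek "syscall" here is a stand-in named hv_peek that reads from a constructed 64-byte buffer and refuses unaligned accesses, the way a real aligned load would; xh_read and xh_read_checked are hypothetical names, and the XorHack library's actual functions are not used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for hypervisor memory: byte i holds the value i. */
#define MEM_SIZE 64
static uint8_t fake_mem[MEM_SIZE];
static int fake_mem_ready;

static void init_fake_mem(void)
{
    if (fake_mem_ready) return;
    for (size_t i = 0; i < MEM_SIZE; i++) fake_mem[i] = (uint8_t)i;
    fake_mem_ready = 1;
}

/* Stand-in for the size-specific peek syscalls (hypothetical, not XorHack's
 * real interface): width is 1, 2, 4 or 8 and addr must be a multiple of it,
 * as a real aligned load would require. Counts each call; -1 on a bad access. */
static int hv_peek(uint64_t addr, unsigned width, uint8_t *out, unsigned *ncalls)
{
    init_fake_mem();
    if (addr % width != 0 || addr + width > MEM_SIZE) return -1;
    memcpy(out, fake_mem + addr, width);
    (*ncalls)++;
    return 0;
}

/* Read len bytes at addr with the requested access width, hiding alignment
 * from the caller. Aligned requests use single accesses of that width.
 * An unaligned request that fits inside one naturally aligned 8-byte word
 * uses one wider (64-bit) access and extracts the wanted bytes; otherwise
 * it is split into the largest aligned accesses that do not exceed width.
 * Returns the number of syscalls issued, or -1 on error. */
int xh_read(uint64_t addr, unsigned width, uint8_t *dst, size_t len)
{
    unsigned ncalls = 0;
    if (width != 1 && width != 2 && width != 4 && width != 8) return -1;
    if (len == 0) return 0;

    if (addr % width != 0 && len <= 8 &&
        (addr & ~7ULL) == ((addr + len - 1) & ~7ULL)) {
        uint8_t word[8];
        uint64_t base = addr & ~7ULL;
        if (hv_peek(base, 8, word, &ncalls) < 0) return -1;
        memcpy(dst, word + (addr - base), len);
        return (int)ncalls;
    }

    size_t done = 0;
    while (done < len) {
        uint64_t a = addr + done;
        size_t remain = len - done;
        unsigned w = width;
        /* shrink until the access is aligned and does not overrun the request */
        while (w > 1 && (a % w != 0 || w > remain)) w >>= 1;
        if (hv_peek(a, w, dst + done, &ncalls) < 0) return -1;
        done += w;
    }
    return (int)ncalls;
}

/* Reads and verifies that byte i equals addr + i (the pattern written by
 * init_fake_mem). Returns the syscall count, or -1 on error or mismatch. */
int xh_read_checked(uint64_t addr, unsigned width, size_t len)
{
    uint8_t buf[MEM_SIZE];
    if (len > sizeof buf) return -1;
    int n = xh_read(addr, width, buf, len);
    if (n < 0) return -1;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != (uint8_t)(addr + i)) return -1;
    return n;
}

int main(void)
{
    printf("aligned   8-byte read  @0x00 x8 : %d syscalls\n", xh_read_checked(0, 8, 8));
    printf("unaligned 4-byte read  @0x02 x4 : %d syscalls\n", xh_read_checked(2, 4, 4));
    printf("unaligned 8-byte reads @0x03 x16: %d syscalls\n", xh_read_checked(3, 8, 16));
    return 0;
}
```

The 16-byte read at address 3 shows the splitting path: one 1-byte access, one 4-byte access, one full 8-byte access, then a 2-byte and a 1-byte tail, five syscalls in all, whereas the 4-byte read at address 2 fits inside the first 8-byte word and is served by a single wider access.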

Sample Application Changes

As well as the above additions and changes to the userland code, I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple units of the chosen data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters, similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen, but can write data to memory from values passed on the command line or values read from a file.
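As an added illustration of the hex-editor style output described above (my own example, not the ps3peek source), the formatter below groups the bytes by access width and prints them in memory order, which on the PS3's big-endian PowerPC is also the natural value order. The function names, the 16-byte sample data and the address 0x100000 are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Format one line of up to 16 bytes: 64-bit address, the bytes grouped by
 * access width (1, 2, 4 or 8) in memory order, then an ASCII column with
 * non-printable bytes shown as '.'. Missing bytes on a short last line are
 * padded so the ASCII column stays aligned. Returns the length written,
 * or -1 on bad arguments or insufficient space. */
int format_dump_line(uint64_t addr, const uint8_t *data, size_t n,
                     unsigned width, char *out, size_t outsz)
{
    if (n > 16 || (width != 1 && width != 2 && width != 4 && width != 8))
        return -1;
    size_t pos = 0;
    int k = snprintf(out, outsz, "%016llx: ", (unsigned long long)addr);
    if (k < 0 || (size_t)k >= outsz) return -1;
    pos += (size_t)k;
    for (size_t i = 0; i < 16; i++) {
        const char *sep = ((i + 1) % width == 0) ? " " : "";   /* group boundary */
        if (i < n) k = snprintf(out + pos, outsz - pos, "%02x%s", data[i], sep);
        else       k = snprintf(out + pos, outsz - pos, "  %s", sep);
        if (k < 0 || (size_t)k >= outsz - pos) return -1;
        pos += (size_t)k;
    }
    if (pos + n + 3 > outsz) return -1;   /* '|' + n chars + '|' + NUL */
    out[pos++] = '|';
    for (size_t i = 0; i < n; i++)
        out[pos++] = isprint(data[i]) ? (char)data[i] : '.';
    out[pos++] = '|';
    out[pos] = '\0';
    return (int)pos;
}

/* Dump a whole buffer, treated as starting at base, 16 bytes per line. */
void hexdump(FILE *fp, uint64_t base, const uint8_t *data, size_t len, unsigned width)
{
    char line[96];
    for (size_t off = 0; off < len; off += 16) {
        size_t n = len - off < 16 ? len - off : 16;
        if (format_dump_line(base + off, data + off, n, width, line, sizeof line) < 0)
            return;
        fprintf(fp, "%s\n", line);
    }
}

/* Constructed sample bytes: printable text mixed with control bytes. */
static const uint8_t sample[16] = {
    'P', 'S', '3', ' ', 'h', 'v', 0x00, 0x01,
    0x02, 0x03, 0x7f, 'A', 'B', 0xff, '\n', ' '
};

/* Format the first n sample bytes at a made-up address; NULL on error. */
const char *sample_line(unsigned width, size_t n)
{
    static char line[96];
    if (format_dump_line(0x100000, sample, n, width, line, sizeof line) < 0)
        return NULL;
    return line;
}

int main(void)
{
    hexdump(stdout, 0x100000, sample, sizeof sample, 4);
    hexdump(stdout, 0x100000, sample, 5, 1);
    return 0;
}
```

With a 4-byte width the sample prints as `50533320 68760001 02037f41 42ff0a20 |PS3 hv.....AB.. |`; with an 8-byte width the same bytes pair up into two 64-bit values, which is the grouping you get when you dump with `-d 8`.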

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x1000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires eight times fewer syscalls to retrieve the same amount of data than the default 8bit access would.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr..

Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. In this way many tasks can be automated, such as setting the registers required to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

920 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit”

  1. I found this image: is it the blue circled pathway or the red dotted one lol. Didn’t know if the red way a upper-left dot. Thanks, also great work, much improved over the original

  2. Looks like things may soon get really interesting with lv2 dump out in the open now

  3. Firstly, my thanks for an excellent set of tools. Cracking job. I’ve begun looking through the xorhack source now that I have the exploit working reliably on my PS3 and noticed in dumpbl.c that two addresses are defined (DUMP1_ADDR and DUMP2_ADDR) but both are set to the same location.

    The addresses are then used as part of the function that dumps the BL code:

    printf("\nPS3 is version: v%s\n", get_ps3_ver_str());
    xorhack_get(test1, DUMP1_ADDR, sizeof(test1));
    xorhack_get(test2, DUMP2_ADDR, sizeof(test2));
    if( test1[0] == test1[4] )
    {
        dump_mem_to_file(DUMP1_ADDR, DUMP_SIZE, DUMP_NAME);
    }
    else if( test2[0] == test2[4] )
    {
        dump_mem_to_file(DUMP2_ADDR, DUMP_SIZE, DUMP_NAME);
    }

    which is what got me started on posting in the first place: why compare the first and fourth elements of the test arrays when dumping the bootloader (it doesn’t appear in the ROM and HV dumping code)?

    Perhaps more importantly from my POV, why would one expect these elements to be the same?

    Again, thanks for a great set of tools, lovely code and for taking the time to doc things. Brilliant research fun.

  4. KrisAbsinthe: i took that picture, it is from one of my previous posts. please read back over the posts about ps3 exploit hardware for the full info on it.

    covenant: in dumpbl.c if you look a bit closer you will see that DUMP1_ADDR and DUMP2_ADDR are actually different addresses, not the same. the comparison you talk about is checking which address the bootloader exists at, since the same 32bit value is at offset 0x00 and 0x10 in the bootloader. the bootloader is at a different address depending on whether you have an older ps3 or newer ps3 which is why this check is necessary.

  5. I see the mistake I made in reading the two addresses now. Makes perfect sense. Thanks for the quick reply!

  6. One follow on question: how did you establish that the values at offsets 0x00 and 0x10 would be the same for the bootloader?

    Finally, I am interested in contributing any findings I make with the tools/exploit but am unsure where the priorities presently lie. If you are so inclined, would you drop me a mail and perhaps we could exchange ideas as to which priorities best fit the skills/experience I can bring to bear?

  7. Hey Xorloser!

    Some guys and myself on #PS3dev have started a project on improving xorhack. Would you mind if we set up a project for it on Assembla or Github so we can work on it together?

    So far we are having difficulties with the sharing of source files so we decided to make an SVN or something.

    The guys working on xorhack so far are TitanMKD, covenant_, makeclean, myself (Disane).

    Let us know what you think…

  8. A small update to xorhack_sc.h and probably the last from me for a while as I need to get to grips with IDA now:

    http://pastebin.com/vszR9TZt

    This version is rather verbose as it also contains most of the notes I collected from the ps2dev wiki, as much code as I can put together around the undocumented calls (based on present knowledge – hence IDA) and a number of corrections to typos, mistakes etc. The xorhack tools compile cleanly with this version of xorhack_sc.h on my PS3 (Ubuntu 8.10).

    I hope it is of some use.

  9. Hey Xorloser !

    I know you haven’t even answered on my previous messages, but are you planning to port Xorhack to the latest Linux Kernel (2.6.31-20 for example) ?

    I’m asking this, because I would like to delve deeper into Xorhack and perhaps fix it so that it would run on latter linux kernels.

    So far the problem is that ‘irq_to_desc’ cannot be found in asm/irq.h, but you can find it in irqnr.h. This is the problem I ran into on my Ubuntu 9.10 with kernel version 2.6.31-20.

    A friend of mine, Jestero, has managed to compile and run Xorhack 2.0 on his Ubuntu 8.10 (Kernel 2.6.27) and found out that the HTABs are not written automatically. So this must be fixed in the future versions of Xorhack (if this can be fixed). I haven’t looked deeper into the problem, which is why I’m asking if it’s even worth looking into, or maybe you have already solved the problem but haven’t made it public yet.

    Thanks for your answer in advance.
    Disane

  10. covenant: i found the correlation between offset 0x0 and 0x10 by working out the small part of metldr/bootloader that isn’t just entirely encrypted or random bytes.

    disane: xorhack is more a low level library to facilitate the easy development of other things. the apps that are included with it are just examples of how to use it to make useful apps. for this reason i do not plan to extend it much more than it is now as it already pretty much does everything required at this level. fixes would indeed be done if required and i will include the updated xorhack_sc.h file that you have worked so diligently on.

    that said if you wish to make any public project based upon xorhack go for it, that’s exactly what it was made for. it comes with full source code too, so you can always make any changes or whatever you want.

    i have noticed some memory access issue that needs fixing, but not had a chance to look through the exploit code to work out what might be wrong. i have been doing other things recently but might have some time to look back at ps3 stuff this week so if i fix the memory issue or if you or anyone else has any ideas on it i’ll see about a v2.1 release :)

  11. Hey Xorloser!

    Thanks for answering. I believe TitanMKD was working on a SPU_dev class to make SPU isolation easier and to make Metldr load. Also he talked about some kind of exception handler that would prevent the system from going into panic mode. He’s been doing lots of trial and error with makeclean to try and communicate with the metldr. They were a bit upset about the system always panicking when something went wrong.

    I just wanted to add the hypercalls so i could play around with them see what they do. But now that we have lv1 dumps we can go further and find out what they do by reversing them.

    Anyway I’ve also been trying to look for any possible exploits in fw 3.15 regarding the hypercalls. My idea is that there might be calls that could crash the system so that we could inject code (unhandled exceptions or something). Or perhaps overflow some hypercalls by passing them long arguments. These might be amateur methods, but at least I’m trying 😛

  12. I am out of place here although I want to join in on the experiment, I still do not want to break my ps3. If I get this far with the Hypervisor please continue with level 3 HV dump. Also, in between spending time and money: on a level 2 dump and the correct system calls, could 3D emulations be played. My goal is to be able to use the ps3 as a ppc and run n64 emulators and DreamCast Emulators. iso’s would be fun also but I kind of enjoy the blu ray packaging. :) Just want to be sent in the right direction. I have a friend that can do the sys calls and I am somewhat of a hardware guy. Do you, Xorloser, know for sure that it is possible to run 3D Roms on ps ubuntu? What is possible with level 2 with gaming? What is possible with level 3 dump with gaming? Am I going to have to buy a new ps3 phat off of E Bay or Amazon from destroying a 500GB ps3? I have all 2d emulations including Dos and Mednafen, snex etc. My goal is to be able to emulate ps2 games and purchase ps3 games in their nice blu ray package. I ask the simple questions because I think in simple terms: what can be done through these findings? What is the Xorhack going to do? I made the Micro controller purchase and Tool kit for opening my ps3 up for surgery. Is it going to be worth it? I’m all in and if I have to spend another $1,000 on a old school ps3, so be it. I’m at the point of no return. I truly hope something good like 3D Emulators comes out of all this. ISO files are also a plus yet still down the road as far as I know. Maybe Infectus chips will do all the work for us one day? lol for now, I’ll stick with the SX Controller method. Cheers on all the new findings and please show some 3D games in action. Maybe a ps1 or ps2 EMU? Now that would truly be awesome!!! I’m just a fan following in the foot steps of Giants…I’ll post something once the soldering begins after my microcontroller kit arrives. Then I’ll have some real simple works or does not work input.

    I need a clean area and all the tools ready before I begin, then we’ll see about not only producing 3D images as seen on you tube, but 3D Emulators and getting the ps3 acting as a true Power Personal Computer. I know, I’m just a noob with a dream and maybe one day I’ll find my own self living that dream of an all in one system. :))

  13. Q: What size of wire exactly shall I use for the connection between motherboard and Micro controller? I know it’s small wire but what size should I pick up from my local radio shack? I want as small of a surge as possible as to not short out my cpu ppc ps3…

  14. @ Mattew

    I can’t really answer on your first post. Good luck reversing the hypercalls though. Your friend will have a hard time figuring them out and how to use them :-/

    You need a pretty short wire; also buy an isolated switch (yeah that big switch with dielectricum protection on it). It makes the hack much more stable and won’t randomly crash your PS3 when you press the glitch button. Since the wire will act as an antenna you might want to buy a wire that is protected well against signals coming from the environment.

  15. Mathew: I don’t think this hack is for you. For one thing you say that you want to play PS3 games, but newer games and online play will require updating your PS3 past firmware v3.20, which will remove your ability to run this exploit.

    If you want to run emulators try a PC, emulators run best on it. If you want to use a console to run them then I suggest an xbox1, they are cheap and easy to mod to run the many emulators that have been ported to it.

    As for the wiring, I just used quite fine wiring often sold as “mod chip” wire. Keep it as short as possible and where you route the wire makes a big difference. If it causes trouble try moving it around so that it lies next to different components to try and reduce any induced interference in the wire.

    Disane: If by “switch” you refer to the button you press to trigger the exploit then it does not have to be anything special. This is because the switch is only connected to the microcontroller, not the PS3 itself. The microcontroller code has some simple debounce logic to only send an “exploit trigger pulse” to the PS3 once and then delay for a small amount of time. For this reason a “dirty” switching signal does not matter. If you refer to inserting an extra switch on the wire between the PS3 and the microcontroller that you plan to toggle while the PS3 is running, then a better switch might be of use.

  16. xorloser: Disane is referring to an additional switch, midway between PS3 and the SX28 proto board, as I currently have. I followed the setup you described and it works beautifully but I found the PS3 was very unstable, I got a lot of video glitches and increasing environmental noise (e.g. taking the side off my PC to which the SX-KEY is attached) made this even worse. Admittedly, the environment I have the PS3 in is not really sympathetic to electrically sensitive devices; lots of other consoles and PCs nearby.

    To address this, I initially put a small toggle switch between the SX28 and PS3 and, whilst better, this was still unsatisfactory as the ends of the cables were exposed and I didn’t like the prospect of finger static disasters! I finally opted for a large rocker switch (a small light switch really) and some hot glue to keep the fine Kynar 30AWG fixed and protected.

    This solution is robust and functions very well; the improvement in stability is startling. With my initial setup, I would be lucky to get 15-30 mins exploiting/exploited. With the isolation switch in place, the PS3 is up for days exploited (unless I do something dumb with the code I am playing with… which is often :)).

    Thought it worth describing in case it’s of any use to anyone.

  17. Xorloser,

    Hi, I just want to know if somebody is working on ps3slim or whether I have to buy a phat ps3 to begin applying the exploit?

    thanks, and nice work.

  18. @rockmetal: you need to do the exploit on “other os”. since ps3-slim has no other-os feature (like ps3-phat > 3.20) …

    i think you should be able to answer the question on your own now.

  19. Jaicrab has done a lot of work based on your xorhack software. He needs a bld file in order to get a clean dump and find the key. I know you have currently made a huge contribution to the ps3 scene but i think you guys should work together

  20. What JaicraB needs is someone to integrate parts of Xorhack into his BootLoader. Well I think he should be able to do that alone.

  21. @Ask
    Look if you find any vulnerabilities in the browser (which means you dumped it somehow), then I’m sure you’ll know how to exploit it. Other than that contact me and we can discuss the rest. But I hope you’re talking about a “legit” vulnerability and not some speculation (which most people come up with).

  22. @Disane

    It’s not speculation: the browser crashes and everything stops working, pressing any button won’t work. I think it is a heap/stack overflow or memory corruption bug.

    i know test firmware is able to turn “Core dump” on, but i don’t know how to install the test (or call it debug) firmware.

  23. Leave a message on #Efnet #ps3dev or just come over there and pm me. So we can discuss how you managed to crash the browser. Can you make it happen multiple times or it only happened once. What are the conditions you need to create?

  24. I was analyzing the memory dump of the hypervisor and found some interesting stuff.

    hvcall table: 0x003601E4
    lv1_invalid_hvcall: 0x002BF1E4
    lv1_get_logical_partition_id: 0x002E0984
    system_call_int (aka hvcall): 0x00000c00

  25. It seems that the hypervisor saves some important context information in register HSPRG0 :-)

  26. graf_chokolo: Use Xorloser’s IDC script to view more details inside the lv1 dump. Almost every single hypercall was recognized apart from the unknown hypercalls which are believed to be called by lv1_mm_call(). Though it’s now invalid in Linux :-/

  27. Found strlen function. Address: 0x002AFCC4
    It is used a lot in the code, i think to output strings on console :-)

  28. Yeah. It’s pretty simple if you know PowerPC assembler :-)

    Code snippet:

    —————————————————————————
    ROM:002AFCC4 mr %r9, %r3          # r9 = pointer to the string
    ROM:002AFCC8 li %r3, 0            # r3 = length counter, starts at 0
    ROM:002AFCCC lbz %r0, 0(%r9)      # load the first byte
    ROM:002AFCD0 cmpwi cr7, %r0, 0    # empty string?
    ROM:002AFCD4 beqlr cr7            # yes: return with r3 = 0
    ROM:002AFCD8
    ROM:002AFCD8 loc_2AFCD8:
    ROM:002AFCD8 addi %r3, %r3, 1     # length++
    ROM:002AFCDC lbzx %r0, %r3, %r9   # load byte at string[length]
    ROM:002AFCE0 cmpwi cr7, %r0, 0    # terminator reached?
    ROM:002AFCE4 bne cr7, loc_2AFCD8  # no: keep counting
    ROM:002AFCE8 blr                  # return with r3 = length
    —————————————————————————

    INPUT:
    r3 – address of string
    OUTPUT:
    r3 – string length

    And i found a lot of places where this function is used to obtain the length of a string and print it on console, like error messages.

    For example this piece of code prints “new ATA_Command ERROR\n”:

    ROM:0026075C ld %r4, -0x5a98(%rtoc)
    ROM:00260760 std %r9, 0x580(%r30)
    ROM:00260764 bl print_str

    %rtoc – pointer to TOC = 0x0000000034cc48
    -0x5a98(%rtoc) = 0x00000000315528 = pointer to “new ATA_Command ERROR\n”

    And i think i found console output functions which prints strings or numbers.

    print_str: 00266ED8
    print_number: 00268E44
    print_console: 002AFEF8
    printf: 00290FFC
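As an added example, not part of this comment or of any PS3 dump, the following C program shows the two steps the comment above walks through by hand: reading a big-endian 64-bit pointer from a TOC slot at %rtoc plus a signed displacement, then counting the string it points to with the same loop as the disassembled strlen. The dump bytes, the base address DUMP_BASE, the displacement and every function name here are constructed for the example and do not correspond to real hypervisor addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy dump: 0x48 bytes that we pretend were read from address
 * DUMP_BASE. Assumed layout: the message at +0x08, an 8-byte big-endian
 * TOC entry at +0x30 holding its address, and %rtoc itself at +0x40. */
#define DUMP_BASE 0x1000ULL
#define DUMP_LEN  0x48
static uint8_t dump[DUMP_LEN];
static int dump_ready;

static void build_dump(void)
{
    if (dump_ready) return;
    memset(dump, 0, sizeof dump);
    memcpy(dump + 0x08, "new ATA_Command ERROR\n", 23);   /* 22 chars + NUL */
    uint64_t ptr = DUMP_BASE + 0x08;
    for (int i = 0; i < 8; i++)                            /* store big-endian */
        dump[0x30 + i] = (uint8_t)(ptr >> (56 - 8 * i));
    dump_ready = 1;
}

/* Translate a guest address into the dump; NULL if the range is outside it. */
static const uint8_t *at(uint64_t addr, size_t need)
{
    build_dump();
    if (addr < DUMP_BASE || addr - DUMP_BASE + need > DUMP_LEN) return NULL;
    return dump + (addr - DUMP_BASE);
}

/* Read a big-endian 64-bit value, as 'ld' does on the Cell's PPE. */
int read_be64(uint64_t addr, uint64_t *out)
{
    const uint8_t *p = at(addr, 8);
    if (!p) return -1;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    *out = v;
    return 0;
}

/* Resolve "ld rX, disp(%rtoc)": the TOC slot at rtoc+disp holds a pointer. */
int resolve_toc_ptr(uint64_t rtoc, int32_t disp, uint64_t *ptr)
{
    return read_be64(rtoc + (uint64_t)(int64_t)disp, ptr);
}

/* The same loop as the disassembled strlen: count bytes until the first
 * zero. Returns (size_t)-1 if the string runs off the end of the dump. */
size_t hv_strlen(uint64_t addr)
{
    size_t n = 0;
    for (;;) {
        const uint8_t *p = at(addr + n, 1);
        if (!p) return (size_t)-1;
        if (*p == 0) return n;
        n++;
    }
}

/* Follow a TOC-relative pointer to its string; NULL if anything is out of range. */
const char *resolve_message(uint64_t rtoc, int32_t disp)
{
    static char buf[64];
    uint64_t ptr;
    if (resolve_toc_ptr(rtoc, disp, &ptr) < 0) return NULL;
    size_t n = hv_strlen(ptr);
    if (n == (size_t)-1 || n >= sizeof buf) return NULL;
    memcpy(buf, at(ptr, n + 1), n + 1);
    return buf;
}

int main(void)
{
    uint64_t rtoc = DUMP_BASE + 0x40;
    const char *msg = resolve_message(rtoc, -0x10);
    printf("-0x10(%%rtoc) -> \"%s\" (length %zu)\n",
           msg ? msg : "(unresolved)", msg ? hv_strlen(DUMP_BASE + 0x08) : 0);
    return 0;
}
```

Every access goes through a bounds check against the dump, so a TOC slot that holds zero or a displacement outside the captured region yields NULL rather than a read past the buffer, which matters when the same code is pointed at a real dump whose layout is only partly understood.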

  29. Nicely done! Actually I’m not familiar with the disassembled PPC code of all C runtime functions, although I know PPC “assembly” (assembler is the “compiler”). If you want some assistance then meet me on #PS3dev #EFNET. Where we could discuss the HV dump 😛

  30. I think i just found memset and memcpy functions:

    memset: 002AFEB8
    memcpy: 002AFEC8

    They are optimized and use the dcbz instruction, hehe :-)

  31. memcpy(), strlen() it’s starting to get interesting. Make sure you make notes of your findings. btw about that spinlock you’ve found. I would like to take a look at it as well. Which dump are you using?

  32. Found some sort of debug level variable which controls debug messages output. If it is > 0 then debug messages are printed, hehe :-)

    TOC of variable: 00347310
    Address of variable: 0035663C

    It’s 0 in the dump i’m analyzing :-)

  33. Disane:

    i sent you the link to the dump i’m analyzing.

    Spinlock: look for opcodes lwarx, stwcx, mtmsrd, cctpm or cctpl.

    For example in this function: 00373B60

  34. Found a new function which parses and returns a loader parameter, hehe :-)
    Location: 002B1318

    For example parameter “sys.lv1console.mode”
    Location: 002B0A2C
