XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line :)

Download XorHack v2.0 here

Hypervisor Exploit Changes

At the innermost level some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers from the previous exploit code so that they are grouped together rather than scattered all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting, numbered 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer set up.

Kernel Module Changes

In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and yet another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn’t saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code: when you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before passing it on to the kernel, and this was transparently causing some ioctls to never reach my kernel code. Things like this are why I hate linux hehe. It looked like fixing this properly was going to require a rebuild of sections of the kernel, so instead I brute-force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using those instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.
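The post does not say why the compat layer dropped some ioctl numbers, so here is an added illustration of one common cause (this is my example, not XorHack code). On Linux an ioctl number embeds the size of its argument type, and when a 32bit process talks to a 64bit kernel that has no compat_ioctl handler for the device, the kernel only sees numbers that happen to survive the translation. If the argument is declared as a `long`, the number a 32bit caller computes differs from the one the 64bit driver registered; declaring the argument with a fixed-width type keeps the two in step. The XH_ names, the magic 'X' and the request number are hypothetical; the bit layout mirrors the one used by asm-generic/ioctl.h on the usual architectures and is re-implemented here so the program builds without kernel headers.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * ioctl number layout as used by asm-generic/ioctl.h on most Linux targets:
 * 8 bits request nr, 8 bits type (magic), 14 bits argument size, 2 bits
 * direction. Re-implemented locally so this builds with no kernel headers.
 */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_WRITE 1U
#define IOC_READ  2U

static uint32_t ioc_encode(uint32_t dir, uint32_t type, uint32_t nr, uint32_t size)
{
    return (dir << IOC_DIRSHIFT) | (type << IOC_TYPESHIFT)
         | (nr << IOC_NRSHIFT) | (size << IOC_SIZESHIFT);
}

/* Pull the argument-size field back out of an encoded number. */
static uint32_t ioc_size(uint32_t cmd)
{
    return (cmd >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1);
}

/* Hypothetical request "read one 64bit word" on a device with magic 'X'. */
#define XH_MAGIC     'X'
#define XH_NR_PEEK64 1

/* Variant A: argument declared as `unsigned long`, whose size depends on
 * the caller's ABI (4 bytes for a 32bit process, 8 for the 64bit kernel). */
static uint32_t peek_cmd_long(uint32_t sizeof_long_on_abi)
{
    return ioc_encode(IOC_READ | IOC_WRITE, XH_MAGIC, XH_NR_PEEK64, sizeof_long_on_abi);
}

/* Variant B: argument declared as uint64_t, so the number is ABI independent. */
static uint32_t peek_cmd_u64(void)
{
    return ioc_encode(IOC_READ | IOC_WRITE, XH_MAGIC, XH_NR_PEEK64, (uint32_t)sizeof(uint64_t));
}

/* 1 if a 32bit caller and the 64bit driver would agree on the number. */
static int cmd_matches_across_abis(uint32_t cmd32, uint32_t cmd64)
{
    return cmd32 == cmd64;
}

int main(void)
{
    uint32_t a32 = peek_cmd_long(4), a64 = peek_cmd_long(8);
    uint32_t b = peek_cmd_u64();
    printf("unsigned long arg: 32bit caller 0x%08x, 64bit driver 0x%08x, match=%d\n",
           a32, a64, cmd_matches_across_abis(a32, a64));
    printf("uint64_t arg:      both ABIs    0x%08x (size field %u)\n", b, ioc_size(b));
    return 0;
}
```

The practical takeaway for anyone writing a driver like this one is to declare ioctl arguments with fixed-width types and to register a compat_ioctl handler in the driver's file operations, rather than searching for numbers that happen to pass through the compat layer.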

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so, unaligned addresses are supported without the user having to check or worry about such things: if the address being accessed is aligned it will be accessed in a single syscall of the specified size, and if it is unaligned the library will either use multiple syscalls or a syscall of a larger access size. I also added functions to easily check whether the system has been exploited yet, to perform the lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
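To make the alignment handling concrete, here is an added example of my own (not the XorHack library's code) of the splitting logic described above, run against a constructed 32 byte buffer instead of real PS3 memory. The simulated peek syscall `sc_peek` is hypothetical and only accepts naturally aligned accesses of 1, 2, 4 or 8 bytes, which forces the library layer `peek_range` to pick, at each step, the widest access that is aligned at the current address, fits in the remaining length and does not exceed the caller's chosen maximum size. A per-size call counter makes the syscall savings from wider accesses visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target's memory: 32 bytes of sample data. */
static uint8_t g_mem[32];
/* Number of simulated syscalls issued, indexed by access size in bytes. */
static unsigned g_calls[9];

static void mem_init(void)
{
    for (size_t i = 0; i < sizeof g_mem; i++)
        g_mem[i] = (uint8_t)(0xA0 + i);
    memset(g_calls, 0, sizeof g_calls);
}

/*
 * Simulated peek syscall (hypothetical): copies exactly `size` bytes
 * (1, 2, 4 or 8) from `addr` into `out`. It refuses any access that is not
 * naturally aligned, mimicking a backend that only implements aligned loads.
 */
static int sc_peek(uint64_t addr, unsigned size, uint8_t *out)
{
    if (size != 1 && size != 2 && size != 4 && size != 8) return -1;
    if (addr % size != 0) return -1;           /* alignment check */
    if (addr + size > sizeof g_mem) return -1; /* stay inside the sample buffer */
    memcpy(out, &g_mem[addr], size);
    g_calls[size]++;
    return 0;
}

/*
 * Library-level read: fetches `len` bytes from `addr` into `dst`, using at
 * each step the widest access (capped at `max_size`) that is aligned at the
 * current address and does not overrun the request.
 */
static int peek_range(uint64_t addr, size_t len, unsigned max_size, uint8_t *dst)
{
    if (max_size != 1 && max_size != 2 && max_size != 4 && max_size != 8) return -1;
    while (len > 0) {
        unsigned size = max_size;
        while (size > 1 && (addr % size != 0 || size > len))
            size /= 2;
        if (sc_peek(addr, size, dst) != 0) return -1;
        addr += size;
        dst += size;
        len -= size;
    }
    return 0;
}

static unsigned calls_total(void)
{
    return g_calls[1] + g_calls[2] + g_calls[4] + g_calls[8];
}

/* Unaligned start: 13 bytes from address 3 with 64bit accesses allowed.
 * Returns the number of syscalls issued, or -1 if the data came back wrong. */
static int scenario_unaligned(void)
{
    uint8_t buf[16];
    mem_init();
    if (peek_range(3, 13, 8, buf) != 0) return -1;
    if (memcmp(buf, &g_mem[3], 13) != 0) return -1;
    return (int)calls_total();
}

/* Aligned start: 16 bytes from address 0 at a chosen maximum access size. */
static int scenario_aligned(unsigned max_size)
{
    uint8_t buf[16];
    mem_init();
    if (peek_range(0, 16, max_size, buf) != 0) return -1;
    if (memcmp(buf, g_mem, 16) != 0) return -1;
    return (int)calls_total();
}

int main(void)
{
    printf("13 bytes from 0x3, 64bit max: %d syscalls (1 + 4 + 8 bytes)\n", scenario_unaligned());
    printf("16 bytes from 0x0, 8bit max:  %d syscalls\n", scenario_aligned(1));
    printf("16 bytes from 0x0, 64bit max: %d syscalls\n", scenario_aligned(8));
    return 0;
}
```

The unaligned case shows the "multiple syscalls" path (a 1 byte access to reach a 4 byte boundary, a 4 byte access to reach an 8 byte boundary, then one 8 byte access), while the two aligned runs show the eightfold difference in syscall count between 8bit and 64bit accesses that the dumping note below relies on.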

Sample Application Changes

As well as the above additions and changes to userland code I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple units of the chosen data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x1000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form, which gets redirected into the hvdump.bin file. Note that the 64bit access is used since it requires eight times fewer syscalls to get the same amount of information than the default 8bit access would.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr..

Scripts can be written using ps3peek, ps3poke and ps3exec and utilising files to store values between calls. By doing so many tasks can be done such as the setting of the required registers to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

920 thoughts on “XorHack v2.0: The Updated PS3 Exploit Toolkit”

  1. 2graf_chokolo
    Do you try to decrypt new (3.40/3.41/3.50) debug firmwares?

    PS: Contact me if you need PUPs.

  2. Sorry guys, no free time for my own blog :-) I think xorloser doesn’t mind if i use his blog :-) I have not much free time and spending all the free time on HV reversing :-)

    The lucky guys who has access to PS3Private wiki can already read some interesting stuff from HV i reversed. If admins of PS3Wiki will allow me to post my findings there for public, i will do it there. If not, then i will publish it somewhere else.

  3. graf_chokolo as far as I am concerned you have the rights to publish any of your findings at the place you see fit, so if you want to publish it on the public sections of the ps3wiki, I don’t mind.

    P.S. your reversing was impressive. Also if you wish to know about eeprom access, head to the chan, most of us will be glad to help you out.

  4. graf_chokolo , If the psjailbreak team have the USB Dongle Master Key.
    Why don’t you decompile and decrypt their flash file for their psdowngrade dongle and get the USB Dongle Master Key.

    Then we will be able to enter service mode.

  5. Hey chokolo,

    I really appreciate your work and hope that you’ll gonna stay on this!
    Great work, dude!

  6. @graf_chokolo i have just 2 questions:

    1) In decrypting CORE_OS from 3.50 did you find if they removed (probably changed) the USB Master Key
    2) Did you find where the SPU’s decrypt the SELFs?

  7. I don’t think it is worth it to reproduce the jig, you still need to use leaked signed selfs that can (and will) be revoked the first chance sony gets, not to mention besides the obvious dongle id revocation, they can also update any part of the SPM (that includes the update manager) and change the whole jig authentication process. This makes such a hack a lot less appealing, that’s my personal opinion though.

    Sony should have done the whole challenge/response inside an isolated module though and kept the “master key” in there as well.

  8. Nice find :) I don’t know the spu_mode_auth.self and fdm_spu_module.self, the others are common though.

  9. @graf_chokolo

    Dare we hope for a “legit” service stick in a couple of weeks?
    And, pardon my ignorance, are you working using jb or geohotz exploit?

  10. @Mathieulh

    I was interested how Sony disabled the PSJ exploit in 3.42/3.50, i think they just blacklisted some key.

    @graf_chokolo

    Have you found anything related to the HDD encryption, while browsing through the updater?

  11. I want to help out the community, and i am a fast learner. anyone want to point me in the right direction where to learn all of this?

  12. mathieulh says:
    November 16, 2010 at 1:17 am

    graf_chokolo as far as I am concerned you have the rights to publish any of your findings at the place you see fit, so if you want to publish it on the public sections of the ps3wiki, I don’t mind.

    P.S. your reversing was impressive. Also if you wish to know about eeprom access, head to the chan, most of us will be glad to help you out.

    @ Graf:

    Haha!

    This is the typical bullshit that the dickhead “mathieulh” does to anyone who knows more than he does… he pretends to help you and then sticks his name on whatever you discover and spreads it on Twitter to the world as his own work.

    Don’t fall for his bullshit, keep posting as you are and ignore the pathetic french prat.

    – Someone who knows. :)

  13. @math don’t rise to this GeoMathLoveChild clown, he’s either trying to throw a spanner in the works or so stupid he can’t see 2 heads are better than 1!

    @GeoMathLoveChild: chillax! what did math steal from you? If Mathieulh can input something valuable then why the hell not! If you’re worried about scene stealing we all know graf has done this amazing work and when it comes to him releasing his findings it will be him that will give credit if any credit is due! anyway i’m sure math like all of us is just inquisitive!

    @graf: amazing work so far we’re all looking forward to seeing what you can do with all these findings! Any hints to what is possible with all this newfound info?

  14. @GeoMathLoveChild You don’t need to slag off mathieulh. I’ve been around in the IRC a bit and he doesn’t stick his name on anything. He learns new things every so often and helps out as much as he can!

  15. nebster says:
    November 16, 2010 at 12:13 pm

    @GeoMathLoveChild You don’t need to slag off mathieulh. I’ve been around in the IRC a bit and he doesn’t stick his name on anything. He learns new things every so often and helps out as much as he can!

    Oh yes I do. Take it from someone who has been involved in the scene for years before that hairy French hobbit shithead was a cum stain in his father’s trousers.

    He’s a little thief and anyone who’s done any serious dev work on the PS3 knows this – he and his little gang of butt kissing cohorts are useless as tits on a bull and all they’ve done is damage to the scene, not help it.

    If you believe otherwise, you don’t know WTF you’re talking about (just like him).

    @graf: Keep doing your work – just don’t fall into the trap of “joining” some bullshit group or other based on the desires of some pretentious wannabe twat whose knowledge could be written onto the back of an aspirin tablet with a housebrick.

  16. @Zeratul

    You got debug firmware for 3.41 :-) Cool :-) Cannot wait to get my hands on it. How do i contact you ?

  17. Just a quick comment, been lurking here for quite a while now and this is a good blog with intelligent, informative posts from good devs, i hope for xorloser’s sake that now this has been linked from psx-scene it doesn’t become overrun with haters and abuse. That’s all i have to say, keep it up peeps :)

  18. graf_chokolo: Could this well lead to an open source downgrade soon?
    Congrats on decrypting 3.50 😀 Let’s hope your input continues to make the PS3 scene even more awesome 😀

  19. @graf_chokolo
    May I ask can your method decrypt .self file?
    Please kindly move the information you found to public section in wiki so that more people can work on that, really appreciate that ~~

  20. Hello,Nice Step further!

    Actually using HV can give really good results

    As you saw i got 3.21 CFW with OtherOS enabled, i just simply repacked PUP. I got Master key and SHA1 key; actually to repack it you need Master key, just edit CORE_OS_PACKAGE. I’ve done a lot, i got DEBUG Firmware on Retail PS3 by simply creating a Hybrid PUP by adding files from DEBUG PUP to Retail PUP. I cancelled Scene because i failed with HV, i started to work with PSJailbreak with Math and some others, as you can see Math released PsGroove, because Math and me created it!

    So now we created PSDowngrade, again Math and me behind that, so that’s why you see comments by Math like: Oww i know how it works but i won’t tell you anything and e.t.c.

    Keep up the good work! This is really a hack (maybe), PSJailbreak is just a copy of JIG, it’s not even an exploit, that’s why i love ur work!

  21. @GeoMathLoveChild It’s been a while since he’s been in our group and we never stole any of his work. Haters gotta hate anyway right ?

  22. I promised to you guys that i will make my HV findings public.
    I just moved my “Hypervisor Reverse Engineering Page” from private section of ps3wiki to the public one. The page contains highly technical information and not all of you will understand it but i hope it will help us to reverse Hypervisor faster. It doesn’t contain all the knowledge about PS3 hypervisor i gained through reversing, in truth, it’s just a small piece of it, but i don’t have time to write everything i know down. I will update this page regularly :-)

    https://ps3wiki.lan.st/index.php/Hypervisor_Reverse_Engineering

    And i will also upload my PSGroove payload source code soon. And then you will be able to decrypt packages from PUP files by yourself, dump your FLASH memory, dump your LV2 kernel, run isolated SPU’s on GameOS and other cool things :-) So use this knowledge and code to help the PS3 developer community to reverse PS3 Hypervisor and GameOS :-)

  23. @graf_chokolo

    “0x200E – Decrypt Master ”

    Does that mean you have the USB Dongle Master Key?

  24. You have released amazing amount of information, thank you very much for that graf_chokolo.

    I hope you remain as persistent as you are, that’s a damn good quality 😉

  25. Another thing – would it be possible for you to make the dump you are analyzing public (so people end up analyzing same dump)? Also, I am assuming you are using IDA – would you mind just briefly documenting your setup (what plugins/scripts you use, which IDA version, etc) – so that people could try to be ‘compatible’? :))

    Thank you once again graf_chokolo, nice work.

  26. Hey graph, well done on all the work. You deserve affirmation for your hard work. Please continue just as you are, no need for a team unless to give insight. 😉 The hacker community adores your work bro.

  27. Mathieulh says:
    November 17, 2010 at 4:02 am

    @GeoMathLoveChild It’s been a while since he’s been in our group and we never stole any of his work. Haters gotta hate anyway right ?

    You really want to go that route you little French fuck?

    How about I post the IRC logs and rest of the info I have collected over the years?

    You are a little scum sucking shitbag, just like that turdlet “Jon Lech Johansen” before you – you take others’ hard work and then try to act as some kind of internet mouthpiece in order to garner your undeserved 15 minutes of fame – based on other people’s hard work who you claim to be “in your team”.

    Even in the PSP scene, you did nothing but steal other people’s work and portray yourself as some “high and mighty” insider, when all you really do is parrot the information you beg/borrow/steal from more knowledgeable devs and present it as your (or you and your “team’s”) own discoveries…

    Pathetic little shitheads like you have caused more damage to the scene with your behind the scene panderings than Sony ever could. But, like everything, you’ll get yours, kid. Your type always does.

    NB: For Xor and for all who think I’m just hating or trolling, use your Google-fu and search a little more on the background of this little fuck – hell, even look here at Xorloser’s own comments to the fucker on Twitter.

    You’ll then get a better understanding of why people like @graf are really only just rediscovering the wheel and doing stuff that’s already been known for years, just kept secret. As to that requirement for secrecy, it stems right back to twats like Math doing what he’s been doing and has resulted in the perceived lack of progress.

    It’s hard to have a free and open discussion of ideas and discoveries when some dickhead steals and claims as “his teams work” what others have been slaving over for years.

  28. @GeoMathLoveChild I don’t give a damn about your flaming so my answer to this will be: “No comment.” Take it however you like.

  29. @GeoMathLoveChild
    The world works this way, the one to bring out the information to the wide public is the one getting credited for the work.

    There are a lot of things in the world that progressed further than the general public knows.
    We all think we live in the present, but most “consumer-tech” we use is old technology compared to what’s going on in research labs all over the world, and so on.

    I’m not defending Math, I figured long time ago he was the Sony world’s answer to “DVD-Jon”.

    I just don’t see why graf can’t be credited for the discoveries he did on his own, regardless he’s the first to do it or not.

  30. I know that this is a stupid question^^, but
    How hard would it be to decrypt ps3 hard drive with all these new findings
    Ty

  31. @X-Copy_III

    Donations ? I don’t know. But if someone has an old fat PS3 with HV 3.15 or older then it will help me immensely and i will buy it of course :-) I think you all will benefit from it when i finally get my hands on HV :-) I have got a lot of knowledge about HV but unfortunately no exploited HV to test my knowledge :-) It can be a PS3 with broken BD drive, it doesn’t matter, i don’t play games with PS3 or use PSN, my PS3 slim was actually never connected to PSN :-) And i didn’t even play games with it once :-) Who cares about games, me and HV are best friends and we have a lot of fun together :-)

  32. You should open a paypal to get the donations, I will be first to donate; there are ps3 with and without broken BD unit on ebay and others, I think you would get one easily and in not too much time…

    Also, I’ve been reading ps3wiki and I can just say: wow ! ( even if there’s a lot of things I don’t even know what they are yet… not to say understand 😀 ) but it seems there are lots of things you just mentioned but not elaborated because you simply have no time :)

    Congratulations; exciting times for the scene…

