Why is the PS3 so hard to unlock?
What's the security "trick" that prevents it?
From the little I know, it's one of its cells (like a processor) made solely to check for any kind of change to the file system and the physical hardware... any change and it won't boot.
Houston, we have a problem
Houston, we have a problem...
Quoting George Hotz
The funniest thing is Mathieulh (the PSP hacker) leaving comments there and laughing at George Hotz.
Quoting George Hotz
The guy's blog is blowing up hehehehe
Dunno... from what I see, the PS3 and the Xbox are on par in games, same quality, but the Xbox is cheaper and has already been unlocked...
It'll take a while until the PS3 reaches competitive prices.... a good start would be for it to come already unlocked, since there are many people who are Sony fans anyway.
The guy is no lightweight.... but it's just like the topic title: light at the end of the tunnel... there's still a long way to go..
Quoting Papaleu Paes
Hello hypervisor, I'm geohot
I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1.
3 years, 2 months, 11 days...that's a pretty secure system
Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.
Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long
As far as the exploit goes, I'm not revealing it yet. The theory isn't really patchable, but they can make implementations much harder. Also, for obvious reasons I can't post dumps. I'm hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone's KBAG.
A lot more to come...
Posted by George Hotz at 7:06 PM 65 comments
Wednesday, January 20, 2010
Just cause I can't read the ram bus doesn't mean I can't mess with it.
Posted by George Hotz at 4:36 PM 80 comments
Tuesday, January 19, 2010
I don't think...
...glitching the memory bus like a savage with a screwdriver is going to work.
Tomorrow, I'll try a real attack.
Posted by George Hotz at 2:41 AM 45 comments
Sunday, January 17, 2010
Messing with the Configuration Ring
Tried changing different values in the configuration ring. No good results.
The start vector doesn't matter, I can corrupt it and the system still boots fine. So somehow it's bypassing it, and is probably running the first stage loader in ROM. Therefore it's never on the bus. :-(
Changing almost anything else puts the system in Wait State, bit 20 of POR Status is high, and POR never completes. I was hoping to cleverly move some MMIO around to be able to access something I shouldn't, and strap up to an HTAB write. But change just about anything and the system doesn't boot. And the just about doesn't make me think I'm missing something obvious like a checksum. :-(
The SPI stuff is all documented here. Maybe someone has an idea about what to try. The only SPI MMIO accesses that work are the FlexIO ones, otherwise everything seems to match this document.
Here is a dump of the raw config data and its parsing.
Looks like I might have to take this up a notch, like glitching the RAM bus to enter a corrupt HTAB entry or something. Although for all I know they read back. Logic analyzer on the RAM XDR bus? That's gotta be a decrypted hypervisor. Or glitching the address pins? I hate these stupid fast buses, reasonable buses make cell phones nice.
Posted by George Hotz at 4:37 PM 16 comments
Friday, January 15, 2010
The MMIO over SPI stuff doesn't appear to work, probably an efuse to disable it since the System Controller(or the bridge as I was calling it) doesn't need to use any of them.
A quick memory map:
IOIF0 = GPU = 0x28000000000 (3 bytes in, 4 bytes out)
IOIF1 = SC = 0x24000000000 (1 byte in, 1 byte out)
MMIO in cell = 0x20000500000
CELL ROM = 0x100 (from datasheet, not seen in PS3)
XDR RAM = 0x0ish-0x10000000
On power up, the system controller downloads the configuration ring over SPI and calibrates the IOIF1 interface using the FlexIO registers. Then, according to the config ring, the reset vector is 0x2401FC00000, an address in the mapped System Controller memory. So the LV0 is sent (I can't imagine encrypted) over the FlexIO between the SC and the CELL.
So, how about this attack? Find some way to keep something resident somewhere in the memory space across powerups(does XDR go away? liquid nitrogen?). Move the reset vector there and write a little program to dump 0x2401FC00000 and somehow leak it to the outside world. Or sniff the FlexIO bus, any ideas?
I already know more about the Cell processor than I ever wanted to.
Posted by George Hotz at 2:19 PM 66 comments
Thursday, January 14, 2010
SPI hardware is done
Spent today rigging this up. Soldered to the bridge side of the SPI and the Cell side of the SPI. Cut the traces. The FPGA passes through the pins while the switch is on. So I power up the system with the switch on, chip gets configured, then turn the switch off to connect the Cell SPI to my USB parallel adapter. Now it's just a matter of the PC side SPI software and figuring out a way to use the myriad LV1 registers available to me to map the hypervisor.
MMIO over SPI doesn't appear to work
I have control over the BIC (Bus Interface Controller) through the FlexIO interface though. Now I just have to figure out what these things are.
Posted by George Hotz at 9:47 PM 21 comments
Saturday, December 26, 2009
The Cell processor has an SPI port which is used to configure the chip on startup. Well documented here. It also allows hypervisor level MMIO registers to be accessed. In the PS3, the south bridge sets up the cell, and the traces connecting them are on the bottom layer of the board. Cut them and stick an FPGA between.
Quick theoretical attack. Set an SPU's user memory region to overlap with the current HTAB. Change the HTAB to allow read/write to the hypervisor! If that works it's full compromise of the PPU.
Posted by George Hotz at 6:49 PM 67 comments
HACKED, FUCK YEAHHH, now it's just a matter of waiting
There had to be a Brazilian involved hahahah
hardMOB Staff - Moderation
lol, the Brazilian only gave him the PS3...
I hope this guy pulls it off. A media center with a Blu-ray player for the price of a PS3 would be practically irresistible to me. I know the PS3 already has a media player, but it doesn't accept MKV, among other fancy stuff.
If this unlock requires Linux mode, only people with a fat PS3 will be able to use it, since the PS3 Slim no longer has the option to install other operating systems. There are already some homebrews that run on the fat PS3 in this mode...
Next week, firmware update and bug fixed lol
hardMOB Staff - Moderation
Wow, a PS3 with homebrews to run YouTube, a badass media player running 1080p + embedded or external subtitles, mp4, mkv, wmv and whatever else you throw at it, emulators, browser, Skype, MSN, etc. WIN WIN.
He did it, FUCK YEAHHH !!!!!
FINALLY !!! I want to play MKV on the PS3 !!!!!
WOOHOOO, now we just wait..
And I'll keep quiet in my corner, because I've already been banned from one :|
Well said!!!.. I second that!
WTF, the guy actually did it
fine, one tweet... i just hacked the PS3... http://geohotps3.blogspot.com/
about 14 hours ago from web
Has anyone read about this Geohot on Wikipedia?
The guy is the most badass nerd on the planet.
"As far as the exploit goes, I'm not revealing it yet. The theory isn't really patchable, but they can make implementations much harder."
I prefer to believe in more concrete things. But the light is turning into a spotlight...
It's important to remember that this guy had his feet on the ground when he cracked the iPhone last year. Besides, he already has a certain reputation and credibility in the scene. I don't believe he'd burn himself over nothing.
For those who didn't follow:
October 7 - first screenshot of the hack
November 3 - iPhones all over the world unlocked
Quoting [D] . n . L
Most of the profit comes from games sold, not from hardware sales, so contrary to what you think, you wouldn't be helping Sony.
HAHAHAHAHAHA there had to be a Brazilian posting on the guy's blog:
I'm really glad for this, happy, for someone from brazil(i'm from Brazil hehe) that had a participation in this historical fact, even it wasn't so directly, but we participated.guy, we here in brazil love u, u can have certain when u come to Brazil, u won't wish to come back from wherever u r. u r the person to meery my sister.guy u rocks, thanks from every iphone, itouchs and now PS3 user not only in brazil but in all over the world
January 22, 2010 10:10 PM "
They're already offering their sister to the guy!!!
Go correct the dude there on the blog, the right word is marry, not merry; correcting it here doesn't help at all lol
Quoting || Brutto-Netto ||
Damn, the dude is 20 years old, it's really surprising to have this kind of knowledge.
I just want homebrew and Linux with the full power of the PS3.