Where is this PS3 CPU Exploit?


Submitted by greg; March 07, 2011


Am I missing something here? Apparently darkhacker has released a PS3 CPU exploit, or at least that is what I'm reading everywhere… But all I see is references to old, leaked PS3 service manuals and this *ahem* explanation:
i know you all remember the exploit with ram and so on back in 3.15 well your going look for the 'CELL RESET LINE' and that going be where the exploit is you know how the small 60ms or ns i dont remember thing sent to ps3 for the read and write of the ram ? well use line send that and connect it to the cell reset line. ( FIND IT IN DOC ) and ground on outside of case and the example of what can be done with this is a cold reset which still has acess to the memory from gameos - dont let this die out people im taking a big risk by giving you all this information Example of what can be done with this -- untouched memory on cold boot full access to lv2 and all game os memory
So that's it, huh? Just "use line send that and connect it to the cell reset line." And the rest is in the PDFs? Excuse my ignorance and sorry to sound snide here... I'm no hardcore PS3 developer/hacker, which is why I'm open to question. Anyone have a proof-of-concept or something? Is there another download that I'm missing? What's the deal? Mathieulh tweeted something semi-similar to this a couple of days ago: "I hesitated a lot before tweeting about it, but a bug allows exploiting metldr, the bootloader and 3.56+. I don't intend to ever unveil it." If this is what darkhacker is talking about, then where is it? I mean, everyone is calling it a release after all... If anything this sounds like geohot's memory glitching exploit, which is last year's news... Not to mention geohot actually released something. - source: ps3sdk.com



Tags: metldr, PS3 Exploits






Comments 


 
# WiredKWT 2011-03-07 02:07
It's pretty much an improvement on what geohot had done last year, before the OtherOS feature was removed, except this is run off the GameOS. I, like you, have no clue what this would mean, but I'm hoping some devs will probably find this very useful.

News around Twitter is that it was released by a guy called DarkHacker.

# -hacks 2011-03-07 02:12
geohot actually released something - this... I don't get.

# WiredKWT 2011-03-07 02:40
From what I understood on psx-scene at least, from the member Ben Jeremy, he says:

"The Dark Hacker exploit is a HARDWARE EXPLOIT. It bypasses all the key nonsense and gives the potential for code to be injected and have complete control over the system."

# Steven Wilshire 2011-03-07 03:16
Hmmmm...... sounds a little.......FAKE, but I guess anything makes news nowadays....LMAO

# Kirro 2011-03-07 04:51
I imagine Darkhacker's trick is a nice way to brick a PS3. If you can't rationally explain your hack, odds are you're lying. Then there's Mathieulh, going with the good old excuse, "I won't release it because people might do something illegal with it." In other words, gloating without proof. I suppose what I'm trying to say is PICS OR IT DIDN'T HAPPEN.

# Libyan 2011-03-07 06:36
@ Kirro.

Mathieulh is experienced, has been signing things, and worked on the PSP scene for a while too. The exploits on PSP come from a crash in a game or a demo, and were useful to load in Half-Byte Loader and then other tools. This works the same way, and Sony can patch them with an update release. The hackers aren't telling where the exploit is, probably until Sony releases the new "unhackable" model of PS3 with maybe firmware > 3.60. Then the exploit can be tested and released when a Homebrew Enabler can be made for it.

# Randall Perkins 2011-03-07 07:04
I just tried to get information out there, but if you people really don't like it, fine with me. I made a quick post of something I was trusted with way back before the PS3 was hacked, and this does work; I have done and tested it myself in the past. It does allow a clean, untouched dump of lv2 thanks to this little trick, and I did not say it was for end users anyway. Anyone who understands and wants to will know what to do with this information.

And I never said I ever found this exploit, as some sites said; I just shared what I know because of picky devs like math :P He should release, face Sony.

# Jessie James 2011-03-07 09:17
So it's kind of like what the Pandora battery does: access the hardware before the security has a chance to block it. Security can't protect anything if it doesn't even have a chance to boot up, can it? ^_^

# Itaku 2011-03-07 09:33
This was released by geohot, and darkhacker is re-releasing it, barely crediting geohot for it.

# Angelus Malus 2011-03-07 09:43
I thought the Pandora battery was more like a backdoor and not an exploit?
I see the connection though... Even multiboot would be possible...awesome... ^^

# Chris Johnson 2011-03-07 10:09
I was able to compile a CFW with PS3 keys for firmware 3.56... what, so I'm sure if I can do it then very many others can, thus this is worthless.

# Josh Clark 2011-03-07 10:10
If this is possible, what could we do with this exploit? Dirty details :D

# Patrick Bérubé 2011-03-07 10:41
Would you really doubt someone like MathieuLh?
I guess that you are the fake. Fake what, I can't tell, but you are a fake!

# Codvisp 2011-03-07 11:08
It's kinda nothing at all... All PS3 news sites went wrong & eagerly enthusiastic :) The WHOLE subject is old news...

BRAVO Greg :P

# Codvisp 2011-03-07 11:09
P.S.: Mathieulh has just tweeted the explanation...

Muhahahahaha, this is just the cell reset line trick; you can use this to dump lv2 from 1.10 to 3.15, but that's it.

Oh! and it's been known for ages by about....err... everyone...

The fact is you can't glitch the cell to even access the isolated LS because it's PHYSICALLY disconnected from the bus.

As in the cell was especially designed for the purpose of preventing access to the isolated LS by anything but the isolated process. You can read details about this here: The Cell Broadband Engine processor security architecture

Anyway I'll stop talking of ps3 stuff for now, I am still pissed.

That so called "cpu exploit" allows no more than dumping lv2 from 1.10 to 3.15. That's it. It's just pointless.

The trick only worked because the OtherOS setting was written upon selection rather than upon shutdown.

Then you could coldboot to a small piece of code installed in the linux partition which would dump the lv2 ram space for you.

No, the isolated LS gets physically disconnected from the bus when isolation kicks in. That's the way it's designed.

Only the isolated process itself can access the isolated Local Store.

Isolation itself is designed in a very secure way, I have never seen IBM engineers messing around when it comes to security.

The line itself is cut, so to speak.

As in the bus can have no physical interaction whatsoever with the isolated Local Store.

In fact, should you have access to the nexus/jtag port on the cell, you still couldn't access the isolated Local Store.

This means that to effectively dump the isolated LS content, you need to exploit the isolated process itself.

Yes there is obviously a logic gate being involved in the process.

Sadly most details from IBM about isolation are under NDA, so we don't know for sure what's going on "underneath".

The only way to access the isolated LS again by software is to destroy the SPU and create it again, but this would delete the data.

Of course I do not mean to physically destroy the SPU xD.

Mainly what happens is that as long as an SPU runs isolated, only the software on that SPU can access the isolated LS, nothing else.

Then what about the code that actually kickstarts the isolation?

Then what does decrypt the bootloader and metldr? There has to be some ROM doing the decryption and holding the key.

Of course the SPU isolation itself would be done by hardware, but only "trusted" software can run isolated.

Those are the public docs, you know? :P

A lot of the Cell docs are NDAed. You cannot expect the SPU to just jump at encrypted instructions, can you?

# Codvisp 2011-03-07 11:13
That means:

All PS3 news sites 0 v/s PS3-hacks (Greg) 1

Nice to have a real cold blooded reporter :)

# Digi_PI 2011-03-07 11:28
I'll believe it when I see it. This "news" means nothing unless there is a release. There is no glory in saying you are capable of doing something. I can tell everyone that I am capable of flying through the air like a bird or a plane, but in the end I really am not Super Man.

# Lucy Bannerd 2011-03-07 11:40
May God Help The Ignorants

# Jeremy 2011-03-07 12:18
I just hacked the second string of keys that Sony released and created CFW 3.56... shhh. I feel like I've said too much already.

# Longrod VonHugendong 2011-03-07 12:27
The irony of that statement is hilarious

# Michael Mclaughlin 2011-03-07 12:30
If you or anyone else made a CFW for 3.56, it would be all over the internet. Quit making shit up.

# James Soileau 2011-03-07 14:23
I would doubt him if I was a complete and utter dumb ass. Then again I'm not doubting him.

# James Soileau 2011-03-07 14:25
My left testicle wrote a cfw also :|

# James Soileau 2011-03-07 14:42
Mostly it seems a reference to very old work dealing with the hypervisor with isolated SPU metldr loading... nothing new, as it was stated over a year ago, I believe. I may be misinformed or not remembering correctly, but I thought it was also a hardware fault and not able to be patched until new systems came rolling out. Again, the latter part I am not sure of, and I really don't care about digging up the information.

<speculation>
Maybe in dealings with 3.60 systems being rolled out?
</speculation>

# Decius 2011-03-07 14:57
Old news is old, yes hardware hack.

# Libyan 2011-03-07 15:26
These guys are not doing this for glory; besides, notice the legal troubles. They have done credible things before, and they come here and say "Hey everyone, I found something, but not enough tools yet to make it perfect, and the timing may not be best for it to be out." They don't care about your claims to flying. Whether the news means something to most people or not does not matter; to other devs who contact one another and build upon each other's work it means a lot.

# Libyan 2011-03-07 15:28
Kakaroto already has the second set of keys for 3.56.

# Decius 2011-03-07 15:34
It's already released, because the CELL RESET LINE is a part of the PS3's hardware, so grounding your pulse thingy (I forgot the name lol) and sending electrical pulses to the hardware (CPU) resets the PS3 so the RAM is writeable/readable. They found this out from leaked Sony tech docs about the PS3.

If the firmware can't stop this process then the hardware is going to have to be redesigned, but no one's attempted this on newer Cells like the Slims or outside of firmware 3.15. So it could very well be pointless, but I hope it isn't, for OFW 3.56's sake.

I just don't understand: if this was used to unlock the RAM in 3.56, assuming it boots after you reset the Cell, how would one be able to read the RAM in a firmware that's locked? Especially without OtherOS to read the RAM from... If we already have access to 3.56 and a hacked PS3, can't we just decrypt the firmware (3.56) on a JB'd PS3 and find exploits, or better yet, find a way to launch homebrew via 3.56?

I bet Mathieulh hopefully has a different method that doesn't resolve in hardware hacking, as this is OLD NEWS. I wouldn't doubt Mathieulh; if people don't release things, that's their business, whether you think it's fake or not. He would be stupid to release an exploit now when 3.56 adds no functionality but is a requirement for newer games, which can be patched later on anyway.

# Spsn Tos 2011-03-07 16:10
DarkHacker = Mathieulh, I bet, as he got pissed that everyone is calling him a fake, and then one day later DarkHacker appears saying it is true.

Mathieulh is a goof that is all I can say he has got nothing but BS.

# Archaniel 2011-03-07 16:46
pfff wingsuit basejump ... pffff! :D

# micvhg 2011-03-07 18:40
Please read the above comment about Mathieulh's reply to DarkHacker's release before making assumptions. Also, DarkHacker's release is clearly a rehash of what Geohot found when he first found the exploit years ago, before OtherOS was removed.

# mike 2011-03-07 18:43
Isn't he the one that said there was a "rootkit" in the new firmware? He's not always right.

# Decius 2011-03-07 18:48
Geohot glitched memory; this exploit is about resetting the Cell CPU. But you're right, it's from years ago and doesn't mean anything.

@Spsn, kinda like the bs you are spreading by saying "DarkHacker = Mathieulh I bet".

# James Soileau 2011-03-07 19:20
Depends on how you define "rootkit". If you mean Sony being ABLE to push information to your PS3 without your permission, then yes, he was correct. In the PC sense of "rootkit", as in having their own little vn of your Sony Computer Entertainment System, who knows. Now, whether Sony wants to travel down that road, push information to your PS3 and run into legal trouble is another topic.

You have to realize something more: ever since Pandora's box was opened, all the little demons are coming home to roost for Sony.

# James Soileau 2011-03-07 19:27
I was expecting him to say DarkHacker = DarkAlex, but hell, let's just point the finger at everyone.

*Points to Decius*

Your fault!

# Kirro 2011-03-07 19:47
Maybe he did find an exploit, maybe he didn't. It doesn't change the fact that he hasn't shown any proof. And like I said, without proof he's just gloating.

# Jonny A$$ 2011-03-07 20:05
This isn't really news. It would be much more suited to an IRC channel.

However, I wouldn't discount it. I mean, these keys aren't anything new either. Fail0verflow has known about them for nearly a year.

I'm a software engineer myself, mainly assembly, drivers, that kind of thing (which includes reverse engineering). But I would imagine this is legitimate.

He's saying that with a hardware mod, you can maintain information in the RAM, namely a decrypted key, after the system has rebooted.

This can then be used with a few bootup interrupts to output the decrypted key's memory location. Which is useful.

But I refer to my original statement, that this shouldn't have made the _news_, and instead should've been kept to IRC PS3 tech channels.

On the other hand... I thought people wanted something like this?

Personally, as 3.55 is usable online, with all the PSN hacks, and probably unbannable (even if they did, because of the current exploits, it's probably not a good idea to ban), I don't really see any point in a 3.56 hack, other than a downgrade for those that are late to the game.

# Moise Myrvil 2011-03-07 23:05
Mathieulh is all, all is Mathieulh! Bow in his grace!

# Kirro 2011-03-08 01:02
Okay, that makes more sense. I can buy into the ace in the hole idea.

# spy4561 2011-03-08 02:32
I think I read this on psx-scene and it actually was good, I think?

# Codvisp 2011-03-08 04:52
That was exactly my point :)

Greg: "Am I missing something here? ...... But all I see is references to old, leaked PS3 service manuals and this *ahem* explanation"

# Jeremy 2011-03-10 11:46
Understanding jokes: fail.

And if that's the case, why hasn't he released it to us?

don't be a fag.
