GeoHot (George Hotz) Begins Hacking PS3



dette
12-24-2009, 10:36 PM
Original post at http://www.ps3news.com/PS3-Hacks/apple-iphone-unlocker-geohot-begins-hacking-sonys-ps3/


Over the weekend geohot, famous for unlocking Apple's iPhone, posted a few tweets on his Twitter account saying that he has begun looking into hacking Sony's PS3 console.

He has also dropped by our Forums to enquire about the PS3 Hypervisor Decryption Keys, and has been in touch with CJPC via IRC as well.

To date, geohot has reported the following via tweets:

"ooo got access to a couple more pages of ram...still no hypervisor there tho. it's hiding in the top 2 MB.

anyone know if the 360 guys had a pt hypervisor to reverse?

my goal is to break out of the hypervisor... then see what my morals will allow.

gotta flip one little bit to hack the ps3. unfortunately the ps3 doesn't want me to flip it.

so, the hypervisor is in the first 0x1000 pages of RAM...think I could just pull an address line down and dump? not from kernel tho

PS3 memory map http://pastie.org/589218 ... why did I think this would be useful again? i really want these dumps @ bootloader

it'd be nice if that worked, linux accesses sandboxed part of nand... 4mb of uselesses.

hacking the PS3, not hacked in three years how long will it take me?"

Stay tuned for more PS3 Hacks news!


Tv Controls you
12-25-2009, 05:30 AM
I always thought a hypervisor allowed more than one process (or OS) to run at once. Why would there be a hypervisor running on a PS3?

Also, I assume he is referring to flashing the Xbox 360's disk drive?

If so, they did a full acid decapsulation to read the firmware.

The people who made custom firmware possible are truly geniuses. Each member was top notch at what they did. It would be great if they gave lessons; I am extremely interested in the whole process.

I am looking forward to this guy's progress with the PS3, although from the sound of it, it's going to be hard.

Letter to the scene (just gives a basic rundown of how the firmware came to be)


A great amount of work has been put into the xtreme, and now current ixtreme, firmware. commodore4eva, now simply known as 'c4e', came upon the scene to bring changes to the Xbox 360's firmware that led to new innovations and progress in a section of the Xbox 360 hacking scene.

These changes have for the most part been very positive, and in 2009 I formed a group that became known as 'Team Jungle', who spent 8 months working in unison to crack the first LiteOn drive. It was a very, very big achievement, and kudos is deserved all around for each member who did their share. It was a very bleak, dismal, long process that did not look promising for many, many months. The conclusion of Team Jungle/Team HyperX has arrived, and will be documented in this story. It is also my intention to notify everyone of facts previously withheld from the public, and to clear the air with some people unfairly accused of fraud and elitism/heroism with malcontent :smile:

With the cat and mouse game of almost all modification scenes, hackers vs vendors, technologies are constantly updated and secured against new vulnerabilities. As the ixtreme firmware was released for the LiteOn, it was apparent to that specific vendor that they needed to step up their game once their secure platform was defeated. It WAS a very brilliant design, for in the simplicity of basic hardware it becomes difficult to secure a platform without the host being entirely integrated into the overall security. We see the PS3 as a fine example of this: a hardware platform that has proven very secure from top to bottom!

Unfortunately, as the security measures increased, known vulnerabilities decreased and new methods needed to be found. Alas, they were :smile: Some of these vulnerabilities were hardware based, and some software. Some were vendor commands (CDBs) that were intentionally placed within the firmware for diagnostic purposes! A large part of firmware 'hacking' is disassembling the firmware and discovering all of the hidden CDBs for alternative usage (piracy, homebrew, etc.).

In order to hack the LiteOn, a team was necessary. c4e's talent was the final step of a very long process. You need experts on the physical/hardware side who are capable of extracting the firmware (since known software methods were locked out). Sometimes several hardware guys are needed for different areas of talent. One might be skilled in decapsulation and extraction methods and the other has X-ray equipment and microscopes and is excellent at detailing :smile: The bottom line is that 90% of the work was NOT associated with the firmware and the job performed by c4e. The firmware modification was the easy part! Of the 8 months spent on that project, only 24 hours were needed by c4e to complete his part of the project :smile:

With every release of xtreme and ixtreme firmware different methods of hacking that particular hardware platform became apparent through documentation (tutorials), software (JF, sending cdb's, etc) or specs/technical information released. Speculation is always a key player whether methodology is apparent, released or not.

When the 83850c hit the shelves, the public quickly figured out that there was a flaw: serial output was not working. So the team found a few 83850c's through our usual channels (distributors), purchased them (despite what you think, we usually buy our materials; most don't ever make it back. Donations are very 'final'.) and got them shipped to one of our hardware specialists who is capable of decapsulating and reading EEPROMs. It takes a rather talented and unique skillset to decapsulate and dump EEPROMs with microfiber :smile: In fact, 'micro' is an understatement: it's so small it's practically invisible to the human eye! Imagine trying to solder that!

Our hardware genius successfully dumped the firmware. Since our crypto (software) genius had already cracked the encryption algorithm of the original drive's firmware (which was one of the most difficult tasks of hacking the drive!!), it was just a matter of having him decrypt it for us. Once decrypted, c4e can start doing his patching routines, as well as analyze the firmware for security changes. For a month I sat in the dark as c4e and the rest of the group 'worked' on getting the drive to output key/serial data. At the time it was presumed impossible. In the 5th week I was brought full circle and informed that the team had been coordinating decisions outside of my knowledge. Apparently the team came to a decision since there was no way to retrieve the key via software. The only hardware method at the time was full acid decapsulation, with the exception of the pin-lift method. I would like to take a moment to explain the following with an analogy:

Sir Alex Ferguson is the manager of the world famous Manchester United football (soccer) club. He does not play soccer (he used to). However, he is essential to the success of the football team. He uses his managerial experience to bring together players who would not normally play the sport together. When the team starts playing, he uses his decision-making skills to combat changes on the field. Without him, the team can still play, and successfully at that! However, without him the team will eventually die, as they will become stale and not progress or get fresh blood into the roster. I use this analogy for myself. I created Team Jungle, which I renamed to THX due to a fallout between me and one of the developers whom I had start the project we now know as 'jungle flasher'. He was not a team player (several incidents), so I removed him from the team. Instead of changing the name of his application to disassociate himself from the team, I decided to change the team name! While I created the team, organized it and made decisions, the essential process (hacking) can obviously be done without me. The team made that choice when they went outside of my circle to discuss the future of LiteOn in regards to the team.

The decision that the team had come to was to integrate a piece of hardware (a modchip) into the process that would make end users capable of modding the new LiteOn drive without us giving away our only hardware 'dumping' method, the pin-lift method recently disclosed by geremia. We did not want MS and LiteOn/MTK to patch the only known software hole (pin-lift method), as that would defeat our capabilities in the future to dump the firmware. While we can always try to decapsulate, there are methods to combat it, and it's a very risky process that destroys the hardware. I am also experienced enough to understand that multiple avenues of hacking must be present in order to secure the *future* of this project! The reason the team did not disclose their decision, or the decision-making process, to me was simple: greed. They wanted to bargain with the Chinese to get the maximum money possible out of each chip sold, and I was one less cut of the pie. And hey, I'm not a hacker, right? I don't do any work (other than creating the group and making the ENTIRE process possible!), so why should I get paid? Well, no loss on my end, and only theirs (the group's), because I would have been, and argued very strongly, against ANY money-based process.

At that time c4e came to me and told me that they had been meeting behind my back and had come to a decision; however, c4e, in the 5th week after obtaining the fw, found out how the serial key output had changed, with encrypted key data. He had already contacted foundmy and made the key decryption services a reality. He had already consulted with the other group members, who (due to legal risk) said they did not want to be a part of it. Everything was ready to launch by the time I was told about it and asked whether I wanted to be a part of it.
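The letter above describes a large part of drive-firmware work as finding the hidden vendor CDBs and sending them to the drive. The block below is an added example, not code from the letter's author, Team Jungle or ps3news: it shows the generic probing idea behind that search, sweeping the SPC vendor-specific opcode range (C0h to FFh) with otherwise-zero CDBs and reading the returned SCSI sense data to tell an opcode the firmware does not implement (ILLEGAL REQUEST with INVALID COMMAND OPERATION CODE, ASC 20h) apart from one it handles but whose zeroed fields it rejected (INVALID FIELD IN CDB, ASC 24h). The simulated drive, its opcodes C1h and E0h, the 12-byte CDB length and the callback shape are assumptions made for illustration; nothing here describes any real LiteOn command set, and the Linux SG_IO transport is left out so the code runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one probed opcode, derived only from the sense data the
 * drive returned (standard SPC sense key and additional sense codes). */
enum probe_verdict {
    PROBE_NOT_PROBED,     /* opcode outside the swept range */
    PROBE_ACCEPTED,       /* GOOD status, no sense: the all-zero CDB was accepted */
    PROBE_OPCODE_UNKNOWN, /* ILLEGAL REQUEST, ASC 20h: INVALID COMMAND OPERATION CODE */
    PROBE_OPCODE_EXISTS,  /* ILLEGAL REQUEST, ASC 24h: INVALID FIELD IN CDB, so the opcode is handled */
    PROBE_OTHER_ERROR,    /* any other sense: worth a manual look */
    PROBE_MALFORMED       /* sense buffer too short or unknown response code */
};

struct sense_info { uint8_t key, asc, ascq; };

/* Pull sense key / ASC / ASCQ out of fixed-format (70h/71h) or
 * descriptor-format (72h/73h) sense data. Returns 0 on success. */
int parse_sense(const uint8_t *sb, size_t len, struct sense_info *out)
{
    if (sb == NULL || len < 1) return -1;
    switch (sb[0] & 0x7f) {
    case 0x70: case 0x71:
        if (len < 14) return -1;
        out->key = sb[2] & 0x0f; out->asc = sb[12]; out->ascq = sb[13];
        return 0;
    case 0x72: case 0x73:
        if (len < 4) return -1;
        out->key = sb[1] & 0x0f; out->asc = sb[2]; out->ascq = sb[3];
        return 0;
    default:
        return -1;
    }
}

/* Classify one probe; sense_len == 0 means GOOD status with no sense data. */
enum probe_verdict classify_probe(const uint8_t *sb, size_t sense_len)
{
    struct sense_info si;
    if (sense_len == 0) return PROBE_ACCEPTED;
    if (parse_sense(sb, sense_len, &si) != 0) return PROBE_MALFORMED;
    if (si.key == 0x05) {  /* ILLEGAL REQUEST */
        if (si.asc == 0x20 && si.ascq == 0x00) return PROBE_OPCODE_UNKNOWN;
        if (si.asc == 0x24 && si.ascq == 0x00) return PROBE_OPCODE_EXISTS;
    }
    return PROBE_OTHER_ERROR;
}

/* Transport callback: send one CDB, copy returned sense data into `sense`
 * and return its length (0 = GOOD status). On Linux this is where the
 * SG_IO ioctl would go; the simulation below stands in for a real drive. */
typedef size_t (*probe_fn)(const uint8_t *cdb, size_t cdb_len,
                           uint8_t *sense, size_t sense_cap, void *ctx);

#define VENDOR_OPCODE_FIRST 0xC0 /* SPC reserves C0h-FFh for vendor-specific commands */
#define VENDOR_OPCODE_LAST  0xFF
#define PROBE_CDB_LEN       12   /* assumption: vendor CDB length is not standardised */

/* Send every vendor-specific opcode in an otherwise-zero CDB and record a
 * verdict per opcode. Returns how many opcodes the drive handles. */
int sweep_vendor_opcodes(probe_fn send, void *ctx, enum probe_verdict verdicts[256])
{
    uint8_t cdb[PROBE_CDB_LEN], sense[32];
    int handled = 0;
    for (int op = 0; op < 256; op++) verdicts[op] = PROBE_NOT_PROBED;
    for (int op = VENDOR_OPCODE_FIRST; op <= VENDOR_OPCODE_LAST; op++) {
        memset(cdb, 0, sizeof cdb);
        cdb[0] = (uint8_t)op;
        size_t n = send(cdb, sizeof cdb, sense, sizeof sense, ctx);
        verdicts[op] = classify_probe(sense, n > sizeof sense ? sizeof sense : n);
        if (verdicts[op] == PROBE_ACCEPTED || verdicts[op] == PROBE_OPCODE_EXISTS) handled++;
    }
    return handled;
}

/* Constructed stand-in for a drive (not any real firmware): it handles
 * opcode C1h (rejecting the zero fields) and E0h (accepting), and answers
 * INVALID COMMAND OPERATION CODE in fixed-format sense to everything else. */
size_t simulated_drive(const uint8_t *cdb, size_t cdb_len, uint8_t *sense,
                       size_t cap, void *ctx)
{
    (void)cdb_len; (void)ctx;
    if (cdb[0] == 0xE0 || cap < 18) return 0;
    memset(sense, 0, 18);
    sense[0] = 0x70;                            /* fixed format, current error */
    sense[2] = 0x05;                            /* sense key: ILLEGAL REQUEST */
    sense[7] = 10;                              /* additional sense length */
    sense[12] = (cdb[0] == 0xC1) ? 0x24 : 0x20; /* ASC; ASCQ stays 00h */
    return 18;
}

/* Sweep the simulated drive and report the verdict for one opcode. */
enum probe_verdict demo_verdict(int opcode)
{
    enum probe_verdict v[256];
    sweep_vendor_opcodes(simulated_drive, NULL, v);
    return v[opcode & 0xff];
}

int main(void)
{
    enum probe_verdict v[256];
    int n = sweep_vendor_opcodes(simulated_drive, NULL, v);
    printf("%d vendor-specific opcodes handled by the drive\n", n);
    for (int op = VENDOR_OPCODE_FIRST; op <= VENDOR_OPCODE_LAST; op++)
        if (v[op] == PROBE_ACCEPTED || v[op] == PROBE_OPCODE_EXISTS)
            printf("  %02Xh: %s\n", op, v[op] == PROBE_ACCEPTED ? "accepted" : "handled, fields rejected");
    return 0;
}
```

Against a real drive the callback would fill a `struct sg_io_hdr`, call `ioctl(fd, SG_IO, &hdr)` and hand back the `sb_len_wr` bytes of `sbp`. The sweep only narrows the search: a PROBE_OPCODE_EXISTS or PROBE_ACCEPTED result says the firmware has a handler for that opcode, and working out what the handler does, and what its CDB fields mean, is the disassembly work the letter describes.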

l33tpirata13
01-27-2010, 08:20 PM
http://geohotps3.blogspot.com

dette
01-28-2010, 09:23 AM
Yeah, I agree this is a huge and difficult undertaking GeoHot is doing. But seeing as he actually did something that no one did in 3 years... (at least not to my knowledge, or it wasn't made known) that is saying a whole hell of a lot. He did it in 5 weeks too.
We will see what happens.
The Xbox only needed a full acid decapsulation after a couple of updates from MS. I know the first hacks didn't require that.

NeogiO
01-30-2010, 12:23 AM
Will it be a DVD firmware hack, or a system firmware hack like on the PSP?

deceptorx
02-02-2010, 03:39 AM
No, it won't be a BD-ROM BIOS update like on the Xbox 360. He actually got access to the CPU and RAM. I'm wondering when they will get full access for the 360?

dette
02-04-2010, 07:01 AM
But the sad thing is it's only for the Phat PS3, which means I can't use anything made with this exploit yet :'(

PlaystationMan
02-11-2010, 10:52 PM
what's taking so long for the ps3 to be hacked?

mr. nails
02-12-2010, 02:14 AM
what's taking so long for the ps3 to be hacked?

we're waiting on u with ur 1337 reverse engineering programing skills.

riceguy
02-23-2010, 02:05 AM
Can't wait for it to be hacked!

SonsOfLiberty
02-23-2010, 03:38 AM
:lol: It's been 3 months now and nothing, hmmmmmmm...

Rart
02-23-2010, 04:10 AM
Pretty much the same as every other supposed "breakthrough" in hacking the PS3 :dabs:

iLOVENZB
02-23-2010, 09:14 AM
Pretty much the same as every other supposed "breakthrough" in hacking the PS3 :dabs:

Lol yeah. But at least there's proof with this 'breakthrough' :unsure:

Nonetheless it's pointless, Sony probably have more use with it and are patching it as we speak.

dette
02-26-2010, 10:33 PM
Pretty much the same as every other supposed "breakthrough" in hacking the PS3 :dabs:

Lol yeah. But at least there's proof with this 'breakthrough' :unsure:

Nonetheless it's pointless, Sony probably have more use with it and are patching it as we speak.

Depressingly enough, you're likely right.

iLOVENZB
02-26-2010, 11:05 PM
It's going to be an everlasting war between users and Sony. Look what's happening to the PSP. There's a new anti-piracy measure where you have to register with PSN to play online.

http://au.psp.ign.com/articles/106/1069716p1.html