PS3 Ring0 Exploit Released (geohotps3.blogspot.com)
96 points by iheartmemcache on Jan 26, 2010 | hide | past | favorite | 16 comments


Nifty. It's a bit of C that you run in Linux mode, while simultaneously poking at a memory trace to glitch the bus. I think it tries to set a valid memory mapping over and over. The glitch turns that mapping into one that lets the user stomp all over the Hypervisor. Once the glitch is in place, he installs two extra Hypervisor calls that let you read and write arbitrary physical memory.

Edit: He explains in more detail here: http://pastie.org/795944

  geohot: well actually it's pretty simple
  geohot: i allocate a piece of memory
  geohot: using map_htab and write_htab, you can figure out the real address of the memory
  geohot: which is a big win, and something the hv shouldn't allow
  geohot: i fill the htab with tons of entries pointing to that piece of memory
  geohot: and since i allocated it, i can map it read/write
  geohot: then, i deallocate the memory
  geohot: all those entries are set to invalid
  geohot: well while it's setting entries invalid, i glitch the memory control bus
  geohot: the cache writeback misses the memory :)
  geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
  geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
  geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
  geohot: switch to virtual segment
  geohot: write to main segment htab a r/w mapping of itself
  geohot: switch back
  geohot: PWNED
  geohot: and would work if memory were encrypted or had ECC
  geohot: the way i actually glitch the memory bus is really funny
  geohot: i have a button on my FPGA board
  geohot: that pulses low for 40ns
  geohot: i set up the htab with the tons of entries
  geohot: and spam press the button
  geohot: right after i send the deallocate call
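To make the stale-mapping condition described above concrete, here is an added toy model in C; it is not geohot's code and not PS3 hypervisor code. A guest fills a small hashed page table with writable mappings to one real page, the hypervisor invalidates them on deallocation, a constructed fault model drops some of those stores (standing in for the missed cache writeback), and an audit routine counts entries that still map a page the guest no longer owns. The table size, page count, fault model and function names are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy hashed page table (htab): sizes are constructed, not PS3 values. */
#define HTAB_ENTRIES 64
#define REAL_PAGES 16

typedef struct { uint32_t real_page; bool valid, writable; } pte_t;
typedef struct {
    pte_t htab[HTAB_ENTRIES];
    bool owned[REAL_PAGES]; /* real pages the guest currently owns */
    int drop_every;         /* fault model: every n-th store is lost (0 = none) */
    int store_count;
} hv_state_t;

/* A store that may never reach memory: the "cache writeback misses the
 * memory" effect from the thread, modelled as a periodically dropped write. */
static void store_pte(hv_state_t *hv, int i, pte_t v) {
    hv->store_count++;
    if (hv->drop_every && hv->store_count % hv->drop_every == 0) return;
    hv->htab[i] = v;
}

/* Guest: fill every slot with a writable mapping to a page it owns. */
static void guest_spam_mappings(hv_state_t *hv, uint32_t page) {
    hv->owned[page] = true;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        store_pte(hv, i, (pte_t){ page, true, true });
}

/* Hypervisor: on deallocation, invalidate each entry, trusting the store. */
static void hv_deallocate(hv_state_t *hv, uint32_t page) {
    hv->owned[page] = false;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (hv->htab[i].valid && hv->htab[i].real_page == page)
            store_pte(hv, i, (pte_t){ 0, false, false });
}

/* The check the hypervisor needs after invalidation: re-read the table and
 * count valid entries still pointing at a page the guest no longer owns. */
int hv_audit_stale(const hv_state_t *hv) {
    int stale = 0;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (hv->htab[i].valid && !hv->owned[hv->htab[i].real_page]) stale++;
    return stale;
}

/* Run the scenario with a given fault model; returns the stale-entry count. */
int simulate(int drop_every) {
    hv_state_t hv = {0};
    guest_spam_mappings(&hv, 5);                    /* mapping phase: no glitch */
    hv.drop_every = drop_every; hv.store_count = 0; /* glitch only while invalidating */
    hv_deallocate(&hv, 5);
    return hv_audit_stale(&hv);
}
```

With no dropped stores the audit returns 0; with every eighth store lost, 8 of the 64 entries stay valid and writable against memory the model hypervisor believes is free.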


Wow, talk about talent and hard work.


Could anyone tell me what map_htab and write_htab are?


They're syscalls in the PS3 hypervisor. map_htab maps the entire page table. write_htab writes to the page table.

More here: http://wiki.ps2dev.org/ps3:hypervisor


Thanks! Google wasn't particularly useful for me, unfortunately. Good for me to know, as a PS3 layman.


Guess this rules out the current generation of PS3s then as they lack the 'Install other OS' facility.


What is an htab?


"Hashed page table"; it controls virtual memory mappings. See Power ISA Book III-S 5.7.7.

http://www.power.org/resources/downloads/PowerISA_V2.06_PUBL...


When he mentioned that it didn't require a modchip, I assumed he had not taken the case off and done things to the board. Hopefully it still means that they can bypass this by being able to see what is going on, but it shows that sometimes you just need to connect some wires together first.


I was just talking with a friend about this today. If you get access to the GPU after trashing the hypervisor it may be possible to write a system emulator (think QEMU) for the PS2. I have to think about this a little more (performance hits, etc.) but it may work.


Do you think the folks at www.hackintosh.com will be able to put Snow Leopard on it? A Mac Mini (with PowerPC-based Core @3.2GHz and Blu Ray player) for $300, this would be awesome!


You are, of course, aware that Snow Leopard does not run on PPC cores?


That's a good point, I feel dumb.


But you made me grin :)


Well, yeah, we'd need an emulator :)


For either amusement or a headache read the comments to his blog.

  casale2a said...
  How do you use this?!?!
:-D



