androvsky said:
gofreak said:
well, if i understood it right - and i really don't remember the difference between cell's ppus, spus, spes and whatever - the blog dude who discredited geohot said that the root key can't be retrieved by hardware or software, and that at best he'd be able to copy encrypted data from the spe.gofreak said:
Well known PSP hacker and Dark_Alex's right hand man previously 'Mathieulh' has confirmed to us that Geohot's PS3 exclusive is indeed the real deal. He didn't want us to publish exactly why he knows it is the real deal, but let's just say he has some first hand evidence.
Green Biker Dude said:
bmf said:
Alec said:
Lillster said:
Vennt said:And I like owning previously perma-banned members who incorrectly think they are welcome back when we let a new batch of users in, cya
Vennt said:I never use IP address FWIW, firstly proxies and dynamic IP's make that pointless, secondly an IP search of the DB as things stand would make the 500's you see now seem like smallfry, hell such a search would probably cause a fire at the server host
Cruzader said:
ahahah.Vennt said:And I like owning previously perma-banned members who incorrectly think they are welcome back when we let a new batch of users in, cya
people are gonna need external hardware to trigger it.lupinko said:
geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
I don't think many people were saying he was lying.santi_yo said:
Edit: beaten :lolIn the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.
Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.
This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works
Good luck!
Zen said:
Hacked way early on. Search Doctor V64 or Z64 for the most popular devices.darkwings said:
