PlayStation 3 exploit released, hackers rejoice
In case you ever doubted his feat, or you simply wanted to recreate it for sport, iPhone hacker extraordinaire George "Geohot" Hotz has released the exploit code he devised for properly hacking the PS3. This should give any aspiring minglers full memory access, and while he's only tested it with firmware version 2.4.2, he "imagine[s] it works on all current versions." A guide might follow sometime in the future, he says, but if you're really antsy to get your coding kicks, we wouldn't wait up.

Update: EuroGamer's got a pretty thorough piece on what Geohot is claiming to have accomplished and what it means to the community -- and as Joystiq points out, until we see some "Hello World" proof of concept program, we don't quite know the extent of his claims. The guy's got a helluva track record, at least with iPhone, so we presume that's next on his and the community's list of to-do's.
[Thanks to everyone who sent this in]
@LOLCATZ
Well, if you regularly let people that have extreme technical skills disassemble your PS3 without supervision, then yes, your PS3 should be afraid.
Oh and for the OP... Heratiki = Hacker = Not Rejoicing... *wink* Not everyone likes to see what happens to a machine once it's been defeated... It's the reason I didn't buy a 360...
This hack, in its current form, only opens up the memory to be readable by programmers. There are a few more steps before this opens the door wide open.
@aphxtwn Details are scant, so please correct me if I'm wrong, but the exploit requires one to physically get on the memory bus to inject errors. Geohot imposed an FPGA which brought lines low for 40ns when the cache was being written back to main memory.
Again, scant details and I haven't looked at the code yet. Maybe he figured out a way to muck up the writeback in software.
@fdawg4l Yeah, he glitches during a dealloc. He then injects and adds a peek and poke command for memory access. You can then dump the HV or pretty much anything else.
That's what the code looks like to me.
@bigal
"that's what his code looks like to me"
cough cough
Bulllllllshit
Awesome news. Even with only 256MB RAM, the PS3 will now be a fearsome Linux beast.
But the real question is, How long will it take Geohot to jailbreak the iTablet?
@Edobe
7 days after it comes out, knowing him...
Just announced! PS3 firmware 3.2.0!
Great, now I need a PS3.
This is just theoretical, but if the PS3 gets hacked deep enough, maybe it could be used to hack the PSP and PSP Go a lot easier, since it could run unsigned code, since it may trust the PS3.
The picture shouldn't be a Slim; Slims don't have 'Other OS'.
George is a pretty crafty fellow and we can't knock the accomplishment no matter how minor one might think it is. It is one small step for Geohot, one giant leap for geek-kind!
Noooooooo!!!! Lol
Great, 99+ percent of PS3 users will have the inconvenience of having to update a firmware with no new features.
@DVDSandwich
Yeah, that sucks. Sony did a good job trying to avoid this while giving people a more open console than any other I'm aware of. That wasn't good enough for this hacker, though. Good for him, I guess. Mad props. Sucks that people will use this to pirate games, but that's not his fault or anything. Except that it is.
When Sony sued pirate helper Lik-Sang into oblivion, they were doing gamers who pay for games, and devs who sell games, a huge favor. I want gaming to be profitable, because that's why people make great games. Duh.
@(Unverified)
Eh? Lik-Sang just sold import hardware and software.
@(Unverified) They destroyed Lik Sang because Lik Sang was buying PSPs in Japan and selling them in Europe.
Sony opened their system up somewhat.
No, not fully. You agreed to those terms, though, when you bought a fat PS3. You got to use Linux and play with different OSs, even compile software if you wanted.
This is why Sony doing that is so unusual. I enjoyed playing with my PS3 in Linux, using OpenOffice and Firefox and all that. I doubt I'll be able to do that with my next Xbox or PlayStation. The community said it hacked so it could explore the system... do cool things with it. Sony said "OK, here's us meeting you in the middle... it's opened and lets you load Linux and play around. We disabled the GPU because we sell these things at a loss and want you to have to buy our games."
That seems fair to me. But it only takes one person to make it not work. Sony can't make money if people pirate their games. Like it or not, people will pirate their games. Using the PS3 requires you to agree to terms and conditions that preclude doing this. I know it's passé, but that is your word, your promise, that you won't use their software against them.
This means the next system won't be as open. That's all. I don't pirate games and I'm happy with linux on my PS3 already, so I don't understand why we needed to hack the PS3 to get to the GPU. It's already got great graphics and great games if you are willing to pay for them.
I can see now why Sony disabled this feature in the slim. They probably should have disabled linux on all PS3s.
Don't get too excited. The Cell processor architecture is very complicated and bypassing the hypervisor is only the beginning.
Without a 3D driver for the RSX/ZEGO chip there still won't be access to the full capability of the system.
Also, the code doesn't have access to root keys, which are essential to have full SPE/PPE access and get full use out of the Cell processor.
It's a start, but there is a looooooooooong way to go.
Sony should hire this guy.
georgehotz. you sir are jesus in his true form
This is actually very smart. It's a hardware hack (not a softmod).
He allocates some memory directly, then glitches it with a low pulse during a dealloc call. He injects from there and swaps memory back and forth. You then have control of the hypervisor. At least that's what my meager understanding of the code and his comments is.
I wonder how he figured that out?
The tricky part is the timing. The kernel could just panic and that's all she wrote.
It would be hard for Sony to defeat this unless there's a change in hardware. It's essentially a memory management hack.
@bigal
That is an impressive method. Extremely advanced, and it's hard to see what more Sony could have done to avoid it. They avoided most hacker efforts by selling the PS3 fairly open (though unable to play pirated software), but this level of attack would overcome a lot of their efforts.
I think Sony should go ahead and put a fake exploit out there. Let people download it, and put it on their PS3. A message should come up at some point saying there is no warranty, and the user accepts the potential for bricking the console. After some period of time, perhaps 6 months, the PS3 throws up a message explaining that the PS3 is bricked. Maybe just a "LULZ" or something. Sony probably shouldn't take credit for this, as it's ridiculously bad PR. Just get the point across that hackers don't have to follow even the rules you might LIKE.
the key is to get a working "exploit" out there before this method becomes a key to pirating games. Suck out the oxygen. It won't affect the hackers who are just having fun with their projects and not out to screw with game dev profits. MS and Nintendo should do this too, though they are at a disadvantage.
@(Unverified)
@(Unverified)
WTF????
@(Unverified) They could've buried the motherboard in epoxy... while that would have negative thermal consequences, and would still be breakable, it would be something they could have done.
Awesome! Now for homebrew :)
This better not lead to pirated games, otherwise the PS3 will be dead.
@blackchaos209
Yea... Just like how the PS1, PS2, PSP, Xbox 360 and Wii died after they were hacked, right? A console only truly comes alive when it is hacked. The reason the PS3 is lagging slightly behind the 360 in terms of sales is because of the fact that you cannot purchase pirated games. However sad, it is a fact: piracy is thriving here in Asia.
This guy is an idiot. He didn't hack the system at all, he's just so arrogant he thinks he did.
Was it too much effort to visit IBM's website, GeoNot?
So, where will this lead me with my ps3 slim and others with one too?
Slick play by Sony. Lagging against the Xbox brings a desperate move to create a draw on the PS3. I'm not a hater, I love the PS3 and wish Sony had the jump on Xbox Live (fail). It's a better system. This will totally motivate a secondary market to snag up PS3s. Maybe. Or maybe not.
Let there be no pirate game PLOX!!
Yeah you don't get that same feeling when you pirate a game as when you buy it. It just feels better. They better not mess that up
Well, being one of the cheapskates who held out for a Slim... I'm on Sony's side. Also, with the recent push Sony made into the social networking arena, I'm not too enthusiastic about running CFW on a device that's linked to my FB account, not to mention those who have CC info on their PSN profile... I think trusting the hacker/open source community to always do the right thing will eventually come back and bite us one day.
The PS3 is nowhere near being hacked. Geohotz is using OtherOS to poke around the memory system. He can read, write and poke around the system all day long. What he can't get is the root key, which is hardwired in the 7th SPU used only for security. The root key decrypts the keys used to decrypt signed code. When a game requests authentication, the decryption key enters the 7th SPU, and the root key decrypts it. The SPU is hardwired to only be able to physically retrieve the root key after the SPU enters isolation mode (no hardware or software access from anywhere in the system).
From http://www.ibm.com/developerworks/power/library/pa-cellsecurity/
"Therefore, if the operating system is compromised by an attack, the hardware security features can still protect the application and its valuable data. As an analogy, consider the protection the supervisory software provides as the castle's moat and the Cell BE security hardware features as the locked safe inside the castle."
"The fundamental problem with existing approaches is that they rely on software to provide the isolation, but at the same time software can be manipulated by an adversary. A better approach is for the hardware design to isolate the process in such a way that the software cannot override the isolation, and this is precisely what the Cell BE processor's Vault provides."
"Because of the root key's importance in keeping all other keys hidden, it must be robustly protected. The Cell BE processor accomplishes this with its Hardware Root of Secrecy. The root key is embedded in the hardware, and you cannot access it with software means; only a hardware decryption facility has access to it. This makes it much more difficult for software to be somehow manipulated so that the root key is exposed"
"In fact, the decryption based on the root key can only happen within an isolated SPE and not outside of it; no access to the root key is available, by hardware or software means, from a non-isolated SPE or the PPE. First, this implies that a system designer can force all data decryptions by the root key to happen within the protected environment of the Secure Processing Vault; the keys unsealed by the root key will always be placed (at least initially) in the Vault only. Second, only applications that have successfully passed the Runtime Secure Boot authentication are given access to the keys unsealed by the root key. Any software that might have been adversely modified will not be given access to the unsealed keys. Because the foundation of this control is grounded in both the Runtime Secure Boot and Hardware Root of Secrecy features, the process is more resistant to manipulation than with a pure software-controlled access mechanism. "
I downloaded the hack!!!!!
I hope I will be editing FIFA11, or PES2011 for PS3 next year.
I don't care about running pirated games, I just want a media player that will play everything.
@Rodney
agreed.
Sony just needs to give me .mkv playback and I'll be happy.
@Rodney
It's not about pirating games. It's really about patching them. For instance, the titles I mentioned: the ability to edit the game(s) to have up-to-date & authentic uniforms, balls, boots, etc., without worrying about licensing. Better/improved stadia, turf, faces, menu graphics. In other words, practically personalizing the game.
Great! Now you can look forward to the possibility to play games that you haven't paid for.
If this really is gonna work it's gonna be awesome. Okay people, start buying PS3s.
Why haven't Sony and Apple actually hired this guy? Help them find exploits and lock that shizz down. Boom problem solved and everyone's happy.
Can't wait to download PS1 n PS2 ROMs; luckily I have one of the older PS3s. Also want to connect the iPod touch to the PS3, maybe some type of PSP functionality on the iPod... Definitely would want Bluetooth or Wi-Fi file transfers between PS3 and a computer, or even a DualShock to the iPod? We'll see what cool hacks come to the PS3.
give me XBMC or give me death