

PS3 Ring0 Exploit Released - iheartmemcache
http://geohotps3.blogspot.com/2010/01/heres-your-silver-platter.html

======
mmastrac
Nifty. It's a bit of C that you run in Linux mode, while simultaneously poking
at a memory trace to glitch the bus. I think it tries to set a valid memory
mapping over and over. The glitch turns that mapping into one that lets the
user stomp all over the Hypervisor. Once the glitch is in place, he installs
two extra Hypervisor calls that let you read and write arbitrary physical
memory.

Edit: He explains in more detail here: <http://pastie.org/795944>

    geohot: well actually it's pretty simple
    geohot: i allocate a piece of memory
    geohot: using map_htab and write_htab, you can figure out the real address of the memory
    geohot: which is a big win, and something the hv shouldn't allow
    geohot: i fill the htab with tons of entries pointing to that piece of memory
    geohot: and since i allocated it, i can map it read/write
    geohot: then, i deallocate the memory
    geohot: all those entries are set to invalid
    geohot: well while it's setting entries invalid, i glitch the memory control bus
    geohot: the cache writeback misses the memory :)
    geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
    geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
    geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
    geohot: switch to virtual segment
    geohot: write to main segment htab a r/w mapping of itself
    geohot: switch back
    geohot: PWNED
    geohot: and would work if memory were encrypted or had ECC
    geohot: the way i actually glitch the memory bus is really funny
    geohot: i have a button on my FPGA board
    geohot: that pulses low for 40ns
    geohot: i set up the htab with the tons of entries
    geohot: and spam press the button
    geohot: right after i send the deallocate call

~~~
imok20
Could anyone tell me what map_htab and write_htab are?

~~~
streblo
They're syscalls in the PS3 hypervisor. map_htab maps the entire page table.
write_htab writes to the page table.

More here: <http://wiki.ps2dev.org/ps3:hypervisor>

~~~
imok20
Thanks! Google wasn't particularly useful for me, unfortunately. Good for me
to know, as a PS3 layman.

------
brianjherman
What is an htab?

~~~
wmf
"Hashed page table"; it controls virtual memory mappings. See Power ISA Book
III-S 5.7.7.

<http://www.power.org/resources/downloads/PowerISA_V2.06_PUBLIC.pdf>

------
invisible
When he mentioned that it didn't require a modchip, I assumed he had not taken
the case off and done things to the board. Hopefully it still means that they
can bypass this by being able to see what is going on, but it shows that
sometimes you just need to connect some wires together first.

------
Locke1689
I was just talking with a friend about this today. If you get access to the
GPU after trashing the hypervisor it may be possible to write a system
emulator (think QEMU) for the PS2. I have to think about this a little more
(performance hits, etc.) but it may work.

------
csmeder
Do you think the folks at www.hackintosh.com will be able to put Snow
Leopard on it? A Mac Mini (with PowerPC-based Core @3.2GHz and Blu Ray player)
for $300, this would be awesome!

~~~
sliverstorm
You are, of course, aware that Snow Leopard does not run on PPC cores?

~~~
csmeder
That's a good point, I feel dumb

~~~
romland
But you made me grin :)

------
itistoday
For either amusement or a headache read the comments to his blog.

    casale2a said...
    How do you use this?!?!

:-D

