PS3 has been hacked...

Postby Bazza » Tue Jan 26, 2010 6:45 pm

Hi all...

Interesting stuff...

Bazza, G0LCU...

Team AMIGA...

The less that I speak, the smarter I sound.

Postby pctechie » Thu Feb 04, 2010 11:35 pm

Here's how it works for technically minded people:
geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory :)
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call

Read this article if you are less technically minded.
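A defender-side illustration, added here and not code from this thread or from geohot, of the weak step the log describes: the hypervisor writes "invalid" into every HTAB entry for the freed page and trusts that the store landed. The constructed toy model below drops one such store (standing in for the cache writeback that never reached memory) and shows a read-back check that refuses to treat the page as free while any live mapping remains. The structure names, sizes and flag values are assumptions for the model, not the PS3 hypervisor's real layout.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed toy HTAB: a few entries, each mapping one real page number.
 * The real Cell/PowerPC HTAB is hardware-defined; this models only the
 * invalidate-then-trust behaviour discussed in the log. */
#define HTAB_ENTRIES 64
#define PTE_VALID 0x1u
#define PTE_RW    0x2u
struct pte { uint32_t flags; uint32_t rpn; };
static struct pte htab[HTAB_ENTRIES];

/* Simulated fault: when non-zero, the next HTAB store is silently lost. */
static int drop_next_store = 0;

static void htab_store(size_t i, uint32_t flags, uint32_t rpn) {
    if (drop_next_store) { drop_next_store = 0; return; } /* writeback missed */
    htab[i].flags = flags;
    htab[i].rpn = rpn;
}

/* Guest setup from the log: many entries, all pointing at one owned page. */
void map_page_many(uint32_t rpn, size_t count) {
    for (size_t i = 0; i < count && i < HTAB_ENTRIES; i++)
        htab_store(i, PTE_VALID | PTE_RW, rpn);
}

/* Read-back check: how many valid entries still map the page? */
size_t count_dangling(uint32_t rpn) {
    size_t n = 0;
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        if ((htab[i].flags & PTE_VALID) && htab[i].rpn == rpn) n++;
    return n;
}

/* Naive deallocation: invalidate each matching entry and trust the store. */
void dealloc_page_naive(uint32_t rpn) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++)
        if ((htab[i].flags & PTE_VALID) && htab[i].rpn == rpn)
            htab_store(i, 0, 0);
}

/* Hardened deallocation: re-read the table after invalidating and retry;
 * returns dangling entries left after max_rounds (0 = safe to reuse page). */
size_t dealloc_page_verified(uint32_t rpn, int max_rounds) {
    for (int r = 0; r < max_rounds; r++) {
        dealloc_page_naive(rpn);
        if (count_dangling(rpn) == 0) return 0;
    }
    return count_dangling(rpn);
}
```

With one store dropped, the naive path leaves a single valid read/write entry behind for a page the allocator now believes is free; the verified path notices it on read-back and clears it before reporting success.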
