Linux Format forums
Help, discussion, magazine feedback and more
 

PS3 has been hacked...

 
Bazza
LXF regular


Joined: Sat Mar 21, 2009 11:16 am
Posts: 1474
Location: Loughborough

Posted: Tue Jan 26, 2010 6:45 pm    Post subject: PS3 has been hacked...

Hi all...

Interesting stuff...

http://geohotps3.blogspot.com/
_________________
73...

Bazza, G0LCU...

Team AMIGA...
pctechie



Joined: Tue Nov 17, 2009 1:20 pm
Posts: 49
Location: Manchester,UK

Posted: Thu Feb 04, 2010 11:35 pm

Here's how it works, for technically minded people:
Code:
geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory :)
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call


Read this article if you are less technically minded.
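
The failure mode described in the chat above, where the invalidation never reaches memory and stale read/write entries outlive the deallocation, can be modelled from the defender's side. The following C model is an added example, not part of either post and not PS3 hypervisor code: the names (htab_t, free_checked, scenario), the two-copy cache/memory layout and the lost-writeback counter are all assumptions. It contrasts a free that trusts its own invalidation with one that re-reads the table from memory and refuses to release the page while any mapping survives.

```c
/* Toy model (added example, not PS3 hypervisor code); names and fault model are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define SLOTS 8
#define MAX_RETRIES 3

typedef struct { uint64_t page; bool valid; } pte_t;
typedef struct {
    pte_t cache[SLOTS];   /* copy the hypervisor's stores update */
    pte_t memory[SLOTS];  /* copy the MMU actually walks */
    int   drops[SLOTS];   /* constructed fault: writebacks that never reach memory */
} htab_t;

static void writeback(htab_t *h, size_t i) {
    if (h->drops[i] > 0) { h->drops[i]--; return; }  /* glitched store is lost */
    h->memory[i] = h->cache[i];
}
/* Entries in memory that still translate to `page`. */
size_t stale_entries(const htab_t *h, uint64_t page) {
    size_t n = 0;
    for (size_t i = 0; i < SLOTS; i++)
        n += (h->memory[i].valid && h->memory[i].page == page);
    return n;
}
static void invalidate(htab_t *h, uint64_t page) {
    for (size_t i = 0; i < SLOTS; i++)
        if (h->memory[i].valid && h->memory[i].page == page) {
            h->cache[i].valid = false;
            writeback(h, i);
        }
}
/* Unchecked: invalidate once, then release the page whatever happened. */
bool free_unchecked(htab_t *h, uint64_t page) { invalidate(h, page); return true; }
/* Checked: re-read memory, retry, refuse to release while any mapping survives. */
bool free_checked(htab_t *h, uint64_t page) {
    for (int t = 0; t < MAX_RETRIES; t++) {
        invalidate(h, page);
        if (stale_entries(h, page) == 0) return true;
    }
    return false;  /* page stays quarantined instead of returning to the free pool */
}
/* Constructed scenario: three mappings of one page, `drops` lost writebacks on slot 1.
   Returns the mappings surviving a release, or -1 if the release was refused. */
int scenario(bool checked, int drops) {
    htab_t h = {0};
    for (size_t i = 0; i < 3; i++) h.cache[i] = h.memory[i] = (pte_t){ 0x1000, true };
    h.drops[1] = drops;
    bool ok = checked ? free_checked(&h, 0x1000) : free_unchecked(&h, 0x1000);
    return ok ? (int)stale_entries(&h, 0x1000) : -1;
}
```

In this model the read-back sees memory directly; on real hardware the check would have to bypass or flush the cache, which is an assumption the chat does not cover.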
All times are GMT


Copyright 2011 Future Publishing, all rights reserved.

