Re: PS3 has been hacked...

pctechie — Thu Feb 04, 2010 11:35 pm

Author: pctechie

Posted: Thu Feb 04, 2010 11:35 pm

Here's how it works for technical minded people

Code:

geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory :)
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call

Read this article if you are less technical minded.

PS3 has been hacked...

Bazza — Tue Jan 26, 2010 6:45 pm

Author: Bazza

Posted: Tue Jan 26, 2010 6:45 pm

Hi all...

Interesting stuff...

http://geohotps3.blogspot.com/

Linux Format forums

Re: PS3 has been hacked...

PS3 has been hacked...