these guys from ps3 cobra made it without manipulating the hypervisor. We can't touch lv1 with the dongle exploit and unless they found an exploit in lv1 they can't either. so if ps3 cobra is real, they most likely modify lv2 only.
if we would hook syscall 602 (lv2_storage_read) and return data of our iso instead of data from the bd drive (legit psx disc inserted), we might be able to run psx isos. it could work for ps3 isos as well.
this is an example how it gets called from a gameos app:
guys, what do you think?
// taken from graf's code
57 * lv2_storage_read
59 static inline int lv2_storage_read(uint32_t dev_handle, uint64_t unknown1, uint64_t start_sector, uint64_t sector_count,
60 const void *buf, uint32_t *unknown2, uint64_t flags)
62 return Lv2Syscall7(602, dev_handle, unknown1, start_sector, sector_count,
63 (uint64_t ) buf, (uint64_t) unknown2, flags);