A use for all those Teensy boards that were previously used for jailbreaking PS3s!
PS3 Memory Glitch Exploit – Teensy AVR Porting - PS3Crunch
This should also work from GameOS on other FWs with Graf Chokolo's method.

----------------------------------------
--- PS3 Memory Glitch for Teensy AVR ---
---------------------2011 - Expanders --
----------------- firstname.lastname@example.org --
This has been tested on the following equipment/conditions:
- PS3 Fat 40GB
- Original Firmware 3.15
- Ubuntu linux 8.10
- Teensy 2.0
- XorHack 2.0
Get a working gcc-avr compiler on your box.
Check the Makefile and set MCU for your board accordingly, then run the build.
The compiled ihex programs are in their respective subdirectories, ready to be loaded with the Teensy Loader.
Two different editions are provided:
- serial console :
Provides a basic console interface over a USB modem (CDC ACM) device (usually /dev/ttyACMx on Linux).
For MS Windows you need a driver; download it from http://www.pjrc.com/teensy/serial_install.exe
You can connect using minicom or screen on Linux, or HyperTerminal on Windows (set a baud rate >= 38400).
Once connected, type "a" to adjust pulse duration or "x" to enter exploit mode.
When in exploit mode, tap SPACEBAR to send pulse.
- pushbutton :
Classic pushbutton; see pin connections below. To adjust the duration you need to edit the teensyglitch_pushbutton.c source code and recompile.
B2 : PS3 RAM control bus.
GND : PS3 metallic shield / ground screw
If you use the pushbutton edition, connect the button between GND and pin F4.
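The following is an added example, not the Expanders/PS3Crunch teensyglitch source: a minimal glitch-pulse core that implements the same console protocol as the serial edition (a = adjust, x = exploit, SPACE = pulse), written so that the control logic compiles and can be exercised on a PC as well as on the Teensy 2.0 (ATmega32U4). Everything beyond what the README states is an assumption: the pulse is taken to be active-low on B2, '+'/'-' are assumed to change the width in adjust mode, 'q' is assumed to return to the menu, and the width is counted in busy-loop iterations rather than nanoseconds.

```c
/*
 * Added example (not the Expanders/PS3Crunch teensyglitch code): a minimal
 * glitch-pulse core with the serial edition's console protocol.  The host
 * build replaces the AVR port registers with plain variables so the logic
 * can be tested on a PC.  Assumptions not taken from the README: active-low
 * pulse on B2, '+'/'-' adjust the width, 'q' returns to the menu.  The pulse
 * width is in loop iterations; measure the real width with a scope before
 * trusting it, since it depends on F_CPU and the compiled loop body.
 */
#include <stdint.h>

#ifdef __AVR__
#  include <avr/io.h>
#  define GLITCH_DDR  DDRB
#  define GLITCH_PORT PORTB
#else
/* Host build: stand-ins for the AVR port registers so the logic is testable. */
static volatile uint8_t DDRB_sim, PORTB_sim;
#  define GLITCH_DDR  DDRB_sim
#  define GLITCH_PORT PORTB_sim
#endif
#define GLITCH_BIT 2   /* Teensy 2.0 pin B2, the README's "PS3 RAM control bus" pin */

enum glitch_mode { MODE_MENU, MODE_ADJUST, MODE_EXPLOIT };

struct glitcher {
    enum glitch_mode mode;
    uint16_t width;      /* pulse width in loop iterations */
    uint32_t pulses;     /* pulses sent since init */
    uint32_t low_ticks;  /* host only: total iterations spent driving the pin */
};

static void glitch_init(struct glitcher *g, uint16_t width)
{
    g->mode = MODE_MENU;
    g->width = width;
    g->pulses = 0;
    g->low_ticks = 0;
    GLITCH_DDR  |= (uint8_t)(1 << GLITCH_BIT);   /* B2 as output */
    GLITCH_PORT |= (uint8_t)(1 << GLITCH_BIT);   /* idle high (assumed polarity) */
}

/* Drive B2 low for 'width' iterations, then release it. */
static void glitch_pulse(struct glitcher *g)
{
    uint16_t n = g->width;
    GLITCH_PORT &= (uint8_t)~(1 << GLITCH_BIT);
    while (n--) {
#ifdef __AVR__
        __asm__ __volatile__("nop");   /* keeps the loop from being optimised away */
#else
        g->low_ticks++;
#endif
    }
    GLITCH_PORT |= (uint8_t)(1 << GLITCH_BIT);
    g->pulses++;
}

/* One console keystroke; returns the text to echo back over CDC ACM. */
static const char *glitch_handle_char(struct glitcher *g, char c)
{
    switch (g->mode) {
    case MODE_MENU:
        if (c == 'a') { g->mode = MODE_ADJUST;  return "adjust: + / - / x / q\r\n"; }
        if (c == 'x') { g->mode = MODE_EXPLOIT; return "exploit: SPACE = pulse\r\n"; }
        return "a = adjust, x = exploit\r\n";
    case MODE_ADJUST:
        if (c == '+' && g->width < 0xffff) { g->width++; return "width+\r\n"; }
        if (c == '-' && g->width > 1)      { g->width--; return "width-\r\n"; }
        if (c == 'x') { g->mode = MODE_EXPLOIT; return "exploit: SPACE = pulse\r\n"; }
        if (c == 'q') { g->mode = MODE_MENU;    return "menu\r\n"; }
        return "";
    case MODE_EXPLOIT:
        if (c == ' ') { glitch_pulse(g); return "."; }
        if (c == 'a') { g->mode = MODE_ADJUST; return "adjust: + / - / x / q\r\n"; }
        if (c == 'q') { g->mode = MODE_MENU;   return "menu\r\n"; }
        return "";
    }
    return "";
}

/* Feed a whole keystroke sequence (as a test or a scripted run would); returns pulses sent. */
static uint32_t glitch_run_script(struct glitcher *g, const char *keys)
{
    while (*keys)
        glitch_handle_char(g, *keys++);
    return g->pulses;
}
```

On the real board the main loop would read bytes from the CDC ACM endpoint and pass each one to glitch_handle_char, writing the returned string back to the host; the pushbutton edition would instead call glitch_pulse directly when F4 reads low.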
Thanks to GeoHot for the original finding and code.
Thanks to xorloser for the XorHack toolkit.
Thanks to PJRC for the Teensy and the serial console library.
Hypervisor Reverse Engineering - PS3 Development Wiki
Exploiting HV with memory glitching and HV call lv1_undocumented_function_114
Here is a short description of the method I used to exploit the HV from GameOS 3.15 and 3.41.
* First I used Geohot's method to create a dangling HTAB entry.
* Making the memory glitch work on GameOS was the largest of my obstacles, but I solved it and I'm able to create a dangling HTAB entry from GameOS within 1-3 minutes.
* Then I created many Direct Map Memory Region objects of size 0 with HV call lv1_undocumented_function_114 and checked if they are within the page to which the dangling HTAB entry points.
* When I found one such Direct Map Memory Region object, I patched the size of this object to 0x1000. Then I pointed this memory region object to the code of HV call lv1_undocumented_function_114 and patched 4 bytes in this HV call, which allows me to create any Direct Map Memory Region objects without any restrictions.
* Function LPAR_construct_direct_mapping_mem_region, which is used by HV call lv1_undocumented_function_114, has a parameter (register %r9), and when this parameter is not 0 the HV will allow you to create any Direct Map Memory Region objects without restrictions, but unfortunately HV call lv1_undocumented_function_114 passes 0 in this parameter, so I just patched it.
* Then I mapped the whole HV memory range with the patched HV call lv1_undocumented_function_114 into the address space of GameOS.
* And now you have read/write access to the whole HV.
* $ONY could fix this exploit by disallowing the creation of Direct Map Memory Region objects of size 0, but I know tons of other HV C++ classes which will allow me to exploit the HV in a similar way, so it wouldn't bring $ONY anything :-) And they would have to change member variable offsets in those objects to make sure that I cannot patch them easily :-)
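The block below is an added example and is not graf_chokolo's code or anything from the PS3 Development Wiki. It shows, in host-side C, the two checks behind the procedure above: whether an object the HV handed back lies inside the page the dangling HTAB entry maps, and how the 4-byte patch to lv1_undocumented_function_114 can be located and verified before it is written into HV memory. One assumption is not stated on the page: that the call loads its %r9 argument with `li %r9, 0`, so that the patch is a single PowerPC addi immediate. The instruction bytes in the sample are constructed for the example, not a dump of the real HV.

```c
/*
 * Added example, not graf_chokolo's or the PS3 Development Wiki's code.
 * Assumption (not on the page): lv1_undocumented_function_114 sets %r9 with
 * "li %r9, 0", so making it non-zero is a one-instruction immediate patch.
 * sample_hvcall below is a constructed fragment, not real HV bytes.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PPC_OP_ADDI 14u   /* primary opcode of addi; "li rD,imm" is addi rD,0,imm */

/* Encode "li rD, simm" as a 32-bit PowerPC instruction word. */
static uint32_t ppc_li(unsigned rd, int16_t simm)
{
    return (PPC_OP_ADDI << 26) | ((rd & 31u) << 21) | (uint16_t)simm;
}

/* Decode: 1 if insn is "li rd, *", storing the immediate in *simm. */
static int ppc_is_li(uint32_t insn, unsigned rd, int16_t *simm)
{
    if ((insn >> 26) != PPC_OP_ADDI)        return 0;
    if (((insn >> 21) & 31u) != (rd & 31u)) return 0;
    if (((insn >> 16) & 31u) != 0)          return 0;   /* rA != 0 is a real addi, not li */
    if (simm) *simm = (int16_t)(insn & 0xffffu);
    return 1;
}

/* HV code is big-endian; never patch through a host-endian uint32_t. */
static uint32_t be32_load(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void be32_store(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Step 3 of the write-up: did the size-0 object land in the dangling page? */
static int in_dangling_page(uint64_t obj_addr, uint64_t page_base, uint64_t page_size)
{
    return obj_addr >= page_base && obj_addr - page_base < page_size;
}

/*
 * Step 4: find the first "li rd, old_imm" on a 4-byte boundary in a
 * big-endian code image and rewrite it to "li rd, new_imm".  Returns the
 * byte offset patched, or -1 if the expected instruction is absent, in
 * which case nothing is written: that is the check you want before
 * touching hypervisor code through the patched memory region object.
 */
static long patch_li_imm(uint8_t *code, size_t len, unsigned rd,
                         int16_t old_imm, int16_t new_imm)
{
    for (size_t off = 0; off + 4 <= len; off += 4) {
        int16_t imm;
        if (ppc_is_li(be32_load(code + off), rd, &imm) && imm == old_imm) {
            be32_store(code + off, ppc_li(rd, new_imm));
            return (long)off;
        }
    }
    return -1;
}

/* Constructed sample of a call site: not real HV bytes. */
static const uint8_t sample_hvcall[] = {
    0x7c, 0x08, 0x02, 0xa6,   /* mflr  r0 */
    0x39, 0x20, 0x00, 0x00,   /* li    r9, 0   <- the argument that must become non-zero */
    0x48, 0x00, 0x00, 0x01,   /* bl    (placeholder target) */
};

/* Copy the sample into 'out', patch %r9's immediate 0 -> 1, return the patched offset. */
static long demo_patch(uint8_t *out, size_t out_len)
{
    if (out_len < sizeof sample_hvcall) return -1;
    memcpy(out, sample_hvcall, sizeof sample_hvcall);
    return patch_li_imm(out, sizeof sample_hvcall, 9, 0, 1);
}
```

Searching for the exact expected instruction, rather than blindly writing four bytes at a fixed offset, is what protects the procedure from a firmware where the call site moved or is encoded differently: patch_li_imm refuses to write when it does not find `li r9, 0`, and the patched word can be re-decoded with ppc_is_li to confirm the immediate is now non-zero before the HV call is invoked.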