PS3 CPU Exploit Released by DarkHacker

[The Central Scrutinizer]

One day after Mathieulh Tweeted about a new exploit he refuses to release, a previously unheard of person calling himself "Darkhacker" has released info on a new CPU exploit.

UPDATE: Mathieulh was apparently the original source of this "exploit" (click the link below for chatlog) but he and other devs claim it's useless. He adds that it is not the new exploit he Tweeted about yesterday.
http://pastie.org/private/cjcucrzayyijh5mcpqvmlg

CPU Exploit - one step closer to METLDR
this is a release of the hidden Cell Exploit found a while ago and one of the step taken to the metldr exploit im going to release the because i fell people should have the right to do as they wish and the information should be free to the public

i know by releasing this exploit ill probably be taken to court or sued but **** sony they can go to hell all i care for what there doing to us hackers ill fight until the last min i got of my life if i have to for the right of the people

for this exploit your going need a leaked service pdf which is below

time to explain this now listen up

i know you all remember the exploit with ram and so on back in 3.15
well your going look for the 'CELL RESET LINE' and that going be where the exploit is
you know how the small 60ms or ns i dont remember thing sent to ps3 for the read and write of the ram ?

well use line send that and connect it to the cell reset line. ( FIND IT IN DOC )
and ground on outside of case and the example of what can be done with this is a cold reset which still has acess to the memory from gameos - dont let this die out people im taking a big risk by giving you all this information


- thanks to mitchy my personal hard drive Tongue - note i did not upload the documents and if requested ill remove the links


Example of what can be done with this --
untouched memory on cold boot full access to lv2 and all game os memory

News Source: PS3SDK via PsGroove

Thanks to EmersonS35, natedogg20050 and spade_ for the news submissions.

PDF download mirrors (not hosted on PSX-SCENE)...

RapidShare - http://www.multiupload.com/RS_LGGA1T5T90
MegaUpload - MEGAUPLOAD - The leading online storage and file delivery service
DepositFiles - Deposit Files
Hotfile - Hotfile.com: One click file hosting: Ps3 Blue Prints.pdf
Zshare - zSHARE - Ps3 Blue Prints.pdf
Uploading - Download Ps3 Blue Prints.pdf for free on uploading.com

UPDATE #2: Mathieulh has added some additional information on the exploit via his Twitter feed.

muhahahahaha this is just the cell reset line trick, you can use this to dump lv2 from 1.10 to 3.15 but that's it.

Oh! and it's been known for ages by about....err... everyone...

The fact is you can't glitch the cell to even access the isolated LS because it's PHYSICALLY disconnected from the bus.

As in the cell was especially designed for the purpose of preventing access to the isolated LS by anything but the isolated process. You can read details about this here: The Cell Broadband Engine processor security architecture

Anyway I'll stop talking of ps3 stuff for now, I am still pissed.

That so called "cpu exploit" allows no more than dumping lv2 from 1.10 to 3.15. That's it. It's just pointless.

The trick only worked because the otheros setting was written upon selection rather than upon shutdown.

Then you could coldboot to a small piece of code installed in the linux partition which would dump the lv2 ram space for you.

No, the isolated LS gets physically disconnected from the bus when isolation kicks in. That's the way it's designed

Only the isolated process itself can access the isolated Local Store.

Isolation itself is designed in a very secure way, I have never seen IBM engineers messing around when it comes to security.

The line itself is cut, so to speak.

As in the bus can have no physical interaction whatsoever with the isolated Local Store.

In fact, should you have access to the nexus/jtag port on the cell, you still couldn't access the isolated Local Store.

This means that to effectively dump the isolated LS content, you need to exploit the isolated process itself.

Yes there is obviously a logic gate being involved in the process.

Sadly most details from IBM about isolation are under NDA, so we don't know what's going on for sure "underneath"

The only way to access the isolated LS again by software is to destroy the SPU and Create it again but this would delete the data.

of course I do not mean to physically destroy the spu xD.

Mainly what happens is that so long as a SPU runs isolated, only the software on that SPU can access the isolated LS, nothing else

Then how about the code that actually kickstarts the isolation ?

Then what does decrypt the bootloader and metldr ? There has to be some rom doing the decryption and holding key

Of course the spu isolation itself would be done by hardware, but only "trusted" software can run isolated

Those are the public docs you know ? :P

A lot of the cell docs are NDAed, You cannot expect the spu to just jump at encrypted instructions can you ?

[Anony]

let me see

[Dofu]

Why is Members News Submission private? Also, cool beans.

~Dofu

[Omnomnom]

Surprise surprise.

[cookiedood]

I don't know how to use this lol

[elk1007]

Sorry to be the ignorant one, but what does this mean for the scene, exactly?

[thebudman420]

I don't know how to use this lol

This is only useful for devs right now but with luck this may bring us some goodies in the future. Spread this like fire lol

[jayjayusa]

OHOH niceee, will I be sued If I see this page? lmao
Nice job, one step closer.

[Ro0tk3y]

BOOOOOOOOOOOOOOOMMMMMMMMMMMBBBBBBBBBBBBBBB!


Take this Sony!!! hahahahahahhahahahaahahahahahahaha

[2legit2quit]

Example of what can be done with this --
untouched memory on cold boot full access to lv2 and all game os memory

Nice