Sunday, January 31, 2010

Sony PS3 Hack to Play Cracked Games (Free Download)

Sony PS3 (PlayStation 3), one of the safest gaming platforms, has finally been cracked, enabling illegal pirated games and applications to run on the PS3 platform. The PS3 can only run software or games that are digitally signed by Sony and controlled by DRM (Digital Rights Management) to prevent piracy.
But Sony Corp made a big mistake by selling PS3 games at high prices, making a crack for the PS3 a highly demanded item.

George Hotz (or GeoHot), who first jailbroke and unlocked the original classic iPhone in 2007, has claimed to have found an exploit on the PS3 system that allows the machine to be hacked. The exploit, if further investigated and developed, may result in a modchip or softmod that can be installed on the PS3 to allow burned, backup or copied game DVDs or CDs to be played.

The GeoHot exploit gives full memory access to the PS3 and therefore ring 0 access from OtherOS. This exploit works on a PS3 with firmware version 2.4.2, and most likely on most previous firmware versions too. The exploit quickly allocates and deallocates memory while glitching the memory bus, so that the hypervisor thinks some repeatedly allocated memory is deallocated while the guest still holds read-write mappings to it; with some further tricks this becomes read-write access to the main htab.

The exploit code has also been released by GeoHot to the hacking community, though it may not be useful for most end-users yet.

Download http://geohot.com/ps3_exploit.zip

The ZIP package contains a shell script (run.sh), a Makefile, a set of instructions, a C file (exploit.c) containing the hack program, and a screenshot (pokemehere).

Here’s a brief explanation by GeoHot of the PS3 exploit:

geohot: well actually it’s pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn’t allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it’s setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
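The race GeoHot describes above, reduced to a constructed model so the defensive lesson is visible. This is an added example, not GeoHot's exploit.c or any PS3 hypervisor code: a toy page table, a bus that silently drops a short burst of writes the way a transient pulse would, a naive deallocation that trusts the writeback, and a hardened deallocation that reads the table back and repeats until no mapping survives. All names (machine_t, bus_write, hv_dealloc_naive, hv_dealloc_verified) and the page number are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTAB_ENTRIES 64
#define PTE_VALID (1u << 0)
#define PTE_RW    (1u << 1)

/* One hashed page-table entry: flags plus the real page it maps. */
typedef struct {
    uint32_t flags;
    uint32_t real_page;
} pte_t;

/* Constructed model of the hypervisor's state: the HTAB plus a bus that can
 * lose writes. A pulse swallows pulse_len consecutive writes starting at the
 * pulse_at-th write the bus sees (a stand-in for the short glitch). */
typedef struct {
    pte_t htab[HTAB_ENTRIES];
    unsigned writes_seen;
    unsigned pulse_at;
    unsigned pulse_len;
} machine_t;

/* Hypothetical bus write: stores the entry unless the fault window is open. */
static void bus_write(machine_t *m, unsigned idx, pte_t v)
{
    unsigned n = m->writes_seen++;
    if (n >= m->pulse_at && n < m->pulse_at + m->pulse_len)
        return;                        /* writeback missed the memory */
    m->htab[idx] = v;
}

/* Guest's view after deallocation: entries still granting r/w to the page. */
static int count_dangling(const machine_t *m, uint32_t page)
{
    int n = 0;
    for (unsigned i = 0; i < HTAB_ENTRIES; i++)
        if ((m->htab[i].flags & (PTE_VALID | PTE_RW)) == (PTE_VALID | PTE_RW)
            && m->htab[i].real_page == page)
            n++;
    return n;
}

/* Naive deallocate: one pass of invalidations, trusting the bus. */
static void hv_dealloc_naive(machine_t *m, uint32_t page)
{
    for (unsigned i = 0; i < HTAB_ENTRIES; i++)
        if ((m->htab[i].flags & PTE_VALID) && m->htab[i].real_page == page)
            bus_write(m, i, (pte_t){0, 0});
}

/* Hardened deallocate: read the table back and repeat until nothing for the
 * page survives. Returns extra passes used, or -1 if the table could not be
 * cleaned within max_retries (a hypervisor should treat that as a fault). */
static int hv_dealloc_verified(machine_t *m, uint32_t page, int max_retries)
{
    for (int pass = 0; pass <= max_retries; pass++) {
        hv_dealloc_naive(m, page);
        if (count_dangling(m, page) == 0)
            return pass;
    }
    return -1;
}

/* Fill the HTAB with many r/w entries for one page, as the chat describes,
 * and arm a pulse that lands partway through the invalidation loop. */
static void setup(machine_t *m, uint32_t page, unsigned at, unsigned len)
{
    memset(m, 0, sizeof *m);
    for (unsigned i = 0; i < HTAB_ENTRIES; i++)
        m->htab[i] = (pte_t){PTE_VALID | PTE_RW, page};
    m->pulse_at = at;
    m->pulse_len = len;
}

#define PAGE 0x1234u  /* constructed page number, not a real PS3 address */

/* Glitched naive path: how many r/w entries the guest keeps (3 here). */
int dangling_after_naive(void)
{
    machine_t m;
    setup(&m, PAGE, 20, 3);
    hv_dealloc_naive(&m, PAGE);
    return count_dangling(&m, PAGE);
}

/* Same fault on the verified path: extra passes needed (1 here). */
int passes_for_verified(void)
{
    machine_t m;
    setup(&m, PAGE, 20, 3);
    return hv_dealloc_verified(&m, PAGE, 4);
}

/* Same fault on the verified path: r/w entries left afterwards (0 here). */
int dangling_after_verified(void)
{
    machine_t m;
    setup(&m, PAGE, 20, 3);
    hv_dealloc_verified(&m, PAGE, 4);
    return count_dangling(&m, PAGE);
}

int main(void)
{
    printf("naive: %d dangling r/w entries\n", dangling_after_naive());
    printf("verified: %d extra pass(es), %d dangling\n",
           passes_for_verified(), dangling_after_verified());
    return 0;
}
```

The point of the model is why the chat's remark about encryption and ECC holds: the hypervisor's write never reached memory, so nothing that protects stored data catches it. What does catch it is treating a security-critical state change as unfinished until the hypervisor has read it back, and failing closed when retries run out.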
And, the brief usage instructions:
Compile and run the kernel module.
When the “PRESS THE BUTTON IN THE MIDDLE OF THIS” comes on, pulse the line circled in the picture low for ~40ns.
Try this multiple times, I rigged an FPGA button to send the pulse.
Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!!
If the module exits, you are now exploited.
This adds two new HV calls,
u64 lv1_peek(16)(u64 address)
void lv1_poke(20)(u64 address, u64 data)
which allow any access to real memory.
However, while the exploit may have been found, Sony can quickly patch it in a new firmware update.

Note: This article is for informational purposes only.
