Slashdot Mirror

To further rain on the "VMs, even hardware ones, aren't exploitable" parade, the history of hacking the PS3 is always a fun read-

http://wiki.ps2dev.org/ps3:rsx

"
FIFO workaround

The hack consists of asking the Hypervisor to return without waiting for a blit to end. After the Hypervisor returns there is a small length of time during which the FIFO or FIFO registers can be modified before the GPU has finished reading the command. This will occur when a large blit is decomposed into many smaller 1024×1024 blits by the Hypervisor. The last operation pushed to the FIFO by the Hypervisor is a wait for the GPU engine to go idle. By skipping this operation, it is possible to enqueue more commands to the FIFO for the GPU to execute. So the hack consists in either patching the last operation with a NOP, or changing the FIFO write pointer to stop earlier.
"

Concur as well. I once submitted a change to a Sony PSP related page, links and all, correcting many factually incorrect statements (that are easily verified to be incorrect).

Problem #1 is there's some errrr... person that keeps reverting that stuff because it wasn't published in a paper magazine/newspaper. Problem #2 is that the articles that are there, are incorrect, and there won't be any new ones because it's no longer relevant/newsworthy.

Soon after the PSP was released, hackers began to discover exploits in the PSP that could be used to run unsigned code on the device. Sony released version 1.51 of the PSP firmware in May 2005 to plug the holes that hackers were using to gain access to the device.[1] On 15 June 2005 the hackers distributed the cracked code of the PSP on the internet.

Hhahahahaha! What a moron.
Fact is that is that the PSP was released in Japan on December 12, 2004.
Fact is also that nem's "hello, world" program was announced on ps2dev on May 5, 2005 (allowing for time zone/date differences).

So this did not happen 'soon after the PSP was released'. It was also not an exploit, as 1.00 firmware never bothered to check for signatures for regular unencrypted binaries.

Sony released firmware 1.50 on March 24, 2005 where this oversight was rectified.

Sony released firmware 1.51 on May 24, 2005, well ahead of the release by PSP-DEV of 'Swaploit' on June 15, 2005 which only worked with firmware 1.50 - incidentally the same date as the release of firmware 1.52 (note: the swapless KXploit, named after PSP-DEV member Killer-X, was released on June 22, 2005 and also only worked with the 1.50 firmware).

I could continue on and on.

I now wonder about many other articles on Wikipedia. Is crap-that-was-printed preferred over truth-that-was-not-printed? Some writer that doesn't really have a clue interviewing someone that, as the Dutch say, "heard the bell toll but doesn't know where the clapper is"? The editor doesn't care either and by the next issue it's all forgotten about.

Here's an exercise for the reader: find an obscure, fairly recent subject on which you are an expert (non-science), and check relevant Wikipedia articles for obvious, factually incorrect statements that any other expert would recognize as such. Submit appropriate corrections, preferably with links. Wait and see what happens.

Except people could already access the GPU from Linux before (See http://wiki.ps2dev.org/ps3:rsx). It's not useful because nobody bothered to write a driver for it as far as I know. This new "hack" won't change anything about the situation.

Did you notice that you're not allowed to use the GPU in the PS3 under Linux? That's not Linux, that's crippleware. Sony can take their hypervisor and stick it up their ass.

There's two good reasons for that. Number one, they don't want PS3 Linux to serve as a cheap devkit. Number two, they want people programming with the SPUs as much as possible...in fact, the early PS3 designs had no GPU at all. You can do a lot of video and audio processing with the SPUs, if you take the time.

Anyone want to package this tool up with the PS3 mplayer vo driver for the PS3 Ubuntu Intrepid release?

It would probably compile, but Linux on the PS3 runs under a hypervisor that blocks access to the GPU, so it's pretty much useless for everything except audio.

Not that there haven't been attempts or anything. But we all know how quick Sony is to put out firmware updates to prevent things that might actually allow people to use the hardware they paid for.

I was under the impression that the upper limit of video performance in PS3 linux is not user-accessable, because it depends on the hypervisor (which runs on one SPE):

Be aware that the memory that holds the physical GPU frame buffer is not allocated by the Kernel, just used. So on the first call to this, some or all of the memory you request (depending on now much you request) may be actually used as the frame buffer. You will know this, because your writes to memory will mysteriously disappear up to 20ms after you perform them. Note that direct access to video ram is very slow (~10MB/s).

If this link is correct, the maximum throughput into the framebuffer is a paltry 10MB/s, which isn't good enough for video at anywhere near HD resolutions. Or is this link incorrect?

So, what use is having a fast video decoder on the SPEs? You can't really make use of it for playback, because the hypervisor and framebuffer are holding you back. Until you find a PERMANANT hack for the RSX, you're SOL.

The SPU display code is not nearly as advanced as you imply (unfortunately) - whilst it can display at that rate / resolution, it is severaly limited in what data it can currently render. See http://wiki.ps2dev.org/ps3:spu-medialib here for the current status

Yeah, the acceleration capabilities of the hardware are not accessable from anything other than the stock OS so not too useful i nthat area and as you said, these processors are limited in what they can do, parallelisation for example isn't all that useful for tasks that cannot be parallelized [a lot of the desktop computing isn't if I remember correctly] and then again there actually might be a way to use that 3d capability after all, I haven't personally tried it so take with a dish of salt: http://forums.ps2dev.org/viewtopic.php?t=8364&postdays=0&postorder=asc&start=211

Umm, it's been done. It still needs work, but the access to thye 3d hardware has happened.

There's a very long thread about it here - http://forums.ps2dev.org/viewtopic.php?t=8364&postdays=0&postorder=asc&start=211

To be pedantic, while it is true that PS3-Linux does NOT run "on bare metal", it is not limited as you describe.

There is some access to the registers on the RSX chip itself, which is to say, while there isn't an X driver that takes advantages of it, there are simple demos that demonstrate that there IS access beyond a simple fb driver to the graphics chip.

The hard drive may 'virtualized' but the data iself isn't encrypted. Take the hard drive out, and skip the first 10G or so (depending on how your linux partition is setup) to where your Linux partition should be, and you have your ext3 (or whatever) partition unencrypted. (Thus avoiding known-plaintext attack on the hard drive's encryption.)

Bluetooth can be accessed via Linux and is supported by the generic hci_usb driver. pascal@pabr.org also has patches that let you use the SIXAXIS with the PS3 under Linux. (Similar to the USB patches that Sony released just prior to launch.)

WiFi can also be access via Linux, or at least Yellow Dog supports this.

There is enough access to use dd to dump the entire blue-ray disc. Any security on top of that is not covered. They are useless for pirates, but I've heard there are torrents are out there.

Rumor has it that if the people working on the RSX X driver for Ps3-linux could do a clean room implementation on the usage of the RSX chip, then Sony would be free to actually release an X driver.

http://ps2dev.org/ is useful if you are at all interested in development. The PS2, PS3 and PSP open source devkits are developed and discussed there.

How do I access the extra 256 MiB of RAM in the RSX chip from Linux, even if only to use it as a RAM disk for a swap file?

... has been done before, also on a fully virtualized context, memory protection, blablabla... PS2 Linux anyone? ;-) (greetings to Marcus R. Brown, damn great hacker!)

http://ps2dev.org/psp/Projects

Note that there is still a very active PS2, PSP homebrew scene. Check PS2Dev for example.

It's nice to see this information collected like this, instead of making prospective developers trawl through the ps2dev forums (where the toolchain development takes place, but it's not really saying much. Framebuffer graphics techniques and libpng aren't PSP specific, and if you can't do that stuff already you're probably going to have trouble getting much further. Take the pspdev FAQ and just look through the samples, that should be more than enough to get you started. And you'll be able to draw stuff the fast way, using the GU, instead of just writing directly to VRAM.

Also, Shine's lua player is an easier way to get into psp dev... but please, please don't go and write another shell.

Other good places to look for PSP homebrew/emulators:

http://emuholic.emuboards.com/
http://psp-news.dcemu.co.uk/
http://www.pspupdates.com/

A lot of the psp homebrew developers hang out at:
http://forums.ps2dev.org/index.php?c=5

and for some self promotion, check out pspChess:
http://forums.ps2dev.org/viewtopic.php?t=1760

Other good places to look for PSP homebrew/emulators:

http://emuholic.emuboards.com/
http://psp-news.dcemu.co.uk/
http://www.pspupdates.com/

A lot of the psp homebrew developers hang out at:
http://forums.ps2dev.org/index.php?c=5

and for some self promotion, check out pspChess:
http://forums.ps2dev.org/viewtopic.php?t=1760

The PSP well for owners of the V1.0 and V1.5 firmware (for now) is the ultimate Emulation and Homebrew Console with such sites as PSP Emulation News, the jap site PSP Wiki site and the forums at PS2 Dev being the best places to catch the new releases. Lets hope they crack the v2 and v1.51/1.52 software soon.

There are already hacks out that allow you to use the cheapy irda keyboards meant for PDAs:

http://forums.ps2dev.org/viewtopic.php?t=2926

If the author of the Bochs port wanted to he would be able to integrate it quite easily. Linux would be usable then ;)

Not exactly what you want as it's geared for PSP development using VS+cygwin but this could help:
http://forums.ps2dev.org/viewtopic.php?t=2493&high light=visual+studio

Perhaps you did not already know this, but at least someone understands how to decrypt the PSAR files containing the firmware as it's possible to disassemble the update application. (Also the decrypted firmware images of 1.51 and 1.52 firmwares have been floating around, so it has been done.) It's also known how to write to all of the flash memory in the PSP.

While it would not be possible to reencrypt the PSAR and re-sign the updater PBP so that it would run like the original, it would be possible to modify the decyrpted firmware then write an application that flases said modified firmware to a PSP in order to create a PSP with 2.0 firmware features that can still load unsigned code.

However, as I said before, the ability to do this to your own PSP means that you will have to begin with a PSP capable of executing unsigned code in the first place (currently 1.0 or 1.5) in order to run the hacked flashing utility and write the unencrypted and unsigned hacked-up firmware image to flash. Thus, if you update to 2.0 now you will perhaps not be able to install a hacked 2.0 that can run homebrew code IF such a thing is created and IF no exploit is found in 2.0.

The PS2DEV forums is currently the best resource to get started hacking your PSP with 1.0 firmware. There's even the beginnings of a PSP GCC toolchain: http://www.oopo.net/consoledev/files/psptoolchain- 20050603.tgz.

A warning for anyone thinking of grabbing homebrew without reading up on it.

Unfortunately the flash ROM on the PSP is completely writable by anything running on the machine. The 1.50 and 1.51 updates fix this, but in doing so locking out homebrew software. For anyone that can't see the connection - malicious writes to flash = a shiny PSP paperweight.

http://forums.ps2dev.org/viewtopic.php?t=1962 [ps2dev.org]

So, if you're going to run homebrew on your PSP, beware the possible consequences. Mine just arrived yesterday, I wish they'd release these things sooner in the EU! Alas, it's 1.50 :(

Thanks for linking to a crap blog. Let's try for some real content: PS2Dev Forum and the PSP Hacker link which contains two QT movies.

btw, hello world is already there (At least on firmare v1.0) v1.5 is proving somewhat more difficult.

http://forums.ps2dev.org/viewtopic.php?t=1570

Apparently someone has been able to run a hello world app off a memory stick, but it requires downgrading to a 1.0 firmware which removes an encryption requirement for running code off the memory stick... link and discussion are here

Someone has already kindly setup a portal for all you people who want to view this without setting up a DNS server or from any access point.
You can see his portal with your web browser (computer) here:

http://67.171.70.72/wipeout/index.html
To use this on your PSP simply set your DNS to 67.171.70.72 inside the network settings then go into Wipeout Pure and hit Download.

For more information visit this dudes website avaliable at:
http://fugimax.base2.org/

In other news the PSP firmware has been updated on the Japanese handhelds. See the following forum thread for more info:
http://forums.ps2dev.org/viewtopic.php?t=1201&star t=0&postdays=0&postorder=asc&highlight=.

For those curious you can extract the files from the update by using this C program avaliable on the following site:
http://www.oopo.net/consoledev/files/unpack-pbp.c.

Enjoy!

1. Katamari Damacy
2. Culdcept
3. Dark Cloud
4. Robot Alchemic Drive
5. ICO
6. Frequency
7. Chulip
8. Okami

There was a method discovered some time ago that allows you to swap the current (valid) disc with an invalid one and boot it all the same. This requires a PS2 boot disc that was designed to facilitate this and was mostly fixed in later PS2 revisions.

So a pure software loader would be unable to access an invalid disc unless it were swapped, but there are so many obstacles there that it isn't practical to attempt that (if it would even work) with this exploit - I am not naive enough to say it isn't possible - it just isn't practical to implement or use.

I have no idea if I would get burned (as in Sony would have a valid case) legally if this were to happen with the exploit, since the flaw that enables swapping has existed since the PS2 was launched. I guess what I'm trying to say is that the exploit doesn't enable any piracy features not already present in the PS2.

The first site we always recommend is ps2dev.org. You can also find us on IRC in #ps2dev on EFNet, where we can help you get setup (if ps2dev.org or it's links aren't enough).

You should be able to do just that without any special hardware other than that mentioned in the article. You can find more information on programming games for the ps2 here. They have links to tons of tools and compilers and such.