Slashdot Mirror


PlayStation 3 Hack Released Online

itwbennett writes "On Friday, George Hotz, best known for cracking Apple's iPhone, said he had managed to hack the PlayStation 3 after five weeks of work with 'very simple hardware cleverly applied, and some not so simple software.' Days later, he has now released the exploit, saying in a blog post that he wanted to see what others could do with it. 'Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released,' he wrote. 'I have a life to get back to and can't keep working on this all day and night.'" Reader MBCook points out an article written by Nate Lawson "explaining how the hack bypasses the hypervisor to gain unrestricted access to memory. It seems the trick is to use a pulse to glitch the hypervisor while it's unmapping memory, leaving a favorable page table entry."

7 of 164 comments

  1. Summary of what I've seen so far by b1t+r0t · · Score: 5, Informative

    * This is based on a Linux kernel module, so NO SLIM already, okay?
    * All it does is poke a hole in the hypervisor allowing memory access. This means it's not going to give you homebrew quite yet, but it's going to make it possible for people to start exploring and tinkering further.
    * It requires hardware that generates a 40ns pulse on some point on some version of the board. Apparently it introduces a hardware glitch that allows the hole to be opened. And it doesn't persist after a reboot.
    * The top level of security in the PS3 is in that one reserved SPU. Apparently it is given the root key during startup, holds all the other keys, and is responsible for decrypting and checking everything. But it's going to be very hard to get into.
    * Now that it's possible to get into the hypervisor, people can start poking at that SPU. But Sony's security model was supposed to include the possibility of the hypervisor being compromised in just this way.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  2. Re:Does this open the floodgates? by decipher_saint · · Score: 4, Insightful

    I often wonder if part of the success of the original XBox was its "hackability".

    Anyone care to weigh in?

    --
    crazy dynamite monkey
  3. Nice step forward, but no full compromise by Superken7 · · Score: 5, Informative

    While indeed this opens the door for PS3 hacking, the PS3 has not yet been fully "hacked".
    See http://streetskaterfu.blogspot.com/2010/01/ps3-is-hacked-urban-legend-continues.html

    The security architecture of the PS3 is designed in a way to prevent hacks like this from fully compromising the system.

    Another interesting read, by Kanna Shimizu, http://dslab.lzu.edu.cn:8080/members/zhangwei/doc/Cell_Broadband_Engine_processor_vault_security_architecture.pdf

  4. Re:'I have a life to get back to' by Vanderhoth · · Score: 5, Funny

    Yeah, he thinks he's all special because he has a life or something.

  5. "It seems the trick is to use a pulse..." by Broken+Bottle · · Score: 4, Funny

    "It seems the trick is to use a pulse to glitch the hypervisor while it's unmapping memory, leaving a favorable page table entry" Well shit, when you put it like that it's a wonder this thing wasn't cracked by a kindergartner two and a half years ago. :)

    1. Re:"It seems the trick is to use a pulse..." by nutshell42 · · Score: 4, Funny

      "Mr La Forge, how did you manage to disable the Borg Cube?"
      "Sir, it seems the trick is to use a pulse to glitch the hypervisor while it's unmapping memory, leaving a favorable page table entry."

      Honestly, if Star Trek had fed me that as techno babble I would've called bullshit. I'm deeply impressed that it actually means something and works.

      --
      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
  6. Re:This guy is a hack, not a hacker. by Sir_Lewk · · Score: 4, Insightful

    Trying and failing where none have succeeded before does not a "hack" make.

    If indeed he simply duplicated what someone else has done before then that does diminish this achievement, but I have heard nothing of the sort, you are an AC, and have not provided any citations.

    Your ad hominem attack, and your unprovoked lashing out at game piraters makes me think that you have a personal stake in this somehow. Without citations, I'm going to go ahead and say you are full of shit.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)