Hacking The PS3 and PSP 3000 So Far [Detailed]

A VERY Detailed Guide On How Far We Are.

Hacking the PlayStation 3 is one of the hardest things hackers have ever faced. The only person to ever access PlayStation 3 system files without authorization is George Hotz, also known as Geohot. In this article I am going to give you a very detailed “idea” of what is happening.

The PlayStation 3's file systems are not accessible from the PlayStation OS, so Geohot used the “OtherOS” feature and installed a Linux distribution. From there he could read and write files on the partition that he had designated for the Linux installation, but, unlike having a second drive on a Windows machine, he could not access the PS3 partition of the drive. This is where the hardware side of the hack comes into play. The PlayStation 3 has a piece of technology in it called a hypervisor. A hypervisor (also known as a virtualization layer) is used in most programs that allow you to run a guest operating system on your computer (running two operating systems on one computer at the same time); a popular program that does this is VMware. The hypervisor allows two operating systems to use one piece of hardware without allowing data from one operating system to cross over into the other. Here is a picture of what the hypervisor or virtualization layer does:

The hypervisor is low-level code that no one outside of IBM and Sony should have access to. It controls access to the hardware and monitors the operating system running on it.

In the simplest of terms, Geohot opened a whole bunch of holes in the hypervisor with authorization (the holes would have been monitored by the HV (hypervisor), so no code or data gets through), then he closed them all. Here comes the smart part: it takes time to open the holes because each one has to be authorized, and they also have to be de-authorized while they are being closed, which takes time too. While they were being closed, Geohot spiked a chip on the motherboard with electricity. This can have two results: 1. the system will KP (kernel panic) and crash or reboot, or 2. the hypervisor will accidentally jump over 2 holes, leaving them open and unmonitored. Obviously the wanted result is number two, because then the hypervisor will think they are closed when they're not, allowing unmonitored access.

From here it’s all software: Geohot has access to the PS3 system, and from here he can edit the PS3 files. BUT Sony and IBM’s security protocols were created to anticipate a worst-case scenario, and assumed that at some point someone like Geohot would gain access in this way. So even more layers of security were added to the design.

Now Geohot and the developer teams will have to deal with the same problem they did with the PSP. All of the system files in the PSP had signatures; if a file is edited, the signature on it is deleted automatically. Sony put a signature on most of the PS3 system files as well. You would think, well, so what, go ahead and edit them. But Sony wouldn’t put signatures on files for no reason. Now another key component of hacking the PS3 comes into play: the PRE-IPL.

When you turn on your PS3 or PSP, the PRE-IPL is the first thing that loads. The PRE-IPL takes the signatures of all the system files and compares them to a list; if any of the signatures don’t match, the PS3 or PSP won’t boot. What DarkAlex, a PSP hacker, did was simply hack into the PRE-IPL and DUMP or remove all the codes so that the PSP system would boot up with unsigned files. From there he could change the system files to allow unsigned games or code to run, and ta-da, you have a hacked PSP system.

Here is an image version of that:

Then Sony changed how the PRE-IPL loads, so instead of checking against a list it does a mathematical equation to compare the codes. Here is an image of the new codes:

Now you would just say, well, dump it again. But we can’t. Remember, before we could put PSP 1000s and 2000s in service mode with a hacked battery, and that’s how we dumped it last time. In the PSP 3000 Sony completely changed it so that only a signed battery could boot it, which brings us back to square one. The ChickHEN hack ran an exploit that overloaded the RAM (random access memory) and added some code into it while it was overloaded; when the PSP reset itself it loaded the code. But because the code was only in RAM, it was reset on reboot, and that’s the problem: you need to reboot the PSP to DUMP the flash, and because the code is lost upon reboot, that can’t happen. Recently, though, there has been talk about a new hacker by the name of BrokenCodes finding a way to dump the flash. As we speak, DarkAlex and BrokenCodes are working on exploiting his find.
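The difference between the two boot checks described above (comparing against a stored list, then computing the expected value), as an added example that is not from the original article or from Sony's firmware. HMAC-SHA256, the key, and the file names and contents are assumptions chosen for illustration; the article does not say what the real "mathematical equation" is.

```python
import hashlib
import hmac

# Constructed sample "system files"; names and contents are illustrative only.
FILES = {"system_a.bin": b"original module A", "system_b.bin": b"original module B"}
# Assumption: a secret readable only by the boot ROM (hypothetical value).
ROM_KEY = b"constructed-demo-key"

def build_digest_list(files):
    """Scheme 1: a table of plain SHA-256 digests stored next to the files."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def boot_check_list(files, digest_list):
    """Boot only if every file's digest matches its entry in the table."""
    return all(
        name in digest_list
        and hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest_list[name])
        for name, data in files.items()
    )

def tag(key, name, data):
    """Scheme 2: keyed tag over name and content; needs the key to produce."""
    return hmac.new(key, name.encode() + b"\0" + data, hashlib.sha256).digest()

def build_tags(files, key):
    return {name: tag(key, name, data) for name, data in files.items()}

def boot_check_keyed(files, tags, key):
    """Recompute each tag from the ROM key and compare in constant time."""
    return all(name in tags and hmac.compare_digest(tag(key, name, data), tags[name])
               for name, data in files.items())

def demo():
    digest_list, tags = build_digest_list(FILES), build_tags(FILES, ROM_KEY)
    modified = dict(FILES, **{"system_a.bin": b"modified module A"})
    return {
        "original": (boot_check_list(FILES, digest_list),
                     boot_check_keyed(FILES, tags, ROM_KEY)),
        "modified": (boot_check_list(modified, digest_list),
                     boot_check_keyed(modified, tags, ROM_KEY)),
        # An unkeyed table only protects files if the table itself is read-only.
        "rewritten_list": boot_check_list(modified, build_digest_list(modified)),
        # A tag recomputed without ROM_KEY does not verify.
        "retagged_without_key": boot_check_keyed(
            modified, build_tags(modified, b"guessed-key"), ROM_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The design point for a boot chain is that the value being compared against must either live in storage the running system cannot write or depend on a secret it cannot read.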

The same problem exists with the PS3: we can’t edit the PRE-IPL. But recently Geohot discovered a function on the PS3 processor which is used to configure the chip on startup. Here is an image for more technical people:

So this means we may be able to fully rewrite the codes to not even use the PRE-IPL. I would have no idea what can be done with this function; we can probably re-route the boot code to not even use the PRE-IPL, or find some kind of workaround.

Now you know where we are in time with the PS3 system and the PSP system. We still have not fully hacked the PS3 system or the PSP 3000, but because of new finds we are getting close.



That's longer than I thought.
