I’ve been busy digging into the PS3 lately; I decided it’s finally time to see what secrets can be extracted from it. During my investigations I found that level-1 syscalls, a.k.a. hypercalls, are not handled by IDA, so I added support for them to the existing PPC Altivec plugin. Get the updated plugins here and copy them to your IDA “plugins” directory to install them.
For those who don’t know, level-1 syscalls are used to call hypervisor functions. On a PS3 the hypervisor is known as “lv1” (level 1), since it is the lowest level that runs directly on top of the hardware. The operating system is executed on top of it and is known as “lv2” (level 2). The two common operating systems are GameOS, which PS3 games run on, and OtherOS, which is usually used to run Linux. Since both OSes run on top of the same lv1 hypervisor, they use the same set of hypercalls, which has been partially documented here.
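To make the lv1/lv2 distinction concrete, here is an added example (my own illustration, not the IDA plugin described above) of how a disassembler helper can tell the two apart at the instruction level. On PowerPC the `sc` instruction carries a LEV field: `sc` (LEV = 0, encoded 0x44000002) traps to the lv2 kernel, while `sc 1` (LEV = 1, encoded 0x44000022) traps to the lv1 hypervisor. The scanner below walks big-endian code, classifies every `sc` by LEV, and looks back a few instructions for the `li r11, N` that supplies the call number, following the convention used by Linux’s PS3 hypercall stubs (number in r11, then `sc 1`). The byte sequence, the lookback window and the annotation strings are constructed for the example; the call numbers in it are arbitrary and do not refer to any real hypercall table.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# PowerPC 'sc' encoding: primary opcode 17, bit 30 set; LEV sits in
# bits 20..26 (IBM numbering), i.e. shifted left by 5 in the 32-bit word.
SC_MASK = 0xFC000003
SC_BASE = 0x44000002   # 'sc'   (LEV = 0) -> lv2 syscall
SC_LEV_SHIFT = 5       # 'sc 1' (LEV = 1) -> lv1 hypercall, word 0x44000022
SC_LEV_MASK = 0x7F

# 'addi rD, rA, SIMM' (primary opcode 14); 'li rD, SIMM' is addi with rA == 0.
ADDI_MASK = 0xFC000000
ADDI_OP = 0x38000000


@dataclass
class SyscallSite:
    offset: int             # byte offset of the 'sc' word from the scan base
    level: int              # 0 = lv2 syscall ('sc'), 1 = lv1 hypercall ('sc 1')
    number: Optional[int]   # immediate loaded into r11 before the sc, if found


def decode_li_r11(word: int) -> Optional[int]:
    """Return SIMM if `word` is 'li r11, SIMM', else None."""
    if word & ADDI_MASK != ADDI_OP:
        return None
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    if rd != 11 or ra != 0:
        return None
    simm = word & 0xFFFF
    return simm - 0x10000 if simm & 0x8000 else simm


def scan_syscalls(code: bytes, base: int = 0, lookback: int = 4) -> List[SyscallSite]:
    """Find every 'sc' in big-endian PPC code and classify it by LEV.

    lookback: how many preceding instructions to inspect for 'li r11, N'
    (a constructed heuristic; real stubs may set r11 further away).
    """
    usable = len(code) - len(code) % 4
    words = [struct.unpack(">I", code[i:i + 4])[0] for i in range(0, usable, 4)]
    sites: List[SyscallSite] = []
    for idx, word in enumerate(words):
        if word & SC_MASK != SC_BASE:
            continue
        level = (word >> SC_LEV_SHIFT) & SC_LEV_MASK
        number = None
        for back in range(1, lookback + 1):
            if idx - back < 0:
                break
            prev = words[idx - back]
            if prev & SC_MASK == SC_BASE:
                break            # another sc: stop, r11 belongs to that call
            number = decode_li_r11(prev)
            if number is not None:
                break
        sites.append(SyscallSite(base + idx * 4, level, number))
    return sites


def annotate(site: SyscallSite) -> str:
    """Produce the kind of comment a plugin would attach to the sc line."""
    kind = "lv1_hypercall" if site.level == 1 else "lv2_syscall"
    arg = f"{site.number:#x}" if site.number is not None else "?"
    return f"{kind}({arg})"


# Constructed sample: two stubs, one lv1 hypercall and one lv2 syscall.
SAMPLE = struct.pack(
    ">7I",
    0x7C0802A6,  # mflr r0
    0x3960001A,  # li r11, 0x1a      (constructed call number)
    0x44000022,  # sc 1              -> lv1 hypercall
    0x4E800020,  # blr
    0x39600006,  # li r11, 6         (constructed call number)
    0x44000002,  # sc                -> lv2 syscall
    0x4E800020,  # blr
)

if __name__ == "__main__":
    for s in scan_syscalls(SAMPLE):
        print(f"{s.offset:#06x}: {annotate(s)}")
```

Because the LEV field is what selects the privilege level the trap lands in, a disassembler that ignores it shows every `sc` as a plain kernel syscall; keying the annotation on LEV is exactly the gap the plugin change above fills, and the r11 lookback is what lets the hypercall number be resolved against the documented table.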
It got more interesting after I read Geohot’s post, which caused quite a sensation when he ‘revealed’ that he had been able to hack the PS3 earlier this year:
I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I’ve also dumped the NAND without removing it or a modchip.
3 years, 2 months, 11 days… that’s a pretty secure system
Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.
Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long
As far as the exploit goes, I’m not revealing it yet. The theory isn’t really patchable, but they can make implementations much harder. Also, for obvious reasons I can’t post dumps. I’m hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone’s KBAG.
Oh, and so as not to confuse everyone, KaKaRoToKS has just explained it on Twitter:
To everyone misunderstanding: no lv1 access, all I did was be able to dump the “call trace” of lv1 hypercalls. Same as payload_dump_syscalls
Edit: KaKaRoTo tweeted:
“Here’s a sneak peek at the hv+sc log during boot (filtered out a lot of calls that flood the log)”
For your convenience, I have zipped the 40MB log file; you can download it here: