Category: PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Aug 18, 2017 at 10:01 PM
Following the previous work, PlayStation 3 developer @zecoxao with help from Zer0Tolerance, IronMan and AlexAltea updated their PS3 RSXploit with details below.

Download: rsxploit.7z (154.79 KB)

To quote from zecoxao on the update: So, after some deliberation with Zer0Tolerance, we decided to release an updated version of the lv2 exploit that my friend released a long time ago.

First, some notes:
  • This exploit was patched on 4.40, NOT on 4.45
  • There isn't just ONE non-checked pointer, there are FOUR! They are all 4 now checked in 4.40
Code:
/*
 * lv2 SysCall 670 (0x29E): sys_rsx_context_allocate
 * @param context_id (OUT): RSX context, E.g. 0x55555555 (in vsh.self)
 * @param lpar_dma_control (OUT): Control register area. E.g. 0x60100000 (in vsh.self)
 * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... E.g. 0x60200000 (in vsh.self)
 * @param lpar_reports (OUT): Report data area. E.g. 0x60300000 (in vsh.self)
 * @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate
 * @param system_mode (IN):
 */

/*
 After some verification it turns out that 4 pointers aren't checked
 They are:
 context_id
 lpar_dma_control
 lpar_driver_info
 lpar_reports

 we can write values at:
 rsx_context + 0x04 (4Bytes) - context_id
 rsx_context + 0x20 (8Bytes) - lpar_dma_control
 rsx_context + 0x30 (8Bytes) - lpar_driver_info
 rsx_context + 0x40 (8Bytes) - lpar_reports

 to properly specify a kernel address use ULL for big numbers
 */
You can test this for instance on a 4.21 CFW console by specifying an address in one of the parameters and then dumping memory before and after running the syscall. Just be careful that you need to be able to write to that region!

Many thanks to IronMan and AlexAltea for the help. This exploit will be even better later, so stick around (-:
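
As an added example (not zecoxao's code and not PS3 firmware), the bug class described above in a toy C simulation: a syscall-shaped function hands its results back through four caller-supplied OUT pointers, once with no validation and once with the user-range check a patched kernel would apply before writing. The flat address space, the user/kernel split at USER_LIMIT and the exact form of the check are assumptions; the post only says that 4.40 now checks all four pointers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy address space: a flat buffer whose lower half stands in for
 * user memory and whose upper half stands in for kernel memory (an assumption,
 * not the PS3 memory layout). */
#define MEM_SIZE   0x1000u
#define USER_LIMIT 0x0800u          /* addresses >= USER_LIMIT are kernel-only */
typedef uint32_t uaddr_t;           /* an address inside the toy space */
static uint8_t mem[MEM_SIZE];

enum { OK = 0, EFAULT = -1 };

/* Overflow-safe check that [addr, addr+len) lies entirely in user space. */
static int user_range_ok(uaddr_t addr, size_t len) {
    return addr < USER_LIMIT && len <= USER_LIMIT - addr;
}

static void put(uaddr_t addr, const void *v, size_t len) {
    if ((size_t)addr + len <= MEM_SIZE)   /* simulation guard only, not a security check */
        memcpy(&mem[addr], v, len);
}

uint32_t peek_u32(uaddr_t addr) { uint32_t v; memcpy(&v, &mem[addr], 4); return v; }

/* Shared body: writes the allocation results through the four OUT pointers.
 * The values are constructed placeholders (the post's example addresses). */
static int write_results(uaddr_t p_id, uaddr_t p_dma, uaddr_t p_info, uaddr_t p_rep) {
    uint32_t id = 0x55555555u;
    uint64_t dma = 0x60100000ull, info = 0x60200000ull, rep = 0x60300000ull;
    put(p_id, &id, 4); put(p_dma, &dma, 8); put(p_info, &info, 8); put(p_rep, &rep, 8);
    return OK;
}

/* Vulnerable shape (the pre-4.40 behaviour the post describes): the pointers
 * are trusted as given, so any of them can land in kernel memory. */
int ctx_alloc_unchecked(uaddr_t p_id, uaddr_t p_dma, uaddr_t p_info, uaddr_t p_rep) {
    return write_results(p_id, p_dma, p_info, p_rep);
}

/* Hardened shape (assumed form of the 4.40 check): every OUT pointer must sit
 * in user space for the full width written through it, else the call fails. */
int ctx_alloc_checked(uaddr_t p_id, uaddr_t p_dma, uaddr_t p_info, uaddr_t p_rep) {
    if (!user_range_ok(p_id, 4) || !user_range_ok(p_dma, 8) ||
        !user_range_ok(p_info, 8) || !user_range_ok(p_rep, 8))
        return EFAULT;
    return write_results(p_id, p_dma, p_info, p_rep);
}
```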

Update: In related PS3 hacking news, ZeroTolerance has released ps3encdec, which is a port of flat_z's encdec emulator to C. Source code (and binaries) can be found here:

Download: ps3encdec_saucy.rar (224.74 KB)

"The encdec emulator supports all crypto types (NAND/NOR/ARCADE NAND/ARCADE NOR) and, being in C, is faster than the original one (between 1-3MBps on creating decrypted/encrypted file) and this can be improved by using OpenCL or other multithreading tools"
"ZeroTolerance just made version 0.1.0 of ps3encdec. Users will notice a significant improvement in speed (from 3MBps max to 96MBps max). Readme (with working examples) is also added. And finally, a timer was added to do benchmarks of the program"
Cheers to @SSShowmik for the news tip in the PSXHAX Shoutbox this afternoon!

Comments

Silasgabe13

Contributor
Look, I don't mean to be a buzzkill, but nobody will ever release any exploit for PS3 anytime soon. Simply because whatever secret access point they have, they don't want patched.