PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Aug 18, 2017 at 10:01 PM | 10
Status
Not open for further replies.
Following the previous work, PlayStation 3 developer @zecoxao with help from Zer0Tolerance, IronMan and AlexAltea updated their PS3 RSXploit with details below. :ninja:

Download: rsxploit.7z (154.79 KB)

To quote from zecoxao on the update: So, after some deliberation with Zer0Tolerance, we decided to release an updated version of the lv2 exploit that my friend released a long time ago.

First, some notes:
  • This exploit was patched on 4.40, NOT on 4.45
  • There isn't just ONE unchecked pointer, there are FOUR! All four are now checked in 4.40
Code:
/*
 * lv2 SysCall 670 (0x29E): sys_rsx_context_allocate
 * @param context_id (OUT): RSX context, E.g. 0x55555555 (in vsh.self)
 * @param lpar_dma_control (OUT): Control register area. E.g. 0x60100000 (in vsh.self)
 * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... E.g. 0x60200000 (in vsh.self)
 * @param lpar_reports (OUT): Report data area. E.g. 0x60300000 (in vsh.self)
 * @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate
 * @param system_mode (IN):
 */

/*
 After some verification it turns out that 4 pointers aren't checked
 They are:
   context_id
   lpar_dma_control
   lpar_driver_info
   lpar_reports

 we can write values at:
   rsx_context + 0x04 (4Bytes) - context_id
   rsx_context + 0x20 (8Bytes) - lpar_dma_control
   rsx_context + 0x30 (8Bytes) - lpar_driver_info
   rsx_context + 0x40 (8Bytes) - lpar_reports

 to properly specify a kernel address use ULL for big numbers
*/
You can test this for instance on a 4.21 CFW console by specifying an address in one of the parameters and then dumping memory before and after running the syscall. Just be careful that you need to be able to write to that region!

Many thanks to IronMan and AlexAltea for the help. This exploit will be even better later, so stick around (-:

:arrow: Update: In related PS3 hacking news, ZeroTolerance has released ps3encdec, a port of flat_z's encdec emulator to C. Source code (and binaries) can be found here:

Download: ps3encdec_saucy.rar (224.74 KB)

"The encdec emulator supports all crypto types (NAND/NOR/ARCADE NAND/ARCADE NOR) and, being in C, is faster than the original one (between 1-3MBps on creating decrypted/encrypted file) and this can be improved by using OpenCL or other multithreading tools"
"ZeroTolerance just made version 0.1.0 of ps3encdec. Users will notice a significant improvement in speed (from 3MBps max to 96MBps max). A readme (with working examples) is also added. And finally, a timer was added to do benchmarks of the program"
Cheers to @SSShowmik for the news tip in the PSXHAX Shoutbox this afternoon! :beer:
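
To make the bug class in zecoxao's syscall 670 notes concrete from a defender's side, here is an added C model that is not code from zecoxao, from the post or from the lv2 kernel. It builds a toy syscall handler with the same four OUT pointers, once writing through them as given (the unchecked 4.21-era pattern the notes describe) and once validating every pointer against a user/kernel split before the first store (what the notes say 4.40 added). The flat memory image, the USER_LIMIT split, the ERR_BAD_PTR code and all function names are assumptions of this example; the four example values are the ones quoted in the post's comment block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed flat memory image: "addresses" below are offsets into it, so the
 * model runs offline. Offsets below USER_LIMIT stand for user-writable memory,
 * everything above for kernel-only memory (assumed split, not the PS3's). */
#define SIM_MEM_SIZE 0x1000u
#define USER_LIMIT   0x0800u
#define ERR_BAD_PTR  (-1)      /* placeholder error code, not lv2's real one */

static uint8_t sim_mem[SIM_MEM_SIZE];

void sim_reset(void) { memset(sim_mem, 0, sizeof sim_mem); }

uint32_t sim_read32(uint64_t addr) { uint32_t v; memcpy(&v, &sim_mem[addr], sizeof v); return v; }
uint64_t sim_read64(uint64_t addr) { uint64_t v; memcpy(&v, &sim_mem[addr], sizeof v); return v; }

/* User-pointer check: the whole window [addr, addr+len) must lie in user memory.
 * Written as addr <= LIMIT - len rather than addr + len <= LIMIT so a huge addr
 * cannot wrap the sum around and slip past the comparison. */
int is_user_range(uint64_t addr, size_t len) {
    return len <= USER_LIMIT && addr <= (uint64_t)USER_LIMIT - len;
}

/* Kernel-side store that trusts its destination completely. */
static void kernel_store(uint64_t addr, const void *src, size_t len) {
    if (addr >= SIM_MEM_SIZE || len > SIM_MEM_SIZE - addr) return; /* keep the toy in bounds */
    memcpy(&sim_mem[addr], src, len);
}

/* The example values quoted in the post; a real handler would compute them. */
static const uint32_t CTX_ID   = 0x55555555u;
static const uint64_t DMA_CTRL = 0x60100000ull;
static const uint64_t DRV_INFO = 0x60200000ull;
static const uint64_t REPORTS  = 0x60300000ull;

/* "Before": the four OUT pointers are written through exactly as the caller
 * supplied them, which is the unchecked pattern the notes describe. */
int rsx_ctx_alloc_unchecked(uint64_t p_ctx, uint64_t p_dma, uint64_t p_drv, uint64_t p_rep) {
    kernel_store(p_ctx, &CTX_ID,   sizeof CTX_ID);
    kernel_store(p_dma, &DMA_CTRL, sizeof DMA_CTRL);
    kernel_store(p_drv, &DRV_INFO, sizeof DRV_INFO);
    kernel_store(p_rep, &REPORTS,  sizeof REPORTS);
    return 0;
}

/* "After": validate every OUT pointer before the first store, so a bad fourth
 * pointer cannot leave the first three already written (no partial success). */
int rsx_ctx_alloc_checked(uint64_t p_ctx, uint64_t p_dma, uint64_t p_drv, uint64_t p_rep) {
    if (!is_user_range(p_ctx, sizeof CTX_ID)   || !is_user_range(p_dma, sizeof DMA_CTRL) ||
        !is_user_range(p_drv, sizeof DRV_INFO) || !is_user_range(p_rep, sizeof REPORTS))
        return ERR_BAD_PTR;
    return rsx_ctx_alloc_unchecked(p_ctx, p_dma, p_drv, p_rep);
}

int main(void) {
    int rc;
    sim_reset();
    rc = rsx_ctx_alloc_checked(0x100, 0x900, 0x300, 0x400);   /* 0x900 is kernel-only here */
    printf("checked:   rc=%d, kernel word at 0x900 = 0x%llx\n", rc, (unsigned long long)sim_read64(0x900));
    rc = rsx_ctx_alloc_unchecked(0x100, 0x900, 0x300, 0x400);
    printf("unchecked: rc=%d, kernel word at 0x900 = 0x%llx\n", rc, (unsigned long long)sim_read64(0x900));
    return 0;
}
```

The detail worth keeping from the checked version is the ordering: all four pointers are validated before any of them is written, and the range test avoids an overflowing addition, because a check that only rejects the first bad pointer after earlier stores have landed, or that can be wrapped with a large address, is still the same bug with extra steps.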
 

Comments

Look, I don't mean to be a buzzkill, but nobody will ever release any exploit for PS3 anytime soon. Simply because whatever secret access point they have, they don't want patched.
 