Just over a month ago the PS3 Hypervisor lv2 (GameOS) was dumped and
GeoHot hinted that it was accomplished by commanding an SPU to load METLDR.
Today
dondolo let us know that
simone has detailed how to load METLDR in SPU isolation mode on the PlayStation 3 and included some
Register or
Loginhttp://www.piemontewireless.net/images/3/32/Spuisolation.tgz.
While this is definitely a step forward, he still doesn't specify what the read/write u32 functions are... or which functions to add to the recent XorHack release.
Those interested can check it out below, and to quote:
"After some experiment I succeded to load METLDR in spu isolation.
You need geohot's exploit to do this, because you need to turn spu relocation off (MFC_SR1[R]=0) and not let know the HV you are using a SPU (so no calls to lv1_construct_logical_spe or similar). For some strange conf, it doesn't work in HV way."
// Turn relocation OFF
printf("<TURN RELOCATION OFF>\n");
write_u64(SPU_P1(SPU_CURR)+0x0000, (read_u64(SPU_P1(SPU_CURR)+0x0000) & 0xFFFFFFFFFFFFFFEF�;
printf("MFC_SR1 = %llx\n", read_u64(SPU_P1(SPU_CURR)+0x0000�;
// no accesses are to be considered well behaved and cacheable
write_u64(SPU_P1(SPU_CURR)+0x0900, (u64)0x0);
// set overwrite mode for signal notification 1/2
write_u64(SPU_P2(SPU_CURR)+0x4078, (u64)0x0);
// set signal_notify1 = high metldr real address
write_u32(SPU_PS(SPU_CURR)+0x1400C, (u32)0x0);
// set signal_notify2 = low metldr real address
write_u32(SPU_PS(SPU_CURR)+0x1C00C, (u32)0x11000);
printf("---> START SPU IN ISOLATION MODE\n");
// set SPU_PRIVCNTL[LE]=1
write_u64(SPU_P2(SPU_CURR)+0x4040, (u64)0x4);
// set SPU_RUNCNTL[Run] = '11'
write_u32(SPU_PS(SPU_CURR)+0x401C, (u32)0x3);
for (cx=0; cx<3; cx++)
{
// Print SPU_STATUS
print__spu_status(read_u32(SPU_PS(SPU_CURR)+0x4024�;
sleep(5);
}
