Nifty. It's a bit of C that you run in Linux mode, while simultaneously poking at a memory trace to glitch the bus. I think it tries to set a valid memory mapping over and over. The glitch turns that mapping into one that lets the user stomp all over the Hypervisor. Once the glitch is in place, he installs two extra Hypervisor calls that let you read and write arbitrary physical memory.
geohot: well actually it's pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn't allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it's setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory :)
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call
When he mentioned that it didn't require a modchip, I assumed he had not taken the case off and done things to the board. Hopefully it still means that they can bypass this by being able to see what is going on, but it shows that sometimes you just need to connect some wires together first.
I was just talking with a friend about this today. If you get access to the GPU after trashing the hypervisor it may be possible to write a system emulator (think QEMU) for the PS2. I have to think about this a little more (performance hits, etc.) but it may work.
Do you think the folks at www.hackintosh.com will be able to put Snow Leopard on it? A Mac Mini (with PowerPC-based Core @3.2GHz and Blu-ray player) for $300, this would be awesome!
mmastrac | 16 years ago
Edit: He explains in more detail here: http://pastie.org/795944
yan | 16 years ago
imok20 | 16 years ago
robin_reala | 16 years ago
brianjherman | 16 years ago
wmf | 16 years ago
http://www.power.org/resources/downloads/PowerISA_V2.06_PUBL...
invisible | 16 years ago
Locke1689 | 16 years ago
csmeder | 16 years ago
sliverstorm | 16 years ago
itistoday | 16 years ago