Je vous en parlais la semaine dernière, le hacker GeoHot annonçait sur son blog qu’il avait cracké la Playstation3 … Et bien il vient tout juste de publier l’exploit en question pour le plus grand bonheur de tous les autres hackers qui vont ainsi prendre le relai…
Il a demandé à la communauté qu’elle documente toutes ses trouvailles dans le Wiki psDev. L’exploit en question est téléchargeable ici avec les instructions.
geohot: well actually it's pretty simple geohot: i allocate a piece of memory geohot: using map_htab and write_htab, you can figure out the real address of the memory geohot: which is a big win, and something the hv shouldn't allow geohot: i fill the htab with tons of entries pointing to that piece of memory geohot: and since i allocated it, i can map it read/write geohot: then, i deallocate the memory geohot: all those entries are set to invalid geohot: well while it's setting entries invalid, i glitch the memory control bus geohot: the cache writeback misses the memory :) geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated geohot: then i create a virtual segment with the htab overlapping that piece of memory i have geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab geohot: switch to virtual segment geohot: write to main segment htab a r/w mapping of itself geohot: switch back geohot: PWNED geohot: and would work if memory were encrypted or had ECC geohot: the way i actually glitch the memory bus is really funny geohot: i have a button on my FPGA board geohot: that pulses low for 40ns geohot: i set up the htab with the tons of entries geohot: and spam press the button geohot: right after i send the deallocate call
J’ai hâte de voir tout ce petit monde s’enflammer et inventer des centaines de choses à partir de ce hack, y compris des petites bidouilles ou des homebrews.
Si vous voulez plus d’infos, rendez vous sur le blog de GeoHot !
Encore merci à Prototux pour l’info