[PS3] Full RSX VRAM/IO Access Exploit by AlexAltea

Discussion in 'PS3 News' started by STLcardsWS, Mar 23, 2016.

By STLcardsWS on Mar 23, 2016 at 9:38 PM
    (UPDATED) Here is a very cool release for the PS3 hacking community, as developer AlexAltea publishes a Full RSX VRAM/IO Access Exploit. While this release is only intended for developers' consumption, it could lead to something more promising down the road for the end user, as the developer hopes someone can make use of this research and exploit. The capabilities are explained as follows: "It just gives you access to something inaccessible before with userland/supervisor privileges". So now developers can explore new areas on the PS3, and nothing better to explore than the RSX chip of the console. Check out all the details from AlexAltea in the quote below:





    • Full RSX VRAM/IO access exploit


      This allows userland/lv2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space, and works on all firmwares up to the last version. Particularly interesting here is that this allows accessing the last 2 MB of VRAM, reserved only for the LV1 driver, and, maybe slightly less interesting, accessing the 'vsh.self' VRAM area and IO-mapped memory.


      Disclaimer: The requirements are quite hard to satisfy (many of you either don't need this, or can't run this) and it's only relevant for devs (so some don't need to care about it either). It just gives you access to something inaccessible before with userland/supervisor privileges, nothing else. That's the ONLY reason I'm posting this (and maybe the hope of someone being able to do something better with it).

      Requirements:
      You need either:

      1. Userland entry point (e.g. Browser exploit [1], <= 4.78?) + NAND console (although probably if you have this, you already hacked it and have LV1 access).
      2. LV2 entry point (e.g. RSXploit [2], <= 4.45?). You will need to replace the `sys_rsx_context_attribute` LV2 syscall with the `lv1_gpu_device_map` LV1 call in the source code of the PoC provided below (and remove all the GCM library code among other things).



      Acknowledgements:
      Thanks a lot to @3141card for his LV1 RE files, and to the Nouveau/Envytools people, especially mwk.

      • [1] There's a browser-based (was it WebKit?) memdump PoC for PS3. So, just dump memory, find gadgets and build a ROP chain to load userland code.
      • [2] There's a flaw in 'sys_rsx_context_allocate' that allows that. More info on the RSXploit thread.


      See Post #3 below for the UPDATE


    Download: user_vram_access.cpp

    Last edited: Nov 18, 2018
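The post gives the two figures that define the privilege boundary the exploit crosses: 256 MB of RSX VRAM, with the top 2 MB reserved for the LV1 driver, while userland/lv2 callers are supposed to stay below that line. The following is an added illustration of that boundary written as the overflow-safe range check a mapping path would have to enforce; it is not AlexAltea's PoC (which is only linked above, not quoted), and the post does not say how the real check is bypassed. The constants, the `rsx_caller` enum and both functions are assumptions for illustration. The naive variant is included only to show the classic `offset + length` wrap-around mistake that such a check must avoid, not as a claim about the RSX code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Layout figures taken from the post: 256 MB of RSX VRAM, the last 2 MB of
 * which are reserved for the LV1 (hypervisor) driver.  Constants and checks
 * below are an illustration of that boundary, not the PoC's code. */
#define RSX_VRAM_SIZE         (256u * 1024u * 1024u)
#define RSX_LV1_RESERVED      (2u * 1024u * 1024u)
#define RSX_LV1_RESERVED_BASE (RSX_VRAM_SIZE - RSX_LV1_RESERVED)

/* Hypothetical privilege level of the caller requesting a VRAM mapping. */
enum rsx_caller { RSX_CALLER_USER = 0, RSX_CALLER_LV2 = 1, RSX_CALLER_LV1 = 2 };

/* Upper bound a given caller may map up to: only LV1 sees the full 256 MB. */
static uint32_t rsx_vram_limit(enum rsx_caller caller)
{
    return (caller == RSX_CALLER_LV1) ? RSX_VRAM_SIZE : RSX_LV1_RESERVED_BASE;
}

/* Hardened check: may [offset, offset + length) be mapped for 'caller'?
 * 'offset + length' is never computed; after confirming offset < limit the
 * test becomes 'length <= limit - offset', which cannot wrap. */
bool rsx_vram_map_allowed(enum rsx_caller caller, uint32_t offset, uint32_t length)
{
    uint32_t limit = rsx_vram_limit(caller);

    if (length == 0 || offset >= limit)
        return false;
    return length <= limit - offset;
}

/* Naive check shown for contrast: the 32-bit sum wraps for a large length,
 * so a request well past the end of VRAM is accepted. */
bool rsx_vram_map_allowed_naive(enum rsx_caller caller, uint32_t offset, uint32_t length)
{
    uint32_t limit = rsx_vram_limit(caller);

    if (length == 0)
        return false;
    return offset + length <= limit;   /* wraps at 2^32 */
}

int main(void)
{
    /* A userland request that touches the LV1-reserved tail is refused,
     * and a length chosen to wrap past 2^32 is refused by the hardened
     * check but accepted by the naive one. */
    printf("user maps reserved tail: %d\n",
           rsx_vram_map_allowed(RSX_CALLER_USER, RSX_LV1_RESERVED_BASE, 4096));
    printf("hardened, wrapping length: %d\n",
           rsx_vram_map_allowed(RSX_CALLER_USER, 0x1000, 0xFFFFF000u));
    printf("naive, wrapping length: %d\n",
           rsx_vram_map_allowed_naive(RSX_CALLER_USER, 0x1000, 0xFFFFF000u));
    return 0;
}
```

The interesting case is the request that ends exactly at the 254 MB line: it is allowed for userland/lv2, while the same base with one more page straddles into the reserved 2 MB and is refused. Under the exploit described in the post, a userland/lv2 caller effectively gets the LV1 row of this table.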

Comments


    1. quad1000
       Will it help to create Red Ribbon Linux 3D acceleration capable RSX drivers?
    2. kozarovv
       Yes (probably, I'm a noob :)), if any dev wants to make this. Thanks to AlexAltea and @3141card it is possible to mess with all the RSX can offer.
    3. STLcardsWS
