AlexAltea

[Release] Full RSX VRAM/IO access exploit


This allows userland/lv2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space, and works on all firmwares up to the last version. Particularly interesting here is that this allows access to the last 2 MB of VRAM, reserved only for the LV1 driver, and, maybe slightly less interesting, access to the 'vsh.self' VRAM area and IO-mapped memory.

 

## Disclaimer

The requirements are quite hard to satisfy (many of you either don't need this, or can't run this) and it's only relevant for devs (so some don't need to care about it either). It just gives you access to something inaccessible before with userland/supervisor privileges, nothing else. That's the ONLY reason I'm posting this (and maybe the hope of someone being able to do something better with it).

 

## Requirements:

You need either:

  1. Userland entry point (e.g. Browser exploit [1], <= 4.78?) + NAND console (although probably if you have this, you already hacked it and have LV1 access).
  2. LV2 entry point (e.g. RSXploit [2], <= 4.45?). You will need to replace the `sys_rsx_context_attribute` LV2 syscall with the `lv1_gpu_device_map` LV1 call in the source code of the PoC provided below (and remove all the GCM library code among other things).

 

## Download

Source code available here (documentation inlined as comments):

https://github.com/AlexAltea/ps3autotests/blob/master/exploits/user_vram_access/user_vram_access.cpp

 

## Acknowledgements:

Thanks a lot to @3141card for his LV1 RE files, and to the people from Nouveau/Envytools, especially mwk.

 

[1] There's a browser-based (was it WebKit?) memdump PoC for PS3. So, just dump memory, find gadgets and build a ROP chain to load userland code.

[2] There's a flaw in 'sys_rsx_context_allocate' that allows that. More info on the RSXploit thread.

 

Edited by AlexAltea
Clarification
  • Upvote 11

4 hours ago, AlexAltea said:

This allows userland/lv2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space and works on all firmwares up to the last version. Particularly interesting here, is that this allows to access the last 2 MB of VRAM, reserved only for the LV1 driver, and maybe slightly less interesting, accessing 'vsh.self' VRAM area and IO mapped memory.

Thank you so much @AlexAltea for this release; at least the PS3 scene is still alive and pushing on for a longer time ;)

@GregoryRasputin, I think that @AlexAltea should have been entitled to the Developers Group a long time ago too ;)

 

Edited by Abkarino
  • Upvote 5

4 hours ago, AlexAltea said:

This allows userland/lv2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space and works on all firmwares up to the last version. Particularly interesting here, is that this allows to access the last 2 MB of VRAM, reserved only for the LV1 driver, and maybe slightly less interesting, accessing 'vsh.self' VRAM area and IO mapped memory.

Well done @AlexAltea, fantastic release. You deserve developer :-p

3 hours ago, StarMelter said:

Does this mean a CFW for superslims?

 

Nope. It doesn't mean anything else aside from what has been explicitly stated. ;-)

 

Edited by AlexAltea
  • Upvote 1


Can't any of the developers release a downgrade for the PS3 slim or fat (obviously not super slim)? The PS3 is dead anyway, everyone moved on, but it would be nice to play free games.


... There have been downgraders for the fat and slim models for years, such as Teensy++ 2.0 for both NAND and NOR, and E3 for NOR.

 

Pure software downgrading won't happen; it doesn't work like that.



Let me see if I get this:

 

Full access to RSX VRAM/IO for userland/supervisor privileges could be translated into using this along with the FreeBSD RSX Driver for any tool/program/OtherOS 3D app?

On 23/3/2016 at 6:13 AM, StarMelter said:

Does this mean a CFW for superslims?

 

On 24/3/2016 at 5:20 AM, zecoxao said:

https://mega.nz/#!40ckjS6K!TjX_wpLc8cYs-yoZlj5-p5jaKSyojDiELWJu8SZXCPw

The userland exploit AlexAltea mentions as being needed is this one. xerpi allowed me to share it, so enjoy :)

The link no longer works; could someone please re-upload it?

21 hours ago, affigne said:

Let me see if I get this:

 

Full access to RSX VRAM/IO for userland/supervisor privileges could be translated into using this along with the FreeBSD RSX Driver for any tool/program/OtherOS 3D app?

 

Could you give me the download link? The mega link no longer works.


This is an international forum; kindly speak English, which most of us (should) understand. Thank you.

  • Upvote 2


hahahahaha

 

Laughs aside, is there a way to mix this up with the FreeBSD RSX Driver to achieve full access/use of the PS3 GPU for any 3D app? If so, wouldn't that mean a better Linux experience once implemented?
