AlexAltea last won the day on March 23 2016

AlexAltea had the most liked content!


About AlexAltea

  • User Group: Founding Member
  • Rank: Newbie
  • Post Count: 9
  • Post Ratio: 0.00
  • Total Rep: 21
  • Member Of The Days Won: 1
  • Joined: 11/14/2014
  • Been With Us For: 2025 Days
  • Age: 25

  1. I just completed this quiz. My Score 50/100 My Time 108 seconds  
  2. Thank you guys! :-) You are hurting the francesinha's feelings, how dare you, hahah.
  3. Nope. It doesn't mean anything else aside from what has been explicitly stated. ;-)
  4. This allows userland/lv2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space and works on all firmwares up to the last version. Particularly interesting here is that this allows access to the last 2 MB of VRAM, reserved only for the LV1 driver, and, maybe slightly less interesting, accessing the 'vsh.self' VRAM area and IO-mapped memory.

     ## Disclaimer

     The requirements are quite hard to satisfy (many of you either don't need this, or can't run this) and it's only relevant for devs (so some don't need to care about it either). It just gives you access to something inaccessible before with userland/supervisor privileges, nothing else. That's the ONLY reason I'm posting this (and maybe the hope of someone being able to do something better with it).

     ## Requirements

     You need either:

     - Userland entry point (e.g. Browser exploit [1], <= 4.78?) + NAND console (although probably if you have this, you already hacked it and have LV1 access).
     - LV2 entry point (e.g. RSXploit [2], <= 4.45?). You will need to replace the `sys_rsx_context_attribute` LV2 syscall with the `lv1_gpu_device_map` LV1 call in the source code of the PoC provided below (and remove all the GCM library code among other things).

     ## Download

     Source code available here (documentation inlined as comments): https://github.com/AlexAltea/ps3autotests/blob/master/exploits/user_vram_access/user_vram_access.cpp

     ## Acknowledgements

     Thanks a lot to @3141card for his LV1 RE files, and to the people from Nouveau/Envytools, especially mwk.

     [1] There's a browser-based (was it WebKit?) memdump PoC for PS3. So, just dump memory, find gadgets and build a ROP chain to load userland code.
     [2] There's a flaw in 'sys_rsx_context_allocate' that allows that. More info on the RSXploit thread.
  5. I doubt that's on-topic or particularly respectful towards picard. Nevertheless, if you are looking for recording/submitting video: usually when an application is done rendering a frame, it submits a 0xE92X (SCE_DRIVER_FLIP) command, which interrupts LV1 and can be used to process the frame further before submitting it to the video output. That chance can be used, for instance, to draw XMB on top of said frame when the user is ingame. Unfortunately reading the DDR memory from Cell is terribly slow, but you should be able to inject M2MF (NV0039) commands to copy the framebuffer back to CPU, encode it with ffmpeg and do whatever you want with it (submit it via sys_net* or store it to HDD). At 1080p / 60FPS, you would only consume 0.48 GB/s extra bandwidth, so it shouldn't be a big deal (assuming transfer isn't already happening and you can reuse the buffer). Add some NV406E_SEMAPHORE_* methods at the end to synchronize your encoder and done. (About sys_io* stuff for the "remote gamepad", no idea, but it should be doable as well. The only thing that is required is time and people willing to work on that.)
  6. Many thanks picard! Your work is truly awesome and a real help when it comes to understanding the driver at hypervisor level and the RSX. :-) There has never been such a detailed reconstruction of all the lv1_gpu* functions. I'm really excited for the coming info and reversed functions. Hats off to this awesome guy. \o/
  7. Happy birthday, zecoxao! Cheers to you and another year filled with francesinhas.
  8. Happy birthday, Picard! All the best and congratulations on your birthday! ;-)