Showing results for tags 'rsx'.
This allows userland/lv2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space, and works on all firmwares up to the last version. Particularly interesting here is that this allows access to the last 2 MB of VRAM, reserved only for the LV1 driver, and, maybe slightly less interesting, access to the 'vsh.self' VRAM area and IO-mapped memory.

## Disclaimer

The requirements are quite hard to satisfy (many of you either don't need this, or can't run this) and it's only relevant for devs (so some don't need to care about it either). It just gives you access to something inaccessible before with userland/supervisor privileges, nothing else. That's the ONLY reason I'm posting this (and maybe the hope of someone being able to do something better with it).

## Requirements:

You need either:

- Userland entry point (e.g. Browser exploit, <= 4.78?) + NAND console (although probably if you have this, you already hacked it and have LV1 access).
- LV2 entry point (e.g. RSXploit, <= 4.45?). You will need to replace the `sys_rsx_context_attribute` LV2 syscall with the `lv1_gpu_device_map` LV1 call in the source code of the PoC provided below (and remove all the GCM library code, among other things).

## Download

Source code available here (documentation inlined as comments): https://github.com/AlexAltea/ps3autotests/blob/master/exploits/user_vram_access/user_vram_access.cpp

## Acknowledgements:

Thanks a lot to @3141card, for his LV1 RE files, and to the people from Nouveau/Envytools, especially mwk.

There's a browser-based (was it Webkit?) memdump PoC for PS3. So, just dump memory, find gadgets and build a ROP chain to load userland code.

There's a flaw in 'sys_rsx_context_allocate' that allows that. More info on the RSXploit thread.
Hi, a few weeks ago I started reverse engineering the RSX driver in LV1 to help my buddy @AlexAltea with his PS3 emulator "nucleus" project. For this reason I coded a little "emulator", a small static C program that helps me with my RE work. I would like to share this code in case someone else is interested in this stuff too. It is a work in progress; I am currently working on the creation of an RSX context, gpu_context_allocate(). Thx to @AlexAltea and @zecoxao for the help. https://mega.nz/#!Utd3haYL!4gd1gnLni7lZClGqa00TrEG_p_zVmXbV_uJny5nesas