XorLoser has fully rewritten GeoHot's PS3 glitch attack programs so that they are more convenient to use. He calls the result XorHack.
It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used, I have included the following example programs:
ps3exploit – Runs the software required to exploit the PS3; it loops a number of times, which can be specified as a parameter. (This must still be used along with the "button pressing"; it will not exploit the PS3 via software alone.)
dumphv – Dumps the hypervisor to a file in the current directory.
dumpbl – Dumps the bootloader to a file in the current directory.
dumprom – Dumps the system rom to a file in the current directory.
George Hotz has apparently managed to get all 7 SPUs of the PlayStation 3's CPU under his control. This means that although he cannot access the CPU's root key, he can now decrypt everything that passes through these SPUs, such as the data streams of (encrypted) commercial games.
The PPU is higher in the control chain than the SPUs. Even if checks were added, for example to verify the hypervisor before decrypting the kernel, a modified hypervisor could still be hidden with clever memory mappings.
In the meantime another hacker going by the nick XorLoser has released a more detailed manual on how to use GeoHot's exploitation files and how to do the glitching.
Besides that, XorLoser maintains a plugin for the reversers' beloved Interactive Disassembler (IDA) that adds the special PPC instructions of the Xbox 360 and PS3.
Congratulations to GeoHot. Kudos fly out to XorLoser.
GeoHot posted a picture showing that he managed to run custom commands on iBoot. This seems to be the first major step towards a jailbreak. Moreover, GeoHot also managed to find the key for the ramdisk, while MuscleNerd of the iPhone Dev Team has apparently already found the vfdecrypt key.
All this is good news. Still, both GeoHot and the Dev Team will have lots of work to do. Don't expect anything soon, since GeoHot also found a new security addition called ECID, which is apparently generated by Apple's servers and seems to be unique to every iPhone. Every restore seems to have to be validated by Apple's servers. And this is bad news.
Landon Fuller reports that an almost six-month-old Java vulnerability has still not been fixed for Mac OS X. The exploit compromises the Java sandbox in order to break out of it and run commands with the permissions of the executing user.
This issue is classified as serious, as Java applets containing malicious code may be executed just by visiting a web page. Landon Fuller says an exploit is already available in the wild. He prepared a proof-of-concept exploit that makes your Mac OS X computer say "I am executing in a user process".
The exploit applies to both Intel and PowerPC based Mac OS X systems running Safari or Firefox.
Some more background information and workarounds may be found on Fuller’s site.
Demo exploits are in the wild for
Linux Acrobat Reader 8.14
Linux Acrobat Reader 9.1
Other operating systems may also be affected.
As Adobe has not released a patch at this moment, uninstalling Acrobat Reader seems to be the best choice. Third-party PDF readers are available all over the net. Find one of them here.
We've recently reported that exploits can be applied to the baseband bootloader 5.8 to install any bootloader. Now a working exploit has been released via Cydia.
As we have not tested this program, we strongly recommend not trying it, for two reasons: first, this package seems to be in violation of Apple's copyright, as it distributes a bootloader; second, the script seems to have issues. In quite a few cases downgrading did not work, although everything appeared to apply properly. Don't use untested exploits. Side effects and damaged basebands might be the result.
George Hotz – well known to the iPhone scene as GeoHot – has put some effort into analyzing the behaviour of bootloader 5.8, which is running in many iPhone 3Gs. He found that the bootloader's signature checking is buggy. By exploiting this bug it is now possible to upgrade and downgrade the bootloader. Sadly, many of today's iPhone 3Gs contain bootloader 5.91, which added an RSA check that GeoHot has not been able to circumvent yet. Read his whole article here.
By the way: this seems to be the same exploit the iPhone Dev Team used and released for manipulating (read our news here). Anyway, GeoHot did outstanding work again. Kudos to you, dude.