Tag Archives: George Hotz

[PS3] GeoHot Opens All HV’s SPUs / XorLoser Preps Manual

1 Reply

Obviously notorious George Hotz has managed to get all 7 SPUs of the Playstation 3’s CPU under his control. This means although he cannot access the CPU’s root key, he now can decrypt everything that’s going thru these SPUs like datastreams of (encrypted) commercial games.

The PPU is higher on the control chain then the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

In the meantime another hacker going under the nick XorLoser has released a more detailed manual of how to use GeoHot’s exploitation files and how to do the glitching.

Besides that XorLoser maintains a plugin for reverser’s beloved Interactive Disassembler (IDA) that contains special PPC instructions for Xbox360 and PS3.

Congratulations to GeoHot. Kudos fly out to XorLoser.

Links

» GeoHot: On Isolated SPUs
» XorLoser: PS3 Exploit – Software
» XorLoser: PS3 Exploit – Hardware
» XorLoser: PS3 and Xbox360 IDA PlugIn
» Hex-Rays.com: IDA Pro

[iPhone] iPhone Dev Team Release RedSn0w Unlock Solution

1 Reply

From the iPhone Dev Team’s Wiki:

What is it?

A cross-platform jailbreaking, unlocking, and customizing tool for iPhones and iPod touches. Customizations include boot logos, recovery logos, and “verbose” boot. It’s a standalone program that doesn’t use iTunes (no custom IPSWs are involved).

The download links are at the bottom of this page (but please read the whole page anyway!).

We’ve been offering redsn0w in various incarnations over the years (including poorlad’s Windows version of QuickPwn). The most recent release before this one was redsn0w 0.8, which targeted Apple firmware 3.0/3.0.1.

» More information and download here

[PS3] GeoHot Hacks PS3’s Hypervisor Protection

2 Replies

Notorious iPhone hacker GeoHot has succesfully circumvented the Playstation’s security system. According to his latest blog entry, he has dumped LV0 and LV1 code, thus allowing him to (theoretically) run code on the processor, bypassing the hypervisor.

The Playstation’s hypervisor is intended to run third party software (like Yellow Dog Linux) on a virtualized level, thus maintaining system integrity and protection of the host system. Within this virtualized environment arbitrary access to certain hardware devices has been disabled, thus allowing only basic access to the graphic processing unit (GPU) for example.

GeoHot seems to have broken the chain of trust. This means he can bypass the hypervisor to directly access hardware like the GPU with his custom code. Anyway he has not released any further information or proof of his work. But hey, it is not anyone, it is GeoHot, so it seems solid.

We compiled some links for people being interested in the hypervisor protection topic.

» GeoHot: Hello hypervisor, I’m GeoHot
» WeboPedia.com: Virtualization – All About Hypervisors
» PS3News: Overview on Security architecture of the PS3
» PS2Dev Wiki: Details about hypervisor functions of the PS3 and Toshiba’s CellEB
» PS3News: A PS3 Game’s Flow of Execution; PS3’s base AIX


Massive Attack: Protection (1995)…

[iPhone] GeoHot Announces Latest Baseband Unlock

Leave a reply

George Hotz – by now almost any iPhone user should know that guy – hacked the latest baseband firmware 05.11.07. The unlock will be named BlackSn0w, well …

That means all carrier or SIM locked iPhones around the globe running this latest firmware can be used with different SIM cards from different carriers. Thus making holidays no roaming fee horror show.

Information about the unlock procedures will be released on BlackRa1n.com on Nov 04, 2009. Until then, enjoy GeoHot’s video proof:

Kudos fly out to GeoHot. Standing work, dude. But why the hell is there always Snow, Rain, Snow, Rain. Why no sunshine, guys?

[iPhone] GeoHot Releases Jailbreak for 3.x Called BlackRa1n

Leave a reply

Today notorious GeoHot released a standing new jailbreak tool called BlackRa1n. BlackRa1n is currently only available for Microsoft Windows. It is supposed to jailbreak any 3.x based iPhone or iPod touch. No matter if you’ve jailbroken before or not.

BlackRa1n is fairly self explaining and straight forward designed. It’ll bring your iPhone or iPod Touch automatically into Recovery Mode.

Sadly currently BlackRa1n does not hacktivate your iPhone. So you still need a valid subscription with an Apple licensed carrier or a factory unlocked iPhone.

Kudos fly out to GeoHot. Standing work again.

» Download BlackRa1n here

[iPod] GeoHot Jailbreaks iPod Touch Firmware 3.1

Leave a reply

GeoHot today posted a photo of a jailbroken iPod Touch running iPhone OS 3.1. He eventually made it. As of now there is no more information available, but it is likely that this is the approach he and the Chronic Dev Team were talking about.

ipt3_jailbroken

[Show as slideshow]

[iPhone] GreenPois0n to Jailbreak all iPhones and iPod Touchs

2 Replies

What has happened so far

Some irritation is going on in the Apple hacking community. On the one hand GeoHot today announced that there will be a tool that will allow jailbreaking all iPhones and iPod Touchs, but as he wished to perform further tests he didn’t tell anything about the procedure.

The Chronic Dev Team on the other hand who seem to have been working together with GeoHot now released the technical details about this hack. Sadly as there is no GreenPois0n tool available as of now, the technical details are most likely useless for 99,9% of all iPhone and iPod users.

Reasons are unknown why the Chronic Dev Team released the information before a tool has been finished. But it seems GeoHot is not amused by taking these steps.

Update 2009, Oct 19th: GeoHot and the Chronic Dev Team tell they have independently found the bug that allows for jailbreaking the 3.1 firmware.

Enduser compatible information

According to mFX.ch (german only) the forthcoming GreenPois0n jailbreak tool will not require to bring the iPhone into DFU mode. The GreenPois0n will be released on the PirateBay*.

External Links

» GeoHot on the universal 3.1 jailbreak
» Chronic Dev Team on 3.1. jailbreak progress
» GreenPois0n site (only dummy page atm)…
» TheiPhoneWiki with technical details

* for legal reasons here in Germany we cannot link directly to the PirateBay.

[iPhone] GeoHot releases iPhone 3Gs Jailbreak (Upd.)

Leave a reply

Update July 5th, 2009: GeoHot now also provides a Mac OS X version of the jailbreak tool. Windows and Mac versions ready for download at purplera1n.com

That’s it with the 3.0 firmware and the iPhone jailbreaks. Apple has been beaten again. This time by GeoHot. Although the iPhone Dev Team seems to have their programs already prepared they preferred to wait with the release of an updated PwnageTool. GeoHot did not wanna wait and decided to release a Windows based jailbreak tool for the iPhone 3Gs called PurpleRa1n.

Status

mrpurplera1n.png

All three iPhone generations can now be activated, jailbroken and unlocked with the current firmware 3.0. Currently for the iPhone 3Gs there is only a Windows version available that is under strong beta testing. Anyway you can give it a try. The security whole that gets exploited in the iPhone 3Gs is well known as the 24k bug that has been found in january in the iPod Touch 2nd generations.

After jailbreaking, the iPhone Dev Team’s UltraSn0w should unlock your baseband.

Our recommendations

By now you know we are the conservative ones. We recommend: wait a couple of days. PurpleRa1n is still beta. But can hacks ever become stable? ;-)

More information to be found here:
» GeoHot accounces jailbreak for iPhone 3Gs
» iPhone Dev Team confirm unlock of iPhone 3Gs
» Get iPhone 3Gs jailbreak tool (PurpleRa1n.exe) here

iPhone 3GS Unlock Demonstration from planetbeing on Vimeo.

[iPhone] Jailbreak for iPhone 3Gs on the Way?

Leave a reply

GeoHot posted a picture showing that he managed to run custom commands on iBoot. This seems to be the first major step for a jailbreak. Moreover GeoHot also managed to find the key for the Ramdisk while MuscleNerd of the iPhoneDevTeam obviously has already found the vfdecrypt key.

All this is good news. Anyway aswell as GeoHot and the DevTeam will have lots of work to do. Don’t expect anything soon, since GeoHot also found a new security addition called ECID, which obviously gets generated by Apple’s servers and which seems to be unique to every iPhone. Every restore seems to have to be validated by Apple’s servers. And this is bad news.

» Running custom commands on iBoot
» Ramdisk key found
» ECID signature layer found

ibootxploit.png

[iPhone] Geohot confirms 3G uses new Bootloader

3 Replies

Although we didn’t get our hands on a new iPhone 3G yet, things are as expected: the iPhone 3G uses a new bootloader for its baseband modem as confirmed by Geohot.

Bootloader versions from the “old” iPhones

As far as we are aware the there are those 3 different bootloader versions known on old iPhones:

  • 3.8 (very rare)
  • 3.9 (iPhones before november 2007) and
  • 4.6 (iPhones after november 2007).

It is widely known, that exploits for these old bootloaders have been found, that allow to SIM unlock any of these old iPhones. No matter which software revision is running.

No Unlock for iPhone 3G, but for old iPhones

For the new iPhone 3G bootloader, there is no (public) exploit known yet. Although the iPhone Dev Team states they can unlock firmware 2.0 – the unlock is most likely meant to work on “old” iPhones only. The only exploit yet known (in both old and new iPhones) is an iBoot bug. The iPhone Dev Team provided a video showing Pwnage Tool neutering the baseband for firmware 2.0:

Video: Pwnage Tool Bootneuter on firmware 2.0 (on an old iPhone)

Bootneuter 2.0 from iphonedev on Vimeo.

A new jailbreak for iPhone 3G and old iPhones

The Pwnage Tool 2.0 (and Geohot’s yiPhone) will most likely feature an iBoot bug to jailbreak old and new iPhones. iBoot is needed by iTunes to talk to when restoring firmware. About a year ago, Geohot found out that iBoot provides a full interactive shell. The only problem was, iBoot only allowed signed code to run. The iPhone Dev Team now managed to break the chain of trust from the earliest boot stage. Thus allowing to run unsigned code and in the end jailbreaking old and new iPhones (see video):

Video: Talking to iBoot unsigned

Talking to iBoot? from iphonedev on Vimeo.

Both videos are provided by iPhone Dev Team. Kudos to you guys.