PPU/SPU bugs/flaws/exploits

There's a bug in the provided malloc function, if there's no heap

SPE mailbox has maximum depth of 4 messages

The depth of 4 messages for the spe in mailbox is not a bug, it's a simple hardware limitation (as you can read in this document: http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/topic/com.ibm.iea.cbe/cbe/1.0/Programming/L3T2H1_40_DevelopingCodeForCellMailboxes.pdf).

Local Storage can be accessed

Well if the spe is in isolation mode only code running on this particular spe can access it's LS.

^Not entirely true, the high segment of the LS is accessible from the other SPEs and the PPE. Shuffle2 10:01, 22 April 2011 (CDT)

need quotation / proper sources / documentation

local store dumping of SPE

LSPWN v0.1
 
spwn.rar (60.96 KB)
 
overview:
this app dumps the local store of an spe to /dev_hdd0/game/LSPWN0ADC/USRDIR/localstore.bin
 
a neat POC for devs, but also a n00b friendly introduction to the spe environment.
 
instructions:
 
1. run the app
2. copy the binary from the hdd using your preferred method
3. disasemble using ida and get a hands on look at the local store
4. ???
5. profit!
 
notes:
- source code forthcoming after some cleanup
- gui in v0.2 release
- support for isolation mode if there is demand
 
greetz: gitbrew, mathieulh, geohot, sonic iso, #ps3secret, uf6667, zerkman
and too many others to mention.
 
 
addendum: contact me, adrianc on efnet or [email protected],
if you wish to donate and help purchase a reference tool for the community.
this has many benefits such as new keys, debugging for all devs, syscon exploits and many more.
your support will not be forgotten.
 
-adrianc