PS3 GameOS implementation of geohot's hypervisor HTAB glitch exploit (obsolete)


aomsin2526/BadHTAB


BadHTAB

OBSOLETE. SEE BadWDSD

This is a hardware/software hypervisor (lv1) exploit for the Sony PlayStation 3, originally invented by geohot for Linux. If you pull a certain RAM signal to ground for a short time, a memory write may be skipped. If that happens while the hypervisor is invalidating an HTAB entry, the entry may stay valid, which leaves us with full read/write access to a small region of memory at a particular location. That location may later be reused by the hypervisor itself, which lets us manipulate it and then gain full access to all of memory.
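To make the mechanism above concrete, here is an added model (not BadHTAB or geohot code) of what the software side is waiting for: the guest fills HTAB slots with writable mappings of one real page, the hypervisor tears them down by storing a cleared entry over each one, and a glitch that makes one of those stores not land leaves a valid, user-writable entry behind. The HPTE bit positions (V, AVPN, RPN, PP) are the PowerPC 64 Book III-S layout the Cell PPE uses; the `store_skipped` flag is a stand-in for the RAM signal being pulled low during the store, and the slot numbers and page numbers are constructed.

```c
/* Model of the HTAB glitch: added illustration, not code from BadHTAB. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define HPTE_V_VALID 0x0000000000000001ULL   /* dword 0: entry valid */
#define HPTE_V_AVPN  0x3fffffffffffff80ULL   /* dword 0: abbreviated virtual page number */
#define HPTE_R_RPN   0x0ffffffffffff000ULL   /* dword 1: real page number */
#define HPTE_R_PP    0x0000000000000003ULL   /* dword 1: page protection bits */

typedef struct { uint64_t v, r; } hpte_t;    /* one 16-byte HTAB entry */

/* PP == 0b10 grants read/write whether the key bit for the access is 0 or 1;
 * that is the mapping the exploit wants to survive the invalidation. */
static bool hpte_user_writable(const hpte_t *e)
{
    return (e->v & HPTE_V_VALID) && (e->r & HPTE_R_PP) == 2;
}

/* The kind of entry the guest asks lv1 to create: real page `rpn` mapped
 * writable at virtual page `avpn`. */
static hpte_t hpte_make(uint64_t avpn, uint64_t rpn)
{
    hpte_t e;
    e.v = ((avpn << 7) & HPTE_V_AVPN) | HPTE_V_VALID;
    e.r = ((rpn << 12) & HPTE_R_RPN) | 2;    /* PP = 0b10 */
    return e;
}

/* What the hypervisor does when tearing the mapping down: overwrite the entry
 * with a cleared one (the tlbie that follows is not modelled).  `store_skipped`
 * stands in for the RAM signal being pulled low while this store happens. */
static void hv_invalidate(hpte_t *e, bool store_skipped)
{
    hpte_t cleared = { 0, 0 };
    if (!store_skipped)
        *e = cleared;
}

/* Software side after each attempt: scan the slots we filled and return the
 * first one that still maps our page writable, or -1 when the glitch missed. */
static int find_surviving_slot(const hpte_t *htab, size_t n, uint64_t rpn)
{
    for (size_t i = 0; i < n; i++) {
        if (hpte_user_writable(&htab[i]) && ((htab[i].r & HPTE_R_RPN) >> 12) == rpn)
            return (int)i;
    }
    return -1;
}

/* One attempt: fill n slots, have the hypervisor invalidate them all, with the
 * store to `glitched_slot` skipped (none if negative).  Returns the survivor. */
static int attempt(hpte_t *htab, size_t n, uint64_t rpn, int glitched_slot)
{
    for (size_t i = 0; i < n; i++)
        htab[i] = hpte_make(0x1000 + i, rpn);
    for (size_t i = 0; i < n; i++)
        hv_invalidate(&htab[i], (int)i == glitched_slot);
    return find_surviving_slot(htab, n, rpn);
}

/* Constructed scenario: eight slots mapping real page 0x12345. */
static hpte_t demo_htab[8];
static int demo_attempt(int glitched_slot)
{
    return attempt(demo_htab, 8, 0x12345, glitched_slot);
}
```

The scan is the part worth keeping in mind when reading the beep sequence later in this README: after every pulse the software has to check whether any of its mappings is still alive, and only a surviving writable entry counts as success.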

The exploit has now been ported to the GameOS environment and works on every model with PS3HEN. This allows full hypervisor access on non-CFW consoles for the first time, bringing some CFW-only features to non-CFW consoles.

The exploit has two major components:

  • BadHTAB - the software side of the exploit, released as a pkg file that runs on the PS3
  • ps3pulldown2 - the hardware side of the exploit, based on a Raspberry Pi Pico (RP2040). It communicates with the PS3 through a USB port

Unlike the original Linux version, GameOS has a much smaller glitch window, so automation is a must to get a successful glitch while staying stable.

Even with that, the success rate remains low (5-10%). This is not for a daily driver; it is for users with skill and patience only.

This exploit requires soldering. The soldering isn't the difficult part; getting the console to boot and stay stable after soldering is.

This exploit is based on xorloser's implementation, called Xorhack.

This exploit is not persistent and must be run again after reboot.

Supports firmware 4.70 or later

Features

After a successful run, the following become possible:

  • hvcall 114 everywhere: allows mapping of any memory area without restrictions
  • New lv1_peek/poke/exec hvcalls: allow lv1 peek (34), poke (35) and exec (36) through hvcalls. See below
  • Dumping of lv1 memory: dumps lv1 memory to a file
  • Boot OtherOS: allows booting the petitboot bootloader, regaining the ability to use OtherOS and Linux

Note: if you use the boot lv2/OtherOS features, the new hvcalls will be removed. However, hvcall 114 everywhere remains, so you can use that to reinstall them.

New hvcalls

```
// lv1_peek(34)
// in: r3 = addr
// out: r3 = value

// lv1_poke(35)
// in: r3 = addr, r4 = value
// out: r3 = 0

// lv1_exec(36)
// in: r3-r8 = args, r9 = addr
```

Installation (Hardware)

Guides

Requirements:

  • Raspberry Pi Pico (RP2040)
  • 0.1mm magnet wire
  • Soldering tools

This guide focuses on the superslim only.

[image: badhtab-npx-001-solder-points]

These resistors can be found in the following ways:

  • Service manual
  • Desolder the ram then trace it manually

Now, time to install:

  1. Solder one wire to an RQ resistor on each side. Example: first wire to the RQ8 pin on the left side, second wire to the RQ7 pin on the right side
  2. Solder the other end of each wire to GP15/GP16 (bottommost) on the Pico. Example: first wire to GP15, second wire to GP16
  3. Reassemble the console, then make sure it boots and is stable
  4. Install the .uf2 file by holding the BOOTSEL button while plugging the Pico into your PC. A new drive will appear; copy the .uf2 file onto that drive.
  5. Installation done
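The Pico firmware is shipped as the .uf2 above; the following is an added example written against the pico-sdk GPIO API, not the ps3pulldown2 firmware, showing the one thing the hardware side must get right: the pin soldered to the RQ resistor stays high-impedance (input, pulls disabled) at all times, and is driven to ground only for the short pulse, so the RAM signal is never loaded while the console boots or runs, which is what the stability tips below are about. Assumptions not from this README: the trigger arrives as a single byte on the Pico's USB serial console ('a' pulses GP15, 'b' pulses GP16), and the pulse width is a spin-loop count tuned on the bench. When the pico-sdk headers are not present (i.e. on a PC), a small stand-in for the SDK calls records what would happen on the pins so the sequencing can be checked.

```c
/* Added example of the glitch pulse, not the ps3pulldown2 firmware. */
#include <stdint.h>
#include <stdbool.h>

#define PIN_LEFT  15   /* GP15: wire to the RQ resistor on one side */
#define PIN_RIGHT 16   /* GP16: wire to the RQ resistor on the other side */

#if __has_include("pico/stdlib.h")
#include "pico/stdlib.h"
#define HAVE_PICO 1
#else
#define HAVE_PICO 0
/* Host stand-in for the pico-sdk calls used below; records pin activity. */
#define GPIO_IN  0
#define GPIO_OUT 1
typedef struct { int dir; int level; int low_pulses; int drove_high; } sim_pin_t;
static sim_pin_t sim_pin[32];
static void gpio_init(unsigned p)           { sim_pin[p] = (sim_pin_t){ .dir = GPIO_IN }; }
static void gpio_disable_pulls(unsigned p)  { (void)p; }
static void gpio_put(unsigned p, int v)     { if (sim_pin[p].dir == GPIO_OUT && v) sim_pin[p].drove_high = 1;
                                              sim_pin[p].level = v; }
static void gpio_set_dir(unsigned p, int d) {
    if (d == GPIO_OUT && sim_pin[p].dir == GPIO_IN) {
        if (sim_pin[p].level) sim_pin[p].drove_high = 1;   /* would push the signal high */
        else                  sim_pin[p].low_pulses++;     /* this is when the pin drives low */
    }
    sim_pin[p].dir = d;
}
#endif

/* Park the pin: input with pulls disabled, so it does not touch the signal. */
static void pin_release(unsigned pin)
{
    gpio_init(pin);
    gpio_disable_pulls(pin);
    gpio_set_dir(pin, GPIO_IN);
}

/* Drive the pin low for `width` spin-loop iterations, then float it again.
 * The output latch is set to 0 before the direction flips, so the pin never
 * drives high, not even for a cycle. */
static void glitch_pulse(unsigned pin, unsigned width)
{
    gpio_put(pin, 0);
    gpio_set_dir(pin, GPIO_OUT);
    for (volatile unsigned i = 0; i < width; i++) { }
    gpio_set_dir(pin, GPIO_IN);
}

/* Map one command byte from the USB serial link to a pulse.  Returns the pin
 * pulsed, or -1 for any other byte, so line noise cannot fire a pulse. */
static int handle_command(int c, unsigned width)
{
    switch (c) {
    case 'a': glitch_pulse(PIN_LEFT, width);  return PIN_LEFT;
    case 'b': glitch_pulse(PIN_RIGHT, width); return PIN_RIGHT;
    default:  return -1;
    }
}

#if HAVE_PICO
int main(void)
{
    stdio_init_all();
    pin_release(PIN_LEFT);
    pin_release(PIN_RIGHT);
    for (;;) {
        int c = getchar_timeout_us(0);
        if (c != PICO_ERROR_TIMEOUT)
            handle_command(c, 40);   /* 40 iterations is a placeholder; tune on the bench */
    }
}
#else
/* Host check of the invariants: one low pulse on the commanded pin, none on
 * the other, never driven high, parked as input afterwards. */
static int demo_pulse_ok(void)
{
    pin_release(PIN_LEFT);
    pin_release(PIN_RIGHT);
    if (handle_command('a', 10) != PIN_LEFT) return 0;
    if (handle_command('?', 10) != -1) return 0;          /* junk byte must not fire */
    return sim_pin[PIN_LEFT].low_pulses == 1 && sim_pin[PIN_RIGHT].low_pulses == 0
        && sim_pin[PIN_LEFT].dir == GPIO_IN && !sim_pin[PIN_LEFT].drove_high;
}
#endif
```

A spin loop gives pulses of a few tens of nanoseconds per iteration at the RP2040's clock; if the glitch window needs something tighter or more repeatable than that, the pulse is better generated from a PIO state machine, but the release-first, drive-low-briefly, release-again sequence is the same.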

You will likely find that your console doesn't boot; this is the difficult part. Here are some tips:

  • Do not let the wire touch ground, the motherboard or any metal. Keep the wire floating in the air as much as you can
  • Plug the HDD into the console, then power it on while the console is still open to quickly test whether it boots (the HDD light should blink)
  • Superslim power buttons are very fragile and will likely fall off after a while. I recommend using a screwdriver to short the button pin to ground to power the console on instead.

In the end, your setup will likely end up looking like this:

Installation (Software)

Guides

Now, software time.

First, install the BadHTAB pkg file on your PS3 from the Releases page.

Then, config time:

Dump lv1

  1. Create an empty file at /dev_hdd0/BadHTAB_doDumpLv1.txt, or at /dev_hdd0/BadHTAB_doDumpLv1_240M.txt if you want to dump 240MB of memory instead of 16MB.
  2. Run the exploit

Boot OtherOS

  1. Create an empty file at /dev_hdd0/BadHTAB_doOtherOS.txt
  2. Place the dtbImage.ps3.fself file at /dev_flash/sys/dtbImage.ps3.fself. Tip: you can write there through /dev_blind/, which you can enable in webMAN MOD. If /dev_flash/ is full, you can delete the ps1emu/ps2emu/pspemu directories to free space.
  3. Shut down your console gracefully.
  4. Run the exploit

Run the exploit

Now it is time to run the exploit.

This exploit uses beeps as status signals.

The log is stored at /dev_hdd0/BadHTAB.txt

  1. Plug the Pico into a USB port on your PS3.
  2. Run BadHTAB
  3. You will hear one short triple beep; this means the exploit has started.
  4. The glitching process will then start: the Pico's LED will turn on and blink briefly, and you will hear a few beeps every second.
  5. If the beeps simply stop or the console shuts off, glitching failed. Reboot and try again. This process may take hours to succeed.
  6. If you hear a short triple beep, a short pause, then the triple beep again several times, the glitch succeeded.
  7. It will then patch lv1, install the hvcalls and do whatever you configured in the previous section.
  8. If "Boot lv2/OtherOS" is configured, it should happen now.
  9. If "Boot lv2/OtherOS" is not configured, the exploit will exit. You will hear a 5-second-long beep, then silence.
  10. You should now be back at the XMB. Enjoy the exploit!
