PS3 Glitch Finder released!
modrobert


Registered: 2003-10-17
From: Bangkok
Messages: 3358
Status: Offline
| #25733 posted 2010-03-07 @ 18:28 GMT
I have released PS3 Glitch Finder v1.0 under GPL v2.
Brief description:
This VHDL design for the Spartan-3 FPGA creates a custom pulse which can be used to glitch various hardware, like the PS3 memory bus. The pulse LOW and HIGH multipliers have a resolution of 255 (X"FF") and can be set independently.
Features:
* Cycle exact pulse generator process tested with logic analyzer
* Digital Clock Manager (DCM) primitive @ 200MHz (5ns) with lock handling
* Continuous pulse or one-shot mode selectable via switch
* Debounce handling for push buttons to prevent erratic behavior
* Set the LOW and HIGH pulse length multipliers via buttons
* 7-seg LED display support showing HIGH and LOW pulse multipliers
* Open source release under GPL v2
You can find more info in the wiki here:
http://www.eurasia.nu/wiki/index.php/PS3_Glitch_Finder
Please reply here if you have any questions or just want to comment.
[ This message was edited by modrobert on 2010-03-07 @ 18:31 GMT ]
krathoz


Registered: 2010-03-22
Messages: 6
Status: Offline
| #25855 posted 2010-03-26 @ 00:20 GMT
Hello, and thank you very much for the code.
I have a question.
I have a Basys 2; I compiled your code to *.bit and flashed it OK to the FPGA, but the question is: which point needs to be soldered to the PS3?
modrobert
| #25857 posted 2010-03-26 @ 04:33 GMT
Connect the GLITCH pin (see VHDL source) to the PS3 motherboard. You can find info about where to solder the memory bus point and hook up ground in xorloser's blog (also in the wiki).
[ This message was edited by modrobert on 2010-03-26 @ 07:06 GMT ]
krathoz
| #25860 posted 2010-03-26 @ 22:30 GMT
Sorry, but I'm an idiot; I can't find the pin in the source.
modrobert
| #25861 posted 2010-03-27 @ 09:45 GMT
It's the first port in this segment from ps3_glitch.vhd:
Code:
entity ps3_glitch is
    Port (
        GLITCH            : out std_logic;
        PIN_CLOCK         : in  std_logic;
        PB1               : in  std_logic;  -- Push button 1 to trigger pulse
        PB2               : in  std_logic;  -- Push button 2 to increase pulse_low_multiplier
        PB3               : in  std_logic;  -- Push button 3 to increase pulse_high_multiplier
        PB4               : in  std_logic;  -- Push button 4 to add X"10" to pulse_low_multiplier
        PB5               : in  std_logic;  -- Push button 5 to add X"10" to pulse_high_multiplier
        SWITCH1           : in  std_logic;  -- Select one-shot (off) or continuous mode (on)
        LED_L0            : out std_logic;  -- LED lit when DCM is locked ok at 200MHz
        LED_L1            : out std_logic;  -- LED lit when in continuous mode
        LED_SEGMENT       : out std_logic_vector(7 downto 0);  -- 7-seg LED display
        LEFT_LEDH_SELECT  : out std_logic;  -- Common cathode
        LEFT_LEDL_SELECT  : out std_logic;  -- have to spin
        RIGHT_LEDH_SELECT : out std_logic;  -- through all
        RIGHT_LEDL_SELECT : out std_logic   -- of these.
    );
end ps3_glitch;

I don't understand how you can assign the package pins without seeing it, maybe something is wrong. Did you set ps3_glitch.vhd as the top source and ps3_glitch_dcm.vhd as a module?
krathoz
| #25904 posted 2010-04-02 @ 17:38 GMT
I now have a Nexys2. I compiled OK and assigned the package pins, but when I connect the FPGA to the PS3 it locks up and shuts down.
modrobert
| #25905 posted 2010-04-02 @ 19:41 GMT
When you press PB1 or before?
krathoz
| #25906 posted 2010-04-02 @ 20:26 GMT
modrobert
| #25907 posted 2010-04-03 @ 04:09 GMT
Yes, try hooking up the GLITCH wire when the PS3 is powered off, then power on the FPGA and after that the PS3 (in that order). Nothing "should" happen before you press PB1 regardless of settings or mode. The DCM has to calibrate before LED_L0 lights up and the process starts to drive Z on the GLITCH pin. This is all done fast in real time, but slow enough to screw up the PS3.
Let me know how it goes.
EDIT:
Another thing I noticed now is that the Nexys2 uses a 50MHz crystal; make sure you edit ps3_glitch_dcm.vhd according to the comments in the beginning of the file (default is 25MHz operation).
[ This message was edited by modrobert on 2010-04-03 @ 06:15 GMT ]
krathoz
| #25908 posted 2010-04-04 @ 02:12 GMT
I have this:
CLKFX_MULTIPLY : integer := 4;
CLKIN_DIVIDE_BY_2 : boolean := FALSE;
CLKIN_PERIOD : real := 20.000000;
Edit:
But 25MHz is not 20.000000 clock cycles; 25MHz is 25.000000 clock cycles.
[ This message was edited by krathoz on 2010-04-04 @ 02:17 GMT ]
modrobert
| #25909 posted 2010-04-04 @ 02:24 GMT
Quote:
| On 2010-04-04 @ 02:12 GMT, krathoz wrote:
i have this:
CLKFX_MULTIPLY : integer := 4;
CLKIN_DIVIDE_BY_2 : boolean := FALSE;
CLKIN_PERIOD : real := 20.000000;
|
|
That is correct when the external clock source (crystal) is 50MHz.
[ This message was edited by modrobert on 2010-04-04 @ 07:44 GMT ]
krathoz
| #25910 posted 2010-04-04 @ 05:03 GMT
Works fine now, thank you very much for the help.
Edit: I made the pulse OK with this configuration:
Code:
CLKIN_PERIOD : real := 30.000000;
and this too:
Code:
CLKIN_PERIOD : real := 40.000000;
[ This message was edited by krathoz on 2010-04-04 @ 06:24 GMT ]
modrobert
| #25911 posted 2010-04-04 @ 06:54 GMT
Good you got it working! Please note that CLKIN_PERIOD is in nanoseconds (not MHz) and should be fixed at 20.000000 for your Nexys2 board (with 50MHz clock). Use PB2-PB5 to set the pulse multiplier to change the glitch pulse length; that's the whole idea.
If you are using ISE you can create your own DCM source module (using the "Architecture Wizard" in ISE 8.1i), which might be best considering that the Spartan-3E (XC3S500E) on Nexys2 differs slightly from the Spartan-3 (XC3S400) I used; not sure if there are any differences regarding DCM though. You need a CLKFX_OUT at 200MHz (5ns pulse with multipliers set to [01] [01]) for the design to work as intended.
BTW:
Please let me know what you set the pulse multipliers to when glitching the PS3. Same as GeoHot, [08] [08] on the display (which is 8 x 5ns = 40ns pulse)?
[ This message was edited by modrobert on 2010-04-04 @ 07:40 GMT ]