PS3 Glitch Finder

From EurAsiaWiki

Main Page | Recent changes | View source | Page history | Log in / create account |

Special pages Double redirects Broken redirects Disambiguation pages Log in / create account Preferences My watchlist Recent changes Upload file File list Gallery of new files User list Statistics Random page Orphaned pages Uncategorized pages Uncategorized categories Uncategorized files Uncategorized templates Unused categories Unused files Wanted pages Wanted categories Most linked to pages Most linked to categories Most linked-to templates Pages with the most categories Most linked to files Pages with the most revisions Pages with the fewest revisions Short pages Long pages New pages Oldest pages Dead-end pages Protected pages Protected titles All pages Prefix index List of blocked IP addresses and usernames User contributions What links here Book sources Categories Export pages Version System messages Logs MIME search List redirects Unused templates Random redirect Pages without language links File path Popular pages Search

Printable version | Disclaimers | Privacy policy
Category: PS3

---

Contents 1 PS3 Glitch Finder 1.1 Description 1.2 Download 1.3 Features 1.4 Operation 1.4.1 One-shot mode 1.4.2 Continuous mode 1.5 Requirements 1.6 Notes 1.7 Feedback 1.8 Greetings

PS3 Glitch Finder

by modrobert

---

Description

This VHDL design for the Spartan-3 FPGA creates a custom pulse which can be used to glitch various hardware, like the PS3 memory bus. The pulse LOW and HIGH multipliers have a resolution of 255 (X"FF") and can be set independently.

---

Download

The VHDL source code can be found here, it is open source and released under GPL v2.

---

Features

• Cycle exaxt pulse generator process tested with logic analyzer
• Digital Clock Manager (DCM) primitive @ 200MHz (5ns) with lock handling
• Continuous pulse or one-shot mode selectable via switch
• Debounce handling for push buttons to prevent erratic behavior
• Set the LOW and HIGH pulse length multipliers via buttons
• 7-seg LED display support showing HIGH and LOW pulse multipliers
• Open source release under GPL v2

---

Operation

One-shot mode

As seen on the image above the high pulse multiplier is set to X"64" (100 decimal x 5ns = 500ns = 0.5µs) and low pulse multiplier is at X"C8" (200 decimal x 5ns = 1000ns = 1µs), the lower part of the image is the pasted output from the logic analyzer to verify function. The device is set to one-shot pulse mode. The regular LED down on the right shows that the Digital Clock Manager is locked (at 200MHz / 5ns in this case).

Continuous mode

Here you can see the continuous mode in action, again, with high pulse multiplier set to X"64" (100 decimal x 5ns = 500ns = 0.5µs) and low pulse multiplier at X"C8" (200 decimal x 5ns = 1000ns = 1µs). The second LED down on the right indicates continuous mode is selected.

---

Requirements

• The target device is a Spartan-3 fitted on an FPGA board (eg. Spartan-3 Starter Kit, Basys, Nexys, or similar)
• Five push buttons (three are ok also)
• A four digit "seven-segment" LED display
• One dip switch
• Two regular LEDs
• One external crystal/clock at 25MHz or 50Mhz
• One free I/O port.

---

Notes

This design is probably overkill for the purpose intended, but I had fun creating it, so one thing led to another. After the pulses are sent the output port drives "Z" (instead if HIGH), thought that might be a good idea to keep the PS3 linux kernel from crashing. I've only tested PS3 Glitch Finder with a logic analyzer, not a scope yet, so the tri-state function has not been properly tested. By driving the pulse low and switch to "Z" I did notice that there can sometimes be roughly 300ns delay before high impedance occur, so to prevent the pulse generator from sending an invalid long low pulse I made sure the output is high before driving "Z". If you want to start out in the footsteps of geohot, switch to one-shot mode and then set the low pulse multiplier to 8 (8 x 5ns = 40ns) and the high can be 8 as well (don't think it matter much since only one pulse is sent).

---

Feedback

If you have any questions, suggestions, or just want to comment, post a reply in the PS3 tech forum here.

---

Greetings

Thank you geohot for the initial ps3 glitch hack, and the fact you kept going despite all the "professional doubters" out there. Hello xorloser, impressive follow-up with software and hardware tools for us to play with.

---

View source | Discuss this page | Page history | What links here | Related changes


This page has been accessed 1,589 times. This page was last modified 04:26, 8 March 2010.
Main Page | About EurAsiaWiki |