Developer esc0rtd3w has made some changes to the original BadHTAB code. The exploit for the PlayStation 3 hypervisor has its roots in a vulnerability discovered by legendary hacker XORLOSER and later exploited by GeoHot in 2010.

The name comes from a bug in the management of the Hash Table (HTAB), a fundamental data structure of the hypervisor that maps virtual memory to physical memory, ensuring access control.
The exploit uses a combined hardware-software technique: a hardware glitch briefly interrupts a RAM signal to ground, while a software payload uses this interruption to suspend the HTAB data pointer while invalidating an entry.
This bug allows an otherwise protected region of memory to remain valid by providing full read and write permissions to a small area.
This area can then be manipulated by the hypervisor itself, allowing full access to the console’s memory.
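A simplified model of the failure mode described above, added here as an example (it is not BadHTAB or hypervisor code). The entry layout, the `toy_ram` type and all function names are assumptions: a dropped RAM write leaves an entry valid after an unchecked invalidation, while a read-back check fails closed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HTAB_VALID 0x1u /* constructed flag bit, not the real Cell PTE layout */
#define HTAB_SLOTS 8

typedef struct { uint64_t flags; uint64_t real_page; } htab_entry;

/* Toy RAM (assumption): while glitch_writes > 0, stores are silently lost. */
typedef struct { htab_entry htab[HTAB_SLOTS]; int glitch_writes; } toy_ram;

static void ram_store_flags(toy_ram *ram, size_t slot, uint64_t value) {
    if (ram->glitch_writes > 0) { ram->glitch_writes--; return; }
    ram->htab[slot].flags = value;
}

/* Unchecked path: the store is issued and success is assumed. */
static bool invalidate_unchecked(toy_ram *ram, size_t slot) {
    ram_store_flags(ram, slot, ram->htab[slot].flags & ~(uint64_t)HTAB_VALID);
    return true; /* caller now treats the page as unmapped */
}

/* Hardened path: read the entry back, retry, and fail closed. */
static bool invalidate_verified(toy_ram *ram, size_t slot, int max_tries) {
    for (int i = 0; i < max_tries; i++) {
        ram_store_flags(ram, slot, ram->htab[slot].flags & ~(uint64_t)HTAB_VALID);
        if ((ram->htab[slot].flags & HTAB_VALID) == 0) return true;
    }
    return false; /* caller must not free or reuse the page */
}

/* True when the guest-visible mapping survived an invalidation attempt. */
static bool stale_mapping(const toy_ram *ram, size_t slot) {
    return (ram->htab[slot].flags & HTAB_VALID) != 0;
}

int main(void) {
    toy_ram ram = {0};
    ram.htab[3].flags = HTAB_VALID;
    ram.glitch_writes = 1;                      /* constructed: one lost store */
    invalidate_unchecked(&ram, 3);
    bool stale = stale_mapping(&ram, 3);        /* entry is still valid */
    ram.glitch_writes = 1;
    bool ok = invalidate_verified(&ram, 3, 3);  /* second try lands */
    return (stale && ok && !stale_mapping(&ram, 3)) ? 0 : 1;
}
```

On real hardware a read-back check only helps if it observes memory rather than a cached copy, and the fail-closed result has to stop the page from being reused.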
Main Components
BadHTAB is based on two key elements:
- BadHTAB (Software): The software component, distributed as a PKG file for PS3, handles the exploit once the glitch is initiated. It is responsible for accessing the hypervisor and executing user-configured functions.
- ps3pulldown2 (Hardware): The hardware part, based on a Raspberry Pi Pico (RP2040), communicates with the PS3 via USB and automates the glitch. Unlike the Linux version, which tolerated a wider glitch window, on GameOS automation is essential to ensure minimal stability.
Despite these advances, the success rate remains low (5-10%), making BadHTAB an option for experienced and patient users, not for everyday use.
It also requires soldering onto the motherboard, which is not a complex process but can destabilize the console’s boot if not done correctly.
Characteristics
After a successful execution, the following operations will be possible:
- hvcall 114 anywhere – Allows mapping any memory area without restrictions.
- New lv1_peek/poke/exec functions via hvcall: added support for lv1 peek(34), poke(35) and exec(36) via hvcall (see below).
- lv1 memory dump: allows you to save the lv1 memory to a file.
- Booting a custom lv2_kernel.fself – Allows loading any lv2 kernel, as long as it is in .fself format.
- Boot OtherOS – Allows you to boot into the Petitboot bootloader and restore the ability to use OtherOS and Linux.
Note: If you use the lv2/OtherOS boot functions, the new hvcalls will be removed. However, hvcall 114 will remain active everywhere, so you can use it to reinstall the new hvcalls.
New hv calls (hypervisor calls)
// lv1_peek(34)
// in: r3 = addr
// out: r3 = value
// lv1_poke(35)
// in: r3 = addr, r4 = value
// out: r3 = 0
// lv1_exec(36)
// in: r3-r8 = args, r9 = addr
BadHTAB Installation Guide
Here is a detailed guide to install and use the second build of BadHTAB:
Hardware Requirements
- Raspberry Pi Pico (RP2040).
- 0.1mm magnet wire.
- Soldering tools.
- PS3 Super Slim (this guide is specific to this model).

Hardware Installation
- Identifying the solder points: Locate the RQ resistors on the motherboard (e.g. RQ8 on the left side, RQ7 on the right). Consult the service manual or desolder the RAM to trace them manually.
- Soldering:
  - Solder one wire to RQ8 (left side) and the other end to GP15 of the Pico.
  - Solder a second wire to RQ7 (right side) and the other end to GP16 of the Pico.
- Assembly: Reassemble the console, making sure the wires do not touch the ground or metal (keep them suspended).
- Installing the Pico firmware: Hold down the BOOTSEL button while connecting the Pico to the PC, copy the .uf2 file (from the repository) to the drive that appears and disconnect.
- Boot Test: Connect the HDD to the PS3 and turn it on with the cover off to test booting (the HDD light should be flashing). If it doesn’t boot, adjust the wires. Use a screwdriver to short out the power button (fragile on Super Slims).

Software Installation
- Installing the PKG: Download the file BadHTAB.pkg and install it on your PS3 via USB or Package Installer.
- Configuration:
  - Dump LV1: Create an empty file (BadHTAB_doDumpLv1.txt for 16 MB or BadHTAB_doDumpLv1_240M.txt for 240 MB) in /dev_hdd0/.
  - Start lv2_kernel.fself: Decrypt the file lv2_kernel.self to .elf, convert it to .fself with make_fself.exe (Sony SDK), create a file BadHTAB_doLoadLv2Kernel_Fself.txt in /dev_hdd0/ and copy the file lv2_kernel.fself to /dev_flash/sys/ (use /dev_blind/ with webMAN MOD).
  - Boot OtherOS: Create the file BadHTAB_doOtherOS.txt in /dev_hdd0/ and copy the dtbImage.ps3.fself file to /dev_flash/sys/ (free up space by deleting ps1emu/ps2emu/pspemu if necessary).
- Safe Shutdown: Turn off the console before proceeding.
Executing the Exploit
- Connect the Pico to the USB port on the PS3.
- Launch BadHTAB from the XMB menu.
- Listen to the beeps:
  - A short triple beep indicates the exploit has started.
  - During the glitch, the Pico LED will flash and you will hear frequent beeps. If they stop or the console shuts down, the attempt has failed: restart and try again (this may take hours).
  - Two short triple beeps with a pause indicate success: The exploit patches LV1, installs hvcalls and executes the chosen configurations.
  - With lv2/OtherOS, booting happens now; otherwise, a 5-second beep signals a return to the XMB.
- Logs are saved in /dev_hdd0/BadHTAB.txt.
Additional changes from esc0rtd3w
- Automatic restart if glitch crashes PS3.
- UART0 enabled for Pico.
- UART1 enabled for PS3 sb_uart input.
- Power Supply Unit (PSU) Standby Monitoring.
- Monitoring the power flat cable connector.
- 4 status LEDs.
The glitch is much easier to execute repeatedly in the event of a crash — and it will — without having to unplug the power cord or turn off the power strip.
Supports auto reboot when errors are detected. Monitors PS3 sb_uart for messages and controls Pico behavior. Many other tweaks are included.
There are still some bugs to iron out: sometimes the PS3 will crash in a way the Pico cannot automatically recover from, requiring you to manually turn the PS3 off and on again.
You need to solder wires to the appropriate spots on the PS3 and Pico.
PS3 Resistor Connections for Glitch (One is enough)
- pulldown1_pin_id (RQ7) → GPIO15
- pulldown2_pin_id (RQ8) → GPIO16
PS3 Monitoring Pin
- pwr_on_pin_id (PS3 3.3V flat cable connector) → GPIO10
- sb_uart_rx_pin (PS3 SB_TX) → GPIO5
- standby_mon_pin_id (PSU Standby pin 3) → GPIO18
- hdd_activity_pin (PS3 HDD LED anode) → GPIO22
Pico Status Pin (LED)
- error_led_pin (Red) → GPIO6
- yellow_led_pin (Yellow) → GPIO2
- green_led_pin (Green) → GPIO21
- blue_led_pin (Blue) → GPIO27
Download: Source code BadHTAB
Source: psx-place.com