Geohot has published his hypervisor-exploit, you can find it here.
It basically works by quickly allocating and deallocating memory, while glitching the memory bus. This way the hypervisor thinks some repeatedly allocated memory is deallocated, allowing r/w-access and with some tricks r/w-access to the main htab.
A more detailed explanation 1) :
geohot: well actually it's pretty simple geohot: i allocate a piece of memory geohot: using map_htab and write_htab, you can figure out the real address of the memory geohot: which is a big win, and something the hv shouldn't allow geohot: i fill the htab with tons of entries pointing to that piece of memory geohot: and since i allocated it, i can map it read/write geohot: then, i deallocate the memory geohot: all those entries are set to invalid geohot: well while it's setting entries invalid, i glitch the memory control bus geohot: the cache writeback misses the memory :) geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated geohot: then i create a virtual segment with the htab overlapping that piece of memory i have geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab geohot: switch to virtual segment geohot: write to main segment htab a r/w mapping of itself geohot: switch back geohot: PWNED geohot: and would work if memory were encrypted or had ECC geohot: the way i actually glitch the memory bus is really funny geohot: i have a button on my FPGA board geohot: that pulses low for 40ns geohot: i set up the htab with the tons of entries geohot: and spam press the button geohot: right after i send the deallocate call