Reply With Quote
More like "crofl $ony"
I've hacked my PS3 since Oct. and it's been great.
Hackers leave PS3 security in tatters
January 3rd, 2011
PlayStation 3's internal security scheme is a shambles, with all of its major anti-piracy features failing abysmally. The system is so vulnerable that hackers now have the exact same privileges as Sony in deciding what code can run on the console.
So says the self-styled "Fail0verflow" team, hackers with a successful track record in opening up closed devices such as the Nintendo Wii for running homebrew code and – of course – perennial favourite, Linux. Yes, despite the removal of OtherOS, Linux is coming back to PS3.
Fail0verflow's comments, presented at the 27th Chaos Communication Conference (27c3) might seem somewhat at odds with reality. PlayStation 3 launched in NTSC territories in November 2006 and yet the first widespread piracy only kicked in this summer with the release of PSJailbreak.
IBM's Cell Broadband Engine has been widely praised for its tough on-die security features which ensure that none of the essential decryption keys ever leave the main CPU, and so can't be accessed via RAM dumps. The protection has certainly lasted longer than that of the Wii and Xbox 360, both of which have been running pirate games for years now.
Fail0verflow's explanation? Hackers want to run their own code on the hardware they buy and PS3 allowed them to do that from day one. Only when the Linux-stripped PS3 Slim appeared – which they say can run the OS just as well at the older model – and when OtherOS was removed from the "fat" console, were the hackers suitably motivated to expose the security shortcomings of the system.
The team also believe that piracy is a consequential effect of such hacks, and that the PS3 remained secure for as long as it did simply because hackers weren't interested in opening up a system that was already open enough, with Linux implementations supported vigorously at launch by the platform holder.
Across a 45-minute presentation, the team revealed the methodology that made the on-die security an irrelevance and proved beyond doubt that the Hypervisor tech – the CPU guardian that is supposed to stop unauthorised code running – was almost completely pointless.
According to the Fail0verflow team, the PS3's architecture appears to allow the execution of rogue "unsigned" code with only the minimum of effort required from a determined hacker – which seems to explain in part how the PSJailbreak exploit was able to run pirate games even though the Hypervisor was not touched at all.
Based on their presentation, it looks as though the team has not cracked the Hypervisor even with the new hack, but their contention is that its application is an irrelevance anyway. Even specific code that Sony revokes and bans from use within the PS3 isn't actually being checked when it is run, so after the Hypervisor's cursory check, rogue code can be patched back in and run as per normal.
However, the Fail0verflow team's work goes way beyond this traditional style of hacking. They have released the technique by which any kind of unauthorised code can be run on any PS3. Every PS3 executable file is encrypted, or signed, using private ciphers only available (in theory) to Sony itself. It has long been established that brute-forcing the keys would take hundreds of thousands of computers hundreds of thousands of years to complete.
However, despite this mathematical reality, Fail0verflow are now in possession of all of the encryption keys Sony uses. They can create DLC-style packages that will run on any PlayStation 3, and yes, they can create their own custom firmware upgrades. Their stated aim is to produce their own firmware update that boots directly into Linux on any PS3, but the methodology allows for any kind of custom firmware to be produced – and we all know what that means.
So how did Fail0verflow get the keys so quickly? Well, in creating the encrypted files, an important element of the mathematical formula is the use of a random number. The PS3 encryption scheme uses just a single random number that never varies between each signed file, while the proper way of carrying out the signing process is to use a different random number every time a file is signed. Armed with just two signatures, it is possible to mathematically reconstruct the encryption key thanks to this constant variable. In theory, it's as simple as that. In practice, some simple equation work is required.
There are many different keys used by Sony – keys for game code, firmware components, and the isolated SPU decryption system, for example. All of them have been encrypted with the same random number faux pas, meaning that all of them can be reversed. In a stroke, hackers now have the exact same privilege level for running code as Sony itself, and this encompasses all file-types the console uses.
It's a monumental error made by the platform holder that has serious repercussions for the future of the PlayStation 3. Hardware hacks like flashed Xbox 360 DVD drives and modchipped Wiis seem to introduce an inherent limitation that stops a majority of devices from being modified: maybe people just don't have the skill or the willingness to toss away their warranties. But a full software hack like this one, compatible with all machines currently on the market, can spread like wildfire.
Recently, hackers have been able to reverse-engineer PS3 firmware updates by decrypting the contents using currently available exploits. But once the code had been decrypted, they could never re-encrypt it and pack it into the format the PS3 requires to install an updated system software. The secrets of the console could be revealed, but no changes could ever be made to the console. Custom firmware was impossible, and the console effectively remained secure.
Now all bets are off. Modules within the firmware can be patched, re-signed and repacked into an update file that any PS3 – jailbroken or not – can read. The patches made by the PSJailbreak USB dongles could be hard-coded into custom firmware, meaning dongle-less piracy that encompasses current and future firmwares. In effect, the PlayStation 3 is now the most vulnerable console on the market, even more exposed to hackers than the Wii and Xbox 360.
So what can Sony do? It can easily move on to new keys that do indeed use the random number element correctly, and these keys cannot be easily reversed. However, it cannot revoke the keys already used without invalidating every game and every piece of DLC released to date – and while those compromised keys remain valid, so does everything else signed by the hackers. Just about the only option available is to create a mammoth "white list" of executable code encompassing every single game and DLC patch released in the last four years and then blacklist anything else using the current keys.
However, the scale of this task is monumental – and ultimately pointless – as the Fail0verflow team have already demonstrated that revocation lists in the PS3 can be patched and that there is complete access to the system throughout its now-broken "chain of trust". New loaders using the new keys can simply be patched to accept the revoked older keys too. Making matters worse for Sony is the fact that the "master keys" for the PS3's initial bootloader – which can never be revoked and only changed with revised hardware – were uploaded onto the internet last night by iPhone hacker George Hotz (aka Geohot), using an exploit unknown even to the Fail0verflow team. This is system access at the very root of the system, a "master key" to the whole architecture.
At the time of writing, the Fail0verflow team have only just released their tools, but the methodology the team released has already brought about rapid progress in completely unlocking the PlayStation 3's internal workings. The principles behind making updates that can be unpacked, decrypted, patched, re-encrypted and recompiled into PUP files just like Sony's own firmware are right out there in the open, meaning that there's a good chance that a firmware 3.55 Jailbreak will be available very soon.
In the meantime, it must surely be panic stations at Sony and there must be some degree of introspection at the platform holder's HQ about why this has happened. The fundamental flaws in PS3's security model should have been exposed years ago – piracy is after all a big business in its own right. It's no mistake that PSJailbreak only appeared after Geohot publicly released his original hack – it was the toolkit that pirates required in order to understood how the system worked (though rumours persist that Hotz himself was in some way responsible for the Jailbreak, a technologically ingenious exploit he probably would have been very proud to uncover).
The Fail0verflow team says that hackers do the hard work in compromising a system to run Linux and homebrew code, while the pirates exploit that for their own ends. They suggest that the pirates themselves lack the skill to come up with the exploits, and that the PS3 was left unmolested for so long because Sony gave paying customers a way to run their own code on the system. In short, the real hackers weren't interested in opening up a system that was already open enough.
Fail0verflow says that removing OtherOS first from the Slim, and then from the original "fat" PlayStation 3 was the catalyst that brought this hack about and their own presentation tacitly acknowledges that piracy will be an inevitable consequence. As this article is being written, previously pirate-proof firmware 3.50 PS3 les are being decrypted and re-packed for the existing firmware 3.41 Jailbreak - a stopgap solution for piracy until full-on custom firmware appears.
"There is absolutely no doubt in our mind that the PS3 lasted as much as it did due to OtherOS. The security really is terribly broken," the team posted on their Twitter page.
The battle between users wanting the right to run their own code on their own hardware, up against platform holders who want to rigidly retain those rights for themselves looks set to rage on well into the foreseeable future. Fail0verflow suggests that OtherOS/PS3 Linux was a compromise that kept most parties happy and piracy at bay, but the technical ingenuity of the PSJailbreak suggests that sooner or later, copied software will always become a problem for any console platform holder.
More like "crofl $ony"
I've hacked my PS3 since Oct. and it's been great.
Damn, that only took years. Iron Mexican has probably burned more games for the 360 himself than the rest of the world has burned for the PS3.
Xbox 360 HD-DVD lol
'nuff said
That makes no sense. How bout LOL that 360's have been modable for a looooong time?
lol caring about sony or microsoft
it took forever but how long would it take to download a damn game for the ps3. arent blu rays 50 gigs?
Dual layer, yes. Most PS3 games are contained on 1 layer, though. They've been ripping PS3 games for a while, most seem to be between 15 and 25 GB. I know at my work I could get that in about 20-30 minutes.
no point even backing that up on blue ray when blue ray discs are damn not worth buying at its current prices...
its fkn how the biggest 2.5 hdd you can only get is around 600gb.....be nice if theres a 2tb 2.5hdd or 1tb ssd...
ps. hey guys u know with games bought overseas can work on the system right? the system is multi region when it comes to games, but for blue ray movies etc must check of region right? cause im thinkn of bringing me ps3 overseas
I go through 50 packs like nothing.
Ah. So my warranty is valid longer?
Cool story, brah
Last edited by Viva Las Espuelas; 01-08-2011 at 03:15 AM.
I think ps3>xbox for people who cant mod?Ah. So my warranty is valid longer?
Cool story, brah
New CFW released. You can now play backups and go on psn
http://www.neogaf.com/forum/showthread.php?t=418223
Guides:
http://psgroove.com/content.php?666-...g-Backups-PSN&
http://www.pshomebrew.net/wiki/Backup_Guide
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
