Technological discussion on PS3 security and crack.

The initial attack he chose was based on reading the security docs, as he wrote here.

Different documents.

He's saying that if you control the PPU you can control the SPUs and not worry about the isolated one, and that what he has is enough for homebrew. But we haven't seen Hello World yet.
 
Is that something you know or you presume? It would be incredibly stupid on Sony's side not to do runtime verification of the code. The Xbox 360 does memory hashes to prevent code injection/replacement. I assume the PS3 has a similar system.
How would this help on writable memory like the stack? It doesn't really help if module X's code is untouched if it's never called. Once you've got a foot in the system it's definitely possible to compromise it; it's got nothing to do with being stupid, it's rather that it's almost impossible to write invincible systems.
And AFAIK the Xbox 360 gets hacked again and again... what does this tell you about the runtime checks?

And no, I'm no Sony insider or anything like that, I just don't believe there is a lot of authentication at runtime. The point of isolation is to use relatively small programs which are tested thoroughly against attacks, and which themselves are pretty much restricted in what they can access. Most of the XMB won't fall into that category, but the point is that even if the GameOS is breached and can't be trusted you can still start an isolated SPU (kinda like a separate OS itself), but it's secure only as long as its function doesn't depend on the GameOS in any way (like flashing a firmware update).
 
How would this help on writable memory like the stack? It doesn't really help if module X's code is untouched if it's never called. Once you've got a foot in the system it's definitely possible to compromise it; it's got nothing to do with being stupid, it's rather that it's almost impossible to write invincible systems.
Invincible systems, no. But robust product lines, yes. It should be possible to design systems where a crack to an individual system does not lead to a wholesale crack that allows any device to be readily compromised. Ultimately if there are per-chip keys that need to be cracked, preferably using a proprietary encryption so you can't just throw processing power at it, it'll take that however long to crack each individual console.

In a way, Cell needs this attack. If it fends it off, the interest in Cell as a secure platform for big business and government should increase considerably. It's also an important test-case for future security designs. Should the defenses fail, lessons will be learnt for the next generation of 'secure' platform.
 
Invincible systems, no. But robust product lines, yes. It should be possible to design systems where a crack to an individual system does not lead to a wholesale crack that allows any device to be readily compromised. Ultimately if there are per-chip keys that need to be cracked, preferably using a proprietary encryption so you can't just throw processing power at it, it'll take that however long to crack each individual console.
It's not feasible to write something like the XMB or GameOS as just separate modules. There needs to be much communication and you can't route everything through isolated SPUs (for performance reasons and development time). Actually, since you can start the XMB while games are running, I don't think there is ever more than one SPU isolated and most of it just runs on the PPU.
And something like runtime checks only works on unmodifiable data, which means you can't use relocation and dynamic linking as well if you want the hashes for the code and data sections to match.

In a way, Cell needs this attack. If it fends it off, the interest in Cell as a secure platform for big business and government should increase considerably. It's also an important test-case for future security designs. Should the defenses fail, lessons will be learnt for the next generation of 'secure' platform.
I don't see how the security of the GameOS should be an indicator of the security of Cell. The whole point is that you don't get access to the lowest level so security can be renewed instead of leaving the door open.

But I agree that it's interesting to watch how far the hackers will come (and how long it will take them). As soon as the hack is public it should be easily countered with a new firmware unless something's really wrong with Cell.
 
How would this help on writable memory like the stack? It doesn't really help if module X's code is untouched if it's never called.

I doubt they allow you to execute code on the stack pages. That's about the first thing I would disable and has been standard practice in modern OSs for years.

Once you've got a foot in the system it's definitely possible to compromise it; it's got nothing to do with being stupid, it's rather that it's almost impossible to write invincible systems.
And AFAIK the Xbox 360 gets hacked again and again... what does this tell you about the runtime checks?

As per the IBM paper the Cell's security is based on the assumption that even the HV might get compromised. The 360 was attacked on two fronts: unsigned shaders that can write anywhere in memory and custom drive firmware. The private keys have never been extracted AFAIK. Those attacks I mentioned cannot be used on the PS3 due to drive firmware encryption and memory layout differences.

And no, I'm no Sony insider or anything like that, I just don't believe there is a lot of authentication at runtime. The point of isolation is to use relatively small programs which are tested thoroughly against attacks, and which themselves are pretty much restricted in what they can access. Most of the XMB won't fall into that category, but the point is that even if the GameOS is breached and can't be trusted you can still start an isolated SPU (kinda like a separate OS itself), but it's secure only as long as its function doesn't depend on the GameOS in any way (like flashing a firmware update).

We would need more information; we're just speculating here, but given IBM's expertise in the ATM/cryptography business I'm pretty sure they built enough runtime checks into the hardware itself. Otherwise all you'd have to do is poke into the XDR mem and inject your code, which is not possible on the 360 either.

I will believe this guy's claims when he posts the technical aspects of the hack. I too can make a picture of an open PS3 and some FPGAs and claim to have broken it.
 
Actually, since you can start the XMB while games are running, I don't think there is ever more than one SPU isolated and most of it just runs on the PPU.
And something like runtime checks only works on unmodifiable data, which means you can't use relocation and dynamic linking as well if you want the hashes for the code and data sections to match.

The XMB is probably an unprivileged process with no access to any security-critical part of the system so, even if you compromise it, nothing should happen.

The hashes can be computed during loading/relocation after you verify a correct signature/encryption. After that the code is going to stay in the same place. And of course you cannot execute code on data pages.

I don't see how the security of the GameOS should be an indicator of the security of Cell. The whole point is that you don't get access to the lowest level so security can be renewed instead of leaving the door open.

I think that's the key point. GameOS doesn't have to be unbreakable because even if it is compromised you will still not be able to gain access to the secure vault.

I'm not saying it's not possible, but I'm skeptical as we've seen zero technical info on his achievement. Compare it to the amount of info that was released when the first Xbox's security was cracked.
 
I doubt they allow you to execute code on the stack pages. That's about the first thing I would disable and has been standard practice in modern OSs for years.
sigh... I'm talking about function pointers and return addresses. You can protect the code / read-only data with hashes (and that only if you don't do anything that touches it like linking/relocating). You can't protect the state of a program with cryptographic hashes.

As per the IBM paper the Cell's security is based on the assumption that even the HV might get compromised. The 360 was attacked on two fronts: unsigned shaders that can write anywhere in memory and custom drive firmware. The private keys have never been extracted AFAIK. Those attacks I mentioned cannot be used on the PS3 due to drive firmware encryption and memory layout differences.
And whatever method the hacker used, he claims R/W access to system memory; it doesn't matter how he got there. Now MS does their runtime checks trying to detect modifications, but AFAIK those get patched up some time after MS modifies them.

I will believe this guy's claims when he posts the technical aspects of the hack. I too can make a picture of an open PS3 and some FPGAs and claim to have broken it.
I'm just assuming it's real; likely if the hack's going public it will be patched, so there's a reason to keep it under wraps.
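The disagreement above (hashes taken after relocation, versus hashes being unable to cover function pointers and return addresses) can be made concrete with a small model. This is an added example, not code from the thread or from any console firmware: a constructed toy image with a relocated code section, a read-only section and a writable pointer table, where `measure`, `load`, `code_intact` and `pointers_intact` are hypothetical helpers.

```python
import hashlib
from typing import Dict, Tuple

# Constructed toy memory image (not PS3 data): a code section that is
# relocated at load time and then immutable, a read-only data section, and a
# writable data section holding a function-pointer table.
class Image:
    def __init__(self, code: bytes, rodata: bytes, data: Dict[str, int]):
        self.code = bytearray(code)
        self.rodata = rodata
        self.data = data          # mutable state: name -> branch target

# Placeholder bytes standing in for machine code; bytes 4..7 hold an absolute
# address that the loader patches, i.e. the "relocation" the thread discusses.
CODE_TEMPLATE = b"\x01\x02\x03\x04" + b"\x00\x00\x00\x00" + b"\x05\x06"
RODATA = b"fw=1.00;"

def relocate(template: bytes, base: int) -> bytes:
    code = bytearray(template)
    code[4:8] = base.to_bytes(4, "little")
    return bytes(code)

def measure(img: Image) -> str:
    """Reference hash over the immutable sections only (code + rodata)."""
    h = hashlib.sha256()
    h.update(bytes(img.code))
    h.update(img.rodata)
    return h.hexdigest()

def load(base: int) -> Tuple[Image, str]:
    """Relocate first, then take the reference measurement, so a different
    load address does not break the check."""
    img = Image(relocate(CODE_TEMPLATE, base), RODATA, {"dispatch": base + 0x8})
    return img, measure(img)

def code_intact(img: Image, reference: str) -> bool:
    return measure(img) == reference

def pointers_intact(img: Image, base: int) -> bool:
    """Separate control-flow check: every stored target must lie inside the
    measured code section. This is what the hash alone cannot give you."""
    return all(base <= t < base + len(img.code) for t in img.data.values())

def demo() -> Dict[str, bool]:
    base = 0x1000
    img, ref = load(base)
    results = {"clean_code": code_intact(img, ref),
               "clean_pointers": pointers_intact(img, base)}
    # Same image loaded elsewhere still verifies: the hash was taken post-relocation.
    other, other_ref = load(0x2000)
    results["relocated_ok"] = code_intact(other, other_ref) and ref != other_ref
    img.code[0] ^= 0xFF                       # tampering with code is caught ...
    results["code_tamper_detected"] = not code_intact(img, ref)
    img.code[0] ^= 0xFF
    img.data["dispatch"] = 0xDEAD0000         # ... but a redirected pointer is not
    results["pointer_tamper_hash"] = code_intact(img, ref)      # still True
    results["pointer_tamper_cfi"] = not pointers_intact(img, base)
    return results
```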
 
I think this guy is legit in that he got what he claims he has. I think he may be getting ahead of himself in claiming what he can do with it -- the system isn't cracked 'til we see unsigned code running on it, and given all the other restrictions we might need to see more than just 'Hello world' to know that he has full hardware control.
 
Geohot's point seems to be that his hack is at such a low level that he can prevent measures like this actually being activated in the first place.

Theoretically many of these protections are meant to be purely hardware based though...he's claimed a hypervisor hack, but nothing about hacking the underlying hardware security elements.

Reading his last blog post and the comments afterward, he seems to be attempting now to patch hypervisor functions to do his bidding using his access to memory. I guess to the end of exposing keys. But there was no recognition in his post of the runtime integrity checking for code - theoretically that's the next hurdle he should be running into if it's being used properly and I'd have been curious to see how he intends to get around that, or if there is anything to get around (e.g. it's possible the usage of that stuff isn't as comprehensive as it should be, leaving holes for him to patch stuff with impunity). But I guess he wants to stay mum lest he give someone else a head start on what he's doing.
 
Hotz is also claiming he can get unsigned code (backups, Linux, homebrew, etc.) to run without getting the root keys because if he can control the PPE, he can control the SPUs.

George Hotz said...

lv1 is in RAM, I r/w RAM...
January 23, 2010 8:23 PM

If they start using lv1ldr for anything I don't like...I'll just kick it out.
Just because it's isolated doesn't mean it keeps running. PPE can say no.
January 24, 2010 12:49 AM

And for GPU access, I think you already have it, just no driver. Hacking doesn't change that, although reversing lv1 could aid development.
January 24, 2010 12:50 AM

On my system SPE3 is disabled and SPE2 runs security, leaving 6 SPEs for games and otheros. There's another fuse register which says which SPEs are actually broken and hard disabled in manufacture, which mine is. But yea, I bet a percentage of PS3s could get access to all 8.
January 24, 2010 1:25 AM

The SPUs don't actually need to be hacked to do anything with the system. The PPE can kick out isolated SPUs, so it has the higher level of control. You can just use the SPUs to load things, kick them out, then patch to your heart's content.
January 24, 2010 2:12 AM

Granted, if we could decrypt the ISO SPUs, things would be a lot easier.
January 24, 2010 2:13 AM

Read your last paragraph in your last comment, and you'll see why I'm right. You can't expect to know everything and dump every piece of code. This hack is enough for homebrew, full linux, and even backups.
January 24, 2010 2:17 AM
 
Yeah, I had seen that. Mathieulh is one of the skeptical folks; he's essentially been warning about the SPU isolation.
 
sigh... I'm talking about function pointers and return addresses. You can protect the code / read-only data with hashes (and that only if you don't do anything that touches it like linking/relocating). You can't protect the state of a program with cryptographic hashes.

Sorry, I misread you then. That would certainly work if the stack and thread states are not encrypted (which was one of the flaws in the 360's security). That could allow you to perform a return-to-HV attack, which would have to be exploitable as well (the 360's was). I assume Sony's HV is not running in real mode.

And whatever method the hacker used, he claims R/W access to system memory; it doesn't matter how he got there. Now MS does their runtime checks trying to detect modifications, but AFAIK those get patched up some time after MS modifies them.

That's why I mentioned that the 360 has several security issues and had its security compromised because of this; it was not a single subsystem that was compromised.

I'm just assuming it's real; likely if the hack's going public it will be patched, so there's a reason to keep it under wraps.

I think he is way too optimistic. He said he would shut down the SPEs and stick to the PPE. Sorry, that's not going to enable him to run homebrew or backups (this was mentioned in some comments as well). The lv1 syscall dump has been known for years as well.
 
More quotes from Hotz:
I'm less opposed to piracy on the PS3 as I am on the iPhone. Obviously, it must not hurt the game manufacturers that bad, or they wouldn't continue to release PC versions of games. And if a modchip is required, that will eliminate a huge chunk of would-be pirates. If you are willing to open up your system, learn some electronics, and solder, perhaps you deserve free games. I hate the tools who download blackra1n then ask me where their free apps are, and wish Apple had better DRM, which none of the top guys in the iPhone scene would touch.

Who cares about the strength of the encryption? Systems don't get hacked because the designers chose 1024-RSA instead of 2048-RSA, or 128-AES instead of 256-AES. If the system can decrypt it, you can decrypt it.

And yes, your understanding of the hypervisor is correct. If it's working properly, it shouldn't give me access to the resources I want...but that's what the hardware I add is for, to make the system not work so properly at exactly the right time.
January 21, 2010 10:14 AM

Losses due to piracy are incredibly hard to measure. For example, I have 3 Miley Cyrus songs in my iTunes library, but I really don't think she lost any money because of me...

Piracy in the iPhone scene bothers me for a different reason. The people who want cracked apps seem to be the biggest leeches around, who'd never give anything back to the scene and don't appreciate the legit uses for jailbreaks. Also there's a big difference between a $1 app and a $60 game, which is why I think the people are like this...too cheap to spend a dollar.

Thinking about piracy in television, I wouldn't be watching LOST if I couldn't pirate the first two seasons and catch up. So they gained a viewer.

The real reason I'm against piracy on this blog is the DMCA and lawyers though. It's not a moral issue.
January 21, 2010 3:22 PM
 
A modchip might limit some things, but really I think most people who pirate just pay some shady website $100 to get their console "fixed up". 99% of people are not going to do it themselves whether it's a hard or soft hack. Wasn't the PS2 piracy all about chipped?

The real reason I'm against piracy on this blog is the DMCA and lawyers though. It's not a moral issue.

What is he getting at there? Is he trying to say he has to say he's against piracy to avoid being sued?


Obviously, it must not hurt the game manufacturers that bad, or they wouldn't continue to release PC versions of games.

Wow, talk about non logic. Very few boxed non-MMORPG PC games sell much at all anymore.

Disregarding that piracy has arguably killed most PC-only development in favor of quick and dirty console ports, and that many of those ports are even delayed to avoid hurting sales of the console version, console ports on PC seem mostly a way to make a small buck (and judging by sales small is the word) on the side since development costs to throw out a PC version are likely next to nil anyway.
 
Yeah I don't get it. If you pirate something worth 1 USD you are scum. If you pirate something worth 60 USD, it's ok. So now we have a sliding scale of when it is and isn't ok to rip off someone's hard work? Ugh.

Why not just walk up to the developers and spit in their face while you are at it?

Gah, hate that attitude of, "If you can figure out how to steal something and get away with it, then you deserve to have it for free."

Regards,
SB
 
If you are willing to open up your system, learn some electronics, and solder, perhaps you deserve free games

Great, so I guess he is fine with having his car stolen since if someone knows electronics enough to bypass his vehicles security system then I guess they deserve to take his car. Likewise if someone is smart enough to compromise the security on his bank account then perhaps they deserve to take his money as well. Very generous of him to offer up all of his personal wealth and belongings to whoever has the smarts to gain access to them. I wonder if he is fine having his home TV stolen by some smart guy who can bypass his home alarm. I mean, it sounds like he thinks that person would deserve some free electronics being so smart and all.
 
It's not even smarts, but effort. He's talking about people who install mod-chips, which doesn't take much brains.
 
Very generous of him to offer up all of his personal wealth and belongings to whoever has the smarts to gain access to them.
Yeah, he kind of dug a hole for himself and fell into it with that comment. I am all for paying for the games you play, and myself haven't pirated anything since some time in the late 90s (not counting the ~3500 or so arcade ROMs I torrented for use with MAME maybe 5 years ago of course. :oops: ...But I deleted all of those long ago now.)
 