Technological discussion on PS3 security and crack.

Sorry if this has been posted already, but now you can do it with a nokia n900 or a palm pre.
http://www.engadget.com/2010/09/05/ps3-jailbreak-adapted-to-nokia-n900-palm-pre-in-wake-of-austral/

Curious. Is this just for the altruistic homebrew or does this also include "backups" (massive quotes).

Android as well, and PSP is incoming, just a matter of "details" to include backup.

One thing, is it confirmed that you can only play your own backups? So trying to download someone's rip won't work on your machine?
 
Sorry if this has been posted already, but now you can do it with a nokia n900 or a palm pre.
http://www.engadget.com/2010/09/05/ps3-jailbreak-adapted-to-nokia-n900-palm-pre-in-wake-of-austral/

Curious. Is this just for the altruistic homebrew or does this also include "backups" (massive quotes).

The open source version is just for homebrew, but being open source, some other group has a patch for it to include a "backup" manager.


One thing, is it confirmed that you can only play your own backups? So trying to download someone's rip won't work on your machine?
I haven't seen confirmation that you can pass rips around. I've seen people have trouble getting other's rips to work, but I'm also starting to see activity that would strongly indicate that distributing rips work. The activity is stuff like MD5 sums of "properly" extracted executables of PS3 games.
 
the exploit is hardware based and irrevocable.

Wow, are you serious? I don't know if I find it more funny or sad that Sony was so haphazard with such a vulnerable piece of the code. Though I wonder if Sony had found this vulnerability before the hackers did; personally I doubt it, since they would have preemptively patched this in their latest hardware revision.
 
I remember it's a hardware timing glitch, so no code is involved. As I understand, it's also not easy to reproduce.

The Jig Card attack is much simpler and easier to execute (though it should be patchable by Sony).
 
One thing, is it confirmed that you can only play your own backups? So trying to download someone's rip won't work on your machine?

It's doable; private torrent trackers are starting to fill up with PS3 games. Once the game passes through the Backup Manager it can be shared with other consoles.
 
I remember it's a hardware timing glitch, so no code is involved. As I understand, it's also not easy to reproduce.
Yeah, GeoHotz had to repeatedly attempt to glitch the system before he could get in. Nothing a typical pirating user would be up to and not an exploit that could be covered up really. No system is going to be immune to people poking around with electrodes and physically rerouting signals!
 
So according to this site the PS3Jailbreak also makes PS2 games playable on any PS3 with any firmware. Seems like a bunch of crap but wow if it turned out to be true.

http://translate.google.com/translate?js=n&prev=_t&hl=de&ie=UTF-8&layout=2&eotf=1&sl=de&tl=en&u=http%3A%2F%2Fwww.ps3inside.de%2Fforum%2Fps3-allgemein%2F16956-ps3-psjailbreak-ermoeglicht-abspielen-von-ps2-spiele.html

Well, the original post says PS2 games can be backed up on any PS3, which is perfectly plausible, but there's no confirmation that they can be played on any PS3. And even if there is some super-secret software only emulation for PS2 hidden in the PS3's firmware, I'm dubious as to whether it runs at an acceptable speed and compatibility level to be usable.
 
Well, the original post says PS2 games can be backed up on any PS3, which is perfectly plausible, but there's no confirmation that they can be played on any PS3. And even if there is some super-secret software only emulation for PS2 hidden in the PS3's firmware, I'm dubious as to whether it runs at an acceptable speed and compatibility level to be usable.

Agreed, and the additional NTFS support is even more unlikely, especially in the span of a couple of weeks.
 
They've plugged it? This'll be a new record, won't it, unless the hackers find a workaround. Shortest piracy hack ever.
 
So what is the current thinking on this? I took a glance at the source code. But it looked like all the important parts were in the form of hex strings / byte arrays. Looked like binary program code dumped from another device. The C code itself only looked like the USB control routines. Did someone essentially steal a Sony USB debug device with Sony digitally signed binary executables and then just clone it?

Are they just tricking the PS3 to run signed code from a device other than the BR player. Or did they truly get it to run unsigned code? Did someone even get as far as a "hello world" yet?


Edit. Read this and it is clearer now. Interesting
http://ps3wiki.lan.st/index.php?title=PSJailbreak_Exploit_Reverse_Engineering

From what I can make out, it can run unsigned code once the hacked lvl2 kernel is running. But the "Jig authentication code" is needed to load that in the first place. And it remains to be seen if they can reproduce this exploit once that specific code gets banned in future firmware.
 
Edit. Read this and it is clearer now. Interesting
http://ps3wiki.lan.st/index.php?title=PSJailbreak_Exploit_Reverse_Engineering

From what I can make out, it can run unsigned code once the hacked lvl2 kernel is running. But the "Jig authentication code" is needed to load that in the first place. And it remains to be seen if they can reproduce this exploit once that specific code gets banned in future firmware.
It's not just a code, but an exploitation of the USB device loading. If Sony have plugged that, they won't be able to push code into the USB heap. It all depends at what level Sony can address this.
 
It's not just a code, but an exploitation of the USB device loading. If Sony have plugged that, they won't be able to push code into the USB heap. It all depends at what level Sony can address this.

Chances are this exploit is gone for good. The question now is what will already hacked systems be able to do?

Currently, it looks like the executables from ripped games are still encrypted, so simple hex-editor hacks to change the firmware version number that games require won't work (yet).

On the other hand, unless Sony's changed it in the last firmware or two, the overall firmware package isn't encrypted very well (or at all), so in theory someone could mix and match firmware modules from different versions and it would install on any retail PS3; say the USB device driver code from 3.41, the linux boot option from 3.15, and everything else from the newest firmware. I'm pretty sure this is how geohot's cfw trick worked. I've read the firmware package just uses a simple hash to verify the package integrity (with the hash in the package header), and the rest of it's pretty much a tarball of individually encrypted modules.

The good news is that if the USB driver code is part of a monolithic kernel, then it won't be possible to mix firmware versions with it and another kernel. Sony might want to change the driver API if the USB driver loads as a module...

edit: and I just read that psgroove has added support for patching the kernel on the fly. It's going to take real work from Sony to prevent currently hacked system from pirating newer games; a simple version bump isn't going to do it.
 
edit: and I just read that psgroove has added support for patching the kernel on the fly. It's going to take real work from Sony to prevent currently hacked system from pirating newer games; a simple version bump isn't going to do it.
On the upside, this has to be a pretty minimal number of PS3 at the moment. They plugged it quick enough for that. The worry, as you say, is if open systems find other exploits.

The next consoles should have these vectors tied up completely. In some cases it's been laughably simple to hack, with DVD firmware for example. Overflows are often an issue, and should have been addressed. Clearly Sony didn't expect a USB exploit like this, but lesson learned. Any user-affectable system has to have boundaries to prevent memory overflows.
 
On the upside, this has to be a pretty minimal number of PS3 at the moment. They plugged it quick enough for that. The worry, as you say, is if open systems find other exploits.

The next consoles should have these vectors tied up completely. In some cases it's been laughably simple to hack, with DVD firmware for example. Overflows are often an issue, and should have been addressed. Clearly Sony didn't expect a USB exploit like this, but lesson learned. Any user-affectable system has to have boundaries to prevent memory overflows.

The funny thing is that I thought Sony did have the buffer overflow problem pretty well nailed with the hypervisor on the PS3. Overflows have always been considered a non-starter in the PS3 hacking scene; if they were normally viable, I think there would've been a hack within a couple months of launch. I don't think the fact that this overflow was at the kernel level makes much of a difference. I've been wondering if the Sony jig device ID makes the hypervisor look the other way for a few milliseconds.
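An added example (not from this thread, and not Sony's or PSGroove's code) of the "boundaries to prevent memory overflows" point made above: a USB descriptor walker that trusts the device-supplied bLength beside one that checks every length against the remaining input and the fixed buffers. The buffer sizes and the descriptor bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed sizes for the example, not PS3 values. */
#define SCRATCH_LEN 32
#define MAX_DESC    8

typedef struct {
    uint8_t scratch[SCRATCH_LEN]; /* raw copy of the descriptors */
    uint8_t offset[MAX_DESC];     /* start of each descriptor in scratch */
    int     count;
} usb_dev_t;

/* Weak parser: trusts every device-supplied bLength; a bLength past the
 * end of the input, or a total over SCRATCH_LEN, writes past the buffers. */
int parse_descriptors_unchecked(usb_dev_t *d, const uint8_t *desc, size_t total)
{
    size_t off = 0;
    d->count = 0;
    while (off < total) {
        uint8_t len = desc[off];          /* bLength, device controlled */
        d->offset[d->count] = (uint8_t)off;
        memcpy(d->scratch + off, desc + off, len);
        off += len;
        d->count++;
    }
    return d->count;
}

/* Hardened parser: every length is checked against the input that is
 * left and against the fixed buffers before anything is copied.
 * Returns -1 and leaves the device unconfigured on any violation. */
int parse_descriptors_checked(usb_dev_t *d, const uint8_t *desc, size_t total)
{
    size_t off = 0;
    int n = 0;
    if (total > SCRATCH_LEN) return -1;              /* total exceeds buffer */
    while (off < total) {
        uint8_t len = desc[off];
        if (len < 2 || len > total - off) return -1; /* zero/short or overlong */
        if (n >= MAX_DESC) return -1;                /* too many descriptors */
        d->offset[n] = (uint8_t)off;
        memcpy(d->scratch + off, desc + off, len);
        off += len;
        n++;
    }
    d->count = n;
    return n;
}
```

The unchecked variant is only safe on well-formed input; the checked one rejects a zero bLength (which would otherwise loop forever) and an overlong one before any copy happens.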
 
I read somewhere that it's a combination of a race condition and a buffer overflow. May be difficult to catch in a new implementation if true. Something along the lines of "plugging and unplugging" 32 (?) virtual USB devices in parallel very quickly to expose the hole.

One of the virtual USB devices bears the ID of the JigCard, and is able to escalate the privilege of the user.
 
It's interesting. Back during 3.21 people found out about a proxy that allowed you to bypass Sony's FW version check. Then, AFAIK without any firmware updates from Sony, this proxy stopped working.

Now, all of a sudden, with 3.42 the proxy works again! This seems deeply suspicious to me; could it be a Sony honeypot?
 