Technological discussion on PS3 security and crack.

It's interesting. Back during 3.21 people found out about a proxy that allowed you to bypass Sony's FW version check. Then, AFAIK without any firmware updates from Sony, this proxy stopped working.

Now, all of a sudden, with 3.42 the proxy works again! This seems deeply suspicious to me; could it be a Sony honeypot?

Could be Sony went back for a more stable update, or maybe the jailbreak exploit has some roots in newer firmware only. Supposedly older FW didn't work with the jailbreak either, so maybe updating to an older firmware is Sony's temp solution.
 
They've plugged it? This'll be a new record, won't it, unless the hackers find a workaround. Shortest piracy hack ever.

Quite possibly, although there's still probably a few hundred thousand PS3s in the channel that are presumably hackable still (yes, a virtual drop in the bucket :)). The important thing for Sony is whether hackers can find a way to use a bootloader to load future firmware while keeping the exploit active. And then beyond that, if a way is found to downgrade the firmware of the PS3.

As long as there isn't a way to downgrade the firmware, at worst this will be roughly similar to the JTAG exploit on X360 with a very limited number of machines still running the exploit.

If a way is found to downgrade the firmware, it could turn out to be as bad as the PSP situation.

Regards,
SB
 
If a way is found to downgrade the firmware, it could turn out to be as bad as the PSP situation.

Isn't the challenge to have a firmware with the "stack overflow" still active and yet supporting whatever new functions and memory savings Sony might bring to the table? That would require the mod scene to custom-build firmwares and patch them in.

With the current info it actually doesn't seem impossible at all, and the DNS hack works for the current firmware update. You point to another DNS and the PS3 doesn't require a firmware upgrade in order to go online.

I am getting a feeling that Sony built an extremely strong defense around their console, but left the flank wide open (debug mode). And behind the line it seems they didn't secure "anything": the firmware isn't encrypted, usernames and passwords are stored in plain text. And with the leaked SDK it won't take long before we see some custombrew showing up. I am waiting with the update until GT5 arrives; maybe there is some fun stuff in the pipeline.

I do hope that Sony finds a way to absolutely 100% stop anyone from playing online that isn't on the correct firmware.
 
Isn't the challenge to have a firmware with the "stack overflow" still active and yet supporting whatever new functions and memory savings Sony might bring to the table? That would require the mod scene to custom-build firmwares and patch them in.

The scene did this for the Xbox 360 JTAG exploit and the scene will do this for the PS3 as well. It's just a matter of time for them to get up and running. I think the one version of the jailbreak already has some initial support for hot-patching the kernel/firmware.
 
I am getting a feeling that Sony built an extremely strong defense around their console, but left the flank wide open (debug mode). And behind the line it seems they didn't secure "anything": the firmware isn't encrypted, usernames and passwords are stored in plain text.

The debug mode wasn't wide open. It's not supposed to run retail software. So there should be some authorization framework in place, even if circumvented.

If the security is lax, we will know very quickly.

The proxy hole is interesting though. Not sure what's up.
 
How does it play "back-ups" if it can not run retail software through the Backup Manager app?

From what I understand, the software tricks the system into thinking the game on the HDD is running from the BD-ROM.
 
The debug mode wasn't wide open. It's not supposed to run retail software. So there should be some authorization framework in place, even if circumvented.

If the security is lax, we will know very quickly.

The proxy hole is interesting though. Not sure what's up.

They didn't leave the flank open on purpose; they just didn't consider that an attack like the jailbreak would be a success.

The USB is accepted by the system, and the payload is executed so that the "backup" manager can be installed. And since the system is still secured it won't play encrypted games, but it does accept "debug" code, in this case complete backups of games where the encryption has been removed.

It's pretty clever work, and I can understand why Sony didn't see it coming. Nevertheless, they could have kept the system more locked down than what it seems to be.
 
As long as there isn't a way to downgrade the firmware, at worst this will be roughly similar to the JTAG exploit on X360 with a very limited number of machines still running the exploit.

If a way is found to downgrade the firmware, it could turn out to be as bad as the PSP situation.

Regards,
SB

Wasn't there already a way to downgrade the firmware to FW 3.40 though? It required some serious motherboard shorting or whatever, but I thought I saw this discussed already.
 
There must be a way, for the purpose of the service jig is to replace the FW, hence there must be a way to gain authority over the FW and stick an alternative on.
 
Wasn't there already a way to downgrade the firmware to FW 3.40 though? It required some serious motherboard shorting or whatever, but I thought I saw this discussed already.

I think there hasn't been a way to downgrade firmware. What you might be remembering is loading older modules onto a newer firmware via geohot's HW hack. The case being where geohot was able to load an older module onto newer firmware to bring the Other OS option back. This is a looong way from custom firmwares or firmware downgrading.

If custom firmwares happen we can be pretty sure Sony will mine new games and firmwares with code detecting such custom firmwares/modchips and do some banning from PSN a few times a year. It would be pretty impossible for a "cracker" to find those pieces of code trying to detect modchips and strip them out...
 
Wow, tons of stuff showing up on torrent sites now, and people DL KZ2 for instance and say it's a great game zzzzz. Why not just rent it or buy a cheap copy and get to play online?
 
Wow, tons of stuff showing up on torrent sites now, and people DL KZ2 for instance and say it's a great game zzzzz. Why not just rent it or buy a cheap copy and get to play online?

Assuming Sony can keep the pirates plugged out of newer firmwares, this might be the best advertisement ever for Killzone 3. Maybe so for some other underappreciated games as well.
 
If I remember correctly, the proxy or DNS workaround for PSN didn't stop working right after a firmware update. At the time, it just seemed Sony did something on their server side to nullify them.
 
I would imagine that GameOS patches could mimic the challenge response of the PlayStation Store to keep 3.41 active.

Sony's best bet going forward is to change the encryption keys for the Christmas games, and put the decryption keys into Firmware 3.42 or higher.

Short of the hackers reverse-engineering future firmware updates to retrieve the keys and add them to 3.41 (very, very difficult) there is no way to otherwise play them on 3.41.

This is what they did on PSP by the way, the difference being that the PS3 is nowhere near as compromised as the PSP is/was and I'd imagine emulating future firmware modules is very tough.

What I will say however is that the hacker who found the exploit in the PS3 is clearly waaaaaaaaaaaaaay ahead of everyone else. And he's not talking publicly. It's all speculation really as to what he's got up his sleeve. The existing USB exploit suggests a pretty encyclopedic knowledge of the hardware.
 