Technological discussion on PS3 security and crack.*

[Squilliam]

. They could also potentially lock out older firmwares from going online if they can't identify a hacked console directly. That then limits the pirates to old games, no online, which is quite substantial.

AFAIK you need the latest firmware to go online anyway. Therefore the pirates, like the Xbox 360 will probably be confined just to offline play.

One thing of note is this. If they force a later firmware, what do they do with all the people who want to use Linux/other OS on the PS3?

Finally, does anyone think that a combo of Linux + unsigned code could lead to even more spectacular hacks in the future? Isn't one of the first steps in system hacking getting the systme to run unsigned code of the hackers choice? Linux could be the injection method and this key could let them run it. Where do they go from there? Of course I could be wrong.

 

[androvsky]

The booting order is in the BIOS. As grandmaster says, USB boot of this device has priority as a fix in case a firmware update gets corrupted and kills the PS3. If you are reliant on a firmware to boot to enable you to fix the firmware, a dead firmware stops you ever fixing a dead firmware! So the PS3 always boots first off this repair dongle to enable repairs to install a fresh firmware over the corrupted one of a returned PS3 in for repair.

This can only be addressed with a BIOS update. Androvsky thinks there's precedent for this, but for all we know network boot was enabled in the BIOS from day one but the mechanics not imlemented until later in firmware. Whether a firmware update can actually flash the BIOS, we don't know, though that'd have been a good thing to add!

When remote play was first enabled, there was a widespread problem of systems randomly turning on, probably due to misinterpreting network traffic as an on signal. If network booting was always enabled, wouldn't that problem have affected units starting at launch (or even with remote play disabled), but with them unable to complete the booting process?

Also, I'd be surprised if the PS3 (especially the slims) has a traditional PC-style BIOS. I honestly don't think it's a separate thing from the rest of the firmware. edit: Okay, I can understand an older console having a beefy boot ROM, but given the way the PS3 works (and worked with OtherOS), along with the old breakdowns of the PS3 boot process I've read on various websites, I'm having a hard time imagining an inflexible boot process that can load external code from the USB before it hits the internal flash.

Yes, I understand it needs to be able to put the PS3 in debug mode very early in the boot process in order to deal with bad firmwares, but I think there's a certain point where you say that if the firmware is so busted it can't even boot the USB, it's time to buy a new system. I don't see a strong need for a completely hard-wired external boot process for extreme repairs.

Now that I think about it, couldn't you boot off a USB drive in OtherOS mode? I think that points to at least some control over the pre-USB boot process, otherwise I'd still have YDL on my system.

 

[obonicus]

One thing of note is this. If they force a later firmware, what do they do with all the people who want to use Linux/other OS on the PS3?

This has always been an issue. When games with Move support come out, and your system doesn't support that peripheral, will you be able to play those games?

 

[Squilliam]

This has always been an issue. When games with Move support come out, and your system doesn't support that peripheral, will you be able to play those games?

It depends whether you'll need a firmware update to support them. Did people need a firmware update to support say the Singstar accessories?

 

[N_B]

So I read on GAF that this only works on consoles running firmware 3.41, and other firmwares just boot to a black screen Why would that happen

 

[Xenus]

I assume it would be because sony was smart enough to change the key with each firmware update but it could be any myriad of reasons really.

 

[DieH@rd]

Better pictures of opened USB stick.
http://www.planetadejuego.com/psjailbreak-destripando-el-modchip-de-ps3

 

[grandmaster]

So I read on GAF that this only works on consoles running firmware 3.41, and other firmwares just boot to a black screen Why would that happen

Because the patches injected by the dongle are firmware-specific. Patch the wrong firmware and it's bound to crash, or else the software on the dongle may well simply lock up the console to prevent damage if it sees that firmware 3.41 isn't present.

 

[patsu]

I haven't been tracking...

So we still have no official words from Sony ?

Does the net have any concensus yet ?

 

[Shifty Geezer]

http://www.eurogamer.net/articles/digitalfoundry-vs-psjailbreak-article

I like grandmaster's bluntlness about the price, and hopefully some potential buyers are being steered away from investing on what might be an overpriced yet useless system.

AFAIK you need the latest firmware to go online anyway.

Of course it does! I think my brain was running on 1 cylinder yesterday.

One thing of note is this. If they force a later firmware, what do they do with all the people who want to use Linux/other OS on the PS3?

That's already the case isn't it? Then again, I've never experienced a game requiring a later firmware, so perhaps the idea of firmwares on disk hasn't been used yet? Still, Linux users are already locked out of PSN, and I think they appreciate their Linux PS3's are really only fancy Linux boxes and not so good for gaming any more.

I haven't been tracking...
Does the net have any concensus yet ?

The Net never has consensus... But I think the DF article is the best coverage to date of what's known and the possibilities.

 

[NathansFortune]

It depends whether you'll need a firmware update to support them. Did people need a firmware update to support say the Singstar accessories?

Move games are running on a newer SDK revision so they will require a new firmware to run, probably 3.5. Don't forget that Move, unlike Singstar, actually sets aside system resources to run.

From what I can gather through corporate contacts is that there is a massive witch hunt in SCE right now as to who leaked this. They don't want to patch it until they find the leaker. It is patchable though, and they are sorting it out. Something to do with USB boot not requiring root privileges to make it easier for Sony repair centres to reflash consoles. It can be done without USB boot, and the new firmware will probably remove it completely and repair centres will just have a harder time and Sony will have to dole out more replacements rather than fixes.

 

[NathansFortune]

Because the patches injected by the dongle are firmware-specific. Patch the wrong firmware and it's bound to crash, or else the software on the dongle may well simply lock up the console to prevent damage if it sees that firmware 3.41 isn't present.

That is because it is specific to the keys used in SDK 341. This was without a doubt an inside job...

 

[patsu]

The Net never has consensus... But I think the DF article is the best coverage to date of what's known and the possibilities.

They were pretty quick to identify and agree on the APOCALYPS3 bug last time.

 

[Cyan]

That is because it is specific to the keys used in SDK 341. This was without a doubt an inside job...

Whoever did this it looks like, judging from the latest news, this isn't going anywhere.

Better pictures of opened USB stick.
http://www.planetadejuego.com/psjailbreak-destripando-el-modchip-de-ps3

Looking at the pics, the USB dongle doesn't contain much junk but if it sells well it will create mountains of junk.

Many people might have to toss the pendrive out, to be either put in some kind of electronic closet, ironed, :smile: and whatnot, but this became quite famous, and for Sony they will be somehow always there.

 

[grandmaster]

That is because it is specific to the keys used in SDK 341. This was without a doubt an inside job...

There are no keys in the SDK, and nobody can sign code outside of Sony's mastering labs - unless the patches the dongle uses are actually signed, in which case the hack is far further reaching than we can possibly envisage and it is indeed game over for the security scheme.

Whether the USB device can be revoked is the hot topic really. The whole concept of pirates getting hold of these service devices was a complete unknown until the PSP service battery was swiped some time in 2007. And of course the PS3 came out in 2006.

They didn't anticipate anything like this in creating the PSP-2000 which came out after the PS3, so would they even think to come up with a means with which to revoke the use of their own tools? Perhaps, perhaps not. Perhaps later PS3s can be patched while earlier ones cannot.

Bearing in mind what Sony's USB dongle is actually used for (flashing a service mode firmware basically), it wouldn't surprise me if the hackers eventually move onto their own custom firmwares based on the official releases: 1. download official firmware, 2. patch it, 3. flash it via the dongle.

It's all speculation from here on out really.

 

[-tkf-]

They didn't anticipate anything like this in creating the PSP-2000 which came out after the PS3, so would they even think to come up with a means with which to revoke the use of their own tools? Perhaps, perhaps not. Perhaps later PS3s can be patched while earlier ones cannot.

If they didn´t anticipate it before, then they must at least have had a "wake up" call afterwards. I hope they went over the PS3 security after the PSP hack and hopefully learned a lesson that might have been implemented since.

 

[Shifty Geezer]

It's possible they did regards the Slim, just as with later PSP models once they were made aware of the Pandora-type service exploits, and possibly PS3's being sold now can be patched even if the older model can't. That's still a good 3/4 of the install base that could become pirates though which won't come as much consolation.

Next-gen will feature a rethink of service models. IMO a service HDD that can be plugged in, formatted with a proprietary format, is the sort of direction needed. Making an unreadable service format prevents tampering and leaves the hackers thrashing away at finding keys. In this case the service data is just on a FAT32 drive, meaning anyone can poke around with it. The hackers have got hold of SDK modules, placed them on an open format drive, and are injecting them into the system. If we accept leaks are always going to happen, the human element that businesses so often don't consider properly (we've got signed NDAs so what can go wrong?!), elliminating the means by which the pirates can get their hacked code onto the system locks them out. Sony have done well in keeping out the mod-chip expolits that GeoHotz explored, but left this door wide open where legitimate code is used.

 

[flynn]

That is because it is specific to the keys used in SDK 341. This was without a doubt an inside job...

That's an extremely weak hack then and proof that the PS3's security model works modulo an imbecile leaking keys. I hope they patch it soon and find the person who did this, then send a bunch of Yakuzas to pay him a visit.

 

[NathansFortune]

There are no keys in the SDK, and nobody can sign code outside of Sony's mastering labs - unless the patches the dongle uses are actually signed, in which case the hack is far further reaching than we can possibly envisage and it is indeed game over for the security scheme.

Whether the USB device can be revoked is the hot topic really. The whole concept of pirates getting hold of these service devices was a complete unknown until the PSP service battery was swiped some time in 2007. And of course the PS3 came out in 2006.

They didn't anticipate anything like this in creating the PSP-2000 which came out after the PS3, so would they even think to come up with a means with which to revoke the use of their own tools? Perhaps, perhaps not. Perhaps later PS3s can be patched while earlier ones cannot.

Bearing in mind what Sony's USB dongle is actually used for (flashing a service mode firmware basically), it wouldn't surprise me if the hackers eventually move onto their own custom firmwares based on the official releases: 1. download official firmware, 2. patch it, 3. flash it via the dongle.

It's all speculation from here on out really.

That's why there is an internal witch-hunt at SCE. The reason why Sony aren't worried is because keys can be revoked by a new firmware update, but until the leaker is found there is no point. It is a relatively easy fix but it needs to come soon so the majority of people update beyond the affected firmware.

Don't get me wrong it is a problem for them, but the nature of this hack and how it has come about makes it less difficult to fix.

The whole security scheme behind the PS3 was made to be dynamic, Sony can revoke keys, functionality and reflash hardware with firmware updates.

 

[upnorthsox]

That's why there is an internal witch-hunt at SCE. The reason why Sony aren't worried is because keys can be revoked by a new firmware update, but until the leaker is found there is no point. It is a relatively easy fix but it needs to come soon so the majority of people update beyond the affected firmware.

Don't get me wrong it is a problem for them, but the nature of this hack and how it has come about makes it less difficult to fix.

The whole security scheme behind the PS3 was made to be dynamic, Sony can revoke keys, functionality and reflash hardware with firmware updates.

Or the keys were already changed with 3.41 and the leak continued, thus the reason it only works with 3.41 and why they are more interested in plugging the leak (witch-hunt) than rolling out another firmware fix. Personally, I prefer timed certificates as the first line of defense for FOBs, they can still be hacked somewhat but it's an isolated hack and extremely difficult to mass produce them and you still have other options after that. It also breeds responsibility as you must periodically submit your FOB for inspection.

I chuckle a bit at some of the doom and gloom posts on this but am also interested in the intrigue/ espionage angle like everyone else. It'd make a great game if you could capture the sense of realism.