Technological discussion on PS3 security and crack.

Discussion in 'Console Technology' started by senas8, Jan 23, 2010.

  1. egoless

    #761 egoless, Sep 5, 2010
    Last edited by a moderator: Oct 4, 2014
  2. -tkf-

    Android as well, and PSP is incoming, just a matter of "details" to include backup.

    One thing, is it confirmed that you can only play your own backups? So trying to download someone's rip won't work on your machine?
     
  3. androvsky

    The open source version is just for homebrew, but being open source, some other group has a patch for it to include a "backup" manager.


    I haven't seen confirmation that you can pass rips around. I've seen people have trouble getting others' rips to work, but I'm also starting to see activity that would strongly indicate that distributing rips works. The activity is stuff like MD5 sums of "properly" extracted executables of PS3 games.
     
  4. Kasersky

    Wow, are you serious? I don't know if I find it more funny or sad that Sony was so haphazard with such a vulnerable piece of the code. Though I wonder if Sony had found this vulnerability before the hackers did; personally I doubt it, since they would have preemptively patched this in their latest hardware revision.
     
    #764 Kasersky, Sep 6, 2010
    Last edited by a moderator: Sep 6, 2010
  5. patsu

    I remember it's a hardware timing glitch, so no code is involved. As I understand, it's also not easy to reproduce.

    The Jig Card attack is much simpler and easier to execute (though it should be patchable by Sony).
     
  6. DieH@rd

    It's doable, private torrent trackers are starting to fill up with PS3 games. Once the game passes once through the Backup Manager it can be shared with other consoles.
     
  7. Shifty Geezer

    Yeah, GeoHotz had to repeatedly attempt to glitch the system before he could get in. Nothing a typical pirating user would be up to and not an exploit that could be covered up really. No system is going to be immune to people poking around with electrodes and physically rerouting signals!
     
  8. Butta

  9. Brad Grenz

    Well, the original post says PS2 games can be backed up on any PS3, which is perfectly plausible, but there's no confirmation that they can be played on any PS3. And even if there is some super-secret software only emulation for PS2 hidden in the PS3's firmware, I'm dubious as to whether it runs at an acceptable speed and compatibility level to be usable.
     
  10. N_B

    3.42 is out, and reportedly removes compatibility with PS Jailbreak, Groove and Freedom.
     
  11. androvsky

    Agreed, and the addition of NTFS support is even more unlikely, especially in the span of a couple of weeks.
     
  12. messyman

  13. Shifty Geezer

    They've plugged it? This'll be a new record, won't it, unless the hackers find a workaround. Shortest piracy hack ever.
     
  14. inefficient

    So what is the current thinking on this? I took a glance at the source code. But it looked like all the important parts were in the form of hex strings / byte arrays. Looked like binary program code dumped from another device. The C code itself only looked like the USB control routines. Did someone essentially steal a Sony USB debug device with Sony digitally signed binary executables and then just clone it?

    Are they just tricking the PS3 to run signed code from a device other than the BR player. Or did they truly get it to run unsigned code? Did someone even get as far as a "hello world" yet?


    Edit: Read this and it is clearer now. Interesting.
    http://ps3wiki.lan.st/index.php?title=PSJailbreak_Exploit_Reverse_Engineering

    From what I can make out, it can run unsigned code once the hacked lvl2 kernel is running. But the "Jig authentication code" is needed to load that in the first place. And it remains to be seen if they can reproduce this exploit once that specific code gets banned in future firmware.
     
    #774 inefficient, Sep 7, 2010
    Last edited by a moderator: Sep 7, 2010
  15. Shifty Geezer

    It's not just a code, but an exploitation of the USB device loading. If Sony have plugged that, they won't be able to push code into the USB heap. It all depends at what level Sony can address this.
     
  16. androvsky

    Chances are this exploit is gone for good. The question now is what will already hacked systems be able to do?

    Currently, it looks like the executables from ripped games are still encrypted, so simple hex-editor hacks to change the firmware version number that games require won't work (yet).

    On the other hand, unless Sony's changed it in the last firmware or two, the overall firmware package isn't encrypted very well (or at all), so in theory someone could mix and match firmware modules from different versions and it would install on any retail PS3; say the USB device driver code from 3.41, the Linux boot option from 3.15, and everything else from the newest firmware. I'm pretty sure this is how geohot's cfw trick worked. I've read the firmware package just uses a simple hash to verify the package integrity (with the hash in the package header), and the rest of it's pretty much a tarball of individually encrypted modules.

    The good news is that if the USB driver code is part of a monolithic kernel, then it won't be possible to mix firmware versions with it and another kernel. Sony might want to change the driver API if the USB driver loads as a module...

    edit: and I just read that psgroove has added support for patching the kernel on the fly. It's going to take real work from Sony to prevent currently hacked systems from pirating newer games; a simple version bump isn't going to do it.
     
    #776 androvsky, Sep 7, 2010
    Last edited by a moderator: Sep 7, 2010
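Added illustration of the integrity point in the post above (example code, not from the thread and not Sony's real package format; the layout, module names and the HMAC key standing in for a vendor signing key are all constructed): an unkeyed hash in the header only proves the file is intact, so a package rebuilt from modules of two versions still verifies, while a keyed tag over the whole module table does not.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a firmware package: a 32-byte SHA-256 over the
# module table, a 32-byte keyed tag (zero when absent), then the modules.
# Module blobs are treated as opaque; they may be individually encrypted.
HDR = 64

def pack_modules(modules):
    """modules: list of (name, version, blob) -> serialized module table."""
    out = b""
    for name, version, blob in modules:
        out += struct.pack("<16sII", name.encode(), version, len(blob)) + blob
    return out

def build_package(modules, signing_key=None):
    body = pack_modules(modules)
    digest = hashlib.sha256(body).digest()
    tag = hmac.new(signing_key, body, "sha256").digest() if signing_key else bytes(32)
    return digest + tag + body

def unpack_modules(body):
    modules, off = [], 0
    while off < len(body):
        name, version, size = struct.unpack_from("<16sII", body, off)
        off += 24
        modules.append((name.rstrip(b"\0").decode(), version, body[off:off + size]))
        off += size
    return modules

def verify_hash_only(pkg):
    """What the post describes: an unkeyed hash only detects corruption."""
    return hmac.compare_digest(pkg[:32], hashlib.sha256(pkg[HDR:]).digest())

def verify_signed(pkg, signing_key):
    """Keyed tag over the whole module table: a remixed table fails."""
    expected = hmac.new(signing_key, pkg[HDR:], "sha256").digest()
    return verify_hash_only(pkg) and hmac.compare_digest(pkg[32:64], expected)

def remix(official_pkgs, picks):
    """Rebuild a package taking module `name` from version picks[name],
    recomputing only the unkeyed hash (no key is needed for that)."""
    chosen = [mod for name, version in picks.items()
              for mod in unpack_modules(official_pkgs[version][HDR:]) if mod[0] == name]
    return build_package(chosen)

def demo():
    key = b"constructed-vendor-key"   # stands in for the vendor's private key
    official = {
        341: build_package([("usb_driver", 341, b"U341"), ("lv2", 341, b"K341")], key),
        342: build_package([("usb_driver", 342, b"U342"), ("lv2", 342, b"K342")], key),
    }
    mixed = remix(official, {"usb_driver": 341, "lv2": 342})
    return verify_hash_only(mixed), verify_signed(mixed, key), verify_signed(official[342], key)
```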
  17. Shifty Geezer

    On the upside, this has to be a pretty minimal number of PS3s at the moment. They plugged it quick enough for that. The worry, as you say, is if open systems find other exploits.

    The next consoles should have these vectors tied up completely. In some cases it's been laughably simple to hack, with DVD firmware for example. Overflows are often an issue, and should have been addressed. Clearly Sony didn't expect a USB exploit like this, but lesson learned. Any user-affectable system has to have boundaries to prevent memory overflows.
     
    #777 Shifty Geezer, Sep 7, 2010
    Last edited by a moderator: Sep 8, 2010
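As an added example of the "boundaries" the post above calls for (not code from the thread, and not the PS3 driver; it makes no claim about where the real bug sat): a defensive walk over a standard USB configuration descriptor that refuses every device-supplied length field that would reach outside the bytes actually received. The buffer limit MAX_DESC_TOTAL is an assumption.

```python
import struct

# Standard USB descriptor type codes (USB 2.0 spec, table 9-5).
CONFIG, INTERFACE, ENDPOINT = 2, 4, 5
MAX_DESC_TOTAL = 512   # assumption: size of the host-side buffer for one config

class BadDescriptor(ValueError):
    pass

def parse_configuration(data):
    """Return [(type, payload)] for each descriptor in a configuration blob,
    rejecting any length field that points outside the received bytes."""
    if len(data) < 9:
        raise BadDescriptor("short configuration header")
    b_length, b_type, w_total = struct.unpack_from("<BBH", data, 0)
    if b_length != 9 or b_type != CONFIG:
        raise BadDescriptor("not a configuration descriptor")
    # The device-supplied total must fit both the buffer we own and the
    # bytes we actually got; copying wTotalLength blindly is the classic bug.
    if w_total > MAX_DESC_TOTAL or w_total > len(data):
        raise BadDescriptor("wTotalLength exceeds received data")
    found, off = [], 0
    while off < w_total:
        if w_total - off < 2:
            raise BadDescriptor("truncated descriptor header")
        length, dtype = data[off], data[off + 1]
        if length < 2:                       # 0 or 1 would never advance
            raise BadDescriptor("zero-length descriptor")
        if off + length > w_total:
            raise BadDescriptor("bLength runs past wTotalLength")
        found.append((dtype, bytes(data[off + 2:off + length])))
        off += length
    return found

def make_config(sub_descriptors, claimed_total=None):
    """Build a constructed configuration blob from (type, payload) pairs;
    `claimed_total` overrides wTotalLength to simulate a malformed device."""
    body = b"".join(bytes([len(p) + 2, t]) + p for t, p in sub_descriptors)
    total = 9 + len(body) if claimed_total is None else claimed_total
    header = struct.pack("<BBHBBBBB", 9, CONFIG, total, 1, 1, 0, 0x80, 50)
    return header + body
```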
  18. androvsky

    The funny thing is that I thought Sony did have the buffer overflow problem pretty well nailed with the hypervisor on the PS3. Overflows have always been considered a non-starter in the PS3 hacking scene; if they were normally viable, I think there would've been a hack within a couple months of launch. I don't think the fact that this overflow was at the kernel level makes much of a difference. I've been wondering if the Sony jig device ID makes the hypervisor look the other way for a few milliseconds.
     
  19. patsu

    I read somewhere that it's a combination of race condition and buffer overflow. May be difficult to catch in a new implementation if true. Something along the lines of "plugging and unplugging" 32 (?) virtual USB devices in parallel very quickly to expose the hole.

    One of the virtual USB devices bears the ID of the JigCard, and is able to escalate the privilege of the user.
     
  20. obonicus

    It's interesting. Back during 3.21 people found out about a proxy that allowed you to bypass Sony's FW version check. Then, AFAIK without any firmware updates from Sony, this proxy stopped working.

    Now, all of a sudden, with 3.42 the proxy works again! This seems deeply suspicious to me; could it be a Sony honeypot?
     