Technological discussion on PS3 security and crack.

Can downloadable games be fixed via patch?

I can't see why they can't add another masterkey (with random salt) with a firmware update.

No. The entire system is open for custom run firmware which means anything that is external to the system such as USB dongles or is software based such as game updates or firmware updates is open to be hacked.
 
I don't think so because the new firmware has to be decryptable on the current systems, thus it's open for hackers to attack and back-port the new "keys done right" to their own custom firmware. At a minimum they need to perform 2 system updates, think of the first one as bootstrapping or bridging the gap to the new and preferred firmware. It just delays the inevitable.

If they update the root key using a phased approach as mentioned, could they not also include a whitelist such that old software can run and make a properly secured key? I understand that it may take a while to create a whitelist, but if they send all the devs a notice to immediately provide the information required... can this not be rectified?
 
Ok. I find it hard to believe. So much security in the PS3 and everything is wide open if 1 key is leaked or retrieved due to an exploit.

They should have some kind of failsafe for situations like this.

What if there's another key already present in the hypervisor? Maybe there are other ways to execute signed and encrypted code outside GameOS.
 
If they update the root key using a phased approach as mentioned, could they not also include a whitelist such that old software can run and make a properly secured key? I understand that it may take a while to create a whitelist, but if they send all the devs a notice to immediately provide the information required... can this not be rectified?

Already discussed including how it can be circumvented by custom run firmware.

What if there's another key already present in the hypervisor? Maybe there are other ways to execute signed and encrypted code outside GameOS.

There isn't another hidden key already present.
 
Ok. I find it hard to believe. So much security in the PS3 and everything is wide open if 1 key is leaked or retrieved due to an exploit.

They should have some kind of failsafe for situations like this.

What if there's another key already present in the hypervisor? Maybe there are other ways to execute signed and encrypted code outside GameOS.

If you would read this thread from December 30th until now you wouldn't post that.
Search this thread for "randomizer" then come back and contribute.

[Edit: removed the answer per my earlier post]
 
Can we mod-out all these questions from 1-4 days ago please?
I'm starting to go bald.

At least create a thread "PS3 Hack Questions for People who Refuse to Read Existing Threads"
 
Sony's plan of counter attack

Since all PS3s are open for Linux and custom firmwares now, Sony can only minimize the damage that really affects them - namely, online cheaters and piracy of new games.

This is what they'll do:
1. Make new keys for level 2 application code. Use a random k value this time for each signed binary. Since GameOS (and other stuff) runs at level 2, there is no need for a whitelist of this code. The new firmware will run a new version of GameOS (w/ new encryption) and only the new GameOS.
2. Make new keys for games.
3. Create a huge whitelist of all games and apps. This will be done via an encrypted database of all games across all 3 regions. There are maybe like 2000 games per region, maybe 6000 in total. A hash value of the encrypted exes would certainly be less than 10 megabytes. Once a user puts a game into the PS3, the PS3 hashes the exe and compares the hash value with what it has in the database. If it passes, then it decrypts and executes the game in GameOS.
4. For all new games and apps, sign them with new keys.
5. Implement fixes for all the security deficiencies exposed by fail0verflow - the hypervisor needs to do more than virtualize OSes; it needs to protect against buffer overflow attacks, verify exes, etc.

The thing is, Sony has to do all this in one new firmware update. If they only do part of this in one and then another, everything again will be compromised.

I expect modchips to come out that, on the press of a button, automatically downgrade the firmware to play pirated games and, on a 2nd press, re-enable the new official Sony firmwares for online access and for new games.
 
@mrcorbo @Nebula @Mize: Thanks for explaining!

What troubles me is that, as you guys say, phone-home DRMs and CD keys seem to be the way out of this, which will bring the same pains that legal users face on the PC side to the PS3 side too :( ! As with these DRM measures, it'll again be the legal buyers who'll suffer and not the @$$holes who pirate.

But look at the X360! Heavily pirated, pirated games even worked online for quite some time, and no such DRM measures have been taken on that note by MS. I can cite many sales around me where the 360 was preferred not because of its library but cos it could be modded. Even though the buyers were die-hard GoW fans, the lure of virtually no money being spent on games lured them to the X360. Maybe MS purposely doesn't implement those DRMs.
 
Sony's plan of counter attack

Since all PS3s are open for Linux and custom firmwares now, Sony can only minimize the damage that really affects them - namely, online cheaters and piracy of new games.

This is what they'll do:
1. Make new keys for level 2 application code. Use a random k value this time for each signed binary. Since GameOS (and other stuff) runs at level 2, there is no need for a whitelist of this code. The new firmware will run a new version of GameOS (w/ new encryption) and only the new GameOS.
2. Make new keys for games.
3. Create a huge whitelist of all games and apps. This will be done via an encrypted database of all games across all 3 regions. There are maybe like 2000 games per region, maybe 6000 in total. A hash value of the encrypted exes would certainly be less than 10 megabytes. Once a user puts a game into the PS3, the PS3 hashes the exe and compares the hash value with what it has in the database. If it passes, then it decrypts and executes the game in GameOS.
4. For all new games and apps, sign them with new keys.
5. Implement fixes for all the security deficiencies exposed by fail0verflow - the hypervisor needs to do more than virtualize OSes; it needs to protect against buffer overflow attacks, verify exes, etc.

The thing is, Sony has to do all this in one new firmware update. If they only do part of this in one and then another, everything again will be compromised.

I expect modchips to come out that, on the press of a button, automatically downgrade the firmware to play pirated games and, on a 2nd press, re-enable the new official Sony firmwares for online access and for new games.

In theory, that can all be defeated by decrypting the firmware, removing the need to verify titles before running them, then signing it and installing it.

Any firmware sent out to update a PS3 would have to be decryptable by the PS3 being updated. Hence, there's no way to release a firmware upgrade that can't be decrypted and modified.

Do you see why this hack is virtually impossible to hack? PSP's exploits for example required basically glitching the OS, firmware, game, etc. in order to gain an entry point from which to exploit the system.

Hence, Sony could address those by patching out those vulnerabilities.

PS3's situation is that you can sign anything and any new keys can be found out since you have access to the master key "hidden" in hardware.

Regards,
SB
 
Is there any way that they can release new titles that can delay them from getting hacked by, say, weeks to a month, just enough to get some early sales? I think this is something that they've attempted in the PSOne era with some titles (Insomniac with Spyro); it proved to be somewhat effective. If the game is also released in a holiday season especially, it worked for SE with Dissidia: they said the game would never have sold as much as it did if it wasn't released at the time, because of the major piracy issue they have in Japan on handhelds.
 
PS3's situation is that you can sign anything and any new keys can be found out since you have access to the master key "hidden" in hardware.

Silly question, but what if the PS3s were made to retrieve the key to decrypt the firmware via other means such as a dongle? So maybe a 2 stage firmware installation process, the first stage uses the hacked master key to install the firmware then connects to PSN to download the firmware using the secret key from the dongle.
 
Silly question, but what if the PS3s were made to retrieve the key to decrypt the firmware via other means such as a dongle? So maybe a 2 stage firmware installation process, the first stage uses the hacked master key to install the firmware then connects to PSN to download the firmware using the secret key from the dongle.

Once again...

The entire system is open for custom run firmware which means anything that is external to the system such as USB dongles or is software based such as game updates or firmware updates is open to be hacked.

Despite what everyone thinks, not everyone who games has an internet connection. Making it absolutely required will hurt sales more than you would think.
 
With the PSP root key also discovered, Sony will need to resign all games if they wish to support backwards compatibility in the PSP2 and PS4. Otherwise, BC is definitely dead for future systems.
 
With the PSP root key also discovered, Sony will need to resign all games if they wish to support backwards compatibility in the PSP2 and PS4. Otherwise, BC is definitely dead for future systems.

There's talk that the PSP2 will be online only, so at least supporting UMDs won't be necessary, and they can make people redownload resigned games they own via PSN.
 
Ok. I find it hard to believe. So much security in the PS3 and everything is wide open if 1 key is leaked or retrieved due to an exploit.

One thing that is important to understand in all this is the difference between architecture and implementation. Fundamentally, the security architecture of the PS3 is sound: signing, root of trust, secure isolated security processor, etc. It is the implementation which is horribly broken, as exemplified by the use of a non-random and non-unique sequence in the signing.

They should have some kind of failsafe for situations like this.

Architecturally they did have failsafes. But failsafes won't always work, nor can they protect everything, especially not against human error. Think of it this way: Three Mile Island had plenty of failsafes.
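A toy demonstration of the implementation flaw named above (a signing nonce that was neither random nor unique), added here and not taken from any poster or from Sony's code: ECDSA on a hand-checkable 29-point curve, a check that flags signatures sharing the same r, and the textbook consequence of such reuse. The curve, private key and hash values are constructed for the example.

```python
import secrets

# Toy curve y^2 = x^3 + x + 4 over GF(23): it has 29 points, so G = (0, 2) has prime order 29.
P, A, B, G, N = 23, 1, 4, (0, 2), 29
INF = None  # point at infinity

def inv(x, m):
    return pow(x % m, -1, m)

def add(p1, p2):  # affine point addition and doubling
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = (3 * x1 * x1 + A) * inv(2 * y1, P) if p1 == p2 else (y2 - y1) * inv(x2 - x1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, z, k=None):
    """ECDSA on the toy curve; z is the message hash reduced mod N. The nonce k must be
    fresh and secret for every signature; pass k only to reproduce the reuse failure."""
    k = k or secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    if r == 0 or s == 0: raise ValueError("degenerate signature, retry with a new k")
    return r, s

def reused_r(sigs):  # detection: signatures sharing r were made with the same k
    seen, dups = {}, []
    for i, (r, _) in enumerate(sigs):
        if r in seen: dups.append((seen[r], i))
        else: seen[r] = i
    return dups

def recover_d(sig1, z1, sig2, z2):  # consequence of reuse: equal r leaks k, then d
    (r, s1), (_, s2) = sig1, sig2
    k = (z1 - z2) * inv(s1 - s2, N) % N
    return (s1 * k - z1) * inv(r, N) % N

d, z1, z2 = 11, 7, 19  # constructed private key and two message hashes mod N
sigs = [sign(d, z1, k=5), sign(d, z2, k=5)]  # same k twice, the PS3 mistake
print(reused_r(sigs), recover_d(sigs[0], z1, sigs[1], z2))  # [(0, 1)] 11
```

With the default random k, the two signatures get different r values and `recover_d` has nothing to work with; the remedy is exactly the "random k value for each signed binary" the thread calls for.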
 
This is what they'll do:
1. Make new keys for level 2 application code. Use a random k value this time for each signed binary. Since GameOS (and other stuff) runs at level 2, there is no need for a whitelist of this code. The new firmware will run a new version of GameOS (w/ new encryption) and only the new GameOS.

All of which will have to be updated in the clear and will be open to being single-stepped via the hacked HV and lvl 1.

2. Make new keys for games.

Impractical. The installed base is too large.

4. For all new games and apps, sign them with new keys.

Want to know how bad things are? There is no way to protect new keys.

5. Implement fixes for all the security deficiencies exposed by fail0verflow - the hypervisor needs to do more than virtualize OSes; it needs to protect against buffer overflow attacks, verify exes, etc.

The root of trust is gone. The system is wide open. Anything done to update it is open to the world. It is like trying to get out new one time pads to your friends by yelling them in the public square.
 
The root of trust is gone. The system is wide open. Anything done to update it is open to the world. It is like trying to get out new one time pads to your friends by yelling them in the public square.

+1

This was what I posted on reddit:
http://www.reddit.com/r/programming/comments/evl86/ps3_root_key_found/c1bdhxr

One aspect of this exploit that some commenters here may be overlooking is that all PS3s (and all PSPs, presumably) can now run arbitrary software without any kind of firmware modification whatsoever. Applications for GameOS can be distributed and run anywhere, as if they were on PC, because they can be signed with Sony's key. Sony would have to introduce a whitelist to prevent this on systems running official firmware, but that could be easily circumvented by unofficial firmware. The only way to restore the chain of trust is to recall all the systems and flash them with new firmware, while revoking the old keys. If they don't do this, future game software could probably be secured via a mandatory serial number / online verification system. I wonder if we will see any delays in software while Sony and publishers devise a response?
 
But a flash recall will change the firmware but not the root key, leaving the system open to flashing custom FW. AFAICS there is no software fix that will stop homebrew (and hence piracy), only delay it by giving the pirates some new problems to solve before they find workarounds to whatever software-based fixes there are.
 
I can already see the future....

/inserts Uncharted 3 in PS3 for the first time
Thank you for buying U3. Before you start playing, please authenticate your game:

1. Please enter product key.
2. Third word of the fifth paragraph on the 21st page of the U3 game manual is: _______
3. Connect to U3 servers to finish authentication.
 