Technological discussion on PS3 security and crack.

Well, kinda pointless if you can install a CFW with the BR check removed? And well, you will be able to downgrade every existing PS3 (and install CFW as a result); the way the PS3 is serviceable and secured, there's no way a future firmware can ever stop that.
Or if you could just turn the game into a "PSN downloadable" then copy it to the HDD (using compromised keys).

There really is no easy way out for Sony, the hardware is fully compromised - actually more so than the PSP ever was (the pirates just don't have a full grip on the firmware yet).
It will be a cat and mouse game with OFW updates and hacked CFW. If you think that time is on Sony's side, then consider that games never ship with brand-new OFWs; they are all at least 2 months old to allow testing and production of the disc. Enough time to hack them for dedicated guys in their basement (on the PSP, once the first CFW was figured out, it only took a couple of days after the OFW to release).

The games released don't have unique disc-based checks; I would guess that this is the best option for disc releases. Add SecuROM-like protection (with checks throughout the game) and at least each game has to be cracked, giving it at least a breather after release/each update.

The service mode call is in the lv0, which is updatable, as I see.
There is minimal information about it, but the only one that I found sounds like this:

metldr is the first loader in the system, and it's in ROM on the CPU die. It decrypts and executes lv0ldr, which is in flash. Watch http://www.youtube.com/watch?v=eVXfgg7otJw#t=11m37 for a complete description by experts.

Using the metldr private key, I can decrypt Sony's lv0ldr code, write my own based on that, re-encrypt and sign it with the metldr key and start up all the PS3 hardware however I like.

Sony might stop me burning a new lv0ldr with a future firmware update (by issuing a new firmware with the old key, saying not to accept firmware updates using the old key), but if they do I can still piggyback on the flash chip and write my signed lv0ldr to it while the PS3 is switched off.

http://www.reddit.com/r/programming/comments/evl86/ps3_root_key_found/?limit=500

So, the lv0 is decrypted with the metldr key, and that is hard-wired in the CPU.
So the update has to encrypt the lv0 with the compromised metldr, but after that the console can decide what type of key it will accept for updates (even in service mode).

So now a software mod, later an ASIC chip.

If you have more information about the lv0/lv1 and the service mode initialisation, then it is more than welcome.
 
So you think Sony will leave the old, compromised key as a valid firmware signature in the 3.6 firmware?
It could be quite a stupid thing, but it is needed to install a CFW onto a post-3.55 PS3 with a fake PSN.

I think some comprehension and education might do you some good. Reading comprehension would be great. What part of "THERE IS NOTHING THAT SONY CAN HIDE" do you not understand?

Hey, we need a new super secret password to exchange email, I'll post it on the main board at GRAND FRIGGIN CENTRAL STATION or AT THE FIELD AT THE SUPERBOWL! Hey, I've got an idea, we don't want to be heard so let's meet and SHOUT AT EACH OTHER IN A CROWDED LIBRARY, I'M SURE NO ONE WILL HEAR US.

ETC ETC ETC

The firmware update is plaintext, any keys contained in the firmware update are plain text, anything signed or encrypted with those keys are plain text and/or can be forged.

KEYS DON'T WORK WHEN EVERYONE HAS THEM!
 
They can create new keys that are perfectly proper. However, it will only be a temporary measure, as those keys will eventually be broken since no encryption is perfect; you can, however, succeed in annoying the hackers for a week or a month.
 
So, the lv0 is decrypted with the metldr key, and that is hard-wired in the CPU.
So the update has to encrypt the lv0 with the compromised metldr, but after that the console can decide what type of key it will accept for updates (even in service mode).

Except we already would have any new key sony would use. It is pointless. You cannot keep secrets when you have to shout them in the commons to communicate.
 
I can't find your post.
But why can't they just simply restrict the usage of the old key to pressed BR discs?

You can. But since the PS3 is wide open with the lowest level hardware hidden master key available to the hacker community, they can just modify any official firmware to ignore that restriction.

The BRD may have code that, in conjunction with the correct firmware may restrict how it is run. But since the system is wide open, it is possible to modify that firmware so that it ignores it. Or modify the firmware so that it automatically assumes that all BRDs are pressed disks.

Because the lowest level hidden security key is available to the community there is no way to change it through firmware without the community knowing what it is changing to since the firmware must be decryptable by the machine in order to flash it and use it.

And if you don't change that, then any future keys are discoverable because you have the master key.

Requiring PSN connectivity is one step. But things like that have had limited success on PC unless the game is an MMO or an application without widespread popularity. In other words, niche applications don't get cracked due to a limited userbase combined with frequent application updates. MMOs don't get pirated/modified since entire server farms are required to host most of the online data.

None of the above is going to be able to protect the software on the PS3, except for MMOs.

With the masterkey out in the wild, the PS3 is no better protected than a PC. And it is extremely difficult to combat piracy on the PC.

Regards,
SB
 
Haven't we already discussed the fact that Sony made hacking the PSP so annoying that it stalled most piracy?

PSP, at least when I was still on the scene required exploiting either the hardware, software, or OS in order to inject code to initiate the hack. Hardware revisions could combat some of that. Firmware revisions can patch the OS. Games that rely on code introduced with future firmware revisions which remove exploits in the OS made that level of firmware required.

None of that is required on the PS3. You don't have to glitch anything. You don't need a buffer overflow. You don't need to modify hardware. You don't need anything.

PS3 hackers have what PSP hackers didn't have. The keys that Sony uses to sign everything and anything.

It's analogous to the PSP being a house where you have a key that lets you in and you have windows, ventilation ducts, chimneys, a basement, and homeowners. The hackers don't have the key to get in. But they can break in through the window, or the chimney, or the ventilation ducts, or maybe even convince the homeowners they are here to repair something.

With the PS3, you may have a similar situation but bars over the windows, grating in chimneys, homeowners that can't be fooled etc. Only now, the hackers have the key to the front door so all that beefed up security doesn't mean squat. And the kicker to the whole thing? You can't change the lock without the hackers knowing what the new key is.

Regards,
SB
 
The service mode call is in the lv0, which is updatable, as I see.
There is minimal information about it, but the only one that I found sounds like this:

metldr is the first loader in the system, and it's in ROM on the CPU die. It decrypts and executes lv0ldr, which is in flash. Watch http://www.youtube.com/watch?v=eVXfgg7otJw#t=11m37 for a complete description by experts.

Using the metldr private key, I can decrypt Sony's lv0ldr code, write my own based on that, re-encrypt and sign it with the metldr key and start up all the PS3 hardware however I like.

Sony might stop me burning a new lv0ldr with a future firmware update (by issuing a new firmware with the old key, saying not to accept firmware updates using the old key), but if they do I can still piggyback on the flash chip and write my signed lv0ldr to it while the PS3 is switched off.

http://www.reddit.com/r/programming/comments/evl86/ps3_root_key_found/?limit=500

So, the lv0 is decrypted with the metldr key, and that is hard-wired in the CPU.
So the update has to encrypt the lv0 with the compromised metldr, but after that the console can decide what type of key it will accept for updates (even in service mode).

So now a software mod, later an ASIC chip.

If you have more information about the lv0/lv1 and the service mode initialisation, then it is more than welcome.

And you missed the whole thing with how metldr (which is available to the hacker community) is hardwired and is required to decrypt and execute lv0ldr. Right there, whatever Sony does is available to the hackers and they can change, modify, discover, and do whatever they want with it.

Sony can do whatever they want with lv0ldr. But the PS3 is hardwired that it always has to run metldr first. And since that metldr must be able to decrypt lv0ldr in order to run it, you can discover whatever keys Sony decides to implement since you have the metldr key. And now, again, you have both the metldr key which wasn't changed as well as the new lv0ldr key.

Sony can make things difficult, but it cannot stop anything without modifying the console hardware.

Basically, as everyone has been saying, with the metldr key there is nothing Sony can hide. Everything Sony does is decryptable and discoverable by the hacker community going forward, as long as existing PS3s aren't hardware modified to change the metldr at a Sony facility.

Regards,
SB
 
The service mode call is in the lv0, which is updatable, as I see.
There is minimal information about it, but the only one that I found sounds like this:
No, everything touching the outside of the CPU is done at lv2. It's pointless anyway since the PS3 has to be serviceable somehow, and thanks to the keys you will always be able to decrypt newer keys and sign your own service-mode tools.

metldr is the first loader in the system, and it's in ROM on the CPU die. It decrypts and executes lv0ldr, which is in flash. Watch http://www.youtube.com/watch?v=eVXfgg7otJw#t=11m37 for a complete description by experts.
Yeah, I watched it, and I still don't know if the leaked keys are the "PS3 Masterkeys" (lv1/lv2) or "Cell Masterkeys" (lv0/bootloader). I find the latter unlikely for various reasons (particularly since I doubt lv0 had to be changed yet and you need 2 different signed modules to calculate the key, and since IBM is behind Cell I wouldn't be surprised if they did the signing).
Using the metldr private key, I can decrypt Sony's lv0ldr code, write my own based on that, re-encrypt and sign it with the metldr key and start up all the PS3 hardware however I like.

Sony might stop me burning a new lv0ldr with a future firmware update (by issuing a new firmware with the old key, saying not to accept firmware updates using the old key), but if they do I can still piggyback on the flash chip and write my signed lv0ldr to it while the PS3 is switched off.
Or you could just wait until someone lifted the keys from the new firmware and signed a service tool, or signed a CFW with the new keys (or, if you fancy this, branded an old OFW as a newer one).

So now a software mod, later an ASIC chip.
Err, ASIC what? Replacing the key in hardware should be enough?
If a software mod would be enough, then a PS3 with "secure" future firmware should suffice. The point is it doesn't.

If you have more information about the lv0/lv1 and the service mode initialisation, then it is more than welcome.
Only my interpretation of the Cell manual and the presentation you linked.
 
None of that is required on the PS3. You don't have to glitch anything. You don't need a buffer overflow. You don't need to modify hardware. You don't need anything.

Obviously you need SOMETHING because not every PS3 right now has custom firmware. The question is, how difficult can Sony make it for the average user to update to a custom firmware? I'm not sure why people are avoiding that question.

Yes, hackers can decrypt new firmware and change the code. How easy will it be? Sounds like a decent question to me. Just because you can see the code doesn't mean it's going to be easy to change specific pieces in a timely manner.
 
Obviously you need SOMETHING because not every PS3 right now has custom firmware. The question is, how difficult can Sony make it for the average user to update to a custom firmware? I'm not sure why people are avoiding that question.

Yes, hackers can decrypt new firmware and change the code. How easy will it be? Sounds like a decent question to me. Just because you can see the code doesn't mean it's going to be easy to change specific pieces in a timely manner.

Essentially, with the key vulnerability, to execute any software, all you need to do is burn a BDR with your own code that's properly signed. To install custom firmware, all you need is a generic USB drive.

It would be as "simple" as:

1) Create your custom firmware/OS replacement
2) sign it with the Sony secret keys
3) install it on the USB drive
4) plug the USB drive into the PS3, and boot it.

No need to open the console, use some JTAG interface to trick the boot loader, or the myriad other ways to hack closed devices.
 
Obviously you need SOMETHING because not every PS3 right now has custom firmware. The question is, how difficult can Sony make it for the average user to update to a custom firmware? I'm not sure why people are avoiding that question.

Yes, hackers can decrypt new firmware and change the code. How easy will it be? Sounds like a decent question to me. Just because you can see the code doesn't mean it's going to be easy to change specific pieces in a timely manner.

Obviously you'd need some way to transport your code to the machine whether it be a USB stick, wireless or ethernet connection, BRD, or DVD.

But you are no longer reliant on finding any vulnerabilities in the OS, hardware, or anything.

You now have exactly the same access and, more importantly, security levels on the PS3 as Sony has. So whatever Sony does, you can see and potentially modify, then resign, and install or run whatever it is.

Regards,
SB
 
I can't find your post.
But why can't they just simply restrict the usage of the old key to pressed BR discs?

In short, because of offline gaming. It's the situation where if new games force a new firmware update then they'd need to also bundle the update of ALL downloaded games (PSN titles). That would require a bluray or two all to itself just for title updates. Here's my original post detailing this issue as it originally pertained to whitelisting, but that issue also pertains to your forced update and invalidating of old keys.
 
Yeah, I watched it, and I still don't know if the leaked keys are the "PS3 Masterkeys" (lv1/lv2) or "Cell Masterkeys" (lv0/bootloader). I find the latter unlikely

If the hardware keys (Cell keys) are unknown, the root of the trust chain is intact and Sony can rebuild all the chain with firmware updates. Hackers cannot execute code in Security Vault (Isolated SPE) so they can't access the hardware-based cryptoengine with its hardware keys.
 
If the hardware keys (Cell keys) are unknown, the root of the trust chain is intact and Sony can rebuild all the chain with firmware updates. Hackers cannot execute code in Security Vault (Isolated SPE) so they can't access the hardware-based cryptoengine with its hardware keys.

And Sony can release a new firmware update, with new software keys, requiring the decryption through Security Vault. Since hackers cannot go into Security Vault, the new keys are protected by the root of trust.

But I don't know if hackers can go into the Security Vault or not.
 
Essentially, with the key vulnerability, to execute any software, all you need to do is burn a BDR with your own code that's properly signed. To install custom firmware, all you need is a generic USB drive.

It would be as "simple" as:

1) Create your custom firmware/OS replacement
2) sign it with the Sony secret keys
3) install it on the USB drive
4) plug the USB drive into the PS3, and boot it.

No need to open the console, use some JTAG interface to trick the boot loader, or the myriad other ways to hack closed devices.

That's why they need to make this hack as hard/complicated as possible for the end user. All current consoles are vulnerable and this won't change, but at least Sony can make PSN as clean as possible. OFW can't run any homebrew or pirated copies from the optical drive or USB ports, that's why CFW/patching is needed. OFW with disabled USB updates would make current solutions useless. The PS3 probably can tell the difference between a burned BD and a manufactured one, so OFW should allow FW updating only from manufactured discs. The only thing left is PSN updating, so encryption or something like that...

The goal is to make consoles with OFW as hard as possible to modify (starting with "FW 3.6"). CFW consoles should be banned from PSN.
 
Of course this all depends on the assumption that metldr is not updateable. The fact that it hasn't ever been updated yet via firmware updates does not necessarily mean it cannot be updated, or that there aren't any hardware switches that can change the keys. That's the only way to truly secure the PS3 now, if it exists, that is...
 
Obviously you'd need some way to transport your code to the machine whether it be a USB stick, wireless or ethernet connection, BRD, or DVD.

But you are no longer reliant on finding any vulnerabilities in the OS, hardware, or anything.

You now have exactly the same access and, more importantly, security levels on the PS3 as Sony has. So whatever Sony does, you can see and potentially modify, then resign, and install or run whatever it is.

Regards,
SB

I understand this. My point is if it takes a month or more after the release of new software to make it work the average user may ignore the option. We all know that hackers will break every system.
 
If the hardware keys (Cell keys) are unknown, the root of the trust chain is intact and Sony can rebuild all the chain with firmware updates. Hackers cannot execute code in Security Vault (Isolated SPE) so they can't access the hardware-based cryptoengine with its hardware keys.

The hardware keys are system specific. The only way Sony can issue a new metldr is if they recorded the hardware key for each PS3 produced, and can somehow sign and distribute the new machine-specific metldrs. It would only be possible to do this over PSN and would make future on-disc firmware updates virtually impossible due to the space needed to put every single possible metldr variant on a disc.
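As an added example that is not code from this thread, from Sony, or from any PS3 component: a toy model of the signed boot chain that SB's posts above describe (a hard-wired metldr key verifies lv0ldr, which carries the key for the next stage) and of the per-console hardware key that this post brings up. HMAC-SHA256 stands in for the real signature scheme, and every key, payload and hardware secret below is constructed for the model; only the stage names come from the thread. The three scenario functions show why rotating a downstream key in a firmware update helps when only that key has leaked, why it changes nothing once the root key is known, and why a root key derived per console does not carry over from one unit to another.

```python
# Toy model of a signed boot chain (added example; not PS3 code).
# Signing is modelled with HMAC-SHA256 so it runs with the standard library only.
import hashlib
import hmac
from dataclasses import dataclass


def sign(key: bytes, blob: bytes) -> bytes:
    """Stand-in for a signature: a MAC of the blob under `key`."""
    return hmac.new(key, blob, hashlib.sha256).digest()


@dataclass(frozen=True)
class Stage:
    name: str
    payload: bytes   # the stage's code (constructed bytes)
    next_key: bytes  # key this stage uses to verify the stage after it (b"" for the last)
    sig: bytes       # signature over payload + next_key under the previous stage's key


def build_stage(name: str, payload: bytes, next_key: bytes, signing_key: bytes) -> Stage:
    return Stage(name, payload, next_key, sign(signing_key, payload + next_key))


def boot(root_key: bytes, chain: list) -> list:
    """Walk the chain the way a ROM loader would: a stage runs only if its
    signature verifies under the key carried by the stage before it.
    Returns the names of the stages that ran, stopping at the first failure."""
    key, ran = root_key, []
    for stage in chain:
        if not hmac.compare_digest(sign(key, stage.payload + stage.next_key), stage.sig):
            break
        ran.append(stage.name)
        key = stage.next_key
    return ran


METLDR_KEY = b"constructed-metldr-key"    # the model's hard-wired root key
OLD_LV1_KEY = b"constructed-lv1-key-3.55"
NEW_LV1_KEY = b"constructed-lv1-key-3.60"


def vendor_update() -> list:
    """A firmware update in the model: a new lv0ldr signed under the root key
    that carries a new lv1 key, plus an lv1 signed under that new key."""
    return [build_stage("lv0ldr", b"lv0ldr v2", NEW_LV1_KEY, METLDR_KEY),
            build_stage("lv1", b"lv1 v2", b"", NEW_LV1_KEY)]


def rotation_blocks_old_lv1_key() -> list:
    """Rotation works when only a downstream key leaked: an lv1 still signed
    with the old key is rejected by the updated lv0ldr."""
    chain = vendor_update()
    chain[1] = build_stage("lv1", b"lv1 stale", b"", OLD_LV1_KEY)
    return boot(METLDR_KEY, chain)  # ["lv0ldr"]


def rotation_fails_when_root_leaked() -> list:
    """With the root key known, rotating lv1 changes nothing: a replacement
    lv0ldr carrying any key of choice verifies exactly like the vendor's,
    so the whole chain runs. This is the "nothing Sony can hide" point."""
    other_key = b"constructed-third-party-key"
    chain = [build_stage("lv0ldr", b"lv0ldr custom", other_key, METLDR_KEY),
             build_stage("lv1", b"lv1 custom", b"", other_key)]
    return boot(METLDR_KEY, chain)  # ["lv0ldr", "lv1"]


def per_device_root(hw_secret: bytes) -> bytes:
    """Root key derived from a per-console hardware secret (the design this
    post alludes to): a key recovered from one unit says nothing about another."""
    return hmac.new(hw_secret, b"root-key", hashlib.sha256).digest()


def per_device_key_does_not_transfer() -> tuple:
    """A chain signed for console A boots on A and is rejected on console B."""
    root_a = per_device_root(b"constructed-hw-secret-A")
    root_b = per_device_root(b"constructed-hw-secret-B")
    chain_for_a = [build_stage("lv0ldr", b"lv0ldr A", NEW_LV1_KEY, root_a),
                   build_stage("lv1", b"lv1", b"", NEW_LV1_KEY)]
    return boot(root_a, chain_for_a), boot(root_b, chain_for_a)  # (["lv0ldr", "lv1"], [])


if __name__ == "__main__":
    print("rotation, root key secret :", rotation_blocks_old_lv1_key())
    print("rotation, root key leaked :", rotation_fails_when_root_leaked())
    print("per-device root, A then B :", per_device_key_does_not_transfer())
```

The design point the model makes explicit is that a key in updatable firmware can only ever be as strong as the key that verifies it; once the stage at the root accepts anything signed under a known key, every later rotation is visible and reproducible, which is why the thread keeps returning to hardware changes or per-console keys as the only real fix.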
 
If the hardware keys (Cell keys) are unknown, the root of the trust chain is intact and Sony can rebuild all the chain with firmware updates. Hackers cannot execute code in Security Vault (Isolated SPE) so they can't access the hardware-based cryptoengine with its hardware keys.
Except if the hypervisor is ineffective and they are able to peek at memory they shouldn't (which they demonstrated). It's been talked about lots how you can just shut down the isolated SPU after decrypting/validating and do whatever you want with the data.
 