Technological discussion on PS3 security and cracking.

The DNS method is only temporary. Sony close it off about a week or two after new firmware has been released. After that you have to be on the newest official or custom firmware.
 
The DNS method is only temporary. Sony close it off about a week or two after new firmware has been released. After that you have to be on the newest official or custom firmware.

I don't get it. The DNS address he is using is from an old article which talks of FW 3.15 and 3.21 !!! He used that address and it worked. You mean that everytime a new FW is released this vulnerability opens up for a few weeks?

Here is the link to the article he referred:

http://www.mydigitallife.info/2010/04/05/how-to-access-psn-bypassing-ps3-firmware-3-21-upgrade-for-otheros/

Oh, and by the way, I am still on OFW 3.55, and I tried this address a few mins back to sync my trophies before backing up my PS3, as it doesn't back up trophy info, and it worked for me too. I signed in, synced trophies, browsed PSN and signed off!
 
I don't get it. The DNS address he is using is from an old article which talks of FW 3.15 and 3.21 !!! He used that address and it worked. You mean that everytime a new FW is released this vulnerability opens up for a few weeks?
The DNS only spoofs the PSN update servers. The actual PSN presence servers still allow for users on the previous firmware to connect for a week after a firmware update is released, then they disallow previous firmwares and only allow the newest firmware to connect.
 
That is the one solution that would not require either massive effort (and massive user inconvenience) or just going to new hardware: PS4, with no backward compatibility.

It would still be onerous to users... but if their serial licensing system is sufficiently secure... it's the only real option. Still won't solve all problems, but will alleviate the problem of rampant piracy.
To their credit, I think Sony are doing the right thing lately, despite some security mistakes, and those methods might actually help them stop piracy in the long run. Hopefully they can work things out and fight something very problematic that has negative implications for the company, developers and publishers alike.

Pirates allowed homebrew, which is okay, and they didn't initially allow piracy. However.... well, you know the rest, lots of harm done here.

As a moderator stated before, maybe pirates will find workarounds or will create a mod chip, but it takes more patience and hassle, which a lot of users don't have. It's not as easy as downloading a new custom firmware and installing it immediately.

I think companies should let users create homebrew applications such as emulators and so on, allowing very basic programming privileges to communicate with the CPU and GPU. You don't need full performance to run some emulators of old consoles anyway.

Right now it isn't an issue for me, but allowing some apps working on the console is great. Years ago I had a shared computer, there was a time my sister played Sims all the time.

In fact, sometimes I couldn't get a hold of the computer because she was Simmin.

Having a console back then that allowed me to have access to the internet, for instance, would be actually good. Ironically, those days I didn't use the Internet much, but you get the idea.
 
I don't get it. The DNS address he is using is from an old article which talks of FW 3.15 and 3.21 !!! He used that address and it worked. You mean that everytime a new FW is released this vulnerability opens up for a few weeks?

Sony is probably doing this on purpose to see how many people are using CFW
 
More likely it is a server-side problem; probably they need some time to update all servers, and because of that they accept the old keys.
 
So, correct me if I'm wrong, this means that every new firmware Sony releases will be encrypted with just the new private key?
 
No. The new private key is properly protected. I have heard it would take the most powerful supercomputer in the world 2,000 years to brute force the key now. Even a distributed network of 10,000 PS3s would take longer than a lifetime to do it.

The hackers thought that this hack would render Sony's ability to fix it pointless, but I have mentioned before that almost everything on the PS3 can be reflashed by firmware updates. The old key hasn't been blacklisted as it would break compatibility with older games, but from around March all new games will require 3.56 as standard and this time it won't just be the eboot, it will be coded in properly. Without the ability to sign code and firmwares they won't be able to make a 3.56CFW that will fool games into thinking they have 3.56OFW. From now on it looks as if CFW is stuck at 3.55 unless Sony have a leak (which is unlikely as the new private key is known only to the top, top levels of SCE and the new algorithm uses a proper random number instead of a constant) or the hackers get lucky.

I have heard from June all new consoles will ship with > 3.56 as standard and the only way to downgrade is to use a NOR/NAND flasher which is well beyond the capabilities of regular users.

I think this round has gone to Sony...
 
Hi, I’m rms, a PS3 software/homebrew developer.

Well, I’ve been on EFnet for a while now, and I’ve seen many people asking about PS3 Custom Firmware 3.56, well, let me put it in a simple manner, it’s not possible thanks to what Sony did with their ECDSA (Elliptic Curve DSA) cryptography, and the new PUP format along with Cell-OS Lv2 having some extra checks on SELF files now.

See, when we used to get private keys for earlier fail ECDSA keyset revisions, a variable, r, in the ECDSA signature was static, thus allowing us to get the keys using the signature itself, now, Sony fixed this by making that variable random, so we can no longer use simple algebra to get the private key like before. Do note that to retrieve the older private keys, one needed to use 2 signatures, and simply compare them to get the private key. Now, for those who do not know about private keys and public keys and ERK/RIV, here’s a simple explanation: Private keys are used to create signatures, public keys are used to verify the signature’s authenticity. ERK/RIV is used to decrypt the encrypted SELF data.

The new PUP format has 2 extra files, one consists of a new tarball with spkg_hdr1 files, ensuring package integrity, so one can no longer create rehashed PUPs anymore. Until the spkg format is deciphered, and they can be resigned, one's pretty much stuck with Official Firmware. Core OS also has some new additions: appldr now checks your SELF revision for NPDRM, and Lv2 SELFs either must be whitelisted or use the new revision 0x0D keyset in 3.56. Lv2 now will also refuse to load older updater or Lv2diag.self files that do not use the 0x0D keyset. Core OS also has two new revoke lists, prog_srvk and pkg_srvk. They have yet to be fully inspected.

So, in the end, Sony pretty much fixed most of the fail, some’s still around though, go look for it. =)

http://psx-scene.com/forums/f118/road-ahead-dead-end-roadblock-tweet-rms-79224/
 
No. The new private key is properly protected. I have heard it would take the most powerful supercomputer in the world 2,000 years to brute force the key now. Even a distributed network of 10,000 PS3s would take longer than a lifetime to do it.
Just to be clear, if the world's most powerful computer would take 2000 years, then 10,000 PS3s would clearly take more than a lifetime, as 10,000 is not a patch on the world's most powerful computer. ;) It's also worth noting that something like the 2,000 year figure is just how long it would take to go through all possibilities, but not when the key may be found. It's like a lottery ticket: with a 1 in a million chance of winning, you'd expect to win once out of a million plays, but that once may come with the first ticket or the millionth or anywhere in between. Not that this pedantry on my part has anything to do with Sony sealing off this breach as well as is being reported.

I don't understand how backwards compatibility is maintained with breached keys and homebrew signing is limited without a whitelist. If the old key still works in 3.56 for 3.55 and prior software, how can apps created with that key be denied access in 3.56?
 
Just to be clear, if the world's most powerful computer would take 2000 years, then 10,000 PS3s would clearly take more than a lifetime, as 10,000 is not a patch on the world's most powerful computer. ;) It's also worth noting that something like the 2,000 year figure is just how long it would take to go through all possibilities, but not when the key may be found. It's like a lottery ticket: with a 1 in a million chance of winning, you'd expect to win once out of a million plays, but that once may come with the first ticket or the millionth or anywhere in between. Not that this pedantry on my part has anything to do with Sony sealing off this breach as well as is being reported.

Sorry, I think it was actually 100,000 PS3s over a distributed network that would take around 100 years. Yes, that was why I said they could do it by a leak or by getting lucky. The second option was supposed to indicate that they could brute force and get the private key earlier than expected by getting lucky and winning the lottery.

I don't understand how backwards compatibility is maintained with breached keys and homebrew signing is limited without a whitelist. If the old key still works in 3.56 for 3.55 and prior software, how can apps created with that key be denied access in 3.56?

Right now Sony are letting it all slide, but once 3.56 has been mandated the old key will be taken out of circulation and any existing software using the old key would be whitelisted and signed with the new key. We are in a transition phase atm where the new encryptions and new defence mechanisms haven't actually started running yet. Once they do it will be very difficult to get CFW onto PSN.
 
Well, you still have the same problem as with the OFW 3.55: you can't install/run homebrew signed with the old keys. And I can't see a reason to upgrade to a 3.56 CFW if this one allows remote code execution as a security measure.
 
You wouldn't as 3.55 doesn't include any whitelist, the old key is fine and any software can be signed to run. It would just stop working if you went back to OFW 3.56 once the whitelist comes into effect. Atm the reports are that if you do use 3.56 OFW any homebrew software that remained on the system continues to work but you can't run new software signed with the old key. It could be a mixture of timestamps and whitelisting, but the older key is going to be taken out of circulation soon.
 
What does this mean and what is the difference from previous FW?
It means with OFW3.56, Sony can remotely execute arbitrary code on your PS3 without installing anything. For example when connecting to PSN, Sony can send a small piece of code to run locally to check if the various properties of the firmware are intact. And since they can easily change the "checker" code, it is much more difficult for hackers to fake the results.

Of course this is another potential security vulnerability by itself.
 
Interesting situation.
3.56 is just the first step. Currently Sony is in charge of the FW update, but it has to get back control over the code too.

For that they have to re-encrypt everything on the PSN, force everyone to re-download it, and create a new encryption method for the "run from the HDD" option.

So, it is still a lot of work.

On the other side, currently the biggest protection for the PS3 is the Blu-ray drive :)
 
It means with OFW3.56, Sony can remotely execute arbitrary code on your PS3 without installing anything. For example when connecting to PSN, Sony can send a small piece of code to run locally to check if the various properties of the firmware are intact. And since they can easily change the "checker" code, it is much more difficult for hackers to fake the results.

Of course this is another potential security vulnerability by itself.

Is this any difference from previous FWs?
 
It means with OFW3.56, Sony can remotely execute arbitrary code on your PS3 without installing anything. For example when connecting to PSN, Sony can send a small piece of code to run locally to check if the various properties of the firmware are intact.

Oh, how I wish our games could be distributed to another PS3 this way. :cool:
 
Interesting situation.
3.56 is just the first step. Currently Sony is in charge of the FW update, but it has to get back control over the code too.

For that they have to re-encrypt everything on the PSN, force everyone to re-download it, and create a new encryption method for the "run from the HDD" option.

So, it is still a lot of work.

On the other side, currently the biggest protection for the PS3 is the Blu-ray drive :)

Nope. It won't work like that. Anything built on 3.55 or below will remain open to hacking/pirating. Everything made from 3.56 onwards will require the new key after a certain timestamp.
 