Technological discussion on PS3 security and crack.*

[Shifty Geezer]

I am unable to move the ethics discussion where it belongs due to lack of privelages. I'll call in someone bigger.

 

[DieH@rd]

George Hоtz said...

Ok, I figured out how to make iso loader. It will be ready in two hours.
January 26, 2010 9:24 AM

edit -waaait a little, that was posted from the fake "George Hоtz" account. Move along, nothing happened.

 

[Rangers]

edit -waaait a little, that was posted from the fake "George Hоtz" account. Move along, nothing happened.

 

[patsu]

Mathieulh said early on that this seemed legit, that geohotz did get what he got. He was among the people questioning geohotz as to how exactly he was going to actually finish the job, to which geohotz would reply that he didn't need to, that all he had to do was control the SPUs.

I'm wondering, though. If he can create new hypervisor calls, can't he execute arbitrary code? Or is he mangling the existing calls somehow?

He can execute arbitrary code that he writes, but he has not compromised the game DRM yet. He has said that he's not interested in piracy, but he will release the key that will enable others to further the work. Make sense ?

 

[obonicus]

Not really. If he can insert arbitrary hypervisor methods, what's stopping him from loading arbitrary code? I'm holding him to the same standard as before, I want to see something.

 

[-tkf-]

You are entitled to how you feel but one discrepancy in your argument is in your first paragraph. How secure is the PC? What some of you choose to do is ignore all other examples and limit the scope of your thinking. A hacked PS3 will most likely be banned from ever going online, from ever affecting these fellow players you care about so much..

Somehow the 360´s story tells us something different, and so does the PC gaming. There is a good chance a hacked PS3 will be able to hide itself while the player spoils countless games for other people.

Those commenting on the possible losses from piracy need to take a look at the previously and still preferred dev platform which is the 360. Still successful (except for self inflicted problems with RROD) after how many years of being hacked?

Didn´t pirated games more or less destroy the Dreamcast, how about the PSP, if games werent free for so many people how much money would Sony have made on this little device compared to what they do know?
It´s guessing time for everybody, but a PS3 that was hacked shortly after it was released had a fair chance of selling way less than it does now. We have demos that we can download for free, we can actually sample the games, and there is a hundreds of review and thousands if we include the players as well. We were never so informed about a game today before we actually buy it.

Your last line is irrelevant. Leave your money in your pocket? So in the end you rather they don't make any contribution whatsoever to the gaming industry? Pirates buy games, not that they will be the only ones interested in a modded ps3 but your arguments seem to be geared mainly towards them.

A PS3 is sold at a loss, the first money Sony lost was people buying a cheap blu-ray player and Zero software
How someone that primarily wants to play pirate games and run a power hungry half hearted Mediaplayer is gonna make Sony money is a wild guess. I acknowledge that pirates also buy games, but where we are now with the PS3 i would dare to say that those that still doesn´t have it and might get it just because it was cracked isn´t gonna be those that buy very many games, if any at all.

Also I don't think sony went through all this to stop pirates, more like preventing the console being used for purposes beyond simple end-user tasks.

A hacked ps3 would definitely interest researchers and the like. Sorry to be off-topic but this thread seems to always go in the direction of ethics.

When geohot mentioned stopped SPUs in linux he meant they were idle, not disabled. When the BBC article mentioned ps2 games on the ps3 those were the words of the author. Notice no quotations.

You really should give him more credit. Most of you are making claims based on theory while he is working directly with the hardware.

I think the man is a genius, and while others may find his arguments and motives strange i kind a like it that way. "Freedom fighter" in terms of liberating the PS3´s power to the people is cool enough. But the guy should understand his responsibilities and acknowledge that what he is doing it more than just a Cell Linux box for everybody. He is opening a can of worms that will influence a hell of alot of people.

 

[Vitaly Vidmirov]

The hack seems to exploit specific timing condition that can be altered with Sony's software tweaks.

I have no idea how typical hardware hacks is performed, but this sounds really clever.
As I understood, he can repeatly map htab entries in a cycle using lv1_* call, then just mess with XDR PCB traces until htab data is modified in a way he need. In a post below he states what XDR doesn't have ECC, and he can play with actual data.
The code probably executing from cache after the first run, so XDR access is not needed)
This should be enough to gain HV level of privileges to read/write anywhere.
Hope I'm not telling BS here

 

[senas8]

Not really. If he can insert arbitrary hypervisor methods, what's stopping him from loading arbitrary code? I'm holding him to the same standard as before, I want to see something.

Here is 'SOMETHING"

volatile int init_module() {
unsigned long priv2_addr, problem_phys, local_store_phys, context_addr, shadow_addr, spe_id, vas;

lv1_get_virtual_address_space_id_of_ppe(0, &vas);

printk(KERN_ERR "die kernel %d\n", lv1_destruct_logical_spe(0xb));

printk(KERN_ERR "construct SPE: %d\n", lv1_construct_logical_spe(0x10,0x10,0x10,0x10,0x10, vas, 0, &priv2_addr, &problem_phys, &local_store_phys, &context_addr, &shadow_addr, &spe_id));
boom_lpar(shadow_addr);
printk(KERN_ERR "make SPE id: %d\n", spe_id);
printk(KERN_ERR "enable SPE: %d\n", lv1_enable_logical_spe(spe_id, 0));


unsigned long *problem_mapped, *privileged_mapped, *local_mapped;

problem_mapped =__ioremap((unsigned long)problem_phys, 0x20000, PAGE_SHARED_X);
privileged_mapped =__ioremap((unsigned long)priv2_addr, 0x20000, PAGE_SHARED_X);
local_mapped =__ioremap((unsigned long)local_store_phys, 0x40000, PAGE_SHARED_X);

printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);
privileged_mapped[0x4040/8] |= 4;
printk(KERN_ERR "privileged control: %lx\n", privileged_mapped[0x4040/8]);

struct file* fd;
mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
fd = filp_open("/work/pwned/metldr", O_RDONLY, 0);
if(!IS_ERR(fd)) {
printk(KERN_ERR "file is open\n");
printk(KERN_ERR "read %d\n", fd->f_op->read(fd, local_mapped, 0x40000, &fd->f_pos));
filp_close(fd, NULL);
} else {
printk(KERN_ERR "file open failed!!!!\n");
}
set_fs(old_fs);
printk(KERN_ERR "read in metldr\n");

problem_mapped[0x4018/8] |= 3;

int i;
for(i=0;i<0x20;i++) {
printk(KERN_ERR "status: %lx\n", problem_mapped[0x4020/8]);
}
printk(KERN_ERR "destruct SPE: %d\n", lv1_destruct_logical_spe(spe_id));

return 0;
}

"Now go have some fun with it"

 

[NathansFortune]

Not sure if already posted:

PS3 is hacked - The urban legend continues

Altough it's nice to capture all these HV calls and stuff from a plain (not encrypted) lv1 binary, but this will never lead to a hacked PS3.

Let's have a look.
The major security architecture on the PS3 is called the "Secure Processing Vault" and is the most important thing regarding "hacking" the PS3.

There is NO WAY for the PPU or even the HV to gain access to the SPU, which is an application running inside of an isolated SPU.
Well you can kick out the isolated SPU, like geohot mentioned, but this gives you nothing, as ALL the encryption and execution of applications (HDD encryption, app encryption, decryption, executing, signature checking, root key extraction) happens inside the isolated SPU.

To run homebrew on the PS3 you would have to reassemble the whole functionality from the SPU inside a binary running on the PPU.
For this you will need the root key. The root key is stored in hardware (not even close to the things on the iPhone). The root key cannot be extracted by any software or hardware means and is essential to ALL encryption/decryption, executing and checking routines.
The only way to get the root key is inside of an isolated SPU, as it is kick-starting the hardware encryption facility. There is no other way to do that !

Let's just assume that geohot or some other guys are able to break into the local store of the isolated SPE. There they will just find some encrypted binaries.
The key for decryption is encrypted by the root key !
You won't get anywhere without the root key.

Let's assume that someone managed to do all those stuff from the isolated SPU on the PPU and creates a CFW.
There is still a secure booting environment. The first module loaded/bootet is integrity checked by the hardware crypto facility utilizing the root key. So you have also to address this booting stuff. Again, no root key, no booting.

So there's always runtime patching you might ask ? Not possible on the PS3 because the hardware crypto facility is able to check the signatures whenever it wants to. And which part is responsible for this ? Exactly, the isolated SPU.
So if you kick out the isolated SPU the system will not boot/run anymore.

The PS3 is neither an PSP nor an iPhone. It's the most secure system architecture of this time !

The girl behind this stuff, Kanna Shimizu, is not somebody. Messing around with this is not like saying Bruce Schneier is a n00b.

Btw.: forget about all those stories, that certain hackers are or will be employed by SONY. That's nothing more than another urban legend.

@geohot It is OBVIOUS that the HV is PPC. The Cell BE is a PPC architecture, you know ;-) Better read those IBM papers in first place !

- iQD

Kanna Shimizu
Cell Broaband Engine Security Architect
PhD Stanford
MSc. Computer Science from Oxford University

So there you have it. As many people figured geohotz is a bit of an amateur.

 

[senas8]

The cell architecture has one fail (not perform errors check),but now can put 1Spu in a isolated mode,then the ppe close the thread of spu1 and open a second thread with a second isolated spu2,exploit inside the cell architecture,no need keys

Not sure if already posted:

PS3 is hacked - The urban legend continues





So there you have it. As many people figured geohotz is a bit of an amateur.

 

[obonicus]

Here is 'SOMETHING"

No, that's nothing. He's the one saying he hacked it, he's the one tweeted that, he has to run it and show the results. All you're showing is some code with linux system calls.

 

[assen]

NathansFortune, even if the architecture is well thought out, simple stupid errors can result to huge security holes. The initial Xenon arbitrary code execution hack was due to a bug in the OS, not a design defect.

 

[obonicus]

Again, we need to see something running. skfu might be too dismissive of this, and it seems like he's repeating what we already know. I'm not sure why he's name-dropping Kanna Shimizu, either.

Also, is the root key inherent to the isolated SPU somehow? Or does it load it from a different location? It seems odd to say that nothing either software or hardware will ever extract the key.

 

[NathansFortune]

Here is 'SOMETHING"

"Now go have some fun with it"

Hmm, until geohotz has a legitimate Hello World (which I think he won't get, not that it's impossible, he's just not talented enough).

Clearly geohotz is just an attention whore, and his profile had been dipping due to iPhone not being that difficult to hack/exploit. I'll bet his blog has had a bunch of hits in the last few days and his notoriety will have increased somewhat.

 

[assen]

Also, is the root key inherent to the isolated SPU somehow? Or does it load it from a different location? It seems odd to say that nothing either software or hardware will ever extract the key.

http://www.ibm.com/developerworks/power/library/pa-cellsecurity/

Because of the root key's importance in keeping all other keys hidden, it must be robustly protected. The Cell BE processor accomplishes this with its Hardware Root of Secrecy. The root key is embedded in the hardware, and you cannot access it with software means; only a hardware decryption facility has access to it. This makes it much more difficult for software to be somehow manipulated so that the root key is exposed, and of course, the hardware functionality cannot be changed so that the key is exposed.

Furthermore, the activation of the hardware decryption using this root key is tightly integrated with the SPE isolation mode. When an SPE enters isolation mode, the hardware decryption facility is kick-started to fetch the encrypted data into the isolated SPE and decrypt the data using the hardware root key. The decrypted data is placed within the protected Local Store and is available for an isolated SPE application to use. In fact, the decryption based on the root key can only happen within an isolated SPE and not outside of it; no access to the root key is available, by hardware or software means, from a non-isolated SPE or the PPE.

 

[obonicus]

Right. It seems really really hard to get it via hardware, as per Titanio earlier in the thread, not literally impossible.

 

[specwarGP2]

what exactly is geohot claiming? It sounds as if he's saying he doesn't need the hardware key because he can trick the isolated SPU into decrypting code sent by the PPE that is fully under his control?

 

[Vitaly Vidmirov]

the hardware decryption facility is kick-started to fetch the encrypted data into the isolated SPE and decrypt the data using the hardware root key

Seems the root key is not directly exposed to the isolated SPU. Instead it have some form of "smart" dma what can decrypt the data on the fly.

 

[V3]

what exactly is geohot claiming? It sounds as if he's saying he doesn't need the hardware key because he can trick the isolated SPU into decrypting code sent by the PPE that is fully under his control?

That's what he is hoping, but doing it that way is a bitch. I think he knows it too that the proper way to hack the PS3 is to get that root key. And it's not an impossible thing to do, just a bitch. But the guy is dumb enough that he already wasted nearly a month of his life on it, so I am hoping he will stick for several more months (assuming he is talented enough) to get the root key.

 

[Npl]

the hardware decryption facility is kick-started to fetch the encrypted data into the isolated SPE and decrypt the data using the hardware root key

Seems the root key is not directly exposed to the isolated SPU. Instead it have some form of "smart" dma what can decrypt the data on the fly.

Nope, when an SPU enters "isolated mode" a part of the LS is locked from all direct access to the outside and the master decryption/authentication code, data and root-key is loaded. Until you compromise the isolated SPU from the inside it stays that way, it should be however possible (but probably still hard) to peek at the remaining LS.

And the idea is that the rootkey is only used to load and verify another decryption/authentication module and key which are used for almost everything else. That way should you be able to break into the system and can instruct cleartext or whatever key attacks(and succeed against all odds), you still dont get the rootkey and comprise all existing Cell-chips.
The rootkey-decrypted data never leaves the isolated SPU which makes is practically impossible to break.

For the secondary decryption algorithms - the data will ultimately be decrypted into system Ram which makes it more accessible to attacks and reverse-engineering. Theres no need to implement the isolated SPU for decryption.. if its possible to start the decryption and simply observe the output.