Author Topic: PS3 hacked again...this time for good?  (Read 3136 times)

Offline idolminds

  • ZOMG!
  • Administrator
  • Forum god
  • *
  • Posts: 11,939
PS3 hacked again...this time for good?
« on: Tuesday, October 23, 2012, 06:27:06 PM »
Oh noes!

Heres an explanation I found on slashdot:
Quote
The first-stage bootloader is in ROM and has a per-console key which is effectively in tamper-resistant silicon. The second-stage bootloader (bootldr) is encrypted with the per-console key, but is not upgradable and is the same for all consoles (other than the encryption wrapper around it). This second-stage bootloader verifies lv0. Sony signed lv0 using the same broken process that they used for everything else, which leaks their private key. This means that the lv0 private key was doomed from the start, ever since we demonstrated the screwup at the Chaos Communication Congress two years ago.

However, because lv0 is also encrypted, including its signature block, we need that decryption key (which is part of bootldr) before we can decrypt the signature and apply the algorithm to derive the private key. We did this for several later-stage loaders by using an exploit to dump them, and Geohot did it for metldr (the "second root" in the PS3's bizarre boot process) using a different exploit (we replicated this, although our exploit might be different). At the time, this was enough to break the security of all released firmware to date, since everything that mattered was rooted in metldr (which is bootldr's brother and is also decrypted by the per-console key). However, Sony took a last ditch effort after that hack and wrapped everything after metldr into lv0, effectively using the only security they had left (bootldr and lv0) to attempt to re-secure their platform.

Bootldr suffers from the same exploit as metldr, so it was also doomed. However, because bootldr is designed to run from a cold boot, it cannot be loaded into a "sandboxed" SPU like metldr can from the comfort of OS-mode code execution (which we had via the USB lv2 exploit), so the exploit is harder to pull off because you don't have control over the rest of the software. For the exploit that we knew about, it would've required hardware assistance to repeatedly reboot the PS3 and some kind of flash emulator to set up the exploit with varying parameters each boot, and it probably would've taken several hours or days of automated attempts to hit the right combination (basically the exploit would work by executing random garbage as code, and hoping that it jumps to somewhere within a segment that we control - the probabilities are high enough that it would work out within a reasonable timeframe). We never bothered to do this after the whole lawsuit episode.

Presumably, 18 months later, some other group has finally figured this out and either used our exploit and the hardware assistance, or some other equivalent trick/exploit, to dump bootldr. Once the lv0 decryption key is known, the signing private key can be computed (thanks to Sony's epic failure).

The effect of this is essentially the same that the metldr key release had: all existing and future firmwares can be decrypted, except Sony no longer has the lv0 trick up their sleeve. What this means is that there is no way for Sony to wrap future firmware to hide it from anyone, because old PS3s must be able to use all future firmware (assuming Sony doesn't just decide to brick them all...), and those old PS3s now have no remaining seeds of security that aren't known. This means that all future firmwares and all future games are decryptable, and this time around they really can't do anything about it. By extension, this means that given the usual cat-and-mouse game of analyzing and patching firmware, every current user of vulnerable or hacked firmware should be able to maintain that state through all future updates, as all future firmwares can be decrypted and patched and resigned for old PS3s. From the homebrew side, it means that it should be possible to have hombrew/linux and current games at the same time. From the piracy side, it means that all future games can be pirated. Note that this doesn't mean that these things will be easy (Sony can obfuscate things to annoy people as much as their want), but from the fundamental security standpoint, Sony doesn't have any security leg to stand on now.

It does not mean that current firmwares are exploitable. Firmware upgrades are still signed, so you need an exploit in your current firmware to downgrade. Also, newer PS3s presumably have fixed this (probably by using newer bootldr/metldrs as trust roots, and proper signing all along).
Sucks for Sony, but in the grand scheme of things we're near the end of the PS3 lifespan anyway so it did its job. People have been pirating 360 and Wii games for years already. But we'll see what happens. The last hack was supposed to be "final" and Sony managed to lock it back up, but that explanation above seems to indicate that that was their last refuge of security and now its broken.

Personally I hope we see some emulators.

Offline gpw11

  • Gold Member
  • *
  • Posts: 7,182
Re: PS3 hacked again...this time for good?
« Reply #1 on: Tuesday, October 23, 2012, 07:29:27 PM »
I seriously hope someone cracks the 3ds. I might buy one in that case.

Offline Pugnate

  • What? You no like?
  • Global Moderator
  • Forum god
  • *
  • Posts: 12,244
    • OW
Re: PS3 hacked again...this time for good?
« Reply #2 on: Wednesday, October 24, 2012, 02:14:23 AM »
And this is why online authentication for console games is going to be part of the next generation. We can say it is to destroy the used games market, but this is also it.

Offline Xessive

  • Gold Member
  • *
  • Posts: 9,920
    • XSV @ deviantART
Re: PS3 hacked again...this time for good?
« Reply #3 on: Wednesday, October 24, 2012, 05:38:00 AM »
There are plenty of good reasons (from a corporate perspective) to have online authentication; all sales are tracked, all customers and their activities are tracked, they can practically guarantee first-hand sales and returns for DLC or additional content.

Then again, this sort of behaviour can alienated the consumer base. One ideal example is the Sony PSP vs the Nintendo DS; the DS sold a heck of a lot more units despite it's pricetag and technical inferiority (excepting the touchscreen). Its library of games was larger and it wasn't locked like the PSP. Even after the PSP was jailbroken, Sony's futile efforts of releasing and forcing firmware updates on the customers was a deterrent.

Instead of focusing on really moving units, Sony seem to always be preoccupied with locking down the hardware and software. I don't see any PC manufactures cracking down on what you can do with the hardware you buy.

Offline Cobra951

  • Gold Member
  • *
  • Posts: 8,934
Re: PS3 hacked again...this time for good?
« Reply #4 on: Wednesday, October 24, 2012, 07:54:51 AM »
And this is why online authentication for console games is going to be part of the next generation. We can say it is to destroy the used games market, but this is also it.

If it is, I won't be participating in it until that changes, one way or another.