PS3 Hackers able to sign code (and more)!

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
ManFranceGermany said:
1:48 "The Videoram is turned off and we have no clue how to turn it on"
What does that mean? Is it about the PS3 or his netbook or whatever... sorry, I'm a noob.

Basically it means that at this point the video out is not working with the exploit. I'm not sure if it's because they don't have lvl1 yet or if it's just a bug in the way the loader currently works. As they mentioned the way it works now is not very refined so there are going to be inevitable bugs like that.
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
Thinking about it more, I suspect that Sony is already working on their 'master' revocation list right now. The DSi worked on a similar principle of whitelisting all their previous games and doing an RSA sig for new ones. Watch out for some new firmware updating coming in the next months.
 

ManFranceGermany

Atheist, Socialist and pro EU!
Member
Joined
Nov 14, 2010
Messages
624
Trophies
0
XP
39
Country
Gambia, The
doyama said:
ManFranceGermany said:
1:48 "The Videoram is turned off and we have no clue how to turn it on"
What does that mean? Is it about the PS3 or his netbook or whatever... sorry, I'm a noob.

Basically it means that at this point the video out is not working with the exploit. I'm not sure if it's because they don't have lvl1 yet or if it's just a bug in the way the loader currently works. As they mentioned the way it works now is not very refined so there are going to be inevitable bugs like that.

But isn't this really bad news? Without Videoram access the whole thing is almost useless, isn't it?
At least you can't play backups, and homebrew could just run from the normal RAM.
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
ManFranceGermany said:
doyama said:
ManFranceGermany said:
1:48 "The Videoram is turned off and we have no clue how to turn it on"
What does that mean? Is it about the PS3 or his netbook or whatever... sorry, I'm a noob.

Basically it means that at this point the video out is not working with the exploit. I'm not sure if it's because they don't have lvl1 yet or if it's just a bug in the way the loader currently works. As they mentioned the way it works now is not very refined so there are going to be inevitable bugs like that.

But isn't this really bad news? Without Videoram access the whole thing is almost useless, isn't it?
At least you can't play backups, and homebrew could just run from the normal RAM.

That depends on your perspective. For running Linux on the PS3, getting the video out working is really not that important, since you can run X and remote in. There are some benefits though to getting video out working. You could get something like XBMC/Boxee running with video. Ultimately though they've accomplished what they wanted.

1) Get Linux running on a PS3 without any dongles (loader overflow exploit)
2) Being able to bootstrap the loader overflow exploit without any dongles ('random number fail' private key)

That's not to say they won't get it working. Sounds like they were rushed to get a work in progress going for the conference. Hopefully by next month when they release the PUP file it will be more refined and such.

However, for them all the 'fun' stuff is done. They've basically owned all existing PS3s on the market and exposed the PS3's security features like the naked Emperor. It'll be up to other people to take up what they've done and see what happens.
 

shakirmoledina

Legend
Member
Joined
Oct 23, 2004
Messages
6,613
Trophies
0
Age
34
Location
Dar es Salaam
Website
vfootball.co.nf
XP
830
Country
Tanzania
I think the architecture of the PS3 has been figured out and hacked, so the ways to exploit it will be multiple and cleaner in the future (we hope).
I guess the equations are predefined then... ellipses were quite easy to solve when our teacher taught it (well, I guess we had a great teacher).
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
mercluke said:
ganons said:
I take it you will need a jailbreak device in the 1st place to make the hack permanent and a 3.41 or lower fw ps3?
No, the beauty of this discovery is that no "hacks" or "exploits" take place
They correctly sign it, the ps3 reads it and that's all
Fail0verflow are currently working on a .pup file that will install a cfw that replaces gameOS with AsbestOS (so it'll boot on power-up rather than using a dongle and pressing power+eject on power-up)

I would preface that with: all existing PS3s that have the current firmware version (3.55) or below do not need any dongle to use the upcoming PUP file. I suspect Sony is furiously trying to get 3.6 out with a whitelist to block the leak of the private key.
 

ManFranceGermany

Atheist, Socialist and pro EU!
Member
Joined
Nov 14, 2010
Messages
624
Trophies
0
XP
39
Country
Gambia, The
doyama said:
ManFranceGermany said:
doyama said:
ManFranceGermany said:
1:48 "The Videoram is turned off and we have no clue how to turn it on"
What does that mean? Is it about the PS3 or his netbook or whatever... sorry, I'm a noob.

Basically it means that at this point the video out is not working with the exploit. I'm not sure if it's because they don't have lvl1 yet or if it's just a bug in the way the loader currently works. As they mentioned the way it works now is not very refined so there are going to be inevitable bugs like that.

But isn't this really bad news? Without Videoram access the whole thing is almost useless, isn't it?
At least you can't play backups, and homebrew could just run from the normal RAM.

That depends on your perspective. For running Linux on the PS3, getting the video out working is really not that important, since you can run X and remote in. There are some benefits though to getting video out working. You could get something like XBMC/Boxee running with video. Ultimately though they've accomplished what they wanted.

1) Get Linux running on a PS3 without any dongles (loader overflow exploit)
2) Being able to bootstrap the loader overflow exploit without any dongles ('random number fail' private key)

That's not to say they won't get it working. Sounds like they were rushed to get a work in progress going for the conference. Hopefully by next month when they release the PUP file it will be more refined and such.

However, for them all the 'fun' stuff is done. They've basically owned all existing PS3s on the market and exposed the PS3's security features like the naked Emperor. It'll be up to other people to take up what they've done and see what happens.

Thanks for your explanation!
Time will tell if this hack will be useful for me or not
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
shakirmoledina said:
I think the architecture of the PS3 has been figured out and hacked, so the ways to exploit it will be multiple and cleaner in the future (we hope).
I guess the equations are predefined then... ellipses were quite easy to solve when our teacher taught it (well, I guess we had a great teacher).

Yep, the equations aren't the typical elliptic curves you would have learned before. They're in multiple dimensions and include scalar multiplication and other crazy mathematical mumbo jumbo. It was amusing to see the mathematical slides done in LaTeX. Ah, the good old days of academia. I still dabble in some advanced math, but really a lot of stuff these days just requires too much background knowledge to even begin to understand the basics.
 

cwstjdenobs

Sodomy non sapiens
Member
Joined
Mar 10, 2009
Messages
1,756
Trophies
0
Location
Ankh-Morpork
XP
205
Country
ManFranceGermany said:
But isn't this really bad news? Without Videoram access the whole thing is almost useless, isn't it?
At least you can't play backups, and homebrew could just run from the normal RAM.

It really only means they need a new "driver" of sorts, I think in their replacement GameOS, not Linux. Sony probably sets this up right, so they haven't had to worry about it while using JBs, but now they have to do all that setup themselves.

But as sweet as this is right now did anyone catch the RC4 and deobfuscation talks? The techniques used could be very relevant in the future.

EDIT: Well, for those of us who count the regular set of dimensions as too much hard work without even going all hypertorus.
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
trumpet-205 said:
Time to buy a PS3.

Poor Xbox 360.

Dunno, personally I think the PS3 really dropped the ball on the whole internet integration. The Xbox dashboard is a really solid piece of UI and usability. If you think about it, the Xbox only bans you from their Live service. Which is a smart move, because the hardware itself is worthless; it's basically a gateway to Xbox Live, where you ACTUALLY want to be. I never thought the PS3 or PSN was really as polished or as feature-rich as Xbox Live.
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
XP
1,175
Country
Some pretty interesting quotes from fail0verflow's twitter [http://twitter.com/fail0verflow]:

QUOTE said:
@redsquirrel87 yes, we'll release all our tools as soon as we cleaned them up in january or so

QUOTE said:
Note: we won't be working long-term on CFW or similar. We'll release tools and a PoC, someone else can take over. The fun part is done


QUOTE
we only started looking at the ps3 after otheros was killed.

So they'll be releasing the tools to sign stuff quite soon apparently. Good news for anyone with a PS3 interested in homebrew.
 

Kwartel

The fairest in all the land
Member
Joined
Apr 11, 2009
Messages
1,298
Trophies
0
Age
30
XP
449
Country
Netherlands
Does this mean it'll be plausible to make a CFW which doesn't send IDs from unofficial shit, only official? That would be a big breakthrough!
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
kwartel said:
Does this mean it'll be plausible to make a CFW which doesn't send IDs from unofficial shit, only official? That would be a big breakthrough!

It might sorta be plausible. I recall that the IDs are stored in a file (or somewhere) for upload later to PSN. So you could 'possibly' have the firmware only write for specific IDs, in theory. Not enough is known about that whole cycle to speculate whether it's possible or not.
 

DeltaBurnt

I'm bored
OP
Member
Joined
Feb 21, 2009
Messages
3,353
Trophies
0
Age
29
Location
Where intellect matters
XP
286
Country
United States
kwartel said:
Does this mean it'll be plausible to make a CFW which doesn't send IDs from unofficial shit, only official? That would be a big breakthrough!

Well, it depends on how the IDs are sent to the PSN. If it's the PS3 that sends them then probably. If the PSN scans your PS3 to get the information then probably not, but still maybe.
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
cwstjdenobs said:
ManFranceGermany said:
But isn't this really bad news? Without Videoram access the whole thing is almost useless, isn't it?
At least you can't play backups, and homebrew could just run from the normal RAM.

It really only means they need a new "driver" of sorts, I think in their replacement GameOS, not Linux. Sony probably sets this up right, so they haven't had to worry about it while using JBs, but now they have to do all that setup themselves.

But as sweet as this is right now did anyone catch the RC4 and deobfuscation talks? The techniques used could be very relevant in the future.

EDIT: Well, for those of us who count the regular set of dimensions as too much hard work without even going all hypertorus.

Which track was the de-obfuscation talk? I saw the RC4 one, which was interesting, though I don't think having to crack WEP is a huge thing.
It was more interesting that they used fuzzy logic to actually find the vulnerability, rather than attacking it directly.
 

8BitWalugi

Taiyohhhhhh!
Member
Joined
Mar 22, 2008
Messages
3,468
Trophies
1
Location
Side 7
Website
www.twitter.com
XP
1,641
Country
Australia
Goofy Time said:
Small bit of trivia for you guys:

By having access to the private keys, one of the more renowned discussions about it is that homebrew apps can just be "licensed" and interpreted as Sony-official applications on the PS3. Another thing to note, and probably the reason it may take a new console SKU to fix this, is that every single PS3 game currently released uses that set key. The only way to counteract that exploit would be to make an all-new model of the PS3 that regenerates a random key while having a method to reset every single PS3 game ever released to now recognize the new key as legitimate.

This has the potential damage of being so bad for Sony that their next console may have to prevent PS3 backwards compatibility, as the exploit with the key will simply transfer over. This is a huge fuckup for Sony, and it's absolutely amazing to see the once impenetrable fortress basically be on the whim of being the most exploited platform this generation in terms of an exploit. To put this into perspective, nobody even has access to the private keys on the Nintendo Wii. This is a gigantic missile to the PS3 much more than custom firmware was for the PSP.

And to believe this all started by Sony bullshitting and taking out features for a device.
Woah...
Sony, you fucked up bad.
 

RupeeClock

Colors 3D Snivy!
Member
Joined
May 15, 2008
Messages
6,499
Trophies
1
Age
34
XP
3,008
Country
8BitWalugi said:
Woah...
Sony, you fucked up bad.
They really did, having a random number generator somehow always return the same result?
PS3 won't even need a custom firmware now, people can run whatever the hell they want.
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
8BitWalugi said:
Goofy Time said:
Small bit of trivia for you guys:

By having access to the private keys, one of the more renowned discussions about it is that homebrew apps can just be "licensed" and interpreted as Sony-official applications on the PS3. Another thing to note, and probably the reason it may take a new console SKU to fix this, is that every single PS3 game currently released uses that set key. The only way to counteract that exploit would be to make an all-new model of the PS3 that regenerates a random key while having a method to reset every single PS3 game ever released to now recognize the new key as legitimate.

This has the potential damage of being so bad for Sony that their next console may have to prevent PS3 backwards compatibility, as the exploit with the key will simply transfer over. This is a huge fuckup for Sony, and it's absolutely amazing to see the once impenetrable fortress basically be on the whim of being the most exploited platform this generation in terms of an exploit. To put this into perspective, nobody even has access to the private keys on the Nintendo Wii. This is a gigantic missile to the PS3 much more than custom firmware was for the PSP.

And to believe this all started by Sony bullshitting and taking out features for a device.
Woah...
Sony, you fucked up bad.

I don't totally agree with this sentiment. The leak of the current master key just means that all existing PS3s as of firmware 3.55 can run any code that is signed with this master key.

To get around this problem, you'd have to create an admittedly large whitelist of all existing PS3 games and their corresponding signatures. All new games would be signed with a new master key, while old games would rely on the whitelist to be run. Not impossible, as the DSi already does something similar-ish.
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
RupeeClock said:
8BitWalugi said:
Woah...
Sony, you fucked up bad.
They really did, having a random number generator somehow always return the same result?
PS3 won't even need a custom firmware now, people can run whatever the hell they want.

They implemented the security the wrong way. They did use a random number generator; they just didn't make a new one every time like you're supposed to. Here's an interesting read on how you can use crypto but screw up in any number of ways if you're not reading the specs carefully. The devil is in the details.

http://rdist.root.org/2010/11/19/dsa-requi...random-k-value/
http://rdist.root.org/2009/10/06/why-rsa-e...ng-is-critical/
 
