PS3 is hacked!!

Started by bitblt, January 25, 2010, 04:04:17 AM

bitblt

Now this is not the first time someone has claimed to have hacked the PS3, so this is classified as a rumor. Previous claims have been fruitless. However, this time the claim comes from a reliable developer named geohot with a reputation in the iPhone hacking scene. The amazing thing is geohot believes it's possible to compromise the PS3 without needing a hardware mod. This is surprising to me considering the PS3 has processor-level security called a hypervisor that should prevent running unsigned code without decryption keys. Perhaps geohot has found a loophole and the PS3 can be exploited similarly to the PSP? I personally hope this rumor pans out to be true and we will see homebrew and HD loaders for PS3 sometime in the near future.

http://geohotps3.blogspot.com/2010/01/hello-hypervisor-im-geohot.html
Quote
Hello hypervisor, I'm geohot

I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1. I've also dumped the NAND without removing it or a modchip.

3 years, 2 months, 11 days...that's a pretty secure system

Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

As far as the exploit goes, I'm not revealing it yet. The theory isn't really patchable, but they can make implementations much harder. Also, for obvious reasons I can't post dumps. I'm hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone's KBAG.

A lot more to come...follow @geohot on twitter

socket

I wonder how much they'll pay him to keep his methods quiet...  :police:

bitblt

Quote from: socket on January 25, 2010, 04:03:33 PM
I wonder how much they'll pay him to keep his methods quiet...  :police:

Well, who knows; Sony might sell more PS3 units because of the buzz surrounding this exploit, and even sell more PS3 games as a side effect? Wouldn't that be ironic. :)

bitblt

Well, it's official. PS3 is hacked! Geohot has released his PS3 exploit.

Let PS3 homebrew development begin . . .

http://geohotps3.blogspot.com/2010/01/heres-your-silver-platter.html
Quote
Here's your silver platter
In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory space access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works :)

This is a good article for what it means for the less technical.

Good luck!

Download

kkan

meh and I just got a 250gb Slim after selling my 40gb FAT :(

bitblt

Quote from: kkan on January 27, 2010, 04:35:03 PM
meh and I just got a 250gb Slim after selling my 40gb FAT :(

Well, if they find the root encryption keys for the PS3, then they will be able to make a software-only exploit that will work with any PS3. I'm crossing my fingers but not holding my breath, as it could take some time.

socket

Agree, it's great news that he got so much access but it still doesn't mean all that much.  This should, however, lead to some good things!

kkan

Quote from: socket on February 03, 2010, 04:02:16 PM
Agree, it's great news that he got so much access but it still doesn't mean all that much.  This should, however, lead to some good things!

Apparently he's NOT THE FIRST to gain this kinda information!? ... He just happens to be a more HIGH-PROFILE hacker, so got a bit more credit for his work?!

I'm not going to hold my breath here on this one, as Blu-ray blanks are stupidly overpriced atm anyway... and I don't think I could be bothered to spend my time or bandwidth downloading a 50GB ISO... but backward compatibility for ALL PS3s would be a good thing. Then again, I think that's going to be coming anyway as a software update, but at a price: no doubt they will release PS2 games as PSN titles with their planned Premium PSN packages.

DeVS

Well, if they're getting access to the PS3 like they say they are, I'm sure the main hack would be an ISO loader, not Blu-ray ISO backups.
Laugh Hard, It's A Long Ways To The Bank

bitblt

Quote from: kkan on February 04, 2010, 03:32:02 AM
Apparently he's NOT THE FIRST to gain this kinda information!? ... He just happens to be a more HIGH-PROFILE hacker, so got a bit more credit for his work?!

That is not correct. This hack is the first time someone has bypassed the PS3 hypervisor and gotten full read/write access to protected system memory. This is significant and has never been done before. What geohot has done is essentially the first step in creating a modchip exploit for the PS3. Of course, some reverse engineering still needs to be done before we will see the first "hello world" homebrew. After that, more sophisticated homebrew like emulators and HD loaders will be made. Finally, if and when the PS3 root encryption keys are found, a software-only HEN can be made (no need for a modchip).

The hacks you may have read about in the past are not the same . . .

The first so-called PS3 hack was a way to run BD backups using a disc-swap method. Unfortunately, it only worked with a few launch titles like Resistance FOM and required taking the PS3 apart, as well as having an expensive BD-ROM burner and backup discs that cost $25 each (at the time). It was hardly worth the trouble. Sony later fixed this hack by updating the firmware in the PS3 BD-ROM drive.

The second so-called PS3 hack was the discovery that Java code could be run from a memory card on the PS3. Running homebrew Java code on the PS3 was interesting, and a few Java games were developed, but overall it wasn't very useful in tapping the full power of the PS3. Sony later squashed PS3 Java homebrew with a firmware update.

Geohot's hack is a whole new ballgame and provides low-level access to protected PS3 system resources. Not only that, but this hack takes place before the PS3 OS is started, so a firmware update will not be effective in stopping it. The only thing Sony can do is keep updating the firmware to make things more difficult for developers, similar to what Sony does to slow down the PSP scene.

bitblt

It looks like Sony might be trying to throw a wrench in the development of the new PS3 exploit. Sony has filed a patent with the description "A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code." It's not clear if this patent is a direct response to the geohot exploit or is an unrelated patent filed by Sony.

Quote
“A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code. Predetermined program code is encrypted with a first key. The hash value of an application verification certificate associated with a second key is calculated by performing a one-way hash function. Binding operations are then performed with the first key and the calculated hash value to generate a third key, which is a binding key.

The binding key is encrypted with a fourth key to generate an encrypted binding key, which is then embedded in the application. The application is digitally signed with a fifth key to generate an encrypted and signed program code image. To decrypt the encrypted program code, the application verification key certificate is verified and in turn is used to verify the authenticity of the encrypted and signed program code image. The encrypted binding key is then decrypted with a sixth key to extract the binding key.

The hash value of the application verification certificate associated with the second key is then calculated and used with the extracted binding key to extract the first key. The extracted first key is then used to decrypt the encrypted application code."
Source
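The key-wrapping scheme the abstract describes, carried through end to end as an added example in Go. This is not Sony's code, not text from the patent, and not from anyone in this thread; the abstract names six keys but no algorithms, so the following are assumptions: AES-256-GCM for both encryptions, SHA-256 as the one-way hash, XOR as the unnamed "binding operation", Ed25519 for the fifth key with the raw public key standing in for the "application verification certificate", a pinned trusted certificate in place of certificate-chain verification, and a sixth key identical to the fourth (symmetric wrapping). Every type and function name is the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is the abstract's "encrypted and signed program code image"; field names are this example's own.
type Image struct {
	Cert       []byte // application verification certificate (assumption: raw Ed25519 public key, the "second key")
	EncCode    []byte // program code encrypted with the first key (AES-256-GCM, nonce prefixed)
	EncBinding []byte // binding key (third key) wrapped with the fourth key and embedded in the application
	Signature  []byte // Ed25519 signature over Cert||EncCode||EncBinding made with the fifth key
}

// gcm builds the AEAD for a 32-byte key; a bad key length is a programming error, not untrusted input.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES: the block size is always 16 bytes
	return g
}

// seal and open are AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// Bind is the unnamed "binding operation" (assumption: XOR of the key with SHA-256(cert)). XOR is its own
// inverse, so Bind(Bind(k1, cert), cert) == k1 is the "extract the first key" step; any other cert yields junk.
func Bind(key, cert []byte) []byte {
	h := sha256.Sum256(cert)
	out := make([]byte, len(key))
	for i := range key {
		out[i] = key[i] ^ h[i%len(h)]
	}
	return out
}

func Signed(img *Image) []byte { // bytes covered by the fifth-key signature
	return bytes.Join([][]byte{img.Cert, img.EncCode, img.EncBinding}, nil)
}

// Build is the encryption path: code under the first key, binding key wrapped with the fourth, image signed with the fifth.
func Build(code, codeKey, wrapKey, cert []byte, signKey ed25519.PrivateKey) *Image {
	img := &Image{Cert: cert, EncCode: seal(codeKey, code), EncBinding: seal(wrapKey, Bind(codeKey, cert))}
	img.Signature = ed25519.Sign(signKey, Signed(img))
	return img
}

// Load is the decryption path. trustedCert stands in for "the certificate is verified" (assumption: a pinned
// root, as a console would keep in ROM); unwrapKey is the sixth key (assumption: identical to the fourth).
func Load(img *Image, trustedCert, unwrapKey []byte) ([]byte, error) {
	if !bytes.Equal(img.Cert, trustedCert) {
		return nil, errors.New("certificate not trusted")
	}
	if !ed25519.Verify(ed25519.PublicKey(img.Cert), Signed(img), img.Signature) {
		return nil, errors.New("bad image signature")
	}
	bindingKey, err := open(unwrapKey, img.EncBinding)
	if err != nil {
		return nil, fmt.Errorf("unwrap binding key: %w", err)
	}
	return open(Bind(bindingKey, img.Cert), img.EncCode) // recover the first key, then decrypt the code
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := make([]byte, 64) // constructed: a random 32-byte first key followed by a random 32-byte fourth key
	rand.Read(keys)
	img := Build([]byte("constructed sample program code"), keys[:32], keys[32:], pub, priv)
	code, err := Load(img, pub, keys[32:])
	fmt.Printf("%q %v\n", code, err)
}
```

What the binding buys is that the first key never exists in the image by itself: recovering it needs the sixth key, the wrapped binding key and the exact certificate, so a re-signed image with a substituted certificate hashes to a different binding value and the GCM tag on the code fails. What it does not change is that anyone holding the sixth key and the certificate can recover the first key, so the scheme's strength rests on keeping that key out of reach, which is the same "keys embedded in hardware" question raised earlier in this thread.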

kkan


Quote
“A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code. Predetermined program code is encrypted with a first key. The hash value of an application verification certificate associated with a second key is calculated by performing a one-way hash function. Binding operations are then performed with the first key and the calculated hash value to generate a third key, which is a binding key.

The binding key is encrypted with a fourth key to generate an encrypted binding key, which is then embedded in the application. The application is digitally signed with a fifth key to generate an encrypted and signed program code image. To decrypt the encrypted program code, the application verification key certificate is verified and in turn is used to verify the authenticity of the encrypted and signed program code image. The encrypted binding key is then decrypted with a sixth key to extract the binding key.

The hash value of the application verification certificate associated with the second key is then calculated and used with the extracted binding key to extract the first key. The extracted first key is then used to decrypt the encrypted application code."
Source


say WUT!?

yeah ummmmmmmmmm ok SONY!...... But why did you not just say, OH, someone clever cracked our code, so now we are releasing an update that uses 6 ENCRYPTED KEYS/METHODS and this will put an end to the GEOHOT exploit!