Introduction to PS3

Learn about security and investigate the PS3. This PDF teaches the basics needed to analyze a system and know what we face... Mostly you will see the methods behind the PS3 system's security.

2010 DanteHades DH.org 16/03/2010
Hacker Basics

How do we analyze a system in order to hack it?

First, to be able to analyze a system we have to make a somewhat subjective and visual assessment: when we analyze a system we look at the ways it can be attacked and learn what we face.

What can the means of attack be? There is really no single attack path that is the same across different systems: some work through the CD-ROM, others through the Memory Card (PS2), others via a game's savegame, others through an image file (TIFF is the most common), and others through chips.

What are the steps?
1. We analyze all the system's ports (USB, Ethernet, CD-ROM, etc.).
2. We analyze the architecture of the system (operating system and the code it interprets).
3. We analyze the internal components of the motherboard (CPU, GPU, RAM, NAND flash, HDD).
4. We look at the digital content the system allows, checking whether it has some protection and what environment the code itself needs in order to be used.

Example: I've noticed one thing: the pen drive's light comes on when I insert a game... This means one thing: that the procedure is looking for something on the pen drive. We look into it and see that there are now files that were not there before; there are many and I don't recognise any of them... We delete five of the 10 files we found. We insert the game again with the pen drive and, curiously, the light that blinked before no longer blinks. What have we done? Very simple: we just deleted a file it needs to load, which we can modify and attack... it is just a matter of locating it. After some time locating the file that makes the light flash, we examine it and see in it a path to C:\xxxxxx. If we change it to another path... what happens? Many things may happen, but you now know how to modify and hack a system: you are altering the path from which the system loads a file.
Disk Protection

What is the protection area? It is a protected area of optical media (CD, DVD, BD) in which companies store an authentication code.

Why does a copy not work while an original does? When we make a copy of the original, it cannot be recorded on the blank disc 1:1, since the blank disc carries its own product code... For example:
- Original game >>> Sony Computer Entertainment IDxxxxxx
- Blank disc >>> Disk Recordable Verbatim

[Figures: the two discs, with the Protection Area circled in red]

The moment you insert the disc, the PS3 console in this case reads the Protection Area; if its interpretation is that it is not an original game, the PS3 recognizes it as a CD, data DVD or BD.

So... how would the copy load? First, to load the copy you would have to trick the system that searches for this Protection Area; for that the only way would be reprogramming the reader, which is what searches for that area, but if you move it to the other side it will read it. Move the safety area so that it is read on another layer that the disc does not use and is available (this would use dual-layer discs). Then we tell the reader to read this new layer as if it were the original; this way it does not read the default Protection Area, which is not valid... (red circle, Verbatim BD), but it reads the same one as the real disc (red circle, GTA IV) in another location.

PS3 Security

The PlayStation 3 is the most secure system to date in the world; its security resides in a combination of state-of-the-art hardware and software.

PS3 System Protectors
1. Blu-ray reader.
2. Protection against malicious code.
3. Protection against faults that cause an overflow.
4. Protection against system file manipulation.

1. Blu-ray Reader
The Blu-ray reader has several protections, including the following:
Java Virtual Machine: the disc generates certificates that are then stored in the HDD.
Protection Area: where the decryption key KEY BD is located; this key is similar to the protective layer (BD Crypt Layer); without this key the content cannot be deciphered.
Protection Layer (BD Crypt Layer): this layer is applied in Blu-ray technology. What it does is scramble the files with a mathematical algorithm, which makes them unreadable.
Security Certificates: these certificates verify that the key in the Protection Area is the same as the one requested by the certificate; if it differs, the game is not started.
BD-ROM Mark: this protection simply reads the Protection Area every X seconds to check that the disc has not been swapped for a copy; if, when reading the KEY, it does not detect it, it automatically stops all processes of the game.

2. Protection against malicious code
The PS3 is protected against malicious software on both the communication and the execution routes. To run anything it first needs to appear in the TID list (Title Identification); these titles have a name that identifies them (BCES00001); without a TID the file is never executed. The files cannot be manipulated because they have a HASH, a mathematical digest computed over the creation date, size, file type, extension and a long etcetera... It can be 128 bits, or 16 digits; in the whole world there is no HASH identical to another... which is why we cannot know its contents and will never find one.
The TID list is always updated and stored in the isolated SPE (more on this later). We cannot replace an executable in RAM either, as it is also identified by the isolated SPE. A PS3 executable (ELF) has several safeguards, including these:
1. It is signed and hashed.
2. When trying to run it, the PS3 calculates the HASH; if it matches, the SPE starts.
3. The SPE loads it through an internal ELF loader (Executable Linux).
4. It loads the first ELF (the visible executable) and isolates it (impossible to attack).
5. When this is decrypted by the SPU (the SPE's internal processor) it yields another ELF, "the hidden one", which is decrypted, runs on the PPU (the Cell's central processor) and starts execution of the application.
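As an added example (not code from the original document or from Sony), here is a simplified model of the gate described in steps 1 and 2 above: an executable runs only if its title ID is on the allow-list, its hash matches the stored one, and its signature binds that title ID to that hash. The key, title IDs and executable bytes are constructed placeholders, and an HMAC stands in for the real signature scheme.

```python
"""Simplified model of a TID allow-list plus hash and signature check.
Everything here is constructed for illustration; the real PS3 uses an
asymmetric signature and a console-side verification key, not an HMAC."""
import hashlib
import hmac

# Constructed allow-list: title ID -> expected SHA-256 hex digest of the binary.
TID_LIST: dict[str, str] = {}

# Constructed placeholder for the publisher's signing key.
SIGNING_KEY = b"constructed-placeholder-signing-key"


def sign(tid: str, blob: bytes) -> bytes:
    """Signature attached at publish time: binds the title ID to the binary's hash."""
    digest = hashlib.sha256(blob).digest()
    return hmac.new(SIGNING_KEY, tid.encode() + digest, hashlib.sha256).digest()


def register(tid: str, blob: bytes) -> None:
    """Add a title to the allow-list (the role the isolated SPE's TID list plays)."""
    TID_LIST[tid] = hashlib.sha256(blob).hexdigest()


def check_executable(tid: str, blob: bytes, signature: bytes) -> str:
    """Return 'run' or the reason the executable is refused."""
    if tid not in TID_LIST:
        return "refused: TID not in list"          # no TID, never executed
    if hashlib.sha256(blob).hexdigest() != TID_LIST[tid]:
        return "refused: hash mismatch"            # file was modified
    if not hmac.compare_digest(sign(tid, blob), signature):
        return "refused: bad signature"            # hash/TID pair not signed
    return "run"


def demo() -> list[str]:
    """Walk through the accept and refuse cases on constructed inputs."""
    blob = b"\x7fELF constructed executable bytes"
    register("BCES00001", blob)
    sig = sign("BCES00001", blob)
    results = [
        check_executable("BCES00001", blob, sig),          # genuine: run
        check_executable("BCES00002", blob, sig),          # unknown TID
        check_executable("BCES00001", blob + b"\x00", sig),  # tampered bytes
    ]
    register("BCES00002", blob)                            # same hash, other TID
    results.append(check_executable("BCES00002", blob, sig))  # signature mismatch
    return results


if __name__ == "__main__":
    print(demo())
```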
3. Protection against faults that cause an overflow
Another protection is its operating system: being a microkernel, it works in separate parts, which means the kernel is on one side and the modules that trigger certain events are on the other. What is the benefit of this? If by some chance a module suffers a global corruption in the modules the kernel uses, the kernel, being split from it, can reset and regenerate from zero, and since the modules can be repaired this adds another option to the system's security. For example, if a game has removed the modules responsible for loading textures, sounds or events that were already scheduled, they are not loaded automatically, launching a system known as "CheckStop". What this system does is separate kernel and modules so that the kernel takes control of the system and does what it considers appropriate to leave the problem behind; in this case it sends us directly to the main menu as a security protocol. If we pull out a pen drive while listening to music, the first thing it will do is separate the kernel from the module and restart the module; thus the whole system does not restart, so we do not automatically get the typical Windows error.
4. Protection against system file manipulation
The PS3 system has a safeguard that the XBOX360, for example, also has, but here it is even stronger, which is why it still has not fallen... The execution levels, or LV0, LV1 and LV2. The PS3 has 3 levels of execution, which makes it invincible... for the moment.

1. Level 0 or BootStrap
This level sends a CIF/HASH/FIR file to the SPE; this is isolated and, using the Master KEY integrated in a ROM inside the CELL, the file is decrypted. Once decrypted, the KEYS of loaders 1 and 2 appear, and these loaders decode LV1 and LV2, depending on the LPAR we are in.

2. Level 1 or Hypervisor
This level is the hardware manager. It is like having a factory where you have all the machinery: the machinery can be used by the manager, but he has to have operators trained to use each one.

3. Level 2 or Supervisor
This level only works in the main menu; it is the software manager. Through communication with the hypervisor the system works in harmony; the boss around here is the supervisor, and it gives orders to the hypervisor to restart, delete or act in any specified way.

4. The LPARs
They are like virtual partitions within the RAM, assigned to each level. For example, LPAR_PS3 gives you a certain type of resources that you cannot transfer, such as not being able to load PS2 games or boot Linux (LPAR_LINUX); let's say they are defined options of virtual resources given to each one to protect the system; in short, limitations put in place. We have several LPARs: LPAR_LINUX (Linux), LPAR_PS2 (PS2 Emulator), LPAR_PS3 (XMB or main menu).
METLDR... What it is and what it does
METLDR is the initialization engine responsible for authenticating the loaders and launching LV0/1/2. It works in the framework known as secure_loader, which means it trains a single SPU to do the work; this means that if only SPU1 is trained to process METLDR, the others are not given the privileges needed to use the SPU with the master key. "This limits us to using only one SPU for this task, but we forget something important: the SPU dedicated to this is already in use... so we cannot use it." Using the remaining ones, three important steps would have to be followed in order:
1. SPU initialization and calibration.
2. Change of state (isolation).
3. Authentication and use of the master key.

In step 3 certain privileges must be granted, bearing in mind the considerations the LPAR applies to us; this means there are security policies and checks, such as:
- To display the kernel it has to be working as part of lpar_ps3; if the opposite is the case, METLDR must not decrypt the LV2 in lpar_linux.
- METLDR only enters authentication and execution if it complies with Rule 1, which is to work in the spu1 dedicated to that purpose; otherwise the execution of METLDR for decryption is void.

METLDR loads the ldrs, but these must be authenticated by a hash that METLDR itself contains internally. METLDR weighs 60KB; the local store of the SPU has 256KB. The loaders are decrypted when loaded: lv0 (Time), LV1 (Time) and LV2 (only in lpar_ps3). The loaders decode lv0, LV1 and LV2 themselves. For LV2 to be deciphered in lpar_ps3, the local_store of the isolated SPU saves the idstorage, and this idstorage stores the hash of valid executables. A SELF has an internal key; the SELF is composed of: SCE > SELF header > ELF > SPU loader. Normally when we look at a SELF with a hex editor we see an ELF header; the ELF we see is the SPU app, and this app is already hashed and introduced into the idstorage; if it passes the check, it is automatically decoded and executed by the PPU, showing the actual internal ELF.

FREQUENTLY ASKED QUESTIONS... METLDR
Why is METLDR interesting? Because through it one could get the ps3 kernel.
Can METLDR run a PKG or SELF? No, METLDR has only one function: initialize the loaders and authenticate them; everything else is fantasy.
So what could be done with METLDR? The first thing is knowing how to interpret METLDR; once you know that, you will tell yourself.
Finally... Why do Geo & Company not give details on METLDR? What are they hiding? Not all the steps they take maintain the status of passivity; this means they only know the subject, but wrongly... because even though they keep quiet and do not say everything there is, we too keep quiet and do not say it.
"If the dedicated SPU is used for the secure loader, we cannot continue." (This is what Geo means.)
"If we remove the restrictions imposed by lpar_linux in the hypervisor, we do not obtain the kernel, since the kernel loader examines the environment in which it is working."
"If we reboot the dedicated SPU and have applied the previous changes in the hypervisor, we cannot make the kernel."
Finally, as you can see, it is temporary and has no kind of persistence... So we are already developing the hardware idea to make all these steps persistent on the game_os path while booting.
... CONTINUES.