Latest PS3 News Forum Updates

  • News
  • Posts
  • PS3 CFW
  • PS3 Files
  • PS3 Hacks
  • PS3 Help
  • PS3 Releases
  • PS3 Themes
  • PS3 Trophies
  • PS Vita Trophies
oLeatherfacex PS3 Unban and Anti-ban Methods for Console ID and Sign-In - 46m ago
JeoWay Piercings anyone? - 58m ago
JeoWay The Yes/No question thread - 1h ago
JeoWay Hitman absolution PS3 help? - 1h ago
dyceast Copying PS3 with CFW to PS3 with OFW help? - 2h ago
Liongooder Replace hdd and upgrade PS3 cfw help? - 4h ago
racer0018 PS3 Unbricking and Downgrading Service - 4h ago
JeoWay Sony PlayStation Plus: Saints Row: The Third Free for Members - 4h ago
JeoWay Can I create a PS3 hardware flasher help? - 5h ago
pumpkinslayer Rebug 4.30.1, Rebug 4.21.2 / 3.55.4 PS3 CFW REX Editions Arrive - 5h ago
+ Reply to Thread
Page 7 of 7 FirstFirst ... 5 6 7
  1. 04-09-2010 #61
    tragedy's Avatar
    tragedy
    tragedy is online now Senior Member tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of tragedy has much to be proud of
    Quote Originally Posted by sapperlott View Post
    I'd be interested in how you think this could be circumvented without the keys necessary to create own signed / encrypted binaries.
    Well, that all depends if your goal is signing code so it can run on any console or just allowing unsigned code to run on your console. The latter will be possible, although still difficult.

    At the end of the day, the vast majority of encrypted code runs on the PPU after decryption, so even considering the encrypted metldr block, the general principle is:

    PPU: does basic initialisation
    PPU: requests SPU to start up in isolation mode
    SPU: decrypts lv0 and puts in somewhere PPU can access it
    PPU: waits for SPU to finish decrypting lv0
    *INSERT HACK HERE TO PATCH lv0 HERE*
    PPU: executes decrypted lv0 code
    ...
    PPU: lv0 sends message to still running metldr SPU to decrypt lv1
    SPU: decrypts lv1 and puts in somewhere PPU can access it
    PPU: waits for SPU to finish decrypting lv1
    *INSERT HACK HERE TO PATCH lv1 HERE*
    PPU: executes decrypted lv1 code
    ...
    PPU: lv1 sends message to still running metldr SPU to decrypt lv2
    SPU: decrypts lv2 and puts in somewhere PPU can access it
    PPU: waits for SPU to finish decrypting lv2
    *INSERT HACK HERE TO PATCH lv2 HERE*
    PPU: executes decrypted lv2 code
    ...
    *CHECK*
    PPU: lv2 sends message to still running metldr SPU to decrypt self
    SPU: decrypts self and puts in somewhere PPU can access it
    PPU: waits for SPU to finish decrypting self
    *INSERT HACK HERE*
    PPU: executes decrypted self code

    So, even without knowing the encryption keys, provided we can obtain the original metldr, we can always execute signed code so we can continue to run regular games with a modified lv2.

    To run unsigned code, where I've written *CHECK*, we check to see if the code is unisgned, if so we just execute it directly without ever asking the SPU to decode the data.

    Reply With Quote Reply With Quote
  3. 04-09-2010 #62
    sapperlott's Avatar
    sapperlott
    sapperlott is offline Registered User sapperlott is on a distinguished road
    All valid points and a very good summary of the boot process and a possible attack vector. But the original argument was about whether or not the data inside the isolated SPU can be compromised.

    Reply With Quote Reply With Quote
  4. 04-09-2010 #63
    teusjuh's Avatar
    teusjuh
    teusjuh is offline Contributor teusjuh has a spectacular aura about teusjuh has a spectacular aura about

    Question

    got an noob question

    with all information what public is... how far is it away to get unsigned code running. i mean how far is it away for devs to make an first hello world or something?

    edit: or is there still not enough dump information??

    Reply With Quote Reply With Quote
  5. 04-09-2010 #64
    moneymaker's Avatar
    moneymaker
    moneymaker is offline Registered User moneymaker is on a distinguished road
    Quote Originally Posted by tragedy View Post
    At the end of the day, the vast majority of encrypted code runs on the PPU after decryption, so even considering the encrypted metldr block, the general principle is:

    PPU: does basic initialisation
    <----here we can be already screwed, which code do you think PPU uses to init and ask SPU to start in isolation mode ?
    PPU: requests SPU to start up in isolation mode
    SPU: decrypts lv0 and puts in somewhere PPU can access it
    PPU: waits for SPU to finish decrypting lv0
    *INSERT HACK HERE TO PATCH lv0 HERE*
    PPU: executes decrypted lv0 code
    ...
    I just wonder a couple of things, what kind of code should switch on the SPU and what kind of system the SPU uses to de/crypt..

    To explain me better I'll use an example: to a secretary whom knows her job you can kindly pass a note asking her to translate it or you can simply throw it onto her desktop and she will do the translation without the need to ask...

    Have I given the idea of what I mean ?

    Reply With Quote Reply With Quote
+ Reply to Thread
Page 7 of 7 FirstFirst ... 5 6 7