Apple iPhone Unlocker GeoHot Begins Hacking Sony's PS3
279w ago - Over the weekend [Register or Login to view links], famous for unlocking Apple's iPhone, posted a few tweets on his [Register or Login to view links] account saying that he has begun looking into hacking Sony's PS3 console.

He has also dropped by our Forums to enquire about the PS3 Hypervisor Decryption Keys, and has been in touch with CJPC via IRC as well.

To date, geohot has reported the following via tweets:

"ooo got access to a couple more pages of ram...still no hypervisor there tho. it's hiding in the top 2 MB.

anyone know if the 360 guys had a pt hypervisor to reverse?

my goal is to break out of the hypervisor... then see what my morals will allow.

gotta flip one little bit to hack the ps3. unfortunately the ps3 doesn't want me to flip it.

so, the hypervisor is in the first 0x1000 pages of RAM...think I could just pull an address line down and dump? not from kernel tho

PS3 memory map [Register or Login to view links] ... why did I think this would be useful again? i really want these dumps @ bootloader

it'd be nice if that worked, linux accesses sandboxed part of nand... 4mb of uselesses.

hacking the PS3, not hacked in three years how long will it take me?"



#121 - RexVF5 - 276w ago
Quote Originally Posted by mondoparalelo:
So how do you expect to decrypt anything when every time you try to do it you're taken to a deeper layer of encryption that will only stop at the Cell hardware?

If you cannot obtain any encryption key in the middle of the way and you don't have access to memory, how else are you supposed to get the keys if not by trying to rip it off the hardware itself? And what do you mean by "no hardware manipulation will help you at all. And these are still protected by chain of trust"?


What I meant is that even if you were able to retrieve the keys from hardware they would be the public keys usable for decrypting the binaries or verifying digital signatures. These keys cannot be used for encrypting/signing binaries (yours - i.e. patched/hacked/...) in a way that would allow you to run them.

#120 - olamundo - 276w ago
Geohot is an excellent hacker, sure he would hack the PS3, but after he betrayed the iPhone Dev-Team after leaking their unlock for iPhone 3Gs, it would be hard to trust him.

#119 - mondoparalelo - 276w ago
Quote Originally Posted by RexVF5:
Oh man - I have posted this a few times already and need to do it again: read something about Public-key cryptography ([Register or Login to view links]). This mechanism ensures that private keys do not need to be present at all on the PS3! Only public keys are enough to decrypt/check stuff (it would be quite helpful to be able to decrypt binaries, for example to try to find some exploit). So no hardware manipulation will help you at all. And these are still protected by the chain of trust...

Ok then, got it about the private/public keys. As I stated earlier, I'm no expert on this subject, so there's no need for flaming. If you know better, please care to explain. I'd appreciate it a lot.

But then again, as quoted from xorloser's blog by PS3News in this very thread:
xorloser says:
August 17, 2009 at 4:35 pm
Correct, lv1.self is the hypervisor. The keys to decrypt it are stored inside lv1ldr, which is a secure loader that runs on the SPU. So to get the lv1 decryption keys you first need the secure loader decryption keys and decrypt lv1ldr. This chain of trust goes back to the initial bootloader that is encrypted using a key stored in the Cell hardware itself. So you find a way around the chain of trust if you want to decrypt the hypervisor.

So how do you expect to decrypt anything when every time you try to do it you're taken to a deeper layer of encryption that will only stop at the Cell hardware?

If you cannot obtain any encryption key in the middle of the way and you don't have access to memory, how else are you supposed to get the keys if not by trying to rip it off the hardware itself? And what do you mean by "no hardware manipulation will help you at all. And these are still protected by chain of trust"?

#118 - RexVF5 - 276w ago
Quote Originally Posted by mondoparalelo:
That's Trusted Computing (check Wikipedia) and it seems that the PS3 is the first fully functional Trusted Computing device to be largely distributed to people in general, as it has all the requirements for this type of technology. It's very likely that the PS3 itself is a console developed in a way as to test the security of such new tech, since we all know any console would be under heavy attack by hackers for obvious reasons.

Oh man - I have posted this a few times already and need to do it again: read something about Public-key cryptography ([Register or Login to view links]). This mechanism ensures that private keys do not need to be present at all on the PS3! Only public keys are enough to decrypt/check stuff (it would be quite helpful to be able to decrypt binaries, for example to try to find some exploit). So no hardware manipulation will help you at all. And these are still protected by the chain of trust...
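The point RexVF5 makes in #118 and #121, and the staged loader chain xorloser describes in the quote in #119 (bootloader, then lv1ldr, then lv1), can be shown in a few lines. The following is an added example written for this page, not code from the thread, from geohot or from any PS3 loader: it uses textbook RSA with a fixed toy modulus and no padding, collapses the per-stage keys into a single vendor key, and the stage names and image contents are constructed stand-ins. A device holding only the public half can check every stage and refuse a modified one, but cannot produce a signature that verifies.

```python
"""Toy chain-of-trust verifier (constructed example; textbook RSA, no padding).

Models the point made in the thread: the device ships only a public key, which
is enough to check that each boot stage (bootldr -> lv1ldr -> lv1) is genuine,
but cannot be used to produce a signature for a modified stage.
"""
import hashlib
import math

E = 65537
# Fixed toy modulus built from two Mersenne primes (2^521-1 and 2^607-1). This is a
# constructed demo key; real keys are randomly generated and never reused like this.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)  # private exponent: stays with the vendor, never on the device

PUBLIC_KEY = (E, N)   # what the device holds
PRIVATE_KEY = (D, N)  # what only the signer holds

# Constructed stand-ins for the three loader stages named in the thread.
STAGES = [
    ("bootldr", b"bootldr: first stage, root key burned into hardware"),
    ("lv1ldr", b"lv1ldr: secure loader running on the SPU"),
    ("lv1", b"lv1.self: the hypervisor"),
]


def digest(data: bytes) -> int:
    """SHA-256 of the image as an integer (always < N, so textbook RSA applies directly)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Vendor side: signature is digest^d mod n."""
    d, n = private_key
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Device side: signature^e mod n must equal the digest of the image actually loaded."""
    e, n = public_key
    return pow(signature, e, n) == digest(data)


def build_chain(stages, private_key):
    """Vendor side: attach a signature to every stage image."""
    return [(name, blob, sign(blob, private_key)) for name, blob in stages]


def boot(chain, public_key):
    """Walk the stages in order, stopping at the first whose signature does not check out."""
    booted = []
    for name, blob, sig in chain:
        if not verify(blob, sig, public_key):
            return booted, f"refused: {name} failed signature check"
        booted.append(name)
    return booted, "ok"


def patch_stage(chain, name, new_blob):
    """Swap one stage image while keeping its original signature: how a patched image presents to the verifier."""
    return [(n, new_blob if n == name else b, s) for n, b, s in chain]


def attempt_sign_without_private_key(data: bytes, public_key) -> int:
    """Use the public exponent in place of the private one: all a public-key holder can compute."""
    e, n = public_key
    return pow(digest(data), e, n)


if __name__ == "__main__":
    chain = build_chain(STAGES, PRIVATE_KEY)
    print(boot(chain, PUBLIC_KEY))
    patched = patch_stage(chain, "lv1", b"lv1.self: patched hypervisor")
    print(boot(patched, PUBLIC_KEY))
    forged = attempt_sign_without_private_key(patched[2][1], PUBLIC_KEY)
    print(verify(patched[2][1], forged, PUBLIC_KEY))
```

Running the script boots the untouched chain, stops at lv1 once its image is changed, and shows that a "signature" computed with the public exponent does not verify. Dumping the device's public key, by whatever means, changes none of these three outcomes, which is the substance of RexVF5's point; what it would give an analyst is the ability to check or decrypt images, not to make new ones pass.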

#117 - mondoparalelo - 276w ago
Quote Originally Posted by Llacune:
This definitely looks promising... Although I personally think the way to go is HDD decryption and re-encryption.

Which you cannot do since the encryption keys are protected through a long "chain of trust" (as Geohot said) that ultimately leads to the Cell hardware.

That's Trusted Computing (check Wikipedia) and it seems that the PS3 is the first fully functional Trusted Computing device to be largely distributed to people in general, as it has all the requirements for this type of technology. It's very likely that the PS3 itself is a console developed in a way as to test the security of such new tech, since we all know any console would be under heavy attack by hackers for obvious reasons.

To me (and I'm no expert) it looks like the only two means by which this type of security would be broken are:
1) Find a way to obtain the private and public endorsement keys somehow via hardware manipulation, since the private key would never be obtained through a virtual environment as it never leaves the chip. I have absolutely no idea if this is even possible at this moment, you know, to read hardware... but eventually, I think it could be done one day.

2) Breach the curtained memory so the encryption keys might be read. This wouldn't get the private endorsement key but would get the means to communicate and authenticate to it and would open a hole in the chain of trust that could lead not only to the decryption of the HDD but also allow hackers to find ways to spoof remote attestation. This is, I think, the most likely way of doing it in the long run since it's inevitable that one day programmers will understand how curtained memory works.

So, for now, I think we have to trust the devs work and wait for things to happen.
