Tag Archives: modchip

[PS3] Firmware 3.42 Breaks Jailbreaks

Sony tries to rearm their game console flagship. Most of you using your Playstations will likely have found out: since the end of last week Sony broadcasts a new firmware 3.42. They say it fixes security issues, which not quite wrong. But do we wanna have this issue fixed?

At the moment for online players there doesn’t seem to exist any other possibility but updating, so be aware you’re gonna lose root access to your fav console and it will possibly not come back anytime soon.

For all the others playing once in a while and mostly offline: just don’t update. We really suppose something is being worked on in the background to allow updating and not losing root access, but let’s see. Sony’s fighting with two armies: the army of technicians, and the army of darkness: they got aweful lawyers also out there ;-)

[PS3] Game Over – PS Jailbreak Exploit Is Public Now

A community around french hacker Mathieulh has provided information and assumptions of the PS Jailbreak’s bowels. Find the original article here and a PDF copy here.


Picture is courtesy of PS3News.com

Sniffed Code and Processing

As of yesterday they say they successfully managed to clone PS Jailbreak and they will document the exploit on the PS3 Wiki soon.

Moreover PS3News.com released the sniffed USB stream of the PS Jailbreak device:

(..) Descrambler sniffed the USB traffic and shared the log.(..)

  • The PSJailbreak is inserted
  • It connects with the host (PS3) and sends 09 02 12 00 01 00 00 80 + all the bytes from the first packet starting at 0008 up to 00EFF.
  • The stack is overwritten and the PS3 jumps into code from the packet
  • The Atmega sends a “USB Disconnect command”
  • The last three steps are repeated four times
  • It connects with the host and sends 09 02 4D 0A 01 01 00 80 + the bytes from the second packet starting at 0008 up to 0A4C
  • The stack is overwritten and the PS3 jumps into code from the packet
  • The Atmega sends a “USB Disconnect command”
  • The last three steps are repeated twice.

Voilà… The PS3 is in “Debug Mode”.

Apparently the third and fourth byte of the after the 09 02 are the numbers of bytes to be sent. At least this goes for the second log (4D 0A->0A4D bytes)…

The first 8 bytes are from the usb protocol left [09 02 ... ]
The code will be pushed four times onto ps3 usb stack:
00000: 09 02 12 00 01 00 00 80 FA 09 04 00 00 00 FE 01
00010: 02 00 00 00 00 00 00 00 FA CE B0 03 AA BB CC DD
00020: 38 63 F0 00 38 A0 10 00 38 80 00 01 78 84 F8 06
00030: 64 84 00 70 38 A5 FF F8 7C C3 28 2A 7C C4 29 2A
00040: 28 25 00 00 40 82 FF F0 38 84 00 80 7C 89 03 A6
(..) this is a snipped only.

Find the whole sniffed hex code and asm readable code here and as 7zip downloadable archive here

Our Comments

Well, this game is over. It’s pretty sure, that the commercial hackers have lost and so do the chinese clone makers. Even before the devices have been made available to the masses.

We suppose this might not have happened if Sony wouldn’t have disabled the Other-OS/Linux feature a couple of months ago. At that point only GeoHot and XorLoser were attacking the PS3 with a rather mass-incompatible but techie approach, that includes badly glitching technics.

Now this new bootloader exploit is known to the community. In fact, it is only a matter of days until a free open source solution will be available on the internet.

[PS3] Sony Australia Vs. PS Jailbreak Suppliers

Sony Australia somehow managed to get court orders for a temporary injunction against australian based modchip sellers like OZModChips, ModSupplier and Quantronics. Until today (Aug 31st, 2010) none of the modchip sellers is allowed to sell any PS Jailbreak device they rather have to give up the whole stock that they get until today.

Well this doesn’t come unexpected as modchip sellers in Europe have had the same legal battles a couple of years ago.

We don’t believe Sony will win in the end. Their strategy can only be delaying the inevitable. As a matter of fact, the PS3 has eventually been broken, the PS Jailbreak device samples have already been fully reverse engineered by a couple of chinese manufacturers and also by other teams.

A free open source solution is most likely to be released sooner or later.

[PS3] Hacking the Hackers: PS Jailbreak Reverse Engineered

German Gamefreax claim to have reverse engineered a testing PSJailbreak device. They say this exploit is based on emulating of a USB hub which gets virtual devices attached and unattached at certain points during the boot process.

Among those emulated devices there is also one that uses the ID of Sony’s JIG module. Anyway Gamefreax claim this hack is based on a self developed exploit. Dumped files that might support this claim are not available at this moment…

Picture snippet of USB Stream is courtesy of Gamefreax.de

[PS3] XorLoser Releases PS3 Exploit Toolkit

Notorious XorLoser has fully rewritten GeoHot’s PS3 glitch attack programs, that allow more convenient exploiting. He names it XorHack.

It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

  • ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
  • dumphv – Dumps the hypervisor to a file in the current directory.
  • dumpbl – Dumps the bootloader to a file in the current directory.
  • dumprom – Dumps the system  rom to a file in the current directory.

Links

» XorLoser: XorHack – The PS3 Exploit Toolkit
» GeoHot: Here’s Your Silver Platter

Picture is courtesy of XorHack

[PS3] GeoHot Opens All HV’s SPUs / XorLoser Preps Manual

Obviously notorious George Hotz has managed to get all 7 SPUs of the Playstation 3’s CPU under his control. This means although he cannot access the CPU’s root key, he now can decrypt everything that’s going thru these SPUs like datastreams of (encrypted) commercial games.

The PPU is higher on the control chain then the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

In the meantime another hacker going under the nick XorLoser has released a more detailed manual of how to use GeoHot’s exploitation files and how to do the glitching.

Besides that XorLoser maintains a plugin for reverser’s beloved Interactive Disassembler (IDA) that contains special PPC instructions for Xbox360 and PS3.

Congratulations to GeoHot. Kudos fly out to XorLoser.

Links

» GeoHot: On Isolated SPUs
» XorLoser: PS3 Exploit – Software
» XorLoser: PS3 Exploit – Hardware
» XorLoser: PS3 and Xbox360 IDA PlugIn
» Hex-Rays.com: IDA Pro

[PS3] GeoHot Hacks PS3’s Hypervisor Protection

Notorious iPhone hacker GeoHot has succesfully circumvented the Playstation’s security system. According to his latest blog entry, he has dumped LV0 and LV1 code, thus allowing him to (theoretically) run code on the processor, bypassing the hypervisor.

The Playstation’s hypervisor is intended to run third party software (like Yellow Dog Linux) on a virtualized level, thus maintaining system integrity and protection of the host system. Within this virtualized environment arbitrary access to certain hardware devices has been disabled, thus allowing only basic access to the graphic processing unit (GPU) for example.

GeoHot seems to have broken the chain of trust. This means he can bypass the hypervisor to directly access hardware like the GPU with his custom code. Anyway he has not released any further information or proof of his work. But hey, it is not anyone, it is GeoHot, so it seems solid.

We compiled some links for people being interested in the hypervisor protection topic.

» GeoHot: Hello hypervisor, I’m GeoHot
» WeboPedia.com: Virtualization – All About Hypervisors
» PS3News: Overview on Security architecture of the PS3
» PS2Dev Wiki: Details about hypervisor functions of the PS3 and Toshiba’s CellEB
» PS3News: A PS3 Game’s Flow of Execution; PS3’s base AIX


Massive Attack: Protection (1995)…

[PS3] Infectus Chip downgrades Playstation 3 Firmware

The first mod chip has been released a couple of days for the Playstation 3 (PS3). It allows installation of any firmware revision you prefer for your best gaming experience, means you can up- and downgrade to whatever firmware you like (see video below). And no: it does not allow playing backups of your games. Even if you could afford a blu ray burner you cannot backup PS3 games currently.

The interesting point is: this chip is platform independent and can also be installed into Nintendo’s Wii or Microsoft’s XBOX 360. Since we don’t know for sure about the legal situation for such a mod chip in our beloved Germanistan, we will not include any links in this article. You know how to find, otherwise you would not be here ;-) Thanks for your understanding.