Media have widely reported on the latest step in hacking the Playstation 3 console. Apparently that tiny PS Jailbreak USB dongle turns a consumer PS3 into a debug PS3, which allows games to be run from the internal hard drive or from an attached USB hard drive. The price is said to be around 160 US$. For legal reasons here in Germany we can't link to PS Jailbreak suppliers.
Now PS3Hax.net reports that using PS Jailbreak on Sony’s Playstation Network is very likely to result in being banned:
According to SKFU and RichDevX, the Backup manager game ID (LAUN-12345) could be logged/recorded by Sony when logged into PSN (when online). This would obviously allow Sony to see who would be using the illegal PSjb/clone and we could very well see ban waves similar to the Xbox 360. Sony does currently ban PSN/consoles, which results in the 8002A227 error code.
Redmondpie.com reports that the latest rumors indicate that Chinese clones of the PS Jailbreak, called X3Jailbreak, are also on their way, priced at 40$.
It seems PS3 hacking as a business model is out of date before it even started. We suspect it won't take long until a free open source solution is available on the net as well...
The story is burning through all the Apple related pages. While Apple officials say their iPhone 4G prototype has been stolen, Gizmodo.com argues it was lost by an Apple employee named Gray Powell. Powell is a developer at Apple and currently works on Apple's latest baseband.
It seems Powell lost the device in the German restaurant Gourmet Haus Staudt in Redwood City, California, after having had too much of our wonderful German beer.
Anyway, Gizmodo.com has now got their hands on the device and shows what it's got. Sadly they cannot get past the "connect to iTunes" logo because the device has been deactivated over the air, apparently using MobileMe.
We feel like the iPhone Dev Team or GeoHot should get their hands on that device. Until further news enjoy Gizmodo’s vid:
GeoHot has had a reverse engineer's look into Sony's high-tech gadget, and Sony immediately declared war.
Apparently in panic, Sony announced that it would remove Linux (Other OS) support with its latest firmware, 3.21. From that moment on people were wondering how long it would take until GeoHot re-enabled it.
The magic PUP files
So it did not take too long. That notorious hacking genius did it. He says he is using a custom PUP file. A PUP file is basically an update file for the PS3, and the interesting point is that PUP files are normally signed by Sony.
Could that mean there is a major flaw in Sony's implementation of checking the authenticity of update files (at least up to firmware 3.15, which GeoHot mentions is the latest that allows his custom PUP to be installed)?
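To make the point about "checking the authenticity of update files" concrete, here is an added example that is not part of the original post and not Sony's or GeoHot's code. It uses a made-up, hypothetical update container (magic "TOYPUP", a small header, a payload, an unkeyed SHA-256 digest and a keyed tag); the real PUP layout is not reproduced here. HMAC-SHA256 with an assumed vendor key stands in for the asymmetric signature a console update would actually carry, because the lesson is what the check must cover, not the signature algorithm: a verifier that only recomputes a digest stored inside the file proves integrity, not origin, and anybody can produce a "custom" update that passes it.

```python
"""Toy update-package verifier (constructed example, not a real PUP parser)."""
import hashlib
import hmac
import struct

MAGIC = b"TOYPUP"                      # hypothetical magic, not a real PUP header
TAG_LEN = 32                           # SHA-256 / HMAC-SHA256 output size
HDR_LEN = len(MAGIC) + 8               # magic | version(u32) | payload_len(u32)

# Hypothetical vendor key. On a real console only the vendor holds the signing
# key and the device carries the public half; a symmetric key is used here only
# to keep the example self-contained.
VENDOR_KEY = b"example-vendor-key-not-real"


def build_package(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Layout: header | payload | SHA-256(payload) | HMAC(key, header|payload)."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    digest = hashlib.sha256(payload).digest()
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + digest + tag


def parse(package: bytes):
    """Split a package into its fields, rejecting anything truncated or unknown."""
    if len(package) < HDR_LEN + 2 * TAG_LEN or not package.startswith(MAGIC):
        raise ValueError("not a package")
    version, plen = struct.unpack(">II", package[len(MAGIC):HDR_LEN])
    payload = package[HDR_LEN:HDR_LEN + plen]
    digest = package[HDR_LEN + plen:HDR_LEN + plen + TAG_LEN]
    tag = package[HDR_LEN + plen + TAG_LEN:HDR_LEN + plen + 2 * TAG_LEN]
    if len(payload) != plen or len(tag) != TAG_LEN:
        raise ValueError("truncated package")
    return package[:HDR_LEN], version, payload, digest, tag


def weak_check(package: bytes) -> bool:
    """Integrity only: recomputes the unkeyed digest stored in the file.
    Whoever rewrites the payload can rewrite this digest too, so passing it
    says nothing about who produced the update."""
    _, _, payload, digest, _ = parse(package)
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def strong_check(package: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Authenticity: keyed tag over header AND payload, constant-time compare.
    Covering the header means version and length cannot be swapped either."""
    header, _, payload, _, tag = parse(package)
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def forge_package(original: bytes, new_payload: bytes) -> bytes:
    """What someone without the key can do: swap the payload, recompute the
    unkeyed digest and keep the old keyed tag, hoping the verifier is weak."""
    _, version, _, _, tag = parse(original)
    header = MAGIC + struct.pack(">II", version, len(new_payload))
    return header + new_payload + hashlib.sha256(new_payload).digest() + tag


# Constructed sample data: an "official" package and a forged custom one.
OFFICIAL = build_package(315, b"OFFICIAL FIRMWARE 3.15")
CUSTOM = forge_package(OFFICIAL, b"CUSTOM FIRMWARE WITH OTHER OS")

if __name__ == "__main__":
    for name, pkg in (("official", OFFICIAL), ("custom", CUSTOM)):
        print(f"{name}: weak={weak_check(pkg)} strong={strong_check(pkg)}")
```

The forged package passes `weak_check` and fails `strong_check`; a verifier of the first kind is exactly the sort of flaw that would let a custom PUP through. Whether Sony's check is of that kind, the post above can only speculate.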
Consumers and organizations that currently use the "Other OS" feature can choose not to upgrade their PS3 systems, although the following features will no longer be available:
Ability to sign in to PlayStation Network and use network features that require signing in to PlayStation Network, such as online features of PS3 games and chat
Playback of PS3 software titles or Blu-ray Disc videos that require PS3 system software version 3.21 or later
Playback of copyright-protected videos that are stored on a media server (when DTCP-IP is enabled under Settings)
Use of new features and improvements that are available on PS3 system software 3.21 or later
For those PS3 users who are currently using the “Other OS” feature but choose to install the system software update, to avoid data loss they first need to back-up any data stored within the hard drive partition used by the “Other OS,” as they will not be able to access that data following the update.
The notorious XorLoser has completely rewritten GeoHot's PS3 glitch attack programs so that exploiting becomes more convenient. He calls the result XorHack.
It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:
ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
dumphv – Dumps the hypervisor to a file in the current directory.
dumpbl – Dumps the bootloader to a file in the current directory.
dumprom – Dumps the system rom to a file in the current directory.
Apparently the notorious George Hotz has managed to get all 7 SPUs of the Playstation 3's Cell CPU under his control. This means that although he cannot access the CPU's root key, he can now decrypt everything that goes through these SPUs, like the data streams of (encrypted) commercial games.
The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.
In the meantime another hacker going by the nick XorLoser has released a more detailed manual on how to use GeoHot's exploitation files and how to do the glitching.
Besides that, XorLoser maintains a plugin for the reverser's beloved Interactive Disassembler (IDA) which adds the special PPC instructions of the Xbox 360 and PS3.
Congratulations to GeoHot. Kudos fly out to XorLoser.
The Egyptian neurosurgeon Sherif Hashim seems to have found something very interesting: a way to actually crash the iPhone's baseband 05.12.01, which ships with the latest firmware update 3.1.3.
MuscleNerd of the iPhone Dev Team has confirmed this bug, though the iPhone Dev Team posted later today that they cannot tell yet whether this bug actually leads to an unlock. The iPhone Dev Team also warns of potential scammers trying to rip us off.
More information to come. Congrats to Egypt! Nice find…
A cross-platform jailbreaking, unlocking, and customizing tool for iPhones and iPod touches. Customizations include boot logos, recovery logos, and “verbose” boot. It’s a standalone program that doesn’t use iTunes (no custom IPSWs are involved).
The download links are at the bottom of this page (but please read the whole page anyway!).
We’ve been offering redsn0w in various incarnations over the years (including poorlad’s Windows version of QuickPwn). The most recent release before this one was redsn0w 0.8, which targeted Apple firmware 3.0/3.0.1.
The notorious iPhone hacker GeoHot has successfully circumvented the Playstation's security system. According to his latest blog entry, he has dumped the LV0 and LV1 code, which (theoretically) allows him to run code on the processor, bypassing the hypervisor.
The Playstation's hypervisor is intended to run third-party software (like Yellow Dog Linux) on a virtualized level, thus maintaining system integrity and protecting the host system. Within this virtualized environment arbitrary access to certain hardware devices is disabled; the graphics processing unit (GPU), for example, is only accessible in a basic way.
GeoHot seems to have broken the chain of trust. This means he can bypass the hypervisor and directly access hardware like the GPU with his custom code. He has not released any further information or proof of his work yet. But hey, it is not just anyone, it is GeoHot, so it seems solid.
We compiled some links for people being interested in the hypervisor protection topic.
Unlock Ur iPhone Now (http://www.unlockuriphonenow.com)
Unlocked iPhone (http://www.unlockediphone.info)
Unlock Any iPhone (http://www.unlockanyiphone.net)
iPhone unlocking seems to be a large market. Say any of these companies sold 5,000 unlocks (which is a quite conservative estimate) at an average price of 25 US$. That makes 125,000 US$ for setting up a stupid internet page with stolen and repackaged content.