Sony tries to rearm their game console flagship. Most of you using your Playstations will likely have found out: since the end of last week Sony broadcasts a new firmware 3.42. They say it fixes security issues, which not quite wrong. But do we wanna have this issue fixed?
At the moment for online players there doesn’t seem to exist any other possibility but updating, so be aware you’re gonna lose root access to your fav console and it will possibly not come back anytime soon.
For all the others playing once in a while and mostly offline: just don’t update. We really suppose something is being worked on in the background to allow updating and not losing root access, but let’s see. Sony’s fighting with two armies: the army of technicians, and the army of darkness: they got aweful lawyers also out there ;-)
Consumers and organizations that currently use the “Other OS” feature can choose not to upgrade their PS3 systems, although the following features will no longer be available;
Ability to sign in to PlayStation Network and use network features that require signing in to PlayStation Network, such as online features of PS3 games and chat
Playback of PS3 software titles or Blu-ray Disc videos that require PS3 system software version 3.21 or later
Playback of copyright-protected videos that are stored on a media server (when DTCP-IP is enabled under Settings)
Use of new features and improvements that are available on PS3 system software 3.21 or later
For those PS3 users who are currently using the “Other OS” feature but choose to install the system software update, to avoid data loss they first need to back-up any data stored within the hard drive partition used by the “Other OS,” as they will not be able to access that data following the update.
Notorious XorLoser has fully rewritten GeoHot’s PS3 glitch attack programs, that allow more convenient exploiting. He names it XorHack.
It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:
ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
dumphv – Dumps the hypervisor to a file in the current directory.
dumpbl – Dumps the bootloader to a file in the current directory.
dumprom – Dumps the system rom to a file in the current directory.
Obviously notorious George Hotz has managed to get all 7 SPUs of the Playstation 3’s CPU under his control. This means although he cannot access the CPU’s root key, he now can decrypt everything that’s going thru these SPUs like datastreams of (encrypted) commercial games.
The PPU is higher on the control chain then the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.
In the meantime another hacker going under the nick XorLoser has released a more detailed manual of how to use GeoHot’s exploitation files and how to do the glitching.
Besides that XorLoser maintains a plugin for reverser’s beloved Interactive Disassembler (IDA) that contains special PPC instructions for Xbox360 and PS3.
Congratulations to GeoHot. Kudos fly out to XorLoser.
Notorious iPhone hacker GeoHot has succesfully circumvented the Playstation’s security system. According to his latest blog entry, he has dumped LV0 and LV1 code, thus allowing him to (theoretically) run code on the processor, bypassing the hypervisor.
The Playstation’s hypervisor is intended to run third party software (like Yellow Dog Linux) on a virtualized level, thus maintaining system integrity and protection of the host system. Within this virtualized environment arbitrary access to certain hardware devices has been disabled, thus allowing only basic access to the graphic processing unit (GPU) for example.
GeoHot seems to have broken the chain of trust. This means he can bypass the hypervisor to directly access hardware like the GPU with his custom code. Anyway he has not released any further information or proof of his work. But hey, it is not anyone, it is GeoHot, so it seems solid.
We compiled some links for people being interested in the hypervisor protection topic.