GeoHot has had a reverse-engineerer’s look into Sony’s high tech gadget and Sony immediately declared war.
Obviously in panic, Sony announced to deactivate Linux (Other-OS) support with their latest firmware 3.21. This was the time when people were wondering how long it would take until GeoHot would reenable it.
The magic PUP files
So it did not take too long. That notorious hacking genious did it. He says he’s using a custom PUP file. A PUP file basically is an update file for the PS3. The interesting point is usually PUP files are signed by Sony.
Could that mean there is a major flaw in Sony’s implementation of checking the authenticity of update files (at least until firmware 3.15, which GeoHot mentions is the latest that allows to install his custom PUP).
Obviously notorious George Hotz has managed to get all 7 SPUs of the Playstation 3’s CPU under his control. This means although he cannot access the CPU’s root key, he now can decrypt everything that’s going thru these SPUs like datastreams of (encrypted) commercial games.
The PPU is higher on the control chain then the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.
In the meantime another hacker going under the nick XorLoser has released a more detailed manual of how to use GeoHot’s exploitation files and how to do the glitching.
Besides that XorLoser maintains a plugin for reverser’s beloved Interactive Disassembler (IDA) that contains special PPC instructions for Xbox360 and PS3.
Congratulations to GeoHot. Kudos fly out to XorLoser.
Notorious iPhone hacker GeoHot has succesfully circumvented the Playstation’s security system. According to his latest blog entry, he has dumped LV0 and LV1 code, thus allowing him to (theoretically) run code on the processor, bypassing the hypervisor.
The Playstation’s hypervisor is intended to run third party software (like Yellow Dog Linux) on a virtualized level, thus maintaining system integrity and protection of the host system. Within this virtualized environment arbitrary access to certain hardware devices has been disabled, thus allowing only basic access to the graphic processing unit (GPU) for example.
GeoHot seems to have broken the chain of trust. This means he can bypass the hypervisor to directly access hardware like the GPU with his custom code. Anyway he has not released any further information or proof of his work. But hey, it is not anyone, it is GeoHot, so it seems solid.
We compiled some links for people being interested in the hypervisor protection topic.
The first mod chip has been released a couple of days for the Playstation 3 (PS3). It allows installation of any firmware revision you prefer for your best gaming experience, means you can up- and downgrade to whatever firmware you like (see video below). And no: it does not allow playing backups of your games. Even if you could afford a blu ray burner you cannot backup PS3 games currently.
The interesting point is: this chip is platform independent and can also be installed into Nintendo’s Wii or Microsoft’s XBOX 360. Since we don’t know for sure about the legal situation for such a mod chip in our beloved Germanistan, we will not include any links in this article. You know how to find, otherwise you would not be here ;-) Thanks for your understanding.