Results 61 to 80 of 80
  1. #61
    fe_man2000 (DF VIP Member)

    Re: PS3 Hypervisor Hacked

    Think it's going to be a while before anything that means anything comes out.

    At best, expect a "hello world" at some point in the coming weeks/months.

  2. #62
    HELPERS (DF VIP Member)

    George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

    The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

    Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

    The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

    George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

    His approach is clever and is known as a “glitching attack”. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

    George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to set up the RAM to give a higher likelihood of success than it would first appear.

    His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.

    The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.

    The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

    At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.

    The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

    It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.

    Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.

    It will be interesting to see how Sony responds with future updates to prevent this kind of attack.
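The allocate / duplicate-map / release sequence and the read-back fix that the analysis in the post above describes, modelled as an added example. This is not code from the post, from geohot's exploit or from Sony's lv1: the class names, the 64-slot table, the buffer address and the representation of the glitch as a single dropped write cycle are all assumptions chosen so the race is reproducible and the effect of the fix can be checked.

```python
"""Toy model of the HTAB teardown race and the read-back fix described in the
post above.  Added example, not code from the post, from geohot's exploit or
from Sony's lv1; slot count, addresses and the dropped-write "glitch" are
assumptions for illustration."""

HTAB_SLOTS = 64        # assumed HTAB size; the real table is far larger
FREE = None            # an unused HTAB slot
GUEST_BUF = 0x1000     # assumed address of the guest's throwaway buffer


class GlitchedRAM:
    """RAM whose chosen write cycle(s) are dropped, standing in for a pulse
    on a memory bus line while the hypervisor is tearing down mappings."""

    def __init__(self, nslots, drop_writes=()):
        self.slots = [FREE] * nslots
        self.drop_writes = set(drop_writes)   # write sequence numbers to lose
        self.nwrites = 0

    def write(self, idx, value):
        self.nwrites += 1
        if self.nwrites in self.drop_writes:
            return                            # the cycle never reaches RAM
        self.slots[idx] = value

    def read(self, idx):
        return self.slots[idx]


class Hypervisor:
    """Minimal lv1 stand-in: owns the HTAB, tracks which buffers the guest
    currently owns, and optionally verifies each teardown write."""

    def __init__(self, ram, verify_writes=False):
        self.ram = ram
        self.verify_writes = verify_writes
        self.owned = set()
        self.halted = False

    def allocate(self, buf):
        self.owned.add(buf)

    def map(self, slot, buf):
        if buf in self.owned:                 # guests may only map their own memory
            self.ram.write(slot, buf)

    def release_memory(self, buf):
        """Clear every mapping to buf, then return it to the free pool."""
        for slot in range(len(self.ram.slots)):
            if self.ram.read(slot) != buf:
                continue
            self.ram.write(slot, FREE)
            if self.verify_writes and self.ram.read(slot) is not FREE:
                self.halted = True            # the write did not land: stop here
                return
        self.owned.discard(buf)

    def dangling_mappings(self, buf):
        """Slots that still map buf although the guest no longer owns it."""
        if buf in self.owned:
            return []
        return [s for s in range(len(self.ram.slots)) if self.ram.read(s) == buf]


def run_release_race(drop_write=None, verify_writes=False):
    """Replay the post's sequence: allocate, create many duplicate mappings,
    release, and optionally lose one write cycle during the release."""
    drops = () if drop_write is None else (drop_write,)
    hv = Hypervisor(GlitchedRAM(HTAB_SLOTS, drops), verify_writes)
    hv.allocate(GUEST_BUF)
    for slot in range(HTAB_SLOTS):            # writes 1..HTAB_SLOTS
        hv.map(slot, GUEST_BUF)
    hv.release_memory(GUEST_BUF)              # writes HTAB_SLOTS+1..2*HTAB_SLOTS
    return hv


def guest_can_write_freed_buffer(hv):
    """True when the guest keeps a mapping to memory lv1 may now hand to a
    new HTAB: the condition the rest of the exploit builds on."""
    return not hv.halted and bool(hv.dangling_mappings(GUEST_BUF))


if __name__ == "__main__":
    clean = run_release_race()
    glitched = run_release_race(drop_write=100)       # hits the release of slot 35
    fixed = run_release_race(drop_write=100, verify_writes=True)
    print("no glitch        :", guest_can_write_freed_buffer(clean))
    print("glitch, no check :", guest_can_write_freed_buffer(glitched),
          "dangling slots", glitched.dangling_mappings(GUEST_BUF))
    print("glitch, read-back:", guest_can_write_freed_buffer(fixed),
          "halted", fixed.halted)
```

Dropping write 100 lands on the teardown of slot 35, so the unchecked hypervisor finishes the release with that slot still pointing at memory the guest no longer owns, which is the state the later HTAB-overwrite step needs. The read-back variant notices the mismatch on that slot and halts before the buffer goes back to the free pool. Two caveats a real implementation would have to weigh: the model drops exactly one write so the outcome is deterministic, whereas a real pulse is probabilistic and is simply retried; and a read-back only catches a dropped write, so a glitch that also corrupts the read, or that lands in a different part of lv1, is outside what this check covers.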

  3. #63
    ek247 (DF VIP Member)

    from Modshacks.net

    A well known hacker in the console hacking scene has said that Geohot's PS3 exploit will not lead to a proper hack that allows for PS3 homebrew or backup games.
    [Quote]
    So the PS3 is hacked? Well, that's nothing more than an urban legend.
    “Although it's nice to capture all these HV calls and stuff from a plain (not encrypted) lv1 binary, this will never lead to a hacked PS3.
    Let's have a look.
    The major security architecture on the PS3 is called the “Secure Processing Vault” and is the most important thing regarding “hacking” the PS3.
    There is NO WAY for the PPU or even the HV to gain access to the SPU, which is an application running inside of an isolated SPU.
    Well, you can kick out the isolated SPU, like geohot mentioned, but this gives you nothing, as ALL the encryption and execution of applications (HDD encryption, app encryption, decryption, executing, signature checking, root key extraction) happens inside the isolated SPU.
    To run homebrew on the PS3 you would have to reassemble the whole functionality of the SPU inside a binary running on the PPU.
    For this you will need the root key. The root key is stored in hardware (not even close to the things on the iPhone). The root key cannot be extracted by any software or hardware means and is essential to ALL encryption/decryption, executing and checking routines.
    The only way to get the root key is inside of an isolated SPU, as it is kick-starting the hardware encryption facility. There is no other way to do that!
    Let's just assume that geohot or some other guys are able to break into the local store of the isolated SPE. There they will just find some encrypted binaries.
    The key for decryption is encrypted by the root key!
    You won't get anywhere without the root key.
    Let's assume that someone managed to do all that stuff from the isolated SPU on the PPU and creates a CFW.
    There is still a secure booting environment. The first module loaded/booted is integrity checked by the hardware crypto facility utilizing the root key. So you also have to address this booting stuff. Again, no root key, no booting.
    So there's always runtime patching, you might ask? Not possible on the PS3, because the hardware crypto facility is able to check the signatures whenever it wants to. And which part is responsible for this? Exactly, the isolated SPU.
    So if you kick out the isolated SPU the system will not boot/run anymore.
    The PS3 is neither a PSP nor an iPhone. It's the most secure system architecture of this time!
    The girl behind this stuff, Kanna Shimizu, is not somebody. Messing around with this is not like saying Bruce Schneier is a n00b.
    Btw: forget about all those stories that certain hackers are or will be employed by SONY. That's nothing more than another urban legend.
    @geohot It is OBVIOUS that the HV is PPC. The Cell BE is a PPC architecture, you know. Better read those IBM papers in the first place!”

  4. #64
    maltloaf (DF Admin)

    Sounds like jealousy to me. Time will tell...

  5. #65
    Chubbs (DF VIP Member)

    Quote Originally Posted by maltloaf View Post
    Sounds like jealousy to me. Time will tell...
    Random isn't; he makes it sound like GeoHot's efforts are old news, yet Geo's work is all new to me. Could he have done better?

    Might be some rep in being the first nay-sayer?

  6. #66
    Raptor (DF Founder)

    He's in the console scene so naturally he's a little bitch.

  7. #67
    jojomuniandy (DF VIP Member)

    Your gut feeling is correct.

    Quote Originally Posted by mysterym View Post
    My gut feeling is that a modern-day PC would trounce the 4+ year old Cell processor; yes, it has SPEs, but they are more like DSPs than fully fledged processor cores.

    The belief that the PS3 is some mythical supercomputer is unfounded.

  8. #68
    Rick Sanchez (DF Super Moderator)

    Quote Originally Posted by B3ARKILLA.UK View Post
    Video encoding? It plays Blu-ray at 1080p and it has already been confirmed that it will play 3D with a firmware update.
    This is what I don't get, as the AV manufacturers etc. say you need HDMI 1.4 to view 3D.

  9. #69
    EvilBoB (DF Moderator)

    Quote Originally Posted by hilljd00 View Post
    This is what I don't get, as the AV manufacturers etc. say you need HDMI 1.4 to view 3D.
    This has gone a bit off topic. To answer this, however: you will find that 3D does not REQUIRE HDMI 1.4. Sony will probably develop their own BD3DROM format or something to enable it to play. As the PS3 is essentially a computer and the BD software can be programmed however you want, there is no reason at all why you couldn't have 3D over SCART if you were that way inclined.

    What do you reckon, will Sony try and ram another of their "formats" down our throats, only working with Bravia TVs and Sony Blu-ray players? lol

  10. #70
    Flat (DF VIP Member)

    Still no PoC videos?

  11. #71
    HELPERS (DF VIP Member)

    I can remember way back, many telling people I knew "yeah, that's impossible", then some bloke turned up at a computer fair with 64 games the world did not even have lolol and a machine that played them all, 100 percent. Wicked days in the past.............

    Probably about 12-16 months away, but you will see custom stuff on this baby now, I think. Doesn't matter for me about the copies, I am happy with what I've got, but some cool PC stuff and extra code would be very nice to see, and playing old stuff. Cool. XP on your PS3, or even Win 7?

  12. #72
    Sanj[UK] (DF VIP Member)

    Win7 would be slow as fuck on the PS3; it would have to be emulated, as the PS3 is PPC.

    You could (somehow) get Tiger OS X running on it though, and some Linux distros, along with Windows CE.

  13. #73
    Raptor (DF Founder)

    Quote Originally Posted by HELPERS View Post
    I can remember way back, many telling people I knew "yeah, that's impossible", then some bloke turned up at a computer fair with 64 games the world did not even have lolol and a machine that played them all, 100 percent. Wicked days in the past.............
    lol

  14. #74
    Neo\nsc (DF VIP Member)

    I remember that day well, HELPERS.

  15. #75
    HELPERS (DF VIP Member)

    Anti Geohack Patent?

    Recently a new patent by a SONY employee was published on the patent site at faqs.org. It seems it is SONY's answer to Geohot's progress. Take a look here:

    "A method, system, and computer-usable medium are disclosed for controlling unauthorized access to encrypted application program code. Predetermined program code is encrypted with a first key. The hash value of an application verification certificate associated with a second key is calculated by performing a one-way hash function. Binding operations are then performed with the first key and the calculated hash value to generate a third key, which is a binding key. The binding key is encrypted with a fourth key to generate an encrypted binding key, which is then embedded in the application. The application is digitally signed with a fifth key to generate an encrypted and signed program code image. To decrypt the encrypted program code, the application verification key certificate is verified and in turn is used to verify the authenticity of the encrypted and signed program code image. The encrypted binding key is then decrypted with a sixth key to extract the binding key. The hash value of the application verification certificate associated with the second key is then calculated and used with the extracted binding key to extract the first key. The extracted first key is then used to decrypt the encrypted application code."
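The key-binding flow in the patent abstract quoted above, carried through end to end as an added example (not code from the post or from Sony). The abstract names no algorithms, so these are assumptions: SHA-256 for the one-way hash, a SHA-256 counter-mode keystream in place of the block cipher, HMAC-SHA256 in place of the public-key signature (so the fourth/sixth and fifth/verification keys each collapse to one shared key), XOR as the "binding operation", and constructed keys and certificate strings. What it shows is the point of the binding: the first key is only recoverable with the exact certificate the image was signed against.

```python
"""Model of the key-binding flow in the patent abstract quoted above.
Added example, not code from the post or from Sony; hash, cipher,
signature and binding operation are all assumed stand-ins."""
import hashlib
import hmac


def keystream(key, length, label):
    """SHA-256 in counter mode, used here as a stand-in stream cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, data, label):
    return xor(data, keystream(key, len(data), label))


decrypt = encrypt  # XOR with a keystream is its own inverse


def bind(first_key, cert_hash):
    """Binding operation (assumed XOR): invertible only with the same hash."""
    return xor(first_key, cert_hash)


def package(code, first_key, cert, wrap_key, sign_key):
    """Producer side: encrypt the code with the first key, bind that key to
    the hash of the verification certificate, wrap the binding key with the
    fourth key, embed it, and sign the whole image with the fifth key."""
    enc_code = encrypt(first_key, code, b"code")
    binding_key = bind(first_key, hashlib.sha256(cert).digest())
    enc_binding = encrypt(wrap_key, binding_key, b"bind")
    body = enc_code + enc_binding + cert
    sig = hmac.new(sign_key, body, hashlib.sha256).digest()
    return {"enc_code": enc_code, "enc_binding": enc_binding, "cert": cert, "sig": sig}


def derive_first_key(image, unwrap_key, cert):
    """Unwrap the binding key (sixth key) and undo the binding with the hash
    of whatever certificate the caller presents."""
    binding_key = decrypt(unwrap_key, image["enc_binding"], b"bind")
    return bind(binding_key, hashlib.sha256(cert).digest())


def load(image, issuer_key, cert_sig, unwrap_key, verify_key):
    """Loader side: verify the certificate, verify the image, unwrap,
    re-derive the first key, decrypt.  Returns None if any check fails."""
    cert = image["cert"]
    cert_mac = hmac.new(issuer_key, cert, hashlib.sha256).digest()
    if not hmac.compare_digest(cert_mac, cert_sig):
        return None                                 # certificate not trusted
    body = image["enc_code"] + image["enc_binding"] + cert
    image_mac = hmac.new(verify_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(image_mac, image["sig"]):
        return None                                 # image or certificate altered
    first_key = derive_first_key(image, unwrap_key, cert)
    return decrypt(first_key, image["enc_code"], b"code")


def constructed_key(name):
    """Deterministic 32-byte key for the demo; constructed, not real material."""
    return hashlib.sha256(b"constructed:" + name).digest()


def demo():
    """Constructed keys and certificates; returns the values worth checking."""
    first_key, wrap_key = constructed_key(b"first"), constructed_key(b"wrap")
    sign_key, issuer_key = constructed_key(b"sign"), constructed_key(b"issuer")
    cert_a, cert_b = b"app-verification-cert:A", b"app-verification-cert:B"
    sig_a = hmac.new(issuer_key, cert_a, hashlib.sha256).digest()
    sig_b = hmac.new(issuer_key, cert_b, hashlib.sha256).digest()
    code = b"hello world from a bound application image"
    image = package(code, first_key, cert_a, wrap_key, sign_key)
    # Swap in another genuinely issued certificate: the image signature no
    # longer matches, and even with that check skipped the hash changes, so
    # the binding key would unbind to the wrong first key.
    swapped = dict(image, cert=cert_b)
    return {
        "code": code,
        "loaded": load(image, issuer_key, sig_a, wrap_key, sign_key),
        "swapped_cert": load(swapped, issuer_key, sig_b, wrap_key, sign_key),
        "key_right_cert": derive_first_key(image, wrap_key, cert_a) == first_key,
        "key_wrong_cert": derive_first_key(image, wrap_key, cert_b) == first_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value!r}")
```

The two failure paths are the ones the abstract's sequence of checks is built around: a re-certified image fails the signature over (code, wrapped binding key, certificate), and a loader that ignored the signature and simply hashed a different certificate would derive a key that decrypts to garbage rather than to the program. Nothing here models where the sixth (unwrap) key lives, which on the real console is the part the quoted posts argue about.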

  16. #76
    Chubbs (DF VIP Member)

    Quote Originally Posted by HELPERS View Post
    Anti Geohack Patent? [...]
    And the thigh bone is connected to the knee bone...

  17. #77
    HELPERS (DF VIP Member)

    Well, Rap did say Sony would move quickly to block all hacks.

  18. #78
    jamie_h88 (DF VIP Member)

    Are we still allowed to talk about PS3 hack news in here??

  19. #79
    DJ OD (DF VIP Member)

    Not really...


  20. #80
    jamie_h88 (DF VIP Member)

    Cheers
