PlayStation 3 security finally cracking?

I don't generally like to post articles on claims about console hacking. Over the past few years, the PS3 and Xbox 360 have been subject to numerous hoaxes. In the Xbox 360 case, there were several that turned out to be true (especially of late), but so many others that didn't. For the PlayStation 3, there have been a lot of claims made and not a lot has come from them (that's just good security, over three years now).

So I have been following a blog from George Hotz (geohot), who is responsible for several iPhone hacks, on PlayStation 3 (PS3) hacking, and just today I came across a blog entry dated 22 January 2010 with an immediately intriguing title: "Hello hypervisor, I'm geohot". So while I (and most of us) generally ignore things like this that are submitted to us by users, in this case I'm willing to make an exception, even just for the sake of discussion, and out of respect.
Hello hypervisor, I'm geohot
I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3. The rest is just software. And reversing. I have a lot of reversing ahead of me, as I now have dumps of LV0 and LV1.

3 years, 2 months, 11 days...thats a pretty secure system

Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software.

Shout out to George Kharrat from iPhoneMod Brasil for giving me this PS3 a year and a half ago to hack. Sorry it took me so long :)

As far as the exploit goes, I'm not revealing it yet. The theory isn't really patchable, but they can make implementations much harder. Also, for obvious reasons I can't post dumps. I'm hoping to find the decryption keys and post them, but they may be embedded in hardware. Hopefully keys are setup like the iPhone's KBAG.

A lot more to come...
Source: http://geohotps3.blogspot.com/2010/01/hello-hypervisor-im-geohot.html

Written by: James Delahunty @ 22 Jan 2010 20:26
  • 38 comments
  • biglo30

    Wow, 3 years and someone's finally cracked it, can't wait to see what else he uncovers later.

    22.1.2010 20:34 #1

  • PantherM

    3 years is pretty good.....that is like two lifetimes in the world of gadgets....

    22.1.2010 20:36 #2

  • whatevs

    As I said in my PS3 discussion forum thread, geohot has always delivered to his word. However, he is easily annoyed by impatient people. Let's hope for something soon before he becomes overwhelmed by ps3 owners asking "is it done yet? Is it done yet? Is it done yet?"

    22.1.2010 20:38 #3

  • SmOkM

    Won't surprise me if they shift more units, if this takes off.

    I'd certainly think about buying my own.

    22.1.2010 20:42 #4

  • ZippyDSM

    I hope its a simple plug in hack, that would be godly.

    22.1.2010 20:49 #5

  • CJ007

    Wow, just in time for God Of War 3 and Final Fantasy 13. Anyway, I'm still keeping my pre-order.

    22.1.2010 21:33 #6

  • Morreale

    An unrestricted OtherOS? I hope so...

    22.1.2010 22:44 #7

  • KillerBug

    Originally posted by Morreale: An unrestricted OtherOS? I hope so...Let's hope for unrestricted OtherOS (even on slims), PS2 compatibility, the ability to load disk-based games onto the hard drive to save constant swapping, cross-game chat...the sky is the limit now.

    22.1.2010 22:57 #8

  • Promethos

    I had confidence that this guy could deliver on his word. The others just didn't sound as determined as him.

    Hope this finally means other PS3 models can be backward compatible.

    22.1.2010 23:41 #9

  • escalante

    Woah, woah, woah. So everyone's just taking this guy's word for it? I'll wait and see what happens first, thank you. There have been countless attempts and countless hoaxes from mostly respectable crack teams ranging far and wide. What makes this guy's word gold? I'm just a skeptic for now.

    23.1.2010 00:39 #10

  • thor999

    A little too late, IMHO. 3 yrs ago the excitement would be inspiration enough to warrant attempting a hack but now, well why would you? You can run an alternate OS already on the older models, therefore homebrew, am I correct? And blank BR discs are still expensive enough to dissuade me from jumping in.

    23.1.2010 01:11 #11

  • Morreale

    Originally posted by Promethos: I had confidence that this guy could deliver on his word. The others just didn't sound as determined as him.

    Hope this finally means other PS3 models can be backward compatible.
    Most don't even mention the hypervisor at all, just faking new ways to magically play copied games.

    23.1.2010 01:40 #12

  • SDF_GR

    Originally posted by escalante: Woah, woah, woah. So everyone's just taking this guy's word for it? I'll wait and see what happens first, thank you. There have been countless attempts and countless hoaxes from mostly respectable crack teams ranging far and wide. What makes this guy's word gold? I'm just a skeptic for now.Me too, and to be honest, I don't believe it.
    Even if this is true I don't think that Sony won't do anything.
    The only thing that a PS3 hack will accomplish is more frequent FW updates.

    23.1.2010 03:37 #13

  • windsong

    Originally posted by thor999: A little too late, IMHO. 3 yrs ago the excitement would be inspiration enough to warrant attempting a hack but now, well why would you? You can run an alternate OS already on the older models, therefore homebrew, am I correct? And blank BR discs are still expensive enough to dissuade me from jumping in.But..Krazy Ken said the PS3 would last 10 years :)

    Lulz!

    23.1.2010 03:53 #14

  • KillerBug

    Originally posted by thor999: A little too late, IMHO. 3 yrs ago the excitement would be inspiration enough to warrant attempting a hack but now, well why would you? You can run an alternate OS already on the older models, therefore homebrew, am I correct? And blank BR discs are still expensive enough to dissuade me from jumping in.The PS3 is still a current-gen system, in fact it is the most advanced system other than the PC (and it is still faster than most PCs).

    Quality blank Blu-ray disks can be gotten for $3, and ideally, a hack would allow you to run games from the hard drive, to avoid the trouble of disk swapping & burning (and it would allow you to do the job without a BD burner).

    OtherOS lets you run 2D homebrew Linux apps, but there is no 3D support and it does not allow for homebrew PS3 apps.

    23.1.2010 04:18 #15

  • thor999

    All right, educated here!

    23.1.2010 05:01 #16

  • Ryu77

    Originally posted by KillerBug: Quality blank bluray disks can be gotten for $3Are you in the US? Even still, I am in Australia and most on this forum pay much more for dual layer DVD's than I do ($1.00 each) and nowhere have I seen blank Blu-ray discs for $3 each, and you say you can obtain quality discs for this price. The best I can come up with are Ritek's BD25's for $6 each.

    Do you mind sharing which brand and where from?

    23.1.2010 06:05 #17

  • Dela

    Quote:Originally posted by escalante: Woah, woah, woah. So everyone's just taking this guy's word for it? I'll wait and see what happens first, thank you. There have been countless attempts and countless hoaxes from mostly respectable crack teams ranging far and wide. What makes this guy's word gold? I'm just a skeptic for now.Me too, and to be honest, I don't believe it.
    Even if this is true I don't think that Sony won't do anything.
    The only thing that a PS3 hack will accomplish is more frequent FW updates.
    Well as I wrote in the start of the news above, I don't generally like to write claims of hacks of consoles because they so often turn out to be misleading.

    In this case though, I decided to make an exception just based on who this guy is, and the respect he commands online.

    Take a look at the PS3 hack blog he has been maintaining for a few weeks --> http://geohotps3.blogspot.com/ --> so there's no doubt he has gone to extensive lengths to get the PS3 to obey.

    More info on him: http://en.wikipedia.org/wiki/George_Hotz

    And his twitter: http://twitter.com/geohot (almost 40,000 followers).

    So it's not just a random guy coming along and making a claim. He has been working on this for a while and has been followed for several weeks since he started really getting down and dirty with the hardware. I'm not taking anybody as their word, I'm just redirecting his words onto people at aD who might be curious.

    23.1.2010 09:52 #18

  • CJ007

    Quote:Originally posted by KillerBug: Quality blank bluray disks can be gotten for $3Are you in the US? Even still, I am in Australia and most on this forum pay much more for dual layer DVD's than I do ($1.00 each) and nowhere have I seen blank Blu-ray discs for $3 each, and you say you can obtain quality discs for this price. The best I can come up with are Ritek's BD25's for $6 each.

    Do you mind sharing which brand and where from?
    Hi Ryu, yes Blu-ray discs cost less than $3.00 here in the States and they're made by Verb. Link
    http://www.bhphotovideo.com/c/product/59...dable_Disc.html

    23.1.2010 10:15 #19

  • SpiderMoo

    PS3 is really cool :) I'm going to buy it. What crack do you mean?

    23.1.2010 10:21 #20

  • whatevs

    From what I understand, since I've been following geohot, he didn't want to look for a software hack. He was actually looking for a hack that couldn't be patched with a firmware upgrade. He claims he can talk to the ps3 now but then the argument can start to whether or not Sony will start banning these hacked ps3s off the network since patching won't work for them.

    23.1.2010 11:26 #21

  • windsong

    Originally posted by whatevs: From what I understand, since I've been following geohot, he didn't want to look for a software hack. He was actually looking for a hack that couldn't be patched with a firmware upgrade. He claims he can talk to the ps3 now but then the argument can start to whether or not Sony will start banning these hacked ps3s off the network since patching won't work for them.I dont think I would mind being banned from the Sony network as long as I had a PS3 that could play backups. :)

    23.1.2010 13:18 #22

  • lukeboy3

    You can get 15 Philips BD-Rs in a cake box for about $42.00
    from meritline.com. A little over $3.00 each.

    lukeboy3

    23.1.2010 13:20 #23

  • Morreale

    Quote:Originally posted by whatevs: From what I understand, since I've been following geohot, he didn't want to look for a software hack. He was actually looking for a hack that couldn't be patched with a firmware upgrade. He claims he can talk to the ps3 now but then the argument can start to whether or not Sony will start banning these hacked ps3s off the network since patching won't work for them.I dont think I would mind being banned from the Sony network as long as I had a PS3 that could play backups. :)At least you wouldn't be losing the money you paid for an online subscription...

    23.1.2010 13:51 #24

  • Oner

    Quote:Originally posted by KillerBug: Quality blank bluray disks can be gotten for $3Do you mind sharing which brand and where from?Verbatim 25GB 4X BD-R 10 Pack for $24.99 or $2.49 each and they can be burned @ 10x or even 12x ~ STABLE

    And that's only from Newegg! You can get similar deals or sales from Amazon, Meritline and even Fry's Electronics (even more so if you live near one) you just gotta search, compare and catch/buy the deals when they pop up. But honestly I don't even bother myself...I just go to 1 or 2 places and buy a few here and there to stock up when they are on sale instead of searching all day to save .25 cents.

    On topic though ~ I too feel the same about "I'll believe it when I see it" and when I say "see it" I mean when I actually DO IT on 1 of my 3 PS3's as a test and actually PLAY a game...only THEN will I give him props. But honestly this has to be the first REAL threat/possibility coming from someone of his background and what he has actually proved by his iPhone hacking. But we'll see.

    23.1.2010 18:24 #25

  • elbald90

    I can't wait, hurry up and let us know how PLEASE

    23.1.2010 19:46 #26

  • TBandit

    I can't wait to see how this turns out, whether it's a hoax or not, just the PS3 being cracked in general. I hope it ends up something like the Xbox since it has a built-in HDD.

    24.1.2010 05:51 #27

  • Hunt720

    I'm mostly excited about this adding additional multimedia support. If it adds the ability to play .mkv files it seems worth it. The hack is going to need to be streamlined enough that it's not a hassle to use it. My biggest fear is that rampant piracy will overshadow the homebrew and Sony will patch the firmware to disallow it.

    24.1.2010 13:13 #28

  • borhan9

    This is insane, I would really love to see how far they can push the envelope here. Do we lose game quality or the true Blu-ray effect, or does it all stay the same? This is a note to follow.

    24.1.2010 21:56 #29

  • Seanspade

    As for hacking the PS3, it's worth it. It would mean a lot. The PS3 is definitely going to last at least another 3 years, and that's 100+ game releases I may have bought, and maybe some I wouldn't have, but now will get to play.

    As for backwards compatibility, not possible. The Emotion engine must already be in place for the system to play PS2 @ native speeds, so unless you have an original 20 or 60, not happening.

    For the claims that this may not work, you people must be living under a rock. Geohot is not only a hacker, he is PROMINENTLY one of the defining hackers of our time. He just doesn't do the illegal hack into NASA shit you hear on the regular from cutthroat black hat hackers.

    He is the reason the iPhone sold as well as it did. I personally can account for the 100+ iPhones I sold overseas to places that didn't take AT&T because his software allowed me to unlock it.

    If Geohot says it took 5 weeks to hack a PS3, when others have been trying for the whole 3 years, then it's true. He is amazing, and deserves credit. I need PSN, so I may actually buy a THIRD PS3 just to run homebrew.

    25.1.2010 04:25 #30

  • bmlshane

    If the person who has "cracked" the code, will it mean that Sony may try to do something about it, like a legal challenge? We know how they operate, what with the Vaio issues, the "Warranty" sticker, the YSOD issues, etc, etc. They do make some good items, but being profit driven, the customer comes a distant issue at times.

    warlock

    25.1.2010 05:02 #31

  • xnonsuchx

    Originally posted by Seanspade:
    As for backwards compatibility, not possible. The Emotion engine must already be in place for the system to play PS2 @ native speeds, so unless you have an original 20 or 60, not happening.
    The guys saying this might mean PS2-compatibility just don't know what they're talking about...unless they or someone they know is going to write the best PS2 software emulator known.

    Originally posted by Seanspade: He is the reason the iPhone sold as well as it did.Well, I don't think that's so true...last I heard, only around 15% of iPhones are estimated to have been jailbroken, which is still a good #, but it was already a hit before the hacks.

    26.1.2010 20:18 #32

  • KillerBug

    Originally posted by whatevs: From what I understand, since I've been following geohot, he didn't want to look for a software hack. He was actually looking for a hack that couldn't be patched with a firmware upgrade. He claims he can talk to the ps3 now but then the argument can start to whether or not Sony will start banning these hacked ps3s off the network since patching won't work for them.I hope it at least opens the doors to others. I really don't want to pirate games anyhow...I just want to load my games onto the hard drive to save all the disk swapping and laser wear. Plus, MKV support would be nice...and perhaps even some kind of support for some format that would allow for files on USB drives that are larger than 4GB. Oh, and if I was able to play MP3s during ANY game, then that would be sweet too.

    [DFI M2RS] [Athlon 9950] [ATI 3870HD] [Hauppauge WinTV-HVR-1600] [6GB Corsair DDR2] [4x Seagate ST31500341AS + 3ware 9690SA = 4.5TB RAID5] [2x Seagate 750GB + 2x Seagate 500GB + Adaptec 1430SA = 750GB RAID1 + 500GB RAID1] [Intel Gigabit NIC (PCI)] [LG 20X Lightscribe DVDR] [Coolmax 1200w Power Supply] [Logitech G15(first edition)] [Logitech G5(Second Edition)] [320GB Hitachi Boot] [320GB Hitachi Temp/Swap] [Modified and overgrown 4U Rackmount case] [22" & 24" screens mounted overhead] [Perfect Chair 085] [Logitech 5.1 Audio] [Windows 7 RC1]

    26.1.2010 22:57 #33

  • xnonsuchx

    Originally posted by Hunt720: I'm mostly excited about this adding additional multimedia support. If it adds the ability to play .mkv files it seems worth it. The hack is going to need to be streamlined enough that it's not a hassle to use it. My biggest fear is that rampant piracy will overshadow the homebrew and Sony will patch the firmware to disallow it.BTW, the hack is ONLY for OtherOS (i.e. Linux) capable PS3s...not the new slim ones. It is only allowing access to the hardware directly rather than through the HyperVisor via Linux, not hacking the firmware or anything. Oddly, he says the HV isn't even blocking the RSX...that it likely just needs a fully capable Linux driver (even though it was previously claimed that FW 2.1 or something around there locked out the RSX from Linux).

    26.1.2010 23:00 #34

  • gixxer07

    Quote:Originally posted by KillerBug: Quality blank bluray disks can be gotten for $3Are you in the US? Even still, I am in Australia and most on this forum pay much more for dual layer DVD's than I do ($1.00 each) and nowhere have I seen blank Blu-ray discs for $3 each, and you say you can obtain quality discs for this price. The best I can come up with are Ritek's BD25's for $6 each.

    Do you mind sharing which brand and where from?
    If the discs were $10.00 apiece (isn't that cheaper than $60.00??) Yep, it sure is.

    28.1.2010 11:57 #35

  • Chaos66

    this is very interesting reading

    Guys n Girls check this: http://www.ibm.com/developerworks/power/library/pa-cellsecurity/


    Then read this. Taken from another forum.

    To quote: "So the PS3 is hacked ? Well that's nothing more than an urban legend.

    Although it's nice to capture all these HV calls and stuff from a plain (not encrypted) lv1 binary, this will never lead to a hacked PS3.

    Let's have a look. The major security architecture on the PS3 is called the "Secure Processing Vault" and is the most important thing regarding "hacking" the PS3.

    There is NO WAY for the PPU or even the HV to gain access to the SPU, which is an application running inside of an isolated SPU.

    Well you can kick out the isolated SPU, like geohot mentioned, but this gives you nothing, as ALL the encryption and execution of applications (HDD encryption, app encryption, decryption, executing, signature checking, root key extraction) happens inside the isolated SPU.

    To run homebrew on the PS3 you would have to reassemble the whole functionality from the SPU inside a binary running on the PPU. For this you will need the root key.

    The root key is stored in hardware (not even close to the things on the iPhone). The root key cannot be extracted by any software or hardware means and is essential to ALL encryption/decryption, executing and checking routines.

    The only way to get the root key is inside of an isolated SPU, as it is kick-starting the hardware encryption facility. There is no other way to do that !

    Let's just assume that geohot or some other guys are able to break into the local store of the isolated SPE. There they will just find some encrypted binaries.

    The key for decryption is encrypted by the root key ! You won't get anywhere without the root key.

    Let's assume that someone managed to do all that stuff from the isolated SPU on the PPU and creates a CFW.

    There is still a secure booting environment. The first module loaded/booted is integrity checked by the hardware crypto facility utilizing the root key. So you have also to address this booting stuff. Again, no root key, no booting.

    So there's always runtime patching you might ask ? Not possible on the PS3 because the hardware crypto facility is able to check the signatures whenever it wants to.

    And which part is responsible for this ? Exactly, the isolated SPU. So if you kick out the isolated SPU the system will not boot/run anymore.

    The PS3 is neither a PSP nor an iPhone. It's the most secure system architecture of this time !

    The girl behind this stuff, Kanna Shimizu, is not somebody. Messing around with this is not like saying Bruce Schneier is a n00b.

    Btw.: forget about all those stories, that certain hackers are or will be employed by SONY. That's nothing more than another urban legend.

    @geohot It is OBVIOUS that the HV is PPC. The Cell BE is a PPC architecture, you know ;-) Better read those IBM papers in first place !


    That means he does nothing really, just bypasses LV1 security, which is great,
    but Paradox did it before him!

    The hard and impossible thing to do is to get the root key from the
    isolated SPU, and that is by far uncheckable.

    28.1.2010 12:39 #36
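The chain the quoted post sketches (a root key that stays in hardware, per-stage keys that are useless without it, every stage integrity-checked before it runs, and re-checkable while it runs) is easier to reason about as code. The model below is an added illustration written for this page, not Sony's, IBM's or geohot's code, and it makes no claim about how the real PS3 implements any of this: the `SecureVault` class, the function names, the HMAC-SHA256 tags, the SHA-256 counter keystream standing in for a real cipher, and the sample "lv0"/"lv1" image bytes are all constructed for the demo. It shows the four consequences the post draws: a clean boot succeeds, a tampered stage stops the chain, a full dump of the sealed blobs is useless without the root key, and a hot patch to a running image fails the re-check.

```python
"""Toy hardware-rooted boot chain (constructed illustration, not PS3 code)."""
import hashlib
import hmac
import os


class IntegrityError(Exception):
    """A stage failed its check; in this model the boot stops here."""


class SecureVault:
    """Stand-in for an isolated SPU holding a hardware root key (assumed names).

    The root key lives only inside this object. Everything outside it (the PPU,
    the hypervisor, a memory dump) sees only ciphertext and tags.
    """

    def __init__(self, root_key: bytes):
        self._root_key = root_key  # never handed out by any method

    def _stage_key(self, stage: str) -> bytes:
        # Per-stage key derived under the root key (stands in for a wrapped key):
        # without the root key it cannot be reproduced.
        return hmac.new(self._root_key, b"stage-key|" + stage.encode(), hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, length: int) -> bytes:
        # Toy counter-mode keystream from SHA-256; a demo stand-in for a real cipher.
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
            counter += 1
        return bytes(out[:length])

    def seal_stage(self, stage: str, image: bytes) -> dict:
        """Encrypt a stage and tag the ciphertext (encrypt-then-MAC); also tag the
        plaintext so the running image can be re-checked later."""
        key = self._stage_key(stage)
        ct = bytes(a ^ b for a, b in zip(image, self._keystream(key, len(image))))
        return {
            "stage": stage,
            "ciphertext": ct,
            "tag": hmac.new(key, b"ct|" + stage.encode() + b"|" + ct, hashlib.sha256).digest(),
            "image_tag": hmac.new(key, b"img|" + stage.encode() + b"|" + image, hashlib.sha256).digest(),
        }

    def load_stage(self, blob: dict) -> bytes:
        """Verify first, decrypt only on success: no root key, no booting."""
        key = self._stage_key(blob["stage"])
        ct = blob["ciphertext"]
        expect = hmac.new(key, b"ct|" + blob["stage"].encode() + b"|" + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, blob["tag"]):
            raise IntegrityError(f"{blob['stage']}: tag mismatch")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, len(ct))))

    def recheck_running(self, blob: dict, running_image: bytes) -> bool:
        """The 'check signatures whenever it wants' step: catches runtime patches."""
        key = self._stage_key(blob["stage"])
        tag = hmac.new(key, b"img|" + blob["stage"].encode() + b"|" + running_image, hashlib.sha256).digest()
        return hmac.compare_digest(tag, blob["image_tag"])


def boot_chain(vault: SecureVault, blobs: list) -> list:
    """Load stages in order; stop at the first one that fails verification."""
    booted = []
    for blob in blobs:
        try:
            vault.load_stage(blob)
        except IntegrityError:
            break
        booted.append(blob["stage"])
    return booted


# Constructed sample: two stages named after the page's lv0/lv1, contents made up.
ROOT_KEY = os.urandom(32)  # stands in for a key fused into the silicon
vault = SecureVault(ROOT_KEY)
LV0 = vault.seal_stage("lv0", b"LV0 bootloader image (constructed)")
LV1 = vault.seal_stage("lv1", b"LV1 hypervisor image (constructed)")


def demo_clean_boot() -> list:
    return boot_chain(vault, [LV0, LV1])


def demo_tampered_lv1() -> list:
    # Flip one bit of the sealed lv1 blob, as a CFW that edits flash would.
    ct = LV1["ciphertext"]
    patched = dict(LV1, ciphertext=bytes([ct[0] ^ 0x01]) + ct[1:])
    return boot_chain(vault, [LV0, patched])


def demo_dump_without_root_key() -> bool:
    """Attacker holds a full dump of the sealed blobs but only a guessed root key."""
    wrong_vault = SecureVault(os.urandom(32))
    try:
        wrong_vault.load_stage(LV0)
        return True
    except IntegrityError:
        return False


def demo_runtime_patch() -> bool:
    """Hot-patch the decrypted, running lv1 image and ask the vault to re-check it."""
    image = vault.load_stage(LV1)
    patched = image.replace(b"hypervisor", b"hyperviso!")
    return vault.recheck_running(LV1, patched)
```

One caveat the page itself supplies: the model encrypts every stage, yet the quoted post says the lv1 binary in geohot's dump was plain, so in that telling it is the integrity check rather than the encryption that carries the "no root key, no booting" argument.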

  • ZippyDSM

    Originally posted by Chaos66: this is very interesting reading

    Guys n Girls check this: http://www.ibm.com/developerworks/power/library/pa-cellsecurity/


    Then read this. Taken from another forum.

    To quote: "So the PS3 is hacked ? Well that's nothing more than an urban legend.

    Although it's nice to capture all these HV calls and stuff from a plain (not encrypted) lv1 binary, this will never lead to a hacked PS3.

    Let's have a look. The major security architecture on the PS3 is called the "Secure Processing Vault" and is the most important thing regarding "hacking" the PS3.

    There is NO WAY for the PPU or even the HV to gain access to the SPU, which is an application running inside of an isolated SPU.

    Well you can kick out the isolated SPU, like geohot mentioned, but this gives you nothing, as ALL the encryption and execution of applications (HDD encryption, app encryption, decryption, executing, signature checking, root key extraction) happens inside the isolated SPU.

    To run homebrew on the PS3 you would have to reassemble the whole functionality from the SPU inside a binary running on the PPU. For this you will need the root key.

    The root key is stored in hardware (not even close to the things on the iPhone). The root key cannot be extracted by any software or hardware means and is essential to ALL encryption/decryption, executing and checking routines.

    The only way to get the root key is inside of an isolated SPU, as it is kick-starting the hardware encryption facility. There is no other way to do that !

    Let's just assume that geohot or some other guys are able to break into the local store of the isolated SPE. There they will just find some encrypted binaries.

    The key for decryption is encrypted by the root key ! You won't get anywhere without the root key.

    Let's assume that someone managed to do all that stuff from the isolated SPU on the PPU and creates a CFW.

    There is still a secure booting environment. The first module loaded/booted is integrity checked by the hardware crypto facility utilizing the root key. So you have also to address this booting stuff. Again, no root key, no booting.

    So there's always runtime patching you might ask ? Not possible on the PS3 because the hardware crypto facility is able to check the signatures whenever it wants to.

    And which part is responsible for this ? Exactly, the isolated SPU. So if you kick out the isolated SPU the system will not boot/run anymore.

    The PS3 is neither a PSP nor an iPhone. It's the most secure system architecture of this time !

    The girl behind this stuff, Kanna Shimizu, is not somebody. Messing around with this is not like saying Bruce Schneier is a n00b.

    Btw.: forget about all those stories, that certain hackers are or will be employed by SONY. That's nothing more than another urban legend.

    @geohot It is OBVIOUS that the HV is PPC. The Cell BE is a PPC architecture, you know ;-) Better read those IBM papers in first place !


    That means he does nothing really, just bypasses LV1 security, which is great,
    but Paradox did it before him!

    The hard and impossible thing to do is to get the root key from the
    isolated SPU, and that is by far uncheckable.

    Well you kinda have to worm your way there by gaining more access to as many parts as you can.

    28.1.2010 15:27 #37

  • pspbarry

    The only hack I have seen was on YouTube and the guy had a mask on; he stripped down the machine and loaded the backup with a boot disc, showing you each step as he did it. The thing is he had to strip down the PS3 and rebuild it, ouch :(.... As for films, well, if you look about, hum hum, you can get 720p movies ripped down from 1080p; pop a 500GB hard drive in the PS3 and, well, there you go. I am not putting this guy down, but as soon as he hacks the system Sony will put out new firmware to stop it dead. PS: don't burn me, I love you all ;)

    28.1.2010 15:28 #38
