PlayStation 3 hacked; GeoHot releases 'coveted PS3 exploit' - ramifications 'unclear' says DigitalFoundry

Yeah I bought ps3 on launch because of Linux support as well :) That was my primary reason and then realised how locked down it was.. I waited and waited to see when they would it open it up, and really thought they would :(

http://ww.neogaf.com/forum/showthread.php?t=383838

there was some tax break incentive for selling the ps3 as a pc rather than just a games console (luxury goods) within the EU, but I guess the amount of ps3 being sold to build supercomputers meant huge losses for sony because none of those units would be used to buy games..

The key for decryption is encrypted by the root key

So they used Biggleman's Safe for the encryption? That's actually rather ingenious on Sony's part.

And didn't the N64 get around people using carts to unlock the console by continuous checks of the authentication chip?

Yes Sony basically did lock the plans inside the "safe". I should also mention there are 8 walls of PS3 Security and all geoHot has done is slightly weaken ONE of the walls. If you go to his blog he even says he has given up on it.

The Titanic is neither the Delmar nor the Duchess of Fife. It's the most unsinkable ship of our time!

...Sorry, couldn't resist.

Well, Mr Pirate, I have no idea what you just said, but it sounds goddamn legit.

What annoys me most is that this is nowhere near a hack. Yet everyone is going around screaming that the ps3 has been hacked. It just baffles me.

Ill try explain the gist of it. the PS3 is protected by 8 walls and those 8 walls are all controlled by a Root Key. The key is locked down inside the SPU and the SPU is protected by the 8 walls. The 8 walls are impenetrable. the US Army Air-force and Marines use this type of security in their defence grids.

Yeah, the amount of jizzing going on his little 'blog' is disgusting.

well that's good then. thanks for the explanation. Joystiq should post that in a "read more" link to clear up any confusion.

the Pirate:
The stuff you say as I understand it. Essentially, the CPU runs encrypted code without anything decrypting it first. And it doesn't store it unencrypted anywhere and it refuses to do so if asked. It also refuses to encrypt anything with the execute key.

So how you are going to decrypted code and write it out I dunno. Furthermore, how you will encrypt code to get it to run I dunno. So to me piracy still doesn't seem possible.

The only mitigating factor in this is geohot is no joke. If he says he's onto something I have to pay attention, because maybe he is.

I did a bit of Googling and found an interesting read (PDF) in which (from what I got) it confirms how secure the Cell processor is...

Here's the link (WARNING PDF)
http://dslab.lzu.edu.cn:8080/members/zhangwei/doc/Cell_Broadband_Engine_processor_vault_security_architecture.pdf

I found that the end of Page 7 begins the amaziness of protection!!!

This Processor is bloody amazing O_O!

So I take it this is your blog then?

http://streetskaterfu.blogspot.com/

Well I must admit you are an Intelligent consumer, well aware of the PS3 market

You're doing it wrong..

HURRR.... U SO CLEVER

I LOLed when got HURRED at :D

Again, this is based on an OLD version. It's like saying that someone just now figured out an abacus and so calculators aren't reliable.

First: Screw you.

Second: The system isn't hacked, genius.

There will always be a group of people curious about the device's potential and so long as this group exists hacking will as well. It probably started before but was first really documented with people modding cars as early as the 1920's and will likely never end.

But he hasn't cracked the system. He's got memory access, not RSX access. And he doesn't have full Cell access either.

Brad I had written a whole big reply about this, but the beauty that is this comment system swallowed it up.

From what I understand you do get full hardware privileges to the ps3.. This doesn't mean you get access to the game os:

of interest:
http://pastie.org/795944
http://forum.beyond3d.com/showthread.php?t=56284&page=7

as well as his blog posts which is like walking through crap to find a good technical comment. I bury my head in shame for what humanity has become..

From what I understand (im neither a cracker nor an electronics engineer, so I can only explain it from the angle I understand)

Ive used xen quite a lot and that is hypervisor technology built on/using Linux.

To explain it in terms of xen the main controller os is called dom0 each os that runs on top of dom0 are referred to as domu's

the linux otheros is a domu, it gets a subset of the hardware calls and gets virtualised instances of memory etc.

the dom0 controls exactly what Linux has access to.

The ps3 gameos is also a domu, except its completely encrypted with a root key which is inside the hardware..

He glitches the memory bus which means that he escapes out of the allocation table and jumps into the actual hypervisor layer. This is why all of the extra hardware and system calls becomes available to him.

He uses the glitch to escalate his privileges which means that he can get full access to the hardware not, but it doesnt do anything for actually accessing the ps3 game os, from the hyper visor it becomes slightly easier to launch an attack because you can start working out all of the system calls all the calls made by the system what it all relates to and try to get the encryption key by some other inherent weakness in the os which maybe is not known about, so that you can then access the gameos.

Quote:

"Because of the root key's importance in keeping all other keys hidden, it must be robustly protected. The Cell BE processor accomplishes this with its Hardware Root of Secrecy. The root key is embedded in the hardware, and you cannot access it with software means; only a hardware decryption facility has access to it. This makes it much more difficult for software to be somehow manipulated so that the root key is exposed, and of course, the hardware functionality cannot be changed so that the key is exposed.

Furthermore, the activation of the hardware decryption using this root key is tightly integrated with the SPE isolation mode. When an SPE enters isolation mode, the hardware decryption facility is kick-started to fetch the encrypted data into the isolated SPE and decrypt the data using the hardware root key. The decrypted data is placed within the protected Local Store and is available for an isolated SPE application to use. In fact, the decryption based on the root key can only happen within an isolated SPE and not outside of it; no access to the root key is available, by hardware or software means, from a non-isolated SPE or the PPE. " -- from beyond3d which linked to to the following ibm article: www.ibm.com/developerworks/power/library/pa-cellsecurity/

Joystiq doesn't change article titles; Article titles change Joystiq.

really is it that serious? Besides, quite the opposites. People who take the time to expose holes in systems that have been billed as "secure" actually promote the need for tighter and better firmware, more updates, and better console management. I'd have to disagree with you there.

But honestly that whole disease prison thing was a little out of proportion. I feel that if it werent for initial hackers and proponents of homebrew, we would NEVER be enjoying features like the x-box live arcade, the PSN classics or arcades and the Wii's virtual consoles. It was the fact that HACKERS made retro games like this available for free on previous consoles (one could argue) that caused the companies to take up the torch and offer their own solutions to piracy.

Meh just one theory, at least. Nevertheless, ARRRRRRRRRRRRRRRR

I knew of many old xbox's that had hundreds of games installed on the harddrive. Games of yesteryear. This became prolific to a point where the big companies just threw up their hands and said "F**k it" and decided to offer this kind of service themselves, and also turn a profit. Makes sense to me.