The following blog post, unless otherwise noted, was written by a member of Gamasutra’s community.
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.
There is a lot of smoke being blown about regarding what has and has not happened with the systematic circumvention of almost every part of the PlayStation 3 security subsystem, with most journalistic outlets lacking the expertise required to understand the issues and the time to do effective research.
This has led to some fairly sickening press that does not adequately reflect the situation. For those wanting to know roughly what has actually happened and what it all means, I have written this.
This document should hopefully be accessible enough that people unfamiliar with the vagaries of specialist disciplines can follow along without too much difficulty. Please inform me of errors or omissions in the comments or via email.
- Multiple individuals working in concert discovered a method to access some functions of the RSX GPU directly from Linux instead of through the soft framebuffer. A driver, ps3.ko, was written to take advantage of this. While limited, the driver improved performance of some demanding video decode tasks to within usable ranges.
- What this means: Consumers were filling a software gap in their use case for their personal use on hardware they purchased.
- Sony: Removed the ability to use this driver with the patches in firmware 2.10.
- A full two years later, computer programmer George "GeoHot" Hotz began security analysis of the PS3 in response to the announcement of the PS3 Slim lacking OtherOS support. With careful application of a pin-shorting attack and a lot of persistence and luck, he managed to successfully map the hypervisor and run code at the hypervisor level.
- What this means: Very little of any practical value. It was an exploit, in the most academic sense of the word, but not a long-term solution to running unsigned code on the system.
- In general, you find that homebrew developers much prefer software solutions; hardware disassembly and modification is a tall barrier for programmers.
- Sony: Removed support for OtherOS for all PS3 systems with their next firmware update.
- Less than a year later, the widely-maligned "PSJailbreak" was released by unknown parties.
- For the unfamiliar, the PSJailbreak is a hideous kludge relying on peculiarities of USB driver initialisation (or software that emulates this behaviour). The end result was Lv2 code execution.
- What this means: Piracy. Homebrew is vaguely possible at this point, but it relies on the easily-patched USB hack.
- Strangely, this is only an exploit against a small part of the security system: it doesn't allow lower-level code execution and the integrity of the "secure" SPE is intact.
- Sony: Injunction against the sale of the USB devices; patched firmware to defeat the exploit.
- Using leaked service software, firmware downgrading was made possible. To my recollection, this release is from the originators of the PSJailbreak.
- What this means: Still, mostly just piracy.
- Sony: A new battlefront in the war on modified firmware on Sony devices was predicted. But the scope of the conflict changed in short order.
- Just last month, a group collectively known as "fail0verflow" (several of whom are known members of Team Twiizers, and involved with the Wii Homebrew Channel), revealed security work they had accomplished as a result of the public release of the PSJailbreak.
- Their findings, presented at 27C3, revealed a system riddled with flaws, including what seems to be an act of faith that the first line of defense would never be breached.
- Critically, the ECDSA signing implementation was flawed to the point that the generated signatures look something like this (each is the r component followed by the s component; the r half, which must be derived from a fresh random nonce for every signature, is identical in all of them):
- 806E078FA1529790CE1AAE02BADD6FAAA6AF7417 8BAEB115B68AE33CCD812CE8E85170BDA4F95417
- 806E078FA1529790CE1AAE02BADD6FAAA6AF7417 71CD1F2DD1DB19252804DE93E50E71A69C9D1FFB
- 806E078FA1529790CE1AAE02BADD6FAAA6AF7417 304D6DE39A90746F858A505F0871DFA96FE14D8D
- 806E078FA1529790CE1AAE02BADD6FAAA6AF7417 A3B32962F39E6D08C4EFAB2EC3605C8257A070AA
- Independently of this team, George Hotz came out of retirement and, as far as we're able to tell, replicated the work done by fail0verflow but also released the keys to the web. There is some amount of implication that he actually advanced the work of his predecessors by dumping the full metaloader key, but I believe this to be a misunderstanding.
- Against all expectations, this key works to sign PSP executables as well.
- What this means: Any person with sufficient knowledge can write code for the PS3/PSP and run it on any PS3/PSP without modification.
- To some degree, this does also enable piracy, but not to a greater extent than was already possible with the PSJailbreak and the firmware downgrade hack that came with it.
- Sony: Currently pursuing legal action against George Hotz, fail0verflow, and one hundred other unnamed people.
- Likely also sacking numerous people for incompetence above and beyond the call of duty.
- In the past day, an article has been circulated publicising the compromised security of Infinity Ward's Modern Warfare 2 servers. They have blamed the security breach for allowing this to happen.
- Infinity Ward states that they were reliant on the system's integrity to preserve the integrity of their own game.
- It seems likely that a modified game image was signed that allowed server vulnerabilities to be exploited.
- Infinity Ward further claims that this may not be recovered from.
- What this means: There is likely to be a short-term uptick in online game exploiting as users discover new vulnerabilities in online services and developers scramble to issue patches as they see fit. Eventually this may force a rethink of networked game security, as the assumption of a secure platform no longer holds.
- Sony: No response on record.
- This situation is ongoing.
- UPDATE: After statements in public and on his personal weblog about interest in Windows Phone 7, Microsoft has contacted Hotz with an offer for a free Phone 7 device.
- What this means: Many things.
- The open dialogue indicates George isn't "damaged goods" as a researcher.
- The positive stance by Microsoft may indicate better relations with security researchers in the future.
- UPDATE 2: Much has happened in the past month, but most notably, firmware 3.60 basically rolls the low-level loaders into a single encrypted blob. Cryptanalysis is ongoing, but this may be the "Epic Win" to go with the "Epic Fail". From what I've been able to ascertain, this is a very clever hack Sony whipped up. I am impressed. Meanwhile, they have started banning modified consoles that access PSN (not so impressed by this).
- What this means: Well, it means that, for the time being, the PS3 is secure once again. Many homebrewers are satisfied with the 3.55 firmware to the point that they're not interested in updating, so the flow of exploits is likely to slow considerably.
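To make the ECDSA point above concrete, here is an added worked example (my own code, not fail0verflow's or Sony's) on a textbook-sized curve: it signs two messages with the same nonce, shows the shared r that an auditor's check would flag, and recovers the private key from just the two signatures. The curve, key and message hashes are toy values chosen by me; the `shared_r` check is what one would run over a batch of real signatures such as the four quoted above.

```python
# Toy curve y^2 = x^3 + 2x + 2 over GF(17), G = (5, 1) of prime order N = 19 (textbook size, not for real use)
P, A, G, N = 17, 2, (5, 1), 19

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(d, h, k):
    """ECDSA: r = (kG).x mod N, s = k^-1 (h + d*r) mod N. k must be fresh for every signature."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + d * r) % N

def verify(Q, h, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

def shared_r(sig_hexes):
    """Audit check on hex (r || s) pairs of 160-bit halves: r must never repeat across signatures."""
    rs = [s.replace(" ", "")[:40] for s in sig_hexes]
    return sorted({r for r in rs if rs.count(r) > 1})

def recover_key(h1, s1, h2, s2, r):
    """Two signatures sharing r (hence the same k) yield k, and from k the private key d."""
    k = (h1 - h2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - h1) * pow(r, -1, N) % N

def demo(d=7, k=10, h1=3, h2=11):  # sign two messages with one k, then recover d from the pair alone
    Q = ec_mul(d, G)
    (r1, s1), (r2, s2) = sign(d, h1, k), sign(d, h2, k)
    assert r1 == r2 and verify(Q, h1, (r1, s1)) and verify(Q, h2, (r2, s2))
    return recover_key(h1, s1, h2, s2, r1)  # 7, the private key
```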
While this is doubtlessly a loaded topic, if you must comment, please do so with a modicum of courtesy. Unprovoked attacks on the character of the individuals or groups represented here are not acceptable. If you have an update or correction, as mentioned, please inform me however you are able.
As a further note, I don't intend to document the results of every bit of legal wrangling. On that, I am unqualified to offer more than my non-professional opinion. My primary interest lies in establishing what is and is not true about the state of PS3 security. I have attempted to avoid unproven extrapolation excepting cases where I feel it helpful to the developing discourse.
27C3 - Console Hacking 2010 (45 minutes)