PS3 Completely Cracked

PS3 cracked wide open

Lots of exciting things happened in the PS3 scene the past few days. The aftermath is that the entire PS3 encryption scheme has been irrevocably cracked and broken, with no possibility of a firmware fix, due to a rookie cryptography mistake made by Sony who is now crying in a corner.

Let’s take a look at the timeline of events.

The Story

First, a little background.

Sony excluded Other OS (Linux) support from its new PS3 Slim models for unknown reasons. This annoyed some people but did not cause too much stir because hackers who wanted Linux still had their old PS3s.

In his attempt to restore Other OS functionality to the PS3 Slim, George Hotz, a famed iPhone hacker who has a slight ego issue, discovered an exploit in the PS3’s Other OS system that could lead to enabling piracy. Sony made some legal noise and took the drastic measure of removing Linux support from all PS3 consoles through the 3.21 firmware update. This is illegal in Europe and probably other countries with decent consumer protection laws, but no substantial legal challenges have succeeded thus far. This move also pissed off a lot of hackers who previously ignored the PS3 due to its existing Linux support. George Hotz disappeared like a little girl without releasing his claimed exploit because he was afraid of lawsuits.

Months later, when the uproar had died down, the PS3 was suddenly cracked using a USB exploit by a (presumed-to-be) Chinese hacker group who released the hack commercially as the PSJailbreak. Out of the blue, PS3 homebrew and piracy communities sprang to life. The technique was refined and made open source by various individual and community efforts such as PSGroove and PSFreedom and ported to numerous devices.

However, Sony released the 3.50 and 3.55 firmware to block the exploit. The community remained on 3.41 and no real breakthrough was made after that, with the small exception of a “downgrader” released by the same mysterious PSJailbreak team, which was also subsequently cloned by other jailbreak manufacturers and open sourced. While the downgrader allowed 3.50 and 3.55 firmwares to revert to 3.41 using USB protocols copied from Sony’s official maintenance tools, it does nothing to allow 3.41 firmwares to run new games such as Gran Turismo 5, which are signed with a new encryption key present only in 3.50 and newer firmwares.

The Breakthrough

On 29th Dec 2010, a collaboration of hackers called fail0verflow unveiled a groundbreaking discovery at the 27th Chaos Communication Congress (27C3) hacking conference held in Berlin. By inspecting files and running code on the PS3, which the PSJailbreak exploit made possible, the team discovered that Sony had made numerous mistakes in the design of the PS3’s much-hyped security architecture. You can watch their presentation on YouTube and download their slides here.

Towards the end of their presentation, they revealed the most fatal flaw in the system: Sony had failed to correctly implement the cryptographic scheme used to sign their ELF executables (the PS3’s equivalent of an EXE). The signature scheme requires a new random number to be generated each time a signature is created, but Sony’s implementation uses the same “random” number every time. This made it a constant instead of an unknown variable, reducing the number of unknowns from two (private key and random number) to one and making it mathematically possible to derive the private key via algebra, which is what fail0verflow did. They published their method but not the actual keys they obtained through it.

The Keys

Almost immediately after fail0verflow’s disclosure, George Hotz made a sudden grand entrance back into the scene and released the PS3’s metldr keys he discovered by using an undisclosed exploit to dump the “metldr”, which fail0verflow did not achieve, and then applying fail0verflow’s method to recover the private encryption key. I am not completely clear on this part, but I gather that the metldr is some kind of bootloader the PS3 uses to call up the higher-level functions like the Game OS.

The metldr key is a very low level encryption key embedded in the PS3 hardware that can then be used to decrypt higher level keys found in the Game OS firmware that are used to sign actual games. Immediately following this announcement, community members of the PS3 scene used the metldr key to decrypt and post every single encryption key used in every PS3 firmware version.

The Aftermath

With these keys, it is now possible for anyone to sign any PS3 ELF executable as if he were Sony and there is no reason for any PS3, modded or otherwise, to reject the signed files.

The immediate effect is of course homebrew. Anyone can now create applications for the PS3 and run them without using PSJailbreak.

The next obvious outcome is of course piracy. Since all PS3 games can now be decrypted, it is trivial to decrypt new games such as Gran Turismo 5 using the 3.55 key and re-encrypt them with the 3.41 key so that they can be played on an exploited PS3 running older firmware. Indeed, fixed EBOOT.BIN for the frequently-requested Gran Turismo 5 was one of the first scene releases following the breakthrough.

Going forward, it is likely that the current piracy methods will be greatly streamlined and such manual patching processes will no longer be necessary. This is because the keys allow hackers to decrypt all official Sony firmware updates and use them as the basis for creating custom firmwares similar to those prevalent in the PSP piracy scene. Since these custom updates will be signed with Sony’s official keys, even non-modded PS3s will accept them without complaints. The first custom firmware for the PS3 came out just days later and allows users to install homebrew without using the PSJailbreak exploit.

In the next few months, there will likely be non-stop releases and refinements of PS3 custom firmwares, amazing homebrews (an XBMC port maybe?) and streamlined piracy tools.

An amusing side effect of all this is that the PSP’s private encryption keys are also completely exposed, and they have been used to implement the HEN exploit on the newest 3000-series and PSP Go hardware running 6.31/6.35 firmware. The keys were presumably being used by the PS3 to play PSP Minis games. Apparently, Sony was very confident of the PS3’s protection scheme.

The Conclusion

For Sony, there is no way to put the genie back into the bottle. The metldr key cannot be revoked through a firmware update and changing it will require new hardware. But a new hardware revision is utterly meaningless, since current PS3 consoles (with their metldr key exposed) must presumably be able to run all future PS3 games and firmwares. As a result, future game- and OS-level encryption keys will forever remain vulnerable to reverse engineering, unless Sony takes the extremely drastic action of breaking games compatibility with current PS3s.

The conventional wisdom has always been that console hacking is motivated mainly by piracy. This idea is being challenged by the case study of the PS3, a console which remained secure for years despite what we now know is an utterly broken security architecture. The piracy motivation has always been there, but the pirates apparently did not possess the technical expertise needed to make the breakthrough.

The explanation proposed by fail0verflow, which they say applies to themselves, is that highly motivated and technically competent hackers were initially not interested in cracking the PS3 protection scheme because it ran Linux out of the box. Efforts to crack it by capable individuals only began after Sony excluded Other OS from the PS3 Slim and subsequently removed it from all existing PS3s through a firmware update.

Looking at the flurry of activities in recent months, less than a year after Other OS was removed, there appears to be some truth in that explanation.

Sony has completely lost the battle. The war will continue with the PS4.

This entry was posted in Tech.

20 Responses to PS3 Completely Cracked

  1. Vincent says:

    Epic.

  2. KayDat says:

    “The war will continue with the PS4.”

    Or Sony could wise up and just keep Linux support to begin with.

  3. info600 says:

    nice summary, I highly doubt that I can follow the PS3 story in real time (or somewhere that quick)

    oh, nice pic btw…

  4. Panther says:

    Good game, Sony.

  5. Hitoribocchi says:

    So I take it that as long as you provided the community with an incentive to not jailbreak the console, which is, in this instance, the ability to host another OS on top of the PS3, the community will reply in kind. Is this what you’re leading to, DM?

  6. DarkShadowRavenBloode says:

    Is there some way to run Japanese ps2 games on an American ps3 with this exploit?

  7. Jesus says:

    ……Does Sony EVER win?

  8. DarkMirage says:

    Hitoribocchi:

    That’s the way the hackers explain it.

    In a way it makes sense since there are very few people capable of doing these cracks and most of them do not care about piracy. Commercial pirates usually wait to leech off their work. Removing Other OS pissed off people who otherwise didn’t care about cracking the PS3 and made them want to put Linux back onto the PS3 just to prove that they can.

    I wouldn’t exactly say that the talented hackers “reply in kind”. They simply do not see the challenge in unlocking a system that already runs Linux. The removal of Other OS made it a valid challenge. Breaking DRM to run open source software is what they are interested in. Piracy is the collateral damage.

    Perhaps the flawed system would still have been eventually cracked by pirates, but Sony certainly didn’t help themselves when they basically issued a challenge out to everyone else by remotely removing an advertised product feature from sold hardware.

    And given that we now know that the Xbox 360’s security system was actually slightly better than the PS3’s despite being cracked a long time ago, I think there is something for Sony to think about there.

    Jesus:

    Arguably they didn’t lose badly this time. The PS3’s security lasted the longest in this generation and earned it the mainstream reputation of being the most secured console, DRM-wise. The question is whether it lasted this long because it was good or because no one good enough was trying until recently.

  9. Jason says:

    Naise post. Kept me up to date from all the confusing news about the ps3 these days.

  10. exaltdragon says:

    Does it bother anyone that their name is so similar to a certain violent eroge producing company?

  11. MarcosV says:

    It would be interesting to see if this accelerates the release of the PS4.

    Better assured world domination should be sufficient motivation for putting a PS4. The new unit would probably have multiple keys with online activation. Sony probably wouldn’t mind leaving out all those without internet connection next time around.

  12. Pingback: PS3 COMPLETELY CRACKED – SONY HAS LOST. « LoneTear77 Blog

  13. Animeking says:

    “This move also pissed off a lot of hackers who previously ignored the PS3 due to its existing Linux support. George Hotz disappeared like a little girl without releasing his claimed exploit because he was afraid of law suits.”

    I disagree, I personally think he was full of shit. He probably did hack it but didn’t make any special firmware and then got pissed when people were begging him after he promised them he would release something and making noise about showing Sony who is boss. Seems some people could replicate what he did with his youtube video through other means as well. I could be wrong though, I was just keeping track with his blog and youtube videos and some forums that were discussing him.

    To the rest of what you wrote, epic! I hate sounding like a hippie but I love it when ‘hackers’ stick it to the ‘man.’ XD

  14. heights says:

    gr8t.,.is it even possble 2 install Windows 7?

  15. Animeking says:

    well, there is a video with Windows Vista on the PS3…I believe it uses virtualization. It’d be slow as hell and can’t utilize the full potential of the PS3 anyways, so not much point. :/

    http://www.youtube.com/watch?v=w-CrEAzpuxc
