1780 27c3 console_hacking_2010


1. 27th Chaos Communication Congress: Console Hacking 2010, PS3 Epic Fail. bushing, marcan, segher, sven. Wednesday, 29 December 2010
2. Who are we?
  • In 2008 at 25c3 these teams worked together as WiiPhonies
  • We won the 25c3 CTF
  • We changed our name to Fail 0verflow
  • Not trademark infringing
  • The domain was available
  • The ratio of fail to win is high.
  We've been collaborating on various embedded and thought-expansive projects, the most famous of which that hit the press earlier this year was the full reconstruction of the $REDACTED allowing $REDACTED to be completely broken; that was a fun couple of weeks.
3. Wii had a good run
  • 3 years, 9 firmware updates, 1 real feature
  • 73 mil. consoles, 30 mil. vuln. bootloaders
  • 1 million users of Homebrew Channel
4–8. Timeline 2006–2011, one column per console (built up over slides 4–7; slide 8 is image-only; entries are listed under the year row they sit in on the slide):
  Wii: 2006 Drivechips; 2007 Twiizer Attack; 2008 Twilight Hack, Homebrew Channel; 2009 Bannerbomb, Indiana Pwns, Bannerbomb for 4.2; 2010 latest update broken
  Xbox 360: 2006 Drive firmware hacked, King Kong Hack; 2009 JTAG Hack
  PS3: 2007 OtherOS, RSX exploit; 2009 slim released w/o Linux, Geohot's hack; 2010 Linux removed, Jailbreak, Downgrade, this talk :)
9–22. Track record of device security (one table, built up over slides 9–22):
  device | year | security | hacked | for | hacked after it was closed | effect
  PS2 | 1999 | ? | ? | piracy | | -
  dbox2 | 2000 | signed kernel | 3 months | Linux | | pay TV decoding
  GameCube | 2001 | encrypted boot | 12 months | Homebrew | | piracy
  Xbox | 2001 | encrypted/signed bootup, signed executables | 4 months | Linux, Homebrew | | piracy
  iPod | 2001 | checksum | <12 months | Linux | | -
  DS | 2004 | signed/encrypted executables | 6 months | Homebrew | | piracy
  PSP | 2004 | signed bootup/executables | 2 months | Homebrew | | piracy
  Xbox 360 | 2005 | encrypted/signed bootup, encrypted/signed executables, encrypted RAM, hypervisor, eFuses | 12 months | Linux, Homebrew | | leaked keys
  PS3 | 2006 | encrypted/signed bootup, encrypted/signed executables, hypervisor, eFuses, isolated SPU | not yet → 4 years (slide 17) | - → Homebrew, Piracy (slide 18) | 12 months (slide 22) | - → piracy (slide 19)
  Wii | 2006 | encrypted bootup | 1 month | Linux | | piracy
  AppleTV | 2007 | signed bootloader | 2 weeks | Linux, Front Row | | piracy
  iPhone | 2007 | signed/encrypted bootup/executables | 11 days | Homebrew, SIM-Lock | | piracy
  iPad (added on slide 15) | 2010 | signed/encrypted bootup/executables | 1 day | Homebrew | | piracy
23. PS3 Architecture
24. The Cell Broadband Engine (figure; source: IBM)
25. SPU Isolation (figure; source: IBM; local-store offsets 0x00000, 0x3e000 and 0x40000 are marked)
26. LV1 / Hypervisor; LV2 / GameOS; SPU; Problem State / Games
27–34. Boot chain (one stage added per slide; slide 34 is image-only):
  metldr → lv0ldr → lv0 → metldr / lv1ldr → lv1 → metldr / lv2ldr → lv2
35–50. Security feature comparison, columns Xbox, Wii, Xbox 360, PS3 (one ✓ per console that has the feature; the extracted text keeps the number of ✓ per row but not which console each belongs to):
  On-die bootROM: ✓ ✓ ✓ ✓
  On-die key storage: ✓ ✓
  Public-key crypto: ✓ ✓ ✓ ✓
  Chain of trust: ✓ ✓ ✓
  Per-console keys: ✓ ✓ ✓
  Signed executables: ✓ ✓ ✓
  Security coprocessor: ✓ ✓
  Full media encryption and signing: ✓
  Encrypted storage: ✓ ✓ (stamped BYPASSED on slide 50)
  Self-signed storage: ✓
  Memory encryption/hashing: ✓
  Hypervisor: ✓ ✓
  User/kernel mode: ✓
  Anti-downgrade eFUSEs: ✓
51–53. ✘ OtherOS: not supported on the PS3 Slim. Trophy earned: Draw Attention
54. Geohot exploit: XDR RAM glitching attack
55–62. Diagram built up over slides 55–62: RAM, Kernel, Hypervisor, HTAB; from slide 60 a Kernel HTAB appears beside the Hypervisor HTAB. Trophy earned: HV Hypervisor Exposed
63–66. ✘ ✘ ✘ OtherOS: forcibly removed on the PS3 Fat. Trophy earned: Pissed Off Hackers (slide 66 is image-only)
67. PSJailbreak
68. PSJailbreak (and over 9000 clones)
69. PSJailbreak Exploit
70. PSJailbreak: Hub, PWN1, PWN2, PWN3, PWN4, JIG, FINAL
71. Device 1: TL = 0xF00; CONFIGURATION #1 .. #4; INTERFACE #1; PAYLOAD
72. Device 4
73. Device 4: TL = 0x12; CONFIGURATION #1; INTERFACE #1
74. Device 4: TL = 0x12; CONFIGURATION #1; INTERFACE #1; CONFIGURATION #2
75. Device 2: TL = 0x16; INTERFACE #1; CONFIGURATION #1; bytes 04 21 B4 2F
76. Device 4: TL = 0x12; CONFIGURATION #1; INTERFACE #1; CONFIGURATION #1 with bytes 04 21 B4 2F; CONFIGURATION #2
77. Device 4: TL = 0x12; CONFIGURATION #1; INTERFACE #1; TL = 0x2FB4; CONFIGURATION #2
78. C++ objects: [VTABLE POINTER | INTERFACE OBJECT #N] [VTABLE POINTER | INTERFACE OBJECT #N+1] [VTABLE POINTER | INTERFACE OBJECT #N+2]
79. C++ objects: [VTABLE POINTER | INTERFACE OBJECT #N] [CONFIGURATION #3 / INTERFACE #1 overlaid on INTERFACE OBJECT #N+1] [VTABLE POINTER | INTERFACE OBJECT #N+2]
80. C++ objects: [VTABLE POINTER | INTERFACE OBJECT #N] [CONFIGURATION #3 / INTERFACE #1: PAYLOAD POINTER | INTERFACE OBJECT #N+1] [VTABLE POINTER | INTERFACE OBJECT #N+2]
81. Device 3: CONFIGURATION #1 .. #2; INTERFACE #1, #2, #3, #4, #5, #6, #7, #8, #9, #10, #11, ...
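The descriptor slides above (TL = 0x12 on the header read, 0x2FB4 on the full read) describe a length-confusion bug in the host's USB stack. As an added example, not code from fail0verflow or from the PS3, here is the host-side validation that closes that bug class: it re-checks wTotalLength against the size announced by the first read and bounds-checks every sub-descriptor. Descriptor layouts are the standard USB ones; the three sample descriptor blocks are constructed.

```c
/* Hardened walk of a USB configuration descriptor (added example, not
 * fail0verflow's or Sony's code). Models the host-side sequence the slides
 * show: read the 9-byte config header, allocate wTotalLength bytes, re-read
 * the full block. A device that answers the second read with a different
 * wTotalLength must be rejected before anything is copied. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CONFIG    0x02   /* standard USB descriptor type codes */
#define USB_DT_INTERFACE 0x04
#define USB_CONFIG_HDR   9      /* bLength of a configuration descriptor */
#define USB_IFACE_LEN    9      /* bLength of an interface descriptor */

typedef struct {
    bool ok;            /* true only if every check passed */
    int n_interfaces;   /* interface descriptors actually present */
    const char *why;    /* reason for rejection, "" when ok */
} cfg_result;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* buf/got: bytes returned by the full GET_DESCRIPTOR(CONFIGURATION) read.
 * alloc_len: wTotalLength announced by the earlier 9-byte header read, i.e.
 * the size of the buffer the host allocated for the copy. */
cfg_result validate_config(const uint8_t *buf, size_t got, size_t alloc_len)
{
    cfg_result r = { false, 0, "" };
    if (got < USB_CONFIG_HDR) { r.why = "short header"; return r; }
    if (buf[0] != USB_CONFIG_HDR || buf[1] != USB_DT_CONFIG) {
        r.why = "not a configuration descriptor"; return r;
    }
    uint16_t total = le16(buf + 2);
    /* The check PSJailbreak relied on being absent: the length must not
     * change between the two reads, so the copy can never exceed the
     * allocation made after the first one. */
    if (total != alloc_len) { r.why = "wTotalLength changed between reads"; return r; }
    if (got < total) { r.why = "device returned fewer bytes than wTotalLength"; return r; }

    /* Walk the sub-descriptors; never trust a bLength to stay inside the block. */
    size_t off = USB_CONFIG_HDR;
    while (off < total) {
        if (total - off < 2) { r.why = "dangling bytes after last descriptor"; return r; }
        uint8_t len = buf[off], type = buf[off + 1];
        if (len < 2 || off + len > total) { r.why = "sub-descriptor overruns wTotalLength"; return r; }
        if (type == USB_DT_INTERFACE) {
            if (len < USB_IFACE_LEN) { r.why = "short interface descriptor"; return r; }
            r.n_interfaces++;
        }
        off += len;
    }
    if (r.n_interfaces != buf[4]) { r.why = "bNumInterfaces does not match contents"; return r; }
    r.ok = true;
    return r;
}

/* Constructed sample descriptors (not captured from real hardware). */
static const uint8_t honest_cfg[] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  /* config: wTotalLength 0x0012, 1 interface */
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00   /* interface #1, vendor class */
};
/* Same block, but wTotalLength now claims 0x2FB4 (the value on the slides). */
static const uint8_t lying_cfg[] = {
    0x09, 0x02, 0xB4, 0x2F, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00
};
/* wTotalLength is honest, but the interface claims bLength 0x20 and would overrun. */
static const uint8_t overrun_cfg[] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x20, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00
};

int main(void)
{
    cfg_result a = validate_config(honest_cfg, sizeof honest_cfg, 0x12);
    cfg_result b = validate_config(lying_cfg, sizeof lying_cfg, 0x12);
    cfg_result c = validate_config(overrun_cfg, sizeof overrun_cfg, 0x12);
    printf("honest:  %s (%d interface(s))\n", a.ok ? "accepted" : a.why, a.n_interfaces);
    printf("lying:   %s\n", b.ok ? "accepted" : b.why);
    printf("overrun: %s\n", c.ok ? "accepted" : c.why);
    return 0;
}
```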
83. Trophy earned: LV2 Code Execution (slide 82 is image-only)
84. NO W^X in LV2: any old exploit == code execution
85. Hypervisor allows unsigned code: it happily marks pages as executable and plays no role in enforcing that only trusted code runs
86–87. Results
  • LV2 "GameOS" compromised
  • LV1 Hypervisor NOT compromised
  • Secure SPE NOT compromised
  • Piracy
  Trophy earned: Piracy
88. Fail Security Model
  • The hypervisor does not enforce LV2 and game integrity
  • You can just patch LV2 to run games from HDD
89–91. Security feature comparison again (same table as slides 35–50), now stamped: Encrypted storage BYPASSED; Hypervisor USELESS (slide 90); Signed executables INEFFECTIVE (slide 91)
92–96. Downgrades
  • Sony fixed the exploit
  • Service mode triggered by USB "JIG"
  • HMAC authenticated, keys dumped
  • Leaked service app used to enable downgrades
  Trophy earned: More Piracy
97–101. AsbestOS
  • Replace LV2/GameOS in memory
  • OtherOS mode and GameOS mode are virtually identical
  • Except GameOS can do more stuff, e.g. 3D
  • Run Linux again (even on the Slim!)
  • Use NetRPC to remote-control the PS3 and experiment...
102–105. SELF layout (built up over slides 102–105):
  SCE header
  ehdr + phdr
  encrypted metadata { metadata key; metadata; ECDSA signature }, labelled: loader key, AES (slides 103–104)
  SELF key, labelled: AES + SHA-1 (slides 103, 105)
  ELF { ehdr + phdr (again...); phdr #0 data #0; phdr #1 data; ...; phdr #N data }
