1.
Security offense and defense strategies:
Video-game consoles architecture under microscope
Ryad BENADJILA, Mathieu RENARD
forename.name@ssi.gouv.fr
July 2016

2.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Context |Objectives |Disclaimer
Context
Gaming consoles:
Technology showcases regarding security
Video game industry actors are spending a lot of money
Fighting against counterfeiting and piracy
Keeping control of their platform (soft + hard)
1/70 Game consoles security July 2016

3.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Context |Objectives |Disclaimer
Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles
2/70 Game consoles security July 2016

4.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Context |Objectives |Disclaimer
Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles
Playstation 1: birth of modchips
Xbox: some security concepts are introduced
Xbox360 and PS3: advanced security features are used
2/70 Game consoles security July 2016

5.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Context |Objectives |Disclaimer
Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles
Playstation 1: birth of modchips
Xbox: some security concepts are introduced
Xbox360 and PS3: advanced security features are used
New generation consoles
Playstation 4
2/70 Game consoles security July 2016

6.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Context |Objectives |Disclaimer
Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles
Playstation 1: birth of modchips
Xbox: some security concepts are introduced
Xbox360 and PS3: advanced security features are used
New generation consoles
Playstation 4
2/70 Game consoles security July 2016

7.
Warning !
This talk discusses jailbreak techniques with purely
defensive aims in mind.
ANSSI encourages publishers to systematically correct any
identified vulnerabilities in the shortest possible time.
Users are invited to apply security updates as soon as
possible.

8.
Choose your player
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

9.
Choose your player
PS1
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

10.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1
Produced by Sony Computer Entertainment in 1994
Mass hacking starting in 1995
5/70 Game consoles security July 2016

11.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: lack of security by design
Processor: custom MIPS R3000
No MMU
Other processors of the family like RS3000E have a MMU
In 1995, Sony does not care about security
The priority is to implement DRM features
6/70 Game consoles security July 2016

12.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: regional zoning
Games and consoles are specified for only one region
Regional code information is stored:
In the console BIOS
On the (Lead-IN) track of the CD-ROM
7/70 Game consoles security July 2016

13.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: regional zoning
Games and consoles are specified for only one region
Regional code information is stored:
In the console BIOS
On the (Lead-IN) track of the CD-ROM
Information stored has a string like: SCEx
A for America (SCEA)
E for Europe (SCEE)
I for Japon (SCEI)
7/70 Game consoles security July 2016

14.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: regional zoning
Games and consoles are specified for only one region
Regional code information is stored:
In the console BIOS
On the (Lead-IN) track of the CD-ROM
Information stored has a string like: SCEx
A for America (SCEA)
E for Europe (SCEE)
I for Japon (SCEI)
Regional information is stored using the Wobble Groove
DRM
Prevent perfect game clones
7/70 Game consoles security July 2016

15.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: wobble groove
No wobble data
Wobble Data (SCEx)
Data
0
0
0
0
1
1
1
10
0
0
0
0
No Wobble Data
Lead-IN
Lead-OUT
Data
8/70 Game consoles security July 2016

16.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: attacks
Lack of security features
Aim: bypass DRM features
9/70 Game consoles security July 2016
1996 1997 1998 1999 20001994
PS1
SCPH-1000
Action Replay
Game Hacking
(Hardware Attack)
1995
PS1
SCPH-9000
PS1
SCPH-100
Modchips
Game Hacking
(Hardware Attack)

17.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: attacks
Lack of security features
Aim: bypass DRM features
9/70 Game consoles security July 2016
1996 1997 1998 1999 20001994
PS1
SCPH-1000
Action Replay
Game Hacking
(Hardware Attack)
Modchips
Game Hacking
(Hardware Attack)
PS1
SCPH-9000
PS1
SCPH-100
1995

18.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: architecture
CONTROLLER
MEMORY
CARD
CONTROLLER
MEMORY
CARD
DRAM
4Mbit
DRAM
BOOT
ROM
CPU
AUDIO
CDROM
VIDEO
GPU
CDROM
CPU
RS3000
CD-­‐ROM
CONTROLLER
/
SG-­‐RAM
/
*Only berore SCPH-900x
MULTIOUT
SERIAL
IO
DAC
DRIVER
CD-­‐RF
RGB
Encorder
PARALLEL
I/O*
10/70 Game consoles security July 2016

19.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: architecture & action replay
CONTROLLER
MEMORY
CARD
CONTROLLER
MEMORY
CARD
DRAM
4Mbit
DRAM
BOOT
ROM
CPU
AUDIO
CDROM
VIDEO
GPU
CDROM
CPU
RS3000
CD-­‐ROM
CONTROLLER
/
SG-­‐RAM
/
/OE
/OE
*Only berore SCPH-900x
DAC
DRIVER
CD-­‐RF
RGB
Encorder
MULTIOUT
SERIAL
IO
PARALLEL
I/O*
11/70 Game consoles security July 2016

20.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: wobble groove architecture
12/70 Game consoles security July 2016
Wobble
Groove
Signal
Emula2on
CDROM
Reader
SCEE
CDROM
Controller
Lens
cart
Photoelectric
cell
Laser
CPU
Tracking
Signal
Error
Tracking
Signal
(Wobble
Groove)
Data
Data

21.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: modchips origins
13/70 Game consoles security July 2016
CDROM
Reader
SCEx
CDROM
Controller
Lens
cart
Photoelectric
cell
Laser
CPU
Tracking
Signal
Data
Data
Wobble
Groove
Signal
Emula@on

22.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Attacks |Conclusion
Playstation 1: conclusion
No security features
DRM bypassed
Birth of the concept of modchips as mass hacking tools
Explosion of the game hacking market
14/70 Game consoles security July 2016

23.
Choose your player
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

24.
Choose your player
Xbox
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

25.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox
Launched in the USA in 2001
Architecture similar to a standard PC
Windows 2000 kernel (stripped)
Embeds some security features
All bypassed by the Xbox hacking community
16/70 Game consoles security July 2016

26.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: architecture
17/70 Game consoles security July 2016
CPU
NV2A
(GPU)
SDRAM
64MB
MCPX
Secret
BootROM
FLASH
ROM
USB
Southbridge
Northbridge
GPU
Table
Ini?alisa?on
Bootloader
Kernel
…
Legacy
< 10 Mhz
64bits
133 Mhz
128bits
DDR 200 Mhz
CODEC
SMC
EEPROM
SMBus / I2C
Ethernet
8bits
HyperTransport
200 Mhz
HDD
(Locked)
LPC
Extension

27.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: security
Signed executable binaries (XBE)
HDD acess restricted
Using ATA Security features
Secure boot chain
18/70 Game consoles security July 2016

28.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: bootROM and root of trust
Attempt to create a custom root of trust
Bootloader code is burned in the MCPX (Southbridge)
Storing a custom memory zone in a component is very
expensive
BootROM code limited to 512 bytes
Problem: DDR Training code size is > 1KB
19/70 Game consoles security July 2016

29.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: bootROM and root of trust
Attempt to create a custom root of trust
Bootloader code is burned in the MCPX (Southbridge)
Storing a custom memory zone in a component is very
expensive
BootROM code limited to 512 bytes
Problem: DDR Training code size is > 1KB
Solution: adding an external flash memory (NAND)
Problem: this is increasing the attack surface
Solution: encrypt the NAND content
Only some parts of the NAND are effectively encrypted
19/70 Game consoles security July 2016

30.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: secure boot process
20/70 Game consoles security July 2016
MCPX
Flash
ROM
0xFFFF_FFF00xFFFF_FFF0
Kernel
2BL
(BootLoader)
Xcode
Bytecode
RC4
Encrypted
t4
Démarrage de la console
t1
t2
1
2 3 4
t4
t3
RC4
Encrypted
Launching
Game

31.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: secure boot process
20/70 Game consoles security July 2016
MCPX
Flash
ROM
0xFFFF_FFF00xFFFF_FFF0
Kernel
2BL
(BootLoader)
Xcode
Bytecode
RC4
Key
Decrypt
Xcode
Interpretor
t4
Démarrage de la console
t1
t2
1
2 3 4
t4
t3
overlay
Launching
Game
RC4
Encrypted
RC4
Encrypted

32.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: secure boot process
20/70 Game consoles security July 2016
MCPX
Flash
ROM
0xFFFF_FFF00xFFFF_FFF0
t4
Starting the console
Kernel
2BL
(BootLoader)
Xcode
Bytecode
t1
Executing1
2
RC4
Key
Decrypt
Xcode
Interpretor
Launching
Game
RC4
Encrypted
RC4
Encrypted

33.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: secure boot process
20/70 Game consoles security July 2016
MCPX
Flash
ROM
t4
Kernel
2BL
(BootLoader)
Xcode
Bytecode
t1
Decrypting
Verifying
Executing
1
2 3
t2
0xFFFF_FFF00xFFFF_FFF0
RC4
Key
Decrypt
Xcode
Interpretor
Starting the console
Launching
Game
RC4
Encrypted
RC4
Encrypted

34.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: secure boot process
20/70 Game consoles security July 2016
Flash
ROM
0xFFFF_FFF0
t4
Kernel
2BL
(BootLoader)
Xcode
Bytecode
t1
t2
Decrypting
Executing
1
2 3 4
t3
Starting the console
Launching
Game
MCPX
0xFFFF_FFF0
RC4
Key
Decrypt
Xcode
Interpretor
RC4
Encrypted
RC4
Encrypted

35.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: secure boot process
20/70 Game consoles security July 2016
Flash
ROM
0xFFFF_FFF0
t4
Kernel
2BL
(BootLoader)
Xcode
Bytecode
t1
t2
1
2 3 4 Verifying signature
Executing
t3
Starting the console
Launching
Game
MCPX
0xFFFF_FFF0
RC4
Key
Decrypt
Xcode
Interpretor
5
RC4
Encrypted
RC4
Encrypted

36.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
21/70 Game consoles security July 2016

37.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
21/70 Game consoles security July 2016

38.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
21/70 Game consoles security July 2016
Hack Firmware
lecteur DVD
2002 2003 2004 2005 20062001
Xbox 1.0
Dump
Flash
Dump
BootROM
Visor Backdoor
Modchips
T20 Hack
Xbox 1.6
(Fash => ROM)
Softmods
Mist Hack
Xbox 1.1

39.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
21/70 Game consoles security July 2016
2002 2003 2004 2005 20062001
Xbox 1.0
Dump
Flash
Dump
BootROM
Visor Backdoor
Modchips
T20 Hack
Xbox 1.6
(Fash => ROM)
Softmods
Mist Hack
Xbox 1.1
Hack Firmware
lecteur DVD

40.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
21/70 Game consoles security July 2016
2002 2003 2004 2005 20062001
Xbox 1.0
Dump
Flash
Dump
BootROM
Visor Backdoor
Modchips
T20 Hack
Xbox 1.6
(Flash => ROM)
Softmods
Mist Hack
Xbox 1.1
Hack Firmware
DVD Player

41.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox : Hypertransport bus eavesdropping
22/70 Game consoles security July 2016
CPU
NV2A (GPU)
SDRAM
64MB
MCPX
Secret
BootROM
FLASH ROM
USB
Southbridge
Northbridge
GPU
Table
Initialisation
Bootloader
Kernel …
Legacy
< 10 Mhz
64bits
133 Mhz
128bits
DDR 200 Mhz
CODEC
SMC
EEPROM
SMBus / I2C
Ethernet
8bits
HyperTransport
200 Mhz
HDD
(Locked)
LPC
Extension

42.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox : Hypertransport bus eavesdropping
22/70 Game consoles security July 2016
Northbridge
GPU
NV2A (GPU)
SDRAM
64MB
MCPX
Secret
BootROM
FLASH ROM
USB
Southbridge
Table
Initialisation
Bootloader
Kernel …
Legacy
< 10 Mhz
64bits
133 Mhz
128bits
DDR 200 Mhz
CODEC
SMC
EEPROM
SMBus / I2C
Ethernet
8bits
HyperTransport
200 Mhz
HDD
(Locked)
LPC
Extension
CPU

43.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: Hypertransport bus eavesdropping
23/70 Game consoles security July 2016

44.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: conclusion
Attempt to use a secure boot chain (one of the first
platforms to implement it)
24/70 Game consoles security July 2016

45.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox: conclusion
Attempt to use a secure boot chain (one of the first
platforms to implement it)
BootROM size limitation
Fatal for security
Many vulnerabilities in only 512 bytes of code
17 Mistakes Microsoft made in the Xbox Security System
by Michael Steil
Security features and DRM fully bypassed
24/70 Game consoles security July 2016

46.
Choose your player
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

47.
Choose your player
Xbox 360
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

48.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: hardware architecture
Triple-core 64-bit PowerPC, close to a PC
GPU
CPU (3,2Ghz)
SOUTHBRIDGE
L1 Cache
Power PC
core
L2 Cache (1MB)
USB (4)
Ethernet
Flash
Audio
RAM
512MB 700Mhz
FSB
PCIE
L1 Cache
Power PC
core
L1 Cache
Power PC
core
HDD
SATA
26/70 Game consoles security July 2016

49.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: cryptographic coprocessor
RAM
CPU1
CPU1
CPU1
MMU
MMU
MMU
L1
L1
L1
L2
Hash
SRAM
@0x87654321 Virtual
@0x00010000-00000010
@0x10
Compute Hash
Verify Hash
@0x00010000-00000010
27/70 Game consoles security July 2016

50.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: cryptographic coprocessor
RAM
CPU1
CPU1
CPU1
MMU
MMU
MMU
L1
L1
L1
L2
Hash
SRAM
@0x87654321 Virtual
@0x00001000-00000010
@0x00001000-00000010
@0x10
Encrypt
DecryptEncrypt
28/70 Game consoles security July 2016

51.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: software architecture
29/70 Game consoles security July 2016
RAM
Execu&ng
MMU
Configuring
Page Tables
1
2
3
Data
(Kernel
&
Game)
Code
(Kernel
&
Game)
Hypervisor
NOT
PRIVILEGED
PRIVILEGED
Verifying
signature
Loading

52.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: security model
30/70 Game consoles security July 2016
RAM
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
DMA
DMA
DMA
Data
(Kernel
&
Game)
Code
(Kernel
&
Game)
Hypervisor
~128Ko
Real Mode
Encrypted
Integrity check

53.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: anti-downgrade feature
Downgrade: decrease the version level of the console
system to exploit an old firware vulnerability
Detect the downgrade: hardware eFuses inside the CPU
eFuses are also used to generate a 128-bit CPU key
unique per console
31/70 Game consoles security July 2016

54.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: anti-downgrade feature
Downgrade: decrease the version level of the console
system to exploit an old firware vulnerability
Detect the downgrade: hardware eFuses inside the CPU
An eFuse is blown at each firmware upgrade
HMAC with the secret CPU key is used for pairing in NAND
31/70 Game consoles security July 2016
fuseNAND
HMAC 0000
fuseNAND
HMAC 0001
Pairing Pairing
Version 1 Version 2
UPGRADE
Replay Attack

55.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: secure boot
32/70 Game consoles security July 2016
RAM 4BL
Encrypted/Signed
K4BL
2
6BL/CF
Encrypted/Signed
RSASig (6BL)
Hash (7BL/CG)
K6BL
7BL/CG
Encrypted/Signed
Patches
5
5BL/CE
Encrypted/Signed
Hypervisor + kernel base
Hypervisor
+ Kernel patched6
3
4
6
CPU
SRAM
ROM (32Ko)
1BL
RSA PubKey
2BL/CB
Encrypted/Signed
Hash (4BL/CD)
Hash (5BL/CE)
RSASig (2BL)
K2BL
1
K1BL

56.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: secure boot
32/70 Game consoles security July 2016
RAM
2
Initialising RAM Encryption/Integrity
Initialising PCI Express
Desactivating JTAG GPU
ACK SMC
Verifying fuseset02 versus 2BL
Verifying le LDV (HMAC)
Loading & Decrypting 4BL en RAM
Verifying Hash (4BL/CD)
Decrypting & Extracting 7BL/CG
Verifying Hash(7BL/CG)
Decrypting 6BL/CF with
K1BL
Extracting 6BL/CF
Verifying RSASig(6BL/CF)
Verifying LDV
6BL/CF
Fuseset 07-11
5
6
Decrypting & Extracting 5BL/CE
Verifying Hash(5BL/CE) 3
4
6
CPU
SRAM
ROM (32Ko)
1BL
RSA PubKey
2BL/CB
Encrypted/Signed
Hash (4BL/CD)
Hash (5BL/CE)
RSASig (2BL)
K2BL
1
K1BL
4BL
Encrypted/Signed
K4BL
6BL/CF
Encrypted/Signed
RSASig (6BL)
Hash (7BL/CG)
K6BL
7BL/CG
Encrypted/Signed
Patches
5BL/CE
Encrypted/Signed
Hypervisor + kernel base
Hypervisor
+ Kernel patched

57.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: attacks chronology
Xbox 360 is released
33/70 Game consoles security July 2016
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

58.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: attacks chronology
Game piracy is made possible
33/70 Game consoles security July 2016
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
Hack DVD Player
Kin gKong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester

59.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: attacks chronology
First software vulnerability exploited (hypervisor mode
privilege escalation)
33/70 Game consoles security July 2016
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timming Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

60.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: attacks chronology
Downgrade to exploit the King Kong attack
33/70 Game consoles security July 2016
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

61.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: attacks chronology
Hardware glitch to bypass the secure boot
33/70 Game consoles security July 2016
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

62.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
The King Kong Attack, a purely software attack
Improper integer comparison in the hypervisor syscalls
handler
PSEUDO C CODE
extern u32 syscall_table[0x61]
void syscall_handler(r0, r3, r4, …) {
if((u32)r0 >= 0x61) {
goto bad_syscall;
}
r1 = (void*)syscall_table[(u64)r0];
r1();
}
34/70 Game consoles security July 2016

63.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
The King Kong Attack, a purely software attack
Improper integer comparison in the hypervisor syscalls
handler
PSEUDO C CODE
extern u32 syscall_table[0x61]
void syscall_handler(r0, r3, r4, …) {
if((u32)r0 >= 0x61) {
goto bad_syscall;
}
r1 = (void*)syscall_table[(u64)r0];
r1();
}
34/70 Game consoles security July 2016

64.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
34/70 Game consoles security July 2016
GPU
RAM
Data (Kernel & Game)
Code (Kernel & Game)
Hypervisor
SHADER
syscall0
…
t2Code (ROP)
Shader
(Notcodesigned)
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check
DMA

65.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
34/70 Game consoles security July 2016
GPU
RAM
Data (Kernel & Game)
Code (Kernel & Game)
Hypervisor
SHADER
syscall0
…
1 DMA
t2Code (ROP)
syscallx2A
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check

66.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
34/70 Game consoles security July 2016
GPU
RAM
Data (Kernel & Game)
Code (Kernel & Game)
Hypervisor
SHADER
syscall0
…
DMA
1
2
Thread PC
syscallx2A
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check
DMA

67.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
34/70 Game consoles security July 2016
GPU
RAM
Data (Kernel & Game)
Code (Kernel & Game)
Hypervisor
SHADER
Instruction sc (syscall)
syscall0
…
DMA
1
2
3
DMA
Thread PC
syscallx2A
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check
Ret2Code
(ROP)

68.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the King Kong attack
34/70 Game consoles security July 2016
GPU
RAM
Data (Kernel & Game)
Code (Kernel & Game)
Hypervisor
SHADER
Thread PC
Instruction sc (syscall)
syscall0
…
syscallx2A
DMA
1
2
3
4
DMA
Ret2Code
(ROP)
Exploit
Syscall
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check

69.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
Problem: the King Kong vulnerability has been patched
before its public disclosure
35/70 Game consoles security July 2016

70.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
Problem: the King Kong vulnerability has been patched
before its public disclosure
Solution: downgrade to a vulnerable kernel and exploit
the King Kong attack
But: how to bypass the eFuse protection?
35/70 Game consoles security July 2016

71.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
Problem: the King Kong vulnerability has been patched
before its public disclosure
Solution: downgrade to a vulnerable kernel and exploit
the King Kong attack
But: how to bypass the eFuse protection?
A non-constant time memcmp in the 2BL is used when
checking the eFuse pairing HMAC
It is possible to forge a valid HMAC without knowing the
CPU secret key
35/70 Game consoles security July 2016

72.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
36/70 Game consoles security July 2016
New Try
FALSE
0.22ms0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){
[..]
for(
i=0
;
i
<
len
;
i++)
if
(
RealHMAC[i]
!=
TestHMAC[i]
)
break;
[..]
}
TestHMAC = 0000000000000000000000000000000
GuessedHMAC = 0000000000000000000000000000000
I = 0
TRUE

73.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
36/70 Game consoles security July 2016
0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){
[..]
for(
i=0
;
i
<
len
;
i++)
if
(
RealHMAC[i]
!=
TestHMAC[i]
)
break;
[..]
}
0.22ms
TestHMAC = 0100000000000000000000000000000
GuessedHMAC = 0000000000000000000000000000000
I = 1
FALSE TRUE
New Try

74.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
36/70 Game consoles security July 2016
0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){
[..]
for(
i=0
;
i
<
len
;
i++)
if
(
RealHMAC[i]
!=
TestHMAC[i]
)
break;
[..]
}
0.22ms
TestHMAC = 0200000000000000000000000000000
GuessedHMAC = 0000000000000000000000000000000
I = 2
FALSE TRUE
New Try

75.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
36/70 Game consoles security July 2016
0.22ms0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){
[..]
for(
i=0
;
i
<
len
;
i++)
if
(
RealHMAC[i]
!=
TestHMAC[i]
)
break;
[..]
}
TestHMAC = 0300000000000000000000000000000
GuessedHMAC = 0300000000000000000000000000000
I = 3
FALSE TRUE
New Try

76.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
36/70 Game consoles security July 2016
0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){
[..]
for(
i=0
;
i
<
len
;
i++)
if
(
RealHMAC[i]
!=
TestHMAC[i]
)
break;
[..]
}
0.22ms
TestHMAC = 0300000000000000000000000000000
GuessedHMAC = 0300000000000000000000000000000
I = 0
TRUEFALSE
New Try

77.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the timing attack
36/70 Game consoles security July 2016

78.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the glitch attack
The integrity check of the 4BL by the 2BL can be
glitched with a pulse inserted at the right time
37/70 Game consoles security July 2016

79.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the glitch attack
The integrity check of the 4BL by the 2BL can be
glitched with a pulse inserted at the right time
100ns glitch
CLK
0x36 0x39POST
ATTACK
/RESET
/CPU_
PLL-BYPASS
37/70 Game consoles security July 2016

80.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the glitch attack
The integrity check of the 4BL by the 2BL can be
glitched with a pulse inserted at the right time
100ns glitch
CLK
0x36 0x39POST
ATTACK
/RESET
/CPU_
PLL-BYPASS
FALSE TRUE
Not Glitched
isHashValid(
h1,h2
,len)
{
[…]
Res
=
memcmp(h1,h2,len)
If
(res
==
0
){
return
TRUE
}
return
FALSE
}
Glitched
RAZ des registresReseting all registers >> Res = memcmp(h1,h2,len)
37/70 Game consoles security July 2016

81.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: the glitch attack
The integrity check of the 4BL by the 2BL can be
glitched with a pulse inserted at the right time
37/70 Game consoles security July 2016

82.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: conclusion
A good software architecture:
Tiny and auditable hypersvisor
W¨X
Any executable piece of code is authenticated
Secure boot process, eFuses against downgrade ...
38/70 Game consoles security July 2016

83.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: conclusion
A good software architecture:
Tiny and auditable hypersvisor
W¨X
Any executable piece of code is authenticated
Secure boot process, eFuses against downgrade ...
... but some DMA attacks are still possible (threads
states unprotected)
Some data are not authenticated
Some cryptographic weaknesses have been exploited
(timing attack, RC4)
The console has not been designed with hardware attacks
in mind (glitch)
38/70 Game consoles security July 2016

84.
Choose your player
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

85.
Choose your player
PS3
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

86.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: architecture
40/70 Game consoles security July 2016
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
PPE
BEI
Element
Interconect
Bus
(EIB)
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
PPU
PXU
L2
L1
SPE – Synergistic Processor Element
SPU – Synergistic Processor Unit
SXU – Synergistic Execution Unit
LS – Local Store
MFC – Memory Flow Controller
BEI
MIC
Dual
XDR
DDR2
FlexIO
PPU – Power Processor Unit
PXU – Power Execution Unit
BEI – Broadband Engine Interface
MIC – Memory Interface Controller
XDR/DDR2 – Extreme Data Rate / Double Data Rate 2
CELL BroadBand Engine (PPE + 8 SPE)
PPE: classical 64-bit PowerPC architecture

87.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: architecture
40/70 Game consoles security July 2016
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
PPE
BEI
Element
Interconect
Bus
(EIB)
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
SPE
SPU
MFC
SXU
LS
PPU
PXU
L2
L1
SPE – Synergistic Processor Element
SPU – Synergistic Processor Unit
SXU – Synergistic Execution Unit
LS – Local Store
MFC – Memory Flow Controller
BEI
MIC
Dual
XDR
DDR2
FlexIO
PPU – Power Processor Unit
PXU – Power Execution Unit
BEI – Broadband Engine Interface
MIC – Memory Interface Controller
XDR/DDR2 – Extreme Data Rate / Double Data Rate 2

88.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: isolated SPE mode
SPE: code isolation/bootstraping (root of trust)
41/70 Game consoles security July 2016
SPE
SPU
MFC
Local
storage
Public
BOOTROM
(KCPU)
EIB
PPE

89.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: isolated SPE mode
SPE: code isolation/bootstraping (root of trust)
41/70 Game consoles security July 2016
SPE
SPU
MFC
Local
storage
BOOTROM
(KCPU)
EIB
PPE
Code
KCPU
Public

90.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: isolated SPE mode
SPE: code isolation/bootstraping (root of trust)
41/70 Game consoles security July 2016
SPE
SPU
(Isolated
Mode)
MFC
Local
storage
Private
Public
BOOTROM
(KCPU)
EIB
PPE
Code
Code
KCPU

91.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: isolated SPE mode
SPE: code isolation/bootstraping (root of trust)
41/70 Game consoles security July 2016
SPE
SPU
(Isolated
Mode)
MFC
Local
storage
Private
Public
BOOTROM
(KCPU)
EIB
PPE
Code
Code
KCPU

92.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: software architecture
(ldr*) bootloaders:
First level: they bootstrap SPE in isolated mode
Second level: they are executed by first level loaders
42/70 Game consoles security July 2016

93.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: software architecture
(ldr*) bootloaders:
First level: they bootstrap SPE in isolated mode
Second level: they are executed by first level loaders
Hypervisor (lv1) : PPE in hypervisor mode
42/70 Game consoles security July 2016

94.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: software architecture
(ldr*) bootloaders:
First level: they bootstrap SPE in isolated mode
Second level: they are executed by first level loaders
Hypervisor (lv1) : PPE in hypervisor mode
GameOS/OtherOS (lv2/-) : PPE in supervisor mode
OtherOS = Linux (removed after the first attack on the
console)
42/70 Game consoles security July 2016

95.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: software architecture
(ldr*) bootloaders:
First level: they bootstrap SPE in isolated mode
Second level: they are executed by first level loaders
Hypervisor (lv1) : PPE in hypervisor mode
GameOS/OtherOS (lv2/-) : PPE in supervisor mode
OtherOS = Linux (removed after the first attack on the
console)
Applications : PPE in user mode
42/70 Game consoles security July 2016

96.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: secure boot
43/70 Game consoles security July 2016
metldr
rvkldr
isoldr
appldr
lv2ldr
lv1ldr
lv0
bootldr
Lv1.self
lv2_kernel.self
ps2_emu.self
ps2_gxemu.self
ps2_so9emu.self
vsh.self
sv_iso_spu_module.self
sb_iso_spu_module.self
mc_iso_spu_module.self
me_iso_spu_module.self
HypervisorGameOSappisorvk
ldrldr *ldr *ldr *ldr *ldr *
SPE0PPE
SPE2
SPE2
SPE2
SPE2
SPE2
SPE2
BootROM
SPE
1
2
3
4
5
6
7
3
PPE
PPE
PPE
PPE
PPE
Rvklist
/
rvkprg

97.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: secure boot
43/70 Game consoles security July 2016
metldr
rvkldr
isoldr
appldr
lv2ldr
lv1ldr
lv0
bootldr
Lv1.self
lv2_kernel.self
ps2_emu.self
ps2_gxemu.self
ps2_so9emu.self
vsh.self
sv_iso_spu_module.self
sb_iso_spu_module.self
mc_iso_spu_module.self
me_iso_spu_module.self
HypervisorGameOSappisorvk
ldrldr *ldr *ldr *ldr *ldr *
SPE0PPE
SPE2
SPE2
SPE2
SPE2
SPE2
SPE2
BootROM
SPE
1
2
3
4
5
6
7
3
PPE
PPE
PPE
PPE
PPE
Rvklist
/
rvkprg
CPUKey
ECDSA/AES

98.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: anti-downgrade and revocation
No hardware anchor (such as eFuse) for anti-downgrade
CPU/Mode Update Revocation
bootROM Cell No No
bootldr SPE0 No No
lv0 PPE/HV Yes No
metldr SPE2 No No
lv1ldr SPE2 Yes No
lv1 PPE/HV Yes No
lv2ldr SPE2 Yes No
lv2 PPE/SP Yes Yes
isoldr SPE2 Yes No
appldr SPE2 Yes Yes
games/applications PPE/USR Yes Yes
44/70 Game consoles security July 2016

99.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: security model
PPE/hypervisor is outside the TCB
Sensitive elements are executed on the SPE
Any code is encrypted and signed
Security through obscurity
45/70 Game consoles security July 2016

100.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: security model
PPE/hypervisor is outside the TCB
Sensitive elements are executed on the SPE
Any code is encrypted and signed
Security through obscurity
Encryption of the EIB bus (RAM, peripherals)
DMA attacks are limited
45/70 Game consoles security July 2016

101.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: security model
PPE/hypervisor is outside the TCB
Sensitive elements are executed on the SPE
Any code is encrypted and signed
Security through obscurity
Encryption of the EIB bus (RAM, peripherals)
DMA attacks are limited
No W¨X, the hypervisor verifies almost nothing
45/70 Game consoles security July 2016

102.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: hello hypervisor, I’m geohot
Glitch A take control of the hypervisor from
OtherOS/Linux
46/70 Game consoles security July 2016
Other OS
2007 2008 2009 2010 20112006
PS3
Fat
Hypervisor
Glitch hack
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Bootldr key attack
ECDSA Attack + lv2ldr key
Mtldr key attack

103.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: hello hypervisor, I’m geohot
Glitch A take control of the hypervisor from
OtherOS/Linux
Does not allow to control other elements
No possible game piracy
46/70 Game consoles security July 2016
Other OS
2007 2008 2009 2010 20112006
PS3
Fat
Hypervisor
Glitch hack
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Bootldr key attack
ECDSA Attack + lv2ldr key
Mtldr key attack

104.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: PSJailbreak
First attack that allows game piracy
Attack on the USB stack of the lv2 (GameOS)
No W¨X: hypervisor fail
47/70 Game consoles security July 2016
2007 2008 2009 2010 20112006
PS3
Fat
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Other OS
Hypervisor
Glitch hack
Bootldr key attack
ECDSA Attack + lv2ldr key
Mtldr key attack

105.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: attacking the bootloaders
2010: major vulnerability in Sony’s ECDSA
implementation
Same nonces for different firmware versions
With two signatures, one can compute the private key!
48/70 Game consoles security July 2016
2007 2008 2009 2010 20112006
PS3
Fat
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Other OS
Hypervisor
Glitch hack
Bootldr key attack
ECDSA Attack + lv2ldr key
Mtldr key attack

106.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: attacking the bootloaders
2010: major vulnerability in Sony’s ECDSA
implementation
Same nonces for different firmware versions
With two signatures, one can compute the private key!
Boot chain is completely and forever broken
48/70 Game consoles security July 2016
2007 2008 2009 2010 20112006
PS3
Fat
PSJailbreak
USB/JIG
Downgrade
bootldr key attack
ECDSA Attack + lv2ldr key
mtldr key attack
PS3
Ultraslim
2012
Other OS
Hypervisor
Glitch hack

107.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: conclusion
Interesting exotic hardware platform (isolated SPE)
DMA attacks mitigations
BootROM with a dedicated CPU key
49/70 Game consoles security July 2016

108.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: conclusion
Interesting exotic hardware platform (isolated SPE)
DMA attacks mitigations
BootROM with a dedicated CPU key
Limited hypervisor, not designed with security in mind
No defense in depth (no W¨X)
Cryptographic fail (ECDSA)
Boot chain with limited revocation and downgrade
features
Security through obscurity (SPE code)
Not designed with hardware attacks in mind (glitch)
49/70 Game consoles security July 2016

109.
Choose your player
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

110.
Choose your player
PS4
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

111.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
Playstation 4
Produced by Sony Computer Entertainment in 2013
Public Hacking starting 2015
51/70 Game consoles security July 2016

112.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: architecture
Hardware architecture :
SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
Same as Xbox One
52/70 Game consoles security July 2016

113.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: architecture
Hardware architecture :
SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
Same as Xbox One
Software architecture :
Kernel based on FreeBSD 9.0 kernel (2012)
Unlike for the Playstation 3, Sony bases its system now
on open source software:
* Webkit
* OpenSSL, Cairo . . .
* LLVM/Clang
52/70 Game consoles security July 2016

114.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: security
Security features:
Secure boot
Encrypted binaries (SELF) (like on PS3)
Using modern security features:
* W¨X (with x86 hardware help)
* ASLR
* FreeBSD Jails
53/70 Game consoles security July 2016

115.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: security
Security features:
Secure boot
Encrypted binaries (SELF) (like on PS3)
Using modern security features:
* W¨X (with x86 hardware help)
* ASLR
* FreeBSD Jails
Few or no information about hardware security features
(DMA, encrypted bus, . . . )
53/70 Game consoles security July 2016

116.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: SPI flash cloning
First hardware attack : Brasilian PS4 flash dump
It is possible to clone metadata stored in the flash
No pairing between SPI Flash and console
54/70 Game consoles security July 2016

117.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: SPI flash cloning
First hardware attack : Brasilian PS4 flash dump
It is possible to clone metadata stored in the flash
No pairing between SPI Flash and console
Exploit kit based on Raspberry Pi/Teensy
Quickly patched
54/70 Game consoles security July 2016

118.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: software exploit chain
WebKit
0xffffffff8 0000000
0xfffffffff ffffffff
0x00000000 00000000
Kernelland
code execution
Kernel land
User land
1
Userland ROP2
3 Privilege escalation
User input
55/70 Game consoles security July 2016

119.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: Webkit vulnerability
First true software attack (same on PSVita)
First entry point for reverse engineering
56/70 Game consoles security July 2016

120.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: Webkit vulnerability
First true software attack (same on PSVita)
First entry point for reverse engineering
CVE-2012-3748, heap overfow in Javascript VM
JS object corruption in JSArray:sort(...)
* Gives read and write primitives inside the browser
address space
* Allows arbitrary code execution (overwriting return
address and some function pointers . . . )
56/70 Game consoles security July 2016

121.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: Webkit vulnerability
First true software attack (same on PSVita)
First entry point for reverse engineering
CVE-2012-3748, heap overfow in Javascript VM
JS object corruption in JSArray:sort(...)
* Gives read and write primitives inside the browser
address space
* Allows arbitrary code execution (overwriting return
address and some function pointers . . . )
Problem : Sony uses ASLR and W¨X (FreeBSD)
56/70 Game consoles security July 2016

122.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: userland ASLR/W¨X bypass
57/70 Game consoles security July 2016
Libkernel
Heap
Stack
Lib2
Lib 1
Executable RX
RX
RX
RW
RW
RX
Attacker
@?
@?
@?
@?
@?
@?
Browser
(Process Memory)
syscalls
Kernel

123.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: userland ASLR/W¨X bypass
57/70 Game consoles security July 2016
Libkernel
Heap
Stack
Lib2
Lib 1
Executable RX
RX
RX
RW
RW
RX
@
@
@
@
@
@
Address leak
1
Browser
(Process Memory)
Attacker
syscalls
Kernel

124.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: userland ASLR/W¨X bypass
57/70 Game consoles security July 2016
Libkernel
Heap
Lib2
Lib 1
Executable
Browser
(Process Memory)
RX
RX
RX
RW
RW
RX
@
@
@
@
@
@
ROP
Stack
2
Attacker
syscalls
Kernel

125.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: userland ASLR/W¨X bypass
57/70 Game consoles security July 2016
Libkernel
Heap
Lib2
Lib 1
Executable RX
RX
RX
RW
RW
RX
@
@
@
@
@
@
3
Syscalls
Stack
Browser
(Process Memory)
Attacker
syscalls
Kernel

126.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: sandboxing
Attacker is jailed inside process memory
FreeBSD jails
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
Libkernel
Heap
Stack
Lib2
Lib 1
Executable
syscalls
Browser
(Process Memory)
Attacker
Kernel
58/70 Game consoles security July 2016

127.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: native code execution by CTurt (@CTurtE)
ROP chain is limited: native code execution is required
59/70 Game consoles security July 2016
LibKernel
User land
WebKit
Kernel land
syscalls
Memory aliasing
with different
access rights
• P1 => payload
with RW rights
• P2 => same
payload with RX
rights
Request an RX shared
memory allocation
sys_jitshm_create()

128.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: native code execution by CTurt (@CTurtE)
ROP chain is limited: native code execution is required
59/70 Game consoles security July 2016
Memory aliasing
with different
access rights
• P1 => payload
with RW rights
• P2 => same
payload with RX
rights
LibKernel
User land
WebKit
Request an RX shared
memory allocation
sys_jitshm_create()
syscalls
Payload (RX)
Kernel land
P1

129.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: native code execution by CTurt (@CTurtE)
ROP chain is limited: native code execution is required
59/70 Game consoles security July 2016
Request an RX shared
memory allocation
sys_jitshm_create()
LibKernel
User land
WebKit
Create an RW alias
sys_jitshm_alias()
syscalls
Payload (RX)
Payload (RW)
Memory aliasing
with different
access rights
Kernel land
P2

130.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: native code execution by CTurt (@CTurtE)
ROP chain is limited: native code execution is required
59/70 Game consoles security July 2016
Request an RX shared
memory allocation
sys_jitshm_create()
LibKernel
User land
WebKit
syscalls
Memory aliasing
with different
access rights
• P1 => payload
with RW rights
• P2 => same
payload with RX
rights
Payload (RX) P1
Payload (RW)
P2
Physical aliases
Kernel land

131.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: syscalls fuzzing and reverse engineering
At this point attackers want kernel privileges
Syscall reverse engineering results:
532 FreeBSD syscalls
85 proprietary syscalls (Sony)
jail filtering calls to critical syscalls (ex ptrace)
Unoficial SDK have been released by the community
60/70 Game consoles security July 2016

132.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: exploit chain user by CTurt (@CTurtE)
WebKit
0xffffffff8 0000000
0xfffffffff ffffffff
0x00000000 00000000
Kernelland
code execution
Kernel land
User land
1
Userland ROP2
3 Privilege escalation
User input
61/70 Game consoles security July 2016

133.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: exploit chain kernel by CTurt (@CTurtE)
IDT RW
(FreeBSD)
BadIRET
WebKit
0xffffffff8 0000000
0xfffffffff ffffffff
0x00000000 00000000
1
Userland ROP
4
2
Payload
5
Kernel Write primitive
(With constraints)
Kernelland
code execution
Kernel land
LibKernel
User land
3 Userland
code execution
62/70 Game consoles security July 2016

134.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: BadIRET kernel exploit
Originally discovered in Linux and later found to
affect FreeBSD too:
Fixed back in 2014 on FreeBSD
Not fixed on PS4 until firmware version > v2.01
* Rumor: Sony security officer being replaced around
this time . . .
63/70 Game consoles security July 2016

135.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
Linux / BSD: BadIRET kernel vulnerability
64/70 Game consoles security July 2016
MemoryMemory
Kernel
User
GS: Thread
User
SWAP GS SWAP GS
GS: KThread
GS: GS:
Kernel
# interrupt IRET

136.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
Linux / BSD: BadIRET kernel vulnerability
64/70 Game consoles security July 2016
Memory
GS Confusion
Payload
IDT
Kernel
User
GS: Thread
GS:

137.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
Linux / BSD: BadIRET kernel vulnerability
64/70 Game consoles security July 2016
Memory
GS Confusion
GS: Thread
Payload
IDT
Kernel
User
IDT RW
+ NO SMEP
+ NO SMAP

138.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: update IDT
65/70 Game consoles security July 2016
Memory
#13
#PF 14
#15
IDT
Userland
Kernel payload
Address
to interup vector

139.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: update IDT
65/70 Game consoles security July 2016
Memory
#13
#PF 14
#15
Userland
Kernel payload
Address
to interup vector
IDT

140.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: exploit chain kernel
IDT RW
(FreeBSD)
BadIRET
WebKit
0xffffffff8 0000000
0xfffffffff ffffffff
0x00000000 00000000
1
Userland ROP
4
2
Payload
5
Kernel Write primitive
(With constraints)
Kernelland
code execution
Kernel land
LibKernel
User land
3 Userland
code execution
66/70 Game consoles security July 2016

141.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: conclusion
Sony has moved to classical hardware platform
Defense in depth (Mostly FreeBSD features):
W¨X
Userland ASLR
Sony has removed vulnerable kernel modules (SCTP)
67/70 Game consoles security July 2016

142.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Hardware and Software architecture |Security |Attacks |Conclusion
PS4: conclusion
Sony has moved to classical hardware platform
Defense in depth (Mostly FreeBSD features):
W¨X
Userland ASLR
Sony has removed vulnerable kernel modules (SCTP)
Hardware probably not designed with security in mind
Big holes in the defensive features:
BadiRet not patched
Interrupt Descriptor Table (IDT) RW, no SMAP/SMEP
67/70 Game consoles security July 2016

143.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Conclusion |Questions |Paper
Conclusion
Every penny worths it when it comes to security
Attackers always target the weakest point
Attackers mix software and hardware, they do not
distinguish them
Security must be seen as a whole and complex system
issue
Hardware and software design teams must communicate
68/70 Game consoles security July 2016

144.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Conclusion |Questions |Paper
Questions
69/70 Game consoles security July 2016

145.
|Introduction |Playstation |Xbox |Xbox 360 |Playstation 3 |Playstation 4 |Conclusion
|Conclusion |Questions |Paper
Full paper (in French) can be downloaded here:
http://goo.gl/J37lSK
70/70 Game consoles security July 2016