Hacking State of the PS3 technical discussion.

FAST6191

Techromancer
OP
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,348
Country
United Kingdom
<b>Intro</b>
We have many threads on "ooh PS3 stuff" and speculation based on I am not sure (well we all have ideas but elaboration as to their source would not endear people to each other). Personally I quite enjoy the tech behind it all and I am making efforts to try and piece it all together in my head and not being the only one I thought I would try to make a thread so as to weather the present storm and not have to play catch up as and when it passes.
As a sort of thread rule moralising can be left for somewhere else, baselessly comparing this to other consoles and their hacks is not that welcome (granted I am set to ignore this suggestion several times in the upcoming post) and it should go without saying the "gimme brutally simple/cheap/works for what I have in my pockets PS3 iso loader" will not go over well either- there might be people who look like they can solve this ultra important request but rest assured the skills needed to make such a thing complete with shiny table effect for game covers are not necessarily the people replying here. All such questions have their place but this is not it, there will be several news threads for new and interesting things as the days go on (we are still very much in the midst of the initial rush)- this thread will not be kept up to date with every small thing in such a world but anything important should get edited in somewhere (for example- someone makes a resigned update with a hack type payload- interesting, a second person makes a minor bugfix to the first- not so much, a third person does a full blown ASM level hack where the old one did something at a file level- interesting, another ASM hack- case by case basis).
I do not have all the answers, in the initial incarnation this thread will probably have very few and I would be shocked if there were no technical mistakes in it either.
Keys much like roms attract unnecessary attention so try to avoid sharing them. They might be legal according to your reading/case law but a throwaway case/C&D fired at us means unnecessary hassle for something so useless to the conversation and so easy to find (if you found yourself here to discuss the aesthetic appeal of the numbers at hand we apologise).
Likewise the "jailbreak" is not dead and buried just yet but it is set to be increasingly irrelevant- the video below deals with the operation of it if you want more and lots of USB reverse engineering work has gone on in recent months. What you need to know is that it replaces the gameOS with a custom (hacked) one that allows certain things. At this very moment in time "jailbreak grade" replacements have not been replicated with the "hacks" that follow but the foundations have been put in place for it.
Where it ends up I have no idea- discussion rather than wiki/FAQ would be what I have in mind when posting this.

<b>The thread proper</b>
First the 27c3 presentation that kicked this current wave off.
Youtube link
<a href="http://www.youtube.com/watch?v=5E0DkoQjCmI" target="_blank">http://www.youtube.com/watch?v=5E0DkoQjCmI</a> naturally you can download from youtube but the link below is likely to be a better copy.
<a href="http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/?C=M;O=A" target="_blank">http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/?C=M;O=A</a> (page search 4087) if you want a nice download.
<a href="http://events.ccc.de/congress/2010/wiki/Documentation" target="_blank">http://events.ccc.de/congress/2010/wiki/Documentation</a> <- main list of download mirrors among other things.
The 27c3 presentation covered the "getting there" more than adequately and in and of itself it is a fascinating watch but this is a forward looking thread and secondly much of the talk is effectively redundant in light of the end result of it.

<i>PS3 architecture</i>
For the PS3 CPU otherwise known as "cell" architecture see <a href="http://phrack.com/issues.html?issue=66&id=13#article" target="_blank">http://phrack.com/issues.html?issue=66&id=13#article</a> as it is far more in depth than is viable here.

A nod to the 27c3 presentation itself as it provides the basis for the following.

All modern computers with aspirations towards being secure layer/abstract security- see CPU rings for your PC for example, a method that is taken to the extreme in the cell processors (see SPU/SPE). This layer stuff ultimately manifests as the ultra simplified list as follows:

<u>hypervisor</u>- this keeps things in line and makes sure the lower pieces of code do not get ideas above their station. It has been mapped and more or less reverse engineered in a previous round of hacking. <a href="http://www.eurasia.nu/wiki/index.php/PS3_Hypervisor_Reverse_Engineering" target="_blank">http://www.eurasia.nu/wiki/index.php/PS3_H...rse_Engineering</a>

<u>gameOS or otherOS (a more locked down version of gameOS)</u>- the level tied to appldr in the various pieces of documentation (certainly one appears to need appldr keys to fiddle around with games themselves). This is what the fail0verflow team's "AsbestOS" is a replacement for and what the jailbreaks poke around.

<u>games themselves</u>- these come in the SELF format (although there are other wrappers for various things, see PSP/PS3 PKG Decrypter & Extractor v.1.0.0.0) which much like many executable formats is a tweak on the common format known as ELF.
<a href="http://ps3wiki.lan.st/index.php/Self_file_format" target="_blank">http://ps3wiki.lan.st/index.php/Self_file_format</a> - there are several slight variations for PSN content and system content.
<a href="http://www.eurasia.nu/wiki/index.php/PS3_SELF_File_Format_and_Decryption" target="_blank">http://www.eurasia.nu/wiki/index.php/PS3_S..._and_Decryption</a>
SELF, ELF, PRX and SPRX (PS3 DLL equivalents) modules for IDA are available from XORloser ( <a href="http://xorloser.com/" target="_blank">http://xorloser.com/</a> ). You will need decrypted files but tools for that have been available for a short while at this point (alas the best link I have found also has keys). PS3-decrypt-tools, Waninkoko's FWtool, PUPXtractor_v0.3_by_Ac_K and Kataroks ps3utils to name but a few choice things. Most are command line but should have usage with them (equally many are available if not originally made for linux type systems).
The PS3 games that were loader locked out of the jailbreak capable firmwares now can be made to work (certain places were distributing hacked files for it) simply by decrypting the EBOOT.BIN file and changing the relevant required version string. Granted it will probably become irrelevant as we can sign updates but depending on how the firmware works it might be the case that a new SDK will add new calls that do not exist on old firmware versions.

<i>Keys- what are there?</i>
As much as categorising is awful there are two schools of encryption in the world- symmetric and asymmetric. Both are used at various points in the PS3 to do various things but the big news is that Sony messed up the asymmetric part to such an extent that some simple maths drummed up the signing/encrypting keys for PS3 from those used to do the checking/decrypting but the presentation covered all that- long story short if you have the keys you can have your software appear as official code without relying on any bugs that can be fixed.
For a basic intro to ECC and indeed some of the ideas behind cryptography in general <a href="http://math.arizona.edu/~mleslie/files/ecc.pdf" target="_blank">http://math.arizona.edu/~mleslie/files/ecc.pdf</a> and <a href="http://faculty.colostate-pueblo.edu/dawn.spencer/Security/WP-ECCprimer.pdf" target="_blank">http://faculty.colostate-pueblo.edu/dawn.s...P-ECCprimer.pdf</a> are pretty good. The actual signing code is ECDSA (based on the same thing/maths though), more at <a href="http://security.ece.orst.edu/koc/ece575/papers/ecdsa.pdf" target="_blank">http://security.ece.orst.edu/koc/ece575/papers/ecdsa.pdf</a> (this one is a bit more technical and somewhat dry if you are not versed in the concepts).
There are various ones for various things and revisions of them but getting them is an almost trivial matter from this point forward.
To save looking for those not in the know "iv" stands for initialisation vector (the PS3 and so the PS3 hackers use the term "RIV")- it is a way to help lessen or mitigate identical (or nearly identical) things, such as headers for the code, when being encoded multiple times and things being gleaned about the original data.

<i>How they might be useful.</i>

That we have keys means that we can sign anything to appear as official- in the case of the wii we had to trick it into thinking it was official (see trucha bug- <a href="http://debugmo.de/2008/03/thank-you-datel/" target="_blank">http://debugmo.de/2008/03/thank-you-datel/</a> ) and a similar thing was done at some level on the 360 for the homebrew there. The original xbox and several other pieces of hardware used or have used bad encryption algorithms that have holes in <a href="http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System#The_TEA_Hash" target="_blank">http://www.xbox-linux.org/wiki/17_Mistakes...em#The_TEA_Hash</a> for example. This is much like the hole in the encryption example (it will be as far as the console is concerned official but rather than there actually being a hole instead we have the keys to the kingdom).

Much of what many people will want can be accomplished by just resigning the game files and carrying on with life, those that aspire to greater things will look higher up in the hierarchy- each lower level will call up the chain to do some of the more interesting things and those higher levels will shoot down anything that they (Sony) did not want happening.

<b>PSN (online play for PS3)</b>

Much has been said regarding the sending of logs/lists and the like. To ignore the intro to the thread (primarily as what follows is speculation) it is worth looking at the 360 (specifically JTAG) and other "secure transactions" (27c3 also provided another great video on "chip and pin" in payment cards <a href="http://www.youtube.com/watch?v=PWnH_yblgTc" target="_blank">http://www.youtube.com/watch?v=PWnH_yblgTc</a> ).
The amount of games allowing "LAN"/system link type play is vanishingly small ( <a href="http://www.co-optimus.com/system.php?id=2&sort=lan&direction=ASC" target="_blank">http://www.co-optimus.com/system.php?id=2&...p;direction=ASC</a> , even smaller than the 360) and most modern games have extensive server side backends so replicating a server or even the entire PSN setup is not necessarily that viable (there might be options for cross platform games including the PC but it is likely to be a full blown hacking project).

Here assuming total control of the console as we now have the trick comes in making the handshake mechanisms undetectably the same. This is where some are possibly quite right to look at the custom firmwares with apprehension- detectability comes in many forms but the hardest are things like timing. Likewise obfuscation can be used by those wanting to hide the intended purpose of things in their code (even DS AP developers use such techniques on occasion). Essentially it is a reversal of the parties in the old security phrase- attacking means you just have to find one weakness, defending means trying to make it so you have none. As mentioned though a custom loader (or indeed patches for the existing one) allow for a lot of nice things to be done to the existing loader (one need look no further than the PRX stuff for the PSP and the rebooter/dashlaunch patches for JTAG 360s or even the menu patchers for the wii (startpatch, starfall and the like) and depending on how far you are willing to push the definition the (in game) loaders and hooks used by DS slot flash cards can fall under that banner too).

What also remains to be seen is how effective a ban might be- the 360 bans an entire key vault which under certain conditions can be replaced (although not as of the August 2009 update as you can not get your current key to allow replacement)- the wii and DS (the wii is more common, the DS stuff only happened to a select few people most notably Parasyte who did a lot of early cheat work) use a mac address which is held in memory (able to be bypassed with a cheat) in the case of the wii or flash (able to be overwritten at will) on the DS. There will always be "impossible score" and statistical analysis type options available to the PSN mods/ban crew however.

Not wishing to examine the "hacking scene" in depth traditionally the "you do not mess with online services", "you hack- you lose online" and other similar mindsets are deep rooted among those that make and distribute high grade hacks that these custom firmwares/patches will be categorised as.

<b>What is/should be being looked into</b>
<i>PUP files</i> (update packages- as we can sign anything it should ultimately be as simple as running an update.) Decryption tools are available, <a href="http://www.eurasia.nu/wiki/index.php/Ps3OsRels" target="_blank">http://www.eurasia.nu/wiki/index.php/Ps3OsRels</a> has a nice list if you fancy. KaKaRoTo made a script to allow you to hack an update to contain a basic pkg loader.

<i>"rebooter"/in memory replacement for various things</i>- depending on how you look at it many of the consoles effectively have a bypass on the way to the "hacked mode" (the wii does, the 360 JTAG stuff does). It might also be enough for something like a "PS3 time machine" for different firmwares/updates (granted a "best of the PS3" thing will probably hit at some point).

<i>Dashboard hacking</i>- Sony seem to have made a nice dashboard to hack if the posts are to be believed.

<i>"PRX" files</i>- these are plugins after a fashion (as far as I am aware they sit at the gameOS level). The main priority (presumably after hello prx world and minor tweaks to existing ones) is probably an in game debugger/memory poker (technically this is a cheat engine although true cheat engines will have more features aimed at allowing more elaborate cheats- with modern coding practices simple memory editing tends to get tricky to do anything good with) and maybe a PRX as "one time" hack loader (no PRX no hacks- a "stock" PS3).

<strike>Presumably finishing off the key collection/versioning.</strike>- aside from extracting PSP keys and making them available this one has been done.

<i>NPDRM work</i>- NPDRM is a version of SELF for internal hard drive use (typically seen in games purchased online) as well as a few other things.

<i>Game hacking proper</i>- we do love us some "rom" hacking around here. There are not so many Japanese only titles so translations may not be the order of the day. If it is anything like the 360 XBLA though the PSN download stuff is likely to be ripe for hacking- simple games, simple formats and a lot of scope for modification. Similarly replicating PC game hacks on the consoles is always fun (looking at stuff like Oblivion- <a href="http://www.uesp.net/wiki/Oblivion:Xbox_360" target="_blank">http://www.uesp.net/wiki/Oblivion:Xbox_360</a> )
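The post above says SELF is "a tweak on the common format known as ELF" and that the IDA modules want decrypted files. The block below is an added example, not code from the thread or from any of the tools it names: it parses and sanity-checks a 64-bit ELF header, which is the inner layer the SELF wrapper carries. The sample header is constructed here with struct.pack to look like a big-endian PowerPC64 executable (EM_PPC64 = 21, the machine type of a Cell PPU binary, which is an assumption not stated on the page); the SELF/SCE wrapper itself is not parsed.

```python
"""Parse and sanity-check a 64-bit ELF header.  Added example, not code from
the thread; the sample header is constructed with struct.pack to resemble a
big-endian PowerPC64 executable.  The SELF wrapper is deliberately left out."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2MSB = 2, 2
EM_PPC64 = 21                       # assumed machine type of a PPU binary
ET_EXEC = 2
# Fields after the 16-byte e_ident: type, machine, version, entry, phoff,
# shoff, flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx (48 bytes)
ELF64_TAIL = "HHIQQQIHHHHHH"
FIELD_NAMES = ("type", "machine", "version", "entry", "phoff", "shoff",
               "flags", "ehsize", "phentsize", "phnum", "shentsize", "shnum",
               "shstrndx")


class ElfError(ValueError):
    """Raised for anything that is not a well-formed ELF64 header."""


def parse_elf64_header(data):
    """Return a dict of header fields, raising ElfError on malformed input."""
    if len(data) < 64:
        raise ElfError("input shorter than an ELF64 header (64 bytes)")
    ident = data[:16]
    if ident[:4] != ELF_MAGIC:
        # A still-wrapped or still-encrypted file fails right here
        raise ElfError("missing ELF magic; file is not a plain ELF")
    if ident[4] != ELFCLASS64:
        raise ElfError("not a 64-bit ELF")
    endian = ">" if ident[5] == ELFDATA2MSB else "<"
    hdr = dict(zip(FIELD_NAMES, struct.unpack(endian + ELF64_TAIL, data[16:64])))
    hdr["big_endian"] = endian == ">"
    if hdr["ehsize"] != 64:
        raise ElfError("e_ehsize %d does not match an ELF64 header" % hdr["ehsize"])
    # The program header table must lie inside the data we were given
    if hdr["phnum"] and hdr["phoff"] + hdr["phnum"] * hdr["phentsize"] > len(data):
        raise ElfError("program header table runs past end of input")
    return hdr


def describe(data):
    """Convenience wrapper: field dict on success, error text on failure."""
    try:
        return parse_elf64_header(data)
    except ElfError as exc:
        return str(exc)


def build_sample_header():
    """Constructed header for a big-endian PPC64 executable with one program
    header entry; not taken from any real game."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2MSB, 1, 0]) + b"\0" * 8
    tail = struct.pack(">" + ELF64_TAIL,
                       ET_EXEC, EM_PPC64, 1,   # type, machine, version
                       0x10200,                # entry point (constructed)
                       64, 0, 0,               # phoff, shoff, flags
                       64, 56, 1,              # ehsize, phentsize, phnum
                       64, 0, 0)               # shentsize, shnum, shstrndx
    return ident + tail + b"\0" * 56            # room for the one program header


if __name__ == "__main__":
    hdr = parse_elf64_header(build_sample_header())
    print("machine=%d big_endian=%s entry=0x%x" %
          (hdr["machine"], hdr["big_endian"], hdr["entry"]))
    print(describe(b"NOPE" + b"\0" * 60))
```

Run against a real decrypted binary by reading its first 120 bytes or so into parse_elf64_header; a file that is still wrapped or encrypted is rejected at the magic check, which is a quick way to tell whether a decryption tool actually produced a plain ELF.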
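The "Keys" section above says that "some simple maths" turned the verification side of Sony's ECDSA into the signing keys. The block below is an added example, not code from the thread or from the 27c3 talk, written to show the property that makes this possible and the check a signer should run against their own output: on a textbook toy curve (y^2 = x^3 + 2x + 2 mod 17, generator (5, 1) of prime order 19) it signs two message hashes with the same nonce k, shows both signatures verify, flags the repeated r value, and shows that the private key follows from the pair. The private key, nonce and message-hash values are constructed for illustration; nothing here is a PS3 key or curve.

```python
"""Toy ECDSA on y^2 = x^3 + 2x + 2 (mod 17), generator (5, 1) of prime
order 19, used to show why a signing nonce must never be reused.  Added
example; the key, nonce and hash values below are constructed."""
from collections import Counter

P_MOD = 17          # field prime
A = 2               # curve coefficient a
G = (5, 1)          # generator
N = 19              # order of G (prime)


def inv(x, m):
    """Modular inverse by Fermat; every modulus used here is prime."""
    return pow(x % m, m - 2, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                              # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def sign(d, z, k):
    """ECDSA signature of reduced message hash z under private key d with
    nonce k.  A real signer draws k fresh and uniformly at random for every
    signature (or derives it per-message as RFC 6979 does); k is a parameter
    here only so that reuse can be demonstrated."""
    r = ec_mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another")
    return (r, s)


def verify(Q, z, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    point = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, Q))
    return point is not None and point[0] % N == r


def recover_private_key(z1, sig1, z2, sig2):
    """Two signatures sharing r (hence the same k) give away k and then d:
    s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2)
    s1 = k^-1 (z1 + r d)      =>  d = (s1 k - z1) / r
    Returns None when the pair does not share a nonce."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    k = (z1 - z2) * inv(s1 - s2, N) % N
    return (s1 * k - z1) * inv(r1, N) % N


def repeated_r(signatures):
    """Signer-side audit: r values seen more than once in a batch of
    signatures made under one key.  Any hit means a nonce was reused."""
    counts = Counter(r for r, _ in signatures)
    return sorted(r for r, c in counts.items() if c > 1)


if __name__ == "__main__":
    d = 5                      # constructed private key
    Q = ec_mul(d, G)           # public key, (9, 16)
    z1, z2 = 4, 9              # constructed, already-reduced message hashes
    sig1 = sign(d, z1, k=3)    # same nonce both times
    sig2 = sign(d, z2, k=3)
    print("both verify:", verify(Q, z1, sig1), verify(Q, z2, sig2))
    print("repeated r:", repeated_r([sig1, sig2]))
    print("recovered d:", recover_private_key(z1, sig1, z2, sig2))
```

The audit in repeated_r is the cheap check: a signer (or anyone holding a pile of a vendor's signatures) only needs to look for a duplicated r to know the nonce was not fresh, and with the toy numbers you can follow the two modular divisions by hand. On a real curve the arithmetic is identical, just with 256-bit values.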
 

Cyan

GBATemp's lurking knight
Former Staff
Joined
Oct 27, 2002
Messages
23,749
Trophies
4
Age
46
Location
Engine room, learning
XP
15,662
Country
France
About the idea of redirecting the PSN access to a private PSN server running on a computer, I guess we would need to understand the communication between the PS3 and the PSN. For the moment, these communications are all encrypted (AES?).

Do you think this communication can be intercepted before the encryption process?
Maybe like a packet-sniffing homebrew?
 

FAST6191
You probably could hack a dash to dump relevant session keys (or allow us to hose the random number generators so they pick from a few known ones), the keys we now have as part of these developments for the PS3 should then sort enough of the public key stuff (this is assuming they did not mess this up as well and give us private keys for PSN) and use conventional sniffing/packet dumping attacks to sort out the "simple" PSN communications- redirecting would just be a matter of VPN and/or hosts/firewall rules as we have all done for years.

The real trick would be figuring out the server backend- games and for that matter services like PSN are increasingly carrying large amounts of data/running code on the servers and leaving the games/consoles/clients themselves with little to do (you send a request- the server then does a load of work and sends you back something). Depending on the game you might need a full server implementation (score tables, lobbies, messaging and beyond) and/or a series of extensive hacks to the game (how often have we seen something error out when something not essential in the grand scheme of things is not present).

We had a similar discussion the other week for the wii http://gbatemp.net/t266793-possible-to-mak...vate-wfc-server and there is another half decent one for those considering trying something like it for XBL on the 360 http://www.xboxhacker.org/index.php?topic=12986

Definitely possible and many things made easier by virtue of us now "owning" the PS3 but still loads of work to try and pull it off.
 

Cyan
Thank you for the answer and the links.
After the recent events nobody knows where the scene is going, it will certainly stabilize by itself and we will find a way to develop homebrew more efficiently.
I will only wait and follow the scene's news as always. I spend more time reading and learning than testing or playing.
 
