PS3 hacked wide open

[Devia Eleven]

The private keys for the PS3 (and PSP) have been found.

 

Who did it? A hole in the encryption scheme of the PS3 was found by team fail0verflow. Geohot used the information to find and publicly post the keys. Mathieulh then did some digging in the PS3 and found the encryption keys for the PSP as well (the PS3 and PSP interchange content under certain situations).

 

What are keys? The reason game systems will only run official content is because the company in question (e.g. Sony, Nintendo, or Microsoft) builds the system so that it will only accept digitally "signed" content. This "signature" basically takes the form of a key used to encrypt/lock the game/program. If the system is presented with a program that doesn't have the key incorporated into it, it refuses to run it.

 

This is how game companies keep people from running pirated games (when copied, part of the signature/lock is destroyed, so to speak), and it's also how they keep a tight control over what content their system plays. If you're a game designer and you want to make a pornographic game for the Wii, you can't unless Nintendo specifically allows you to by signing your content, which of course they won't. This makes sure that the system isn't ruined by an influx of crappy games, as happened with systems before the NES's age. A game company uses this to make sure only "quality" games make it through... and it's a way of making sure they get a cut of the profits of each game, of course.

 

How does this relate to current hacks? This content authentication I described is present in every modern game system.

All the hacks/mods we're used to target these protection systems in order to disable them.

 

Softmodding a Wii?

A flash cart for the DS/i?

FreeMCBoot for the PS2?

A jailbreak dongle for the PS3?

Custom firmware for the PSP?

 

The purpose of each of those mods is to stop the system from checking for the signature.

 

What can we do with the keys? With the keys, we can sign our own programs. We no longer have to hack the PS3 in order to run custom content, because our programs will have the signature that the system checks for. This means that now, somebody can make a program that will run on ANY PS3, regardless of it's firmware version or whether it's been modded or not. This opens the doors for anybody with a PS3 to develop content (not just hackers), and you don't need a hacked PS3 to run anything they make. This blows the PS3 wide open.

 

Some of you may ask about the Wii's key we have. That is the common key, which is not the key used to sign content (that's the private key). Yes, this means that the PS3 is even more open than the Wii now.

 

How can Sony stop this?Unfortunately, their options are extremely limited, for the following reasons.

1. Everything for the PS3 is signed with the keys.
   If Sony was to release a firmware update to simply block things signed with these keys, it would block every PS3 game that currently exists.
    
    
   
2. Sony has no legal way to force people to not develop for their system in the first place.
   There are various laws in place allowing interoperability and compatibility. This is part of the reason that game systems use this type of security. Since game companies have no way to sue people or prevent them from developing for the system through laws, they require that the system only run things signed with a key, and then they simply refuse to give the key to anybody else. Unfortunately for them, the keys have been found by outsiders.
    
    
   
3. Sony could attempt to claim that possession or use of the keys are illegal, but that's on shaky ground.
   A "key" is really just a number (a really big one). Sony would have to convince the courts that knowledge of a certain number is illegal. While something like that might happen when it deals with national security or protecting citizens during a war, Sony's going to have a hard time convincing the courts to do it for a video game system.
   

For some background on the legal aspects... this same sort of thing happened with the encryption key for the HD DVD format, and while companies sent out many threat letters, no site was actually sued or taken to court over posting the key (even those like digg that did so defiantly). I'm not sure Sony has a legal way to stop people from using the key, at least in the US.

 

http://gbatemp.net/t272700-ps3-psp-private-keys-released

 

First PS3 custom firmware created.

 

http://gbatemp.net/index.php?showtopic=272...p;#entry3371338

 

[Robert]

I'd heard the PS3 was blown open but hadn't seen the details. Thanks.

 

Now at last we can buy one with the knowledge that soon it will run anything.

[Devia Eleven]

I was wondering why no one else posted anything about.

 

Glad I could help.

[Lucandrake]

So when can we expect to see useful exploits be produced from this?

[emsley]

Good job, how come these fuckers are making it take son long? crack and "law abiding" side too.

why didnt this shit get opened up a while back, hackers have seriously lost a battle here.

They supposed to give us faith.

[Devia Eleven]

At least we have "hackers" to work their magic. I couldn't care less about how long it takes.

[emsley]

At least we have "hackers" to work their magic. I couldn't care less about how long it takes.

 

This has taken too long.

[Inky]

you're just mad cuz you sold yours.

 

if they gave a $100 price cut I'd buy one now.

[emsley]

Im not mad dude - how the hell can sony shit burgers make this shit so secure?

It will soon turn into sky - insane encryption every second of the day.

[Hard Core Rikki]

The PSP's master keys got pilfered too.

Now's the time to get a PSP-Go, I'd say. Homebrewers have made UMD games run on it, and the handheld sells for dirt cheap with a number of free downloadable games.

 

So when can we expect to see useful exploits be produced from this?

Exploits are not necessary anymore. The system is fully open now, and any countermeasures Sony might produce would be countered easily enough. As long as it's something PS3's can execute as official code from Sony (its not supposed to be possible to bypass all the protective layers of the hypervisor).

 

I suspect we'll start seeing mandatory internet activation tokens and initialization for offline games and hdd installs. With cartridges, onboard chips couldve been considered but blurays cant pack anything like that.

Also, games might chip 'incomplete' for that reason (like with Steam games not yet released officially. The missing code that is made available online only after release dates ensures noone can play games without at least a small enough, relatively identifiable base going through that activation thing).

Edited January 7, 2011 by Hard Core Rikki

[Devia Eleven]

It's all good now.

 

Castlevania - First Backup Working From 3.55 Geohot CFW

 

With the recent release of Geohot's 3.55 custom firmware, it was only a matter of time, before backups would be up and running. News is coming in that a user named Riku.kh3 has accomplished just that. He has managed to run Castlevania: Lords of Shadow from his internal hard drive, while on Geohot's 3.55 Custom Firmware. He achieved this by patching the game's main executable file (EBOOT.BIN) and making the PS3 think it's a PSN game.

 

Download: CastlevaniaLOD_BLES01047_signed_byRikuKH3.rar (33.56 MB)

 

Originally Posted by riku.kh3 View Post

Castlevania: Lords of Shadow (BLES01047) signed&packed EBOOT (33.5MB)

 

Multiupload.com - upload your files to multiple file hosting sites!

 

1) Install PKG file.

2) Transfer contents of USRDIR folder, EXCEPT EBOOT.BIN, to /devhdd0/game/BLES01047/USRDIR/

 

Thats all! Tested! The game will work from XMB on retail nonJB 3.41, 3.55 and future versions.

 

OK, here's the guide to patch your own games:

1) Download and compile latest tools from git.fail0verflow.com Git (old versions of unself produce incorrect ELF)

2) Extract ELF from SELF

3) Hexedit ELF, find and replace dev_bdvd to correct path on dev_hdd0 (not all, but most games require this step)

4) Build NPDRM SELF using Geohot's tools

5) Build package using psn_package_npdrm

6) Patch your builded package using Geohot's tool (only for 3.55 firmware)

That's it. If you can't follow this guide, more detailed guide won't help you.

 

This also works from 3.41, with no jailbreak dongle, video below (courtesy of TheRuler):