
27th Chaos Communication Congress

Console Hacking 2010


PS3 Epic Fail
bushing, marcan, segher, sven

Wednesday, 29 December 2010

Who are we?

In 2008 at 25c3 these teams worked together as 'WiiPhonies'
We won the 25c3 CTF
We changed our name to 'fail0verflow'

Not trademark infringing
The domain was available
The ratio of fail to win is high.

We've been collaborating on various embedded and thought-expansive projects, the most famous of which, the one that hit the press earlier this year, was the full reconstruction of the $REDACTED, allowing $REDACTED to be completely broken. That was a fun couple of weeks.

Wii had a good run

3 years, 9 firmware updates, 1 real feature
73 mil. consoles, 30 mil. vuln. bootloaders
1 million users of Homebrew Channel

Timeline, 2006 to 2011

Wii: Drivechips, Twiizer Attack, Twilight Hack, Homebrew Channel, Bannerbomb, Indiana Pwns, Bannerbomb for 4.2, latest update broken

Xbox 360: Drive firmware hacked, King Kong Hack, JTAG Hack

PS3: OtherOS, RSX exploit, slim w/o Linux released, Geohot's hack, Linux removed, Jailbreak, Downgrade, this talk :)

Devices, their security measures, and how long they lasted

device    year  hacked after       security
PS2       1999  ?                  ?
dbox2     2000  3 months           signed kernel
GameCube  2001  12 months          encrypted boot
Xbox      2001  4 months           encrypted/signed bootup, signed executables
iPod      2001  <12 months         checksum
DS        2004  6 months           signed/encrypted executables
PSP       2004  2 months           signed bootup/executables
Xbox 360  2005  12 months          encrypted/signed bootup, encrypted/signed executables, encrypted RAM, hypervisor, eFuses
PS3       2006  4 years            encrypted/signed bootup, encrypted/signed executables, hypervisor, eFuses, isolated SPU
Wii       2006  1 month            encrypted bootup
AppleTV   2007  2 weeks            signed bootloader
iPhone    2007  11 days            signed/encrypted bootup/executables
iPad      2010  1 day              signed/encrypted bootup/executables

The PS3 row starts out as "not yet" and is struck through and replaced by "4 years" as the slides build up.

hacked for (row values as listed on the slide; the PS3 entry "Homebrew Piracy" is added in the later builds):
piracy | Linux | Homebrew | Linux | Homebrew | Linux | Homebrew | Homebrew | Linux | Homebrew | Homebrew Piracy | Linux | Linux | Homebrew, SIM-Lock | Homebrew

effect (row values as listed on the slide; the PS3 entry "piracy" is added in the later builds):
pay TV decoding | piracy | piracy | piracy | piracy | leaked keys | piracy | piracy | Front Row | piracy | piracy | piracy

PS3 Architecture

The Cell Broadband Engine
[Figure: Cell Broadband Engine block diagram. Source: IBM]

SPU Isolation
[Figure: SPU local store in isolation mode, marked at 0x00000, 0x3e000 and 0x40000. Source: IBM]

Privilege levels: LV1 / Hypervisor, LV2 / GameOS, Problem State / Games, SPU

Boot chain, as built up on the slides:
metldr
lv0ldr
lv0
metldr / lv1ldr
lv1
metldr / lv2ldr
lv2

Security features by console: Xbox, Wii, 360, PS3 (ticked per console on the slide, one row per build)

On-die bootROM
On-die key storage
Public-key crypto
Chain of trust
Per-console keys
Signed executables
Security coprocessor
Full media encryption and signing
Encrypted storage
Self-signed storage
Memory encryption/hashing
Hypervisor
User/kernel mode
Anti-downgrade eFUSEs

Stamp on the slide: BYPASSED

OtherOS
Not supported on the PS3 Slim

You have earned a trophy: Draw Attention

Geohot Exploit
XDR RAM Glitching Attack

[Diagram, built up over several slides: RAM, Kernel, Hypervisor and the HTAB; by the end an HTAB is drawn under the Kernel as well as under the Hypervisor]

You have earned a trophy: Hypervisor Exposed

OtherOS
Forcibly removed on the PS3 Fat

You have earned a trophy: Pissed Off Hackers

PSJailbreak

(And over 9000 clones)

PSJailbreak Exploit

PSJailbreak: a Hub with PWN1, PWN2, PWN3, PWN4, JIG and FINAL behind it

Device 1: TL = 0xF00, CONFIGURATION #1 .. #4, INTERFACE #1, PAYLOAD

Device 4: TL = 0x12, CONFIGURATION #1, INTERFACE #1; then CONFIGURATION #2

Device 2: TL = 0x16, CONFIGURATION #1, INTERFACE #1, 04 21 B4 2F

Device 4 again: TL = 0x12, CONFIGURATION #1, INTERFACE #1, with device 2's CONFIGURATION #1 (04 21 B4 2F) drawn in the same place as CONFIGURATION #2, which now reads TL = 0x2FB4

C++ Objects: VTABLE POINTER, INTERFACE OBJECT #N, #N+1, #N+2; CONFIGURATION #3 / INTERFACE #1 is drawn over INTERFACE OBJECT #N+1, and its VTABLE POINTER becomes a PAYLOAD POINTER

Device 3: CONFIGURATION #1 .. #2, INTERFACE #1 .. INTERFACE #11 ...........

You have earned a trophy: LV2 Code Execution
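The descriptor walk above turns on one thing: a length the device declares (TL = 0x2FB4) versus the bytes it actually sent (0x12). Added example, not code from the talk or from the PS3: a Python parser for a USB configuration descriptor that checks every device-supplied length against what was received before using it to count or index anything. Field names follow the USB specification; the function and class names and the three sample descriptors are constructed for this example.

```python
import struct

# Sizes and type codes from the USB 2.0 specification (chapter 9).
CONFIG_DESC_LEN = 9
INTERFACE_DESC_LEN = 9
DT_CONFIGURATION = 2
DT_INTERFACE = 4


class DescriptorError(ValueError):
    """Raised for any descriptor whose declared sizes disagree with the bytes received."""


def parse_configuration(data, max_interfaces=16):
    """Parse one configuration descriptor and the descriptors that follow it.

    `data` is exactly what the host read back for this configuration. Every
    length field comes from the device and is treated as untrusted: it is
    compared with len(data) before it is used to index or count anything.
    """
    if len(data) < CONFIG_DESC_LEN:
        raise DescriptorError("configuration descriptor shorter than 9 bytes")
    (b_length, b_type, w_total, n_ifaces, cfg_value,
     _i_cfg, _attrs, _max_power) = struct.unpack_from("<BBHBBBBB", data, 0)
    if b_length != CONFIG_DESC_LEN or b_type != DT_CONFIGURATION:
        raise DescriptorError("not a configuration descriptor")
    # The declared total length must fit inside what was actually received.
    if w_total > len(data):
        raise DescriptorError("wTotalLength 0x%x exceeds the 0x%x bytes received"
                              % (w_total, len(data)))
    if w_total < CONFIG_DESC_LEN:
        raise DescriptorError("wTotalLength smaller than the configuration descriptor")
    if n_ifaces == 0 or n_ifaces > max_interfaces:
        raise DescriptorError("bNumInterfaces %d outside 1..%d" % (n_ifaces, max_interfaces))

    interfaces = []
    off = CONFIG_DESC_LEN
    while off < w_total:
        if w_total - off < 2:
            raise DescriptorError("truncated descriptor header at 0x%x" % off)
        d_len, d_type = data[off], data[off + 1]
        # Each sub-descriptor must also lie entirely inside wTotalLength.
        if d_len < 2 or off + d_len > w_total:
            raise DescriptorError("descriptor at 0x%x overruns wTotalLength" % off)
        if d_type == DT_INTERFACE:
            if d_len != INTERFACE_DESC_LEN:
                raise DescriptorError("interface descriptor with bLength %d" % d_len)
            number, alt, n_ep, cls, sub, proto, _i_str = struct.unpack_from("<7B", data, off + 2)
            interfaces.append({"number": number, "alt": alt, "endpoints": n_ep,
                               "class": cls, "subclass": sub, "protocol": proto})
        off += d_len
    if off != w_total:
        raise DescriptorError("descriptor chain does not end exactly at wTotalLength")
    # Interface objects get created from this list later; its size must match what
    # the header promised, so nothing is allocated or indexed on a mismatch.
    if len({i["number"] for i in interfaces}) != n_ifaces:
        raise DescriptorError("bNumInterfaces disagrees with the interface descriptors present")
    return {"total_length": w_total, "num_interfaces": n_ifaces,
            "value": cfg_value, "interfaces": interfaces}


def check(data):
    """Return (True, parsed) or (False, reason) so a caller can log the rejection."""
    try:
        return True, parse_configuration(data)
    except DescriptorError as exc:
        return False, str(exc)


# Constructed sample descriptors (not captured from a real device).
INTERFACE_0 = bytes([9, DT_INTERFACE, 0, 0, 0, 0xFF, 0, 0, 0])
# Consistent: bLength 9, type 2, wTotalLength 0x0012, 1 interface, value 1.
GOOD_DESCRIPTOR = bytes([9, DT_CONFIGURATION, 0x12, 0x00, 1, 1, 0, 0x80, 50]) + INTERFACE_0
# The same 18 bytes on the wire, but wTotalLength claims 0x2FB4.
BAD_DESCRIPTOR = bytes([9, DT_CONFIGURATION, 0xB4, 0x2F, 1, 1, 0, 0x80, 50]) + INTERFACE_0
# Length consistent, but bNumInterfaces promises 2 and only one interface follows.
MISMATCH_DESCRIPTOR = bytes([9, DT_CONFIGURATION, 0x12, 0x00, 2, 1, 0, 0x80, 50]) + INTERFACE_0

if __name__ == "__main__":
    for name, desc in (("good", GOOD_DESCRIPTOR), ("bad", BAD_DESCRIPTOR),
                       ("mismatch", MISMATCH_DESCRIPTOR)):
        print(name, check(desc))
```

The parser never allocates or indexes from a number the device supplied until that number has been bounded by the byte count the host itself knows; a stack that enforces this at the descriptor layer gives a later object layer nothing inconsistent to work with.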

No W^X in LV2
Any old exploit == code execution

Hypervisor allows unsigned code
It happily marks pages as executable and plays no role in enforcing that only trusted code runs

Results
LV2 GameOS compromised
LV1 Hypervisor NOT compromised
Secure SPE NOT compromised

You have earned a trophy: Piracy

Fail Security Model

The hypervisor does not enforce LV2 and game integrity
You can just patch LV2 to run games from HDD

Security features by console (Xbox, Wii, 360, PS3), recap: the stamps on the table now read BYPASSED and USELESS, then INEFFECTIVE as well.

Downgrades

Sony fixed the exploit
Service mode triggered by USB JIG
HMAC authenticated, keys dumped
Leaked service app used to enable downgrades

You have earned a trophy: More Piracy

AsbestOS

Replace LV2/GameOS in memory
OtherOS mode and GameOS mode are virtually identical
Except GameOS can do more stuff, e.g. 3D
Run Linux again (even on the Slim!)
Use NetRPC to remote-control the PS3 and experiment...

SELFs

SELF layout:
SCE header
ehdr + phdr
encrypted metadata key
metadata
ECDSA signature
ehdr + phdr (again...)
phdr #0 data #0
phdr #1 data
...
phdr #N data

The part from the repeated ehdr + phdr onwards is the ELF. Keys on the diagram: the loader key, used with AES, at the encrypted metadata key; the SELF key, used with AES + SHA-1, at the section data.

The Oracle

Sony's idea: No one can see our code!
... unless the PPE is compromised
Decrypting all code possible from GameOS
But we want keys!

You have earned a trophy: Obfuscation useless

Security coprocessor pointless!

Security features by console (Xbox, Wii, 360, PS3), recap: the stamps on the table now read BYPASSED, USELESS, INEFFECTIVE and POINTLESS (the security coprocessor).

Chain of Trust

Name       Processor / Mode   usage
bootldr    SPE                boot lv0
lv0        PPE HV             boot lv1
metldr     SPE                run *ldr
lv1ldr     SPE                decrypt lv1
lv1        PPE HV             hypervisor
isoldr     SPE                decrypt modules
sc_iso     SPE                ...
lv2ldr     SPE                decrypt lv2
lv2        PPE SV             kernel
appldr     SPE                decrypt games
some game  PPE PS             :-)

The slide also marks each stage as updateable and/or revocable* (*as per Sony's specification).

Breaking loaders

lv2ldr local store: revocation list buffer rvk_isolated, lv2ldr code, revocation list buffer rvk_shared

    memcpy(rvk_isolated, rvk_shared, *((int *)(rvk_shared + 0x1c)))

You have earned a trophy: Breaking loaders

Obtained AES keys
6692d179032205 82592e77a204a8 1b91b9b73c68f9 b3b9accda43860 2901308bbd685c 672f11cedf36c5 07ebd2779e3e71 1d6b501ae0f003

Only a bug in isolated loaders
Chain of Trust already broken for all sold consoles now.

You have earned a trophy: Chain of Fail

This is Fail. But it's not Epic yet...
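The memcpy on the slide takes its byte count from the buffer it is copying, so the length word is exactly as untrusted as the rest of rvk_shared. Added example, not code from the talk or from any PS3 loader: a Python model of that copy against a byte array standing in for the local store, with the checked version beside it. The layout assumed here (a length word at offset 0x1c counting the whole list, a 64-byte destination followed by a code region) is constructed for the example; only the offset 0x1c and the memcpy itself come from the slide.

```python
import struct

LEN_OFFSET = 0x1c        # where the list's length word sits (from the slide)
RVK_CAPACITY = 64        # assumed size of the rvk_isolated buffer
CODE_SIZE = 32           # assumed size of the code region that follows it
CODE_FILL = 0xC0         # marker byte so an overwrite of "code" is visible


def make_revocation_list(entries, claimed_len=None):
    """Construct a revocation list: 0x1c bytes of header, a big-endian 32-bit length
    covering the whole list, then 32-bit entries. `claimed_len` lets the length word
    lie; the buffer is padded with 'A' so the lie is backed by real bytes."""
    body = b"".join(struct.pack(">I", e) for e in entries)
    true_len = LEN_OFFSET + 4 + len(body)
    length = true_len if claimed_len is None else claimed_len
    buf = bytearray(LEN_OFFSET) + struct.pack(">I", length) + body
    if len(buf) < length:
        buf += b"A" * (length - len(buf))
    return bytes(buf)


def fresh_local_store():
    """rvk_isolated at offset 0, the loader's code right after it."""
    return bytearray(RVK_CAPACITY) + bytearray([CODE_FILL]) * CODE_SIZE


def unchecked_copy(ls, rvk_shared):
    """memcpy(rvk_isolated, rvk_shared, *(int *)(rvk_shared + 0x1c)) as on the slide.
    The constructed inputs always supply at least n bytes; min() only keeps the
    model inside the byte array."""
    n = struct.unpack_from(">I", rvk_shared, LEN_OFFSET)[0]
    n = min(n, len(ls))
    ls[0:n] = rvk_shared[:n]
    return ls


def checked_copy(ls, rvk_shared):
    """Same copy, with the length validated against source and destination first."""
    if len(rvk_shared) < LEN_OFFSET + 4:
        raise ValueError("revocation list too short to carry a length word")
    n = struct.unpack_from(">I", rvk_shared, LEN_OFFSET)[0]
    if n < LEN_OFFSET + 4:
        raise ValueError("length word %#x does not even cover the header" % n)
    if n > len(rvk_shared):
        raise ValueError("length word %#x exceeds the %#x bytes supplied" % (n, len(rvk_shared)))
    if n > RVK_CAPACITY:
        raise ValueError("length word %#x exceeds rvk_isolated capacity %#x" % (n, RVK_CAPACITY))
    ls[0:n] = rvk_shared[:n]
    return ls


def code_intact(ls):
    """True if the code region still holds its marker bytes."""
    return all(b == CODE_FILL for b in ls[RVK_CAPACITY:RVK_CAPACITY + CODE_SIZE])


# Constructed inputs: a benign list (4 entries, 48 bytes) and one whose length word
# claims 72 bytes, 8 more than the destination can hold.
BENIGN_LIST = make_revocation_list([1, 2, 3, 4])
OVERLONG_LIST = make_revocation_list([1, 2, 3, 4], claimed_len=RVK_CAPACITY + 8)


def demo():
    results = {}
    results["unchecked_benign"] = code_intact(unchecked_copy(fresh_local_store(), BENIGN_LIST))
    results["unchecked_overlong"] = code_intact(unchecked_copy(fresh_local_store(), OVERLONG_LIST))
    results["checked_benign"] = code_intact(checked_copy(fresh_local_store(), BENIGN_LIST))
    try:
        checked_copy(fresh_local_store(), OVERLONG_LIST)
        results["checked_overlong"] = "copied"
    except ValueError as exc:
        results["checked_overlong"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check that matters is the one against the destination's capacity: the source length and the header bound only guard the read side, and a loader whose code sits right after the buffer needs the write side bounded too.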

Security features by console (Xbox, Wii, 360, PS3), recap: the stamps on the table now read BYPASSED, USELESS, INEFFECTIVE, POINTLESS and BROKEN (the chain of trust).

SELFs (the same layout as before: SCE header, ehdr + phdr, encrypted metadata key, metadata, ECDSA signature, ehdr + phdr (again...), phdr/data sections; loader key with AES, SELF key with AES + SHA-1)

How does this work?

ECDSA

These are public:
  p, a, b, G, N (elliptic curve parameters)
  Q = public key
  e = hash of data
  R, S = signature
and these are private:
  m = random
  k = private key.

A signature is a pair of numbers R, S computed by the signer as (all arithmetic modulo N)

  $R = (mG)_x$
  $S = \frac{e + kR}{m}$

It is imperative to have a random m for every signature: from a pair of signatures that use the same m, we can compute m and k.

  $R = (mG)_x$                      $R = (mG)_x$
  $S_1 = \frac{e_1 + kR}{m}$        $S_2 = \frac{e_2 + kR}{m}$

When m is identical for two signatures, so is R, and

  $S_1 - S_2 = \frac{e_1 - e_2}{m}$
  $m = \frac{e_1 - e_2}{S_1 - S_2}$
  $k = \frac{m S_i - e_i}{R} = \frac{e_1 S_2 - e_2 S_1}{R (S_1 - S_2)}$.

Our ECDSA code

Used for HBC's network update function

    # bytes_to_long / long_to_bytes, ec_G, ec_N and bn_inv are helpers from the same code base
    def generate_ecdsa(k, sha):
        k = bytes_to_long(k)          # private key
        e = bytes_to_long(sha)        # hash of the data being signed
        # a fresh random m for every signature
        m = open('/dev/random', 'rb').read(30)
        if len(m) != 30:
            raise Exception('Failed to get m')
        m = bytes_to_long(m) % ec_N
        r = (m * ec_G).x.tobignum() % ec_N     # R = (mG)_x
        kk = ((r * k) + e) % ec_N              # e + kR
        s = (bn_inv(m, ec_N) * kk) % ec_N      # S = (e + kR) / m
        r = long_to_bytes(r, 30)
        s = long_to_bytes(s, 30)
        return r, s
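The derivation on the ECDSA slides can be checked end to end on a toy curve. Added example, not code from the talk, from HBC or from any Sony component: ECDSA over the textbook curve y^2 = x^3 + 2x + 2 mod 17 with generator G = (5, 1) of prime order N = 19, written with the slide's names (k private key, m nonce, e hash, R and S signature). It signs two different hashes with the same m, recovers m and then k exactly as derived, and shows the audit check a verifier can run over a batch of signatures: two signatures sharing an R value are the tell. The signer at the end draws m from `secrets`, which is what the HBC code above does with /dev/random. The curve, the key 7, the nonce 3 and the hashes 5 and 11 are constructed values for the example.

```python
import secrets

# Toy curve y^2 = x^3 + a x + b over F_p with a generator of prime order N.
# Far too small for real use; it exists only so the arithmetic can be followed.
p, a, b = 17, 2, 2
G = (5, 1)
N = 19  # order of G


def inv(x, mod):
    return pow(x % mod, -1, mod)


def point_add(P, Q):
    """Affine addition on the curve; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        s = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        s = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)


def scalar_mult(n, P):
    R = None
    while n:
        if n & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        n >>= 1
    return R


def sign(e, k, m):
    """R = (mG)_x, S = (e + kR) / m, all mod N. m is the per-signature nonce."""
    R = scalar_mult(m, G)[0] % N
    S = (e + k * R) * inv(m, N) % N
    return (R, S)


def verify(e, sig, Q):
    R, S = sig
    w = inv(S, N)
    X = point_add(scalar_mult(e * w % N, G), scalar_mult(R * w % N, Q))
    return X is not None and X[0] % N == R


def recover_from_shared_nonce(sig1, e1, sig2, e2):
    """The slide's derivation: with equal m (hence equal R),
    m = (e1 - e2) / (S1 - S2) and k = (e1 S2 - e2 S1) / (R (S1 - S2))."""
    (R, S1), (R2, S2) = sig1, sig2
    if R != R2:
        raise ValueError("signatures do not share R, so m was not reused")
    m = (e1 - e2) * inv(S1 - S2, N) % N
    k = (e1 * S2 - e2 * S1) * inv(R * (S1 - S2), N) % N
    return m, k


def repeated_r_values(signatures):
    """Audit check over a batch of (R, S) pairs: any R seen twice means a reused m."""
    seen, repeated = set(), set()
    for R, _ in signatures:
        (repeated if R in seen else seen).add(R)
    return repeated


def sign_fresh(e, k):
    """What a signer must do: a new random m for every signature."""
    while True:
        sig = sign(e, k, 1 + secrets.randbelow(N - 1))
        if 0 not in sig:
            return sig


def demo():
    k = 7                       # private key
    Q = scalar_mult(k, G)       # public key
    e1, e2 = 5, 11              # two hashes, already reduced mod N
    sig1, sig2 = sign(e1, k, 3), sign(e2, k, 3)   # the same m = 3 used twice
    m_rec, k_rec = recover_from_shared_nonce(sig1, e1, sig2, e2)
    return {"Q": Q, "sig1": sig1, "sig2": sig2,
            "both_verify": verify(e1, sig1, Q) and verify(e2, sig2, Q),
            "recovered": (m_rec, k_rec),
            "flagged_R": repeated_r_values([sig1, sig2]),
            "fresh_verifies": verify(e1, sign_fresh(e1, k), Q)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both signatures verify, which is the point: a verifier cannot tell a reused nonce from a fresh one by checking a single signature. Only the batch view (`repeated_r_values`) or the signer's own discipline (`sign_fresh`) catches it, and the recovery runs in a handful of modular operations once two such signatures are side by side.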

Sony's ECDSA code

With private keys you can SIGN THINGS

You have earned a trophy: Public Private Keys

Security features by console (Xbox, Wii, 360, PS3), final recap: the stamps on the table now read BYPASSED, USELESS, INEFFECTIVE, POINTLESS, BROKEN and EPIC FAIL.

You have earned a trophy: fail0verflow

Thanks, Sony! http://fail0verflow.com