1. Forums /
  2. Gaming Lounge /
  3. PS3 /
  4. how fail0verflow cracked the ps3 system (picture tutorial)
Post: how fail0verflow cracked the ps3 system (picture tutorial)
03-15-2011, 11:21 PM #1
kyskidz's Avatar
kyskidz
Big Sister
(adsbygoogle = window.adsbygoogle || []).push({}); hello ngu, this thread is based on how 0verflow crack the ps3 system, dont flame as it has taken me a few hours to do, if u spot a mistake message me, let me no, if its in the wrong section it will get moved so no need to write "cool story, cool hack bro and all that bs"
Goto page 13 for the actual 0verflow confrence in berling
You must login or register to view this content.
You must login or register to view this content.
[multipage=who are fail0verflow]
Who are fail0verflow

• In 2008 at 25c3 these teams worked together as
'WiiPhonies'
• They won the 25c3 CTF
• They changed our name to 'Fail 0verflow'
• Not trademark infringing
• The domain was available
• The ratio of fail to win is high.

They have been collaborating on various embedded and thought expansive projects, the most famous of which that
hit the press last year was the full reconstruction of the $REDACTED allowing $REDACTED to be
completely broken, that was a fun couple of weeks.

You must login or register to view this content.

[multipage=PS3 Architecture]
this page explains the Architecture of the ps3

The Cell Broadband Engine
You must login or register to view this content.

SPU Isolation
You must login or register to view this content.

You must login or register to view this content.

You must login or register to view this content.

You must login or register to view this content.

[multipage=OtherOS (drawn attention)]

You must login or register to view this content.

Geohot Exploit:
XDR RAM Glitching Attack (hyper visor exposed)
You must login or register to view this content.
You must login or register to view this content.

[multipage=PSJailbreak Exploit]

jailbreak dongle
|
hub
/ / / \ \ \
PWN1 PWN2 PWN3 PWN4 JIG FINAL

You must login or register to view this content.
device 1
You must login or register to view this content.
Device 4
You must login or register to view this content.
Device 2
You must login or register to view this content.
You must login or register to view this content.
You must login or register to view this content.
C++ Objects
You must login or register to view this content.
Device 3
You must login or register to view this content.
You must login or register to view this content.

NO W^X in LV2
Any old exploit == code execution

Hypervisor allows unsigned code
It happily marks pages as executable and plays no role
in enforcing that only trusted code runs

Results
• LV2 “GameOS” compromised
• LV1 Hypervisor NOT compromised
• Secure SPE NOT compromised
• Piracy
You must login or register to view this content.

[multipage=Fail Security Model]
Fail Security Model
• The hypervisor does not enforce LV2 and
game integrity
• You can just patch LV2 to run games from
HDD
You must login or register to view this content.

[multipage= Downgrades]
Downgrades
• Sony fixed the exploit
• Service mode triggered by USB “JIG”
• HMAC authenticated, keys dumped
• Leaked service app used to enable
downgrades
You must login or register to view this content.
[multipage=AsbestOS]
AsbestOS
• Replace LV2/GameOS in memory
• OtherOS mode and GameOS mode are
virtually identical
• Except GameOS can do more stuff, e.g. 3D
• Run Linux again (even on the Slim!)
• Use NetRPC to remote-control the PS3 and
experiment...
[multipage=SELFs]
SELFs
You must login or register to view this content.
[multipage=The Oracle]
The Oracle
• Sony‘s idea: “No one can see our code!”
• ... unless the PPE is compromised
• Decrypting all code possible from GameOS
• security coprocessor pointless!
• But we want keys!
You must login or register to view this content.
You must login or register to view this content.
[multipage=Chain of Trust]
Chain of Trust
You must login or register to view this content.
Breaking loaders
You must login or register to view this content.
You must login or register to view this content.
• „Only“ a bug in isolated loaders
• Chain of Trust already broken for all sold
consoles now.
• This is Fail™. But it‘s not Epic™ yet...
You must login or register to view this content.
You must login or register to view this content.
[multipage=ECDSA]
ECDSA
You must login or register to view this content.
    These are public:

p, a, b, G,N (elliptic curve params)

Q = public key

e = hash of data

R, S = signature,

and these are private:

m = random

k = private key.



    A signature is a pair of numbers R, S computed

by the signer as

R = (mG)x

S = e + kR

m

.

It is imperative to have a random m for every

signature: from a pair of signatures that use the

same m, we can compute m and k.

You must login or register to view this content.
there ECDSA code
Used for HBC’s network update function

def generate_ecdsa(k, sha):
k = bytes_to_long(k)
e = bytes_to_long(sha)

m = open(“/dev/random”,”rb”).read(30)

if len(m) != 30:
raise Exception(“Failed to get m”)
m = bytes_to_long(m) % ec_N

r = (m * ec_G).x.tobignum() % ec_N
kk = ((r * k) + e) % ec_N
s = (bn_inv(m, ec_N) * kk) % ec_N
r = long_to_bytes(r, 30)
s = long_to_bytes(s, 30)
return r,s

    m = open(“/dev/random”,”rb”).read(30)


Sony’s ECDSA code

int GetRandomNumber()
{
return 4; //chosen by fair dice roll.
// guaranteed to be random
}

With private keys you can
SIGN THINGS
You must login or register to view this content.
You must login or register to view this content.
You must login or register to view this content.
You must login or register to view this content.
[multipage=chaos confrence"console hacking": 0overflow prensentation (youtube video)]

part 1
[ame]https://www.youtube.com/watch?v=HEFMAP0mTvY[/ame]
part 2
[ame]https://www.youtube.com/watch?v=X8ohOy8_XO4&feature=related[/ame]
part 3
[ame]https://www.youtube.com/watch?v=84WI-jSgNMQ&feature=related[/ame]
(adsbygoogle = window.adsbygoogle || []).push({});

The following 42 users say thank you to kyskidz for this useful post:

1337UNO, acklamjoshua, Agentcell, albania123, anddrew, Asmel, Beta-, cbenj25, cdkane, Curt, Dardy_one, DaveedDB, deroad, djblade17, dreamkid58, Goldberg, GUESS_HU, ILovePie24!!, Infernape263, IRiSe_GodFather, ishauny, izyehboy, jkry_2_1_, Josh1210, jsrgaj, khalids19, killa skillz, oI xPozeD Io, Pablo2010, Press ►, s0ph0r, Solid Snake, Swade, thee3nd, theycallmeryan, ThwiX, VHS, vipervimal, weebobe, xCristian, xRafiq-, zxz0O0
03-15-2011, 11:22 PM #2
superhighme's Avatar
superhighme
dude, wheres my car
NIce post manHappy
great tutorials
i really like how in depth it is
03-15-2011, 11:23 PM #3
wowaka's Avatar
wowaka
Former Staff
Nice in depth 'how-to', I like the added trophies Happy
03-15-2011, 11:23 PM #4
The Rangers's Avatar
The Rangers
At least I can fight
Originally posted by D View Post
NIce post manHappy


nice sig lmao

The following 2 users say thank you to The Rangers for this useful post:

acklamjoshua, matticolada
03-15-2011, 11:24 PM #5
MCPADDINGTON's Avatar
MCPADDINGTON
Banned
Even though this is month's old your the first person to properly organize all the pics. I fear this may be closed homever :(. Nice post Smile
03-15-2011, 11:24 PM #6
EnVy_AsTrO's Avatar
EnVy_AsTrO
Hurah!
Cool story bro.

Lol, why would we need to know this? It's useless now, and it's simple as a algebraic equation.
03-15-2011, 11:25 PM #7
djblade17's Avatar
djblade17
I am error
can you make it a pdf Smile
03-15-2011, 11:26 PM #8
hows_my_SCOPE's Avatar
hows_my_SCOPE
Grunt
lol nice post man looks nice and it took u a while

The following 2 users say thank you to hows_my_SCOPE for this useful post:

Mr.Houston, xDeluxe
03-15-2011, 11:26 PM #9
whty's Avatar
whty
Little One
i watched the video on this, great post
03-15-2011, 11:26 PM #10
kyskidz's Avatar
kyskidz
Big Sister
Originally posted by djblade17 View Post
can you make it a pdf Smile


i will soon enough if you want, its taken me long enough to do all that tho lol

Copyright © 2026, NextGenUpdate.
All Rights Reserved.

Gray NextGenUpdate Logo