Post: fail0verflow! - Sony's ECDSA code
12-29-2010, 04:08 PM #1
manster
League Champion
Hi!
JAILBREAK -> DOWNGRADE -> fail0verflow



Well, the big PS3 exploit talk is now officially over at the annual 27C3 conference. All the big names in the developer scene were there, giving a one-hour talk regarding Sony's EPIC FAIL.



But basically they talked about how the PS3 totally failed in security: by botching the PKI implementation it became possible to calculate the keys needed to sign everything (PUBLIC/PRIVATE KEYS), and by replacing the "revoke-list" with a super-large one (overflow) in the NOR flash read at bootup, giving them full control of the PS3 system.


The 360 console is now a more secure system than the PS3, after all these years!




This site was announced at the conference

Originally posted by another user

"The recent advent of these new exploits means current firmware is vulnerable, v3.55 and possibly beyond. It will be very difficult for Sony to fix the described exploits."

"we can now run unsigned code on a non-exploited PS3."

@KushanTheCat our goal is to have linux running on all existing PS3 consoles, whatever their firmware versions.

Our current PS3 goal: AsbestOS.pup

Myth #1: It took us 3-4 years to do this. Negative, this exploit only took a few months after we started working. We weren't trying before.

Myth #2: Sony can change keys. No, they can't. These aren't encryption keys, they're signing keys. If they change them GAMES STOP WORKING.

Clarification #3: The private keys refer to keys that Sony HQ uses. PS3s don't have these keys (but we calculated them due to the fail).

Clarification #4: the random number isn't 4, it's more like 007eabbb79360e14df1457a4194b82f71a0dc39280 (example). But it's still constant.

Note: we won't be working long-term on CFW or similar. We'll release tools and a PoC; someone else can take over. The fun part is done.

Myth: Geohot -> Sony pulls OtherOS -> JB -> Fail. Fact: Slim had no OtherOS -> Geohot -> ... . Geohot started his work due to the Slim.

Yes, we'll release all our tools as soon as we've cleaned them up, in January or so.
Great news for all PS3 users!




Console Hacking 2010 - Chaos Communication Congress

short videos from the conference:

https://www.youtube.com/watch?v=YbUVgxw1yWc&feature=player_embedded
https://www.youtube.com/watch?v=GPjd6gHY6A4
https://www.youtube.com/watch?v=ClnvJe4_u0Q&feature=player_embedded

Full video:
https://www.youtube.com/watch?v=hcbaeKA2moE
Split into 3 parts:

https://www.youtube.com/watch?v=X6CA4fqAdsc&feature=player_embedded
https://www.youtube.com/watch?v=X8ohOy8_XO4&feature=player_embedded
https://www.youtube.com/watch?v=Eag0VyRTld8&feature=player_embedded


Marcan @ 27C3 Lightning Talk
https://www.youtube.com/watch?v=lGI0EnNQ5GE&feature=player_embedded


Have fun watching


Last edited by manster ; 12-31-2010 at 11:43 PM.
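Worked example of the failure described in Clarification #4 and Myth #2 above. This is an added illustration, not code from the original post or from fail0verflow: a from-scratch textbook ECDSA signer over secp256k1 (the curve is an assumption chosen for illustration; the curve parameters the PS3 actually uses are not given on this page) that reuses one constant nonce k, plus a recovery routine that takes two signatures sharing that nonce and solves for the private signing key d. The recovered d then signs an arbitrary new blob that verifies under the original public key. The nonce value is the example constant quoted in the post; the "firmware" messages and the signing key are constructed inline.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve for this illustration; the
# curve Sony actually used is not stated on this page).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# The example constant nonce quoted in the post, used here as the "random" k.
K_CONST = 0x007eabbb79360e14df1457a4194b82f71a0dc39280


def inv(x, m):
    """Modular inverse of x mod m (x may be negative)."""
    return pow(x % m, -1, m)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P); None is infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 (e + r*d) mod n."""
    r = ec_mul(k, G)[0] % N
    s = inv(k, N) * (hash_to_int(msg) + r * d) % N
    return (r, s)


def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    u1, u2 = hash_to_int(msg) * w % N, r * w % N
    pt = ec_add(ec_mul(u1, G), ec_mul(u2, Q))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures made with the same k share r. Then
       s1 - s2 = k^-1 (e1 - e2)      =>  k = (e1 - e2) / (s1 - s2)
       s1 = k^-1 (e1 + r*d)          =>  d = (s1*k - e1) / r       (all mod n)"""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs: the nonce was not reused")
    e1, e2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (e1 - e2) * inv(s1 - s2, N) % N
    d = (s1 * k - e1) * inv(r1, N) % N
    return d


def demo(d=None):
    """Sign two constructed 'firmware' blobs with the constant nonce, recover d,
    then sign a third blob with the recovered key and check it verifies."""
    if d is None:
        d = secrets.randbelow(N - 1) + 1           # the signer's secret key
    Q = ec_mul(d, G)                               # public key shipped in consoles
    m1, m2 = b"constructed firmware blob 1", b"constructed firmware blob 2"
    sig1, sig2 = sign(d, m1, K_CONST), sign(d, m2, K_CONST)
    d_recovered = recover_private_key(m1, sig1, m2, sig2)
    forged = sign(d_recovered, b"unsigned homebrew", 0x1337)
    return d_recovered == d and verify(Q, b"unsigned homebrew", forged)


if __name__ == "__main__":
    print("private key recovered and forgery verifies:", demo())
```

The algebra is the whole story: with k fixed, r is identical in every signature and s1 - s2 = k^-1 (e1 - e2) mod n, so k falls out of any two signed blobs and d follows from either one. It also explains Myth #2: once d is known, anything the old public key accepts can be signed, and the only way to stop that is to stop trusting the public key, which also rejects everything legitimately signed with it.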

12-30-2010, 11:59 AM #38
Originally posted by BNPunish
1 day after = new FW => patched from day1


Can't be patched, my friend.
12-30-2010, 02:11 PM #39
Cyborg Ninja
PS3 Security FtW !
Originally posted by BNPunish
1 day after = new FW => patched from day1


Are you stupid? How are they going to patch this with a new firmware? They can't block signed code, can they?

If they block signed code, previous games and maybe even stuff like controllers would not work.

The only possible way to patch it is if they implement a new signature, which I don't even think is possible, as the system would have to be modified.
12-30-2010, 02:18 PM #40
manster
League Champion
Originally posted by packarda12
Are you stupid? How are they going to patch this with a new firmware? They can't block signed code, can they?

If they block signed code, previous games and maybe even stuff like controllers would not work.

The only possible way to patch it is if they implement a new signature, which I don't even think is possible, as the system would have to be modified.

Originally posted by defxor
new work package
This is how Sony will likely respond, if they feel the effort is worth the result. It's quite an effort, and the result... well.

1) Respin the hardware. There's an incredible exploit in that the bootloaders loaded off the NAND/NOR are verified after they've been loaded, and then allowed to continue executing. This is why ALL EXISTING PS3s on the market are from now on hackable. Really. There's nothing that can be done to stop this.

2) Design new firmware(s) that contains the infamous "whitelist" of all previously (and erroneously) signed software, but with new keys and new signature verification algorithms. Deploy these firmwares/loaders ONLY on the respinned hardware (see above).

3) For older hardware (that is, everything already produced from the factory and on the market) release new firmware that contains the new signature verification algorithms, but NOT any of the new keys. Remember, what you deploy on the old hardware is fully transparent. Update the loaders as well, as talked about in the presentation, since that will force everyone who wants to have a still jailbroken console to install a modchip (see #1).

4) Dual-sign all new stuff. Old broken consoles will be able to run it, and the new secure model will verify with new keys. Previously signed software will only execute on the new systems if they pass the whitelist-test.


... so, this would be quite an effort, and quite expensive. It should restore chain of trust on the new systems, and the new signing key shouldn't be leaked. I _think_ the whitelisting should succeed then as well.

Success? Well, that still leaves all produced PS3s to date completely broken, and also able to run all new software. Only the new systems will be "homebrew-free". Modchip-installers will be happy though, NOR/NAND replacements aren't for the faint hearted to install. And, all this with the assumption that Sony will find and close ALL existing holes in one try. Not likely.

(Comments on my logic from those who understood the presentation welcome)

As far as I understand, the earliest patch is in lv2ldr (no access to lv1ldr plaintext = no key = no lv1 access yet). However, what they state is that IF Sony manages to update the loaders to remove the lv2ldr exploit (which is a proper buffer overflow), they can just use a modchip to run the old version of it and gain access right back (and that will always work, since metldr, which verifies and loads lv2ldr, is not updateable).

That is, whatever you happen to do with your broken PS3, the chain of trust is gone and you can always root the current hardware. It will require a modchip in the worst-case scenario, though, and if you're careful and don't allow, by choice or by mistake, the loaders to get updated, you're fine with a software/firmware hack only.



Found this on psxscene.

12-30-2010, 03:18 PM #41
ImTrippinHoes
Vault dweller
Originally posted by FourzerotwoFAILS
That's just what I've heard from a few people.


Yeah, elitemossy posted in another thread saying that he could jailbreak or do something like that to firmware 3.55, but he wouldn't release it due to Sony patching it.
12-30-2010, 04:45 PM #42
Originally posted by FourzerotwoFAILS
Maybe this is how TheUnkown and hunter did it.


You noob, trust me: if they are on NGU, it's because they don't know all of what these guys know.
12-30-2010, 04:53 PM #43
darkesthour
Little One
Originally posted by Dutch
I know i forgot the exact quote of it but it was hilarious.


There you go. I must have lol'd for about 5 minutes.
12-30-2010, 05:00 PM #44
Castiel
Guest
In case this really succeeds, here is my point of view.

Disadvantages for me:

- We will have a non-competitive and destroyed online game community; imagine a COD match with lots of people using an aimbot, that really isn't fun at all. In general I'm talking about using hacks online.

- PSN will turn into a paid service, since almost everyone will stop buying original discs; how will they keep the service going?


Advantages for me:

- A possible price drop for original discs.
- Being able to play every game without paying.


Giving full control of the PS3 will be a terrible error. What will this really end in? I don't think this will be a pure victory for the PS3 users.

Does someone else want to make another advantage and disadvantage list, or will everything just be perfect?
12-30-2010, 05:46 PM #45
Goone
Looking for Suzzy
In case some people don't know, we can sign a modded savegame or patch with the private key so it's "signed by Sony". Therefore the game can't be like, "no, erase data!". It will just let it work through as if it actually WAS signed by Sony.

This means we can literally change the values in the save data on a USB flash drive, put it into the PS3 after it's been signed, and the game will just read it as if it was an official patch by Sony.

In other words, the USB hacks that every CoD4 patch destroyed are now back.
12-30-2010, 08:07 PM #46
Actually no, bro, the CoD4 save isn't signed by Sony. It's patched because, I'm pretty sure, it has something to do with how the playlists check the save. Or maybe it's something to do with how the executable checks the save. I'm pretty sure it's the latter.

But WaW and BO savegame hacking, anyone?

Maybe, amazingly, no savegame mods for either game are patched on PS3. I highly doubt it for both of them, though.

Copyright © 2024, NextGenUpdate.
All Rights Reserved.
