Dismissing PS3 Fiction
by Wyatt Epp on 01/18/11 01:52:00 pm   Featured Blogs

The following blog post, unless otherwise noted, was written by a member of Gamasutra’s community.
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.

 

There is a lot of smoke being blown about regarding what has and has not happened with the systematic circumvention of almost every part of the PlayStation 3 security subsystem, with most journalistic outlets lacking both the expertise required to understand the issues and the time to do effective research.

This has led to some fairly sickening press that does not adequately reflect the situation.  For those wanting to know roughly what has actually happened and what it all means, I have written this.

This document should hopefully be accessible enough that people unfamiliar with the vagaries of specialist disciplines can follow along without too much difficulty.  Please inform me of errors or omissions in the comments or via email.

  • Multiple individuals working in concert discovered a method to access some functions of the RSX GPU directly from Linux instead of through the soft framebuffer.  A driver, ps3.ko, was written to take advantage of this.  While limited, the driver improved performance of some demanding video decode tasks to within usable ranges.
    • What this means: Consumers were filling a software gap in their use case for their personal use on hardware they purchased.
    • Sony: Removed the ability to use this driver with the patches in firmware 2.10.
  • A full two years later, computer programmer George "GeoHot" Hotz began security analysis of the PS3 in response to the announcement that the PS3 Slim would lack OtherOS support.  With careful application of a pin-shorting attack and a lot of persistence and luck, he managed to map the hypervisor and run code at the hypervisor level.
    • What this means: Very little of any practical value.  It was an exploit, in the most academic sense of the word, but not a long-term solution to running unsigned code on the system.
      • In general, you find that homebrew developers much prefer software solutions; hardware disassembly and modification is a tall barrier for programmers.
    • Sony: Removed support for OtherOS for all PS3 systems with their next firmware update.
  • Less than a year later, the widely-maligned "PSJailbreak" was released by unknown parties.
    • For the unfamiliar, the PSJailbreak is a hideous kludge relying on peculiarities of USB driver initialisation (or software that emulates this behaviour).  The end result was Lv2 code execution.
    • What this means: Piracy.  Homebrew is vaguely possible at this point, but it relies on the easily-patched USB hack.
      • Strangely, this is only an exploit against a small part of the security system: it doesn't allow lower-level code execution and the integrity of the "secure" SPE is intact.
    • Sony: Injunction against the sale of the USB devices; patched firmware to defeat the exploit.
  • Using leaked service software, firmware downgrading was made possible.  To my recollection, this release is from the originators of the PSJailbreak.
    • What this means: Still, mostly just piracy.
    • Sony: A new battlefront in the war on modified firmware on Sony devices was predicted.  But the scope of the conflict changed in short order.
  • Just last month, a group collectively known as "fail0verflow" (several of whom are known members of Team Twiizers, and involved with the Wii Homebrew Channel), revealed security work they had accomplished as a result of the public release of the PSJailbreak.
    • Their findings, presented at 27C3, revealed a system riddled with flaws, including what seems to be an act of faith that the first line of defense would never be breached.
    • Critically, the ECDSA signing implementation was flawed to the point that the generated signatures look something like this (note that the first half of every signature is identical):
      • 806E078FA1529790CE1AAE02BADD6FAAA6AF 74178BAEB115B68AE33CCD812CE8E85170BDA4F95417
      • 806E078FA1529790CE1AAE02BADD6FAAA6AF 741771CD1F2DD1DB19252804DE93E50E71A69C9D1FFB
      • 806E078FA1529790CE1AAE02BADD6FAAA6AF 7417304D6DE39A90746F858A505F0871DFA96FE14D8D
      • 806E078FA1529790CE1AAE02BADD6FAAA6AF 7417A3B32962F39E6D08C4EFAB2EC3605C8257A070AA
    • Independently of this team, George Hotz came out of retirement and, as far as we're able to tell, replicated the work done by fail0verflow but also released the keys to the web.  There is some implication that he actually advanced the work of his predecessors by dumping the full metaloader key, but I believe this to be a misunderstanding.
      • Against all expectations, this key works to sign PSP executables as well.
    • What this means: Any person with sufficient knowledge can write code for the PS3/PSP and run it on any PS3/PSP without modification.
      • To some degree, this does also enable piracy, but not to a greater extent than was already possible with the PSJailbreak and the firmware downgrade hack that came with it.
    • Sony: Currently pursuing legal action against George Hotz, fail0verflow, and one hundred other unnamed people.
      • Likely also sacking numerous people for incompetence above and beyond the call of duty.
  • In the past day, an article has been circulated publicising the compromised security of Infinity Ward's Modern Warfare 2 servers.  Infinity Ward has blamed the PS3 security breach for allowing this to happen.
    • Infinity Ward states that they were reliant on the system's integrity to preserve the integrity of their own game.
      • It seems likely that a modified game image was signed that allowed server vulnerabilities to be exploited.
    • Infinity Ward further claims that this may not be recovered from.
    • What this means: There is likely to be a short-term uptick in online game exploiting as users discover new vulnerabilities in online services and developers scramble to issue patches as they see fit.  Eventually this may force a rethink of networked game security, as the assumption of a secure platform no longer holds.
    • Sony: No response on record.
    • This situation is ongoing.
  • UPDATE: After Hotz made statements in public and on his personal weblog about his interest in Windows Phone 7, Microsoft contacted him with an offer of a free Windows Phone 7 device.
    • What this means: Many things.
      • The open dialogue indicates George isn't "damaged goods" as a researcher.
      • The positive stance by Microsoft may indicate better relations with security researchers in the future.
  • UPDATE 2: Much has happened in the past month, but most notably, firmware 3.60 basically rolls the low-level loaders into a single encrypted blob.  Cryptanalysis is ongoing, but this may be the "Epic Win" to go with the "Epic Fail".  From what I've been able to ascertain, this is a very clever hack Sony whipped up.  I am impressed.  Meanwhile, they have started banning modified consoles that access PSN (not so impressed by this).
    • What this means: Well, it means that, for the time being, the PS3 is secure once again.  Many homebrewers are satisfied with the 3.55 firmware to the point that they're not interested in updating, so the flow of exploits is likely to slow considerably.

While this is doubtlessly a loaded topic, if you must comment, please do so with a modicum of courtesy.  Unprovoked attacks on the character of the individuals or groups represented here are not acceptable.  If you have an update or correction, as mentioned, please inform me however you are able.

As a further note, I don't intend to document the results of every bit of legal wrangling.  On that, I am unqualified to offer more than my non-professional opinion.  My primary interest lies in establishing what is and is not true about the state of PS3 security.  I have attempted to avoid unproven extrapolation excepting cases where I feel it helpful to the developing discourse.

Links:

27C3 - Console Hacking 2010 (45 minutes)


Comments


Marc-Olivier Beaupre
Like I said before, I don't know why IW came out speaking about that; the 360 and PS3 versions were pirated way before the PS3 piracy problem. In fact, it was the same month as the launch.

Glenn Sturgeon
Interesting.

Thanks for your insight.

Jamie Mann
That was well written.

Out of interest: prior to the PSJailbreak, was there any mechanism for enabling piracy on the PS3? I'm not aware of any. Also, how does the "time to piracy-enabled" compare against other consoles such as the PS2, Xbox, Xbox 360 and Wii?

(it's also worth noting that AFAIK, there's been minimal progress in soft-hacking the Xbox 360; could this be partly due to the fact that the XNA development environment allows people to write games and applications for the Xbox 360 for free (plus a $99 subscription fee if they want to sell/distribute them)?)

Personally, I think the PS3 proved that if an outlet for hackers (in the "experimenting and exploring boundaries" sense) is provided, it can significantly delay the appearance of "soft" piracy[*], simply because a lot of piracy tools are based on the work of said hackers. HDAdvance on the PS2 is a prime example, as is the Homebrew channel on the Wii and the Utopia hack on the Dreamcast, which was allegedly produced to allow people to play imported games. Even the flash carts for the GBA and DS tend to use homebrew software, such as Moonshell. At the risk of making a sweeping generalisation, commercial pirates simply don't have the resources or mindset to explore or innovate: they take what other people have produced and repurpose it.

Note that this doesn't mean hackers are doing a bad thing, but as with things like barbed wire (originally intended to keep cows from straying, then reinvented in WW1 to horrific effect), once the genie is out of the bottle, there's no way to control it. By providing hackers with a sandboxed environment, you give them a way to experiment and also reduce the socio-political motivations for hacking (e.g. "I haXXored teh PS3!" or "Down with DRM! Stick it to the Man!") - there's little kudos to be gained from hacking an "open" system you're freely allowed to tinker with.

However, if you don't provide this outlet, then you will attract attention from hackers.

[*] I.e. hacks easily reproduced without making physical changes to the hardware; modchips have been around since the days of the Saturn/PSX but availability is generally limited due to the higher cost, the fact that you need to be skilled with a soldering iron and the risk that you'll brick an expensive piece of electronics...

Joe Wreschnig
The video of fail0verflow's presentation (starting at http://www.youtube.com/watch?v=LuIlbmn-4A4) had several charts comparing console security features and time-to-hack. It tends to support your (and their) argument that OtherOS kept homebrew hackers away from anything piracy-enabling.

However, as you say, as soon as GeoHotz did something not supported by OtherOS (but still not piracy-enabling, and not accessible to a wide enough audience even if it was), Sony simply stripped out all possibility of homebrew, leading to widespread hacker interest in re-enabling it.

Then PSJailbreak came along, only allowed piracy, and was basically unrelated to anything Geohotz did.

So, good job Sony. By removing OtherOS you a) did nothing to stop piracy, b) kicked off a chain of events that cracked your platform open wider than anyone expected.

Wyatt Epp
I think that is a fair assessment given what we've observed, the time-scale, and the individuals involved. As proposed by Michael Steil, the PS3 only remained secure _from piracy_ for roughly twelve months once closed, putting it at parity with the Xbox 360. As I've observed in the past, people pursuing legitimate homebrew will go to absurd lengths to make incremental progress while often still devoting some time to denounce or even curtail piracy (Bushing's attempt at dialogue with Nintendo over piracy-enabling exploits in the Wii, for example).

Though I say "at parity", you are also correct that there is no known method of software circumvention of the Xbox 360. Given the greater sophistication of that model, excepting a mistake of similar magnitude to Sony's ECDSA, it will be very difficult to make even small amounts of progress without specialised hardware. I'm not sure of the specifics, but it would probably involve some method of injection very early in the boot process and a substantial number of bricked 360s. As the encryption keys are stored on-die in the 360, this may not even be a possible avenue. In the end, I would say the _most_ likely route for system-level access to the 360 will come in the form of a human leak of some sort.

Given what we've observed with the Kinect and Windows Phone 7, Microsoft has had a markedly different tone with regard to circumvention of late. In light of this, a far-future possibility that comes to mind is eventual release of the console as an open platform. There is some small amount of precedent for such things, as with Hasbro's release of publishing rights for the Jaguar hardware after the Atari acquisition. But don't hold your breath; 2020 is still a ways off.

The observation that pirates ride the coattails of people with real skill and dedication is unfortunately true, and I'm not sure how that could be prevented without an honest mutually beneficial rapport between researchers and the company making the device. The Wii and PSP are good representative examples of areas where piracy has continued while homebrew developers struggle to retain access.

The Wii Homebrew Downloader is a possible prototype of how homebrew could be done legitimately. It provides a digital repository, and is largely unmoderated, aside from disallowing the class of software that enables Wii piracy or has the potential of bricking systems; it's a brilliant piece of work. Sure, it doesn't disallow the installation of disk dumpers and WAD loaders, but it makes people do extra legwork to get them. It's a simple mental hack that helps reduce "Casual Piracy" (it's not foolish to acknowledge that piracy can never be completely eliminated).

I'll be adding a link to the 27c3 video, and maybe others, if important information is unearthed. (Thanks for the reminder, Joe)

