fail0verflow Progress Update and Response to GeoHot's Recent Work

Published on 01-04-2011 08:22 AM

46 Comments

There's been a few updates, regarding the fail0verflow team, since we last reported on them. The team has updated their PS3 Tools with a few new ones recently, as well as updated a few of their existing ones. In addition to the tool updates, marcan, the principal member of fail0verflow, has taken a moment to clarify some of his team's work. He also issued a direct response to GeoHot's recent Metldr work, which relied heavily on his team's work.

Attachment 587

First, on to some of fail0verflow's new and recent tool updates. One such new tool, is the PS3 NOR flasher/sniffer. This is the tool that was used to flash AsbestOS, onto the demo PS3, at the recent Chaos Congress Lightening Talk. The app allows users to flash files directly to their PS3's flash. It also allows you to sniff the data going to and from the flash as well. Please note, this tool requires hardware wired directly to the PS3's NOR flash.

Attachment 589

Another addition, which was recently added to the team's github, was an SPU emulator. The tool makes reversing SPU code much easier. Which in turn, will aid in the further understanding of the PS3.

The team has updated a few of their existing tools as well. Some people, have been reporting issues with fail0verflow's makeself tool. Well, the pleas did not go unanswered, as the team has updated their SELF signing tool with several fixes. However, the tool is still not working 100% correctly yet, but progress is being made.

In addition to this, they also updated their sceverify app, giving it support for spp files.

Also as we mentioned, marcan, clarified his teams current progress and also, issued a response to GeoHot's Metldr work. The full statement can be read below.

Courtesy of Slashdot

marcansoft writes on Monday January 03, @07:00PM:

We (fail0verflow) discovered and released two things:

An exploit in the revocation list parsing, enabling us to dump a bunch of loaders, and thus their decryption keys
A humongous screwup by Sony, enabling us to calculate their private signing keys for all of those loaders, and thus sign anything to be loaded by those loaders

We used these techniques to obtain encryption, public, and private keys for lv2ldr, isoldr, the spp verifier, the pkg verifier, and the revocation lists themselves. We could've obtained appldr, (the loader used to load games and apps), but chose not to, since we are not interested in app-level stuff and that just helps piracy. We didn't have lv1ldr, but due to the way lv1 works, we could gain control of it early in the boot process through isoldr, so effectively we also had lv1 control.

With these keys we could decrypt firmware and sign our own firmware. And since the revocation is useless and the lame "anti-downgrade" protection is also easily bypassed, this already enables hardware-based hacks and downgrades forever. Basically, homebrew/Linux on every currently manufactured PS3, through software means now, and through hardware means (flasher/modchip) forever, regardless of what Sony tries to do with future firmwares.

The root of all of the aforementioned loaders is metldr, which remained elusive. Then Geohot announced that he had broken into metldr (with an exploit, analogous to the way we exploited lv2ldr to get its keys) and was thus able to apply our techniques one level higher in the loader chain. He has released the metldr keyset (with the private key calculated using our attack), but not the exploit method that he used.

The metldr key does break the console's security even more (especially with respect to newer, future firmwares - and thus also piracy of newer games), and also makes some things require less workarounds. Geohot clearly did a good job finding an exploit in it, but considering a) he used our key recovery attack verbatim, and b) he found his exploit right after our talk, so he was clearly inspired by something we said when we explained ours, I think we deserve a little more credit than we're getting for this latest bit of news.

There's still bootldr and lv0, which are used at the earliest point during the PS3 boot process. These remain secure, but likely mean little for the PS3 security at this stage

Weaselmancer writes on Monday January 03, @04:33PM:

From the geohot site:
props to fail0verflow for the asymmetric half
Geohot isn't taking credit for anyone's work here.

marcansoft writes on Monday January 03, @07:05PM:

For the record, that wasn't there initially. We had to complain to him to get him to add that.

Also marcan issued the following statement via his Twitter:

I mean, maybe it's just me, but I think the "calculating private keys" part deserves a bit more credit than a metldr exploit.

Share
- Share this post on
- Digg
- Del.icio.us
- Technorati
- Twitter

Categories:

PS3 Dev

46 Comments

nightrider9 - 01-04-2011, 09:40 AM
- Reply
why they making such a big deal. geohot released the files they didnt simple.if they already had the keys then good. but they didnt release it so shut up loool whats the point keeping all the stuff u find to ur self. thats not exactly helping the scene as theres always gona be someone better.

cawthorne - 01-04-2011, 09:54 AM
- Reply
Lol. Is someone bit jealous? Who really cares who did it, they both put some effort into it and at the end of the day it all goes to help the same cause. Instead of posting something that complained that Geohot cheated, like an infant, they should have done it in a more positive, mature way and made it sound as if they were best buds, and worked off each other; not only causing them to possibly work together in the future and get more work done, but also making them more likeable as a team. But Whatever, like i said before it's all progress at the end of the day.

hideki-PSG - 01-04-2011, 09:56 AM
- Reply
I think the point was more that the appropriate credit wasn't given for the tools he used, this is a problem generally tbh though, heh, in any case, let's just be happy with what we now have! it's certainly way more progress than I expected after only a few months...

mRcL0wN-PSG - 01-04-2011, 10:13 AM
- Reply
right on! keep up the great work fail0verflow!!! And I agree with them getting a bit upset, I would be too

PHPMyPS3 - 01-04-2011, 10:25 AM
- Reply
I like how marcansoft uses the word "lame" on every sentence. he seems to forget that the ps3 has remained many years unhacked. and if he's able to decrypt the keys it's thanks to the jailbreak exploit. otherwise he would never be able to do it.

what an ass

straith - 01-04-2011, 11:13 AM
- Reply
Originally Posted by mRcL0wN

right on! keep up the great work fail0verflow!!! And I agree with them getting a bit upset, I would be too

Whats the point about find something and do not share it?

They are just jealous.

CaptainCPS-X-PSG - 01-04-2011, 11:25 AM
- Reply
Not to make you feel pissed off but, Marcan, you should stop acting like a kid hehe, just imagine somebody saying all those things to you at some point, you will understand what I mean then, anyway good job everyone involved in the PS3 hacking scene keep up the excellent work.

Zero95 - 01-04-2011, 11:32 AM
- Reply
PHPMyPS3:

Oh no the PS3 was juts many years unhacked because OtherOS it only requires 4 month after OtherOS revoke to become hacked and that so much that Sony could not fix it with an Firmware Update.

marcan and all other Hackers don´t care about the PS3 before OtherOS was be revoked.

Geohot was the only one really Hacker that hacked the PS3 before OtherOS was revoked.

Aristoles - 01-04-2011, 11:35 AM
- Reply
I want the latest firmware with this key/hack to play downloaded ps3 games. Why don't they hurry a little?

hispasat-PSG - 01-04-2011, 11:42 AM
- Reply
who gives a f*ck for the conference and terms not familiar to 90% of PS3 users, did geohot go live ????????

instead of giving statements all over the net, help community for the complete hack

grandy - 01-04-2011, 11:49 AM
- Reply
Originally Posted by hispasat

who gives a f*ck for the conference and terms not familiar to 90% of PS3 users, did geohot go live ????????

instead of giving statements all over the net, help community for the complete hack

Devs also read this news site and do understand the terminology. Informing devs of new tool updates sooner, means faster developments for end users like yourself. If you don't understand the article, that's fine but there's no need to be rude about it.

Regarding geohot, he is currently ice skating XD

[11:02] <+geohot> and i'm going ice skating now

hispasat-PSG - 01-04-2011, 12:04 PM
- Reply
if u read carefully, i never said to misunderstand the terminology !

faillOverflow fellowship shows no respect to Geohot and his work

PS3 jailbreak existed way before we noticed their nicks

Tilton - 01-04-2011, 12:22 PM
- Reply
Just like in the Wii scene, Marcan is stomping his feet and throwing a sissy fit. Did he ever stop to think that maybe the reason Geohot is getting more press is because no one really gives a shit about running Linux and a bunch of lame demos? They want full access to the system and that includes the ability to pirate.

Geohot was the first to do any real hacking on the PS3 and, without his early work, Marcan and his team wouldn't have accomplished much. Their lack of respect for other hackers and developers is shameful. Again, they pulled this same crap in the Wii scene. Marcan cried about Waninkoko releasing his tools based on "their" work. Give us all a break and grow up, Marcan.

Kolawole Alaba - 01-04-2011, 01:19 PM
- Reply
Originally Posted by Tilton

Just like in the Wii scene, Marcan is stomping his feet and throwing a sissy fit. Did he ever stop to think that maybe the reason Geohot is getting more press is because no one really gives a shit about running Linux and a bunch of lame demos? They want full access to the system and that includes the ability to pirate.

Geohot was the first to do any real hacking on the PS3 and, without his early work, Marcan and his team wouldn't have accomplished much. Their lack of respect for other hackers and developers is shameful. Again, they pulled this same crap in the Wii scene. Marcan cried about Waninkoko releasing his tools based on "their" work. Give us all a break and grow up, Marcan.

HAHA omg you are soo true i was with the wii scene ages ago (til i got bored and realised the wii is complete shite and its still collecting dust on my shelf) and followed team twizzers stuff, then waninkoko brought some stuff out and marcan tried to discredit his work......now its geohot who basically said "well done fail0verflow but ppl dont really care about linux, lets get this root key out already and make examples of signed homebrew"

To be fair this is what a lot of people want really, lets be honest here more than half of the ppl in this ps3 scene want emulators and some new functions on the ps3 (new web browser, cross game chat and what not...plus unfortunately piracy)...rather than linux on their system. Im definately not hating on fail0verflow as what they have done is awesome, but people always one up each other (hence why companies always have trade secrets). Once you expose a secret and want to get recognition for it, dont expect every ps3 hacker to applaud and wait patiently for you to deliver tools and keys etc, some will but some will analyse what they discovered and play with it which is what geohot did and he found an exploit in metlr. Its life...move on already.

medi01-PSG - 01-04-2011, 03:19 PM
- Reply
Originally Posted by nightrider9

why they making such a big deal. geohot released the files they didnt simple.if they already had the keys then good. but they didnt release it so shut up loool whats the point keeping all the stuff u find to ur self. thats not exactly helping the scene as theres always gona be someone better.

It is indeed a big deal: you make a breakthrough and release your findings to everyone. Somebody else finds somthing USING YOUR WORK and NEITHER GIVES YOU CREDIT nor releases his findings back to you.

I completely agree with marcan on this one.

anomaly-PSG - 01-04-2011, 05:04 PM
- Reply
Geohot used fail0verflow's info and tools, who in return used Geohot's info, who in return...

Everyone feeds everyone's work here. Very little is actually done by individuals solely unaided. I think for the most part every dev actually knows this, it's just sometimes in haste to announce big things we forget to thank those who helped us get there. It happens. Most of the time it's accidental and easily remedied too.

Also if you watch the conference vids, fail0verflow give geohot a lot of credit for the early work and for kicking off the first return volley of the sony vs world game that lead to all this.

damanptyltd - 01-04-2011, 05:24 PM
- Reply
Originally Posted by medi01

It is indeed a big deal: you make a breakthrough and release your findings to everyone. Somebody else finds somthing USING YOUR WORK and NEITHER GIVES YOU CREDIT nor releases his findings back to you.

I completely agree with marcan on this one.

He released the key to public, how isn't that fair? Fair enough he should have given credit, but its not something worth getting worked up about if i were them. So they know that it was a result of their work at the congress or w/e, why need to make sure they boast about it to every user out there? I really just think its an ego thing. There work would have continued unchanged and appreciated just as much had Geohot got all the credit for all the keys.

But then on the other hand, i think its Geohot trying to get back in the scene since his fails after his initial hpervisor exploit way back. He really hasn't contributed much since then and i think he is just scrounging for anything he can get.

bigheads-PSG - 01-04-2011, 05:32 PM
- Reply
What do they even care that I (me, bigheads, the one and only, now you know my name, now you will remember me, now you can thank me) know the fail0verslow group? They act like kids when it's about getting fame.

Why don't they give credit to Sony. They have put a random in their private keys so some hacking group could deserve some fame. Argh, such people, we are absolutely grateful for their work but you just don't ask for fame. Seems like they don't understand the internet, it's full of losers (just like me, you and grandy (j/k) ).

Fail0verflow I like you even less than Geoth now, he's not making a big deal of everything...

anomaly-PSG - 01-04-2011, 05:52 PM
- Reply
Originally Posted by bigheads

(me, bigheads, the one and only, now you know my name, now you will remember me, now you can thank me)

'Bighands' was it? Yeah I remember him

wiisixtyfour - 01-04-2011, 06:04 PM
- Reply
You people are idiots. All geohot cares about is getting fame. (Why do you think people call him egohot?). What fail0verflow want is an open system. Geohot has a tendency to release things early just because he can and he doesn't even think of the consequences. (Remember when Sony removed OtherOS?) The reason fail0verflow (and this goes for iDevice hacking as well) hadn't released anything was because they were making it ready for the public. Geohot, who only cares about the credit, releases these things and all these stupid news sites go crazy for it. Are you guys really gonna forget the fact that geohot claimed to have a CFW with OtherOS? Geohot is full of shit, he just wants fame. You guys think marcan is whining but really, geohot has screwed people over before. Even with regard to the Wii scene, Waninkoko's work was nothing compared to Team Twiizers.
All you pirates may not care about running Linux, but if you've learned anything over the past 10 years then you'd know that piracy will find a way sooner or later (see the 27c3 Console Hacking talk). What Team Twiizers and fail0verflow are doing is keeping the system open without adding to piracy. Someone will most likely step up and do the dirty work, but they shouldn't be praised for that. All the hard work has been done for them so that's why marcan and others say stuff like that.