Marcan: It Is Not An “Exploit” Or “Bug”
Hector Martin, or Marcan as we’ve known him, has given out more insight into what we can expect from the fail0verflow team through his recent tweets and replies. He started by claiming that their team didn’t take 3 or 4 years (the time since the PS3 was released) to discover the epic security flaws in the PS3 console system; in fact it took only a few months. He never stated, though, whether that was after the PS Jailbreak was released or before the trend of dongles started to come.
Marcan later busted the myth that Sony can change keys, saying that they are not encryption keys but signing keys. If they change the keys, Marcan claimed, the games won’t work. So, from my understanding, each game or app has its own version of the signing keys, and they need to be signed before the game can be started. He also explained further that “They actually CAN change keys for LV2/LV1, isolated modules, rvklists, spp, but that’s useless because you can just downgrade the loaders”.
To go deeper into this, you can read more on his Twitter page. I am really a noob in this area actually, but I always try to understand how it works, supposedly. So, another (stupid) theory of mine is that there might be a tool or something that will sign those keys even for a Blu-ray disc. Yeah, I think there might be pirated PS3 Blu-ray discs for those money-sucking companies to produce; correct me if I’m wrong though.
Nonetheless, 2011 is really a bright year for PS3 owners out there, and perhaps for Sony too, in a way, as they can profit from the console sales :)
I’ve compiled the tweets here; lots of Q&A explaining more about fail0verflow’s plan and concept for the hack.
Myth #1: It took us 3-4 years to do this. Negative, this exploit only took a few months after we started working. We weren’t trying before.
Myth #2: Sony can change keys. No, they can’t. These aren’t encryption keys, they’re signing keys. If they change them GAMES STOP WORKING.
They actually CAN change keys for LV2/LV1, isolated modules, rvklists, spp, but that’s useless because you can just downgrade the loaders.
We don’t have the game signing key but the same epic fail applies to it. Once someone dumps appldr they can calculate it too.
@marcan42 and how about game patches? After changing keys, can’t they release an update to a game with new keys or something?
@AluProductions they could, to some extent, but they’d **** over everyone who doesn’t go online and gets an update from a new game.
No one can create a new metldr (for an existing console). Not even Sony (unless they have that console’s key stashed somewhere).
The XKCD “return 4” function that we showed is (essentially) part of the code that Sony HQ runs to sign games, it’s not in the PS3 FW.
This is also why we didn’t use the term “exploit” or “bug”. The PS3 signature fail is neither an exploit nor a bug (in the PS3 firmware).
It’s Sony not knowing WTF they’re doing when making signatures, and thus mathematically leaking their keys.
Clarification #3: The private keys refer to keys that Sony HQ uses. PS3s don’t have these keys (but we calculated them due to the fail).
@marcan42 How did you find out the m value was the same?
@Zmathue because that causes the R value to be the same, i.e. the first half of every signature is the same.
@marcan42 Did you learn some new and good security practices from breaking the PS3?
@LouiseHoffman not much, it’s all a large pile of fail. The Wii has better security design (it just has a lot of implementation holes).
Clarification #4: the random number isn’t 4, it’s more like 007eabbb79360e14df1457a4194b82f71a0dc39280 (example). But it’s still constant.
@marcan42 we are able to create our own metldr and co and decrypt (dump decrypted) ldr for reversing? So I finally can brick my console trying?
@KDSBest we can’t modify lv1 directly yet (no lv1ldr dump) but we can pwn lv1 early in the boot process via a hacked iso module.
@marcan42 Last year you mentioned that the Wii code is a mess. How do you imagine the original Sony code looks like?
@LouiseHoffman worse, at least the Wii stuff is mostly C. Sony loves C++, especially in SPU code. Security feature! SPU C++ is hell to RE :P
@marcan42 my fault, ofc you are right. We can create our own Hypervisor? I should sleep. What can we modify?
Nice work @fail0verflow will we be able to install any distro of Linux or just AsbestOS?
@Idlewild2007 AsbestOS isn’t a distro, it’s a bootloader that works with any distro (given a tweaked kernel).
Source from tweets: Hector Martin (marcan42) on Twitter
Source of the article: ps3crunch.com