Right Let's Try This Again: PS3 Hypervisor Hacked

Alec said:
I get this impression too...that he tried via software but hit a brick wall. It was 5 weeks from when he had everything he needed to accomplish the goal. I still consider that 5 weeks, though. =)
I wish my boss would think that way about my deadlines :\
"(month later) But boss, I only actively worked on this project for 2 days!"
 
Lord Error said:
It's pretty astounding that SCE went from the least protected console ever built (PSP, which in its 1.0 Japanese incarnation has even failed to do any kind of checks to see if it's running homebrew code or official code) to something like PS3.

I see now also that his claim to have hacked it in 5 weeks is also only half true. It seems like he gave up on it at first and only much later figured something else out, and hacked something after two more weeks of active work.

Not really. They learned their lesson. MS also had a huge problem with Xbox and as a result the 360 is very secure (except those DVD drives). Though Nintendo is rather slow, with their experience this generation I'd expect them to hire a few more security professionals to look at their next system too. New piracy is mostly done by taking the system and dumping all your ROMs to a hard drive and running it on the hardware itself. It used to be just disc copying and emulation. It took a while for hardware manufacturers to catch on and start protecting their consoles from the inside.
 
Have we had Hello World yet?

I mean it seems like a lot is just riding on this guy's credentials.

Obviously he's gotten somewhere or he wouldn't be posting anything at all, but I'd be surprised if this gets anywhere.
 
ymmv said:
The actual size of PS3 games is a lot smaller. Since just about all multiplatform games have to fit on an Xbox 360 DVD as well (7GB usable space), this is true of most PS3 games as well. http://orlydb.com/s/ps3 lists disc sizes for a number of PS3 games.
It's also worth bearing in mind that they can put padding on a disc to optimise access speeds, among other reasons, that only bloats an ISO without affecting performance. I routinely rip my PSP games to the Memory Stick and I've seen ISOs go from ~1.5GB to 500MB or even less once you've stripped out the padding, junk files and on-disc firmware updates. Also a lot of PS3 games use the extra space for, say, including the voice acting for all regions, so if it's like a PSP ISO you can strip out or relink the non-English audio and cut-scenes to remove those.
 
Lord Error said:
At this point there's been so many PS3 games that couldn't have been pirated (and that sold as much as they would ever sell) that even if the full hack surfaces tomorrow, all the developers making those games should be pretty happy with how the system is secured - if they think piracy would have ruined their sales.

Yes, but it does affect them going forward, regardless of the past.
 
Somnid said:
Not really. They learned their lesson. MS also had a huge problem with Xbox and as a result the 360 is very secure (except those DVD drives).
X360 was busted in the worst possible way (until recently when it was hacked completely again with jtag) - piracy only, but no homebrew. I'm sure MS would have preferred if it was the other way around, and I'd call that a pretty big security snafu.

lupinko said:
Yes, but it does affect them going forward, regardless of the past.
Well, it hasn't been for naught, which is what I was replying to. They got at least 3+ years of piracy free sales out of it, which is rarely (if ever?) seen.

NekoFever said:
It's also worth bearing in mind that they can put padding on a disc to optimise access speeds, among other reasons, that only bloats an ISO without affecting performance. I routinely rip my PSP games to the Memory Stick and I've seen ISOs go from ~1.5GB to 500MB or even less once you've stripped out the padding, junk files and on-disc firmware updates. Also a lot of PS3 games use the extra space for, say, including the voice acting for all regions, so if it's like a PSP ISO you can strip out or relink the non-English audio and cut-scenes to remove those.
Padding is always ripped out of scene ISOs. The reason some PS3 exclusive games take so much space is that they actually put a lot of content on them that would otherwise have to be split to multiple discs, and they use decent quality video bitrate (as opposed to garbage quality that we usually get on multiplat releases). Multiple language voices usually wouldn't take that much space in comparison.
 
While there is a bigger discussion behind which I would love to discuss (regarding regional elements like copyright, watchdog ratings, censorship, etc), I believe the news is interesting because of the time it actually took to hack: If the 5 weeks are true, it means no group really tried to crack the PS3.
 
ReyBrujo said:
While there is a bigger discussion behind which I would love to discuss (regarding regional elements like copyright, watchdog ratings, censorship, etc), I believe the news is interesting because of the time it actually took to hack: If the 5 weeks are true, it means no group really tried to crack the PS3.

I wouldn't stop Geohot's hack clock until he shows he has something running. :)
 
ReyBrujo said:
While there is a bigger discussion behind which I would love to discuss (regarding regional elements like copyright, watchdog ratings, censorship, etc), I believe the news is interesting because of the time it actually took to hack: If the 5 weeks are true, it means no group really tried to crack the PS3.
Let's not be naive - there was most definitely a bounty out there by the commercialized piracy industry for a PS3 exploit that they could profit off of.

He's a pretty smart guy when it comes to cracking hardware, I'll give him that.

However, I still think cracking a lowly iPhone is orders of magnitude different from being able to fully bust open the CELL, as securely designed as it is.
 
Lord Error said:
Padding is always ripped out of scene ISOs. The reason some PS3 exclusive games take so much space is that they actually put a lot of content on them that would otherwise have to be split to multiple discs, and they use decent quality video bitrate (as opposed to garbage quality that we usually get on multiplat releases). Multiple language voices usually wouldn't take that much space in comparison.

I forget which game it was where the PS3 cutscenes were beautiful high bitrate HD and the X360 cutscene videos were compressed and sub HD to fit on 1 disc. It was about 1 year ago, a Japanese game. But the review had a side by side of the videos and the difference was jarring.

Sure, it's cutscenes, but the point is compression and space saving.

And as to extra languages, a couple of developers said that their PS3 voice work was huge in size and had to cut English out in other regions to fit it all. So voice work can take a significant chunk if it's multi-region (think including 5+ languages in Europe).
 
AndyD said:
I forget which game it was where the PS3 cutscenes were beautiful high bitrate HD and the X360 cutscene videos were compressed and sub HD to fit on 1 disc. It was about 1 year ago, a Japanese game. But the review had a side by side of the videos and the difference was jarring.

Sure, it's cutscenes, but the point is compression and space saving.

And as to extra languages, a couple of developers said that their PS3 voice work was huge in size and had to cut English out in other regions to fit it all. So voice work can take a significant chunk if it's multi-region (think including 5+ languages in Europe).

I'm guessing it could be Tales of Vesperia.
 
Is this thread killing NeoGAF?

Anyways, even if we agree that cracking an Apple is different from cracking a PS3, you don't usually sign a half-hearted crack. Once your reputation goes down, nobody will take you seriously again. Sure, it may not be 100% reliable, but again, 3 years and this is the most relevant PS3 cracking news?
 
Lord Error said:
X360 was busted in the worst possible way (until recently when it was hacked completely again with jtag) - piracy only, but no homebrew. I'm sure MS would have preferred if it was the other way around, and I'd call that a pretty big security snafu.

Homebrew and piracy are very much entangled. Usually it starts with homebrew and then the pirates start building on that. This is how it happened with Wii, early Wiis required mod chips to pirate but it got much worse once homebrew USB loaders appeared. As a hardware manufacturer you don't want either because full rein over the system lets you do naughty things as well.

Particularly in Xbox's case people just ripped games to the hard drive, which in many ways makes it easier (and cheaper) than disc copying. Obviously, MS built around what they knew best. Next time the disc drive probably won't be a trusted component.
 
Mad_Ban said:
I'm curious as to what he means by saying it would let users run PS2 games on the console. Either he was hacking a PS3 with BC capabilities, or he knows something we don't.

I think he doesn't know what he's talking about in that regard.
 
Alec said:
Those people have confronted Geohot about this in his blog's comments section and he has said that it's not a problem for his exploit.

And that's what some of us are waiting on. Hell, maybe he's right, but I'd like more than just taking his word for it.
 
Based on the IBM whitepapers I've read regarding CELL's security design, I agree that it's a timing exploit (IIRC he even said it was on one of his blog comments), based on messing with the hardware slightly so he can work his software magic to gain hypervisor control - no more, no less.

He still has no access to the isolated SPE responsible for all decryption, because it was designed to be fully isolated from the hypervisor. He has the processes that go in and out, but he can't actually manipulate it in any meaningful manner.

Therefore, he still does not have the "root key", the key that forbears all keys - the so-called "holy grail". That was the source of his success with the iPhone, and without it, any exploits are piecemeal and temporary at best.

And the problem is, the CELL isn't an iPhone - unless someone at IBM really screwed up, there's no way to get to that root key - it's hardware embedded with no method of access short of sending it to a hardware decryption facility.

So while he may have SOMETHING, the barriers that still stand before him are pretty vast:

1) The massive amounts of reverse-engineering that has yet to be done at this point - for a one-man operation who isn't giving away his secrets, this will take a long, long time.

2) Stabilizing the timing exploit so there's some reliability of success.

3) Circumventing any "killswitch" methods Sony undoubtedly will implement

4) Running stable unsigned code all while intercepting any processes that would touch the sensitive isolated SPE from going terror warning level black and shutting the thing down
 
hauton said:
Based on the IBM whitepapers I've read regarding CELL's security design, I agree that it's a timing exploit (IIRC he even said it was on one of his blog comments), based on messing with the hardware slightly so he can work his software magic to gain hypervisor control - no more, no less.

He still has no access to the isolated SPE responsible for all decryption, because it was designed to be fully isolated from the hypervisor. He has the processes that go in and out, but he can't actually manipulate it in any meaningful manner.

Therefore, he still does not have the "root key", the key that forbears all keys - the so-called "holy grail". That was the source of his success with the iPhone, and without it, any exploits are piecemeal and temporary at best.

And the problem is, the CELL isn't an iPhone - unless someone at IBM really screwed up, there's no way to get to that root key - it's hardware embedded with no method of access short of sending it to a hardware decryption facility.

So while he may have SOMETHING, the barriers that still stand before him are pretty vast:

1) The massive amounts of reverse-engineering that has yet to be done at this point - for a one-man operation who isn't giving away his secrets, this will take a long, long time.

2) Stabilizing the timing exploit so there's some reliability of success.

3) Circumventing any "killswitch" methods Sony and IBM undoubtedly will implement

4) Running stable unsigned code all while intercepting any processes that would touch the sensitive isolated SPE from going terror warning level black and shutting the thing down
You gotta start somewhere.
 
Lord Error said:
At this point there's been so many PS3 games that couldn't have been pirated (and that sold as much as they would ever sell) that even if the full hack surfaces tomorrow, all the developers making those games should be pretty happy with how the system is secured - if they think piracy would have ruined their sales.

Yeah. The best time for a system to get hacked is 4+ years into the generation, when the emergence of piracy is going to be late enough that it's extremely unlikely it'll meaningfully impact the software-buying habits of the install base.

Lord Error said:
I'm sure MS would have preferred if it was the other way around, and I'd call that a pretty big security snafu.

Yes, although the security of the stuff they put together themselves really was pretty tight -- the problem was letting in hardware from an external vendor (the off-the-shelf disc drives) and thereby ensuring that their system could never be more secure than those drives were on their own.
 
Alec said:
If he attempts to execute unsigned code, then it would send an invalid signature to the hypervisor. Since he has full hypervisor access, he can just tell it to ignore the broken signature. I'm thinking he doesn't know how to code anything that the PS3 would see as an executable. The way I understand it, he's saying "I don't have any code to test, but if I did, then it would run."


Nah, that's BS. Dude could write a simple line of code to just print something to a console or to the screen. And I'm sure he could write much more than that if he's able to hack systems like this. It's not at all a question of him not knowing how to write code that'll run - it's a question of getting it to run.

From his interviews et al he's claiming to be able to do whatever he wants, so a little hello world demo wouldn't go amiss at this point...why it is reasonable to ask for that.

On your first point, though, about the integrity checks - it's supposed to happen entirely in hardware. As it's meant to work, the hypervisor doesn't have any say in whether code is valid or not. Precisely so if the hypervisor is hacked it doesn't offer everything up to the hacker.

That's how it's supposed to be anyway. How things actually are, and how well these things are applied may differ, and may let a hacker through.
 
Will have to see what the exploit is, and if it really does work before the interesting stuff begins. Until then, it's just speculation (like all the other claims).

Seeing how Dark-Alex has been known to have been working on cracking the PlayStation 3 for a while and is very familiar with Sony hardware/software, I'm surprised to see this iPhone hacker do in 5 weeks what nobody could do in 3 years.
 
charlequin said:
Yeah. The best time for a system to get hacked is 4+ years into the generation, when the emergence of piracy is going to be late enough that it's extremely unlikely it'll meaningfully impact the software-buying habits of the install base.

Right.

But it can create a spike in console sales, if the homebrew/piracy/custom market is very good. Because the console gets cheaper and in addition to the legal uses, you also can do all the gray area stuff.

I can totally see more people buying a PS3 if you can get the equivalent of Boxee/XBMC quality stuff on there. If nothing else as a very high quality centerpiece for a home media center.
 
gofreak said:
Nah, that's BS. Dude could write a simple line of code to just print something to a console or to the screen. And I'm sure he could write much more than that if he's able to hack systems like this. It's not at all a question of him not knowing how to write code that'll run - it's a question of getting it to run.

From his interviews et al he's claiming to be able to do whatever he wants, so a little hello world demo wouldn't go amiss at this point...why it is reasonable to ask for that.

On your first point, though, about the integrity checks - it's supposed to happen entirely in hardware. As it's meant to work, the hypervisor doesn't have any say in whether code is valid or not. Precisely so if the hypervisor is hacked it doesn't offer everything up to the hacker.

That's how it's supposed to be anyway. How things actually are, and how well these things are applied may differ, and may let a hacker through.

Yeah, I guess it is a little silly for me to think that he can't write a simple Hello World.
 
NekoFever said:
It's also worth bearing in mind that they can put padding on a disc to optimise access speeds, among other reasons, that only bloats an ISO without affecting performance.

No they won't. Blu-ray drives are designed to have a constant read speed regardless of where that data are stored on the disc. So there's no need to add any padding at all.
 
This could be awesome for XBMC like functionalities. BTW, doesn't anyone else find it an odd coincidence that both the xbox360 and the ps3 have been hacked to run unsigned code at about the same time?
 
gofreak said:
Nah, that's BS. Dude could write a simple line of code to just print something to a console or to the screen. And I'm sure he could write much more than that if he's able to hack systems like this. It's not at all a question of him not knowing how to write code that'll run - it's a question of getting it to run.

From his interviews et al he's claiming to be able to do whatever he wants, so a little hello world demo wouldn't go amiss at this point...why it is reasonable to ask for that.

On your first point, though, about the integrity checks - it's supposed to happen entirely in hardware. As it's meant to work, the hypervisor doesn't have any say in whether code is valid or not. Precisely so if the hypervisor is hacked it doesn't offer everything up to the hacker.

That's how it's supposed to be anyway. How things actually are, and how well these things are applied may differ, and may let a hacker through.

He's got that. Problem is all the software he's shown is running in Linux. :) He's written a kernel module, from which he's presumably running hypervisor calls to test whether his hardware glitch works. From that, apparently he has full control over the hypervisor... in OtherOS. I'm not sure what's next.

http://3.bp.blogspot.com/_NJ4JFBfr1tY/S1d3ZuG38gI/AAAAAAAAAbI/YLBQefLdIwI/s1600-h/iglitch.JPG
 
expy said:
Seeing how Dark-Alex has been known to have been working on cracking the PlayStation 3 for a while and is very familiar with Sony hardware/software, I'm surprised to see this iPhone hacker do in 5 weeks what nobody could do in 3 years.

I am pretty sure this is completely urban myth. DA has just left the scene for whatever reason, be it Sony threat/payoff, but it certainly isn't to abandon the PSP and crack the PS3.
 
gofreak said:
Nah, that's BS. Dude could write a simple line of code to just print something to a console or to the screen. And I'm sure he could write much more than that if he's able to hack systems like this. It's not at all a question of him not knowing how to write code that'll run - it's a question of getting it to run.
while i would not venture to guess what it takes to print something on the ps3 screen (you clearly need to have the entry points of the fw routines to be able to do that), i can only agree that ockham's edge here says that if he has not shown any, even the most minimalistic, of unsigned code running on the ps3, then he does not have one at this stage. so again, he may have all the cred in the world, but his announcement was premature.

That's how it's supposed to be anyway. How things actually are, and how well these things are applied may differ, and may let a hacker through.
yes, foolproof designs are one thing, their implementation - another. the human error factor - that's how 360 was hacked originally.
 
His latest comment:

"Everyone can already run unsigned code, it's called OtherOS"

Responding to questions if he has unsigned code running.

A bit facetious, no?

I don't think he has unsigned code running yet, but he doesn't want to say anything explicit on it until he DOES have it running and can say he has it running. He doesn't want to say 'no, I don't'.
 
gofreak said:
His latest comment:

"Everyone can already run unsigned code, it's called OtherOS"

Responding to questions if he has unsigned code running.

A bit facetious, no?

I don't think he has unsigned code running yet, but he doesn't want to say anything explicit on it until he DOES have it running and can say he has it running. He doesn't want to say 'no, I don't'.

That combined with my post... basically, he's hacked OtherOS. :lol

I'm not saying he can't do anything with that, but I'm becoming more optimistic that this hack isn't going anywhere any time soon.

For the people wanting XBMC, you'll help me out this summer on the linux version, right? Anybody good at writing multi-core h264 codecs?
 
gofreak said:
His latest comment:

"Everyone can already run unsigned code, it's called OtherOS"

Responding to questions if he has unsigned code running.

A bit facetious, no?

I don't think he has unsigned code running yet, but he doesn't want to say anything explicit on it until he DOES have it running and can say he has it running. He doesn't want to say 'no, I don't'.

a 'bit' facetious? that's akin to saying 'everybody can run unsigned code, it's called JavaScript on a web page'.

running unsigned code means running code that the authority in the system would not allow you to run.
 
Psychotext said:
Seek times.

Maybe I'm missing something but how would padding blank data help with seek times? Storing the commonly used data in several places might help (say storing item and NPC textures together with each level's data), but those kinds of real data padding can't really be trimmed in the ISO process.
 
gofreak said:
His latest comment:

"Everyone can already run unsigned code, it's called OtherOS"

Responding to questions if he has unsigned code running.

A bit facetious, no?

I don't think he has unsigned code running yet, but he doesn't want to say anything explicit on it until he DOES have it running and can say he has it running. He doesn't want to say 'no, I don't'.
Confirmed it's a fat PS3 then.
 
I dunno. Maybe his comment is a double-speak reference to some role OtherOS plays in allowing his own code to run somewhere else with full privileges.

On the other hand though, he's avoided answering if his function patches have worked or not.

Well, anyway, if he has got unsigned code running I think now would be the time to show it. Or to just say he's still working on it. If he is still working on it, though, then conservatively speaking it's probably been premature to claim a system hack at this point and to talk the way he has to The Register et al. Maybe it is just a matter of time, but without this bit of the puzzle he's not quite there yet.
 
linsivvi said:
Maybe I'm missing something but how would padding blank data help with seek times? Storing the commonly used data in several places might help (say storing item and NPC textures together with each level's data), but those kinds of real data padding can't really be trimmed in the ISO process.
I have no knowledge of how data may or may not be "trimmed in the iso process", I'm just commenting on why a developer would choose to replicate data over the disc.
 
hauton said:
Have we had Hello World yet?

I mean it seems like a lot is just riding on this guy's credentials.

Obviously he's gotten somewhere or he wouldn't be posting anything at all, but I'd be surprised if this gets anywhere.

And therein lies the problem. He hasn't produced the elusive "Hello World" program yet. This is probably one of the first things you do when you claim to have 'owned' a system. Now, I'm going to disregard the lame comments that have suggested he just isn't familiar with programming the system because if he's talented enough to 'own' the system then he really should have no problem with this.

He's probably realizing right about now that the PS3 isn't an iPhone.
 
Psychotext said:
I have no knowledge of how data may or may not be "trimmed in the iso process", I'm just commenting on why a developer would choose to replicate data over the disc.

Well, DVD drives read data faster on the outer portion of the disc, and that's why some developers would pad empty data to keep the actual content on the outer rings. Since those blank data are never needed or even read, they can be easily trimmed when you convert the disc to an iso file.

If a blu-ray disc uses duplicated data to lower the seek time, such data cannot be trimmed because those are actual data that the game would use.

I have never worked with blu-ray discs though so that's just my understanding from what I've read previously.
 
Alec said:
If he attempts to execute unsigned code, then it would send an invalid signature to the hypervisor. Since he has full hypervisor access, he can just tell it to ignore the broken signature. I'm thinking he doesn't know how to code anything that the PS3 would see as an executable. The way I understand it, he's saying "I don't have any code to test, but if I did, then it would run."

The Hypervisor isn't part of the chain of trust. Did you really think IBM would entrust a weak link like a software Hypervisor? The decryption keys are only exposed in the isolated SPU vault. And once an application is executing in the vault absolutely nothing can monitor or tamper with what's happening inside. If his claim to fame is taking control of the Hypervisor then he's set himself up for failure.
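The post above makes a design point worth seeing concretely: if signature checking lives in a patchable software layer, a compromise of that layer defeats it, whereas if the check lives in an isolated component that holds the trust anchor, the same compromise gains nothing. The following is an added toy model written for this thread, not PS3 or IBM code. It assumes a constructed HMAC-SHA256 "vendor signature" (standing in for the asymmetric signatures a real console would use), a hypothetical `Hypervisor` class whose checks can be switched off to model a compromise, and a hypothetical `IsolatedVerifier` that the hypervisor cannot alter.

```python
"""Toy model: where should executable-signature verification live?
Constructed example for illustration; not PS3, IBM or Sony code.

Design A: the hypervisor verifies and the vault trusts its verdict.
Design B: the hypervisor only ferries bytes; the isolated vault verifies.
"""
import hashlib
import hmac
import os

# Constructed vendor signing key. In a real design this would be a public key
# burned into the isolated hardware, with the private half kept by the vendor.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"


def sign(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor-side signing of an executable image (HMAC stands in for RSA/ECDSA)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(payload: bytes, sig: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Constant-time signature check."""
    return hmac.compare_digest(sign(payload, key), sig)


class IsolatedVerifier:
    """Hypothetical stand-in for the isolated SPE / vault: holds the trust
    anchor, cannot be patched from the hypervisor, runs only verified code."""

    def __init__(self, key: bytes = VENDOR_KEY):
        self._key = key

    def execute(self, payload: bytes, sig: bytes) -> str:
        if not verify(payload, sig, self._key):
            return "refused"
        return "ran:" + payload.decode()


class Hypervisor:
    """Hypothetical software layer. `check_in_hypervisor` selects design A or B;
    `compromised` models the hypervisor's own checks having been patched out."""

    def __init__(self, check_in_hypervisor: bool):
        self.check_in_hypervisor = check_in_hypervisor
        self.compromised = False
        self.vault = IsolatedVerifier()

    def load(self, payload: bytes, sig: bytes) -> str:
        if self.check_in_hypervisor:
            # Design A: the hypervisor is the judge, so a patched hypervisor
            # simply stops judging.
            if not self.compromised and not verify(payload, sig):
                return "refused"
            return "ran:" + payload.decode()
        # Design B: the hypervisor has no say; the vault checks independently.
        return self.vault.execute(payload, sig)


def demo() -> dict:
    """Run both designs against a vendor-signed image and an unsigned one,
    before and after the hypervisor is compromised. Returns the outcomes."""
    signed = b"vendor-game"          # constructed sample images
    unsigned = b"homebrew"
    bad_sig = os.urandom(32)         # a missing / forged signature
    results = {}
    for name, flag in (("hv_checks", True), ("vault_checks", False)):
        hv = Hypervisor(check_in_hypervisor=flag)
        results[name, "signed"] = hv.load(signed, sign(signed))
        results[name, "unsigned"] = hv.load(unsigned, bad_sig)
        hv.compromised = True        # attacker now controls the hypervisor
        results[name, "unsigned_after_compromise"] = hv.load(unsigned, bad_sig)
    return results


if __name__ == "__main__":
    for (design, case), outcome in demo().items():
        print(f"{design:13s} {case:26s} -> {outcome}")
```

The only row that differs between the two designs is the last one: under design A the compromised hypervisor runs the unsigned image, under design B the vault still refuses it. That is the whole argument of the post about the chain of trust: the layer that enforces signatures must be one the attacker cannot patch, which is why the root key and the verification are kept inside the isolated unit rather than in hypervisor software.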
 
Truespeed said:
And therein lies the problem. He hasn't produced the elusive "Hello World" program yet. This is probably one of the first things you do when you claim to have 'owned' a system. Now, I'm going to disregard the lame comments that have suggested he just isn't familiar with programming the system because if he's talented enough to 'own' the system then he really should have no problem with this.

He's probably realizing right about now that the PS3 isn't an iPhone.


I'm not sure if this quote was posted already...

George Hotz said...

the stupid hypervisor is PPC and C++

if it were C and ARM, maybe i'd have a public sw exploit already.
 
Truespeed said:
He hasn't produced the elusive "Hello World" program yet.

Just a "Hello World" wouldn't actually prove anything, though, because you can already run unsigned code on a PS3. In order to produce real proof that he's accomplished anything, he needs to produce a demonstration that does something that can't be done in OtherOS.

I mean, I agree, he doesn't have a "complete" hack working yet, but just due to the nature of what specifically he's working on, a concrete demonstration is a higher standard than it is on a system that has no OtherOS-style openings.
 
charlequin said:
Just a "Hello World" wouldn't actually prove anything, though, because you can already run unsigned code on a PS3. In order to produce real proof that he's accomplished anything, he needs to produce a demonstration that does something that can't be done in OtherOS.

I mean, I agree, he doesn't have a "complete" hack working yet, but just due to the nature of what specifically he's working on, a concrete demonstration is a higher standard than it is on a system that has no OtherOS-style openings.

I thought it was implied, but the "Hello World" application would have to be executed from the GameOS (where you have access to all of the resources). The OtherOS is meaningless in this context.
 
From his comment replies on his blog & Beyond3D:
I'm less opposed to piracy on the PS3 as I am on the iPhone. Obviously, it must not hurt the game manufacturers that bad, or they wouldn't continue to release PC versions of games. And if a modchip is required, that will eliminate a huge chunk of would-be pirates. If you are willing to open up your system, learn some electronics, and solder, perhaps you deserve free games. I hate the tools who download blackra1n then ask me where their free apps are, and wish Apple had better DRM, which none of the top guys in the iPhone scene would touch.

Who cares about the strength of the encryption? Systems don't get hacked because the designers chose 1024-RSA instead of 2048-RSA, or 128-AES instead of 256-AES. If the system can decrypt it, you can decrypt it.

And yes, your understanding of the hypervisor is correct. If it's working properly, it shouldn't give me access to the resources I want...but that's what the hardware I add is for, to make the system not work so properly at exactly the right time.
January 21, 2010 10:14 AM

Losses due to piracy are incredibly hard to measure. For example, I have 3 Miley Cyrus songs in my iTunes library, but I really don't think she lost any money because of me...

Piracy in the iPhone scene bothers me for a different reason. The people who want cracked apps seem to be the biggest leeches around, who'd never give anything back to the scene and don't appreciate the legit uses for jailbreaks. Also there's a big difference between a $1 app and a $60 game, which is why I think the people are like this...too cheap to spend a dollar.

Thinking about piracy in television, I wouldn't be watching LOST if I couldn't pirate the first two seasons and catch up. So they gained a viewer.

The real reason I'm against piracy on this blog is the DMCA and lawyers though. It's not a moral issue.
January 21, 2010 3:22 PM

It seems like his hack will require a physical mod. If so, I think Sony is letting out a big sigh.

The fact that he listens to Miley Cyrus will wipe out any reputation gains and respect he'll get from hacking the ps3. :)
 