1. 27th Chaos Communication Congress
Console Hacking 2010
PS3 Epic Fail
bushing, marcan, segher, sven
Wednesday, 29 December 2010
2. Who are we?
• In 2008 at 25c3 these teams worked together as 'WiiPhonies'
• We won the 25c3 CTF
• We changed our name to 'Fail 0verflow'
• Not trademark infringing
• The domain was available
• The ratio of fail to win is high.
We've been collaborating on various embedded and thought-expansive projects, the most famous of which, the one that hit the press earlier this year, was the full reconstruction of the $REDACTED allowing $REDACTED to be completely broken; that was a fun couple of weeks.
3. Wii had a good run
• 3 years, 9 firmware updates, 1 real feature
• 73 million consoles, 30 million vulnerable bootloaders
• 1 million users of Homebrew Channel
4-7. Wii / Xbox 360 / PS3 timeline (built up over four slides; final state shown, entries listed in the order they appear after each year mark on the time axis)
Year   Wii                           Xbox 360                  PS3
2006   Drivechips                    Drive firmware hacked,
                                     King Kong Hack
2007   Twiizer Attack                                          OtherOS,
                                                               RSX exploit
2008   Twilight Hack,
       Homebrew Channel
2009   Bannerbomb,                   JTAG Hack                 Slim released w/o Linux,
       Indiana Pwns,                                           Geohot's hack
       Bannerbomb for 4.2
2010   latest update broken                                    Linux removed,
                                                               Jailbreak,
                                                               Downgrade,
                                                               this talk :)
2011
78-80. C++ Objects (built up over three slides)
Heap layout: consecutive C++ interface objects, each beginning with its VTABLE POINTER.

  INTERFACE OBJECT #N      VTABLE POINTER | C++
  INTERFACE OBJECT #N+1    VTABLE POINTER | C++
  INTERFACE OBJECT #N+2    VTABLE POINTER | C++

Slide 79: the data of CONFIGURATION #3 INTERFACE #1 extends over INTERFACE OBJECT #N+1, covering the word that held its VTABLE POINTER.
Slide 80: that word now reads PAYLOAD POINTER.

  INTERFACE OBJECT #N      VTABLE POINTER  | C++
  INTERFACE OBJECT #N+1    PAYLOAD POINTER | C++   <- CONFIGURATION #3 INTERFACE #1
  INTERFACE OBJECT #N+2    VTABLE POINTER  | C++
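The layout above is the whole story of the bug class: a record copied into one object's inline buffer with a length the record itself declares, so that the bytes past the buffer land on the first word of the neighbouring object, which is where a C++ object keeps its vtable pointer. The example below is added here and is not code from the talk or from the PS3 firmware. It simulates that layout in a plain array so the over-copy stays in defined memory, and puts the unchecked copy beside the one-line check that stops it. The record format (first byte is the declared length), the object size, the values REAL_VTABLE and PAYLOAD_PTR, and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Simulated heap arena: NOBJ interface objects laid out back to back, each
 * starting with its vtable pointer (the layout the slides draw). The arena is
 * a plain array so that the over-copy below stays inside defined memory and
 * its effect can be inspected instead of crashing.
 */
#define DATA_SZ 16
#define NOBJ    3

typedef struct {
    uintptr_t vtable;        /* first word of any C++ object with virtual methods */
    uint8_t   data[DATA_SZ]; /* inline storage for the record copied in below   */
} iface_obj_t;

typedef struct { iface_obj_t obj[NOBJ]; } arena_t;

/* Constructed stand-in values; neither is a real address. */
#define REAL_VTABLE  ((uintptr_t)0x1000)
#define PAYLOAD_PTR  ((uintptr_t)0x4141)

void arena_init(arena_t *a)
{
    for (int i = 0; i < NOBJ; i++) {
        a->obj[i].vtable = REAL_VTABLE;
        memset(a->obj[i].data, 0, DATA_SZ);
    }
}

/*
 * Vulnerable store: the record's own length byte (assumed here to be its first
 * byte) decides how much is copied into the object's inline buffer. Anything
 * beyond DATA_SZ lands on obj[n+1].vtable. The clamp to the arena end exists
 * only to keep the simulation memory-safe; it is not a fix.
 */
int store_record_vulnerable(arena_t *a, int n, const uint8_t *rec)
{
    size_t len = rec[0];
    uint8_t *dst = a->obj[n].data;
    size_t room = (size_t)((const uint8_t *)(a + 1) - (const uint8_t *)dst);
    if (len > room) len = room;
    memcpy(dst, rec, len);   /* no check against DATA_SZ */
    return 0;
}

/* Hardened store: the declared length must fit the destination buffer. */
int store_record_hardened(arena_t *a, int n, const uint8_t *rec)
{
    size_t len = rec[0];
    if (len > DATA_SZ) return -1;   /* reject rather than trust the record */
    memcpy(a->obj[n].data, rec, len);
    return 0;
}

/*
 * Stores an over-long record into obj[1] with the given store function and
 * reports whether obj[2]'s vtable pointer survived: 1 if overwritten, 0 if
 * intact.
 */
int vtable_clobbered(int (*store)(arena_t *, int, const uint8_t *))
{
    arena_t a;
    uint8_t rec[DATA_SZ + sizeof(uintptr_t)];
    uintptr_t p = PAYLOAD_PTR;

    arena_init(&a);
    memset(rec, 0, sizeof rec);
    rec[0] = (uint8_t)sizeof rec;            /* declared length exceeds DATA_SZ */
    memcpy(rec + DATA_SZ, &p, sizeof p);     /* the bytes that reach the next object */
    store(&a, 1, rec);
    return a.obj[2].vtable != REAL_VTABLE;
}

int main(void)
{
    printf("vulnerable store: next object's vtable %s\n",
           vtable_clobbered(store_record_vulnerable) ? "OVERWRITTEN" : "intact");
    printf("hardened store:   next object's vtable %s\n",
           vtable_clobbered(store_record_hardened) ? "OVERWRITTEN" : "intact");
    return 0;
}
```

The check belongs at the point where a device-supplied length meets a fixed-size destination; once the vtable word of a live object has been replaced, the next virtual call through that object is the code-execution trophy the following slides award.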
83. You have earned a trophy.
LV2 Code Execution
84. NO W^X in LV2
Any old exploit == code execution
85. Hypervisor allows unsigned code
It happily marks pages as executable and plays no role in enforcing that only trusted code runs
86-87. Results
You have earned a trophy: Piracy
• LV2 “GameOS” compromised
• LV1 Hypervisor NOT compromised
• Secure SPE NOT compromised
• Piracy
88. Fail Security Model
• The hypervisor does not enforce LV2 and game integrity
• You can just patch LV2 to run games from HDD
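Slides 85 and 88 make the same design point from two sides: the hypervisor grants executable pages on request and never ties "executable" to "verified", so neither a fresh code page written by an exploit nor a patched LV2 is ever stopped. The example below is added here and is not the PS3's LV1 interface or any fail0verflow code; the page-table structure, permission bits, error codes and function names are all hypothetical. It shows the permissive policy the talk describes next to an enforcing one that applies W^X and only grants X to pages whose contents were checked after the last write.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/*
 * Toy page-permission policy for a hypervisor that maps pages for a guest
 * kernel (LV2 in the talk's terms). Names and API are hypothetical.
 */
#define NPAGES 8
#define PERM_R 0x1u
#define PERM_W 0x2u
#define PERM_X 0x4u

#define ERR_RANGE     (-1)
#define ERR_WX        (-2)  /* writable and executable at the same time */
#define ERR_UNTRUSTED (-3)  /* executable requested for unverified contents */

typedef struct {
    uint8_t perms[NPAGES];
    bool    verified[NPAGES];  /* contents checked (e.g. signature) since last write */
} page_table_t;

void pt_init(page_table_t *pt) { memset(pt, 0, sizeof *pt); }

/* Permissive policy: grants whatever the guest asks for, as on slide 85. */
int map_page_permissive(page_table_t *pt, unsigned page, uint8_t perms)
{
    if (page >= NPAGES) return ERR_RANGE;
    pt->perms[page] = perms;
    return 0;
}

/* Records that a page's current contents were verified; refuses while writable. */
int mark_verified(page_table_t *pt, unsigned page)
{
    if (page >= NPAGES) return ERR_RANGE;
    if (pt->perms[page] & PERM_W) return ERR_WX;
    pt->verified[page] = true;
    return 0;
}

/* Enforcing policy: W^X, and X only for pages whose contents were verified. */
int map_page_enforcing(page_table_t *pt, unsigned page, uint8_t perms)
{
    if (page >= NPAGES) return ERR_RANGE;
    if ((perms & PERM_W) && (perms & PERM_X)) return ERR_WX;
    if ((perms & PERM_X) && !pt->verified[page]) return ERR_UNTRUSTED;
    pt->perms[page] = perms;
    if (perms & PERM_W) pt->verified[page] = false;  /* a write voids any earlier check */
    return 0;
}

typedef int (*map_fn)(page_table_t *, unsigned, uint8_t);

/*
 * "Any old exploit == code execution": the guest writes into a page, then asks
 * for it to be executable without anyone having checked the contents.
 * Returns 0 if the policy would let that code run, an error code otherwise.
 */
int attempt_unverified_exec(map_fn map)
{
    page_table_t pt;
    pt_init(&pt);
    if (map(&pt, 3, PERM_R | PERM_W) != 0) return ERR_RANGE;
    /* ... guest fills page 3 with whatever it likes ... */
    return map(&pt, 3, PERM_R | PERM_X);
}

/* The legitimate path: write, drop W, verify the contents, then request X. */
int legitimate_load(map_fn map)
{
    page_table_t pt;
    int rc;
    pt_init(&pt);
    if ((rc = map(&pt, 3, PERM_R | PERM_W)) != 0) return rc;
    if ((rc = map(&pt, 3, PERM_R)) != 0) return rc;
    if ((rc = mark_verified(&pt, 3)) != 0) return rc;
    return map(&pt, 3, PERM_R | PERM_X);
}

int main(void)
{
    printf("permissive, unverified code: %d\n", attempt_unverified_exec(map_page_permissive));
    printf("enforcing,  unverified code: %d\n", attempt_unverified_exec(map_page_enforcing));
    printf("enforcing,  verified load:   %d\n", legitimate_load(map_page_enforcing));
    return 0;
}
```

The verification step is deliberately a placeholder: what matters for the slides' argument is that the component handing out execute permission is the one that insists on it, and that a later write invalidates it. Without that coupling, patching LV2 in memory (slide 88) is just another write followed by another execute request.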
93-96. Downgrades
You have earned a trophy: More Piracy
• Sony fixed the exploit
• Service mode triggered by USB “JIG”
• HMAC authenticated, keys dumped
• Leaked service app used to enable downgrades
98-101. AsbestOS
• Replace LV2/GameOS in memory
• OtherOS mode and GameOS mode are virtually identical
• Except GameOS can do more stuff, e.g. 3D
• Run Linux again (even on the Slim!)
• Use NetRPC to remote-control the PS3 and experiment...
102-105. SELFs (built up over four slides; final state shown)
SCE header
  ehdr + phdr
  encrypted metadata key   <- loader key (AES)
  metadata                 <- holds the SELF key
  ECDSA signature
ELF
  ehdr + phdr (again...)
  phdr #0 data             <- SELF key (AES + SHA-1)
  phdr #1 data
  ...
  phdr #N data
106-107. The Oracle
You have earned a trophy: Obfuscation useless
• Sony's idea: “No one can see our code!”
• ... unless the PPE is compromised
• Decrypting all code possible from GameOS
• security coprocessor pointless!
• But we want keys!