Alleged "final hack" of PlayStation 3 surfaces
Contributed by: Email on 10/25/2012 02:36 PM
A decryption key that is reported to be circulating on the net is said to remove the final protective barrier on some models of Sony's PlayStation 3 consoles. In the long run, the release of the key will probably allow unsigned software such as homebrew games, Linux distributions, or pirate copies of software to run on some PS3 consoles.
Allegedly, the private key can be used to modify and sign the "LV0" (Level 0), for example to disable its security checks. From version 3.60 of the PS3's firmware onwards, the LV0 is launched directly by the bootloader (bootldr) built into the system's hardware when the PS3 boots, which means that the chain of trust is broken at a very early stage. As Sony won't be able to update the bootloader with a software update, the hacker community considers this the "final hack" of the PS3 in its current form.
However, for the modified LV0 to be executed, it must first be written to flash memory. This is most conveniently done using a firmware vulnerability, but no such vulnerabilities have so far been discovered in recent firmware versions. A more elaborate method works independently of the installed firmware and involves using a hardware downgrade device to manipulate the flash, but this requires the console to be physically opened.
The only way for Sony to protect against this is with a newer hardware revision; apparently Slim models of the PS3 from CECH-30xx onwards and the new Super Slim model have LV0.2 keys that check a second signature. This means that these newer models are unlikely to be vulnerable in the manner described above.
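To make the chain-of-trust point concrete, here is an added model that is not code from the article, from Sony or from any console firmware: a boot ROM whose root public keys are fixed in hardware verifies the next stage before running it, with one root key standing for the older consoles and two root keys standing for the LV0.2 second-signature check. Ed25519 and every name in the block are assumptions of the model; the article does not say which signature scheme the console uses.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SignedStage is a boot-stage image (think LV0) plus one signature per root key.
type SignedStage struct {
	Image []byte
	Sigs  [][]byte
}

// BootROM models the immutable bootldr: its root public keys are fixed in
// hardware. One key models older consoles; two keys model the LV0.2 check.
type BootROM struct{ roots []ed25519.PublicKey }

func NewBootROM(roots ...ed25519.PublicKey) BootROM { return BootROM{roots: roots} }

// Sign signs the image with each root private key, in root-key order.
func Sign(image []byte, keys ...ed25519.PrivateKey) SignedStage {
	s := SignedStage{Image: image}
	for _, k := range keys {
		s.Sigs = append(s.Sigs, ed25519.Sign(k, image))
	}
	return s
}

// Verify accepts the stage only if every root key has a valid signature over
// the image, so one leaked key is not enough to pass a two-key ROM.
func (b BootROM) Verify(s SignedStage) bool {
	if len(s.Sigs) != len(b.roots) {
		return false
	}
	for i, pk := range b.roots {
		if !ed25519.Verify(pk, s.Image, s.Sigs[i]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed keys; a nil reader makes GenerateKey use crypto/rand, and
	// the error is ignored here because it only occurs if the system RNG fails.
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, _, _ := ed25519.GenerateKey(nil)
	stage := Sign([]byte("constructed LV0 image"), privA) // only key A's signature
	fmt.Println(NewBootROM(pubA).Verify(stage), NewBootROM(pubA, pubB).Verify(stage)) // true false
}
```

Treating the stand-in key A as the leaked key, the one-key ROM accepts any stage re-signed with it, while the two-key ROM still rejects it, which is the difference the article draws between the older models and the LV0.2 hardware.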
The key was released by a group that calls itself "The Three Musketeers". The hacker group claims that the private key has been in its possession for some time, but that it hadn't intended to disclose it. The "Musketeers" said that they took this step because the Chinese "BlueDiscCFW" hacker group got hold of the key and tried to monetise it by selling firmware that was modified using one of the keys. The hackers added that they wanted to prevent this by disclosing the LV0 key.
In the short term, the key is mainly of benefit to some PS3 owners who are still using the most recent vulnerable firmware version 3.55 or a modified version that's based on it. They can install a modified 4.x-based firmware that could, potentially, allow them to register with the PlayStation Network or launch games which require a newer firmware version.