Post: how fail0verflow cracked the ps3 system (picture tutorial)
03-15-2011, 11:21 PM #1
kyskidz
Big Sister
hello ngu, this thread is based on how 0verflow cracked the ps3 system, don't flame as it has taken me a few hours to do, if you spot a mistake message me, let me know, if it's in the wrong section it will get moved so no need to write "cool story, cool hack bro and all that bs"
Go to page 13 for the actual 0verflow conference in Berlin

[multipage=who are fail0verflow]
Who are fail0verflow

• In 2008 at 25c3 these teams worked together as 'WiiPhonies'
• They won the 25c3 CTF
• They changed their name to 'Fail 0verflow'
• Not trademark infringing
• The domain was available
• The ratio of fail to win is high.


They have been collaborating on various embedded and thought expansive projects, the most famous of which that hit the press last year was the full reconstruction of the $REDACTED allowing $REDACTED to be completely broken, that was a fun couple of weeks.


[multipage=PS3 Architecture]
This page explains the architecture of the PS3.

The Cell Broadband Engine

SPU Isolation

[multipage=OtherOS (drawn attention)]


Geohot Exploit:
XDR RAM Glitching Attack (hypervisor exposed)


[multipage=PSJailbreak Exploit]

jailbreak dongle
|
hub
/ / / \ \ \
PWN1 PWN2 PWN3 PWN4 JIG FINAL

Device 1
Device 4
Device 2
C++ Objects
Device 3

NO W^X in LV2
Any old exploit == code execution

Hypervisor allows unsigned code
It happily marks pages as executable and plays no role
in enforcing that only trusted code runs

Results
• LV2 “GameOS” compromised
• LV1 Hypervisor NOT compromised
• Secure SPE NOT compromised

• Piracy

[multipage=Fail Security Model]
Fail Security Model
• The hypervisor does not enforce LV2 and game integrity
• You can just patch LV2 to run games from HDD


[multipage=Downgrades]
Downgrades
• Sony fixed the exploit
• Service mode triggered by USB "JIG"
• HMAC authenticated, keys dumped
• Leaked service app used to enable downgrades
[multipage=AsbestOS]
AsbestOS
• Replace LV2/GameOS in memory
• OtherOS mode and GameOS mode are virtually identical
• Except GameOS can do more stuff, e.g. 3D
• Run Linux again (even on the Slim!)
• Use NetRPC to remote-control the PS3 and experiment...
[multipage=SELFs]
SELFs
[multipage=The Oracle]
The Oracle
• Sony's idea: "No one can see our code!"
• ... unless the PPE is compromised
• Decrypting all code possible from GameOS
• security coprocessor pointless!
• But we want keys!
[multipage=Chain of Trust]
Chain of Trust
Breaking loaders
• "Only" a bug in isolated loaders
• Chain of Trust already broken for all sold consoles now.
• This is Fail™. But it's not Epic™ yet...
[multipage=ECDSA]
ECDSA
These are public:
• p, a, b, G, N (elliptic curve parameters)
• Q = public key
• e = hash of data
• R, S = signature

and these are private:
• m = random
• k = private key

A signature is a pair of numbers R, S computed by the signer as

$$R = (mG)_x, \qquad S = \frac{e + kR}{m} \pmod{N}$$

It is imperative to have a random m for every signature: from a pair of signatures that use the same m, we can compute m and k.

Their ECDSA code (used for HBC's network update function):

def generate_ecdsa(k, sha):
    # bytes_to_long, long_to_bytes, ec_G, ec_N and bn_inv come from the
    # slide's own EC helper module, which is not shown here
    k = bytes_to_long(k)
    e = bytes_to_long(sha)

    m = open("/dev/random", "rb").read(30)  # fresh random nonce for every signature

    if len(m) != 30:
        raise Exception("Failed to get m")
    m = bytes_to_long(m) % ec_N

    r = (m * ec_G).x.tobignum() % ec_N  # R = (mG)_x
    kk = ((r * k) + e) % ec_N           # e + kR
    s = (bn_inv(m, ec_N) * kk) % ec_N   # S = (e + kR) / m
    r = long_to_bytes(r, 30)
    s = long_to_bytes(s, 30)
    return r, s


Sony's ECDSA code:

int GetRandomNumber()
{
    return 4; // chosen by fair dice roll.
              // guaranteed to be random
}
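As an added example (not fail0verflow's or Sony's code), here is ECDSA written in the notation of the slide above, over secp256k1 (an assumed choice; the constants are the standard ones), with the recovery step the slide describes: two signatures sharing the same nonce m give up m and then the private key k. The private key, hashes and the fixed nonce are constructed sample values.

```python
# Added example, not fail0verflow's or Sony's code: ECDSA in the notation above
# over secp256k1 (assumed curve; standard constants), showing why a fixed nonce
# m leaks m and then the private key k from any two signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # sanity check: G lies on y^2 = x^3 + 7

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (a = 0); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(s, pt):
    """Double-and-add scalar multiplication s*pt."""
    acc = None
    while s:
        if s & 1: acc = add(acc, pt)
        pt, s = add(pt, pt), s >> 1
    return acc

def sign(k, e, m):
    """R = (mG)_x, S = (e + kR)/m (mod N); m must be fresh for every signature."""
    R = mul(m, G)[0] % N
    return R, (e + k * R) * pow(m, -1, N) % N

def verify(Q, e, sig):
    """Standard check: ((e/S)G + (R/S)Q)_x == R, which is (mG)_x for a valid pair."""
    R, S = sig
    w = pow(S, -1, N)
    X = add(mul(e * w % N, G), mul(R * w % N, Q))
    return X is not None and X[0] % N == R

def recover_from_nonce_reuse(e1, sig1, e2, sig2):
    """Same m gives the same R; S1 - S2 = (e1 - e2)/m, so m and then k fall out."""
    (R1, S1), (R2, S2) = sig1, sig2
    if R1 != R2: raise ValueError("different R values: the nonces were not reused")
    m = (e1 - e2) * pow((S1 - S2) % N, -1, N) % N
    k = (S1 * m - e1) * pow(R1, -1, N) % N
    return m, k

# Constructed sample values: one private key, two hashes, one fixed nonce (4).
K_PRIV, M_REUSED, E1, E2 = 0x1234567890ABCDEF, 4, 0xAAAAAAAA, 0xBBBBBBBB
SIG1, SIG2 = sign(K_PRIV, E1, M_REUSED), sign(K_PRIV, E2, M_REUSED)
```

Both signatures verify against the public key mul(K_PRIV, G), share the same R, and recover_from_nonce_reuse(E1, SIG1, E2, SIG2) returns (M_REUSED, K_PRIV).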

With private keys you can
SIGN THINGS
[multipage=chaos conference "console hacking": 0verflow presentation (youtube video)]

part 1
[ame]https://www.youtube.com/watch?v=HEFMAP0mTvY[/ame]
part 2
[ame]https://www.youtube.com/watch?v=X8ohOy8_XO4&feature=related[/ame]
part 3
[ame]https://www.youtube.com/watch?v=84WI-jSgNMQ&feature=related[/ame]

03-16-2011, 02:18 PM #38
This is just a rehash of old data; it has been posted and reported on many times over. The videos of Fail0verflow's lecture are still available.


03-16-2011, 02:21 PM #39
kyskidz
Big Sister
Originally posted by cyberdoc:
This is just a rehash of old data; it has been posted and reported on many times over. The videos of Fail0verflow's lecture are still available.


I ain't seen it posted like this, I've added the videos, just thought I would post it for the people who didn't know about it
03-16-2011, 02:23 PM #40
Not complaining. You did a good job of organizing the data, and I did not -rep you or anything. Was just hoping it was new information.
03-16-2011, 02:26 PM #41
Aspire.
The future is in your hands
Nice detailed information man

03-16-2011, 03:44 PM #42
kyskidz
Big Sister
Originally posted by cyberdoc:
Not complaining. You did a good job of organizing the data, and I did not -rep you or anything. Was just hoping it was new information.


I know it's a bit old, but I didn't think a lot of people actually knew how they did it
03-16-2011, 04:44 PM #43
Nice job dude! Keep it up

03-16-2011, 05:26 PM #44
Swade
The Brain Named Its Self
Pretty Beast Thread Dude
03-16-2011, 05:27 PM #45
Mankins
You talkin to me?
LOL f**k sony
03-16-2011, 05:30 PM #46
I'm glad this tut is out, yes, thank you
