How the PS3 Hypervisor was hacked, now fully explained

Discussion in 'PS3 Game Ripping, Custom Mods' started by Zeus, Jan 28, 2010.

  1. 11,051
    0
    0
    Zeus

    Zeus MaxConsole News Team

    Joined:
    May 29, 2003
    Location:
    Athens
    Home Page:
    'Root Labs' has put up a fairly technical coverage on just how GeoHot managed to hack the PS3's Hypervisor. So if you're a bit of a tech-head or just curious, then the article is definitely worth a read.

    So here's their explanation of it, FULL CREDIT must be given to <a href="http://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/" target="_Blank">Rdist.root.org</a> for the feature article:

    How the PS3 hypervisor was hacked - Root Labs Explanation

    George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

    The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

    Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

    The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

    George’s hack compromises the hypervisor after booting Linux via the “OtherOS†feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

    His approach is clever and is known as a “glitching attack“. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

    George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to setup the RAM to give a higher likelihood of success than it would first appear.

    His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.

    The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.

    The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

    At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.

    The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

    It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.

    Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.

    It will be interesting to see how Sony responds with future updates to prevent this kind of attack.

    [Edit: corrected the description of virtual segment allocation based on a comment by geohot.]
     
  2. 1,791
    0
    0
    panyan1991

    panyan1991 Loyal Member

    Joined:
    Jul 31, 2006
    Occupation:
    God of all Knowledge
    Location:
    Not the US!
    interesting read, hopefully this can be used by a dev group to make something useable for us commoners!
     
  3. 749
    0
    0
    ok123

    ok123 Loyal Member

    Joined:
    Oct 5, 2007
    Great reading! :) Although that i dont understand too much of this technical stuff, i understand more now about how the hacking process around the PS3 is and i enjoyed reading this article as well :) Thanks for posting this article! :)
     
  4. 6,064
    0
    36
    saleem

    saleem Loyal Member

    Joined:
    Apr 10, 2006
    Location:
    bradford west yorkshire
    uh!this is way way beyond me,so all i gotta say is.

    if you say so!
    :)
     
  5. 3,798
    0
    0
    iLLNESS

    iLLNESS Loyal Member

    Joined:
    Aug 26, 2005
    Occupation:
    HV Industrial Electrician, Mechanic + Emergency Re
    Location:
    Canada
    i wouldnt hold my breath on ps3 homebrew.
    just look at how small the ps2 homebrew scene was (and slow paced at that) compared to the xbox.
    ps3 will likely be even slower. if developers have a hard enough time porting/creating stuff for the ps3, i somehow doubt random joe in his basement is going to pull of anything really worthwhile any time soon.
     
  6. 469
    0
    0
    picopir8

    picopir8 Loyal Member

    Joined:
    Mar 31, 2007
    Great read. My only question is if the hypervisor code can be flashed. I thought that was in rom. If so then sony will not be able to patch it.
     
  7. 26,553
    169
    63
    Xenogears V

    Xenogears V Senior Helper Staff Member Clean-Up Crew

    Joined:
    Dec 28, 2006
    Location:
    Italy Rulez! - Proud To Italian
    My poor english, can't me understand full test, but is really interesting. But, I think is wrong say all these information...Now Sony can cover the bugs faster...:confused:
     
  8. 33
    3
    0
    miller420

    miller420 Loyal Member

    Joined:
    Jul 20, 2003
    Home Page:
    Very nice read indeed.

    @iLLNESS. You are probably right, but this will open doors for the back-up scene. Maybe not a modified firmware for the drive anytime soon, but maybe playing games off hdd or usb device.

    @picopir8 If hypervisor is in rom then all consoles right now would be vulnerable. Sony could update the hypervisor in future consoles.
     
  9. 78
    0
    0
    darkmaster_101

    darkmaster_101 Loyal Member

    Joined:
    May 15, 2006
    Well the story seams to suggest that functions are added to the hyper visor (read and write memory)

    Now I will admit upfront that I don't know allot about the PS3's hardware, but unless these functions are only temporary (i.e till a reboot) the hypervisor can be programmed, even if it is ROM and not programmable if a hack can add functions to it you can bet Sony will do the same on boot and patch it each time the system starts.
     
  10. 75
    0
    0
    aduszonice

    aduszonice Loyal Member

    Joined:
    Aug 11, 2005
    Got some info from geohots blog:

    "A way has been found to run the exploit without glitching hardware (i.e. no fpga needed). It's an overflow bug now.
    Will update when more info comes out.
    A file will be released within the hour (a c file, of course). Oh and this works on all FW versions, supposedly."

    Hope its true...

    Farewell
    Aduszonice
     
  11. 33
    3
    0
    miller420

    miller420 Loyal Member

    Joined:
    Jul 20, 2003
    Home Page:
    @aduszonice WOW if it completely software not then whats preventing a linux "re"boot cd. :) wow awesome progress!
     
  12. 300
    0
    0
    technolust

    technolust Loyal Member

    Joined:
    Jun 15, 2007
    cant see what you have quoted on his blog.
     
  13. 56
    0
    0
    robcrazee

    robcrazee Loyal Member

    Joined:
    Dec 30, 2006
    This is good news and wasnt much into the ps3 scene but in a way it sounds like its structured like a normal ibm p-series box in a way so this will defo lead somewhere but security is defo gonna be tight i can say

    Rob
     
  14. 199
    0
    0
    twoboys

    twoboys Loyal Member

    Joined:
    Jan 28, 2006
    What's the link to the source of this new information? I can't seem to find anything about it?
     
  15. 19
    0
    0
    dvader2009

    dvader2009 Loyal Member

    Joined:
    Dec 15, 2008
    Perhaps if people didn't publish this information in the first place they wouldn't respond to "prevent" this kind of attack..
     
  16. 300
    0
    0
    technolust

    technolust Loyal Member

    Joined:
    Jun 15, 2007
    i searched his blog and looked for posts made around the same time as what was quoted by the maxconsole member here, i saw what was posted but its been removed from the blog, it was proberly just some punk kid trying to be clever. geohot would have announced it at the top of his silverplatter blog if there was a new way right?

    some guy who called him self hacker on geos blog has just deleted his posts the only thing i can find that sorta proves what was posted is a quote from
    January 28, 2010 3:19 PM
    Emsi said...
    "Sweet, word on the vine is that a way has been found to run the exploit without glitching hardware (i.e. no fpga needed). It's an overflow bug... :)"

    If that is ture it's probably a race condition than an overflow ;-)
    ....
    but as i have said the post that talked about not needing a FPGA has been removed. dont ya just hate it when kiddys chat rubish
     
    Last edited by a moderator: Jan 28, 2010
  17. 173
    0
    0
    ecsw

    ecsw Loyal Member

    Joined:
    Jun 19, 2006
    all hail to the king. I always thought DA would be the one who hacked PS3.

    Good job, GeoHot. And thanks Root Labs for translating it in English. :D
     
  18. 7,336
    1
    0
    ThreeDog

    ThreeDog Loyal Member

    Joined:
    Dec 4, 2008
    He probably read the above and decided to claim a full software exploit was released or coming shortly. I don't know that's my theory anyway.
     
  19. 0
    0
    0
    soussi

    soussi Guest

    I saw the comment of 'hacker' and after a short period he deletetd it and the comments of 'Toloratedmeat' were deleted too...

    I think its idd a kid that wants to fool us with 2 accouns or somehin...
     
  20. 75
    0
    0
    aduszonice

    aduszonice Loyal Member

    Joined:
    Aug 11, 2005
    Yeas it was this guay calling himself "hacker" who removed all his comments on the blog.

    I hope he was not just kidding.
    Well, one hour is over, but i do not see anything.

    Lets hope, an overflow would bring us a step closer to an really open ps3...
     

Share This Page