Cracking the PS3
January 25, 2010 11:13 AM Subscribe
George Hotz started a blog chronicling his journey to a software-only PS3 crack. Despite tackling a platform that has held strong for three years, Hotz claimed to have gained read/write access to all system memory after five weeks. Although the PS3 actually ships with Linux support, these cracks circumvent the hypervisor that places strict restrictions on low-level hardware access. You may know Hotz as the geohot who released the first hardware iPhone jailbreak, added a software-only jailbreak for all iPhones and iPod Touches, and won multiple awards (pdf) at ISEF 2007 for building a working holographic display system while a senior in high school.
Burhanistan: I'd assume you'd need physical access to the machine though. I mean... do your machines allow you to boot from a (remote) USB drive?
posted by jock@law at 11:25 AM on January 25, 2010
Well, I'd say it's still TBD if this is a real pure-software hypervisor crack. That would of course be a BFD.
posted by GuyZero at 11:27 AM on January 25, 2010 [1 favorite]
Burhanistan, unless your virtual servers for some weird reason run on Playstation 3 hardware, you have nothing to fear from this.
posted by ymgve at 11:31 AM on January 25, 2010 [1 favorite]
Do the research-purposed PS3's come without the hypervisor? I know that the cell processor is very popular among some researchers, but optimizing code within the hypervisor seems like a substantial restriction.
posted by a robot made out of meat at 11:31 AM on January 25, 2010
This is not what I picture when you say the words "software only."
posted by rokusan at 11:33 AM on January 25, 2010
OK, kids? This is what "hacking" means.
This is not hacking.
Nor is this.
Or this, or this, or this.
Thank you.
posted by Ratio at 11:34 AM on January 25, 2010 [31 favorites]
The link says Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software. But it's not clear if he needed the hardware just to figure out how it worked and can go software only now. What the link claims he's looking for is the encryption keys, I guess so that others can sign software like it was a patch for the hypervisor.
posted by a robot made out of meat at 11:39 AM on January 25, 2010 [1 favorite]
Sheesh, my reaction was about the proof of concept, not exact configuration specifics here.
Burhanistan is correct to worry in that if this kid breaks one hypervisor then it's going to be very, very bad news for every other hypervisor out there. The devil is in the details though so I'm not going to worry until I see something concrete. It could be a bug in the Cell processor, it could be related to something on the periphery of the processor, it could be a lot of things that don't translate at all to x86 server architectures and Intel hypervisors. But, who knows?
posted by GuyZero at 11:42 AM on January 25, 2010
Spent today rigging this up. Soldered to the bridge side of the SPI and the Cell side of the SPI. Cut the traces. The FPGA passes through the pins while the switch is on. So I power up the system with the switch on, chip gets configured, then turn the switch off to connect the Cell SPI to my USB parallel adapter. Now it's just a matter of the PC side SPI software and figuring out a way to use the myriad LV1 registers available to me to map the hypervisor.
And my VCR still flashes "12:00"! What's the deal with that? AMIRITE? Who's with me.
posted by KevinSkomsvold at 11:43 AM on January 25, 2010 [6 favorites]
What the link claims he's looking for is the encryption keys,
Yeah, for all we know he's just looking for keys so he can flash a new bootloader or something which wouldn't so much be a hypervisor crack as a way to bypass the DRM on the bootloader.
posted by GuyZero at 11:43 AM on January 25, 2010
If he can get Matroska files to playback on the PS3 without transcoding, I'll bake him a cake. Also, NTFS support on external HDs, pretty please?
posted by porn in the woods at 11:43 AM on January 25, 2010 [6 favorites]
I'm kind of in awe every time someone cracks one of these locked-down systems. I can understand how someone might re-flash with a modified firmware, but these new cracks seem to require way, way more sophisticated code injection on a level I just can't comprehend.
posted by dunkadunc at 11:44 AM on January 25, 2010 [1 favorite]
Now it's just a matter of the PC side SPI software and figuring out a way to use the myriad LV1 registers
I'M IN UR BUS EATIN UR SIGNALZ
posted by GuyZero at 11:45 AM on January 25, 2010 [3 favorites]
Burhanistan, an exploit in one specific hypervisor is as relevant to other hypervisors as an Internet Explorer hole would be to Firefox. The flaws are in specific implementations, not the idea of a hypervisor in itself.
posted by ymgve at 11:46 AM on January 25, 2010 [1 favorite]
For reference, the Xbox 360 hypervisor was broken over three years ago, then quickly got patched by Microsoft.
posted by ymgve at 11:51 AM on January 25, 2010
Here's an absolutely fascinating video about how the Xbox 360 was cracked. The level of security in the hardware of the 360 is incredible, and the hack is pretty amazing too. If this interests you you really should check it out, although it's pretty technical. And long.
This guy hasn't published his hack yet. In the other thread I made a joke about the guy getting assassinated by the Yakuza, because that's totally the kind of thing that would happen in a Gibson novel, but I couldn't figure out a way to really work in a good Sprawl series reference.
I mean, the Yakuza play a big part in the novels, but obviously they play a big part in the real world as well.
Oh well, still pretty badass.
posted by delmoi at 11:53 AM on January 25, 2010 [9 favorites]
As someone who manages virtual servers, advances in hypervisor cracks like these fill me with professional dread more than they do gaming joy.
Well, just don't let people solder random FPGAs into your servers. Doesn't seem that hard.
posted by delmoi at 11:56 AM on January 25, 2010 [2 favorites]
Well, just don't let people solder random FPGAs into your servers. Doesn't seem that hard.
Sure, IN THEORY.
posted by GuyZero at 12:04 PM on January 25, 2010 [12 favorites]
If he can get Matroska files to playback on the PS3 without transcoding, I'll bake him a cake.
how's the transcoding on that, btw? I just got a ps3 recently, and a coworker hipped me to ps3mediaserver, which he says is basically an excellent way to watch matroskas on my tv, and he claims you don't notice any real quality degradation or framerate drops. I haven't tried it myself, yet.
posted by shmegegge at 12:21 PM on January 25, 2010
Yes, I'm running PS3 Enterprise for all web, mail, VPN, and domain infrastructure.
Okay, now I completely want this.
posted by rokusan at 12:22 PM on January 25, 2010
Ratio: "OK, kids? This is what "hacking" means."
Ha! I was about to link to your "Jawdropping feat of breadcraft" comment.
posted by brundlefly at 12:26 PM on January 25, 2010 [1 favorite]
how's the transcoding on that, btw?
For 90-odd percent of mkvs, mkv2vob unpacks and repacks a 1080p movie of 8-12 gigs in a few minutes on a pretty vanilla core2 box. It's not sit and watch it happen, but it's deeply painless. If it has to just do some audio conversion it takes a bit longer, maybe a half hour.
posted by ROU_Xenophobe at 12:31 PM on January 25, 2010
>OK, kids? This is what "hacking" means.
Here's another example. This 60-year-old is so good at hacking he hacked into somebody's online account without even trying.
posted by ekroh at 12:39 PM on January 25, 2010 [1 favorite]
...building a working holographic display system while a senior in high school.
Yeah well I managed to get Xxxxxx Xxxxxxx to have sex with me when I was a senior in High School... so there, nerd. You want me to check your oil?
posted by From Bklyn at 12:43 PM on January 25, 2010
We don't want to hear what you did in bed with Paris Hilton, OK?
posted by dunkadunc at 12:46 PM on January 25, 2010
This 60-year-old is so good at hacking he hacked into somebody's online account without even trying.
FTA: "Mr. Goldstein immediately called American Express’s customer service. 'I got a woman in India,' he said, 'I explained I’ve hacked into someone’s private account by mistake.'"
Goldstein, you say? GOLDSTEIN?
Hmmmm.
posted by Ratio at 12:48 PM on January 25, 2010 [1 favorite]
OK, kids? This is what "hacking" means.
This is not hacking.
Nor is this.
Or this, or this, or this.
Thank you.
posted by Ratio at 11:34 AM on January 25
I love how most of the examples are from BoingBoing, the site that MF loves to hate (though jessamyn is guest blogger over there right now).
posted by 445supermag at 1:05 PM on January 25, 2010
If he can get Matroska files to playback on the PS3 without transcoding, I'll bake him a cake.
how's the transcoding on that, btw?
Works pretty well - Gotsent on Windows is the way to go.
You can also use QuickTime Pro on a Mac to transcode to MP4 (works on about 3/4s of the MKV files I encounter).
posted by porn in the woods at 1:27 PM on January 25, 2010
rokusan: "This is not what I picture when you say the words "software only.""
Just speculating, since this is way over my head, but developing the hack probably needs more access than actually executing it. With the iPhone too, he started with a hardware jailbreak before developing a software one.
posted by d. z. wang at 1:39 PM on January 25, 2010
d. z. wang, this is a great post, and a huge improvement over your first attempt yesterday! Good job.
Also, I am in awe of geniuses like this guy, since my level of expertise with the PS3 includes occasionally turning it off instead of changing the disk like I intended. If it weren't for Resistance, Fall of Man, I'd be a total dud.
posted by misha at 1:55 PM on January 25, 2010
Re: rootkits for hypervisors, Rutkowska: Anti-Virus Software Is Ineffective which has been called into question (see references) by AMD and other security researchers. Rutkowska/Invisible Things blog, previously
posted by morganw at 2:33 PM on January 25, 2010
BBC coverage of George Hotz's PS3 hacking.
posted by porn in the woods at 4:04 PM on January 25, 2010
OK, kids? This is what "hacking" means.
Sure about that?
posted by dhartung at 4:56 PM on January 25, 2010
I'm less opposed to piracy on the PS3 as I am on the iPhone. Obviously, it must not hurt the game manufacturers that bad, or they wouldn't continue to release PC versions of games. And if a modchip is required, that will eliminate a huge chunk of would be pirates. If you are willing to open up your system, learn some electronics, and solder, perhaps you deserve free games.
Uh. That's not how it works. This kid is a fucktard.
posted by Dreamcast at 6:43 PM on January 25, 2010
Here's an absolutely fascinating video about how the Xbox 360 was cracked.
This is really interesting. The whole exploit is due to one assembly instruction using a word argument instead of a double-word.
posted by smackfu at 10:31 PM on January 25, 2010
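The root cause smackfu summarizes, a bounds check performed at a narrower width than the value the lookup actually uses, is a general bug class. The following is an added illustration written for this thread, not code from the video, the thread, or any console firmware: a constructed four-entry dispatch table, a check that models a word-sized compare on a 64-bit index beside the full-width check, and a function that reports when the two disagree. The handler names, table and probe value are all made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed dispatch table of four handlers (illustrative only). */
#define TABLE_SIZE 4u

static int handler_0(void) { return 0; }
static int handler_1(void) { return 10; }
static int handler_2(void) { return 20; }
static int handler_3(void) { return 30; }

static int (*const dispatch[TABLE_SIZE])(void) = {
    handler_0, handler_1, handler_2, handler_3,
};

/* Models a bounds check done with a word-sized (32-bit) compare while the
 * index register is 64 bits wide: only the low half of the value is examined,
 * so anything in the upper half is invisible to the check. */
int truncated_check_accepts(uint64_t idx)
{
    uint32_t low = (uint32_t)idx;   /* the "word" the compare sees */
    return low < TABLE_SIZE;        /* 1 = index passes the check */
}

/* The corrected form compares the full 64-bit value that the lookup uses. */
int full_check_accepts(uint64_t idx)
{
    return idx < TABLE_SIZE;
}

/* Returns 1 when the truncated check passes an index that the full-width
 * table lookup would then use out of range, i.e. check and use disagree.
 * This is the property a reviewer or a unit test should look for. */
int index_escapes_table(uint64_t idx)
{
    return truncated_check_accepts(idx) && !full_check_accepts(idx);
}

/* Dispatcher built on the full-width check; -1 means the index was rejected.
 * The table is only indexed after the check on the same-width value. */
int safe_dispatch(uint64_t idx)
{
    if (!full_check_accepts(idx))
        return -1;
    return dispatch[idx]();
}

int main(void)
{
    /* Constructed probe: low word is 2 (in range), high word is nonzero. */
    uint64_t probe = 0x100000002ULL;

    printf("truncated check accepts 0x%llx: %d\n",
           (unsigned long long)probe, truncated_check_accepts(probe));
    printf("full check accepts 0x%llx: %d\n",
           (unsigned long long)probe, full_check_accepts(probe));
    printf("check/use disagree: %d\n", index_escapes_table(probe));
    printf("safe_dispatch(2) = %d, safe_dispatch(probe) = %d\n",
           safe_dispatch(2), safe_dispatch(probe));
    return 0;
}
```

The point of `index_escapes_table` is that the defect is not visible from either check alone; it is the mismatch between the width at which a value is validated and the width at which it is consumed. Reviewing a dispatcher for that mismatch (or fuzzing it with indices whose upper bits are set) catches the class without needing to know any specific instruction encoding.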
Ratio: OK, kids? This is what "hacking" means.
That? That's not a hack. This is a hack.
posted by Pronoiac at 2:45 AM on January 26, 2010 [1 favorite]
Hacking? I only care for amazing feats of breadcraft these days, sorry.
posted by ersatz at 5:49 AM on January 26, 2010 [1 favorite]
Anything to get PrimeGrid working on my PS3 Slim. Like, getting banned from every online Sony service for eternity.
posted by spamguy at 7:37 AM on January 26, 2010
So yeah, he has to glitch the bus to get it to take his bait. Still, it's better than nothing.
posted by GuyZero at 5:47 PM on January 26, 2010
This thread has been archived and is closed to new comments
posted by ymgve at 11:16 AM on January 25, 2010 [1 favorite]