Cracking the PS3
January 25, 2010 11:13 AM

George Hotz started a blog chronicling his journey to a software-only PS3 crack. Despite tackling a platform that has held strong for three years, Hotz claimed to have gained read/write access to all system memory after five weeks. Although the PS3 actually ships with Linux support, these cracks circumvent the hypervisor that places strict restrictions on low-level hardware access. You may know Hotz as the geohot who released the first hardware iPhone jailbreak, added a software-only jailbreak for all iPhones and iPod Touches, and won multiple awards (pdf) at ISEF 2007 for building a working holographic display system while a senior in high school.
posted by d. z. wang (43 comments total) 9 users marked this as a favorite
 
It might be worth noting that the new slim Playstation 3s don't have Linux support anymore, so there's more of an incentive to crack the system now.
posted by ymgve at 11:16 AM on January 25, 2010 [1 favorite]


Burhanistan: I'd assume you'd need physical access to the machine though. I mean... do your machines allow you to boot from a (remote) USB drive?
posted by jock@law at 11:25 AM on January 25, 2010


Well, I'd say it's still TBD if this is a real pure-software hypervisor crack. That would of course be a BFD.
posted by GuyZero at 11:27 AM on January 25, 2010 [1 favorite]


Burhanistan, unless your virtual servers for some weird reason run on Playstation 3 hardware, you have nothing to fear from this.
posted by ymgve at 11:31 AM on January 25, 2010 [1 favorite]


Do the research-purposed PS3s come without the hypervisor? I know that the Cell processor is very popular among some researchers, but optimizing code within the hypervisor seems like a substantial restriction.
posted by a robot made out of meat at 11:31 AM on January 25, 2010


awards link is 404.
posted by kenko at 11:32 AM on January 25, 2010


This is not what I picture when you say the words "software only."
posted by rokusan at 11:33 AM on January 25, 2010


OK, kids? This is what "hacking" means.

This is not hacking.
Nor is this.
Or this, or this, or this.

Thank you.
posted by Ratio at 11:34 AM on January 25, 2010 [31 favorites]


The link says "Took 5 weeks, 3 in Boston, 2 here, very simple hardware cleverly applied, and some not so simple software." But it's not clear if he needed the hardware just to figure out how it worked and can go software only now. What the link claims he's looking for is the encryption keys, I guess so that others can sign software like it was a patch for the hypervisor.
posted by a robot made out of meat at 11:39 AM on January 25, 2010 [1 favorite]


Sheesh, my reaction was about the proof of concept, not exact configuration specifics here.

Burhanistan is correct to worry in that if this kid breaks one hypervisor then it's going to be very, very bad news for every other hypervisor out there. The devil is in the details though so I'm not going to worry until I see something concrete. It could be a bug in the Cell processor, it could be related to something on the periphery of the processor, it could be a lot of things that don't translate at all to x86 server architectures and Intel hypervisors. But, who knows?
posted by GuyZero at 11:42 AM on January 25, 2010


Spent today rigging this up. Soldered to the bridge side of the SPI and the Cell side of the SPI. Cut the traces. The FPGA passes through the pins while the switch is on. So I power up the system with the switch on, chip gets configured, then turn the switch off to connect the Cell SPI to my USB parallel adapter. Now it's just a matter of the PC side SPI software and figuring out a way to use the myriad LV1 registers available to me to map the hypervisor.

And my VCR still flashes "12:00"! What's the deal with that? AMIRITE? Who's with me.
posted by KevinSkomsvold at 11:43 AM on January 25, 2010 [6 favorites]


What the link claims he's looking for is the encryption keys,

Yeah, for all we know he's just looking for keys so he can flash a new bootloader or something which wouldn't so much be a hypervisor crack as a way to bypass the DRM on the bootloader.
posted by GuyZero at 11:43 AM on January 25, 2010


If he can get Matroska files to playback on the PS3 without transcoding, I'll bake him a cake. Also, NTFS support on external HDs, pretty please?
posted by porn in the woods at 11:43 AM on January 25, 2010 [6 favorites]


I'm kind of in awe every time someone cracks one of these locked-down systems. I can understand how someone might re-flash with a modified firmware, but these new cracks seem to require way, way more sophisticated code injection on a level I just can't comprehend.
posted by dunkadunc at 11:44 AM on January 25, 2010 [1 favorite]


Now it's just a matter of the PC side SPI software and figuring out a way to use the myriad LV1 registers

I'M IN UR BUS EATIN UR SIGNALZ
posted by GuyZero at 11:45 AM on January 25, 2010 [3 favorites]


Burhanistan, an exploit in one specific hypervisor is as relevant to other hypervisors as an Internet Explorer hole would be to Firefox. The flaws are in specific implementations, not the idea of a hypervisor in itself.
posted by ymgve at 11:46 AM on January 25, 2010 [1 favorite]


For reference, the Xbox 360 hypervisor was broken over three years ago, then quickly got patched by Microsoft.
posted by ymgve at 11:51 AM on January 25, 2010


Here's an absolutely fascinating video about how the Xbox 360 was cracked. The level of security in the hardware of the 360 is incredible, and the hack is pretty amazing too. If this interests you you really should check it out, although it's pretty technical. And long.

This guy hasn't published his hack yet. In the other thread I made a joke about the guy getting assassinated by the Yakuza, because that's totally the kind of thing that would happen in a Gibson novel, but I couldn't figure out a way to really work in a good Sprawl series reference.

I mean, the Yakuza play a big part in the novels, but obviously they play a big part in the real world as well.

Oh well, still pretty badass.
posted by delmoi at 11:53 AM on January 25, 2010 [9 favorites]


As someone who manages virtual servers, advances in hypervisor cracks like these fill me with professional dread more than they do gaming joy.

Well, just don't let people solder random FPGAs into your servers. Doesn't seem that hard.
posted by delmoi at 11:56 AM on January 25, 2010 [1 favorite]


Well, just don't let people solder random FPGAs into your servers. Doesn't seem that hard.

Sure, IN THEORY.
posted by GuyZero at 12:04 PM on January 25, 2010 [11 favorites]


If he can get Matroska files to playback on the PS3 without transcoding, I'll bake him a cake.

how's the transcoding on that, btw? I just got a ps3 recently, and a coworker hipped me to ps3mediaserver, which he says is basically an excellent way to watch matroskas on my tv, and he claims you don't notice any real quality degradation or framerate drops. I haven't tried it myself, yet.
posted by shmegegge at 12:21 PM on January 25, 2010


Yes, I'm running PS3 Enterprise for all web, mail, VPN, and domain infrastructure.

Okay, now I completely want this.
posted by rokusan at 12:22 PM on January 25, 2010


Ratio: "OK, kids? This is what "hacking" means."

Ha! I was about to link to your "Jawdropping feat of breadcraft" comment.
posted by brundlefly at 12:26 PM on January 25, 2010 [1 favorite]


how's the transcoding on that, btw?

For 90-odd percent of mkvs, mkv2vob unpacks and repacks a 1080p movie of 8-12 gigs in a few minutes on a pretty vanilla core2 box. It's not sit and watch it happen, but it's deeply painless. If it has to just do some audio conversion it takes a bit longer, maybe a half hour.
posted by ROU_Xenophobe at 12:31 PM on January 25, 2010


>OK, kids? This is what "hacking" means.

Here's another example. This 60-year-old is so good at hacking he hacked into somebody's online account without even trying.
posted by ekroh at 12:39 PM on January 25, 2010 [1 favorite]


...building a working holographic display system while a senior in high school.

Yeah well I managed to get Xxxxxx Xxxxxxx to have sex with me when I was a senior in high school... so there, nerd. You want me to check your oil?
posted by From Bklyn at 12:43 PM on January 25, 2010


We don't want to hear what you did in bed with Paris Hilton, OK?
posted by dunkadunc at 12:46 PM on January 25, 2010


This 60-year-old is so good at hacking he hacked into somebody's online account without even trying.

FTA: "Mr. Goldstein immediately called American Express’s customer service. 'I got a woman in India,' he said, 'I explained I’ve hacked into someone’s private account by mistake.'"

Goldstein, you say? GOLDSTEIN?

Hmmmm.
posted by Ratio at 12:48 PM on January 25, 2010 [1 favorite]


OK, kids? This is what "hacking" means.

This is not hacking.
Nor is this.
Or this, or this, or this.

Thank you.

posted by Ratio at 11:34 AM on January 25


I love how most of the examples are from BoingBoing, the site that MF loves to hate (though jessamyn is guest blogger over there right now).
posted by 445supermag at 1:05 PM on January 25, 2010


If he can get Matroska files to playback on the PS3 without transcoding, I'll bake him a cake.

how's the transcoding on that, btw?


Works pretty well - Gotsent on Windows is the way to go.

You can also use QuickTime Pro on a Mac to transcode to MP4 (works on about 3/4s of the MKV files I encounter).
posted by porn in the woods at 1:27 PM on January 25, 2010


rokusan: "This is not what I picture when you say the words "software only.""

Just speculating, since this is way over my head, but developing the hack probably needs more access than actually executing it. With the iPhone too, he started with a hardware jailbreak before developing a software one.
posted by d. z. wang at 1:39 PM on January 25, 2010


d. z. wang, this is a great post, and a huge improvement over your first attempt yesterday! Good job.

Also, I am in awe of geniuses like this guy, since my level of expertise with the PS3 includes occasionally turning it off instead of changing the disk like I intended. If it weren't for Resistance, Fall of Man, I'd be a total dud.
posted by misha at 1:55 PM on January 25, 2010


Re: rootkits for hypervisors, Rutkowska: Anti-Virus Software Is Ineffective which has been called into question (see references) by AMD and other security researchers. Rutkowska/Invisible Things blog, previously
posted by morganw at 2:33 PM on January 25, 2010


BBC coverage of George Hotz's PS3 hacking.
posted by porn in the woods at 4:04 PM on January 25, 2010


OK, kids? This is what "hacking" means.

Sure about that?
posted by dhartung at 4:56 PM on January 25, 2010


I'm less opposed to piracy on the PS3 as I am on the iPhone. Obviously, it must not hurt the game manufacturers that bad, or they wouldn't continue to release PC versions of games. And if a modchip is required, that will eliminate a huge chunk of would be pirates. If you are willing to open up your system, learn some electronics, and solder, perhaps you deserve free games.
Uh. That's not how it works. This kid is a fucktard.
posted by Dreamcast at 6:43 PM on January 25, 2010


But has he ever kissed a girl?
posted by bardic at 7:43 PM on January 25, 2010


Here's an absolutely fascinating video about how the Xbox 360 was cracked.

This is really interesting. The whole exploit is due to one assembly instruction using a word argument instead of a double-word.
posted by smackfu at 10:31 PM on January 25, 2010


Ratio: OK, kids? This is what "hacking" means.

That? That's not a hack. This is a hack.
posted by Pronoiac at 2:45 AM on January 26, 2010 [1 favorite]


Hacking? I only care for amazing feats of breadcraft these days, sorry.
posted by ersatz at 5:49 AM on January 26, 2010 [1 favorite]


Anything to get PrimeGrid working on my PS3 Slim. Like, getting banned from every online Sony service for eternity.
posted by spamguy at 7:37 AM on January 26, 2010


The hack has been released. Zip file here.
posted by Skorgu at 5:43 PM on January 26, 2010


So yeah, he has to glitch the bus to get it to take his bait. Still, it's better than nothing.
posted by GuyZero at 5:47 PM on January 26, 2010

