PS3 finally hacked?

By Vandalsquad
in PlayStation

 Share

Recommended Posts

Grand Master

+Audioboxer Subscriber²

Posted
  • Subscriber²
Posted
Whenever you insert a disc (bluray one that is) the ps3 drive will look at a special area of the disc called the Pic Zone (the BD ROM Mark is actually used in movie discs but not in game unlike what I first thought).

The PIC Zone which stands for Permanent Information & Control data Zone contains informations/data related to the disc's authentication which is done by the playstation 3 bluray drive. This area cannot easily be dumped (you'd pretty much need a bluray drive with a hacked firmware) and of course that specific area cannot be burned on any kind of discs or with any kind of burners commercially available.

There is no absolute certainty to what data the PIC zone actually contains, I initially thought that Sony would use a public/private cryptography cypher to authenticate the discs but that is quite unlikely considering the limited resources of the drive controller. There isn't any kind of hard cryptographic layer on the discs as I first expected, so the security on the discs themselves is much less invasive as I initially thought. Yet the fact that the PIC zone can't be rewitten without any kind of special equipment (basically a bluray discs factory) does its job well when it comes to preventing backups.

The authentication procedure itself is done through the use of a per bluray drive key pair, one being located on the drive controller itself while the other is stored encrypted in the playstation 3's EID area located on NAND. This key is also used while updating the drive which firmware's will be physically re-encrypted using that very same key and stored that way. As such you cannot swap a drive controller board from one ps3 to another, at least on earlier "fat" models. I have no idea if the drives are still paired with unique keys on the newer "slim" systems, though I do not know why it would be done another way. This also means that physically dumping the drive's firmware would lead nowhere with it being stored in an encrypted form. The only way to get a plain version of it would be to dump the drive controller's ram at runtime. Beside although I am not entirely sure about this, it is very unlikely that a command exists to read the firmware from the drive, should it exist, the dumped binary would still be encrypted, thus connecting the drive to a computer (the ps3 slim bluray drive uses a regular SATA or PATA bus depending on the model) literally leads nowhere..

Finally once the authentication procedure is done, there is another protection which happens to be a per sector software cryptographic layer, which I have the algorithm for (but which I can't share because I wasn't the one that initially reversed it) that cryptographic layer is the very same used on playstation 3 master discs as on retail ones with the exception of the key being used, masterdiscs are identified through their special masterdisc sectors locted at offset 0x7000 (sector 14) on the disc. The encryption itself is done in sector ranges rather than files, where the key for each sector is defined by the address of the said sector in correlation with an initial static key, on retail discs, there is a per disc key located at offset 0x800 on the disc with a header composed of "Playstation3" and the discs' title id such as "PlayStation3 BCES-00141" I assume that this key is in encrypted format and likely decrypted through lv2 by appldr.

The software cryptographic layer is done in such way that the disc sectors will be transparently decrypted so long as you are running a game or a playstation 3 application, this explains how easy it is to dump a disc's content whenever you can run playstation3 code on top of lv2.

The EBOOT.BIN as well as other self and sprx binaries themselves aren't tied to the disc's encryption, however their metadata may contain specific flags (in fact the ones on game discs always do) that will prevent them from being loaded from anywhere other than an authenticated disc (masterdiscs != authenticated discs) This would explain why someone on a debug console for instance can't just grab the games' binaries, put them on a masterdisc and hope for the game to just play. Other flags are being involved such as a "no debug" flag that will pretty much prevent you from loading your binary into sony's debugger.

Because the binaries on the discs still have to be signed as they are verified and decrypted by appldr, in the event that you would somewhat trick the drive into thinking that your disc is a genuine playstation 3 disc, you could still not have your own fself ("fake" secure elf, complied with Sony's sdk) in there and get it to run, thus this would never lead to homebrews no matter what some clueless people may claim about it.

Source: http://lan.st/showthread.php?t=1722

Veteran

CentralDogma

Posted
Posted

I assume he's talking about hacking drive firmwares and not the PS Jailbreak?

Just FYI to everyone: The thread mentioned in to OP has been a great source of news, but I've been skipping most of the comments in it except for the ones with links in them.

Also these blogs have been relatively well updated by PS3 developers:

Grand Master

DPyro

Posted
Posted

Chat on IRC :ninja: (Also posted some info on his twitter)

<Mathieulh> what you want to look for is at the same place the jig auth happens

<Mathieulh> the jig auth is a challenge/response

<Mathieulh> and the code that does the actual auth is very well hidden

<Mathieulh> and also you can't dump it without lv1 privs

<comex_> one thing: how high privileges does the exploit you're thinking of give?

<Mathieulh> let's say it's not quite lv1 privs but it's high enough for you to patch lv2 and load it

<Mathieulh> you can also make use of all the hypercalls

<Mathieulh> and you can talk to syscon and set fancy flags

<Mathieulh> so yeah it's higher than we need it to be

Grand Master

+Audioboxer Subscriber²

Posted
  • Subscriber²
Posted
While we are all up and excited about PSJailbreak (PSjb), there might be a risk on playing with PSjb on PSN. According to SKFUand RichDevX, the Backup manager game ID (LAUN-12345) could be logged/recorded by Sony when logged into PSN (when online). This would obviously allow Sony to see who would be using the illegal PSjb/clone and we could very well see ban waves similar to the Xbox 360. Sony does currently ban PSN/consoles that results in the 8002A227 error code.

As people start getting their PSjb in the next few week, we highly advise that you do not log into PSN while using the backup manager, which means no playing online.

Stay tuned for the latest development on PS Jailbreak.

http://www.ps3hax.net/2010/08/psjailbreak-detectable-and-bannable-on-psn/

Veteran

SkyDX

Posted
Posted

Not that I'm pro illegal behavior but I like to speculate about tech stuff^^

Wouldn't it be easy to unban a PS3 as opposed to a 360? From what I got, unless your hacked 360 is JTagged, you have virtually no access to the core system making modifications impossible.

DPyro quoted Mathieulh who said we got pretty high system privileges, so if the privileges are possibly high enough to flash internal stuff, couldn't one simply alter the PS3s MAC address?

Assuming Sony even uses it to ban consoles of course.

Grand Master

Intersect

Posted
Posted

Not that I'm pro illegal behavior but I like to speculate about tech stuff^^

Wouldn't it be easy to unban a PS3 as opposed to a 360? From what I got, unless your hacked 360 is JTagged, you have virtually no access to the core system making modifications impossible.

DPyro quoted Mathieulh who said we got pretty high system privileges, so if the privileges are possibly high enough to flash internal stuff, couldn't one simply alter the PS3s MAC address?

Assuming Sony even uses it to ban consoles of course.

Iam sure Sony were clever enough to keep a record of every ps3's MAC addres's they sell to the public so spoofing it with a fake one

would not allow you to log onto PSN.

Grand Master

+Audioboxer Subscriber²

Posted
  • Subscriber²
Posted

Not that I'm pro illegal behavior but I like to speculate about tech stuff^^

Wouldn't it be easy to unban a PS3 as opposed to a 360? From what I got, unless your hacked 360 is JTagged, you have virtually no access to the core system making modifications impossible.

DPyro quoted Mathieulh who said we got pretty high system privileges, so if the privileges are possibly high enough to flash internal stuff, couldn't one simply alter the PS3s MAC address?

Assuming Sony even uses it to ban consoles of course.

You can change the 360's as well, but you need an address of an unbanned 360 anyway, meaning you somehow need to acquire another unbanned 360.

It'll be interesting to see if Sony ban PSN accounts, they've already done so for abuse in Home. Yeah yeah accounts are free but get your main banned and you lose all your downloads/trophies.

If they can ban in home I'm pretty sure they can ban for illegally using their stolen dev keys.

Proficient

The Guvnor

Posted
Posted

I modifies Sony Ericsson phone. I can flash it too. I can modify internal system files. A lot people can do that too. But none managed to modify the IMEI.

Maybe same goes to the ps3?

What was that all about ? Can i have some of that whatever it is that you are drinking ?

Grand Master

AbandonedTrolley

Posted
Posted

What was that all about ? Can i have some of that whatever it is that you are drinking ?

The fact that people have managed to previously flash Sony products but never been able to hide the actual unique identifier maybe?

Grand Master

DrunknMunky Veteran

Posted
  • Veteran
Posted

The authentication procedure itself is done through the use of a per bluray drive key pair, one being located on the drive controller itself while the other is stored encrypted in the playstation 3's EID area located on NAND. This key is also used while updating the drive which firmware's will be physically re-encrypted using that very same key and stored that way. As such you cannot swap a drive controller board from one ps3 to another, at least on earlier "fat" models. I have no idea if the drives are still paired with unique keys on the newer "slim" systems, though I do not know why it would be done another way. This also means that physically dumping the drive's firmware would lead nowhere with it being stored in an encrypted form. The only way to get a plain version of it would be to dump the drive controller's ram at runtime. Beside although I am not entirely sure about this, it is very unlikely that a command exists to read the firmware from the drive, should it exist, the dumped binary would still be encrypted, thus connecting the drive to a computer (the ps3 slim bluray drive uses a regular SATA or PATA bus depending on the model) literally leads nowhere..

Pretty much the exact process in the 360 flashing then. I wouldn't be so sure on it leading nowhere, it seems that the actual cryptographic layer on the software sectors will be harder to crack. Which would explain why Team Jungle announced last week they were joining forces with Team Hades. 360 dvd keys are encrypted too when they're dumped and they managed to decrypt them.

You can change the 360's as well, but you need an address of an unbanned 360 anyway, meaning you somehow need to acquire another unbanned 360.

You don't actually need to have access to another 360, physically. People sell them online.

Veteran

SkyDX

Posted
Posted

I just thought of something else, maybe I think too much PSP here but:

"Assuming we get all high access privileges, couldn't we simply store a modified firmware on the PS3s HDD with all online functions stripped out? We then could boot this FW for all our homebrew needs and if we want to play online we simply boot back to the original NAND firmware? Unless they scan the actual HDDs I doubt Sony could detect this."

Just a theory out of my mind inspired by the old PSP DevHook days^^

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • what other retro software do yall use

      By goretsky · Posted

      Hello, Also known for https://www.theguardian.com/technology/2009/jan/29/adware-internet.   Regards, Aryeh Goretsky    
    • You pay just $100 per TB with this rare 4TB PCIe Gen4 NVMe SSD deal

      By goretsky · Posted

      Hello, I have used a few TEAM Group SSDs, USB flash drives, and Micro SDXC cards in the past. They all seemed to work fine. Regards, Aryeh Goretsky
    • You pay just $100 per TB with this rare 4TB PCIe Gen4 NVMe SSD deal

      By vjlex · Posted

      "just $100 per TB"? Just? Are we trying to make this seem like the new normal? Kinda weird to make it sound like that is not a ridiculously expensive asking price.
    • Major Xbox layoffs may claim South of Midnight developer Compulsion entirely

      By qbrick · Posted

      The reviews you refer to mean nothing. Where there is no journalism there is no reason to call the gaming media's opinion pieces "reviews". For GP games there is indeed a metric for success - increasing subscriptions. Which turns in revenue. The only circumstance in which subs do not rise when great is being released is a Game Pass system where the company is close to fully saturated with customers in a subscription. However, in that case as the theory goes you spend aplenty in all kind of games - from shady live service cash cows and customer offending agitprop crap in purple colours to robust and entertaining single player games. And keep a solid level of profitability. Ignoring the simply innocuous but mid games MGS has released primarily of the second kind.
    • Report: Microsoft to use AWS to help GitHub deal with a major surge in demand

      By pradeepviswav · Posted

      Report: Microsoft to use AWS to help GitHub deal with a major surge in demand by Pradeep Viswanathan Thanks to the surge of coding AI agents, GitHub's usage has skyrocketed over the past 12 months. To meet this demand, GitHub started with a plan in October 2025 to increase capacity by 10x. However, by early this year, the company realized that it needed 30x scale. This rapid growth has caused severe strain on the platform's reliability, resulting in several small outages over the past few months. In April, GitHub published a long blog post explaining the steps it is taking to resolve these reliability issues. In the post, the company also confirmed that it is working toward a multi-cloud architecture for better resilience. Today, Business Insider reported that GitHub is turning to Amazon Web Services to help deal with a major surge in AI-driven coding activity. It is important to note that GitHub is still in the process of moving completely to the Azure cloud. The current plan is to move the platform fully to Azure by 2027 so that it can scale better as per developer demand. Therefore, the current decision to utilize AWS might be part of a short-term plan to meet immediate demand. A Microsoft spokesperson confirmed that GitHub is using multiple cloud providers with the following statement: For Microsoft, the decision highlights the operational pressure behind the AI boom. GitHub has to stay reliable for developers at a time when rivals such as Codex, Cursor, Claude Code, and other AI coding tools are gaining attention. And the decision to use AWS for computing capacity seems practical given the circumstances.

  • Recent Achievements

    • Collaborator
      vjlex earned a badge
      Collaborator
    • Reacting Well
      Dys Topia earned a badge
      Reacting Well
    • Conversation Starter
      NovaEdgeX earned a badge
      Conversation Starter
    • One Year In
      Console General earned a badge
      One Year In
    • Week One Done
      Twozo Technologies earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      517
    2. 2
      +Edouard
      182
    3. 3
      PsYcHoKiLLa
      106
    4. 4
      Steven P.
      88
    5. 5
      ATLien_0
      68
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!