L ß - PSX Scene

More documents

Recommendations

Info

Security architecture Two custom processors PowerPC 750CL "Broadway": Fast and insecure No OS! Games run on "bare metal". Fast and cheap. Hollywood: ATI Graphics, peripherals, memory, "IO Bridge" IO Bridge is a NEC ARM926 SoC: "Starlet" Runs a custom microkernel OS ("IOS") written by BroadOn Many features and drivers: Security and software DRM Drivers for DVD, SD, WiFi, USB, ... HTTP, SMTP, SSL, Bytecode VM ("CHANS") Runs while console is "off" All code is signed and authenticated by IOS All abstracted out - IOS is hidden behind APIs Secure Boot process Code is booted directly from an internal 512MB NAND Flash chip boot0: small (1.5k) bootloader mask ROM in Hollywood boot1: 2nd-stage loader (17k) in flash Verified against a factory-burned hash boot2: main loader (160k) in flash (mini IOS) IOS: ARM code (2MB) read from flash filesystem, running on Starlet Menu: PPC code read from flash filesystem, and pushed to Broadway boot2, IOS, Menu are signed using RSA Multi-stage process reduces cost and increases flexibility Software titles Case3:11-cv-00167-SI Document4 Filed01/11/11 Page68 of 282 1/9/2011 Console Hacking 2008: Wii Fail Channels, Games, WiiWare, System software are all titles A signed package of software, identified by a TitleID TMD: Title MetaData signs and describes the contents Contains SHA-1 hashes of the content files Permissions, group IDs, region locking eTicket: Your license to use the title (the key) Contains the encrypted AES key used to decrypt the title on installation The master key is stored in OTP ROM and hard to extract May contain time limits TMD and eTicket are signed using RSA-2048 eTickets may be specific to one console marcansoft.com/…/25c3_console_hac… 2/9
Wii Optical Discs (WODs) IOS Modified DVD format (with physical anti-duplication measures) Discs contain multiple partitions (update, game) Partition data is encrypted using AES (and the eTicket key) Each block is hashed using SHA-1 A hash tree traces each block to a master hash All data and game assets are signed and encrypted this way! The "root" signature is in the TMD The encryption key is in the eTicket Custom micro-kernel OS designed by BroadOn (California) handles most I/O to Broadway talks to Broadway via an IPC interface provides high-level network API decryption / authentication of Broadway's code enforces POSIX-like FS permissions Games (Title IDs) are users, vendors are groups IOS tracks the current permissions of Broadway Broadway can't see system files Starlet controls Broadway boot and memory limits Modular architecture - modules run as isolated userspace processes Kernel runs on internal SRAM, userspace uses the top 12MB of MEM2 Broadway can't use this area (it's protected) All in all, this is a pretty secure system. Breaking in: GameCube Mode GameCube software is totally unsigned, but runs in a sandbox The DVD drive is similar to the GameCube's Outsourced to Matshita GameCube drivechips were easily "ported" to the Wii Wii game piracy Case3:11-cv-00167-SI Document4 Filed01/11/11 Page69 of 282 1/9/2011 Console Hacking 2008: Wii Fail GameCube homebrew possible via GC mode discs But sandboxed, no IOS running, no Wii features Wii always boots first into native mode, then reboots into GameCube mode GameCube mode uses the first 16MB of MEM2 (as ARAM) Hack: Tweezer Attack! Upper 48MB is not cleared when entering GameCube mode Hardware register prevents Broadway from accessing memory Address lines of DRAM chip can be manipulated with hardware Possible to temporarily move 16MB "window" throughout DRAM marcansoft.com/…/25c3_console_hac… 3/9
Page 1 and 2:
0/;:: l ß"' 1 KILPATRICK TOWNSEND
Page 3 and 4:
Case3:11-cv-00167-SI Document4 File
Page 5 and 6:
Page 7 and 8:
PS3 Software Piracy Begins as First
Page 9 and 10:
PS3 Software Piracy Begins as First
Page 11 and 12:
Page 13 and 14:
fail0verflow (fail0verflow) on Twit
Page 15 and 16:
fail0verflow (fail0verflow) on Twit
Page 17 and 18: fail0verflow (fail0verflow) on Twit
Page 19 and 20: PlayStation 3 hack - how it happene
Page 21 and 22: PlayStation 3 hack - how it happene
Page 23 and 24: Case3:11-cv-00167-SI Document4 File
Page 25 and 26: git.fail0verflow.com Git - ps3tools
Page 27 and 28: git.fail0verflow.com Git - noralize
Page 31 and 32: Project Jerry 7, 2008 Our congratul
Page 33 and 34: 1/9/2011 xyzzy HackMii Notes from i
Page 35 and 36: 1/9/2011 xyzzy 5 SageChaozu // Jul
Page 37 and 38: 1/9/2011 xyzzy P.S. Bushing your op
Page 45 and 46: 1/9/2011 xyzzy close Galleries of b
Page 47 and 48: 1/9/2011 Keys, keys, keys. HackMii
Page 49 and 50: 1/9/2011 Keys, keys, keys. needs to
Page 51 and 52: 1/9/2011 Keys, keys, keys. other th
Page 59 and 60: 1/9/2011 Keys, keys, keys. close Ca
Page 63 and 64: Post a Reply Posted 899 days ago 0
Page 67: Console Hacking 2008: Wii Fail Is i
Page 71 and 72: Signatures All RSA signature compar
Page 73 and 74: 1/9/2011 Console Hacking 2008: Wii
Page 75 and 76: 1/9/2011 Console Hacking 2008: Wii
Page 79 and 80: 1/9/2011 Wii: Hardware, seguridad,
Page 83 and 84: Títulos Case3:11-cv-00167-SI Docum
Page 85 and 86: El eTicket El eTicket nos da acceso
Page 87 and 88: IOS Case3:11-cv-00167-SI Document4
Page 91 and 92: Twiizer Attack Case3:11-cv-00167-SI
Page 93 and 94: Twilight Hack Case3:11-cv-00167-SI
Page 103 and 104: 1/9/2011 Dev-Team Blog - Search res
Page 109 and 110: Reply Reply Reply gametheory 44p ·
Page 111 and 112: 1/9/2011 Case3:11-cv-00167-SI Dev-T
Page 115 and 116: Hector Martin (marcan42) on Twitter
Page 117 and 118: Hector Martin (marcan42) on Twitter
Page 119 and 120:
Hector Martin (marcan42) on Twitter
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
ushing (gnihsub) on Twitter http://
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
pytey (pytey) on Twitter http://twi
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Page 229 and 230:
Page 231 and 232:
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
also @ TechSpot: Tech Tip: Customiz
Page 243 and 244:
trillionsin on January 5, 2011 11:3
Page 245 and 246:
Page 247 and 248:
Geohot: Here is your PS3 Root Key!
Page 249 and 250:
Geohot: Here is your PS3 Root Key!
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
*Maximus AVR USB *Acekard2i *modbo
Page 259 and 260:
Burberry Carlton Haymarket Notebook
Page 261 and 262:
Page 263 and 264:
5 January 2011 Last updated at 20:1
Page 265 and 266:
Page 267 and 268:
Page 269 and 270:
Page 271 and 272:
Comment: Re:Same private key? (Scor
Page 273 and 274:
1/10/2011 Case3:11-cv-00167-SI Docu
Page 275 and 276:
Page 277 and 278:
1/10/2011 Slashdot bushing (11) pri
Page 279 and 280:
1/10/2011 Slashdot bushing (11) Com
Page 281 and 282:
show all

L ß - PSX Scene

Create successful ePaper yourself

Delete template?

Save as template?