Console Hacking 2010
PS3 Epic Fail
bushing, marcan, segher, sven
27th Chaos Communication Congress
Wednesday, 29 December 2010
Who are we?
• In 2008 at 25c3 these teams worked together as 'WiiPhonies'
• We won the 25c3 CTF
• We changed our name to 'Fail 0verflow'
• Not trademark infringing
• The domain was available
• The ratio of fail to win is high.
We've been collaborating on various embedded and thought-expansive projects, the most famous of which, which hit the press earlier this year, was the full reconstruction of the $REDACTED, allowing $REDACTED to be completely broken; that was a fun couple of weeks.
Wii had a good run
• 3 years, 9 firmware updates, 1 real feature
• 73 million consoles, 30 million vulnerable bootloaders
• 1 million users of Homebrew Channel
Timeline, 2006 to 2011, one column per console (the year each event sits at is not preserved in the extracted text):
• Wii: Twiizer Attack, Twilight Hack, Homebrew Channel, Drivechips, Bannerbomb, Bannerbomb for 4.2, latest update broken, Indiana Pwns
• Xbox 360: Drive firmware hacked, King Kong Hack, JTAG Hack
• PS3: Slim w/o Linux released, Geohot's hack, Linux removed, Jailbreak, Downgrade, this talk :), OtherOS, RSX exploit
| Device | Year | Security | Hacked after | For | Effect |
|---|---|---|---|---|---|
| PS2 | 1999 | ? | ? | piracy | - |
| dbox2 | 2000 | signed kernel | 3 months | Linux | pay TV decoding |
| GameCube | 2001 | encrypted boot | 12 months | Homebrew | piracy |
| Xbox | 2001 | encrypted/signed bootup, signed executables | 4 months | Linux, Homebrew | piracy |
| iPod | 2001 | checksum | <12 months | Linux | - |
| DS | 2004 | signed/encrypted executables | 6 months | Homebrew | piracy |
| PSP | 2004 | signed bootup/executables | 2 months | Homebrew | piracy |
| Xbox 360 | 2005 | encrypted/signed bootup, encrypted/signed executables, encrypted RAM, hypervisor, eFuses | 12 months | Linux, Homebrew | leaked keys |
| PS3 | 2006 | encrypted/signed bootup, encrypted/signed executables, hypervisor, eFuses, isolated SPU | not yet | - | - |
| Wii | 2006 | encrypted bootup | 1 month | Linux | piracy |
| AppleTV | 2007 | signed bootloader | 2 weeks | Linux, Front Row | piracy |
| iPhone | 2007 | signed/encrypted bootup/executables | 11 days | Homebrew, SIM-Lock | piracy |
| iPad | 2010 | signed/encrypted bootup/executables | 1 day | Homebrew | piracy |

Overlaid on the PS3 row in the final build of this slide: "4 years", "Homebrew", "Piracy", "piracy", "hacked after it was closed", "12 months".
PS3 Architecture
The Cell Broadband Engine
Source: IBM
SPU Isolation
Source: IBM
Figure axis labels (SPU local store offsets): 0x00000, 0x3e000, 0x40000
Privilege layers as stacked on the slide, top to bottom:
• SPU
• LV1 / Hypervisor
• LV2 / GameOS
• Problem State / Games
Boot chain, in the order the slide builds it up:
metldr → lv0ldr → lv0 → metldr / lv1ldr → lv1 → metldr / lv2ldr → lv2
BROKEN BROKEN
Security feature comparison. The slide's columns are Xbox, Wii, 360, PS3; only the number of check marks per row survives in the extracted text, not which consoles carry them.

| Feature | Checks |
|---|---|
| On-die bootROM | ✓ ✓ ✓ ✓ |
| On-die key storage | ✓ ✓ |
| Public-key crypto | ✓ ✓ ✓ ✓ |
| Chain of trust | ✓ ✓ ✓ |
| Per-console keys | ✓ ✓ ✓ |
| Signed executables | ✓ ✓ ✓ |
| Security coprocessor | ✓ ✓ |
| Full media encryption and signing | ✓ |
| Encrypted storage | ✓ ✓ |
| Self-signed storage | ✓ |
| Memory encryption/hashing | ✓ |
| Hypervisor | ✓ ✓ |
| User/kernel mode | ✓ |
| Anti-downgrade eFUSEs | ✓ |
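The boot chain and the "Chain of trust" and "Anti-downgrade eFUSEs" rows above describe the same mechanism: each stage verifies the next before handing over control, and one-time fuses stop a validly signed but older stage from being booted again. The model below is an added example written for this page; it is not the talk's code nor Sony's, and it does not reproduce how the PS3 was actually broken. The stage names are taken from the boot-chain slide, flattened into one list (on the slide metldr is what loads lv1ldr and lv2ldr). The signature check is stood in by HMAC-SHA256 keyed with a constructed verifier key so that it runs offline; a real chain uses public-key signatures. Fuses are burnt as soon as a newer version boots, which is a simplification of burning them during an update.

```python
"""Model of a staged boot chain with anti-downgrade fuses (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Stage order as drawn on the slide; metldr loads lv1ldr and lv2ldr there,
# which this linear list flattens.
CHAIN = ["metldr", "lv0ldr", "lv0", "lv1ldr", "lv1", "lv2ldr", "lv2"]

# Stand-in for the verifying key held by each verifier stage. Constructed value;
# HMAC-SHA256 replaces the public-key signature check only so the model runs offline.
VERIFY_KEY = b"constructed-verifier-key"


@dataclass
class Stage:
    name: str
    version: int
    payload: bytes
    tag: bytes  # stand-in for the signature over (name, version, payload)


def _message(name: str, version: int, payload: bytes) -> bytes:
    # Bind name and version into the signed message, so a validly signed image
    # cannot be replayed as a different stage or presented as a different version.
    return name.encode() + version.to_bytes(4, "big") + hashlib.sha256(payload).digest()


def sign_stage(name: str, version: int, payload: bytes, key: bytes = VERIFY_KEY) -> Stage:
    """Vendor side: produce a stage image together with its (stand-in) signature."""
    tag = hmac.new(key, _message(name, version, payload), hashlib.sha256).digest()
    return Stage(name, version, payload, tag)


@dataclass
class Fuses:
    """One-time-programmable minimum version per stage; values only ever increase."""
    min_version: dict = field(default_factory=dict)

    def allows(self, name: str, version: int) -> bool:
        return version >= self.min_version.get(name, 0)

    def burn(self, name: str, version: int) -> None:
        if version > self.min_version.get(name, 0):
            self.min_version[name] = version


def boot(images: dict, fuses: Fuses, key: bytes = VERIFY_KEY):
    """Walk the chain; every stage is verified before control passes to it.

    Returns (stages_reached, failure_reason); failure_reason is None on success.
    """
    reached = []
    for name in CHAIN:
        stage = images.get(name)
        if stage is None or stage.name != name:
            return reached, f"{name}: missing or wrong image"
        expected = hmac.new(key, _message(stage.name, stage.version, stage.payload),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, stage.tag):   # constant-time compare
            return reached, f"{name}: signature check failed"
        if not fuses.allows(name, stage.version):          # anti-downgrade check
            return reached, (f"{name}: version {stage.version} below fused "
                             f"minimum {fuses.min_version[name]}")
        fuses.burn(name, stage.version)  # simplification: burn at boot, not at update
        reached.append(name)
    return reached, None


def untrusted_after(name: str) -> list:
    """Stages whose integrity rests on `name`: that stage and everything loaded after it."""
    return CHAIN[CHAIN.index(name):]


def demo():
    """Three boots against one set of fuses: clean, tampered lv2, downgraded lv1."""
    good = {n: sign_stage(n, 2, f"{n} image v2".encode()) for n in CHAIN}  # constructed images
    fuses = Fuses()
    clean = boot(good, fuses)                  # every stage reached; fuses now at version 2

    tampered = dict(good)                      # payload changed, original tag kept
    tampered["lv2"] = Stage("lv2", 2, b"patched lv2", good["lv2"].tag)
    tamper_result = boot(tampered, fuses)      # stops at lv2: signature mismatch

    downgrade = dict(good)                     # genuinely signed, but an older version
    downgrade["lv1"] = sign_stage("lv1", 1, b"lv1 image v1")
    downgrade_result = boot(downgrade, fuses)  # stops at lv1: fuse demands >= 2
    return clean, tamper_result, downgrade_result


if __name__ == "__main__":
    for label, (reached, why) in zip(("clean", "tampered", "downgrade"), demo()):
        print(f"{label}: reached {reached}; {'ok' if why is None else why}")
```

Two points the model makes visible: the downgrade boot fails even though its lv1 image carries a valid signature, because the fuse check is a separate, monotonic gate; and `untrusted_after` spells out why the slide stamps the chain BROKEN rather than a single box, since once a stage's verification can be bypassed, every stage it loads inherits the break. The on-die bootROM that anchors the chain is deliberately outside the model, because nothing verifies it.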
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 36: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/36.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 37: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/37.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 38: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/38.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 39: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/39.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 40: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/40.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 41: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/41.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
![Page 42: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/42.jpg)
Xbox Wii 360 PS3On-die bootROM ✓ ✓ ✓ ✓On-die key storage ✓ ✓Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓Security coprocessor ✓ ✓
Full media encryption and signing ✓Encrypted storage ✓ ✓Self-signed storage ✓
Memory encryption/hashing ✓Hypervisor ✓ ✓
User/kernelmode ✓Anti-downgrade eFUSEs ✓
BROKENBROKENMittwoch, 29. Dezember 2010
Page 50

Xbox Wii 360 PS3
On-die bootROM ✓ ✓ ✓ ✓
On-die key storage ✓ ✓
Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓
Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓
Security coprocessor ✓ ✓
Full media encryption and signing ✓
Encrypted storage ✓ ✓
Self-signed storage ✓
Memory encryption/hashing ✓
Hypervisor ✓ ✓
User/kernel mode ✓
Anti-downgrade eFUSEs ✓
Annotations: BROKEN, BROKEN, BYPASSED
Page 51-53

OtherOS ✘ Not supported on the PS3 Slim
You have earned a trophy: Draw Attention!
Page 54

Geohot Exploit: XDR RAM glitching attack
Page 55-62

Diagram (animated): RAM holding the Hypervisor, the Kernel and the HTAB (the hashed page table the Hypervisor manages on the Kernel's behalf); after the glitch a second HTAB appears. The bus glitch keeps the Hypervisor's invalidation of the Kernel's old page-table entries from reaching RAM, so the Kernel keeps mappings into memory that the Hypervisor later reuses for a new HTAB; writing that HTAB directly lets the Kernel map any physical memory, including the Hypervisor's own.
You have earned a trophy: Hypervisor Exposed (HV)
Page 63-65

OtherOS ✘ ✘ ✘ Forcibly removed on the PS3 Fat
You have earned a trophy: Pissed Off Hackers
Page 67-69

PSJailbreak (and over 9000 clones)

PSJailbreak Exploit
Page 70

PSJailbreak: a USB Hub with the emulated devices PWN1, PWN2, PWN3, PWN4, JIG and FINAL behind it.
Page 71

Device 1: CONFIGURATION #1 .. #4, INTERFACE #1, TL (wTotalLength) = 0xF00, PAYLOAD
Page 72-74

Device 4: CONFIGURATION #1 (TL = 0x12) with INTERFACE #1; CONFIGURATION #2
Page 75

Device 2: CONFIGURATION #1 (TL = 0x16) with INTERFACE #1, followed by the bytes 04 21 B4 2F
Page 76-77

Device 4 again: CONFIGURATION #1 (TL = 0x12) with INTERFACE #1; the bytes 04 21 B4 2F left behind by Device 2 now sit where CONFIGURATION #2 is parsed, so CONFIGURATION #2 reads TL = 0x2FB4 (B4 2F, little-endian).
Page 78-80

C++ objects: INTERFACE OBJECT #N (VTABLE POINTER), INTERFACE OBJECT #N+1 (VTABLE POINTER), INTERFACE OBJECT #N+2 (VTABLE POINTER)
CONFIGURATION #3 INTERFACE #1 lands over INTERFACE OBJECT #N+1, replacing its VTABLE POINTER with a PAYLOAD POINTER.
Page 81

Device 3: CONFIGURATION #1 .. #2; INTERFACE #1, INTERFACE #2, INTERFACE #3, ... INTERFACE #11, ...........

Page 83

You have earned a trophy: LV2 Code Execution
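The descriptor handling sketched on pages 71-81, as an added example (not code from the fail0verflow slides and not Sony's LV2 USB stack): a bounds-checked walk over a USB configuration descriptor beside a measure of what an unchecked stack would copy. It models the slide's mismatch as a device whose wTotalLength reads 0x12 on the short read the stack sizes its buffer from and 0x2FB4 on the full read; the function names, the sample descriptors and the 0x12-byte allocation are assumptions made for the demonstration, only the two lengths come from the slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_CFG_HDR_LEN  9       /* bLength of a configuration descriptor */

enum cfg_status {
    CFG_OK = 0,
    CFG_ERR_HEADER = 1,        /* too short, or not a configuration descriptor */
    CFG_ERR_TOTAL_LENGTH = 2,  /* wTotalLength exceeds what we received or allocated */
    CFG_ERR_SUBDESC = 3        /* a sub-descriptor's bLength runs past wTotalLength */
};

/* wTotalLength lives at offset 2 of the configuration descriptor, little-endian. */
static uint16_t cfg_total_length(const uint8_t *d)
{
    return (uint16_t)(d[2] | ((uint16_t)d[3] << 8));
}

/*
 * Bounds-checked walk over a configuration descriptor (assumed helper).
 *   buf/buf_len : bytes actually received from the device
 *   alloc_len   : size of the buffer the stack allocated for them (taken from
 *                 the wTotalLength seen in the first, short read)
 * On CFG_OK, *n_ifaces is the number of interface descriptors found.
 */
static enum cfg_status cfg_walk(const uint8_t *buf, size_t buf_len,
                                size_t alloc_len, int *n_ifaces)
{
    if (buf_len < USB_CFG_HDR_LEN || buf[0] != USB_CFG_HDR_LEN || buf[1] != USB_DT_CONFIG)
        return CFG_ERR_HEADER;
    size_t total = cfg_total_length(buf);
    /* The device's claim must fit both what arrived and what we own. */
    if (total < USB_CFG_HDR_LEN || total > buf_len || total > alloc_len)
        return CFG_ERR_TOTAL_LENGTH;
    int count = 0;
    for (size_t off = USB_CFG_HDR_LEN; off < total; ) {
        uint8_t blen = buf[off];
        if (blen < 2 || off + blen > total)   /* each sub-descriptor must fit */
            return CFG_ERR_SUBDESC;
        if (buf[off + 1] == USB_DT_INTERFACE)
            count++;
        off += blen;
    }
    *n_ifaces = count;
    return CFG_OK;
}

/* Interface count on success, negative status on failure. */
static int cfg_iface_count(const uint8_t *buf, size_t buf_len, size_t alloc_len)
{
    int n = 0;
    enum cfg_status st = cfg_walk(buf, buf_len, alloc_len, &n);
    return st == CFG_OK ? n : -(int)st;
}

/*
 * What an unchecked stack does: allocate from the short read's wTotalLength,
 * then memcpy the full read's wTotalLength. Returns how many bytes that copy
 * would write past the allocation (0 = no overflow). Nothing is copied here.
 */
static size_t cfg_overflow_bytes(const uint8_t *short_read, const uint8_t *full_read)
{
    size_t alloc   = cfg_total_length(short_read);
    size_t claimed = cfg_total_length(full_read);
    return claimed > alloc ? claimed - alloc : 0;
}

/* Constructed sample descriptors (not captured from real hardware). */
/* Honest device: 9-byte configuration header (TL = 0x12) + one 9-byte interface. */
static const uint8_t honest_cfg[0x12] = {
    0x09, USB_DT_CONFIG, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00,
};
/* Hostile device: answers the short read like honest_cfg, but on the full
   read the same 0x12 bytes arrive with wTotalLength = 0x2FB4 (B4 2F). */
static const uint8_t hostile_cfg[0x12] = {
    0x09, USB_DT_CONFIG, 0xB4, 0x2F, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00,
};
/* Consistent wTotalLength, but the interface descriptor claims bLength 0x20. */
static const uint8_t bad_sub_cfg[0x12] = {
    0x09, USB_DT_CONFIG, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x20, USB_DT_INTERFACE, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00,
};

int main(void)
{
    size_t alloc = cfg_total_length(honest_cfg);   /* 0x12, from the short read */
    printf("honest  : %d\n", cfg_iface_count(honest_cfg, sizeof honest_cfg, alloc));
    printf("hostile : %d\n", cfg_iface_count(hostile_cfg, sizeof hostile_cfg, alloc));
    printf("bad sub : %d\n", cfg_iface_count(bad_sub_cfg, sizeof bad_sub_cfg, alloc));
    printf("unchecked stack would overflow by %zu bytes\n",
           cfg_overflow_bytes(honest_cfg, hostile_cfg));
    return 0;
}
```

cfg_walk refuses the hostile descriptor before touching a byte beyond the 0x12 it owns; cfg_overflow_bytes shows the alternative, 0x2FB4 - 0x12 = 12194 bytes written past an 18-byte heap allocation, which is the kind of heap overwrite that reaches the neighbouring interface objects on page 80.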
Page 84

No W^X in LV2: any old exploit == code execution

Page 85

Hypervisor allows unsigned code: it happily marks pages as executable and plays no role in enforcing that only trusted code runs.
Page 86-87

Results
• LV2 “GameOS” compromised
• LV1 Hypervisor NOT compromised
• Secure SPE NOT compromised
• Piracy
You have earned a trophy: Piracy
Page 88

Fail Security Model
• The hypervisor does not enforce LV2 and game integrity
• You can just patch LV2 to run games from HDD
Page 89-91

Xbox Wii 360 PS3
On-die bootROM ✓ ✓ ✓ ✓
On-die key storage ✓ ✓
Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓
Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓
Security coprocessor ✓ ✓
Full media encryption and signing ✓
Encrypted storage ✓ ✓
Self-signed storage ✓
Memory encryption/hashing ✓
Hypervisor ✓ ✓
User/kernel mode ✓
Anti-downgrade eFUSEs ✓
Annotations: BROKEN, BROKEN, BYPASSED, INEFFECTIVE, USELESS
Page 92-96

Downgrades
• Sony fixed the exploit
• Service mode triggered by USB “JIG”
• HMAC authenticated, keys dumped
• Leaked service app used to enable downgrades
You have earned a trophy: More Piracy
Page 97-101

AsbestOS
• Replace LV2/GameOS in memory
• OtherOS mode and GameOS mode are virtually identical
• Except GameOS can do more stuff, e.g. 3D
• Run Linux again (even on the Slim!)
• Use NetRPC to remote-control the PS3 and experiment...
Page 102-105

SELFs (figure: layout of a signed ELF)
• SCE header
• ehdr + phdr
• encrypted metadata key (AES, unwrapped with the loader key)
• metadata (AES + SHA-1, keyed with the SELF key recovered from the encrypted metadata key)
• ECDSA signature
• ehdr + phdr (again...)
• phdr #0 data #0, phdr #1 data ..., phdr #N data
The last two items together are the ELF.
Page 106-107

The Oracle
• Sony's idea: “No one can see our code!”
• ... unless the PPE is compromised
• Decrypting all code possible from GameOS
• security coprocessor pointless!
• But we want keys!
You have earned a trophy: Obfuscation useless
Page 108-109

Xbox Wii 360 PS3
On-die bootROM ✓ ✓ ✓ ✓
On-die key storage ✓ ✓
Public-key crypto ✓ ✓ ✓ ✓
Chain of trust ✓ ✓ ✓
Per-console keys ✓ ✓ ✓
Signed executables ✓ ✓ ✓
Security coprocessor ✓ ✓
Full media encryption and signing ✓
Encrypted storage ✓ ✓
Self-signed storage ✓
Memory encryption/hashing ✓
Hypervisor ✓ ✓
User/kernel mode ✓
Anti-downgrade eFUSEs ✓
Annotations: BROKEN, BROKEN, BYPASSED, INEFFECTIVE, USELESS, POINTLESS
Page 110-111

Chain of Trust

| Name | Processor / Mode | updateable | revocable (*) | usage |
|---|---|---|---|---|
| bootldr | SPE | ✖ | ✖ | boot lv0 |
| lv0 | PPE HV | ✔ | ✖ | boot lv1 |
| metldr | SPE | ✖ | ✖ | run `*ldr` |
| lv1ldr | SPE | ✔ | ✖ | decrypt lv1 |
| lv1 | PPE HV | ✔ | ✖ | hypervisor |
| isoldr | SPE | ✔ | ✖ | decrypt modules |
| sc_iso | SPE | ✔ | ✔ | |
| ... | | | | |
| lv2ldr | SPE | ✔ | ✖ | decrypt lv2 |
| lv2 | PPE SV | ✔ | ✔ | kernel |
| appldr | SPE | ✔ | ✔ | decrypt games |
| some game | PPE PS | ✔ | ✔ | :-) |

(* as per Sony's specification)
Page 112-115

Breaking loaders
Revocation list buffer rvk_shared (in shared memory) is copied into Revocation list buffer rvk_isolated (inside the isolated SPE) by lv2ldr code:

```c
memcpy(rvk_isolated, rvk_shared, *((int *)(rvk_shared + 0x1c)))
```

The copy length is read out of rvk_shared itself, which the already-compromised PPE side controls, and is never checked against the size of rvk_isolated, so an oversized value overflows the loader's buffer.

You have earned a trophy: Obtained AES keys
6692d17903220582592e77a204a81b91b9b73c68f9b3b9accda438602901308bbd685c672f11cedf36c507ebd2779e3e711d6b501ae0f003
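The lv2ldr copy above, as an added example (neither fail0verflow's tooling nor Sony's loader code): the unchecked length beside a version that stages the header once, reads the length from its own copy rather than from shared memory again, and bounds it against the isolated buffer before copying. The buffer size, the 0x20-byte header, the big-endian length field and every helper name are assumptions; only the offset 0x1c comes from the slide.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RVK_LEN_OFFSET    0x1c    /* from the slide: lv2ldr reads the copy length here */
#define RVK_HDR_SIZE      0x20    /* assumed: header that contains the length field */
#define RVK_ISOLATED_SIZE 0x800   /* assumed: size of rvk_isolated in SPE local store */

enum rvk_status { RVK_OK = 0, RVK_ERR_SHORT = 1, RVK_ERR_BAD_LEN = 2 };

/* The destination buffer inside the isolated loader (modelled as a plain array). */
static uint8_t rvk_isolated[RVK_ISOLATED_SIZE];

/* Cell is big-endian, so "*(int *)(p + 0x1c)" reads these four bytes MSB first. */
static uint32_t rvk_declared_len(const uint8_t *p)
{
    const uint8_t *h = p + RVK_LEN_OFFSET;
    return ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) | ((uint32_t)h[2] << 8) | h[3];
}

/*
 * What the slide's line does:
 *   memcpy(rvk_isolated, rvk_shared, *((int *)(rvk_shared + 0x1c)))
 * The length is whatever the attacker-controlled shared buffer says, and a
 * negative int becomes a huge size_t. This returns that length instead of
 * copying, so the example never actually overflows anything.
 */
static size_t rvk_unchecked_copy_len(const uint8_t *rvk_shared)
{
    int32_t raw = (int32_t)rvk_declared_len(rvk_shared);
    return (size_t)raw;
}

/*
 * Hardened copy: stage the header once, decide from the staged copy (no
 * second read of shared memory), and bound the length by the destination
 * and by how many bytes the caller actually made available.
 */
static enum rvk_status rvk_load(const uint8_t *rvk_shared, size_t shared_len, uint32_t *copied)
{
    uint8_t hdr[RVK_HDR_SIZE];
    if (shared_len < RVK_HDR_SIZE)
        return RVK_ERR_SHORT;
    memcpy(hdr, rvk_shared, RVK_HDR_SIZE);
    uint32_t len = rvk_declared_len(hdr);
    if (len < RVK_HDR_SIZE || len > RVK_ISOLATED_SIZE || len > shared_len)
        return RVK_ERR_BAD_LEN;
    memcpy(rvk_isolated, hdr, RVK_HDR_SIZE);
    memcpy(rvk_isolated + RVK_HDR_SIZE, rvk_shared + RVK_HDR_SIZE, len - RVK_HDR_SIZE);
    *copied = len;
    return RVK_OK;
}

/* Build a constructed revocation-list image whose header declares declared_len. */
static void rvk_make(uint8_t *img, size_t img_len, uint32_t declared_len)
{
    memset(img, 0, img_len);
    img[RVK_LEN_OFFSET + 0] = (uint8_t)(declared_len >> 24);
    img[RVK_LEN_OFFSET + 1] = (uint8_t)(declared_len >> 16);
    img[RVK_LEN_OFFSET + 2] = (uint8_t)(declared_len >> 8);
    img[RVK_LEN_OFFSET + 3] = (uint8_t)declared_len;
}

/* Status of the hardened loader for a 0x100-byte image declaring declared_len. */
static int rvk_demo(uint32_t declared_len)
{
    uint8_t img[0x100];
    uint32_t copied = 0;
    rvk_make(img, sizeof img, declared_len);
    return (int)rvk_load(img, sizeof img, &copied);
}

/* Bytes the unchecked memcpy would write for the same image. */
static size_t rvk_unchecked_demo(uint32_t declared_len)
{
    uint8_t img[0x100];
    rvk_make(img, sizeof img, declared_len);
    return rvk_unchecked_copy_len(img);
}

int main(void)
{
    static const uint32_t lens[] = { 0x40, 0x100, 0x200, 0x10000, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("declared 0x%08x: hardened status %d, unchecked memcpy would copy %zu bytes\n",
               lens[i], rvk_demo(lens[i]), rvk_unchecked_demo(lens[i]));
    return 0;
}
```

The staging step matters as much as the bound: an isolated SPE that validates a length in shared memory and then re-reads it for the copy can be raced by the PPE between the two reads, so the decision has to be made on bytes that already live in local store.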
![Page 116: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/116.jpg)
• „Only“ a bug in isolated loaders
• Chain of Trust already broken for all sold consoles now.
Mittwoch, 29. Dezember 2010
![Page 117: 27th Chaos Communication Congress Console Hacking 2010 timeline.pdf · 27th Chaos Communication Congress Mittwoch, 29. Dezember 2010 ... iPod 2001 checksum](https://reader035.vdocuments.site/reader035/viewer/2022081505/5f10e4d242cae56cfb335ece/html5/thumbnails/117.jpg)
• "Only" a bug in isolated loaders
• Chain of trust already broken for all sold consoles now.
• This is Fail™. But it's not Epic™ yet...

You have earned a trophy: Chain of Fail
| Feature | ✓ marks (columns: Xbox, Wii, 360, PS3) |
|---|---|
| On-die bootROM | ✓ ✓ ✓ ✓ |
| On-die key storage | ✓ ✓ |
| Public-key crypto | ✓ ✓ ✓ ✓ |
| Chain of trust | ✓ ✓ ✓ |
| Per-console keys | ✓ ✓ ✓ |
| Signed executables | ✓ ✓ ✓ |
| Security coprocessor | ✓ ✓ |
| Full media encryption and signing | ✓ |
| Encrypted storage | ✓ ✓ |
| Self-signed storage | ✓ |
| Memory encryption/hashing | ✓ |
| Hypervisor | ✓ ✓ |
| User/kernel mode | ✓ |
| Anti-downgrade eFUSEs | ✓ |

Stamps over the table: BROKEN, BROKEN, BYPASSED, INEFFECTIVE, USELESS, POINTLESS
The same table with a further stamp: BROKEN, BROKEN, BYPASSED, INEFFECTIVE, USELESS, BROKEN, POINTLESS
SELFs

Diagram labels, in reading order:
  SCE header
  ehdr + phdr
  ehdr
  ehdr + phdr
  encrypted metadata key
  metadata
  ECDSA signature: ehdr + phdr (again...)
  phdr #0, data #0; phdr #1, data ...; phdr #N, data
  SELF key
  } ELF
  AES + SHA-1
  AES, loader key
How does this work?
ECDSA
These are public:
  p, a, b, G, N (elliptic curve parameters)
  Q = public key
  e = hash of data
  R, S = signature,
and these are private:
  m = random
  k = private key.
A signature is a pair of numbers R, S computed by the signer as

$$R = (mG)_x, \qquad S = \frac{e + kR}{m}.$$

It is imperative to have a random m for every signature: from a pair of signatures that use the same m, we can compute m and k.
$$R = (mG)_x \qquad\qquad R = (mG)_x$$
$$S_1 = \frac{e_1 + kR}{m} \qquad S_2 = \frac{e_2 + kR}{m}$$

When m is identical for two signatures, so is R, and

$$S_1 - S_2 = \frac{e_1 - e_2}{m}$$
$$m = \frac{e_1 - e_2}{S_1 - S_2}$$
$$k = \frac{mS_i - e_i}{R} \;\left(= \frac{e_1 S_2 - e_2 S_1}{R(S_1 - S_2)}\right).$$
Our ECDSA code
Used for HBC's network update function

```python
def generate_ecdsa(k, sha):
    # k: private key, sha: hash of the data; both arrive as byte strings.
    # bytes_to_long, long_to_bytes, ec_G, ec_N and bn_inv come from the
    # surrounding HBC code base and are not shown on the slide.
    k = bytes_to_long(k)
    e = bytes_to_long(sha)
    m = open("/dev/random", "rb").read(30)     # fresh random m for every signature
    if len(m) != 30:
        raise Exception("Failed to get m")
    m = bytes_to_long(m) % ec_N
    r = (m * ec_G).x.tobignum() % ec_N         # R = (mG)_x
    kk = ((r * k) + e) % ec_N                  # e + kR
    s = (bn_inv(m, ec_N) * kk) % ec_N          # S = (e + kR) / m
    r = long_to_bytes(r, 30)
    s = long_to_bytes(s, 30)
    return r, s
```
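Added example, not the slides' or HBC's code: the signing formulas from the derivation above and the recovery of m and k from two signatures that share the same m, worked in Python. secp256k1 is used purely as a concrete curve and SHA-1 as the hash; the PS3's own curve and keys are not on the page, and the private key and the reused m below are constructed values.

```python
# Added example, not the slides' code: the ECDSA formulas from the derivation
# and the m/k recovery from two signatures that reuse m (secp256k1 as the curve).
import hashlib

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
a, b = 0, 7                                   # y^2 = x^3 + a*x + b  (mod p)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DEMO_K = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF   # constructed private key
DEMO_M = 0xC0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00           # a "random" m that gets reused

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(m, P):
    """Double-and-add scalar multiplication m*P."""
    R = None
    while m:
        if m & 1: R = ec_add(R, P)
        P, m = ec_add(P, P), m >> 1
    return R

def hash_e(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(k, data, m):
    """Slide formulas mod N: R = (mG)_x, S = (e + kR)/m. m is a parameter only so its reuse can be shown."""
    R = ec_mul(m, G)[0] % N
    return R, (hash_e(data) + k * R) * pow(m, -1, N) % N

def recover_m_and_k(sig1, data1, sig2, data2):
    """Same R => same m:  m = (e1 - e2)/(S1 - S2),  k = (m*S1 - e1)/R  (mod N)."""
    (R1, S1), (R2, S2) = sig1, sig2
    if R1 != R2: raise ValueError("R differs, so m was not reused")
    e1, e2 = hash_e(data1), hash_e(data2)
    m = (e1 - e2) * pow((S1 - S2) % N, -1, N) % N
    return m, (m * S1 - e1) * pow(R1, -1, N) % N
```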
Sony’s ECDSA code
With private keys you can SIGN THINGS

You have earned a trophy: Public Private Keys
The feature table once more, with every stamp: BROKEN, BROKEN, BYPASSED, INEFFECTIVE, USELESS, BROKEN, POINTLESS, EPIC FAIL

You have earned a trophy: Fail0verflow
Thanks, Sony!
http://fail0verflow.com