February 8, 2010

PS3 hypervisor exploit reproduced

Filed under: Embedded,Hacking,Security,Software protection — Nate Lawson @ 10:03 am

There’s a nice series of articles by xorloser on reproducing the recent PS3 hypervisor hack. He used a microcontroller to send the glitch and improved the software exploit to work on multiple firmware revisions. Here’s a picture of his final setup.

It remains to be seen what security measures Sony has taken to address a hypervisor compromise. One countermeasure would be to lock down the OtherOS environment, since the attack depends on the ability to manipulate low-level OS memory structures. They could be using a simpler hypervisor than the GameOS side (say, one that just prevents access to the GPU). Perhaps the SPEs have a disable bit that turns off the hardware decryption unit, and the hypervisor does this before booting OtherOS.

Beyond this, they may not be using a single global key that is shared amongst all SPEs. Broadcast encryption schemes have long been used in the pay TV industry to allow fine-grained revocation of keys that have leaked. They work by embedding a subset of keys from a matrix or tree in each device. If the keys leak, they can be excluded from subsequent software releases. This requires attackers to keep extracting keys and discarding the devices as they are revoked.
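To make the broadcast-encryption idea concrete, here is an added worked example (mine, not Sony's scheme and not from the articles the post links) of the complete-subtree method: every device sits at a leaf of a binary tree and holds the keys of the nodes on its path to the root, and each release wraps the content key under the smallest set of subtree keys that together cover every non-revoked device. A revoked device holds no key in that cover, so it cannot unwrap the content key, while every other device still can. The 16-device tree, the master secret and the XOR-style key wrap are constructed assumptions for illustration; a real deployment would use an authenticated key-wrap primitive.

```python
import hashlib
import hmac

DEPTH = 4                     # 2**DEPTH = 16 devices in this constructed example
NUM_DEVICES = 1 << DEPTH      # leaves are numbered NUM_DEVICES .. 2*NUM_DEVICES-1 (heap layout, root = 1)


def node_key(master: bytes, node: int) -> bytes:
    """Derive the 32-byte key of tree node `node` from the vendor's master secret.
    (Assumption: node keys are derived on demand; any KDF would do.)"""
    return hmac.new(master, b"node:%d" % node, hashlib.sha256).digest()


def device_keys(master: bytes, device: int) -> dict:
    """Keys provisioned into one device: one key per node on its leaf-to-root path."""
    node = NUM_DEVICES + device
    keys = {}
    while node >= 1:
        keys[node] = node_key(master, node)
        node //= 2
    return keys


def _subtree_contains(node: int, leaf: int) -> bool:
    """True if `leaf` lies under `node` (a node's depth is its bit length minus one)."""
    node_depth = node.bit_length() - 1
    return leaf >> (DEPTH - node_depth) == node


def cover(revoked: set) -> list:
    """Minimal set of subtree roots covering every non-revoked leaf (complete-subtree method).
    The cover has at most r*log2(N/r) nodes for r revoked devices out of N."""
    revoked_leaves = {NUM_DEVICES + d for d in revoked}

    def walk(node: int) -> list:
        if not any(_subtree_contains(node, r) for r in revoked_leaves):
            return [node]                 # clean subtree: one key covers all of it
        if node >= NUM_DEVICES:
            return []                     # a revoked leaf: nothing to cover here
        return walk(2 * node) + walk(2 * node + 1)

    return walk(1)


def _wrap(key: bytes, release_id: bytes, content_key: bytes) -> bytes:
    """Toy key wrap: XOR with a per-release pad derived from the node key.
    Stand-in for an authenticated KEK wrap (e.g. AES key wrap); the XOR is its own inverse."""
    pad = hmac.new(key, b"release:" + release_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(content_key, pad))


def make_release(master: bytes, release_id: bytes, content_key: bytes, revoked: set) -> dict:
    """Release header: the content key wrapped under each cover node's key."""
    return {node: _wrap(node_key(master, node), release_id, content_key)
            for node in cover(revoked)}


def device_unwrap(keys: dict, release_id: bytes, header: dict):
    """A device recovers the content key iff it holds a key for some node in the cover."""
    for node, wrapped in header.items():
        if node in keys:
            return _wrap(keys[node], release_id, wrapped)
    return None


if __name__ == "__main__":
    master = b"constructed master secret"        # constructed value
    content_key = bytes(range(32))                # constructed 256-bit content key
    header = make_release(master, b"rel-1", content_key, revoked={3, 10})
    print("cover nodes:", sorted(header))
    for d in range(NUM_DEVICES):
        got = device_unwrap(device_keys(master, d), b"rel-1", header)
        print(f"device {d:2d}: {'revoked' if got is None else 'ok'}")
```

Revoking devices 3 and 10 out of 16 yields a six-node cover (5, 7, 8, 12, 18, 27), so the release header carries six wrapped copies of the content key instead of sixteen, and an attacker who extracted the keys of devices 3 and 10 gets nothing from it. This is the "keep extracting keys and discarding devices" cost the post describes.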

Also, it’s possible there are software protection measures in place. For example, the SPE could request hashes of regions of the calling hypervisor and use this to detect patching. This results in a cat-and-mouse game where firmware updates (or even individual games) use different methods of detecting attackers. Meanwhile, attackers would try to come up with new ways to avoid these countermeasures. This has already been happening in the Xbox 360 world, as well as with nearly every other game console before now.
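As an added illustration of the hash-check idea (my example, not any known Sony mechanism), the verifier below models a trusted component that challenges the caller to hash a region of its own image. Binding the digest to a fresh nonce and a verifier-chosen offset means a patched caller cannot simply replay hashes precomputed from a clean image; a full scan catches any single-byte patch, and random spot checks catch it with probability that grows with the number of rounds. The image contents, region size and scan parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed "golden" image the verifier trusts (assumption: it holds a clean reference copy;
# a real verifier would more likely hold per-region reference digests).
GOLDEN_IMAGE = bytes(range(256)) * 16      # 4 KiB constructed hypervisor image
REGION_SIZE = 512


def region_digest(image: bytes, offset: int, length: int, nonce: bytes) -> bytes:
    """SHA-256 over image[offset:offset+length], bound to the challenge (nonce, offset, length)."""
    h = hashlib.sha256()
    h.update(nonce)
    h.update(offset.to_bytes(4, "big") + length.to_bytes(4, "big"))
    h.update(image[offset:offset + length])
    return h.digest()


def challenge(rng=os.urandom) -> tuple:
    """Verifier picks a random region start and a fresh nonce."""
    max_offset = len(GOLDEN_IMAGE) - REGION_SIZE
    offset = int.from_bytes(rng(2), "big") % (max_offset + 1)
    return offset, REGION_SIZE, rng(16)


def verify(running_image: bytes, chal: tuple) -> bool:
    """The caller answers the challenge from its live image; the verifier recomputes from the golden copy."""
    offset, length, nonce = chal
    answer = region_digest(running_image, offset, length, nonce)
    expected = region_digest(GOLDEN_IMAGE, offset, length, nonce)
    return hmac.compare_digest(answer, expected)


def spot_check(running_image: bytes, rounds: int = 64, rng=os.urandom) -> bool:
    """Probabilistic check: `rounds` random regions, each with its own nonce."""
    return all(verify(running_image, challenge(rng)) for _ in range(rounds))


def full_scan(running_image: bytes, rng=os.urandom) -> bool:
    """Deterministic check: every aligned region of the image, each with a fresh nonce."""
    for offset in range(0, len(GOLDEN_IMAGE), REGION_SIZE):
        if not verify(running_image, (offset, REGION_SIZE, rng(16))):
            return False
    return True


def patched_copy(image: bytes, offset: int, value: int) -> bytes:
    """Constructed test helper: return `image` with one byte changed (simulates a patched caller)."""
    return image[:offset] + bytes([value]) + image[offset + 1:]


if __name__ == "__main__":
    print("clean image, full scan:", full_scan(GOLDEN_IMAGE))
    print("patched image, full scan:", full_scan(patched_copy(GOLDEN_IMAGE, 1000, 0x90)))
```

The weakness that drives the cat-and-mouse game the post mentions is visible in the code: the answer is computed by the very component being checked, so anyone who controls that component can answer from a clean shadow copy instead of the live image. Varying which regions are asked for, and when, across firmware releases raises the cost of maintaining such a shadow but does not close the gap.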

We’ll have to wait and see if Sony used this kind of defense-in-depth and planned for this eventuality or built a really tall wall with nothing more behind it.


  1. Check out my latest blog post, I don’t think they have lines of defense past the hypervisor.

    Comment by George Hotz — February 13, 2010 @ 7:54 am

    • George, what’s up buddy? Where have you been? I had a few questions I wanted to ask you. I’ve been doing my best to pick up where you and a few others have left off, working on a custom .pup for downgrading all fat PS3 firmware versions that no longer have the option to install another OS.

      Anyway, I’m getting ready to gain Lv1 access (thanks to you and Xorhack) and then hopefully it will be on to dumping Lv2, but I was wondering: once I dump Lv2, will I have full access to the system’s hardware, or do I get that right after I dump the Hypervisor? (Something tells me it’s only giving me control over memory allocation.)

      Meh, I’m new to this, so forgive my newbieness!

      Comment by PS3Cracker — July 3, 2010 @ 9:56 am

  2. Now that Sony has disabled the OtherOS feature in the PS3, does anyone here believe that Sony might re-enable this feature if they can patch it?

    Comment by LinuxJackal — April 8, 2010 @ 9:42 am

  3. I made the seemingly `fatal` error of installing firmware 3.21 anyway, prior to having knowledge of the proxy workaround to remain connected with my PSN and ignore the update… Does the update actually erase the software that the GameOS uses to run Linux (and the allocation of HD space options when choosing to format)? Is anybody working on a restoration method?

    Comment by yournamehereca — April 12, 2010 @ 12:47 pm
