How a USB key defeated security on the Sony PlayStation 3 | MVG

Reddit Comments

My favorite is that the jig I used (because it was the only one I had) was a TI84 calculator: https://brandonw.net/ps3jb/

41 points · u/ThatOnePerson · Dec 10 2019

Slightly related to emulation, but I know some of us here like good technical videos about consoles, security, and the like.

As usual, great job by MVG and kudos to him.

37 points · u/JoshLeaves · Dec 09 2019

Damn, now this takes me waaaaay back!

Still remember all the fuss when it was first announced, with people calling it a scam and whatnot, with others defending the ridiculous price on the basis that it amounted to only about 3 games or something.

I held on until copycats started to appear and finally bought one for around 30€ or something. Worked great.

Of course, eventually we all moved on to custom firmwares and these things became useless, but goddamn, wasn't that a funny start for breaking open the PS3.

12 points · u/nebachadnezzar · Dec 10 2019

MISTAKES WERE MADE

15 points · u/ThePixelMouse · Dec 10 2019

Now I need to know how this story ended...

I had an X360 with a DVD drive custom FW, this was my last videogame, and I had read somewhere about JTAGged X360s and ESP modded PS3s. But the video ended with a nod to the fail0verflow team and the discovery of the private keys of the PS3... What did this unlock? Was this closed in any way? Can you play online? How does this work??

5 points · u/GuilhermeFreire · Dec 10 2019

It would be if he talked about any of the projects he's up to these days, if any. Although I love the history of console hacking and homebrew videos he does.

For me though nothing will ever match the OG Xbox days. That was a golden era.

6 points · u/128e · Dec 10 2019

I actually bought a Dingoo just to hack my PS3 years ago. It was the time my DS broke and I was like fuck it, I want a portable emulation device.

2 points · u/fvig2001 · Dec 16 2019
Captions
[Music] In 2009, three years had passed after the launch of the Sony PlayStation 3, when renowned security researcher George Hotz, or Geohot, announced on his blog that he was attempting to hack the PlayStation 3. Up until that point the PlayStation 3 had not been breached, and its security was heralded as the best ever designed in a console implementation. Compared to the Xbox 360, which had already been exploited, first with DVD firmware hacks and then later a hypervisor attack utilizing the JTAG port, the PlayStation 3 stood firm. But Geohot made Sony nervous. His blog post went into detail discussing the method to attack the hypervisor, and his way in was to use OtherOS, a feature on the PlayStation 3 that enabled the installation of Linux distributions. Yellow Dog Linux was a popular distribution for the system, and with a mouse and keyboard OtherOS could turn the PlayStation 3 into an everyday home computer. Geohot published his findings on his blog, and even the theoretical methods of exploiting the system. Sony started to panic and wondered, what if? What if some exploit was left wide open in OtherOS that compromised the hypervisor? And on April 1st 2010 Sony released firmware 3.21. Their response was to completely remove OtherOS from the firmware, in effect disabling Linux from ever running on the PlayStation 3 again.

"The next system software update for the PlayStation 3 will be released on April 1st 2010 and will disable the Install Other OS feature that was available on the PS3 systems prior to the current slimmer models. This feature enabled users to install an operating system, but due to security concerns Sony Computer Entertainment will remove this functionality through the 3.21 system software update."

The response to this was one of disbelief and anger. The Sony PlayStation 3 was advertised to run Linux, and to take that away was a red flag, and it was the motivation needed to begin targeted hacking attempts on the PlayStation 3. On top of this, a class action lawsuit against Sony and its removal of OtherOS was formed, and the OtherOS removal cost Sony millions of dollars in settlement checks that are still being paid out today.

After Sony had removed OtherOS in April, there was a consolidated effort of groups of different individuals that were rolling around to come up with ways to defeat security on the PlayStation 3. In short, people were unhappy about the removal and they wanted to get back at Sony in different ways. In August of 2010, from out of nowhere, a mod device known as the PS Jailbreak was announced that would allow for homebrew and game backups to run. This jailbreak device was nothing more than a simple USB stick and did not require any soldering or modification at all, and it worked on all PlayStation 3s at the time. People were skeptical; the PlayStation 3 had remained hack-proof for years, and Sony had thought that they had closed every possible security hole with the removal of OtherOS. But when the device released, it was true: the PS Jailbreak worked. The company that designed the jailbreak never made themselves known, for obvious reasons, but they knew that they had something special. It was accessible to all users and was simple to use, and they charged 120 dollars for the privilege of owning one. As it turns out, the PS Jailbreak was a real thing and did everything as advertised. The question is, how does it work?

So to answer this we need to understand a couple of things first. Let's do a quick crash course in USB devices. A USB device like a flash drive contains information that lets the host, in this instance the PlayStation 3, know what the device is, who makes it, what version of USB it uses, how it can be configured, its endpoints and more. This information is known as the USB descriptors, and this is a standard across every single USB device. Every USB device contains one device descriptor, but multiple configuration, interface and endpoint descriptors. So if we consider a typical mass storage device like a flash drive, it would contain a single configuration descriptor that had an interface type of mass storage, and two endpoint descriptors, one for receiving data and the other for sending data. But something like a USB hub would contain more descriptors: a four port USB hub would contain four device and four configuration descriptors. Furthermore, each USB device is identified by a 2 byte vendor code and a 2 byte product ID. These codes are assigned by the USB consortium group and the manufacturer. For example, this Logitech mouse that I use on my PC: the vendor code is 046d and the device ID is c083. If we look these up in a database, you can see that it returns the G403 Prodigy Gaming Mouse. So why is this important?

It's because when Sony received defective PS3s, they would sometimes use a USB device known as a service mode jig. This would be connected to the USB port on the PS3 and it would put the system into factory service mode. From here different things could be performed on the PS3, including rebuilding the hard drive and also downgrading the firmware. Information about factory service mode was discovered and leaked early in 2008, and with this information in hand a group such as the PS Jailbreak team would be able to figure out a way to replicate the jig. But Sony knew that information on the jig would eventually be discovered, and that one approach might be to replicate the jig by effectively replicating the USB device and configuration descriptors to match an official PS3 service mode jig and match the device and manufacturer IDs. So they added security around this, and it worked. However, when PS Jailbreak was released in August of 2010, two things happened. The first is, when everyone thought it was fake, it actually worked. And two, it did not boot into factory service mode; it booted into a retail PS3, but from here you could run homebrew and play games from a USB device or installed directly onto the PlayStation 3 hard disk. Now, because the PS Jailbreak was the first method out there, and they tried to hide their tracks so that no one else could really replicate what they were doing, they ended up charging a lot of money for the privilege, and I saw prices anywhere from 120 to 150 US dollars depending on which reseller you purchased it from. This really upset a lot of people, especially those that wanted to do this system mod themselves but didn't want to pay for the privilege of doing so. So in the end there was a fairly big group of people that ended up reverse engineering the PS Jailbreak, understanding the control between the PS3 and the USB device, understanding how the flow worked and the exploit, and ended up replicating it and making it open source for anyone to either do it themselves for free or buy a cheap solution like a Teensy or an Arduino style device in order to replicate the exact control flow between the jig and the PlayStation 3.

So how does the PS Jailbreak work? When you connect the device to the USB port, its device descriptor tells the PS3 that it's actually a six port USB hub. Now of course this is fake. After the hub is initialized, the PS Jailbreak informs the PS3 that a device has been plugged into fake port one. Port one also contains the payload data of the exploit that it will jump into after gaining control. So after reading port 1, it then tells the PS3 a device has been plugged into port 2, and then tells the PS3 that a device has been plugged into fake port 3, which also contains an unusually large descriptor. It then disconnects the device in port 2. This is important, because the memory that was used to allocate the descriptors for port 2 is freed. Now a device is connected to fake port 4 with 3 configuration descriptors, the third containing PowerPC shellcode, which contains an extra 14 bytes. After this is complete, a device is plugged into port 5 which contains the exact same product and vendor IDs as the official Sony jig. The PS3 allocates memory for the challenge-response to authenticate that this is a real jig. This is where a heap overflow exploit occurs. This occurs because the 64 bytes of memory allocation points to the next free memory space, which was overwritten earlier. This means that the shellcode is sent to the PS3 and starts executing when the PS3 detects removal of the device, and the last step is to disconnect the devices in port 5, port 4 and port 1. From here the shellcode will execute the payload that we loaded earlier from port 1 when the PS3 boots. It's important to note that the hypervisor, or level 1, has not been compromised at all, but level 2, or GameOS, has been exploited. The payload remaps the Blu-ray partition to either the USB device or hard disk in order to allow pirate or game backups to run from either device. It also opens up some other features and allows for unsigned code to run.

For a short while no one really knew how the PS Jailbreak worked, but it didn't take long before complete USB dumps were logged. PS Jailbreak charged an exorbitant amount for their device, but it was quickly reverse engineered and open sourced for free. You could easily replicate the same process with a Teensy or an Arduino or even a Raspberry Pi, and after a few weeks there were 10 PS Jailbreak clones announced which all had the exact same feature. It also wasn't much longer after that that the jailbreak device could also be set into factory service mode thanks to the jig master key discovery. This meant that you could downgrade its firmware back to 3.41 or lower as necessary. In the end, Sony ultimately patched the issue after firmware 3.55, but it was too late. This was only the first, but a very important, step in a targeted effort against the removal of OtherOS, and the second and more crucial was the discovery of the PlayStation 3's private key, which opened up the door to custom firmware and the possibility of bringing back OtherOS.

So there you have it guys, that's the story of the PS Jailbreak and how a simple jig exploit was able to defeat security on the Sony PlayStation 3. It was a very important first step in defeating security on the PS3. The method itself was quite limited in what you could do with it; I mean, you could play game backups and homebrew in a limited capacity, but you certainly didn't have access to the hypervisor and some of the more advanced things you could do on the PS3. But it was a very important first step, and as we know, history will tell us that ultimately the private key was discovered on the PS3 by fail0verflow, and that really unlocked the potential and really just busted the security of the system wide open with the discovery of that private key. That's obviously something that is very well documented, and I'll leave a link in the description below to the CCC conference where the fail0verflow team presented their discoveries and disclosed them to the public. Well guys, I'm going to leave it here for this video. Thank you so much for watching. If you liked it, you know what to do: leave me a thumbs up, and as always don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now. [Music]
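The descriptors the video walks through (a device descriptor carrying vendor and product IDs, then a configuration descriptor followed by interface and endpoint descriptors, each announcing its own length) are exactly the device-supplied lengths a host has to check before copying anything into a fixed-size buffer. This is an added example, not code from the video, the PS Jailbreak or Sony: a small parser that walks a configuration block and reports every length inconsistency, using constructed descriptor bytes and the Logitech 046d:c083 ids quoted in the captions.

```python
"""Parse USB descriptors and flag the length inconsistencies a host should reject (constructed samples)."""
import struct

DESC_NAMES = {0x01: "DEVICE", 0x02: "CONFIGURATION", 0x04: "INTERFACE", 0x05: "ENDPOINT"}
EXPECTED_LEN = {0x01: 18, 0x02: 9, 0x04: 9, 0x05: 7}  # fixed bLength for these types (USB 2.0)

def parse_device_descriptor(blob):
    """Return the identifying fields of an 18-byte device descriptor."""
    if len(blob) != 18 or blob[0] != 18 or blob[1] != 0x01:
        raise ValueError("not a well-formed device descriptor")
    usb_ver, = struct.unpack_from("<H", blob, 2)   # bcdUSB, e.g. 0x0200 for USB 2.0
    vid, pid = struct.unpack_from("<HH", blob, 8)  # idVendor, idProduct (little-endian)
    return {"bcdUSB": f"{usb_ver >> 8}.{usb_ver & 0xFF:02x}", "idVendor": vid, "idProduct": pid}

def walk_config_block(blob):
    """Walk a configuration descriptor and the descriptors packed after it.

    Returns (descriptors, problems); each descriptor is (name, bLength, offset).
    Anything in problems means the block must not be trusted or copied further."""
    descriptors, problems = [], []
    if len(blob) < 9 or blob[0] != 9 or blob[1] != 0x02:
        return descriptors, ["block does not start with a 9-byte configuration descriptor"]
    total_len, = struct.unpack_from("<H", blob, 2)  # wTotalLength: what the device claims to send
    if total_len != len(blob):
        problems.append(f"wTotalLength={total_len} but {len(blob)} bytes supplied")
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            problems.append(f"truncated descriptor header at offset {off}")
            break
        blen, btype = blob[off], blob[off + 1]
        if blen < 2 or off + blen > len(blob):  # bLength must cover its header and stay in bounds
            problems.append(f"descriptor at offset {off} claims {blen} bytes and overruns the block")
            break
        name = DESC_NAMES.get(btype, f"TYPE_0x{btype:02x}")
        if btype in EXPECTED_LEN and blen != EXPECTED_LEN[btype]:
            problems.append(f"{name} at offset {off}: bLength {blen}, spec says {EXPECTED_LEN[btype]}")
        descriptors.append((name, blen, off))
        off += blen
    return descriptors, problems

# Constructed device descriptor carrying the Logitech ids quoted in the video (046d:c083).
SAMPLE_DEVICE = bytes([18, 0x01, 0x00, 0x02, 0, 0, 0, 64, 0x6d, 0x04, 0x83, 0xc0, 0x00, 0x01, 1, 2, 0, 1])
# Constructed mass-storage configuration: config + interface (class 0x08) + two bulk endpoints = 32 bytes.
GOOD_CONFIG = bytes([9, 0x02, 32, 0, 1, 1, 0, 0x80, 50, 9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0,
                     7, 0x05, 0x81, 0x02, 0x00, 0x02, 0, 7, 0x05, 0x02, 0x02, 0x00, 0x02, 0])
# Same block with 14 undeclared trailing bytes: the sort of overlong descriptor a host must not copy blindly.
OVERLONG_CONFIG = GOOD_CONFIG + bytes([14, 0xFF]) + b"\x00" * 12
```

Running `walk_config_block(OVERLONG_CONFIG)` reports the wTotalLength mismatch while still listing the trailing vendor-type descriptor, so a host can log what the device offered without having copied it.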
Info
Channel: Modern Vintage Gamer
Views: 756,323
Rating: 4.9370651 out of 5
Keywords: sony, playstation 3, sony playstation 3, ps3, mvg, modern vintage gamer, ps3 jailbreak, ps3 emulator, fbanext ps3, otheros ps3, linux ps3, yellow dog linux ps3, psjailbreak, otheros, linux, playstation 3 games, ps3 games, psjig, geohot, hypervisor, GameOS
Id: 2yQCOso_4hc
Length: 12min 19sec (739 seconds)
Published: Mon Dec 09 2019