http://www.ps3hax.net/2012/10/marcan-fail0verflow-about-lv0/ by marcansoft (727665) on Tuesday October 23, @09:04PM (#41747075) Homepage The first-stage bootloader is in ROM and has a per-console key which is effectively in tamper-resistant silicon. The second-stage bootloader (bootldr) is encrypted with the per-console key, but is not upgradable and is the same for all consoles (other than the encryption wrapper around it). This second-stage bootloader verifies lv0. Sony signed lv0 using the same broken process that they used for everything else, which leaks their private key. This means that the lv0 private key was doomed from the start, ever since we demonstrated the screwup at the Chaos Communication Congress two years ago. 譯註：所以又是 SONY 自己耍笨，用了錯誤的加密方式導致 2nd-stage lv0金鑰 外流。 However, because lv0 is also encrypted, including its signature block, we need that decryption key (which is part of bootldr) before we can decrypt the signature and apply the algorithm to derive the private key. We did this for several later-stage loaders by using an exploit to dump them, and Geohot did it for metldr (the “second root” in the PS3′s bizarre boot process) using a different exploit (we replicated this, although our exploit might be different). At the time, this was enough to break the security of all released firmware to date, since everything that mattered was rooted in metldr (which is bootldr’s brother and is also decrypted by the per-console key). However, Sony took a last ditch effort after that hack and wrapped everything after metldr into lv0, effectively using the only security they had left (bootldr and lv0) to attempt to re-secure their platform. 譯註：依據 marcan 的說法，整個 PS3 在主機上頭的加密機制可以說是已經被 突破了，之前破解陣營突破了 metldr ，所以 SONY 把最後防線全部蓋到 bootldr 上頭，現在最後防線 bootldr 外圍也被突破，只剩本丸而已。 Bootldr suffers from the same exploit as metldr, so it was also doomed. However, because bootldr is designed to run from a cold boot, it cannot be loaded into a “sandboxed” SPU like metldr can from the comfort of OS-mode code execution (which we had via the USB lv2 exploit), so the exploit is harder to pull off because you don’t have control over the rest of the software. For the exploit that we knew about, it would’ve required hardware assistance to repeatedly reboot the PS3 and some kind of flash emulator to set up the exploit with varying parameters each boot, and it probably would’ ve taken several hours or days of automated attempts to hit the right combination (basically the exploit would work by executing random garbage as code, and hoping that it jumps to somewhere within a segment that we control – the probabilities are high enough that it would work out within a reasonable timeframe). We never bothered to do this after the whole lawsuit episode. 但 bootldr 跟 metldr 在本質上不同的地方是， bootldr 是拿來做冷開機的， 不能像 metldr 一樣，得到沙盒的防護，因此 bootldr 要是加密機制有漏洞， 就慘了。這說明了為何我們單憑 3.41 版韌體的 USB 驅動程式漏洞還不足以拿 下 metldr ，還得仰賴其他的漏洞才有辦法破解到 metldr 。但已知的漏洞， 要拿來執行未授權的程式還是有困難，因為缺少程式指標，所以只能希望運氣夠 好，開完機後程式指標能夠恰好跳到我們擺放程式的開頭，然後執行到我們要的 程式片段，這個機率很低，所以需要大量的時間去嘗試，反正在他們打官司的期 間，這個剛好可以拿來殺時間 Presumably, 18 months later, some other group has finally figured this out and either used our exploit and the hardware assistance, or some other equivalent trick/exploit, to dump bootldr. Once the lv0 decryption key is known, the signing private key can be computed (thanks to Sony’s epic failure). 結果 18 個月過去了，終於有人借助硬體支援，突破了最後一道防線，把 lv0 給解密了，然後私鑰也能夠算出來了。 The effect of this is essentially the same that the metldr key release had: all existing and future firmwares can be decrypted, except Sony no longer has the lv0 trick up their sleeve. What this means is that there is no way for Sony to wrap future firmware to hide it from anyone, because old PS3s must be able to use all future firmware (assuming Sony doesn’t just decide to brick them all…), and those old PS3s now have no remaining seeds of security that aren’t known. This means that all future firmwares and all future games are decryptable, and this time around they really can’t do anything about it. By extension, this means that given the usual cat-and-mouse game of analyzing and patching firmware, every current user of vulnerable or hacked firmware should be able to maintain that state through all future updates, as all future firmwares can be decrypted and patched and resigned for old PS3s. From the homebrew side, it means that it should be possible to have hombrew/linux and current games at the same time. From the piracy side, it means that all future games can be pirated. Note that this doesn’t mean that these things will be easy (Sony can obfuscate things to annoy people as much as their want), but from the fundamental security standpoint, Sony doesn’t have any security leg to stand on now. 這道防線帶來的後果，可說是跟上次 metldr 被破解一樣，截至目前為止所有的 韌體版本都會遭殃，除非 SONY 在 lv0 後面還有 lv-1 ，不然未來所有更新版本 的韌體， SONY 都別想在偷藏什麼在裡面，因為這些韌體必須「向下相容」所有 版本的主機（其實也可以像 iOS 一樣不同型號的下載同一版本但適用不同機型的 韌體）， 而舊版本的主機已經全部攤在陽光下了，這代表未來只要在舊版本主機 上發現軟體漏洞，在新版主機上一樣也可以故技重施。 對於自製軟體陣營來講當然是大好得消息，這代表可以光明正大執行 Linux 了， 對於盜版陣營來說一樣是個好消息，這代表未來沒有無法破解的遊戲了（我猜 SONY 會要求接下來所有的遊戲都必須要線上啟動才能玩） It does not mean that current firmwares are exploitable. Firmware upgrades are still signed, so you need an exploit in your current firmware to downgrade. Also, newer PS3s presumably have fixed this (probably by using newer bootldr/metldrs as trust roots, and proper signing all along). 但是還有一些事情要注意，就是這不代表所有的韌體都能破解，更新版的韌體一 樣有數位簽證，所以目前版本的韌體必須有漏洞，才能夠隨意升級降級，新版的 主機在 bootldr/metldr 有做了修正（3007以上，2507以下都是舊版有漏洞的） The keys are used for two purposes: chain of trust and chain of secrecy. The compromise of the keys fully compromises the secrecy of the PS3 platform permanently, as you can just follow the links down the chain (off-line, on a PC) and decrypt any past, current, or future firmware version. Current consoles must be able to use any future firmware update, and we now have access to 100% of the common key material of current PS3s, so it follows that any future firmware decryptable by current PS3s is also decryptable by anyone on a PC. However, the chain of trust can be re-established at any point along the line that can be updated. The chain of trust is safely rooted in hardware that is near impossible to modify (i.e. the CPU’s ROM and eFuse key). The next link down the chain has been compromised (bootldr), and this link cannot be updated as it is specific to each console, so the chain of trust now has a permanent weak second link. However, the third link, lv0, can be updated as it is located in flash memory and signed using public key crypto. This allows Sony to secure the entire chain from there onwards. Unless you find a vulnerability in these updated links, you will not be able to attack them directly (applications, e.g. homebrew software, are verified much further down the chain). The only guaranteed way to break the chain is to attack the weak link directly, which means using a flash writer to overwrite lv0. Once you do so, the entire chain collapses (well, you still need to do some work to modify every subsequent link to turn off security, but that is easy). If you have old firmware, you have at least some other weak links that, when compromised, allow you direct access to break the bootldr link (replacing lv0), but if you run up to date firmware you’re out of luck unless you can find a weakness or you use hardware. 連鎖認證的機制本來很安全，但弱點就是「不能有任何弱點」，有一個弱點，會 因為連鎖的關係導致全部的安全機制都無效。認證的起點在 CPU 裡面的 eFuse 金鑰，這個部份的安全性很夠，但才走到第二步 bootldr/metldr 這裡就失敗了 。連鎖的其他地方都是做在軟體上，所以有洞可以修，偏偏這 metldr/bootldr 是燒死的，所以沒救了。連鎖的第三步在 lv0 ，存在 flash 上頭，有洞可以修 ，所以 SONY 恐怕必須改寫整個連鎖認證的機制，把 bootldr 也排除在外才行。 這樣做還是不保險，因為 bootldr 被排除在連鎖之外，因此 lv0 加不加密都沒 用，破解陣營可以拿晶片燒錄器把自己改寫的 lv0 燒進 flash 裡面，然後照樣 歡樂地執行自己的程式。 Old PS3s are now in the same boat as an old Wii, and in fact we can draw a direct comparison of the boot process. On an old Wii, boot0 (the on-die ROM) securely loads boot1 from flash, which is securely checked against an eFuse hash, and boot1 loads boot2 but insecurely checks its signature. On an old PS3, the Cell boot ROM securely loads bootldr from flash, which is securely decrypted and checked using an eFuse key, and then bootldr loads lv0 but checks its signature against a hardcoded public key whose private counterpart is now known. In both cases, the system can be persistently compromised if you can write to flash, or if you already have code execution in system context (which lets you write to flash). However, in both cases, you need to use some kind of high-level exploit to break into the firmware initially, particularly if you have up-to-date firmware. It just happens that this is trivial on the Wii because there is no game patch system and Nintendo seems to have stopped caring, while this is significantly harder on the PS3 because the system software has more security layers and there is a game patch system. …. The name is presumably wrong – they would be the bootldr keys, as the keyset is considered to “belong” to the entity that uses those keys to check and decrypt the next thing down the chain – just like the metldr keys are the keys metldr uses to decrypt and verify other *ldrs, the bootldr keys are the keys bootldr uses to decrypt and verify lv0. Anyway, you’re confusing secrecy with trust. These keys let you decrypt any future firmware; as you say, if they were to “fix” that, that would mean new updates would not work on older machines. However, decrypting firmware doesn’t imply that you can run homebrew or anything else. It just means you can see the firmware, not actually exploit it if you’re running it. 要讓新韌體向下相容舊主機就得容忍漏洞存在，否則舊主機就不能玩新遊戲，我覺得 SONY 應該不敢這樣搞消費者。 The only trust that is broken by this keyset (assuming they are the bootldr keys) is the trust in lv0, the first upgradable component in the boot process (and both it and bootldr are definitely software, not hardware, but bootldr is not upgradable/replaceable so this cannot be fixed). This means that you can use them to sign lv0. Period. Nothing more, nothing less. The only things that these keys let you modify is lv0. In order to modify anything else, you have to modify everything between it and lv0 first. This means that these keys are only useful if you have write access to lv0, which means a hardware flasher, or an already exploited console, or a system exploit that lets you do so. …. Oh, one more thing. I’m assuming that these keys actually should be called the bootldr keys (as in the keys that bootldr uses to verify lv0), and that the name “lv0〃 is just a misnomer (because lv0 is, itself, signed using these keys). If this keyset is just what Sony introduced in lv0 after the original hack, and they are used to sign everything *under* lv0 and that is loaded *by* lv0, then this whole thing is not newsworthy and none of what I said applies. It just means that all firmwares *to date* can be decrypted. Sony will replace this keyset and update lv0 and everything will be back at step 1 again. lv0 is updatable, unlike bootldr, and is most definitely not a fixed root of trust (unlike metldr, which was, until the architecture hack/change wrapped everything in lv0). If this is the case, color me unimpressed. ….. by marcansoft on Wednesday October 24, @01:04AM (#41748707) Attached to: PS3 Encryption Keys Leaked Nevermind, I just checked. They are indeed the bootldr keys (I was able to decrypt an lv0 with them). Consider this confirmation that the story is not fake. -- ○ ____ _ _ _ _ ____ _ _ ____ _____ ____ 。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \ ｏ _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧ (____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★ ｏ -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 128.84.125.247