EurAsia - your console hacking resource
EurAsia forum: Index » PS3 » Project: CFW on PS3 Super Slim (4k)
modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34057 posted 2014-08-27 @ 12:43 GMT
After releasing 3k3y firmware v2.11 beta (with OFW 4.55 support) and losing interest in the ODE "cat & mouse" game with Sony (OFW 4.60 and 4.65), I have spent the past few weeks researching and dumping raw data in an ongoing project to extract lv0.2 keys via bootldr.

What is required to install CFW on PS3 Super Slim (4k)?


Added lv0.2 to the crypto chain diagram which is how it works on PS3 Super Slim (4k).

Quote:
NEW consoles only: metadata lv0.2 (signed with nonrandomfail key) is used to check lv0 integrity



As I figured it (please correct me if I'm wrong), we need the keys for lv0.2, which are held by bootldr. Some claim that bootldr is "Per Console Encrypted at factory", but I have my doubts about that; either way, as long as we can get that key on one specific console, it is enough for our purpose. More on that later.

What it boils down to is this (using CORE_OS data from OFW 4.65 in this test case)...

Code:
scetool -v -d lv0.2 foo2.out
scetool 0.2.9 <public build> (C) 2011-2013 by naehrwert
NP local license handling (C) 2012 by flatz

[*] Loaded keysets.
[*] Loaded loader curves.
[*] Loaded vsh curves.
[*] Using keyset [lv0ldr 0x0000 00.00]
[*] Error: Could not decrypt header.



We need this to succeed in order to reach the final goal of installing CFW on PS3 Super Slim (4k).


This is how it looks for lv0 (where we have the keys already).

Code:
scetool -v -d lv0 foo.out
scetool 0.2.9 <public build> (C) 2011-2013 by naehrwert
NP local license handling (C) 2012 by flatz

[*] Loaded keysets.
[*] Loaded loader curves.
[*] Loaded vsh curves.
[*] Using keyset [lv0ldr 0x0000 00.00]
[*] Header decrypted.
[*] Data decrypted.
[*] ELF written to foo.out.



Now that's a lot better...


My dumps include data from most of the PS3 4k chipsets. This was *NOT* collected by sniffing a bus (or several) in a conventional way, so even if the targeted key is embedded in silicon, as long as it is processed/executed internally by any kind of microcode I might be able to catch it. At this point I don't want to reveal exactly how the data was obtained; it is a method of my own design based on several known side channel attacks. The intention is to release the method eventually.



I can clearly see the first steps during PS3 4k boot in the dumps, the syscon init of the CELL; things are a lot slower in the initial boot process, MHz rather than GHz.

http://www.psdevwiki.com/ps3/Boot_Order


What I'm trying to code right now is a clever python script that will parse the raw data and test potential keys by decrypting lv0.2 in a loop.

To be honest, chances are probably slim (phun intended) this will succeed even with the collected data and a clever method to test keys, but the final goal makes this project exciting no matter what the odds are!


I'm really hoping this project can be a collaboration without the usual fanboy drama, so if you have ideas or info, want to point out mistakes, or just cheer on, then go ahead and reply to this forum topic.

[ This message was edited by modrobert on 2014-08-27 @ 13:09 GMT ]
  _____________________________ ____________     __________________ /\________
  \    __________________      \      _____/____/     _    \       /_        /
 /     /       |       l/     _/    ____)     _/      _     \     \/  cREAM /
/______________l_______/       \______________\_______|      \_   /________/
 -+--Mo!-------------- \________/ ------------------- l_______/_____\ -----+-

iCEQB (private, registered 2008-02-25, 5 messages)
#34059 posted 2014-08-27 @ 15:09 GMT
bootldr is encrypted per console with a unique key which CELL holds.

IF lv0.2 is indeed decrypted by bootldr, then bootldr does signature checks as well, which carries on for the rest of the bootchain.

This means, IF you manage to get the lv0.2 keys, you might be able to decrypt it, but not sign it, because the ECDSA fail is long gone.

So no matter where you try to exploit the system during boot, past the bootldr stage, you won't get far because of the signatures you can't produce for patched files.

The only way I see it going down is to get the unique console key to encrypt a patched bootldr, which keeps booting into an unsigned bootchain.
I don't know whether bootldr is signed or IF CELL is capable of checking signatures, but afaik and iirc, bootloader is "just" encrypted with the keys inside the on-die bootrom of the CELL.

I heard rumors every now and then of a 360 like glitcher, which exploits the console during boot to execute an unsigned loader.

Or the other way around is to exploit the system during runtime ... something like HEN for PSP.

Regards

[ This message was edited by iCEQB on 2014-08-27 @ 15:18 GMT ]

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34061 posted 2014-08-27 @ 15:48 GMT
iCEQB,

Thanks for the info.

Ok, so I need to dump bootldr (NAND at offset 0x000000, NOR at offset 0xFC0000) from the flash and decrypt that in my loop test. If the key is unique per console, and it is possible to reproduce key extraction on another console, then I can design a cheap device to do the bootldr key extraction.

What is a suitable string to look for (or add weight to statistically) in the bootldr data when doing the decrypt test loop? 'SCE'?

[ This message was edited by modrobert on 2014-08-27 @ 15:53 GMT ]
iCEQB (private, registered 2008-02-25, 5 messages)
#34062 posted 2014-08-27 @ 16:06 GMT
Dunno, you have the decrypted bootldr on hand.
"Sony Computer Entertainment Inc" shows up pretty often in their system-related files ... but afaik this would only appear inside an isolated SPE, because bootldr and metldr never leave the CELL if I'm not mistaken.

You need a way to expose the boot ROM keys ... if that can be reproduced on other consoles w/o any decapping (or whatever you are doing) then we might have something to look forward to for the broad audience.

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34064 posted 2014-08-27 @ 17:46 GMT
After thinking a bit more, should probably add weight to PPC assembler opcodes in the decrypt test routine.
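The decrypt-test loop discussed in the last few posts needs a way to tell a correct decryption from garbage without knowing the plaintext in advance. The following is an added example, not modrobert's script: a stdlib-only Python scorer that weights the marker strings named in the thread ('SCE', 'Sony Computer Entertainment Inc') together with the PowerPC primary-opcode distribution and byte entropy of a candidate buffer. The weights and both sample buffers are constructed for illustration and are not bytes from any real bootldr or lv0 image.

```python
"""Plausibility scorer for a decrypt-test loop: given one candidate
decryption of a boot-chain blob, how much does it look like real PowerPC
code and SCE-style data rather than the noise a wrong key produces?

Added example (not modrobert's code). Marker strings are the ones named in
the thread; the opcode sets are PowerPC primary opcodes (top 6 bits of each
big-endian 32-bit word); the weights are an assumption for illustration."""
import math
import random
from collections import Counter

# Primary opcodes that account for most words in real PPC code.
COMMON_PPC_PRIMARY = frozenset({
    14, 15,                       # addi, addis (li/lis)
    16, 18, 19,                   # bc, b/bl, CR ops and blr/bctr forms
    20, 21, 24, 28,               # rlwimi, rlwinm, ori (nop), andi.
    31,                           # X-form integer ops: mflr, mtlr, add, or, cmp ...
    32, 34, 36, 37, 38, 40, 44,   # lwz, lbz, stw, stwu, stb, lhz, sth
    58, 61,                       # ld, std (64-bit Cell PPE code)
})
# Primary opcodes the architecture leaves undefined; many of these means "not code".
RESERVED_PPC_PRIMARY = frozenset({0, 1, 5, 6, 9, 22, 57, 60, 62})
MARKERS = (b"SCE", b"Sony Computer Entertainment Inc")
WEIGHTS = {"opcode": 0.5, "marker": 0.3, "entropy": 0.2}  # assumption


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for ciphertext or noise, well below for code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def ppc_opcode_score(buf):
    """Fraction of big-endian words with a common primary opcode, minus the
    fraction with an undefined one. Random bytes land near 0.3 - 0.14."""
    words = [int.from_bytes(buf[i:i + 4], "big") for i in range(0, len(buf) - 3, 4)]
    if not words:
        return 0.0
    primaries = [w >> 26 for w in words]
    common = sum(p in COMMON_PPC_PRIMARY for p in primaries)
    reserved = sum(p in RESERVED_PPC_PRIMARY for p in primaries)
    return (common - reserved) / len(words)


def marker_score(buf):
    """Share of the known marker strings present in the candidate (0.0 to 1.0)."""
    return sum(m in buf for m in MARKERS) / len(MARKERS)


def score_candidate(buf):
    """Weighted plausibility; higher means more code-like. Also returns the parts."""
    parts = {
        "opcode": ppc_opcode_score(buf),
        "marker": marker_score(buf),
        "entropy": 1.0 - shannon_entropy(buf) / 8.0,
    }
    parts["total"] = sum(WEIGHTS[k] * parts[k] for k in WEIGHTS)
    return parts


def rank_candidates(candidates):
    """candidates: dict name -> candidate plaintext. Returns (name, total), best first."""
    scored = ((name, score_candidate(buf)["total"]) for name, buf in candidates.items())
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed test data: a hand-encoded PPC prologue/epilogue (not bytes from
# any real firmware), repeated, followed by the two marker strings.
PPC_CODE = bytes.fromhex(
    "9421FFC0"  # stwu  r1,-0x40(r1)
    "7C0802A6"  # mflr  r0
    "90010044"  # stw   r0,0x44(r1)
    "3C601234"  # lis   r3,0x1234
    "38635678"  # addi  r3,r3,0x5678
    "48000001"  # bl    .
    "80010044"  # lwz   r0,0x44(r1)
    "7C0803A6"  # mtlr  r0
    "38210040"  # addi  r1,r1,0x40
    "4E800020"  # blr
)
GOOD_CANDIDATE = PPC_CODE * 4 + b"SCE\0" + b"Sony Computer Entertainment Inc\0"
_rng = random.Random(1234)  # deterministic stand-in for a failed decryption
NOISE_CANDIDATE = bytes(_rng.getrandbits(8) for _ in range(len(GOOD_CANDIDATE)))

if __name__ == "__main__":
    for name, total in rank_candidates({"good": GOOD_CANDIDATE, "noise": NOISE_CANDIDATE}):
        print(f"{name}: {total:+.3f}")
```

In a real loop the same scorer would run over every candidate plaintext and only the top-ranked few would be kept for manual inspection.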
Abkarino (private, registered 2006-01-01, from Egypt, 9 messages)
#34066 posted 2014-08-27 @ 23:04 GMT
Quote:
On 2014-08-27 @ 17:46 GMT, modrobert wrote:
After thinking a bit more, should probably add weight to PPC assembler opcodes in the decrypt test routine.



Hi modrobert, I hope that you can finish this great process to hack the unhackable consoles this way.
I think that you must read this topic very well in ps3devwiki, which talks about how the bootloader was dumped using a bootloader exploit by JhonNadia, and you can read the part about the hardware modchip / glitcher that maybe could be produced to improve this hack and apply it to unhackable consoles.
Dumping Bootloader

Abkarino (private, registered 2006-01-01, from Egypt, 9 messages)
#34067 posted 2014-08-27 @ 23:19 GMT
BTW here are links to 2 unencrypted bootloaders that may help you in your research:

Bootloader unencrypted dump 1

Bootloader unencrypted dump 2

Best regards


modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34071 posted 2014-08-28 @ 04:29 GMT
Abkarino,

Thanks a lot, got plenty of "good strings" to look for now.

I already have the first bootloader dump there, linked by a nice guy (not sure if he wants to be mentioned here?) on IRC last night, but I didn't have the second one. The "dumping bootloader" wiki page looks interesting, will be useful after checking if the collected side channel data dumps are worthless or not.

[ This message was edited by modrobert on 2014-08-28 @ 05:44 GMT ]
boxcutter (general, registered 2006-04-17, from Europe, 1703 messages)
#34072 posted 2014-08-28 @ 06:46 GMT
Slightly off-topic maybe,

I noticed that the boards, at least for fat & slim, have testpoints that include a couple of UARTs.
Has anybody tried sniffing them to see if it outputs any kind of boot messages?


Abkarino (private, registered 2006-01-01, from Egypt, 9 messages)
#34073 posted 2014-08-28 @ 07:00 GMT
Quote:
On 2014-08-28 @ 04:29 GMT, modrobert wrote:
Abkarino,

Thanks a lot, got plenty of "good strings" to look for now.

I already have the first bootloader dump there, linked by a nice guy (not sure if he wants to be mentioned here?) on IRC last night, but I didn't have the second one. The "dumping bootloader" wiki page looks interesting, will be useful after checking if the collected side channel data dumps are worthless or not.

[ This message was edited by modrobert on 2014-08-28 @ 05:44 GMT ]



You are welcome modrobert,
I think that the JN exploit still exists and is valid for unhackable consoles aka 3K - 4K, but since we cannot run a CFW on it now to dump the bootloader or exploit it, you can try its theory for a hardware glitcher. I'm in contact with a person who works in a company that produces E3 Team products and he confirmed to me the rumoured PS3 Glitcher by E3 Team, but he told me that this project was stopped and cancelled because the main guy behind it had left.

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34074 posted 2014-08-28 @ 07:38 GMT
boxcutter,

Hmm, maybe one is for syscon, and it could also be for XDR DRAM?

Quote:
In addition, each chip has a low-speed serial bus used to determine its capabilities and configure its interface. This consists of three shared inputs: a reset line (RST), a serial command input (CMD) and a serial clock (SCK), and serial data in/out lines (SDI and SDO) that are daisy-chained together and eventually connect to a single pin on the memory controller.




Abkarino,

Yes, I remember reading about a glitcher from E3 Tech a while back.


On Xbox 360 the CELL supports fuses (IBM tech) to prevent flash downgrades by burning a few every update, effectively setting a bitmap which can be read. I was thinking, maybe these fuses are used on PS3 4k to set the bootldr key at the factory, thus making it unique per console?

Abkarino (private, registered 2006-01-01, from Egypt, 9 messages)
#34075 posted 2014-08-28 @ 08:22 GMT
Quote:
On 2014-08-28 @ 07:38 GMT, modrobert wrote:
boxcutter,

Hmm, maybe one is for syscon, and it could also be for XDR DRAM?

Quote:
In addition, each chip has a low-speed serial bus used to determine its capabilities and configure its interface. This consists of three shared inputs: a reset line (RST), a serial command input (CMD) and a serial clock (SCK), and serial data in/out lines (SDI and SDO) that are daisy-chained together and eventually connect to a single pin on the memory controller.




Abkarino,

Yes, remember reading about a glitcher from E3 Tech a while back.


On Xbox 360 the CELL supports fuses (IBM tech) to prevent flash downgrades by burning a few every update effectively setting a bitmap which can be read. I was thinking, maybe these fuses are used on PS3 4k to set the bootldr key at factory, thus making it unique per console?



Yes, maybe you are right. I hope that you can investigate well in this field; anyway, I think that you must look well into the JN theory and try to apply it, since it seems that it is still working on the Super Slim 4K.
BTW, I had a long chat with T.A. before about this subject and he said that this may be applicable; also I talked to flatZ about this and from the software POV it is applicable once the valid hardware is developed.
I hope that you P.M. me your Skype account so we can talk there better.

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34076 posted 2014-08-28 @ 08:59 GMT
I just PM'd my TorChat ID; I don't trust Skype after Microsoft bought them and removed the existing encryption.
boxcutter (general, registered 2006-04-17, from Europe, 1703 messages)
#34077 posted 2014-08-28 @ 11:18 GMT
Don't trust Tor, governments own most hubs!

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34078 posted 2014-08-28 @ 12:48 GMT
Yes, I know the Tor network as a project was started and funded by the US Navy, that's even officially mentioned on their website, but the interesting part in TorChat is the end-to-end encryption, a separate layer, so it doesn't matter what the underlying Tor nodes tap or not. In other words, the Tor network just adds a bit of IP address obfuscation to TorChat, which uses its own encryption on top of that.

Besides, I know who the TorChat developer is, prof7bit, well known in the Bitcoin community. Also, that he moved the project from Google Code to GitHub because Google blocked downloads of TorChat in some countries, so he must be doing something right with the client. Last but not least, the client is open source, so you can check what it does.

Skype on the other hand offers nothing of that, and what could possibly be Microsoft's reason to remove existing encryption that was in the client for years before they bought the company? Whatever the reason, it can't be good for the end user.

A bit off topic, still, it's not easy if you really want to be private on the internet, so knowing more about the communication tools is good.

[ This message was edited by modrobert on 2014-08-28 @ 13:27 GMT ]
Abkarino (private, registered 2006-01-01, from Egypt, 9 messages)
#34079 posted 2014-08-28 @ 13:55 GMT
Quote:
On 2014-08-28 @ 12:48 GMT, modrobert wrote:
Yes, I know the Tor network as a project was started and funded by the US Navy, that's even officially mentioned at their website, but the interesting part in TorChat is the end-to-end point encryption, separate layer, so it doesn't matter what the underlying Tor nodes taps or not. In other words, the Tor network just adds a bit of IP address obfuscation to TorChat which uses its own encryption on top of that.

Besides, I know who the TorChat developer is, prof7bit, well known in the Bitcoin community. Also, that he moved the project from Google Code to GitHub because Google blocked downloads of TorChat in some countries, so he must be doing something right with the client. Last but not least, the client is open source, so you can check what it does.

Skype on the other hand offers nothing of that, and what could possibly be Microsoft's reason to remove existing encryption that was in the client for years before they bought the company? Whatever the reason, it can't be good for the end user.

A bit off topic, still, it's not easy if you really want to be private on internet, so knowing more about the communication tools is good.

[ This message was edited by modrobert on 2014-08-28 @ 13:27 GMT ]



Thank you so much modrobert, I'll also use TorChat to contact you.

Geremia (private, registered 2006-04-23, 1 message)
#34080 posted 2014-08-29 @ 20:14 GMT
rtl-sdr

windrider (private, registered 2007-03-25, from AB, 24 messages)
#34082 posted 2014-08-30 @ 04:59 GMT
Keep digging modrobert. Work with these guys and find a way.

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34083 posted 2014-08-30 @ 08:16 GMT
windrider,

Thanks.


Geremia,

Yes, you are definitely on the right track there with 'rtl-sdr'. I guess my waterfall plot gave it away.

I had some other pm replies guessing Acoustic Cryptanalysis which wasn't bad either, someone also mentioned "ground plane attack" which basically measures voltage diffs. They are all good guesses, and I've used bits and pieces from all those techniques.

My idea was to hook up a rtl-sdr device to the PS3 4k between chassis and real ground (yes, I actually have a two meter copper rod buried in my lawn) using the antenna leads. First I had to make sure the PS3 4k chassis wasn't grounded in the outlet, and that no video out or USB connector was hooked up to ground indirectly via other hardware. If you want to try this, make sure that the rtl-sdr antenna leads are the only lead between the PS3 mobo/chassis and real ground. Before connecting the rtl-sdr antenna leads I measured the voltage on the PS3 chassis which peaked at around 1.8V which was safe enough, didn't want to blow it up on the first try.

This method will effectively turn your console into an "active antenna" leaking all kinds of interesting data across the rtl-sdr frequency spectrum (between 24 - 1766 MHz). After hooking it up, I started using gqrx on my laptop to look for signal peaks while the PS3 4k was turned on. After finding a peak I just powered off the PS3 completely and turned it back on; using the waterfall plot you've seen in my first post I can see if there is something interesting happening during boot and verify that the signal is indeed coming from the PS3. In a similar way I learned to distinguish between the PS3 BD drive, GPU and CPU, which pop up at different frequencies. Then I dumped the data (I/Q recording) that looked interesting and made a note of the frequency. You also get reflected signals of some chipsets, so after searching some more a better "version" of the same signals from booting the PS3 might appear at a different frequency.




It's hard to describe the incredible feeling when you tune into a good signal and start watching the waterfall plot revealing opcodes, register bits and what might be stack contents. The Acoustic Cryptanalysis paper (PDF) has a lot of good info on how to interpret the output from various window functions in the plot.




What I'm coding right now is a gnuradio-companion block which will filter and test the dumped data for decryption keys against encrypted PS3 data. This turned out to be a lot harder than I expected; the human brain is better at finding interesting signals and deciphering bits in a visual history plot than a computer program is, but with the amazing GNU Radio software you get a lot of signal processing for free in the form of existing blocks/modules. Computers are indeed dumb, but fast, as Feynman pointed out.

If this method produces anything useful, there is nothing stopping us from testing it on PS4, Xbox One and Wii U, right?

[ This message was edited by modrobert on 2014-08-30 @ 11:24 GMT ]
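To make the "I/Q recording" and waterfall step above concrete, here is an added example that is not modrobert's grc block: it parses an rtl_sdr-style raw capture (assumed format: interleaved unsigned 8-bit I and Q samples with zero level 127.5), builds the waterfall rows with a stdlib FFT, and flags the frames in which one bin rises above that frame's noise floor, which is what a boot-time peak looks like in gqrx. The capture is constructed in the code, not a PS3 recording; the FFT size, tone bin and 20 dB threshold are assumptions.

```python
"""Waterfall and burst detector for an rtl_sdr raw I/Q capture.

Added example (not modrobert's code). Assumes rtl_sdr's raw file format:
interleaved unsigned 8-bit I and Q, zero level at 127.5. Stdlib only; the
capture is constructed so the example runs offline."""
import cmath
import math

FFT_SIZE = 64              # bins per waterfall row (assumption)
TONE_BIN = 12              # where the constructed "boot activity" tone sits
TONE_FRAMES = range(3, 6)  # frames that carry the tone (the console "booting")


def iq_from_rtlsdr_bytes(raw):
    """Interleaved uint8 I,Q -> complex samples scaled to [-1, 1]."""
    if len(raw) % 2:
        raise ValueError("odd byte count: stream is not I/Q pairs")
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw), 2)]


def fft(x):
    """Recursive radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    if n & (n - 1):
        raise ValueError("FFT size must be a power of two")
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def waterfall(samples, fft_size=FFT_SIZE):
    """One row (per-bin power in dB) per non-overlapping frame of fft_size samples.
    Rows are fftshifted so bins run from -fs/2 to +fs/2, as gqrx draws them."""
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * i / fft_size) for i in range(fft_size)]
    rows = []
    for start in range(0, len(samples) - fft_size + 1, fft_size):
        frame = [s * w for s, w in zip(samples[start:start + fft_size], hann)]
        power = [10 * math.log10(abs(c) ** 2 / fft_size + 1e-12) for c in fft(frame)]
        rows.append(power[fft_size // 2:] + power[:fft_size // 2])
    return rows


def detect_bursts(rows, threshold_db=20.0):
    """Rows whose strongest bin stands threshold_db above that row's median
    (the noise floor). Returns (row_index, shifted_bin, excess_db) tuples."""
    events = []
    for idx, row in enumerate(rows):
        floor = sorted(row)[len(row) // 2]
        peak = max(range(len(row)), key=row.__getitem__)
        excess = row[peak] - floor
        if excess >= threshold_db:
            events.append((idx, peak, excess))
    return events


def make_capture(frames=8, fft_size=FFT_SIZE, tone_bin=TONE_BIN, tone_frames=TONE_FRAMES):
    """Constructed rtl_sdr-style byte stream: low-level deterministic noise in
    every frame, plus a clean on-bin tone during tone_frames."""
    raw = bytearray()
    state = 12345  # tiny LCG so the capture is reproducible without random
    for f in range(frames):
        for n in range(fft_size):
            if f in tone_frames:
                phase = 2 * math.pi * tone_bin * n / fft_size
                i, q = 127.5 + 100 * math.cos(phase), 127.5 + 100 * math.sin(phase)
            else:
                state = (1103515245 * state + 12345) & 0x7FFFFFFF
                i = 125 + (state >> 16) % 6  # 125..130, centred on 127.5
                state = (1103515245 * state + 12345) & 0x7FFFFFFF
                q = 125 + (state >> 16) % 6
            raw += bytes((int(round(i)), int(round(q))))
    return bytes(raw)


def burst_frames(raw=None):
    """(row, shifted_bin, excess_db) for every burst in the capture."""
    raw = make_capture() if raw is None else raw
    return detect_bursts(waterfall(iq_from_rtlsdr_bytes(raw)))


if __name__ == "__main__":
    for idx, b, db in burst_frames():
        print(f"frame {idx}: bin {b - FFT_SIZE // 2:+d}, {db:.1f} dB above floor")
```

For a real recording, pass the file contents to burst_frames(); the positive shifted bin maps to a frequency of (bin - FFT_SIZE/2) * sample_rate / FFT_SIZE relative to the tuned centre.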
modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34084 posted 2014-08-30 @ 20:39 GMT
If you want to try this and "tune into your console", then I recommend this free software:

SDR (Software Defined Radio)

http://gqrx.dk/ (Linux/Mac)
http://sdrsharp.com/ (Windows)

Development: http://gnuradio.org/ (Linux & partial Mac/Windows support)


The hardware you need is a DVB-T dongle based on the RTL2832U chipset, they are cheap and easy to find, lots of brands to choose from, I got this one:

http://www.dx.com/p/170541
crispycritter911 (general, registered 2004-08-17, 1857 messages)
#34085 posted 2014-08-31 @ 02:17 GMT
Have you thought about a Faraday cage to help with any background noise, or try dividing sections of the board with miniature cages? Any issues with the cooling fan motor generating unwanted noise?

modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34086 posted 2014-08-31 @ 06:31 GMT
Quote:
On 2014-08-31 @ 02:17 GMT, crispycritter911 wrote:
Have you thought about a faraday cage to help with any back ground noise or try dividing sections of the board with miniature cages? Any issues with the cooling fan motor generating unwanted noise?



That would probably be a good approach if I was receiving emissions from a distance (air gap), but in this case the rtl-sdr device antenna leads are directly hooked up between PS3 chassis and ground (with PS3 otherwise isolated from ground), so a faraday cage would be bypassed by the circuit. However, it might help with reflections (signals showing up on several frequencies).

What I try to do when identifying signals is to use moments when some chipsets are inactive while others aren't (eg. early boot), or better, remove parts from the circuit completely when possible. I also use chipsets extensively to identify. For example, when I find a signal peak, I mount a BD disc and watch the signal when the drive spins up, if it changes a lot and starts to show stuff in sync with servo movements, controller, coils charged up etc., then I know that it is the drive. The pattern is also useful to remember, if it shows up in signals on other frequencies as interference.

The frequency range of these rtl-sdr devices is huge, 24 MHz - 1766 MHz, so interference hasn't been a major issue so far. After searching for a while I can find a relatively clean signal of some part I have identified during boot cycle or otherwise.


I realized last night that I should write homebrew code on my other PS3 with CFW that just executes one PPC assembler instruction (opcode) thousands of times in sequence (not in a tight loop though, because that involves branches). While doing that I have to dump the signal to map out the opcodes, and make a signature system for each opcode so it can be identified by my grc block program (and a visual waterfall screenshot so I can remember the signal in my head as well). Then, using opcodes on one specific register at a time, map out those with bit contents, and the stack, and so on. Imagine the possibilities when having a "waterfall view" where it's raining opcodes (disassembly) and register contents rather than signal dots. Sure, it will be random opcodes from execution at best, with gaps (incomplete disassembly), but all we need is a single register (or stack) content at some point early on in the boot regarding the keys.

[ This message was edited by modrobert on 2014-08-31 @ 07:17 GMT ]
iCEQB (private, registered 2008-02-25, 5 messages)
#34089 posted 2014-08-31 @ 10:29 GMT
Very interesting approach!
Can you show us how the output looks when you are looking for strings or something?
Something familiar that the average joe would recognise.

Also, is it possible to focus on the cell? Only receive what the CPU is doing?
I ask in case the unique console key ever gets exposed in isolated SPU mode.

I don't know if the cell has a hw crypto engine or not, but if so I can't imagine we ever get the key out of there, because it's hard burned into the CPU and probably never leaves its location (?)

On the other hand I don't know what exactly you can sniff with this method.

Regards,
iCEQB


modrobert (donor, registered 2003-10-17, from Bangkok, 6223 messages)
#34090 posted 2014-08-31 @ 11:35 GMT
Yes, the CELL (PPC CPU) appears to be an isolated signal cluster, you can see it from a "zoomed out perspective" in my previous black & white waterfall image, it's on both sides of the bright white vertical line there, with what appears to be registers or cache of some sorts (stack?) flanking each side where single bits seem to change over time (vertical axis).

To understand it better you really need to see a video of the signal in action (also with audio for added effect), or try it yourself. I can upload a video later to youtube if I figure out some smart way of doing it.

All keys have to be processed by some CPU/GPU/MCU somewhere during boot (from the power-on moment) or they can't be used for decryption. These are not memory dumps, and not bus dumps either, but rather detailed boot logs with signal fragments of a targeted chipset operating with a clock oscillator. Depending on oscillator speed and other factors the signals appear at different frequencies, which is great for us, since we get CPU, GPU, memory controller, BD drive, etc., appearing on different frequencies.

To get an idea what you are looking at when doing this you need to check the signal screenshots/images in the Acoustic Cryptanalysis paper (PDF). They have some examples there identifying the keys in PGP decryption from a computer by just using audio dumps from a standard microphone at a distance, which looks really hard to do because their data is filled with noise and looks really fuzzy compared to the signals I dumped via rtl-sdr from the PS3, which are clear and detailed in comparison.

[ This message was edited by modrobert on 2014-08-31 @ 11:36 GMT ]
  _____________________________ ____________     __________________ /\________
  \    __________________      \      _____/____/     _    \       /_        /
 /     /       |       l/     _/    ____)     _/      _     \     \/  cREAM /
/______________l_______/       \______________\_______|      \_   /________/
 -+--Mo!-------------- \________/ ------------------- l_______/_____\ -----+-

futaris (private)
Registered: 2003-12-10
Messages: 1
Status: Offline
#34091 posted 2014-09-03 @ 01:21 GMT
Wow. Interesting Approach!

modrobert (donor)
Registered: 2003-10-17
From: Bangkok
Messages: 6223
Status: Offline
#34092 posted 2014-09-03 @ 10:38 GMT
Thanks for the help so far, here and on IRC, not sure how to proceed though.

I keep receiving hints about an upcoming lawsuit by some people privately, at the same time getting help from PS3 hackers in many different ways. Unfortunately this also includes being fed like a "fall guy" with existing PS3 information no one else dare to release it seems.

When starting this project I assumed that there was a lot of RE work needed to reach the goal of installing CFW on PS3 Super Slim (4k), but after getting extensive feedback the past week, it seems like this information is already known, but deliberately not used/finalized, either out of fear or other reasons.

The rtl-sdr side channel method I'm trying to develop here is far from complete, haven't even started to test the decryption with collected data yet, still developing the grc stream block by identifying signatures of opcodes, registers, stack, etc. However, I'm starting to feel this is time wasted, at least on PS3.

Let me know what you think.

TheWhiteTyger (private)
Registered: 2014-09-02
From: Internet, where else?
Messages: 2
Status: Offline
#34093 posted 2014-09-03 @ 18:18 GMT
Quote:
On 2014-09-03 @ 10:38 GMT, modrobert wrote:
Thanks for the help so far, here and on IRC, not sure how to proceed though.

I keep receiving hints about an upcoming lawsuit by some people ...

...this information is already known, but deliberately not used/finalized, either out of fear or other reasons.

However, I'm starting to feel this is time wasted, at least on PS3.

Let me know what you think.



modrobert, first forgive me for the EXTREMELY long reply. But either way you are already on $ony's shit-list because a name was put to these methods. What you outta do is continue your work, and continue to document your findings to the public so others may learn and do their own work. Instead of releasing a "final" product, split it up and allow others to piece the "final" results together themselves or allow someone else to put it together and release it in a nice little "do-it-yourself" package. You can't be arrested for educational work, trying to learn how computer systems work as a whole. (Not yet anyways, they are trying to change that as well)

Also, do it to get rid of these "dongle-makers" because they profit off of work like yours and they are stealing from everyone including the end users because what should be free is instead sold to those who have the means to buy.

No one wants to be arrested, but greedy companies are trying to do whatever they can to scare people like you from unraveling their "lies" and forcing them to lose money. They claim that we are doing harm by "stealing money away from developers", however companies like that are forcing developers of great games to not be entitled to what they should be making. For example $ony is acting as a middle man by providing cheap, copied hardware (the PS4 was admitted to being a locked/watered down PC, they are not even trying to create anything new and useful) only giving a small percentage to the real game developers and keeping most of the overpriced game profits to themselves, using "pirating" to justify robbing more from people by making examples out of a certain few who are not able to defend themselves against their army of lawyers. All for what? To censor and silence people like you from revealing their lies. This applies to 95% of the companies of 'Murika and the world. (Likely the percentage is higher, I'm just trying to be generous)

That's why $ony is trying to "embrace" indie game developers suddenly, they have great ideas but they don't want to hire these people on permanently just for one game. Another means to save money for the overpaid higher-ups and not distribute their money to people that really need it.

$ony and other gaming companies are scared of you and they will use any means needed to try to "recoup" their losses, but all the while keeping prices for games high and furthering their own greed and using their customers to keep people like every CEO from getting a real job and doing real work. Every employee underneath is doing their job and making money all the while CEOs sit back and reap benefits.

$ony is a HUGE dongle-maker as in they are using their money and means to create a locked down PC to distribute games on, all the while robbing both the public and game developers of their money in some form or fashion.

$ony and video game companies may be needed to help make hardware to play the video games on, but they do not need to make as much money as they are, their prices need to be lowered and the only way that will ever happen is if something threatens to take away more money than they want to lose, and this is the means. This is a fight against greed and the ability to keep the power in consumers' hands and not allowing them to "dictate" to us what we should be able to do and what we shouldn't with what they sell to us and how much we have to pay them to get a little satisfaction out of a game until we get bored with said game and try to move on to the next "game" to come out.

This isn't something that is exclusive to one locked down game system, this is a means to prevent companies from profiting off of an idea that has been re-hashed and re-done so much (the computer) that it is now too complicated for computers to be made solely by the hands of one man. They are trying to force us to listen to their lie that they have made something new and exciting when it's just the re-hashed same thing but with prettier outer decorations and a little bit newer technology.

If they are allowed to continue, then in the future people won't know enough how to "unlock" computers and then all the public will be forced to listen and deal with "locked down" slavery. That is what a dictator does and throughout history man doesn't want one single dictator to tell us how we should spend our lives.

Look at television, companies are getting people to buy bigger TVs by shrinking the view of the picture and blaming it on "hardware" limitations when they can fix it and have a full picture on any TV. Instead of only buying one TV and waiting until it breaks to buy a new one, they get people to pay them more money for something that works fine but doesn't meet certain requirements of the TV viewer. In my eyes that's stealing because they do not tell people "it can be fixed" but instead get more money from those people by selling them a "fix" which shouldn't have been an issue in the first place. Now they have twice as much money, so they create more problems to get people to spend more money.


TL;DR Continue your work to force CEOs and other grossly over-paid "higher ups" to start using their money to keep their business going instead of always "stealing" more from us. It may not happen still, look at Hollywood.

This is an opinion based off facts, if anything stated here is not correct, please feel free to let me know otherwise so that I may correct it and others that read this won't get "lied" to. I am a nobody who wished to share my opinion, I'm a new user to this forum and I have no credit for any reason, you asked for thoughts and I wanted to share mine. Thanks for your time.

[ This message was edited by TheWhiteTyger on 2014-09-03 @ 18:20 GMT ]
420 is guud.

modrobert (donor)
Registered: 2003-10-17
From: Bangkok
Messages: 6223
Status: Offline
#34094 posted 2014-09-04 @ 06:49 GMT
I found some interesting arguments in your reply, and agree with most of them. However, there have been several lawsuits in the past regarding PS3 reverse engineering projects which were clearly started with the intention to be "educational", so that doesn't seem to help much unless you are backed by a powerful institution (e.g. a university); Fail0verflow (homebrew) and Graf Chokolo (Linux) come to mind.

Ironically, in this case, it might be worth the risk to continue if there were profits to be made, preferably enough to cover a potential lawsuit, this is sadly how it works in this world. In other words, "doing the right thing" would only be safe in a society based on ethics shared by the majority of people, not when the biggest wallet dictates the law.

I'm still thinking of a way forward, haven't given up completely yet.

[ This message was edited by modrobert on 2014-09-04 @ 07:09 GMT ]
playonlcd (private)
Registered: 2013-09-30
Messages: 14
Status: Offline
#34095 posted 2014-09-04 @ 07:19 GMT
If you are alone in this, you are just a drop in the ocean that will disappear the next day. If an institution/more people are representing/supporting you then you may be a wave in the ocean for a change, and become a geohot case which escaped by many donations... hard to see this nowadays...

Regarding the method used, I am thinking this can be applied to all other systems, making security nowadays more vulnerable (this I think is more dangerous than hacking PS3) or more secure, depending on investments...

If you are powerful enough to make it then just show a proof of concept that demonstrates the achievement and leave it like this; but then all the babies will doom you, requesting the solution, which are better than $ony lawyers


[ This message was edited by playonlcd on 2014-09-04 @ 07:20 GMT ]

[ This message was edited by playonlcd on 2014-09-04 @ 07:22 GMT ]

[ This message was edited by playonlcd on 2014-09-04 @ 10:14 GMT ]

TheWhiteTyger (private)
Registered: 2014-09-02
From: Internet, where else?
Messages: 2
Status: Offline
#34110 posted 2014-09-11 @ 20:23 GMT
Quote:
On 2014-09-04 @ 06:49 GMT, modrobert wrote:
Fail0verflow (homebrew) and Graf Chokolo (Linux) comes to mind.

In other words, "doing the right thing" would only be safe in a society based on ethics shared by the majority of people, not when the biggest wallet dictates the law.

I'm still thinking of a way forward, haven't given up completely yet.

[ This message was edited by modrobert on 2014-09-04 @ 07:09 GMT ]



After careful re-reading of all of the posts I regret that you are right in this case, and they will surely find "something" to stick to you regardless of the outcome. (Even if released except with one crucial part) I'm sure they would find some way to say that you stole money they haven't even made yet, like the MPAA bullshit argument. I recall those famous names, also I recall *ugh* George Hotz (GeoHot, the traitor that sold himself out to $ony) and how he made available his "patch", exclusively disabling the ability to play ISOs but allowing for home-brew; he still got bar time (jail).

There has to be another way, but in any case this is still a wonderful idea and I am glad someone has the means to continue this work. (For clarification, I have an unlocked PS3 already so I have no stake in this project except that I grow tired of people asking me how I got emulators on my Ps3 and I can't do it for any of theirs.)


damotheking (captain)
Registered: 2007-06-14
Messages: 164
Status: Offline
#34111 posted 2014-09-12 @ 12:55 GMT
indeed

iCEQB (private)
Registered: 2008-02-25
Messages: 5
Status: Offline
#34158 posted 2014-10-07 @ 21:31 GMT
Any updates on this biatch?

BadBoy17 (private)
Registered: 2014-10-05
Messages: 3
Status: Offline
#34159 posted 2014-10-08 @ 00:52 GMT
there is no lv0ldr ... lv 0 private key is lv0ldr, a key leaked by the musketeers, lv0 is decrypted by bootldr
I AM  GOING  to OPEN YOUR WORLD! ;)

Mulzaren (private)
Registered: 2014-10-07
Messages: 2
Status: Offline
#34160 posted 2014-10-08 @ 02:06 GMT
Well, when did already released firmware?

boxcutter (general)
Registered: 2006-04-17
From: Europe
Messages: 1703
Status: Offline
#34161 posted 2014-10-08 @ 02:31 GMT
just a thought,
if every console has its own key based on fuse-bits.
if we could find out how they function, maybe blow the lot.
set the key-seed to "FF / 00" or whatever!!!

have you done a patent search for the ps3 chips?


tjhooker73 (sgt)
Registered: 2012-10-10
From: usa
Messages: 49
Status: Offline
#34196 posted 2014-10-16 @ 06:26 GMT
Quote:
On 2014-10-08 @ 00:52 GMT, BadBoy17 wrote:
there is no lv0ldr ... lv 0 private key is lv0ldr, a key leaked by the musketeers, lv0 is decrypted by bootldr



It has been said many times before that the key they put out was the Bootldr key, not lv0. And I'm pretty sure it's only the pub-priv key, not the private key.

http://wololo.net/2012/10/25/clarifying-the-confusion-on-the-ps3-development/

B7U3C50SS (private)
Registered: 2014-08-30
Messages: 4
Status: Offline
#34197 posted 2014-10-17 @ 10:20 GMT
Okay so someone wants to know about the processor they use? The chip patent was it? Well I can help you narrow it down for good measure.

PS3.. still uses FreeBSD, OpenSolaris CSW, Oracle, Java, SUSE, Fedora, UNIX, Linux, and the SPARC processor. (not sure on the patent though) On every FW update this is all they do: change the Linux type and base off those factors (make it UNIX).

that stuff is all licensed by GNU ^

It seems this way to me at least. At least I think Deank has to have figured this out as well considering he used all these exact types of Linux distros to create multiMAN.

also deank never really used the psl1ght SDK from what I'm hearing
__________                   .___ ___________           .__            
\______   \ ____ _____     __| _/ \__    ___/___ ______ |__| ____      
 |       _// __ \\__  \   / __ |    |    | /  _ \\____ \|  |/ ___\     
 |    |   \  ___/ / __ \_/ /_/ |    |    |(  <_> )  |_> >  \  \___     
 |____|_  /\___  >____  /\____ |    |____| \____/|   __/|__|\___  > /\ 
        \/     \/     \/      \/                 |__|           \/  \/ 

iCEQB (private)
Registered: 2008-02-25
Messages: 5
Status: Offline
#34318 posted 2014-11-29 @ 22:01 GMT
Is this project still active?

B7U3C50SS (private)
Registered: 2014-08-30
Messages: 4
Status: Offline
#34326 posted 2014-12-08 @ 05:08 GMT
@iCEQB good question.
modrobert (donor)
Registered: 2003-10-17
From: Bangkok
Messages: 6223
Status: Offline
#34328 posted 2014-12-10 @ 11:49 GMT
The project is sleeping.
B7U3C50SS (private)
Registered: 2014-08-30
Messages: 4
Status: Offline
#34337 posted 2014-12-12 @ 09:47 GMT
LOL! I don't believe that for a minute, you guys... are HARD at work.. just somewhere else on the web. xD I know it.
B7U3C50SS (private)
Registered: 2014-08-30
Messages: 4
Status: Offline
#34408 posted 2015-02-14 @ 08:14 GMT
On second thought.. I maybe need to retract.. my former statement.. it has been a while since I posted that last comment after all. Sorry for the double post. Only just wanted to get the ball rolling again.

[ This message was edited by B7U3C50SS on 2015-02-14 @ 08:16 GMT ]
playonlcd (private)
Registered: 2013-09-30
Messages: 14
Status: Offline
#34799 posted 2016-02-23 @ 07:47 GMT
Seems they extrapolate this method for other encryption methods.

http://fossbytes.com/how-hackers-steal-decryption-keys-from-an-offline-laptop-in-another-room/

Any news on ps3, at least a demo?


[ This message was edited by playonlcd on 2016-02-23 @ 07:56 GMT ]

tozornox (private)
Registered: 2016-01-03
Messages: 1
Status: Offline
#34800 posted 2016-03-05 @ 21:27 GMT
Is this project dead???

[ This message was edited by tozornox on 2016-03-05 @ 21:31 GMT ]

All trademarks and copyrights on this page are owned by their respective owners.
Comments and forum messages are owned by the Poster.