Advert

PMC_Banner_Small

Friday, January 29, 2010

How The PS3 Hypervisor Was Hacked, Now Fully Explained


'Root Labs' has put up a fairly technical coverage on just how GeoHot managed to hack the PS3's Hypervisor. So if you're a bit of a tech-head or just curious, then the article is definitely worth a read.

So here's their explanation of it, FULL CREDIT must be given to Rdist.root.org for the feature article:

How the PS3 hypervisor was hacked - Root Labs Explanation

George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

His approach is clever and is known as a “glitching attack“. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to setup the RAM to give a higher likelihood of success than it would first appear.

His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.

The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.

The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.

The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.

Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.

It will be interesting to see how Sony responds with future updates to prevent this kind of attack.

As reported on other sites, Sony is already looking into this Hack.

We will report any findings as Sony release them.

27 comments:

large file transfer said...

The Japanese electronics and entertainment conglomerate enjoys strong sales and healthy profit from its digital camera operations, its loss-making TV and video game businesses had until recently been major drags on its earnings.

sudarma said...

I love each and every product made by the Japanese as the technology and the honesty which is there in their work, the quality reveals it.

Night Sweating  said...

Japanese have a great mind and therefore i am a great fan of these people.They make out wonderful products which can even after you die.

P. Rozac said...

Police and the banking community are concerned about an armed robbery at the ASB Bank in Grey Lynn, which follows what a senior bank manager has described as "probably the highest number in history" of such robberies across New Zealand last year.

valentines day gifts for him said...

But while the FDA panel recommended that the warning label on Tamiflu be strengthened to note that psychiatric episodes linked to the drug’s use have resulted in serious injury or death, it also voted 8-6 to note that such reactions may be due solely to the influenza virus.

send large files said...

I have an opportunity to choose to do something we've never done. Doing different to create different. We can choose to face that fear which has held us captive for too long. We can stop waiting and procrastinating and start doing. We can stop feeling sorry for ourselves. We can stop justifying and rationalising all that destructive crap we do. We can get responsible and proactive instead of offended and hurt.

baby gifts said...

The product made by the Japanese are great and have got some the endurance feeling in it. It is not like the products from China which do not last for long.

build credit score said...

Japanese have a great mind and therefore this quality s also visible in their products. I can blindly pay for these products.

L. Ibido said...

The variety of different treatment options for a low female libido range anywhere from medication and/or counseling to simple lifestyle changes and herbal supplementation.Then again, the cause of your decreased desire for sex might be because of a physical or emotional problem.  Some of the physical problems might include hormone deficiency, going through menopause, stress, childbirth, raising kids, diabetes, as well as certain kinds of medications.

T. Rama said...

Japanese are great people in terms of mind as well as the quality of product they produce. They are great.

S. Trad said...

I do not know how and what to compare Japanese people with the rest of the world. They are unique.

D. Rad said...

Japanese people are always good at their work. Recently i had a problem in my business but one guy from Japan solved it easily.

valentines day gifts for him said...

But while the FDA panel recommended that the warning label on Tamiflu be strengthened to note that psychiatric episodes linked to the drug’s use have resulted in serious injury or death, it also voted 8-6 to note that such reactions may be due solely to the influenza virus.

send large files said...

I have an opportunity to choose to do something we've never done. Doing different to create different. We can choose to face that fear which has held us captive for too long. We can stop waiting and procrastinating and start doing. We can stop feeling sorry for ourselves. We can stop justifying and rationalising all that destructive crap we do. We can get responsible and proactive instead of offended and hurt.

chicago veneers said...

I have no doubt on the working ability of the Japanese people. They are great in each and every aspect.

seduce flirt  said...

The Japanese are always on the tp when it comes on to show their hard work and dedication. They are most loyal people towards their work.

replica handbags  said...

The Japanese electronics and entertainment conglomerate enjoys strong sales and healthy profit from its digital camera operations, its loss-making TV and video game businesses had until recently been major drags on its earnings.

high temperature wire said...

I love each and every product made by the Japanese as the technology and the honesty which is there in their work, the quality reveals it.

aloe based skin care said...

I love each and every product made by the Japanese as the technology and the honesty which is there in their work, the quality reveals it.

chicago personal injury attorneys said...

Japanese, when it comes to show out their skills and sincerity towards their work, they are the best.

video game consoles said...

According to me, Japanese are god gifted with the talent specially in the production of electrics.

Get Your Ex Back said...

The Japanese are the most dedicated people in the world for their work. Whatever the case may be, they always stand out for the first position.

Magic of Making Up said...

Doing different to create different. We can choose to face that fear which has held us captive for too long. We can stop waiting and procrastinating and start doing. We can stop feeling sorry for ourselves. We can stop justifying and rationalising all that destructive crap we do. We can get responsible and proactive instead of offended and hurt.

Six Pack Abs said...

We can stop waiting and procrastinating and start doing. We can stop feeling sorry for ourselves. We can stop justifying and rationalising all that destructive crap we do. We can get responsible and proactive instead of offended and hurt.

designer replica shoes said...

replica cheap brand handbags wholesale web store online

gaybondage said...

i want to have PS3 in my home

B. Jack said...

Japanese electronics and entertainment conglomerate enjoys strong sales and healthy profit from its digital camera operations, its loss-making TV and video game businesses had until recently been major drags on its earnings.