Friday 4 February 2011

Intrusion Prevention: PS3 Re-Secured?

It was only a few months ago that the PS3’s much-heralded security system dramatically failed, resulting in hackers being able to sign their own homebrew code for the system.

The exploit, for those who don’t know, was based on the discovery of the software and hardware keys Sony uses for signing and authorising PS3 software. The company uses many keys to sign code, ranging from games to system updates, all of which are supposed to be kept secret behind strong cryptography. However, a fatal blunder on the part of Sony meant that this didn’t happen.

All anyone needed to do in order to extract the various keys was to find the random number used when signing them in the first place. With any signature scheme worth its salt, each file is signed using a fresh random number each time, and that is what prevents the key from being discovered. But, somewhat foolishly for Sony, this wasn’t the case. Instead, the random number used to sign every file was the same. In that case it is possible, using just two signatures and a simple equation, to reveal the private key used to sign the code.

Doing this led to the discovery of all the main keys used to sign off code for use on the PS3: the firmware, the games, and the entire system’s security were, in a single moment, cracked wide open. Just a few days later, the posting of the system’s master key made any solution to the problem look almost unworkable… at the time.

Now, it appears that, via firmware update 3.56, Sony has been able to find a resolution to this problem. But it’s far from being a permanent one, and how long it actually holds up remains to be seen.

A detailed post on PSX-Scene, by RMS, a PS3 software/homebrew developer, explains it clearly.

"Well, I’ve been on EFnet for a while now, and I’ve seen many people asking about PS3 Custom Firmware 3.56, well, let me put it in a simple manner, it’s not possible thanks to what Sony did with their ECDSA (Elliptic Curve DSA) cryptography, and the new PUP format along with Cell-OS Lv2 having some extra checks on SELF files now."

"See, when we used to get private keys for earlier fail ECDSA keyset revisions, a variable, r, in the ECDSA signature was static, thus allowing us to get the keys using the signature itself, now, Sony fixed this by making that variable random, so we can no longer use simple algebra to get the private key like before. Do note that to retrieve the older private keys, one needed to use 2 signatures, and simply compare them to get the private key. Now, for those who do not know about private keys and public keys and ERK/RIV, here’s a simple explanation: Private keys are used to create signatures, public keys are used to verify the signature’s authenticity. ERK/RIV is used to decrypt the encrypted SELF data."

"The new PUP format has 2 extra files, one consists of a new tarball with spkg_hdr1 files, ensuring package integrity, so one can no longer create rehashed pups anymore. Until the spkg format is deciphered, and they can be resigned, one’s pretty much stuck with Official Firmware. Core OS also has some new additions, appldr now checks your SELF revision for NPDRM, and Lv2 selfs, they either must be whitelisted or use the new revision 0x0D keyset in 3.56. Lv2 now will also refuse to load older updater or Lv2diag.self files that do not use the 0x0D keyset. Core OS also has two new revoke lists, prog_srvk and pkg_srvk. They have yet to be fully inspected."

"So, in the end, Sony pretty much fixed most of the fail, some’s still around though, go look for it. =)"

In simpler terms, as it turns out, while both the old public and private keys were revealed, with the 3.56 update Sony has replaced the old private keys with new ones. These new keys are apparently known only to the highest-ranking individuals at Sony. And it is these new private keys, in combination with a proper random number generator, that have finally allowed it to plug the hole.

Effectively, as long as the random number generation holds (and it should, barring another human error), all systems with this latest update will be mostly secure without hardware modification, that is, the flashing of the console’s NOR/NAND chips. Of course, without doing that, hackers could try to decrypt new games that require the update using the old hack, then patch and re-encrypt them to run, but only on older firmwares. Even that won’t work once the new public key comes into effect, nor will such games work on FW 3.56 or later.

That just leaves existing releases, which, since the old keys are freely available, are still susceptible to being run without proper authentication. However, there is no doubt that Sony is compiling a whitelist solution of sorts to the problem, seeing as changing this key would break compatibility with most, if not all, older games. As a result, it will still be possible to run unsigned code on PS3s that don’t have the 3.56 update. But on all consoles with the update, eventually only whitelisted and new code will be able to run; it won’t be possible to sign new code with the old keys.

However, even then there is still a sting in the tail. It will still be possible to get around these new security measures by flashing the internal NAND/NOR chips, allowing the latest firmware to be downgraded and new custom firmware installed.

Talking to next-gen.biz, Mathieu Hervais, a respected homebrew developer, elaborated on the issue.

"New keys were introduced in the 3.56 Firmware and code that is not whitelisted is now forced to use those keys. However, since the boot chain integrity is compromised it’s always possible to reprogram externally the NAND/NOR chips (where the firmware code is written to) to run unsigned code again."

"No matter what they do, a 3.56 (and onward) custom firmware is possible on all PlayStation 3 consoles manufactured so far."

What this effectively means is that Sony will have to make additional changes to the internals of the PS3 hardware to stop the exploit from taking place. At the same time, the 40+ million PS3s already sold are fully susceptible to being hacked and cannot be completely patched against this. However, getting access after the 3.56 firmware has been installed is in itself no easy task. Flashing the system’s NAND/NOR chips is no trivial matter for the everyday user, although it could open up a route for pirates to start selling pre-flashed PS3s, enabling the end user to run unsigned code and copied games until another flash is required later on.

But, for now at least, in terms of closing off an easy way into the system that anyone could exploit (the jailbreak, for example), it appears that Sony has found a way of re-securing the PS3. And with yet more firmware updates coming in the near future, even more of the system’s internals will be updated with further changes to the security mechanism.

So long as the private keys are never revealed and the random number generator is not botched in its implementation, there is no reason why newer PS3s cannot regain their once ‘solidly secure’ status. Although, as recent events have shown, no system, no matter how strong its security, is ever immune to being cracked. Instead, it is all about keeping one step ahead, making sure you have as many holes plugged as possible while trying to discover just where the next break will come from.

2 comments:

  1. Thanks for sharing your ideas and thoughts, I like your blog and bookmark this blog for further use, thanks again… Intrusion Protection

  2. Check out this post on how to renew PS3 encryption key without Internet and why you need to renew the PS3 encryption key at all.
