
PS3: Man in the middle attack writing LV0 + tools, by MikeM64. Is full CFW for all PS3s next?

PS3 developer MikeM64 has released a full description of his MITM hardware attack on the PS3, following footage of the attack that was revealed a few weeks ago. The purpose of this exploit is to fully unlock LV0 (the boot loader) on newer PS3 models, with the eventual goal of installing full custom firmware on those consoles.

PS3 Exploits – The Current Status

We’ve already mentioned that hacking a PS3 is pretty much doable on all models and firmware these days, although depending on your PS3 hardware, you may or may not be able to install fully custom firmware. For most people the difference between what they can use (PS3HEN) and fully custom firmware is marginal, but LV0 remains the Holy Grail of PS3 hacking. MikeM64 has a great summary:

The PlayStation 3 has had a very long homebrew history. When the PS3 was initially released, Linux support was built in from day one! People had the option of installing any PowerPC-based distribution with full kernel support for assorted system devices. This allowed all sorts of interesting uses like supercomputing clusters and a cheap PowerPC development box. There were a few Linux nudges and pushes towards the hypervisor, but no one really bothered to dig too deep until OtherOS support was dropped from Slim consoles. After GeoHot’s HTAB exploit was released, OtherOS was removed from all consoles in 3.21. This was the catalyst that opened the floodgates to complete the exploitation of the console. I have summarized the current status of many exploits released for the PS3 console below:

| Exploit | Version | Enabled in LV1 | Enabled in LV2 | Remarks |
|---|---|---|---|---|
| Glitch: GeoHot HTAB | Any? | R/W arbitrary HV memory | N/A | FPGA used to scramble memory address lines |
| PS Jailbreak dongle | 3.41 | N/A | Homebrew and hacking in GameOS, OtherOS support restored | Dongles exploited USB device descriptor parsing to achieve code execution in LV2. |
| fail0verflow Sigfail | <= 3.55 | Custom signed LV1 | Custom signed LV2 | Works on all consoles with a minver of <= 3.55. |
| Post 3.55-era Sigfail | | | | |
| lv0ldr syscon TOCTOU packet – Linux dump | Any? | N/A | N/A | Dump lv0 root keys to allow all LV0 executables to be decrypted and signed on consoles with a minver of <= 3.55. |
| HEN | <= 4.89 | N/A | Homebrew and hacking in GameOS | No support for other operating systems |
| lv0ldr syscon TOCTOU packet – HW remix | Any? | Custom code in LV1 | Custom code in LV2 | Should work on all consoles with HW. This is the topic of the day! |

After the sigfail exploit was released, Sony attempted to re-secure the boot chain by moving all loaders into lv0, as this had not yet been dumped or exploited. It was a good interim solution until Juan Nadie and the Three Musketeers dropped lv0ldr, and their exploit and keys were leaked. Once LV0 keys were available, it was possible to edit and re-sign all updatable code on older consoles. Consoles manufactured after the release of sigfail have been updated with the new lv0 metadata (lv0.2), which is not vulnerable to the sigfail exploit.

For all consoles that were not vulnerable to sigfail, HEN was released which exploited both the built-in web browser and the LV2 kernel to enable both homebrew and hacking in GameOS. This still does not support OtherOS or hypervisor modification as of today.

In other words, to take full control of all PS3 models, hijacking LV0 is essential, and that’s what MikeM64 achieved with a little hardware and a lot of trial and error.

Exploit PS3 LV0 with hardware

The general idea was to reproduce a software vulnerability from the 3.55 era which led to the dumping of LV0 keys (the “3 Musketeers” leak). MikeM64 writes:

The exploit used to dump lv0ldr targets the processing of syscon packets between syscon and Cell. It was discovered in lv0 that the code that handles syscon packet reads contained a TOCTOU bug that rereads the packet header after commit. […]

This problem alone would normally not be enough to exploit lv0ldr. You need to be able to time and inject memory writes to the MMIO space containing the syscon packet buffer to pass the first checksum and then write the new header to exploit the arbitrarily sized memcpy. The window of time to exploit this is extremely, extremely small. Fortunately, we can arbitrarily extend this timing window thanks to the debugging facilities that IBM left in the Cell. For standard and isolated SPUs, we can enable interrupts for all MFC transfers entering or leaving the SPU. This allows us to suspend execution of lv0ldr on any memory access, enabling the exploit and dumping lv0ldr.
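The bug class MikeM64 describes (a header validated once, then fetched again from a buffer another agent can write) is a classic double-fetch TOCTOU. The following is an added teaching illustration, not lv0, syscon or any Sony/IBM code: the packet layout, field names, sizes, checksum and the "racing writer" hook are all constructed assumptions. It places the vulnerable reader beside the hardened one so the fix is visible: read every field from shared memory exactly once into a private snapshot, validate the snapshot, and size the copy from the snapshot only.

```c
/* Added teaching illustration of the double-fetch (TOCTOU) pattern described
 * in the write-up. Constructed code, not lv0, syscon or any Sony/IBM code:
 * packet layout, field names, sizes and checksum are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_PAYLOAD_MAX 32    /* assumed maximum payload a reader may accept */
#define SHARED_SIZE     256   /* constructed shared-buffer size */

/* Assumed layout of a packet sitting in a buffer another agent can write to. */
struct pkt_hdr {
    uint8_t len;   /* payload length claimed by the sender */
    uint8_t sum;   /* additive checksum over len and the payload */
};

/* Additive 8-bit checksum over n bytes. */
static uint8_t checksum8(const uint8_t *buf, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint8_t)(s + buf[i]);
    return s;
}

/* Models "something else writes the shared buffer" between check and use. */
typedef void (*race_hook_t)(uint8_t *shared);

/* VULNERABLE: validates the header, then fetches the length AGAIN from the
 * shared buffer when sizing the copy. Returns bytes copied, or -1 if rejected. */
static int read_packet_double_fetch(uint8_t *shared, uint8_t *out, race_hook_t hook) {
    volatile struct pkt_hdr *hdr = (volatile struct pkt_hdr *)shared;
    const uint8_t *payload = shared + sizeof(struct pkt_hdr);

    /* Time of check: bound and checksum are verified against shared memory. */
    if (hdr->len > PKT_PAYLOAD_MAX) return -1;
    if ((uint8_t)(hdr->len + checksum8(payload, hdr->len)) != hdr->sum) return -1;

    if (hook) hook(shared);   /* the window the write-up describes */

    /* Time of use: len is re-read, so the copy size is not the checked one. */
    size_t n = hdr->len;
    memcpy(out, payload, n);  /* n may now exceed PKT_PAYLOAD_MAX */
    return (int)n;
}

/* HARDENED: every field is read exactly once into a private snapshot; all
 * checks and the copy operate on the snapshot, so later writes are irrelevant. */
static int read_packet_single_fetch(uint8_t *shared, uint8_t *out, race_hook_t hook) {
    volatile struct pkt_hdr *hdr = (volatile struct pkt_hdr *)shared;
    uint8_t len = hdr->len;   /* single fetch */
    uint8_t sum = hdr->sum;   /* single fetch */
    uint8_t local[PKT_PAYLOAD_MAX];

    if (len > PKT_PAYLOAD_MAX) return -1;
    memcpy(local, shared + sizeof(struct pkt_hdr), len);   /* snapshot payload */
    if ((uint8_t)(len + checksum8(local, len)) != sum) return -1;

    if (hook) hook(shared);   /* same window, no effect on the snapshot */

    memcpy(out, local, len);
    return (int)len;
}

/* Constructed sample: a valid packet with a 4-byte payload. */
static void make_packet(uint8_t *buf, size_t size) {
    static const uint8_t payload[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    memset(buf, 0, size);
    buf[0] = (uint8_t)sizeof payload;
    memcpy(buf + 2, payload, sizeof payload);
    buf[1] = (uint8_t)(buf[0] + checksum8(buf + 2, sizeof payload));
}

/* Constructed racing writer: changes the length field after the check passed. */
static void racing_writer(uint8_t *shared) { shared[0] = 200; }

/* Both demos use oversized buffers so the demonstration itself cannot overflow. */
int demo_double_fetch(void) {
    uint8_t shared[SHARED_SIZE], out[SHARED_SIZE];
    make_packet(shared, sizeof shared);
    return read_packet_double_fetch(shared, out, racing_writer);   /* 200: unchecked size */
}

int demo_single_fetch(void) {
    uint8_t shared[SHARED_SIZE], out[SHARED_SIZE];
    make_packet(shared, sizeof shared);
    return read_packet_single_fetch(shared, out, racing_writer);   /* 4: the checked size */
}

int main(void) {
    printf("double fetch copied %d bytes\n", demo_double_fetch());
    printf("single fetch copied %d bytes\n", demo_single_fetch());
    return 0;
}
```

The `volatile` qualifier on the header pointer is there to make each access to shared memory an actual load, which is what a real MMIO reader sees; the point of the hardened variant is not the qualifier but that nothing after the snapshot touches the shared buffer again. When reviewing firmware that parses messages from another bus agent, the pattern to look for is any field read from the shared region more than once, or a copy length taken from the region after its checksum was verified.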

MikeM64 gives in-depth details on how to do the hardware hack, providing all the tools other hackers need to work out the next steps, including CFW support for all PS3 models. It’s probably only a matter of time before that happens.

The hardware required is “simple” (but the skills involved are not), namely a Teensy 4.0 and an Arty-S7 50 (although MikeM64 states that this could easily be ported to any Arty A series) and generic cables that come with it.

You can read MikeM64’s full write-up here.
