Tech Focus: The New PlayStation 3 Hack

Digital Foundry analyses the latest assault on Sony's console security protocols.

News of yet another PlayStation 3 hack is unlikely to be greeted with too much surprise, but the damage wrought by the release of the LV0 bootloader keys last week could have serious repercussions - not just in terms of PS3 piracy but also for the long-term security of the PlayStation Network.

Up until now, Sony has coped relatively well with the multiple breaches of its security that have occurred over the last couple of years. The original PSJailbreak was built around an exploit in the USB interface present up until firmware 3.41, and that hole was plugged by Sony within weeks. Hackers managed to run a small number of games built for later system software revisions, but through mandatory software upgrades, access to the PlayStation Network was off-limits for those who remained on the hacked firmware.

"The latest PlayStation 3 hack can only have a limited impact in terms of game piracy, but the door once again opening to PSN hacking is a genuine concern."

Then, disaster. Inherent weaknesses in Sony's encryption algorithms were unveiled by hacker group fail0verflow, swiftly followed by the publication of the metldr "master key" from the infamous Geohot. PlayStation 3 was blown wide open - seemingly irrevocably - from two fronts. Not only could all aspects of the system be decrypted with the master key and then reverse-engineered, but thanks to fail0verflow's signing tools, the code could be repackaged into a form that the PS3 was happy to process. The era of the "custom firmware" was upon us and there was a point where every console on the market could be compromised simply through running a CFW update from a memory stick.

System software 3.60 saw Sony fight back valiantly. New encryption protocols were put in place which effectively mothballed metldr, while the specific signing algorithms used for fail0verflow's tools were blacklisted. Encryption keys were changed so new software would not run on older firmware, and Sony even released a revised console with changes to the Cell architecture that addressed some of the exploits hackers were using to gain access to the PS3 hardware - even the metldr key was changed on this new hardware. Access to the PlayStation Network was completely locked out on hacked consoles.

There's little evidence that the hack which saw PSN's servers compromised in one of the biggest security fails in internet history had much to do with the breaches that preceded it. The hack was server-side and there Sony was running traditional hardware with open source software, which had vulnerabilities of its own. It's telling that even after PSN was restored to service, the underlying protocols by which PS3 "spoke" to the servers hadn't changed so much at all.

However, the hackers were not done with PS3. A new "jailbreak" based on another USB dongle appeared last year, dubbed "TrueBlue". This allowed newer games to run on older, compromised firmware 3.55 PlayStation 3s. It worked through the hackers decrypting newer games and then re-signing them with a variant of fail0verflow's tools. This time there was no exploit in Sony's USB code: instead the hackers released their own firmware which would not function without the dongle attached. In short, it was a crude way to monetise the fact that someone, somewhere had somehow managed to retrieve decryption codes from Sony's latest OS updates. At the same time, the unique "pass phrase" buried within the firmware that allows PS3s to connect with the PlayStation Network was also leaked - and then leaked again after Sony changed it.

So how was it done? Despite locking down metldr, there remained one further vulnerability - one that Sony simply cannot revoke: the bootloader key. If you still have an untouched PS3 from the 2006 launch, you can power it up and update it to the latest 4.30 firmware. Every PS3 requires the means by which to decrypt any firmware update - past, present or future. That's what the so-called "lv0" bootloader key does, and that's the final element of PlayStation 3 security that is now out there in the public domain.

How did it get out there? All the indications are that the hackers who made the discovery - who have dubbed themselves "the three musketeers" - had no intention of ever releasing it into the public domain. However, one of their associates with access to their work appears to have sold it on, and the release of the bootloader keys was made in response to Far Eastern hackers looking to profit from a new wave of "custom firmware". Rather than allow others to profit from their work, the "musketeers" went nuclear and released the master key so anyone with PS3 hacking experience could roll their own firmware. Since then, in just the space of a few days, at least two piracy-enabling system updates have been released.

There's a little good news and somewhat more bad news for Sony here. The good news is that while decryption has now been fully blown open, there is no firmware 4.30 equivalent to fail0verflow's signing tools - only Sony has the means to produce code that runs on any console running firmware 3.56 or higher. The hackers, meanwhile, have to rely on the 3.55 fail0verflow tools, which can only target un-updated consoles. Many firmware revisions have been released since then and we'd tentatively suggest that the vast majority of active consoles out there will be running on the newer firmware. At the time of writing, any new hacked code cannot be run on these machines.

"All PS3s need to be able to read firmware updates files from the past, present and future. The release of the bootloader keys gives hackers the same decryption access as the console. Patching this hole could prove to be almost impossible for Sony."

So while the overall damage is most likely limited for now in terms of revenue lost due to piracy, there are still many fundamental issues Sony has to address. Firstly there's the integrity of the PlayStation Network. Genuine, legitimate players will be playing online not only with people who've pirated PS3 software, but with people who have the means to adjust any game data they want. Pirate games run from read/write PC hard drives rather than read-only optical media, making customisation much simpler - maps, for example, could be altered to give hackers an unfair advantage in a first-person shooter. Sony can address this by changing the "pass phrase" which allows PS3s to connect to PSN, but this brings us nicely to the second major problem: how to tackle the leak of the lv0 bootloader keys.

The problem here is that any change Sony makes to the PS3 software has to be read by the PS3 - and that's what the bootloader does. The PSN pass phrase can be changed, but that change needs to be integrated into data that lv0 decrypts - and thus it can be read by hackers. Similarly, new games coming out can be re-encrypted with keys not present in current firmwares - but they need to be delivered to the console via an update that (you guessed it) lv0 - and thus the hackers - will be able to read. Sony can make it harder for those keys to be revealed; it can encrypt to many hundreds of layers if it needs to - but at the end of the day, the process always begins with the bootloader, which has been irrevocably compromised.
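The two points made above - that holding the root decryption key exposes every key wrapped inside an update no matter how many layers are added, while holding that key still does not let anyone produce an update the console will accept - can be modelled in a few dozen lines. The following is an added illustration and not Sony's, fail0verflow's or anyone else's actual code: the "root key", the layered update format, the SHA-256 counter-mode stream cipher and the firmware bytes are all constructed stand-ins, and the signature is a Lamport one-time signature chosen only because it is a genuine public-key scheme available in the Python standard library.

```python
import hashlib
import secrets
import struct

# Toy stream cipher: SHA-256 in counter mode XORed over the data.
# Constructed for illustration only; it stands in for the real
# encryption layers and is NOT a secure cipher.
def keystream(key: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:n])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# Lamport one-time signature over SHA-256: a real public-key signature that
# needs only the standard library. The private half stays with the vendor;
# the console holds only the public half.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(_bits(msg)):
        chunk = sig[i * 32:(i + 1) * 32]
        if hashlib.sha256(chunk).digest() != pk[i][bit]:
            return False
    return True

# Vendor side: wrap a fresh inner key and the firmware image under the
# root (lv0-style) key, then sign the resulting ciphertext.
def build_update(root_key: bytes, sk, inner_key: bytes, firmware: bytes):
    inner_layer = xor_crypt(inner_key, firmware)
    body = struct.pack(">H", len(inner_key)) + inner_key + inner_layer
    outer = xor_crypt(root_key, body)
    return outer, lamport_sign(sk, outer)

# Console side: reject anything not signed by the vendor, then peel the
# layers with the root key that is fixed in hardware.
def console_install(root_key: bytes, pk, update) -> bytes:
    outer, sig = update
    if not lamport_verify(pk, outer, sig):
        raise ValueError("signature check failed: update rejected")
    body = xor_crypt(root_key, outer)
    (klen,) = struct.unpack(">H", body[:2])
    inner_key = body[2:2 + klen]
    return xor_crypt(inner_key, body[2 + klen:])

# Anyone holding the root decryption key can peel the same layers without
# the public key: re-keying the inner layer cannot hide the new key.
def recover_inner_key(root_key: bytes, update) -> bytes:
    outer, _ = update
    body = xor_crypt(root_key, outer)
    (klen,) = struct.unpack(">H", body[:2])
    return body[2:2 + klen]

# Loss of confidentiality is not loss of authenticity: without the vendor's
# private signing key, a modified update does not pass verification.
def tampered_update_is_rejected(root_key: bytes, pk, update) -> bool:
    outer, sig = update
    flipped = bytes([outer[0] ^ 0x01]) + outer[1:]
    try:
        console_install(root_key, pk, (flipped, sig))
    except ValueError:
        return True
    return False

def demo():
    root_key = b"constructed-root-key-not-a-real-lv0-key"  # constructed stand-in
    sk, pk = lamport_keygen()
    inner_key = secrets.token_bytes(16)
    firmware = b"FIRMWARE 4.30 (constructed sample payload)"  # constructed
    update = build_update(root_key, sk, inner_key, firmware)
    installed = console_install(root_key, pk, update)
    leaked = recover_inner_key(root_key, update)
    rejected = tampered_update_is_rejected(root_key, pk, update)
    return installed == firmware, leaked == inner_key, rejected

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True, True)`: the genuine update installs, the holder of the root key reads the freshly issued inner key straight out of it, and the tampered copy is refused. The third result is the reason the article's "good news" holds: a leaked decryption key lets an outsider read every future update, but only a leaked signing key would let them write one.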

In terms of guaranteeing the validity of the console attached to the network, Microsoft has been far more aggressive than Sony thus far, and has faced attacks from a number of different sources. Consoles running custom firmware are quickly identified and banned from Xbox Live, while users flashing the DVD drive in order to run burned games have also found themselves barred from the service. But it seems that the hackers are always one step ahead, and in the here and now, pirates are still able to access Xbox Live relatively easily using copied games. Only those foolish enough to run leaked code days or even weeks before the game is released are identified as hackers and face the uncompromising wrath of the banhammer.

So where does this all leave game developers? At the most basic level, when it comes to multiplayer gameplay, the bottom line is that the system-level methods of weeding out cheats probably aren't enough on their own: it's going to be down to developers to add further levels of security to ensure the integrity of online gameplay. In short, exactly the sort of thing that's been a required standard for PC gaming for a long, long time now...


Latest comments (5)

Christopher Goodno Community & Network Manager (HAVAMedia) 9 years ago
***There's little evidence that the hack which saw PSN's servers compromised in one of the biggest security fails in internet history...***

Not to play it down too much, but that is only true if you remove banks and similar corporations from the mix (PayPal included). Hacking PSN was a big deal, but it's far from "one of the biggest security fails."

As far as the security of PSN, much like Microsoft, Sony can detect many things with your console and ban it. They did this before with CFW, in fact. So, I don't see the issue here. Much like previous CFW, the only people in danger of being exploited here are those who have CFW installed.
Jesse HR and HMI consultancy. 9 years ago
So in summary, the PS3 after six years on the market, is finally compromised as badly as Xbox was after one year.

As the article suggests, this is limited to 3.55 firmware machines, which I'd suggest make up less than a couple of percent of the total number of functional PS3s out there. Those niche pirates committed enough to have hung onto 3.55 machines for CFW aren't the kind of people that would otherwise be purchasing games, nor utilising PS+ or the other pay services on PS3, so the true economic impact is quite low.

Will this impact software sales in any meaningful way? - no.
Will this impact sales of new ps3 consoles at all? - no.
Will this impact legitimate gamers online experience in any meaningful way? - no.
Will this open any doors to PSN breaches à la PSNGate? - no.

Storm in a teacup IMHO.
Andrew Jakobs Lead Programmer 9 years ago
Huh? They claim you cannot run homebrew on 4.30? That's weird, as with the new 4.30 CFW you can run homebrew (as long as it's resigned with newer keys, which are available)..

And yes, at the moment this new custom firmware is only available if your console is on 3.55 (or can be downgraded by a hardware flasher back to 3.55, which is also not possible on newer consoles)..
But for being able to play the latest games, the 4.30 CFW wasn't necessary; a lot of games apparently just ran perfectly on 3.55 with the original retail eboots patched..
John Bye Lead Designer, Freejam 9 years ago
It does sound like this has been massively over-hyped, I suspect the actual impact will be negligible. Not to mention that the Xbox 360 has been cracked wide open pretty much since launch, piracy is endemic on the platform, and yet it still sells more hardware and software than the competition.
Ben Campbell Graphic Designer / Freelance Games Journalist 9 years ago
Yet it still sells more hardware and software than the competition
One major reason for this: price cuts to where it is affordable to get a new console. (12GB PS3 Slim: it really isn't enough for more than a serious gamer, allowing you only 3-4 games max due to it being MANDATORY to install system AND game updates to even PLAY games, so I have been told by many people.)

Prices taken from - Both Consoles are new

60GB Xbox 360 - 179.99

Playstation 3 12gb Slim - 149.99