Modchip board



http://www.ps3hax.net/2012/10/marcan-fail0verflow-about-lv0/

by marcansoft (727665) on Tuesday October 23, @09:04PM (#41747075)

The first-stage bootloader is in ROM and has a per-console key which is effectively in tamper-resistant silicon. The second-stage bootloader (bootldr) is encrypted with the per-console key, but is not upgradable and is the same for all consoles (other than the encryption wrapper around it). This second-stage bootloader verifies lv0. Sony signed lv0 using the same broken process that they used for everything else, which leaks their private key. This means that the lv0 private key was doomed from the start, ever since we demonstrated the screwup at the Chaos Communication Congress two years ago.

Translator's note: So once again Sony shot itself in the foot: it used a flawed encryption method, which let the 2nd-stage lv0 key leak.

However, because lv0 is also encrypted, including its signature block, we need that decryption key (which is part of bootldr) before we can decrypt the signature and apply the algorithm to derive the private key. We did this for several later-stage loaders by using an exploit to dump them, and Geohot did it for metldr (the "second root" in the PS3's bizarre boot process) using a different exploit (we replicated this, although our exploit might be different). At the time, this was enough to break the security of all released firmware to date, since everything that mattered was rooted in metldr (which is bootldr's brother and is also decrypted by the per-console key). However, Sony took a last ditch effort after that hack and wrapped everything after metldr into lv0, effectively using the only security they had left (bootldr and lv0) to attempt to re-secure their platform.

Translator's note: According to marcan, the encryption scheme on the PS3 console itself can be considered broken. The hacking scene previously broke metldr, so Sony piled its entire last line of defense onto bootldr; now the outer works of that last line, bootldr, have been breached too, and only the keep itself remains.

Bootldr suffers from the same exploit as metldr, so it was also doomed. However, because bootldr is designed to run from a cold boot, it cannot be loaded into a "sandboxed" SPU like metldr can from the comfort of OS-mode code execution (which we had via the USB lv2 exploit), so the exploit is harder to pull off because you don't have control over the rest of the software. For the exploit that we knew about, it would've required hardware assistance to repeatedly reboot the PS3 and some kind of flash emulator to set up the exploit with varying parameters each boot, and it probably would've taken several hours or days of automated attempts to hit the right combination (basically the exploit would work by executing random garbage as code, and hoping that it jumps to somewhere within a segment that we control; the probabilities are high enough that it would work out within a reasonable timeframe). We never bothered to do this after the whole lawsuit episode.

Translator's note: But the essential difference between bootldr and metldr is that bootldr is used for cold boot and cannot enjoy the sandbox protection that metldr gets, so if bootldr's encryption scheme has a hole, it is bad news. This explains why we could not take down metldr with the USB driver bug in firmware 3.41 alone and had to rely on other vulnerabilities to get to metldr. Using the known vulnerability to run unauthorized code is still difficult, though, because there is no program pointer, so one can only hope to get lucky: that after boot the program counter happens to land at the start of the code we placed and runs the fragment we want. The odds are low, so it takes a great many attempts; during the lawsuit, this was a convenient way to kill time.

Presumably, 18 months later, some other group has finally figured this out and either used our exploit and the hardware assistance, or some other equivalent trick/exploit, to dump bootldr. Once the lv0 decryption key is known, the signing private key can be computed (thanks to Sony's epic failure).

Translator's note: So 18 months later someone, with hardware assistance, finally broke through the last line of defense, decrypted lv0, and then the private key could be computed as well.

The effect of this is essentially the same that the metldr key release had: all existing and future firmwares can be decrypted, except Sony no longer has the lv0 trick up their sleeve. What this means is that there is no way for Sony to wrap future firmware to hide it from anyone, because old PS3s must be able to use all future firmware (assuming Sony doesn't just decide to brick them all...), and those old PS3s now have no remaining seeds of security that aren't known. This means that all future firmwares and all future games are decryptable, and this time around they really can't do anything about it. By extension, this means that given the usual cat-and-mouse game of analyzing and patching firmware, every current user of vulnerable or hacked firmware should be able to maintain that state through all future updates, as all future firmwares can be decrypted and patched and resigned for old PS3s. From the homebrew side, it means that it should be possible to have homebrew/linux and current games at the same time. From the piracy side, it means that all future games can be pirated. Note that this doesn't mean that these things will be easy (Sony can obfuscate things to annoy people as much as they want), but from the fundamental security standpoint, Sony doesn't have any security leg to stand on now.

Translator's note: The consequence of this line of defense falling is much the same as when metldr was broken last time: every firmware version to date is affected. Unless Sony has an lv-1 behind lv0, Sony can forget about hiding anything in any future firmware update, because those firmwares must be "backward compatible" with every console revision (although, as with iOS, different models could download the same version but receive firmware tailored to each model). The old consoles are now completely laid bare, which means that whenever a software vulnerability is found on an old console in the future, the same trick can be replayed on a new console. For the homebrew camp this is of course great news: it means Linux can be run out in the open. For the piracy camp it is good news too: it means there will be no uncrackable games in the future (my guess is Sony will require all upcoming games to be activated online before they can be played).

It does not mean that current firmwares are exploitable. Firmware upgrades are still signed, so you need an exploit in your current firmware to downgrade. Also, newer PS3s presumably have fixed this (probably by using newer bootldr/metldrs as trust roots, and proper signing all along).

Translator's note: There are still a few things to note: this does not mean every firmware can be cracked. Newer firmware still carries a digital signature, so the currently installed firmware must have a vulnerability before you can freely upgrade or downgrade. Newer consoles have a fix in bootldr/metldr (3007 and above; 2507 and below are the old, vulnerable revisions).

The keys are used for two purposes: chain of trust and chain of secrecy. The compromise of the keys fully compromises the secrecy of the PS3 platform permanently, as you can just follow the links down the chain (off-line, on a PC) and decrypt any past, current, or future firmware version. Current consoles must be able to use any future firmware update, and we now have access to 100% of the common key material of current PS3s, so it follows that any future firmware decryptable by current PS3s is also decryptable by anyone on a PC. However, the chain of trust can be re-established at any point along the line that can be updated. The chain of trust is safely rooted in hardware that is near impossible to modify (i.e. the CPU's ROM and eFuse key). The next link down the chain has been compromised (bootldr), and this link cannot be updated as it is specific to each console, so the chain of trust now has a permanent weak second link. However, the third link, lv0, can be updated as it is located in flash memory and signed using public key crypto. This allows Sony to secure the entire chain from there onwards. Unless you find a vulnerability in these updated links, you will not be able to attack them directly (applications, e.g. homebrew software, are verified much further down the chain). The only guaranteed way to break the chain is to attack the weak link directly, which means using a flash writer to overwrite lv0. Once you do so, the entire chain collapses (well, you still need to do some work to modify every subsequent link to turn off security, but that is easy). If you have old firmware, you have at least some other weak links that, when compromised, allow you direct access to break the bootldr link (replacing lv0), but if you run up to date firmware you're out of luck unless you can find a weakness or you use hardware.

Translator's note: A chained verification scheme is inherently secure, but its weakness is that it "must not have any weak point": a single weak link, because of the chaining, renders the whole security scheme void. The chain starts at the eFuse key inside the CPU, which is secure enough, but it fails as early as the second step, bootldr/metldr. The rest of the chain is implemented in software, so holes there can be patched; unfortunately metldr/bootldr is burned in, so it is beyond saving. The third link, lv0, lives in flash and can be patched, so Sony will probably have to rework the whole chained verification scheme and leave bootldr out of it. Even that is not safe: with bootldr outside the chain, it makes no difference whether lv0 is encrypted or not, because the hacking scene can use a chip programmer to burn its own modified lv0 into flash and then happily run its own code as before.

Old PS3s are now in the same boat as an old Wii, and in fact we can draw a direct comparison of the boot process. On an old Wii, boot0 (the on-die ROM) securely loads boot1 from flash, which is securely checked against an eFuse hash, and boot1 loads boot2 but insecurely checks its signature. On an old PS3, the Cell boot ROM securely loads bootldr from flash, which is securely decrypted and checked using an eFuse key, and then bootldr loads lv0 but checks its signature against a hardcoded public key whose private counterpart is now known. In both cases, the system can be persistently compromised if you can write to flash, or if you already have code execution in system context (which lets you write to flash). However, in both cases, you need to use some kind of high-level exploit to break into the firmware initially, particularly if you have up-to-date firmware. It just happens that this is trivial on the Wii because there is no game patch system and Nintendo seems to have stopped caring, while this is significantly harder on the PS3 because the system software has more security layers and there is a game patch system.

....

The name is presumably wrong; they would be the bootldr keys, as the keyset is considered to "belong" to the entity that uses those keys to check and decrypt the next thing down the chain. Just like the metldr keys are the keys metldr uses to decrypt and verify other *ldrs, the bootldr keys are the keys bootldr uses to decrypt and verify lv0. Anyway, you're confusing secrecy with trust. These keys let you decrypt any future firmware; as you say, if they were to "fix" that, that would mean new updates would not work on older machines. However, decrypting firmware doesn't imply that you can run homebrew or anything else. It just means you can see the firmware, not actually exploit it if you're running it.

Translator's note: To keep new firmware backward compatible with old consoles, the vulnerability has to be tolerated; otherwise old consoles could not play new games, and I doubt Sony would dare do that to its customers.

The only trust that is broken by this keyset (assuming they are the bootldr keys) is the trust in lv0, the first upgradable component in the boot process (and both it and bootldr are definitely software, not hardware, but bootldr is not upgradable/replaceable so this cannot be fixed). This means that you can use them to sign lv0. Period. Nothing more, nothing less. The only thing that these keys let you modify is lv0. In order to modify anything else, you have to modify everything between it and lv0 first. This means that these keys are only useful if you have write access to lv0, which means a hardware flasher, or an already exploited console, or a system exploit that lets you do so.

....

Oh, one more thing. I'm assuming that these keys actually should be called the bootldr keys (as in the keys that bootldr uses to verify lv0), and that the name "lv0" is just a misnomer (because lv0 is, itself, signed using these keys). If this keyset is just what Sony introduced in lv0 after the original hack, and they are used to sign everything *under* lv0 and that is loaded *by* lv0, then this whole thing is not newsworthy and none of what I said applies. It just means that all firmwares *to date* can be decrypted. Sony will replace this keyset and update lv0 and everything will be back at step 1 again. lv0 is updatable, unlike bootldr, and is most definitely not a fixed root of trust (unlike metldr, which was, until the architecture hack/change wrapped everything in lv0). If this is the case, color me unimpressed.

.....

by marcansoft on Wednesday October 24, @01:04AM (#41748707) Attached to: PS3 Encryption Keys Leaked

Nevermind, I just checked. They are indeed the bootldr keys (I was able to decrypt an lv0 with them). Consider this confirmation that the story is not fake.



※ Posted from: PTT (ptt.cc)
◆ From: 128.84.125.247
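marcan's comments above speak of a "broken process" by which Sony's signing leaked the private key, and of decrypting a signature block and "applying the algorithm to derive the private key". The flaw fail0verflow presented at 27C3 was reuse of the per-signature ECDSA nonce. The following worked example is added here and is not part of the PTT post, marcan's text, or any PS3 code: it reproduces that failure on a tiny textbook curve (y^2 = x^3 + 2x + 2 over GF(17), generator of order 19), recovers the private key from two signatures that share a nonce, and shows the mitigation, deriving a unique nonce per message. The private key (7), the nonce (10) and the two "message digests" (5 and 12) are constructed toy values; the deterministic-nonce routine is a simplified HMAC-SHA256 stand-in for RFC 6979, not the real construction, and the curve is far too small for anything but hand-checking.

```python
"""Toy ECDSA on a textbook curve: why a repeated nonce leaks the signing key,
and how a per-message deterministic nonce avoids it.

Example added alongside the PTT post; not PS3 code and not marcan's code."""
import hashlib
import hmac

# Constructed toy parameters: y^2 = x^3 + 2x + 2 over GF(17). The generator G
# has prime order 19, so keys, nonces and reduced digests live in 1..18.
P, A = 17, 2
G = (5, 1)
N = 19


def _add(p1, p2):
    """Point addition on the curve; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def public_key(d):
    return _mul(d, G)


def sign(d, h, k):
    """ECDSA signature of reduced digest h under private key d with nonce k.
    Returns None when r or s would be 0 (the caller must pick another k)."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + d * r) % N
    return (r, s) if r and s else None


def verify(q, h, sig):
    """Standard ECDSA verification against public key q."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(h * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def recover_private_key(q, h1, sig1, h2, sig2):
    """The failure mode: two signatures made with the same nonce share r, and
    k and d then fall out of two linear equations mod N. The candidate is
    checked against the public key so a merely coincidental equal r is rejected."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or s1 == s2:
        return None
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    d = (s1 * k - h1) * pow(r1, -1, N) % N
    return d if public_key(d) == q else None


def sign_deterministic(d, h):
    """Mitigation: derive the nonce from the private key and the digest, so on a
    real-size curve two different messages do not share a nonce and the same
    message always gets the same signature. Simplified HMAC-SHA256 stand-in for
    RFC 6979, not the real construction."""
    counter = 0
    while True:
        mac = hmac.new(d.to_bytes(4, "big"), f"{h}:{counter}".encode(), hashlib.sha256)
        k = int.from_bytes(mac.digest(), "big") % N
        sig = sign(d, h, k) if k else None
        if sig:
            return sig
        counter += 1          # retry (as RFC 6979 does) when k, r or s is 0


if __name__ == "__main__":
    d = 7                                  # constructed private key
    q = public_key(d)
    h1, h2 = 5, 12                         # constructed digests of two images
    bad1, bad2 = sign(d, h1, 10), sign(d, h2, 10)   # nonce 10 used twice
    print("public key", q, "signatures", bad1, bad2)
    print("recovered private key:", recover_private_key(q, h1, bad1, h2, bad2))
    good1, good2 = sign_deterministic(d, h1), sign_deterministic(d, h2)
    print("deterministic sigs verify:", verify(q, h1, good1), verify(q, h2, good2))
```

Running it prints the two shared-nonce signatures (7, 13) and (7, 8), whose equal r value is the tell-tale sign, and then recovers the private key 7 from them with nothing but arithmetic mod 19; this is the "decrypt the signature and apply the algorithm" step marcan describes, which is why the leaked lv0 decryption key was enough to compute the signing key. The defender's takeaway is that ECDSA's security rests entirely on a fresh, unpredictable nonce per signature, and a deterministic derivation such as RFC 6979 removes the dependence on a random number generator at signing time.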
1F: push sakuraha: Only the last mile left now, looking forward to it 10/26 00:24
2F: push DAVID010327: Can't really follow it, but upvote for the translation 10/26 02:36
3F: push aalittle: Upvote for sharing 10/26 12:09
4F: push ppon: Upvote for the good translation 10/26 12:22
5F: push simfex: Read it, upvoted~ 10/26 14:43
6F: push todotaurus: Watching the attack-and-defense war between these firmware hackers abroad 10/26 15:12
7F: → todotaurus: and Sony is really interesting. 10/26 15:13
8F: push rabbit83035: Upvote for expertise!! 10/26 16:51






