PS3 Root Key Found
An anonymous reader writes "The PlayStation 3 'root key' used for code signing has been found by GeoHot. This enables running homebrew without the need for psjailbreak-style USB-devices, and also provides hope for those at firmware version 3.55 that currently cannot be downgraded. The key also cannot be changed without hardware modifications. Oops."
I wonder how many job offers that kid has received.
Is this the same private key that was discovered last week?
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I wonder how long until the lawyers start raining down from the sky.
Did you guys hear about the next firmware update that bricks the console? It's fine, they offer free replacements for anyone affected by it.
Acid and a very powerful microscope? Or leaked information from a Sony insider?
Better known as 318230.
I can encrypt/sign anything on psp now.
It'd be cool if this finally gained us access to the RSX....
Since they basically did a "bait and switch" with the PS3.
When I bought it, it had the OtherOS feature AND I could do all the online stuff...not now
When I bought it, it had backwards compatibility for almost all PS2 games...not now
So it appears to me that in a sense the "hackers" have returned my property that was stolen from me by the "legitimate corporation"
I doubt that Sony will learn anything from this, and after our family owning a PS2 and 3, the next console I buy will be Xbox...I had no idea a company could be dysfunctional enough to make me regret not buying a MS product.
You living on a farm, son?
That was last week at the Chaos convention.
Still think revoking the "Other OS" function was a good idea?
Do not look at laser with remaining good eye.
Despite all the people claiming this is a dupe, it isn't. This is getting the PSP private key from inside the PS3.
They put the PSP private key on the PS3, presumably so you could buy games for your PSP through the PS3 and have the PS3 do all the heavy crypto work instead of encrypting it on the store end.
Presumably, they figured "hey, the PS3 is unhackable, it is OK to embed the super secret key to PSP software in it". But then the PS3 got hacked.
Will this awesome bit of back-hackery enable PS2 backwards compatibility again?
Informatus Technologicus
You understand it fine. It's just that Sony doesn't.
upon the advice of my lawyer, i have no sig at this time
Dangit, replied to the wrong post.
Let the corporate world beware, don't tread on Linux. Big mistake to allow it and then take it away.
They've found the key used to sign the code (presumably, the private key... not that it really matters). I didn't RTFA, but "found" here shouldn't be taken to imply that they just saw it lying around somewhere... More likely, it was deduced/reverse engineered through some flaws in the implementation.
To put it another way, if the consoles have the public key, then they've discovered the private key which corresponds to that public key.
"Laywers raining down from the sky"
<voice actor="Lloyd Bridges">Looks like I picked the wrong week to give up skeet shooting....</voice>
www.eFax.com are spammers
I think they only allowed it in the first place to try to get tax breaks in the European Union. So, after the EU decided that it wasn't really a personal computer, Sony pulled it from their newer models (the PS3 Slim never had Other OS).
However, it was tampering around with the Hypervisor that caused Sony to remove it from older models in a firmware update.
http://www.youtube.com/watch?feature=player_detailpage&v=hcbaeKA2moE#t=2147s
Jump to 37:20 for the money shot.
On his website he credits those responsible. http://geohot.com/ Don't blame the other middlemen. Geohot gives credit where credit is due.
SHIP'S VOICE: Counting down. Ten, nine, eight, seven, six, four....
SKROOB: Four? What happened to five?
SHIP'S VOICE: Just kidding.
(modified for the sake of parent AC joke)
lol, wut?
Since the lame submission doesn't bother to link to the /very/ source that the article is about, I'll paste it here.
Hey, that's the same combination that I have on my luggage!
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Backwards compatibility was never removed from any PS3. If you had it before, you have it now.
I have a 1st gen PS3 and the latest firmware and I still have my near 100% PS2 BC.
You really should consider making posts based upon facts instead of vitriol.
http://lkml.org/lkml/2005/8/20/95
SACD was not removed. It works and it works the same as it ever did. And there's no reason to think it won't work the same long-term as it has so far.
It's not a bait and switch if you simply didn't get a feature because the device you bought never had it.
No one uses SACD anyway. It's the height of hyperbole to try to make a mountain out of this molehill.
He used the work of others, most notably the guys that just got the private keys.
The other guys are the ones truly responsible for this. GeoHot, as he tends to do, is just trying to take credit.
He's a known bullshitter in the scene.
I'd guess it's some kind of superiority complex. On his site he offers an executable that supposedly uses the key but offers no source code or anything other than indirectly mentioning that he used PSL1GHT.
Personally I'm looking forward to getting my hands on fail0verflow's tools. I've been too lazy to do the USB thing, and though I'm still sitting on 2.15 I've been too lazy to pull out my keyboard and mouse and load up my half-assed Yellow Dog install so I could tinker with fgalea's Freezer engine. But, something that I could easily cross compile on my laptop and load from the XMB makes the barrier to entry so low that I'd finally get that motivation to get back into the homebrew scene again.
Google "AsbestOS PS3"
It's been available for a while, now...
From the geohot site:
props to fail0verflow for the asymmetric half
Geohot isn't taking credit for anyone's work here.
Weaselmancer
Ridiculous.
> I think they only allowed it in the first place to try to get tax breaks in the European Union. So, after the EU decided that it wasn't really a personal computer, Sony pulled it from their newer models (the PS3 Slim never had Other OS).
This story about trying to get the console recognized as a computer for EU tax purposes applies to the PS2, not the PS3.
Do what thou wilt shall be the whole of the Law
No, it was their choice to do that. In no way did someone messing with the hypervisor cause the removal of the feature. To say that is like saying because my dinner was cold I had to beat my wife.
I use SACD. I don't have a great deal of media, but I appreciate being able to play what I have.
I've fallen off your lawn, and I can't get up.
> It'd be cool if this finally gained us access to the RSX....
First there was MSX, an 8-bit home computer built around the ColecoVision architecture. Then there was the BS-X, a satellite modem for the Japanese version of the Super NES. Then there were two different Sony products called PSX: the original PlayStation and a DVR with a built-in PS2 console. Now the PS3's GPU is called the RSX. What is it about video game consoles and ?SX names?
I've never owned any Sony products (not even a walkman) but I must say I'm seriously considering buying a PS3 now!
Reminds me of this guy "DVD Jon" who everybody thinks programmed DeCSS but actually did nothing more than program a menu system.
I do not recall them saying metldr but instead GameLauncher. Am I mistaken in what it's called or is this yet another key? I've not gone back to listen to the video again but I do know exactly what you're talking about - the person who wanted to know why they weren't launching code from DVD. They said that they hadn't gotten the key for XYZ, and weren't interested in piracy. I believe they indicated they had the lower level key they needed instead.
Build it, Drive it, Improve it! Hybridz.org
In a utopian future, people would pay the actual cost of manufacturing the console - plus a reasonable profit margin. Anyone could write games - and the cost of them would be reduced because they wouldn't have to pay the "Sony Tax" on each one. For people who'll own very few games over the life of the console, this is not so attractive - but for people who buy more than the average number of games, it's a huge win. But at least we're honest about it.
I already live in that future. I have a console hooked to my TV that runs code that doesn't have to be signed by Sony, Microsoft, Nintendo, et al. I can also run multiple OSes on it without having to jailbreak it. And I have hundreds* of legally-purchased games to play on it that probably cost me less than what 20 new PS3/360 games would (at $60).
It's called an HTPC. It pretty much does everything a PS3/360 does better (including blu-ray playback). Not to mention backwards-compatibility with at least a dozen of older consoles via emulators. I still have my PS3, but primarily for GT5 and not much else.
*My Steam account alone has 300+ titles. Mostly bought through holiday sale packs at a huge discount. I've probably played less than half so far, but I'm still discovering games that I bought more than a year ago.
Sigs are for losers
How will the system tell if a game with the current key really is a game and not something else?
Also, you're assuming Sony will bother publishing updates to all games. Sure, they might update the popular ones, but obscure ones they probably wouldn't bother with, leaving them unplayable forever.
I'd assume that in the imaginary 3.60 update, they'd invalidate the original key by either removing it from the internal certificate store or trusted certificate store, so any binary signed with that key would be treated as an un-signed or incorrectly signed executable and would not run.
That does bring up the point that if the actual SELF does not run due to being signed with an invalid key, would it be able to launch a stub that attempted to upgrade the app? I think they'd have to come up with a secure and crafty way of managing this. Whatever they do will need to ensure that legitimate users with physical discs containing SELF executables signed with the bad key can at bare minimum launch the stub which will download the updated, newly signed SELF binary. In any case, I digress.
I don't think it's too long of a shot to assume they would publish updates to all of the games -- they already have the update data on a centralized server that each game contacts as it is run, it wouldn't be much of a stretch of the imagination that they could take the original un-signed executables (I'd hope they have them stored!) and just write a script that signs the most current executable with the new key and publishes for testing. This does assume that they have a valid database of this information today and that they have the ability to quickly and easily get their hands on the unsigned copies of the binaries -- something that could easily be quite an incorrect assumption.
To the darkened skies once more, and ever onward.
Actually it was. He found it by getting into the secret area on level 4 of the latest Crash Bandicoot game.
> They put the PSP private key on the PS3, presumably so you could buy games for your PSP through the PS3 and have the PS3 do all the heavy crypto work instead of encrypting it on the store end.
They did not put any private key anywhere outside the Sony headquarters. They just did something stupid with the encryption algorithm (always using the same seed), so that if you have several objects encrypted with the same key you can reconstruct the original key.
And you can't push updates to the discs.
Unless they want to make ALL games released on disc broken, they have to leave those keys in place.
Just like how they can't blacklist the new HDCP crack dongles... they would blacklist a giant swath of Sony Blu-ray players if they did.
Take the root-key of PS3 and then just multiplicate with 360, and woila! you got the Xbox 360 key as well!
...Sony does the geek gamer world a huge honor by throwing open this damned fine machine to exploitation by a horde of geniuses and starts beating the drum really loud about PS4.
...for the first time at a buddy's house. Just sat there looking around while dudes ran by and shot/stabbed/exploded/bombed me. I was helpless.
I can play some NCAA Football 11, though...just takes practice.
Fine, we can call it sell-and-yoink when a vendor pulls features from a captive product.
The obvious lesson to manufacturers is that if you yoink the wrong feature, the captive audience will jailbreak as the necessary solution.
Let's see how many iterations it takes to learn it.
I'm sick of these sorts of comments. This is Slashdot people, news for nerds. Don't make these kinds of comments!
We will not know whether or not lawyers are full of hot air enough to reduce terminal velocity to a survivable speed, until we have taken a significantly large random sample, and dropped them from planes.
I suggest we take some aspiring lawyers, and use them as our control, as I couldn't bear the thought of accidentally killing someone who isn't a lawyer.
Scientific rigour, people. Use it!
This is my footer. There are many like it, but this one is mine.
Did you view the 27C3 talk about the PS3? The first keys ARE in hardware, fixed. It's the first keys used to check anything, and they are set in stone so no hacker can touch them, but also no update can touch them. Also changing them would break everything out there. You might be able to get around those with huge whitelists. But that's not practical in the end at all.
I wonder... It has been 4 years since the PS3 was released. I remember Nintendo's reaction to the first GameCube hacks: "well, it was inevitable, but the countermeasures lasted several years. Now we are launching a new game console, have fun!"
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Actually DEC (now HP (now Compaq)) released the Alpha
Alpha is the chip....
His website was changed. Only after he was asked, as was pointed out in other comments here by folks from fail0verflow, did he give credit where it was due.
Encryption is preventing Alex from seeing what Betty is saying to Charlie.
DRM is trying to prevent Betty from seeing what Betty is saying to Charlie. Since Betty has the keys in her physical possession, it's just a matter of time before the DRM is broken.
From http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/comment-page-1/#comment-6413 :
"You wouldn’t even have seen discussion inside Sony. Their corporate culture is very stovepiped, quite dysfunctionally so since what would be regarded as normal communication channels in other companies (even the highly regulated ones that exist in Japan where as an engineer or developer you’re given a task and perform it to the best of your ability without thinking of questioning any of it) simply don’t exist. So for something like this development team A would have been handed a fait accompli by development team B without any ability to question it, or even an ability to provide feedback if they noticed a problem. In fact the first that one team may hear about some new techology is when it gets shipped to them from some other development group (people complain about the lack of technical info from Sony to work with the PS3 but it’s not much better for people working inside the company, who have extreme difficulty getting the information they need).
So not only would Sony not have employed Root Labs to look at this, they wouldn’t have involved anyone else at Sony outside the narrow stovepipe that worked on it."
> The key also cannot be changed without hardware modifications.
Simple. Sony releases a new PS3+ that is backwards compatible with PS3, but with new keys and this exploit patched. Any PS3 can be upgraded to a PS3+ for FREE, you only need to take your PS3 to a service center and wait for 15 minutes for a hardware "upgrade".
PS3 will no longer be sold. Only PS3+ are available.
New games eventually require PS3+, and as hacks and aimbots start to plague games that support the old PS3, PS3 players (those willing to PAY for games) flock to upgrade and play PS3+ only multiplayer games.
Might cost Sony a bunch, but hardly showstopping if they start to see real damage from pirate games or hacks.
Oliver.
Can someone explain what is the rationale behind keeping the private key inside the device?
If it needed to verify the authenticity of digitally signed applications, did it not need to have just the public key that corresponds to the private key of the signer?
The saddest poem
Cheap hardware (which you have to buy anyway) combined with expensive software (which is trivially copied) only serves to make piracy far more attractive too.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Steam is a rental, not a purchase. If Valve folded tomorrow and Steam went to liquidators, their "We promise to release DRM on the games" statement is worth less than the electrons fired along the wire to your monitor allowing you to read it.
Don't get me wrong, I love Steam and like you made many, many purchases over the holiday period. I'm under no illusion, however, that I am absolutely guaranteed ownership of those games if Valve turns off the servers.
Finally had enough. Come see us over at https://soylentnews.org/
Here's what they would have to do (from a high level perspective, all you encryption experts can retract your claws) to fix this [...]
Very good point and I wouldn't... ahem... won't be surprised when this happens. At least this will provide homebrewers with the option to either have an unbound system or not homebrew. This is in contrast to either still being bound with Other OS or bound without.
Actually, it would be almost perfect if Sony succeeded in this. Pirates still lose and homebrew still lives. I mean, I download shit all the time but I know there's millions of people out there and corporations who have to deal with this who provide for these millions of people who will ultimately lose.
I cheer it being broken open, now people can do what they want with the hardware they paid for. Sony doesn't have to lose business over this.
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
> *My Steam account alone has 300+ titles.
WTF.
> Mostly bought through holiday sale packs at a huge discount. I've probably played less than half so far, but I'm still discovering games that I bought more than a year ago.
WTF.
That is all.
They only have as much control as you give them. A cracked executable works with Steam just as well as a retail game.
Haha, what an elite group they're in. Somebody should make a list of this stuff and get credit for coining a term.
Hey, look at that, EVERYONE shows me right and then what happens, I'm modded Troll. Geohot's crew taking vengeance?
Hey, GeoHot, if you were so good, why does the shit on your site not work, and why are there no in-depth detailed instructions or how-tos to replicate exactly what you did?
You're a fraud. Any basic EE or programmer can tell from miles away.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
You can output SACD stereo and multi-channel in 176 kHz/24-bit over HDMI. You can output SACD stereo over optical also. The only change is you can't have multichannel output converted to DTS over optical, which if you are really using SACD for quality, you didn't want to use anyway.
I realize that the format still exists. And I also realize that talking about "how many titles" are available should really be phrased "how few titles" are available.
I agree the SACD feature never worked perfectly. If you're serious about SACD, a PS3 is a poor choice for several reasons. Get a real SACD player, it'll work better and you can even get DSD direct output.
Again, if you feel SACD was degraded with a firmware update, then THIS IS NOTHING LIKE HOW BACKWARD COMPATIBILITY WAS TREATED. Backward compatibility was not removed at any point. If your PS3 had it before, it has it now. Mine still has full PS2 BC, with firmware 3.55. I just booted up SSX Tricky (PS2 game) last week.
Calling Other OS (removal), SACD (still there, one feature removed) and BC (not altered at all) to be all the same so you can call this a recurring pattern is quite a stretch.
I did, but I don't believe for a second that Sony can't work around this, even if it's not practical for them to do so and even if it involves a huge whitelist -- as mentioned, historically they've proven that they will go to immeasurable lengths to protect their intellectual property, easily at the expense of the customer.
Beyond that, Sony has already come out and acknowledged the flaw and announced that they will have a fix for it that will resolve the issue -- I don't think their PR firm would have been allowed to say that if they couldn't actually fix the problem.
That said, thanks for clarifying some of the misinformation I had -- I watched part of the 27C3 talk but did not view in its entirety, and had not seen the portion where they mentioned that the key was locked tight in the hardware somewhere.