Playstation 3 Hacking – Linux Is Inevitable

In the talk “Why Silicon Security is still that hard” by Felix Domke at the 24th Chaos Communication Congress in 2007 (in which he described how he hacked the Xbox 360, and bushing had a cameo at the end explaining how they hacked the Wii), I had a little part, in which I argued that “Linux Is Inevitable”: If you lock down a system, it will eventually get hacked. In the light of the recent events happening with PlayStation 3 hacking, let’s revisit them.

This is the original slide from 2007:

device

y

security

hacked

for

effect

PS2

1999

?

?

piracy

dbox2

2000

signed kernel

3 months

Linux

pay TV decoding

GameCube

2001

encrypted boot

12 months

Homebrew

piracy

Xbox

2001

encrypted/signed bootup, signed executables

4 months

Linux

Homebrew

piracy

iPod

2001

checksum

<12 months

Linux

DS

2004

signed/encrypted executables

6 months

Homebrew

piracy

PSP

2004

signed bootup/executables

2 months

Homebrew

piracy

Xbox 360

2005

encrypted/signed bootup,encrypted/signed executables, encrypted RAM, hypervisor, eFuses

12 months

Linux

Homebrew

leaked keys

PS3

2006

encrypted/signed bootup,encrypted/signed executables, hypervisor, eFuses, isolated SPU

not yet

Wii

2006

encrypted bootup

1 month

Linux

piracy

AppleTV

2007

signed bootloader

2 weeks

Linux

Front Row piracy

iPhone

2007

?

1 month

Homebrew

international

SIM-Lock revenue

The table shows the relationship between the quality of a device’s security system and the time it took to hack it, as well as the original motivation for hacking and the side effects (collateral damage) it caused.

Correlation security/time to hack

There is a pretty clear correlation betwen the quality of the security system and the time required for hacking it – with the notable exception being the GameCube, which had rather weak security, but since its release coincided with the much more powerful Xbox, much of the hacker community neglected the GameCube until the Xbox was done. What can also be seen is that recently, devices tend to get hacked more quickly; probably simply because there are more and more people interested in hacking.

Correlation Linux/time to hack

The other exception is the PlayStation 3, which was not hacked until about three and a half years after its introduction. I argued that this was because there was only very little motivation to hack it: Sony shipped the devices with the “Other OS” option and even sponsored a port of Linux to it, allowing any user to install Linux if they wanted. Although Linux was running on top of a hypervisor and did not have access to all of the features of the device, it seems to have been enough to take the enough motivation to hack it out of the hacker community.

Linux/homebrew is the primary motivation

This is supported by the by the fact that the motivation for hacking every system in the table was either homebrew (i.e. running unautorized hobbyist applications) or Linux. Hackers seem to love to convert their devices into Linux computers to run a big library of existing software, or to hack the device to make it possible to run versions of existing emulators and games on the native OS.

Piracy is a side effect

None of the hacks in the table was done with the motivation to allow running copied games – but whenever the point of the security system was to prevent piracy, hacking it inevitably enabled piracy as a side effect. Some security systems protected other things like pay TV keys and SIM-locks; these also fell as side effects.

2010 update

In September 2009, Sony started shipping the “slim” model of the PlayStation 3, with the “Other OS” feature removed. With firmware 3.21 in April 2010, the feature was also removed from existing original models that users chose to upgrade – which was required for using any of the online features. The missing “Other OS” feature on the slim model motivated George Hotz (geohot) to hack into hypervisor mode (Jan 2010), but this approach did not lead to a working hack of the security system. In August 2010, the Australian company OzMods announced the commercial “PSJailbreak” USB dongle that hacks into non-hypervisor mode, allowing piracy and homebrew (“Backup Manager” says “backups and homebrew”).

Although this is the first time that a commercial company is first to hack a system, and the first time that piracy seems to have been a key motivation, removal of “Other OS” might have been another motivation, and geohot’s previous attempts might have helped as an entry point for this hack.

Usually, an open hacker community develops a hack, and commercial companies convert them into modchips. This time, a company developed a hack and a modchip, and the community reverse engineered it and ported the exploit code onto several other devices, allowing people to hack the PlayStation 3 without a dedicated device. And I’m sure Linux will be adapted soon to run in the new environment.

Conclusion

What do we learn from this? Linux is inevitable. Or maybe it should be “Homebrew is inevitable”. In the history of mankind, there has yet to be a popular system that is locked down to only allow certain software to run, but does not get hacked to run arbitrary code. I still dare to say that if Sony had not removed “Other OS”, the PlayStation 3 would have been the first system to not get hacked. At all.

(Here is an updated 2010 version of the table:)

device

y

security

hacked

for

effect

PS2

1999

?

?

piracy

dbox2

2000

signed kernel

3 months

Linux

pay TV decoding

GameCube

2001

encrypted boot

12 months

Homebrew

piracy

Xbox

2001

encrypted/signed bootup, signed executables

4 months

Linux

Homebrew

piracy

iPod

2001

checksum

<12 months

Linux

DS

2004

signed/encrypted executables

6 months

Homebrew

piracy

PSP

2004

signed bootup/executables

2 months

Homebrew

piracy

Xbox 360

2005

encrypted/signed bootup,encrypted/signed executables, encrypted RAM, hypervisor, eFuses

12 months

Linux

Homebrew

leaked keys

PS3

2006

encrypted/signed bootup,encrypted/signed executables, hypervisor, eFuses, isolated SPU

4 years

Piracy

Homebrew

Wii

2006

encrypted bootup

1 month

Linux

piracy

AppleTV

2007

signed bootloader

2 weeks

Linux

Front Row piracy

iPhone

2007

signed/encrypted bootup/executables

11 days

Homebrew

SIM-Lock

piracy

iPad

2010

signed/encrypted bootup/executables

1 day

Homebrew

piracy

52 thoughts on “Playstation 3 Hacking – Linux Is Inevitable”

  1. Great article.

    Have you ever looked at Android? I heard that it uses SELinux, and that SELinux is what NSA uses.

    Would be possible to build a 100% secure console using SELinux?

  2. @Amadeus: iPhone uses SEDarwin, which is the same as SELinux, but adapted to the XNU kernel. Does this answer your question?

  3. @Michael: I haven’t followed how the iPhone was hacked in detail, but wasn’t it a hardware hack that Geohot did?

    Could it have been done only through software? I.e. is SEDarwin secure or not?

  4. @Amadeus: with the exception of the initial geohot hack, ALL the iPhone hacks have been software.

    Android uses a stock Linux kernel with no special patches for MAC (i.e., not SELinux). You get root, you own the device. Recent models have added trusted boot support so at least there is some lockdown on what you can do with root access. But really, Android is even farther behind on this than iPhone.

  5. Sorry mist, but …
    The Table is like comparing “Apples” with Trees -comparing a Word Exploit with an OS Rootkit

    For example, Xbox 1 was broken @bootloader Rom/Address Handling in Chipset (compleate chain of trust collapsed, OS was on Readonly unupdateable Flash, downgrade possible)
    compared to xbox360 / ps3
    Kernel exploit found (fixable), updateable, OS on flash updateable, downgrade restricted, Chain of trust NEVER broken

  6. Piracy is a side effect? what a joke. Almost all the hacks were done with one and only one goal: piracy. Do you really think those teams who spend thousands of dollars in development of a hack and then sell $150 modchips expect to profit from homebrewers and not pirates?

    How come several of those “linux” hacks are made by the same people who happen to be members of warez release groups?

    How come many of those “linux hacks” contain code with no other purpose than bypass anti-piracy checks that are only present in protected games and not in homebrew?

    How come one of the first xbox hack was re-released publicly as a linux loader when it was already circulating in the scene for some time as a warez loader?

    How come the linux dBox hack was made by people who are known to makes tons of money selling pirate pay-tv cards on the side ? (just ask Felix)

    How come sometimes warez groups start to release pirate ISOs for a console just a few weeks before the “linux hack” is finally released?

    I will admit that the iPhone case is different. But all the consoles and the dBox, you know very well they were hacked for piracy.

  7. what is realy wrong with you people of course that piracy is a big factor that the hacks are developed ..every system that is hacked never used homebrew ..why play emulators when u got games like mw2 ,black ops,killzone,shift etc etc …and the only homebrew people will use is backup manager

  8. You have the ps3 timetable mixed up a bit. Geohot used Other OS to find his exploit, then Sony removed it with a software update to keep others from doing the same thing. His motivation had nothing to do with Other OS being removed.

  9. @Josh: yes, it did. George started to hack the PS3 after the Slim was introduced which doesn’t offer OtherOS at all. The motivation was to explore the system to maybe find holes which are present in the Slim, too. After he succeeded, OtherOS was removed from the “fat” PS3 models, too.

  10. ?PSJailbreak? doesn’t enable running code that can control the hypervisor (lv1) but “only” GameOS (lv2).

    Geohot’s hack enabled full control and dumping the hv. The isolated SPUs are still unaccessible, similar to the PSP’s encryption system.

  11. @Roberto, it’s sad to hear you say that. tmbinc worked really hard on that hack, and all he _ever_ wanted was homebrew. Sad days when people don’t even know the origins of the hack that lets them pirate thousands of games.
    @John, you’re even dumber than Roberto. All of the hacks outlined were done with _SOFTWARE_, and had no modchips involved. Yes, modchip developers are usually in it for the sales to pirates. Software hack developers are usually in it for homebrew and Linux. The Wii was hacked for homebrew, the GameCube and DS were hacked for homebrew, PSP was hacked for homebrew (believe it or not!).

  12. I find this hard to believe. Geohot started hacking the PS3 before anyone knew Other OS was gonna be removed from Phat PS3s. He hacked it because noone had done so yet, he had no intentions to wright home brew code for it. I’m also gonna say that I don’t think PS jailbreak was slapped together in 4 months. Something like that takes a lot of research, development, time, testing and negotiations to get the product produced.

  13. The xbox 360 was hacked for the purpose of piracy only. The first hack (the drive hack) was supposed to be released to allow research into loading linux. Even after the “team” discovered that the binaries are signed and everything they continued to make firmwares that evaded microsoft banning your console.

    If the PS3 didn’t lose the other OS it may never have been hacked. I’m sure when the PS4 is out and the PS3 drops to $120 people will be tripping over themselves to turn the PS3 into a media centre / emulation machine / compute node. It’s inevitable that the PS3 will be hacked again and again until this dream comes true though.

  14. Since we’re (somewhat) on the subject of piracy I’d like to ask a question…regardless of their original intentions, who in their right mind, honestly, did NOT think piracy would be a side effect of their hacks? If any of these people(who are very obviously smart enough to know better) truly thought that piracy would not be an issue then I will gladly eat my shorts(racing stripes and all lol). The sad truth is, they just didn’t care. They wanted what they wanted and utlimately didn’t give a damn about what the consequences of that might be. Again, I’m not saying that their original motivations were piracy, but they simply HAD to know that it would happen as a result, yet did it anyway. So I suppose I’m saying the homebrew vs piracy issue is not as black and white as so many would have us believe. There really are no “good guys” here.
    On the subject of how the PS3 got hacked I totally agree that removing other os was the final nail in sony’s coffin. Add on to that they had been systematically removing many of the other features originally used as selling points, and you have a LOT of motivation for hacking from people who might not otherwise have bothered. You are absolutely right. I’m happy to have read it so elgantly stated.

  15. I’m missing the Dreamcast in your table. The system that has been hacked without any hardware mod or chip. Which was very sad as it essentially killed the system (although there are still releases of new software for the Dreamcast in Japan up until now)

  16. @trap15
    Of course I am dumb. I didn’t have most of those hacks, even the Wii one, running warez at home long before you even heard about them, let alone long before people even had the tools to develop homebrew.

    And sure, tmbinc is a little angel who did all of this stuff for the beauty of open source. His ties to Dream Multimedia are all in my imagination.

    @skittles
    Those guys are well aware of the piracy issues. Don’t kid yourself, most of them have tons of pirated games at home and almost never even run homebrew on their consoles. As I said, several of those hack developers are coders for pirate release groups.

    @edude03
    As others have said, you are deluded to think that the PS3 jailbreak has anything to do with the removal of otherOS. Finding the vulnerablity, developing a product, and then selling it takes months. And I don’t think that the $150 modchips re-enables the otherOS function (maybe I am wrong, can’t bother go check). On the contrary, it has a function to load pirated games. I haven’t seen much homebrew for PS3 yet. But I have seen that all the pirate BitTorrent trackers now have PS3 warez sections.

    @Darkstar
    And I don’t think that the Utopia boot disc’s primary use was to launch Dreamcast homebrew. http://en.wikipedia.org/wiki/Utopia_bootdisk

  17. “None of the hacks in the table was done with the motivation to allow running copied games…”

    100% untrue, as is the Xbox 360 section of the slides. How can you say the Xbox 360 was hacked for Linux homebrew in 2007 when it was a DVD drive firmware modification? The sole purpose of the firmware flash was to allow burned (pirated) copies, it did not modify the OS of the 360 itself at all and thus it did nothing towards allowing Linux. In fact, homebrew didn’t become a reality on the 360 until late 2009 / early 2010 (and even so, the number of 360s that can do it is very limited) so everything from launch until then was purely about playing burned games. Of course, it’s always thinly veiled as “making backups of your own games in case of scratches”. ;-)

  18. @Darkstar The fact that no hack was required is probably why it’s not even on the slide. I remember being able to burn games on CDR and play them on my Dreamcast without doing anything do it, they just booted and worked. It’s not hacking if that’s how Sega sent it to us.

  19. (Hey, my anti-spam word is “NUTTY” – how appropriate for this topic…)

    @John, I disagree. Please show me the hacks that have spent “thousands of dollars in development of a hack”. Sure, there are a lots of hacks that have been sold in the form of $150 modchips, but these hacks were done AFTER another hack appeared – on most systems. Ps3jb is, probably together with ps2 hacking, the notable exception.

    I also have to object strongly to your statement that the “linux dBox hack was made by people who are known to makes tons of money selling pirate pay-tv cards”. That’s simply not true. The linux dBox II hack was done by individuals that were not involved in illegal, or even immoral, activities regarding to selling “blank” smartcards. In fact, most people only got into the paytv “scene” by working on the dbox2. While it is true that projects that built on top of this hack have been funded by people who were involved in “gray” side activities, the dbox2 hack itself was not. Which pretty much proves the point again – the initial hack is usually done by individuals not interested in the business aspect, but the hacks will be commercially exploited afterwards by people who do care about the money.

    I can’t comment on the your other statements, since I don’t know what platform you’ve meant.

    In my eyes, hacks that were initially done with a commercial, or even just piracy background, that really contributed (in terms of applied knowledge, cleverness and novelty) are really rare. The recent ps3jb comes to my mind, additionally maybe the cobra/viper DVD exploit (not the actual hardware). Most of the remaining “interesting” hacks were not done directly linked to piracy.

    On the other hand, the moral responsibility for a hack is usually underrated. The usual “it’s just a knife” approach is easy, but very naive. But then again I stand firmly behind the “it’s about freedom, every hacker should do whatever he feels the right thing to do” (and of course live with the legal and moral consequences).

    @Dave, Michael simply ignored the DVD hack. Hacking the DVD-ROM on the Xbox 360 (which by the way happened in 2006 already) was a completely separate hack from the hack that initially allowed homebrew (the Hypervisor privilege escalation, also known packaged as the “king kong hack”). It was (and is) not relevant for his table. Unfortunately, the “homebrew hack” however back then also allowed certain console keys to be dumped and be used for cheating. That’s the relevant part for this discussion. Yes, maybe a second PS2-like row should be added for “Xbox 360 DVD Drive”.

  20. @Felix
    Just take Bunny’s xbox hack for example. He wasn’t the first one to do it, and I seem to remember that he used pretty expensive equipment. Of course he was lucky that it was university provided. Often when developing a hack for a console, you might destroy several consoles in the process, which is also costly. There there is the cost of prototyping and manufacturing, when talking modchips and other hacks that require custom hardware.

    And I still disagree. From my experience in the scene, most hacks were developed for piracy and the homebrew stuff came as a way for the hacker to make publicity for himself or as in attempt to seek protection from lawsuits.

    I will admit that even though some of the hacks are not commercial in nature (free, no modchip required), they were still developed for the purpose of piracy.

    I myself have developed such a hack, I even embedded some tricks to prevent its use as a pirate tool when I released it. But guess why I really developed it. The anti-piracy stuff was just a feable attempt at covering my ass.

  21. Interesting article. I just thought I’d point out that not citing piracy as the side effect for hacking the Xbox360 is weird from where I stand. It’s been the focus of one key argument for years in the Xbox360 X PS3 debates in Brazil, where console game piracy has been traditionally rampant and you can say it might be slowly changing (or it just a circumstantial thing) because PS3 owners have been forced to buy PS3 games in the past years. Additionally, Xbox360 game torrents are popular.

  22. @John: bunnie said, when asked, that he destroyed exactly a single console in the process (I remember someone asking him exactly that question on his talk at C3): the one where he decapped the chip out of curiosity – which was not required for the hack that he did either. Also his equipment was in the sub-$200 range I’d say. It was a custom PCB, some LVDS buffers he got as samples and an FPGA board that he used before.

    I don’t know the exact timeframe, but as far as I know, none of the milestones in Xbox1 hacking were done with a commercial background. They might have had a piracy-enabling background, but not a commercial. Other people here might be able to enlighten me.

    So, please provide an example: Which hack (for example from the table above) was developed with big $$$ in the background? I agree that this might be true for some piracy-only hacks (for example in the PayTV area), but none of them were even labeled as “homebrew”. It also might be different for example in the car chiptuning business. But for gaming consoles or consumer equipment? I’m still looking for a single really good example here.

    The explanation why most hacks are not developed by people who have the money is also easy: Hacking is not a straight-forward process. It’s not that you spend X amount of money to get the hack you want. It’s more something where you have to be lucky to find something. Who would invest money if he doesn’t know the outcome? Once something has proven to be hackable, that’s different of course.

  23. @trap15

    sorry but the kk hack used the dvd fw hack (and this has been done JUST for PIRACY)

    if you don’t know history, shut up

    and i think ps3 has been hacked by egohot, not by this modchip, this ps jailbreak only lead to PIRACY!!!!

    this article is a… shit.

    if 360 was hacked by domke and not by the people who worked for JTAG/SMC hack why ps3 has not been considered hacked by the kid who hacked the hv??

    hello word in ps3 was possible SINCE DAYONE!!!

  24. and xbox 360 hv hack effect, nowdays with jtag, is PIRACY…

    i’m sorry for domke but this is the reality…

    in that table seems the 360 has never had piracy… shit… only leaked keys…

    please next time write a more impartial article…

  25. I knew that this “but the KK hack used the DVD hack” would came up. Yes, using a modified firmware was the most convenient way, but you could always just hot-swap the original game with the modified, burned copy of the game. It did not technically require a modified firmware.

    And again, yes, the JTAG hack has lead to piracy. Again, the JTAG hack has been motivated by Homebrew, not by piracy. That’s the point – again. Many hacks that are motivated by homebrew do in the end lead to piracy or leaked keys, i.e. much worse problems than homebrew. The point is not that there haven’t been any hacks at all that have been motivated by piracy directly (which is clearly untrue, see Xbox 360 dvd hack for example).

    The bottom line is that it seems you can avoid a lot of “hack momentum” by allowing homebrew, and you will generate this momentum the moment where you restrict it. PS3 proves that *right now*. If piracy would be the only motivation, people would be done – OpenPSJailbreak delivers that today. But people spend more time on that to bring OtherOS back. And my personal opinion is that they will dismantle all security in this process as a side effect, for example the isolated SPU security.

  26. i know that jtag has been motivated by homebrew but if you assume this, you shoud consider that even ps jailbreak has been done for homebrew and not for hb and piracy too.
    the point is that homebrew is used for piracy at 99%…
    the only difference is that behind psj there is a commercial company and not an open community like jtag or other hacks.
    so you can say psj is for money, not piracy.
    but again if you want to compare kk hack motivations you shoud do with geohot hv hack.

    just my 2 cents.

  27. and sorry in my first post i never indended that domke has hacked the 360 for piracy, and i never used jtag for pirating games, i don’t even have a 360 or ps3 for gaming. i respect people who work for homebrew and linux.

    i just was considering that dvd hack comes before kk hack, so the first working hack for xbox 360 has been done for piracy.

  28. true, so true.

    Sony disrespected its costumers and removed OtherOS just because they were afraid of GeoHot.

    I should never bought my PS3. Sony never, never more.
    My PS3 is stuck in FW 3.15 and, if they never removed OtherOS, I would be sad about all this hack and piracy. But MAN, I’m loving all this shit. Sony deserves this. Now they will run like crazy bitches trying to fix this exploit (already “fixed”) and hackers will find another exploit, just like the PSP.

    Nintendo FTW.

  29. I don’t count the 360 DVD drive flash as a hack…
    And you guys should remember that tmbinc quit when the rebooter was released

    Motivation:Linux and Homebrew
    Adventual effect after some years: piracy
    Don’t listen otherwise
    I made my jtag before the rebooter, and use it for development, that makes me in the 1%

  30. what’s really funny of all this discussion
    is that nobody guessed what’s probably the real story behind the PS3 Jailbreak …
    (BTW also the fact that they removed the OOS from Ps3 on April 1st is clue)

    Piracy is the best promotional marketing any big company ever had

    without piracy none of these
    Microsoft
    Apple
    Nintendo
    Sony

    won’t be as big as is right now!!

    the fact is , the invested alot of money into PS3 …
    and when they start to sell it the natural progress was PS2 to die and PS3 to take his place ,, after 4 years and no piracy PS2 is still selling at around 100 euros/$ PS3 loosing places and big money in spite of Nintendo or XBOX
    (people just don’t buy consoles if the overal price is to high)
    then usually even if many of they would have many pirate copy they would anyway buy some tittle that they really like… so

    Nintendo right now is the KING just because there’s a lot of pirate tittles for it, and they sell much more console than the console quality is worth of

    the result is SONY change their mind and just pushed piracy a bit on his console to gain places in the market and put the RIP over the PS2 … etc..

    I think this time the only done by hackers was reverse engineering of the original Jailbreak (made by SONY :)

  31. Im sure the people involved in hacks for the sak of homebrew would like to justify their work as seeking freedom… but if thats really the main reason why buy closed devices in the first place? It makes no sense to buy a console when a generic pc will do more for the same money. If breaking security systems is your hobby fairenough but trying to justify it as some quest against closed systems is just silly. The best thing that can be done against closed systems is to not buy them. If your hobby is breaking security systems be prepared for your work to be used in ways you might not agree with.

  32. Cantido: The PS3 was one of the few affordable machines containing the Cell processor, which really is exceptionally well suited as a node in a supercomputing cluster. A fair number of us were specifically interested in that application, not in the PS3 as a game box.

    Of course, part of the reason the PS3 was cheap was “loss leader” pricing. Sony deliberately priced the box low to encourage sales, making most of their profit on the games. This is standard practice for game consoles. One could argue that those of us who just wanted the PS3 as a Linux box were taking unfair advantage of that system… but that was factored into Sony’s plans; Sony explicitly sold the PS3 as being able to run as a general computer in addition to gaming, and in fact if I bought a few as a home supercomputer I’d probably also consider buying a few games.

    I understand Sony’s concerns. But I think they may have done themselves more harm than good. Not least because we now know Sony’s promises about ongoing support of their products are not trustworthy.

    Which is a real pity. I’ve liked the other Sony products I’ve used. Now I need to stop and think about whether I’d rather buy from someone else who doesn’t have a history of sabotaging their customers.

  33. Pingback: programming

Leave a Reply to Technogeek Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.