PS3 Hacks

#1 Spot for PS3 Hacks


#1  2008-07-12 06:56:13

Xakker
PS3 Just Gettin' Started
Registered: 2008-07-12
Posts: 11

[ THEORY ] Hacking PS3's firmware's L33T Encryption

EDIT: A wiki is up to detail the security model for the PS3! Go to http://ps3hacks.pbwiki.com/, register, and feel free to edit the wiki with what the community knows! GO NUTS

As you may already know, the PS3's firmware is encrypted with 2048-bit AES. The firmware's code does NOT vary between PS3s, so all 1.90 firmware is encrypted and signed with the SAME key. Here is how I know that: for example, say you are a bad boy and hack Metal Gear Solid Online. Sony will ban your hardware, not the firmware you are running. So, for example, if you are running 1.50 firmware and you get banned, updating to 1.90 will NOT get you unbanned. Sony bans your hardware, and most likely your Cell processor. So in theory, if we decrypt the 1.90 firmware on one PS3, we could use an Infectus or similar chip to carry the decrypted firmware onto lots of PS3s, and all of those PS3s would run decrypted code.

There is a huge problem in the way of the decryption. It would take thousands of years to decrypt Sony's L33T encryption on a standard dual-core processor (Pentium). Fortunately, we could use PS3s to decrypt the code. If you read this (http://www.pcworld.com/article/140064/h … words.html), you can see it is possible to use the Cell and its Synergistic Processing Unit cores as an efficient cracking station. This is one method to decrypt the firmware encryption. Say we have a small number of PS3s (let's say 50); we would be able to install Linux on them and create software that tries keys to decrypt the code.

(Long technical talk incoming...)

We can benchmark how many codes ONE PS3 can check in an hour. Then we could estimate the number of keys that need to be tried (a trillion, for argument's sake). We can assign each PS3 a range of passwords to try (we give PS3 1 100000-200000, PS3 2 20000-30000, and so on) so that every single code is checked. It may be possible to decrypt the unbreakable PS3 in a matter of months. We could also create an algorithm that rules out certain ranges of passwords, leaving us only several billion passwords to try. If we use a cryptanalysis method to break the PS3, we must be very, very careful that the software does not accidentally rule out a valid password. If we use a brute-force attack, we can be almost 100% certain that a valid code will not be ruled out, but it will take a LOT longer.

If I understand correctly, the project could be feasible, but it will require some very smart coders, cryptanalysts and a SH1TLOAD of PS3s. Let me know your thoughts about the project.

Thanks, Xakker

Last edited by Xakker (2008-07-16 12:34:11)

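The key-space split and cost estimate described in the post above, as an added example written for this page (not code from the thread, from Sony, or from any PS3 project). The 20-bit toy key and its SHA-256 check are constructed stand-ins for a real firmware-key test so the search finishes instantly; the figure of a billion keys per second per console is an assumption used only for the estimate, and the 128-bit key size is the smallest AES key size (AES keys are 128, 192 or 256 bits), not something the post states.

```python
"""Key-space partitioning and brute-force feasibility (constructed example)."""
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def partition_keyspace(key_bits, workers):
    """Split [0, 2**key_bits) into `workers` disjoint, contiguous half-open ranges.

    Sizes differ by at most one key, so the load is balanced and, crucially,
    every key belongs to exactly one worker.
    """
    total = 1 << key_bits
    base, extra = divmod(total, workers)
    ranges = []
    start = 0
    for i in range(workers):
        size = base + (1 if i < extra else 0)
        ranges.append((start, start + size))
        start += size
    return ranges


def ranges_cover_keyspace(ranges, key_bits):
    """True only if the ranges tile the key space with no gaps and no overlaps.

    This is the check the post worries about: an assignment that skips a
    range (e.g. one console gets 100000-200000 and the next 20000-30000)
    can silently drop the one key that is actually valid.
    """
    expected = 0
    for start, end in sorted(ranges):
        if start != expected or end <= start:
            return False
        expected = end
    return expected == (1 << key_bits)


def expected_years(key_bits, keys_per_second_per_node, nodes):
    """Expected wall-clock years to hit a uniformly random key.

    On average half the key space is searched before the hit.
    """
    total_keys = 1 << key_bits
    seconds = (total_keys / 2) / (keys_per_second_per_node * nodes)
    return seconds / SECONDS_PER_YEAR


def search_range(start, end, is_valid):
    """One worker's job: test every candidate in its range, return the hit or None."""
    for candidate in range(start, end):
        if is_valid(candidate):
            return candidate
    return None


def brute_force(key_bits, workers, is_valid):
    """Run every worker's range in turn (a real cluster would run them in parallel)."""
    ranges = partition_keyspace(key_bits, workers)
    if not ranges_cover_keyspace(ranges, key_bits):
        raise ValueError("partition would skip or double-cover part of the key space")
    for start, end in ranges:
        hit = search_range(start, end, is_valid)
        if hit is not None:
            return hit
    return None


# Constructed toy target: a 20-bit key, "verified" by matching a known digest.
# This stands in for decrypting a firmware block and checking it looks right.
TOY_KEY_BITS = 20
TOY_SECRET_KEY = 0x8B1A5
TOY_DIGEST = hashlib.sha256(TOY_SECRET_KEY.to_bytes(4, "big")).digest()


def toy_is_valid(candidate):
    return hashlib.sha256(candidate.to_bytes(4, "big")).digest() == TOY_DIGEST


if __name__ == "__main__":
    print("toy key recovered:", hex(brute_force(TOY_KEY_BITS, 50, toy_is_valid)))
    # Same arithmetic for a 128-bit AES key, assuming 50 consoles that each
    # test a billion keys per second (an assumed, generous rate).
    print("128-bit key, 50 nodes at 1e9 keys/s: %.2e years" % expected_years(128, 1e9, 50))
```

Running the block recovers the toy key and then prints the estimate for a 128-bit key, which comes out around 1e20 years. That is the practical answer to the partitioning plan: splitting the work across 50 consoles divides the figure by 50 and nothing more, and no partitioning scheme changes the size of the space.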

#2  2008-07-12 09:12:16

Trixta
PS3 Hacks Member
From: United Kingdom
Registered: 2007-02-13
Posts: 48

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

You're on the right track; however, when you started talking about the cluster of PS3s using Linux I just stopped reading. Firstly, we are limited when we use the PS3's Linux software; here are the main reasons. Firstly, we are limited on Linux because they blocked all the main features like accessing the RSX and the Cell processor. You might have a good theory here, but many people have already thought of that hypothesis, and as I am not extremely knowledgeable on hacking, I think the best person to speak to is Powerslave.

At least you're trying, that's the main point; it's good to see you're active.

Last edited by Trixta (2008-07-12 09:13:13)



 

#3  2008-07-12 10:10:32

Mr.TurnSignal
Harsesus
Registered: 2007-08-21
Posts: 2291

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

There is no way to hack the PS3. Every theory has been thought of and tried with no luck. Nothing will work. The only way you could maybe hack it is if you bought really expensive mod chips and replaced your whole entire PS3 with them.



 

#4  2008-07-12 10:13:04

Xakker
PS3 Just Gettin' Started
Registered: 2008-07-12
Posts: 11

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Yes, I realise our Yellow Dog Linux is being controlled by the hypervisor; however, we do not need access to the custom graphics card (we will not do any emulation, just brute-force/analytic cracking). Although we are limited in what we can command on Linux, I do not believe the hypervisor understands what exactly we are trying to crack, so it will not crash/brick if we try to decrypt the firmware files. It is possible to use an external hard drive to throw the files into Linux, thus there is really no restriction on what we can run/crack.

I do not see a technical problem with the method (maybe the PS3 will overheat, but if placed in an open area the chance of that is reduced... there is always the Sony warranty lol).


 

#5  2008-07-12 10:16:38

Xakker
PS3 Just Gettin' Started
Registered: 2008-07-12
Posts: 11

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Mr.TurnSignal wrote:

There is no way to hack the PS3. Every theory has been thought of and tried with no luck. Nothing will work. The only way you could maybe hack it is if you bought really expensive mod chips and replaced your whole entire PS3 with them.

Could you explain in detail why we need to have custom chips? We cannot hack the PS3 because of the friggin' updates, where they patch up holes in the system (and brick our PS3s, 2.40 anyone?). However, if we get the latest firmware (2.35 is stable now), we could reverse engineer it by cryptanalysis. No need for custom chips and such.


 

#6  2008-07-12 11:18:06

nickb827
Prior Of The Ori
Registered: 2007-05-21
Posts: 656

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Xakker wrote:

Mr.TurnSignal wrote:

There is no way to hack the PS3. Every theory has been thought of and tried with no luck. Nothing will work. The only way you could maybe hack it is if you bought really expensive mod chips and replaced your whole entire PS3 with them.

Could you explain in detail why we need to have custom chips? We cannot hack the PS3 because of the friggin' updates, where they patch up holes in the system (and brick our PS3s, 2.40 anyone?). However, if we get the latest firmware (2.35 is stable now), we could reverse engineer it by cryptanalysis. No need for custom chips and such.

First off, welcome to PS3 Hacks, and don't double post. The custom chips could disable the hypervisor or the HAL, giving us one hell of an easier time hacking it.



 

#7  2008-07-12 11:33:27

Mr.TurnSignal
Harsesus
Registered: 2007-08-21
Posts: 2291

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

OH go me!! Whoo!! lol, that's why we need custom chips, buddy.



 

#8  2008-07-12 12:01:33

ERIFNOMI
Dr. Daniel Jackson
From: The Moon
Registered: 2007-04-11
Posts: 1334

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

do not use "l33t speak"


 

#9  2008-07-12 12:24:50

VuZuW
PS3 Hacks - Nothing Else
From: Malta
Registered: 2007-04-12
Posts: 1596
Website

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Xakker welcome to the forums. I see you've got a good theory, but I don't know how exactly the chips work and such. I recommend you ask PowerSlave; he seems to understand a lot about the PS3 hardware.



 

#10  2008-07-12 19:03:44

0m1kr0n
PS3 Hacks Guru
Registered: 2008-03-05
Posts: 76

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

The public key is in the CBE die; it's manufactured into it. This is one of the things the IBM and Sony stuff reveals.

Sony, as far as I can tell, didn't have to do any security stuff. The hypervisor is a Type I, meaning hardware: it's inside the CBE and consists of trusted processing with the PPU, SPEs, and the CBE RAM. Everything is stored in "vaults" inside portions of the CBE SDRAM for each SPE at run time. The 8th SPE and a small piece of SDRAM hold internal security stuff, I guess for controlling everything. The CBE SDRAM contents are all encrypted (I'm not going to go into what all they do; read my sig).

The interesting key note about the PS3 firmware is that the FLASH boot loader (the first thing the CBE loads outside its own stuff) defines the security model for all code and content on the PS3.

Where did you get "2048 bit AES" from?

After reading all the tech docs from the vendors, I can say, from having professional experience as an embedded software engineer for systems about as complex as the PS3 in the field of industrial robotics, that the PS3 -can- be cracked. It'll take analyzing the die and a lot of computing power like I said before, though; memory corruption (e.g. buffer overflows, race conditions, null pointers, format strings, etc.) won't work because of the PPU|SPE|SDRAM sequencing and checks and the way the FLASH boot loader dictates the integrity of code.

Read the IBM docs, Sony forum posts, and the PS3 secrets page.

NOTE: If Sony had used quantum crypto with a key exchange based on hardware characteristics, nobody, including a top-level physicist, could figure out the PS3.

Last edited by 0m1kr0n (2008-07-12 19:15:03)


 

#11  2008-07-12 20:15:10

VuZuW
PS3 Hacks - Nothing Else
From: Malta
Registered: 2007-04-12
Posts: 1596
Website

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Man I couldn't understand $hit from the last post.



 

#12  2008-07-12 20:25:03

nickb827
Prior Of The Ori
Registered: 2007-05-21
Posts: 656

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

I am with ya there, except for one thing. Don't you have to have a quantum processor to have quantum keys?



 

#13  2008-07-12 20:31:00

0m1kr0n
PS3 Hacks Guru
Registered: 2008-03-05
Posts: 76

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

nickb827 wrote:

I am with ya there, except for one thing. Don't you have to have a quantum processor to have quantum keys?

I have no idea; I've never used it or seen it. I know it's been available for a while, though. I read the docs on the quantum mechanics and particle physics research years back, though.

If you can't understand my posts, you're probably not going to understand the vendor docs. I generalize everything. They go into detail using abbreviations, synonyms, insightful statements, and bigger paragraphs.

In the end it all comes down to the fact that the crypto public key is in the CBE die and doesn't go out over the BUS. That means -no- software hacks, or extraction, until you get that key.

EDIT: I think some ARM cores used in chips for cell phones have code vaults and die-based crypto keys.

Last edited by 0m1kr0n (2008-07-12 20:43:26)


 

#14  2008-07-12 21:27:50

tkato
PS3 Newbie In Training
Registered: 2008-05-17
Posts: 9

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

So basically you want to brute-force your way in using 50 PS3s.
BTW, personally I think that trying to hack the PS3 using brute force is stupid; hacking it software-wise has proved to be a hard task.
I think that concentrating on trying to find a way into service mode is better. The PS3 and PSP work on the same XMB, only the PS3 has a lot more crypto, thus making the software hard to crack.
The right way is finding an exploit much like the Pandora one; there are four ways to get into service mode, hackers just need to find them.

Last edited by tkato (2008-07-12 21:35:36)


 

#15  2008-07-13 01:11:40

nickb827
Prior Of The Ori
Registered: 2007-05-21
Posts: 656

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

How do you know that there are four ways to get into encryption?



 

#16  2008-07-13 01:45:44

Xakker
PS3 Just Gettin' Started
Registered: 2008-07-12
Posts: 11

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

OK, I'm back, guys, thanks for posting your comments about the project. First off, I want to say to the people who started talking about quantum computers and quantum keys: WTF? If we had a quantum computer, we could crack the FBI's security (Triple AES, two keys) in under a minute. Unfortunately, we don't have a quantum computer yet, so that won't work anytime soon. Next, I have been asked why Sony used 2048-bit AES. Currently this is the most secure encryption, and also the most efficient in fast encryption/decryption, making the PS3 load up reasonably fast, not like 20 mins. 2048-bit is what I heard from a Sony rep; however, since there isn't 4000-bit encryption, 1024-bit will be even easier for us to hack.

I have also heard that we will be required to DISABLE the hypervisor. First, I would like to say we can only get rid of the hypervisor by replacing the Cell processor, which would be prohibitively expensive (500 dollars a PS3 + 600 for a new CELL, x50... I'm bankrupt!). The idea is to extract the encrypted firmware from the EEPROM and put it on an external hard drive. Then we would not need to disable the hypervisor/supervisor, and could run the brute-force/cryptanalysis in user mode.

Edit: There are two keys in the Cell processor; the easier way to find those keys would be to borrow a scanning electron microscope. They have those in a university near me.

Thanks for the replies, and remember, 1 uz l33t tawlk all teh timez L0L~!! (lol)

Last edited by Xakker (2008-07-13 03:43:48)


 

#17  2008-07-13 11:21:03

Xenide
PS3 Hacks SHOTOKAN
Registered: 2008-01-15
Posts: 144

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Has anybody else not understood a word of this thread?



 

#18  2008-07-13 11:33:17

Mr.TurnSignal
Harsesus
Registered: 2007-08-21
Posts: 2291

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

I did, dude. This guy actually knows what he's talking about. I'll use my PS3 to crack the code. But who's gonna make the brute-force program?

Last edited by Mr.TurnSignal (2008-07-13 11:37:37)



 

#19  2008-07-13 11:41:56

0m1kr0n
PS3 Hacks Guru
Registered: 2008-03-05
Posts: 76

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Xakker wrote:

OK, I'm back, guys, thanks for posting your comments about the project. First off, I want to say to the people who started talking about quantum computers and quantum keys: WTF? If we had a quantum computer, we could crack the FBI's security (Triple AES, two keys) in under a minute. Unfortunately, we don't have a quantum computer yet, so that won't work anytime soon. Next, I have been asked why Sony used 2048-bit AES. Currently this is the most secure encryption, and also the most efficient in fast encryption/decryption, making the PS3 load up reasonably fast, not like 20 mins. 2048-bit is what I heard from a Sony rep; however, since there isn't 4000-bit encryption, 1024-bit will be even easier for us to hack.

I have also heard that we will be required to DISABLE the hypervisor. First, I would like to say we can only get rid of the hypervisor by replacing the Cell processor, which would be prohibitively expensive (500 dollars a PS3 + 600 for a new CELL, x50... I'm bankrupt!). The idea is to extract the encrypted firmware from the EEPROM and put it on an external hard drive. Then we would not need to disable the hypervisor/supervisor, and could run the brute-force/cryptanalysis in user mode.

Edit: There are two keys in the Cell processor; the easier way to find those keys would be to borrow a scanning electron microscope. They have those in a university near me.

Thanks for the replies, and remember, 1 uz l33t tawlk all teh timez L0L~!! (lol)

No offense, but I could tell midway through your first paragraph that you haven't even bothered to read the literature from IBM or Sony. Also, where are you getting the info that they use AES from?

Also, as far as I know, "triple AES" doesn't exist. You're thinking of the old standard Triple DES that was replaced by AES. On a related note: Triple DES is still used on POS terminals and ATM machines running embedded Windows.

Nobody has said the PS3 uses quantum crypto, or that a quantum computer exists on the market. Quantum crypto, from what I can tell, will run on an 8086 CPU; it's already on the market, with companies building trademarks off solutions using it.

Now, if you had read the IBM pages and docs, and the stuff revealed on the Sony forums, you would know that disabling the hypervisor would first require decryption. The boot loader in FLASH (the first thing the CBE interacts with when you power on the PS3) starts a chain of trusted computing. It checks itself using repetitive cycling to prevent attacks, and then goes on to load other Sony code.

According to IBM and Sony, the only parts of the binaries that are encrypted are the parts where they validate themselves with the CBE key when loaded into the CBE SDRAM portions/vaults, after which they get an SPE. The "root key" is in the die of the CBE, according to them.

The CBE is supposed to have an internal hypervisor (the functions that check loaded code and assign SPEs). So my guess as to what the 8th SPE is locked for is that an extra security mechanism is loaded by the Sony boot loader to protect DMA calls according to what is being booted (GameOS or OtherOS), which is dictated by an XML(?) file that is altered by the XMB when you flip the configuration in the menu.

Disinformation is counterproductive; always go with the most credible sources.

Last edited by 0m1kr0n (2008-07-13 11:46:14)


 

#20  2008-07-13 12:07:30

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 10992
Website

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

A lot of people come and talk like that, but there's no substance to it. You can say all you want about hacking the PS3, and keys, and encryption, but till someone actually DOES IT, there's no room to crow about anything. You can't ignore the tech sheets on the CPU itself.

As far as the keys go? They got lucky with the XB360 and were able to obtain the KEY in the CPU vault (DVD drive and CPU key must match), but they STILL have not been able to do anything with it, except a complete DVD drive swap, with a new key, to unban a console, and even so, you need a VALID key from another person's CPU; you can't make one up. When their online service bans you, it is the CPU key they ban, so you can't get on with it, EVER. You also need hardware to put another key into the 360's CPU vault. AGAIN PEOPLE, even with what's known about and obtained with the 360, they're still not really any farther with it. All you've got is hacked DVD DRIVE firmware to run specifically made backups.

Now; Sony, more than likely, had the key ETCHED into the CPU circuitry so, #1, it can't be changed, and #2, you can only get it by dissecting it. The key would be a series of etchings that make it permanent. Think of it as a ROM value rather than something like EPROM or FLASH that can be changed; the key in the PS3 probably CANNOT be changed. Then you have e-Fuse technology to make a kernel not be able to run anymore. Sony, with their many, MANY updates, can't be blowing e-Fuses left and right, because there is a limited number of them.

When a kernel is keyed to run on a CPU, it goes by the CPU configuration, just making this REALLY simple. IF an exploit is found in that kernel (like the two XB360 kernels had), an update to the kernel is made, specifically made to run in a different configuration, so an e-Fuse or two is popped in the CPU so the older ones will not run EVER again. All you can do with the exploit on the 360 is run Linux, but guess what? Still no hardware access...

This is reportedly how it works: by utilizing an eFUSE (or more realistically, a number of individual eFUSEs), a chip manufacturer can allow the circuits on a chip to change while it is in operation. The primary application of this technology is to provide in-chip performance tuning. If certain sub-systems fail, or are taking too long to respond, or are consuming too much power, the chip can instantly change its behavior by 'blowing' an eFUSE. This process, reportedly, does not physically destroy the eFUSE, so it is reversible and repeatable. I do not know about the reversible and repeatable part, though; I read elsewhere it is permanent. It basically prevents downgrading. The Xbox 360 CPU has 12 fuse-lines of 64 fuses each. Five of those fuse-lines, for about 320 fuses, can be used to prevent kernel downgrading. So, you have a LOT of room for updating kernels, and I doubt there would be even 160 updates... The other 7 fuse-lines are for performance tuning and maintenance. Also, with the 360 first-year runs, if you remove a resistor (R36T) you are cutting the power line to the method used to handle e-Fuses, thus no changes can be made. You would have to do this prior to taking ANY update, though. This won't work with NEW consoles, because they already come with the new kernels.

We're almost TWO YEARS into the PS3, and there is no information like that available like there is for the 360. So, just sit back, buy your games, and play them. We won't be seeing anything done with the PS3 for a long time.

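A small model of the eFuse anti-downgrade rule described in the post above, added here as an example; it is not code from the thread or from any console vendor. The counts (12 lines of 64 fuses, five lines for kernel versioning, 320 version fuses) are taken from the post; the bootloader rule that an image's level must equal the number of blown fuses, the choice of which lines are the version lines, and the kernel names are assumptions made for illustration.

```python
"""eFuse anti-downgrade, simulated (constructed example, not vendor code)."""

FUSE_LINES = 12
FUSES_PER_LINE = 64
VERSION_LINES = range(0, 5)   # assumed: the five lines that count kernel updates
MAX_VERSION_FUSES = len(VERSION_LINES) * FUSES_PER_LINE   # 320, as in the post


class EfuseBank:
    """One-time-programmable bits: a fuse can be blown (set) but never cleared."""

    def __init__(self):
        self._lines = [0] * FUSE_LINES

    def blow(self, line, bit):
        if not (0 <= line < FUSE_LINES and 0 <= bit < FUSES_PER_LINE):
            raise ValueError("no such fuse")
        self._lines[line] |= 1 << bit
        # There is deliberately no clear(): the anti-downgrade property rests
        # entirely on this irreversibility.

    def count(self, lines):
        """Number of blown fuses across the given lines."""
        return sum(bin(self._lines[i]).count("1") for i in lines)


class Kernel:
    """A kernel image carries the fuse level it was built (and signed) for."""

    def __init__(self, name, fuse_level):
        self.name = name
        self.fuse_level = fuse_level


def kernel_may_boot(bank, kernel):
    """Assumed bootloader rule: the image's level must equal the blown count.

    An image built for fewer blown fuses than the CPU now has is an older,
    presumably exploitable, kernel and is refused; one built for more is not
    yet valid for this CPU either.
    """
    return kernel.fuse_level == bank.count(VERSION_LINES)


def remaining_updates(bank):
    """How many more anti-downgrade steps this CPU can take before the lines run out."""
    return MAX_VERSION_FUSES - bank.count(VERSION_LINES)


def apply_update(bank, new_kernel):
    """Install the next kernel: blow one more fuse so the previous level is gone for good."""
    current = bank.count(VERSION_LINES)
    if new_kernel.fuse_level != current + 1:
        raise ValueError("update must target exactly the next fuse level")
    if remaining_updates(bank) == 0:
        raise RuntimeError("no version fuses left")
    line, bit = divmod(current, FUSES_PER_LINE)
    bank.blow(VERSION_LINES[line], bit)
    return bank.count(VERSION_LINES)


def downgrade_scenario():
    """Exploitable kernel boots, the update blows a fuse, the old kernel never boots again."""
    bank = EfuseBank()
    old = Kernel("kernel-1.0 (exploitable)", fuse_level=0)
    new = Kernel("kernel-1.1 (patched)", fuse_level=1)
    before = kernel_may_boot(bank, old)
    apply_update(bank, new)
    return before, kernel_may_boot(bank, old), kernel_may_boot(bank, new)


if __name__ == "__main__":
    print(downgrade_scenario())            # (True, False, True)
    print(remaining_updates(EfuseBank()))  # 320
```

The point of the model is the missing method: nothing in `EfuseBank` can lower the count, so the only way to run the old kernel again is to stop the fuse from being blown in the first place, which is exactly what the resistor trick described in the post does, and why it only helps before the update is taken.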

 

#21  2008-07-13 13:28:36

Code Red
Tok'Ra
From: In Your Software
Registered: 2007-11-30
Posts: 431

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Powerslave, smashing the hopes and dreams of newbies everywhere.


 

#22  2008-07-13 14:02:33

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 10992
Website

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

Code Red wrote:

Powerslave, smashing the hopes and dreams of newbies everywhere.

That is the brutal reality of it. The only hope people have is some kind of optical drive firmware hack in the future. Even that seems unlikely, as the 360's was hacked in six months, and we are now 22 months into the PS3, and nothing, NOTHING. So, what's that tell you? SOMEONE did their homework this time.

We have the emulation thing, which is cool and all, but really, we all have PCs that can run the emulators 100% better. So, why bother with these minor hacks that any modern PC can handle with no hacks? It's just another thing that someone can put out there: "I DID THIS", that's about it.

0m1kr0n wrote:

The CBE is supposed to have an internal hypervisor (the functions that check loaded code and assign SPEs). So my guess as to what the 8th SPE is locked for is that an extra security mechanism is loaded by the Sony boot loader to protect DMA calls according to what is being booted (GameOS or OtherOS), which is dictated by an XML(?) file that is altered by the XMB when you flip the configuration in the menu.

From everything I read, and I keep repeating this:

YES, the Cell has 8 SPEs, but only six are used for whatever. The 7th is a backup in case one fails during real time; it can be activated. The 8th was put in there in case of a MFR defect; it is just a redundancy in case one SPE failed testing off the production line, so it could be activated as the backup, thus one would be completely inert. That means that at any given time, SEVEN of those SPEs have to be in working order.

So, if the Cell is using all 8 SPEs, or even seven, while only six are for gaming, then one or both of the backups are used for the security overhead? That would make sense, but from what I read, that's not the case. Also, the Cell has a general-purpose core, a NINTH core, which is used as the CPU's microcontroller, but it may also do more than what they are saying. IF the Cell is using even SEVEN of the SPEs, then there is very little room for MFR defects, and that can be costly even at a 10% CPU failure rate. So, it would make sense to MFR a CPU with 8 SPEs and have two backups, one for a real-time failure and one for MFR failure.

Then again, having just one SPE for security detail is feasible. We really know nothing about why the CELL was made the way it was, and what all eight SPEs are for. However, many sources say SIX for the unit, one for backup, and one for MFR defect. SO, who really knows; there is lots of conflicting data.


 

#23  2008-07-13 18:02:48

0m1kr0n
PS3 Hacks Guru
Registered: 2008-03-05
Posts: 76

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

.o0(wonders if this is the die used in the PS3:)
http://hackszine.com/cell_processor_die.jpg

If that is the same die, the Sony post was off by 256KB, and IBM left out a lot of details.

The IBM dev pages and the Sony forums left out a lot of detail.

They did say the SDRAM on chip and the SPEs were based on the trusted computing model with the boot loader, based around the "root key" in the die. Anyone know much about the debug interface? Also, the IBM pages said the PPU had something to do with loading stuff into vaults and activating an SPE to it; there seem to be a lot of gray areas in the details.


 

#24  2008-07-13 18:21:54

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 10992
Website

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

That is the picture of the die that everyone shows... Still, there could have been a few designs of the Cell, and one was just customized for PS3 use.

CPU: Cell Processor

    * PowerPC-base Core @3.2GHz (Prototype ran at 4.66Ghz)
      > 64 bit, "Power Architecture" processor
      > Dual issue, dual threaded, in-order processor.
      > 235 square mm
      > 235 million transistors
      > Rambus XDR and FlexIO technology allow up to 100 gigabyte/s memory transfer rates.
      > 90nm Process CMOS SOI
         > 65nm CMOS SOI Process Started March 07
            - 6GHz at 1.3V
            - Dual power supply; enhances SRAM stability and performance using an elevated array-specific power supply, while reducing the logic power consumption.
      > Power consumption has been estimated at 60 - 80 Watts at 4 GHz
    * 9 Core CPU
       > 1 Power Processor Element (PPE) - Acts as Controller (PowerPC Core)
          > The PPE is dual threaded
       > 8 Synergistic Processor Elements (SPEs) with 256KB "Local Stores" per Core
          > Each SPE capable of 32 GigaFlops (32 bit)
    * 1 VMX vector unit per core
    * 512KB L2 cache
    * 7 x SPE @3.2GHz
      > 1 of 8 SPEs reserved for redundancy
      > 6 SPE used for game applications
    * 7 x 128b 128 SIMD GPRs
    * 7 x 256KB SRAM for SPE
    * Element Interconnect Bus (EIB)
    * Direct Memory Access Controller (DMAC).
    * 2 Rambus XDR memory controllers
    * Rambus FlexIO (Input / Output) interface
    * Test and Debug Logic
    * Total floating point performance: 218 GFLOPS
    * Capable of running at speeds beyond 4 GHz

   * Synergistic Processor Elements (SPEs)

An SPE is a self contained vector processor which acts as an independent processor.  They each contain 128 x 128 bit registers, there are also 4 (single precision) floating point units capable of 32 GigaFLOPS* and 4 Integer units capable of 32 GOPS (Billions of integer Operations per Second) at 4GHz.  The SPEs also include a small 256 Kilobyte local store instead of a cache.  According to IBM a single SPE (which is just 15 square millimetres and consumes less than 5 Watts at 4GHz) can perform as well as a top end (single core) desktop CPU given the right task.

*This is counting Multiply-Adds which count as 2 instructions, hence 4GHz x 4 x 2 = 32 GFLOPS. 32 X 8 SPEs = 256 GFLOPS

Like the PPE the SPEs are in-order processors and have no Out-Of-Order capabilities.  This means that as with the PPE the compiler is very important.  The SPEs do however have 128 registers and this gives plenty of room for the compiler to unroll loops and use other techniques which largely negate the need for OOO hardware.


 

#25  2008-07-13 18:54:55

0m1kr0n
PS3 Hacks Guru
Registered: 2008-03-05
Posts: 76

Re: [ THEORY ] Hacking PS3's firmware's L33T Encryption

@Powerslave: Each SPE having 256KB is another detail they left out, well, in the context of each SPE anyway. The more details, the more it makes sense.

It'd really be cool if someone took a picture of a die extracted from a PS3 under a microscope or whatever. I've got the CECHH01 65nm board, and after looking at every component, both digital and analog, I'm convinced all the security is in the CBE, implemented by semi-encrypted code in the FLASH.

In what little detail I did get, I got the impression they really wanted people to know nothing vital went over the external BUS. It was like the die key was the public key in a PKP scheme, and it extracted the FLASH-stored code key from the encrypted ELF portion after it took its part of the crypto off at load time.

Last edited by 0m1kr0n (2008-07-13 18:59:28)

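The chain of trust sketched in 0m1kr0n's posts above (a public key fixed in the CBE die, a FLASH boot loader checked against it, later code checked by that loader) modelled as an added example for this page; it is not code from the thread or from Sony or IBM. Textbook RSA with two small fixed primes and a truncated digest is used so it runs on the standard library alone; the prime values, the image layout, and the stage names are constructed for the demo. Real systems use full-size keys with proper signature padding, and nothing here says how the real console lays out its images.

```python
"""Chain of trust rooted in an immutable die key (constructed example)."""
import hashlib

# Toy RSA key. The private exponent exists only so this demo can produce a
# valid signature; on the real console the vendor keeps it, and the die
# holds only (N, E), which is all that verification needs.
P, Q = 1000000007, 998244353          # assumed toy primes, far too small for real use
N = P * Q
E = 65537
_D = pow(E, -1, (P - 1) * (Q - 1))

DIGEST_BYTES = 7   # truncated so the integer form stays below N (toy only)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:DIGEST_BYTES], "big")


def vendor_sign(image):
    """Vendor side: produce the signature shipped alongside a boot loader image."""
    return pow(_digest_int(image), _D, N)


def die_verify(image, signature):
    """What the CPU does with its fused-in (N, E): it checks, it never signs."""
    return pow(signature, E, N) == _digest_int(image)


def build_bootloader(next_stage):
    """Boot loader image = its code plus the hash of the stage it will load."""
    return b"BOOTLOADER-CODE|" + hashlib.sha256(next_stage).hexdigest().encode()


def bootloader_verifies_next(bootloader, next_stage):
    """Second link of the chain: the (already verified) loader checks the kernel hash."""
    expected = bootloader.split(b"|", 1)[1]
    return hashlib.sha256(next_stage).hexdigest().encode() == expected


def secure_boot(bootloader, signature, kernel):
    """Return where boot stops: 'ok', 'bootloader' (die check failed) or 'kernel'."""
    if not die_verify(bootloader, signature):
        return "bootloader"
    if not bootloader_verifies_next(bootloader, kernel):
        return "kernel"
    return "ok"


def flip_bit(blob, index):
    """Simulate a one-bit patch to an image (constructed tamper)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


# Constructed images standing in for the real FLASH contents.
KERNEL = b"GAMEOS-KERNEL-1.90"
BOOTLOADER = build_bootloader(KERNEL)
SIGNATURE = vendor_sign(BOOTLOADER)

if __name__ == "__main__":
    tampered = flip_bit(KERNEL, 0)
    print(secure_boot(BOOTLOADER, SIGNATURE, KERNEL))                     # ok
    print(secure_boot(flip_bit(BOOTLOADER, 0), SIGNATURE, KERNEL))        # bootloader
    print(secure_boot(BOOTLOADER, SIGNATURE, tampered))                   # kernel
    print(secure_boot(build_bootloader(tampered), SIGNATURE, tampered))   # bootloader
```

The last call is the point of the model: an attacker who patches the kernel and then repoints the boot loader's hash at the patched kernel still fails at the first link, because without the private exponent no new signature can be made, and the public half fused into the die only verifies. Extracting that public key (by decapping or otherwise) tells you nothing you need to sign with; it is the same key that is already being applied to everything you load.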

Powered by PunBB
© Copyright 2002–2008 PunBB