JuanNadie left but had us a gift - 改機
By James
at 2012-10-27T11:40
at 2012-10-27T11:40
Table of Contents
http://www.ps3hax.net/showthread.php?p=459578
如何讀出 bootloader ,會想到這種方法真的蠻聰明的
DUMPING THE BOOTLDR
As you know the bootldr is one of the two loaders that are signed per console
and it was the only part of the system that haven't been hacked.
Once you load it the same way as metldr (via SigNotify) it would start
requesting different addresses that we don't control. You can take a look on
my user page to the dma sequence that it produces.
As you see it access a lot of different addresses and we don't have control
of any of them so the first objective was to control the input/output.
The sandbox:
The objective was to redirect the flows of data to our controlled buffers so
we know what is written or read. To achieve that a driver was created.
This driver performs two functions:
- the first is creating lv1 peek/poke using the patched lv114 that comes with
OtherOs++ and other CFW.
- the second is reserve a block of consecutive memory that would be used as
an HTAB.
The SPU is told to use our HTAB which in turns redirects to our user buffers.
To get the physical address... the user pages are locked on memory and then
using an old trick found by geohot their real address is retrieved.
At this point we have control of what the SPU reads BUT if consecutive small
accesses are done we have no control if we want to change something in
between.
The first exploit:
I'm calling this an exploit but actually is a bad implementation of a feature
cause it should be disabled on isolation. The feature is called the
MFCLSACMP. Basically is a register on the spu that is checked before doing a
dma op.
If the source/target address on the SPU is inside the mask defined by this
register then dma is stopped and an interruption is reported. Until this
interrupt is cleared the dma is not started.
SONY 在實做 SPU 指令集時候沒有把一個叫 MFCLSACMP 的指令關掉,原則上 SPU 是
用不到這個功能的。這個功能啟動時, SPU 在進行 DMA 存取動作之前,都會先進行
查核,待查核通過後,才會繼續執行,否則暫停。
所以這個指令變成可以利用的中斷旗標,只要我們用硬體方式把這個暫存器的值設成
1,就可以輕而易舉的讓 SPU 暫停,然後趁這個時候去修改記憶體裡面的資料。為何
要改資料,因為這樣才能實做接下來要處發的那個漏洞。
Great, so we control what it reads and when it is read... the first objective
was achieved total control of the I/O. That is what you can see on my user
page on wiki.
However this all so allowed me to find the biggest problem on using the
booldr as an oracle.... the config ring.
The config ring is a series of bits that syscon sends to the cell before
during the power up.... On this cell implementation the config ring is
accessible from inside the spu as a read once channel.
So unless I could find a way to refill the channel the bootldr couldn't be
used as oracle. Even worse at this point I didn't know how the config ring
was read (although an undocumented channel was on top of the list).
I spent a couple weeks trying to figure the problem. Finally I posted the log
on the wiki looking for help. Obviously some approach. We exchanged info. I
gave then the tools and they gave me means of validating my hypothesis (those
on the log)
We worked a lot of time on this. Remember that I was trying to get an oracle
not an exploit so filling the config was a must... several thing were tried
but none worked.
After a month or so I started checking other projects while thinking of what
to do. Then after several months I decided to try to exploit it instead of
using it.... given the log the entry point was clear...
The bootldr exploit:
bootldr 漏洞說明:
If you see the log you'll see a lot of data exchanging between the spu and
the syscon. graf had described it on his bible so it was known... but the log
also said that the data was read twice once to read the header and once to
read header + data.
妳去讀紀錄檔的話,可以看到 syscon 跟 spu 之間是頻繁地在交換資料,注意到
資料的部份是要讀兩次才會讀入,第一次先讀標頭,第二次才讀標頭跟資料本身
On the header was a variable length. So I decided to change the len between
both reads.... didn't work until i corrected also the chksum... and then
BINGO! unexpected behavior... a possible exploit was found.
這個標頭裡面有一個地方記載資料的長度,所以我在兩次讀取之間改變了這個值,
經過嘗試後失敗了。最後我把檢核碼改正之後,才成功讓兩次的標頭都正確讀入。
譯註:簡單說,第一次讀標頭之後決定要在記憶體中開多少空間來存放接下來要讀
的資料,然後第二次就把剛剛記下來的長度一口氣讀進去,當然會用檢核碼驗證資
料的正確性。但是呢,我們可以把一筆很短資料,比如說才 256 bytes 長的資料的
標頭裡面紀錄長度的地方填入一個很大的值,例如 FFFF ,於是主機就會去記憶體
裡面開 65536 bytes 的空間,但第二次讀取前,又把長度改回原來大小,但主機沒
有再去確認(根本想不到會有人這樣搞)資料長度,所以就一口氣讀了 65536 bytes
的資料進去,形成違規存取。
這個違規存取有什麼好處呢,也許我們原來 256 bytes 這筆短資料後面跟著存放
的是 bootloader ,長度才 16384 bytes ,我們就有很高的機會把原本讀不到的
bootloader 讀到我們可以控制的記憶體區塊中( PS3 主機裡面核心專用的記憶體
和使用者可用的記憶體雖然有劃分開來,但在位址上是連續的),然後 dump 出來
。
The advantage of this exploit is that it gave us a lot of points to test. The
info was shared and two of us friendly raced one against the other to find
the correct possibility.
I won the race of finding the execution point although I lost the one for
dumping. The winner was command 0x20 which is an info message... casually the
config error message... so their own protection had given us the bootldr.
That's the story of the exploit... it was then decided that I got the
ultimate decision of releasing the exploit and any of us could leak the
keys... however they asked me too hold it until SONY has reacted to the dex
conversion and I told them that I would not release them until I got the
appldr keys by myself.
I suppose they passed the keys to others and them at some point the keys
probably arrived to EXETrimAll and N0DRM (I don't think they exploited
trublue...). Meanwhile i was in the middle of my holidays and when I come
back they were releasing non-stop so I didn't see that it was necessary to
leak them.
Unfortunately they also leaked to a scoundrel that sell the key to discblu.
That forced some one that have the key to make it public.
You said that I'm angry cause someone leak the key... nope. I was angry with
discblu... and with some hacker that reappeared just to say that he already
knew how to do it. As you can see the method is completely software and does
not use the signature bug (except for installing the cfw... but then all the
apps need to credit them). If you persist I'll tell you that this can also be
done on a 3.15 with geohot pulse exploit.
The code:
http://www.sendspace.com/file/wvknol
I have attached the code of a working version for latest exploitable slim. I
know that also works on other version but I don't know which ones. It is only
valid for NOR consoles cause it expects a full NOR flash as one of the
parameters.
It has two programs. One is a kernel module so it must be load with insmod.
The second its a user program that takes as parameter the speID (i recommend
using 0 that is normally enabled), the flash file and the output file.
The dump is shifted by as a side effect of the bug. For me it was 0x800
bytes... but others got different result. The start function must be at 0x400
once shift is corrected
BTW the code is ugly and there is a lot of data that is not used so if
someone has questions please ask me (on this or other ps3 related things)...
I'll be available until sunday... then I'll definitely leave.
Now I'll explain my idea for the hardware solution.
Improving the exploit
如何改進這個漏洞(讓漏洞更穩定或是觸發方式更簡便)
THE FOLLOWING IS ALL THEORETICAL AND IT WILL PROBABLY NOT WORK (I'M NOT A
HARDWARE EXPERT AND THAT'S THE MOST DIFFICULT PART)
In this case the objective is not dumping the bootldr but get code execution.
Using an small payload a program will be copied to spu. That program will
just copy a patched unencrypted lv0 to the memory and tell the PPU that code
was loaded successfully.
反正我們只是想要執行自己的程式而已,要不要把 bootldr 讀出來反而是其次。把
一小段程式丟進去 spu ,這段程式的作用只是把解密而且修改後的 lv0 丟到主記
憶體然後告知 ppu 說,正確載入 lv0
By achieving that we would have full control of the system. Our patched lv0,
will load an original lv1ldr (required to get the ATA keys) which will load
an original lv1 but before giving control to level1 our level0 will patch it
so we still have control. Same with lv2 and vsh.
所以 ppu 就會載入我們自己的 lv0 ,自然取得整台主機的權限。我們修改過後的 lv0
會載入原本的 lv1ldr ,但是再把控制權交給 lv1 前,我們又會修改 lv1 ,因此主機
控制權換到 lv1 時候我們還是有完整的存取權限。同樣的方法我們可以用來載入自己
的 lv2 跟 vsh 。
As I said basically the bug consist of changing the response len between the
first read and the second. That is easily done if you control the buffer
where the data is located (exploitable consoles). But we want to do this
before anything is loaded
So we need to change the comm between syscon and cell before any software
outside the cell is loaded... the only option is a hardware interceptor. This
hardware will intercept the communications and change it so the exploit is
triggered (This is called a man in the middle attack). The payload will be
sent as part of the 0x20 command reply... if the bug is trigger properly we
know that our payload will start around 0x3E010.
In addition to this I recommend adding a second flash chip that will contain
the patched firmware. That will allow the user to go from patched to official
with a switch
As you see the device I propose is not a drm device... it actually triggers
an exploit similar to the ODE device that whats announced (BTW that is
perfectly done with the info that glevand posted).
The questions is: Is all of this possible?... well from the software part I'm
pretty sure but I don't know if the hardware can be build or if the cost will
be too much.
In any case if it is possible, there is enough info on this post to make it...
Unfortunately there is also a enough info to patch the bug (if they didn't
already). However it would only be patchable on factory...
當然,要修復這些漏洞不是不可能的,只是只能在生產階段做,賣出去後就沒辦法了
--
○ ____ _ _ _ _ ____ _ _ ____ _____ ____
。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \
o _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧
(____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★
o
--
如何讀出 bootloader ,會想到這種方法真的蠻聰明的
DUMPING THE BOOTLDR
As you know the bootldr is one of the two loaders that are signed per console
and it was the only part of the system that haven't been hacked.
Once you load it the same way as metldr (via SigNotify) it would start
requesting different addresses that we don't control. You can take a look on
my user page to the dma sequence that it produces.
As you see it access a lot of different addresses and we don't have control
of any of them so the first objective was to control the input/output.
The sandbox:
The objective was to redirect the flows of data to our controlled buffers so
we know what is written or read. To achieve that a driver was created.
This driver performs two functions:
- the first is creating lv1 peek/poke using the patched lv114 that comes with
OtherOs++ and other CFW.
- the second is reserve a block of consecutive memory that would be used as
an HTAB.
The SPU is told to use our HTAB which in turns redirects to our user buffers.
To get the physical address... the user pages are locked on memory and then
using an old trick found by geohot their real address is retrieved.
At this point we have control of what the SPU reads BUT if consecutive small
accesses are done we have no control if we want to change something in
between.
The first exploit:
I'm calling this an exploit but actually is a bad implementation of a feature
cause it should be disabled on isolation. The feature is called the
MFCLSACMP. Basically is a register on the spu that is checked before doing a
dma op.
If the source/target address on the SPU is inside the mask defined by this
register then dma is stopped and an interruption is reported. Until this
interrupt is cleared the dma is not started.
SONY 在實做 SPU 指令集時候沒有把一個叫 MFCLSACMP 的指令關掉,原則上 SPU 是
用不到這個功能的。這個功能啟動時, SPU 在進行 DMA 存取動作之前,都會先進行
查核,待查核通過後,才會繼續執行,否則暫停。
所以這個指令變成可以利用的中斷旗標,只要我們用硬體方式把這個暫存器的值設成
1,就可以輕而易舉的讓 SPU 暫停,然後趁這個時候去修改記憶體裡面的資料。為何
要改資料,因為這樣才能實做接下來要處發的那個漏洞。
Great, so we control what it reads and when it is read... the first objective
was achieved total control of the I/O. That is what you can see on my user
page on wiki.
However this all so allowed me to find the biggest problem on using the
booldr as an oracle.... the config ring.
The config ring is a series of bits that syscon sends to the cell before
during the power up.... On this cell implementation the config ring is
accessible from inside the spu as a read once channel.
So unless I could find a way to refill the channel the bootldr couldn't be
used as oracle. Even worse at this point I didn't know how the config ring
was read (although an undocumented channel was on top of the list).
I spent a couple weeks trying to figure the problem. Finally I posted the log
on the wiki looking for help. Obviously some approach. We exchanged info. I
gave then the tools and they gave me means of validating my hypothesis (those
on the log)
We worked a lot of time on this. Remember that I was trying to get an oracle
not an exploit so filling the config was a must... several thing were tried
but none worked.
After a month or so I started checking other projects while thinking of what
to do. Then after several months I decided to try to exploit it instead of
using it.... given the log the entry point was clear...
The bootldr exploit:
bootldr 漏洞說明:
If you see the log you'll see a lot of data exchanging between the spu and
the syscon. graf had described it on his bible so it was known... but the log
also said that the data was read twice once to read the header and once to
read header + data.
妳去讀紀錄檔的話,可以看到 syscon 跟 spu 之間是頻繁地在交換資料,注意到
資料的部份是要讀兩次才會讀入,第一次先讀標頭,第二次才讀標頭跟資料本身
On the header was a variable length. So I decided to change the len between
both reads.... didn't work until i corrected also the chksum... and then
BINGO! unexpected behavior... a possible exploit was found.
這個標頭裡面有一個地方記載資料的長度,所以我在兩次讀取之間改變了這個值,
經過嘗試後失敗了。最後我把檢核碼改正之後,才成功讓兩次的標頭都正確讀入。
譯註:簡單說,第一次讀標頭之後決定要在記憶體中開多少空間來存放接下來要讀
的資料,然後第二次就把剛剛記下來的長度一口氣讀進去,當然會用檢核碼驗證資
料的正確性。但是呢,我們可以把一筆很短資料,比如說才 256 bytes 長的資料的
標頭裡面紀錄長度的地方填入一個很大的值,例如 FFFF ,於是主機就會去記憶體
裡面開 65536 bytes 的空間,但第二次讀取前,又把長度改回原來大小,但主機沒
有再去確認(根本想不到會有人這樣搞)資料長度,所以就一口氣讀了 65536 bytes
的資料進去,形成違規存取。
這個違規存取有什麼好處呢,也許我們原來 256 bytes 這筆短資料後面跟著存放
的是 bootloader ,長度才 16384 bytes ,我們就有很高的機會把原本讀不到的
bootloader 讀到我們可以控制的記憶體區塊中( PS3 主機裡面核心專用的記憶體
和使用者可用的記憶體雖然有劃分開來,但在位址上是連續的),然後 dump 出來
。
The advantage of this exploit is that it gave us a lot of points to test. The
info was shared and two of us friendly raced one against the other to find
the correct possibility.
I won the race of finding the execution point although I lost the one for
dumping. The winner was command 0x20 which is an info message... casually the
config error message... so their own protection had given us the bootldr.
That's the story of the exploit... it was then decided that I got the
ultimate decision of releasing the exploit and any of us could leak the
keys... however they asked me too hold it until SONY has reacted to the dex
conversion and I told them that I would not release them until I got the
appldr keys by myself.
I suppose they passed the keys to others and them at some point the keys
probably arrived to EXETrimAll and N0DRM (I don't think they exploited
trublue...). Meanwhile i was in the middle of my holidays and when I come
back they were releasing non-stop so I didn't see that it was necessary to
leak them.
Unfortunately they also leaked to a scoundrel that sell the key to discblu.
That forced some one that have the key to make it public.
You said that I'm angry cause someone leak the key... nope. I was angry with
discblu... and with some hacker that reappeared just to say that he already
knew how to do it. As you can see the method is completely software and does
not use the signature bug (except for installing the cfw... but then all the
apps need to credit them). If you persist I'll tell you that this can also be
done on a 3.15 with geohot pulse exploit.
The code:
http://www.sendspace.com/file/wvknol
I have attached the code of a working version for latest exploitable slim. I
know that also works on other version but I don't know which ones. It is only
valid for NOR consoles cause it expects a full NOR flash as one of the
parameters.
It has two programs. One is a kernel module so it must be load with insmod.
The second its a user program that takes as parameter the speID (i recommend
using 0 that is normally enabled), the flash file and the output file.
The dump is shifted by as a side effect of the bug. For me it was 0x800
bytes... but others got different result. The start function must be at 0x400
once shift is corrected
BTW the code is ugly and there is a lot of data that is not used so if
someone has questions please ask me (on this or other ps3 related things)...
I'll be available until sunday... then I'll definitely leave.
Now I'll explain my idea for the hardware solution.
Improving the exploit
如何改進這個漏洞(讓漏洞更穩定或是觸發方式更簡便)
THE FOLLOWING IS ALL THEORETICAL AND IT WILL PROBABLY NOT WORK (I'M NOT A
HARDWARE EXPERT AND THAT'S THE MOST DIFFICULT PART)
In this case the objective is not dumping the bootldr but get code execution.
Using an small payload a program will be copied to spu. That program will
just copy a patched unencrypted lv0 to the memory and tell the PPU that code
was loaded successfully.
反正我們只是想要執行自己的程式而已,要不要把 bootldr 讀出來反而是其次。把
一小段程式丟進去 spu ,這段程式的作用只是把解密而且修改後的 lv0 丟到主記
憶體然後告知 ppu 說,正確載入 lv0
By achieving that we would have full control of the system. Our patched lv0,
will load an original lv1ldr (required to get the ATA keys) which will load
an original lv1 but before giving control to level1 our level0 will patch it
so we still have control. Same with lv2 and vsh.
所以 ppu 就會載入我們自己的 lv0 ,自然取得整台主機的權限。我們修改過後的 lv0
會載入原本的 lv1ldr ,但是再把控制權交給 lv1 前,我們又會修改 lv1 ,因此主機
控制權換到 lv1 時候我們還是有完整的存取權限。同樣的方法我們可以用來載入自己
的 lv2 跟 vsh 。
As I said basically the bug consist of changing the response len between the
first read and the second. That is easily done if you control the buffer
where the data is located (exploitable consoles). But we want to do this
before anything is loaded
So we need to change the comm between syscon and cell before any software
outside the cell is loaded... the only option is a hardware interceptor. This
hardware will intercept the communications and change it so the exploit is
triggered (This is called a man in the middle attack). The payload will be
sent as part of the 0x20 command reply... if the bug is trigger properly we
know that our payload will start around 0x3E010.
In addition to this I recommend adding a second flash chip that will contain
the patched firmware. That will allow the user to go from patched to official
with a switch
As you see the device I propose is not a drm device... it actually triggers
an exploit similar to the ODE device that whats announced (BTW that is
perfectly done with the info that glevand posted).
The questions is: Is all of this possible?... well from the software part I'm
pretty sure but I don't know if the hardware can be build or if the cost will
be too much.
In any case if it is possible, there is enough info on this post to make it...
Unfortunately there is also a enough info to patch the bug (if they didn't
already). However it would only be patchable on factory...
當然,要修復這些漏洞不是不可能的,只是只能在生產階段做,賣出去後就沒辦法了
--
○ ____ _ _ _ _ ____ _ _ ____ _____ ____
。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \
o _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧
(____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★
o
--
Tags:
改機
All Comments
By Isla
at 2012-10-27T20:38
at 2012-10-27T20:38
By Yedda
at 2012-11-01T07:38
at 2012-11-01T07:38
By Margaret
at 2012-11-01T12:21
at 2012-11-01T12:21
By Margaret
at 2012-11-05T10:10
at 2012-11-05T10:10
By Agatha
at 2012-11-09T11:55
at 2012-11-09T11:55
By Hamiltion
at 2012-11-13T18:56
at 2012-11-13T18:56
Related Posts
KaKaRoTo says something
By Kumar
at 2012-10-24T02:51
at 2012-10-24T02:51
Rogero 4.21 CFW
By Ivy
at 2012-10-23T21:09
at 2012-10-23T21:09
Lv0 Key leaked..
By Yuri
at 2012-10-23T09:21
at 2012-10-23T09:21
中壢哪裡買PS3+改機
By Catherine
at 2012-10-20T21:03
at 2012-10-20T21:03
要注意改機的店家
By Isla
at 2012-10-20T13:47
at 2012-10-20T13:47