It turns out that predictions of the ability to hack the Sony PS3 gaming console without the use of a USB-dongle might not be completely accurate. The hacking will still utilize USB flash drives, however, a drive with a specialized controller chip won't be required, just a standard USB storage device.
Fail0verflow, a group who is referring to themselves as “a bunch of curious hackers”, put on a demonstration at the 27C3 (Chaos Communication Congress) Hacker Conference 2010 on Thursday, unveiling their discovery of Sony’s ECDSA code, the PS3 “official signature key”, and how it can be used to allow anyone to sign executable files and run them on any retail PS3 console, undetected.
The group is now expected to release a custom firmware, AsbestOS.PUP, to allow PS3 owners to replace the operating system on the fly and install their own “signed” homebrew applications.
Hacking blog Dukio has written up two likely scenarios of how this new hack will work.
Scenario 1
1. Install custom but correctly signed firmware. The PS3 will think that it’s valid firmware because the “SONY-FIRMWARE” header is correctly decrypted.
2. Install from the USB drive a signed program that allows you to load other signed applications from any source. Note that this signed program may be masked as another legitimate application thanks to private key reverse engineering.
3. Reinstall legitimate firmware on the PS3. It is now very hard to trace your Trojan application, and you can still sign onto PSN.
Scenario 2
1. Install firmware whose signature exactly matches that of the latest legitimate Sony firmware. This is now very easy to do thanks to private key exposure; hackers just have to download the latest legit firmware, extract the signature, and sign custom firmware with the same signature. The custom firmware specifies that applications can be loaded from USB drives.
2. There is no step 2.
For more information about Fail0verflow’s findings, check out the slides from their 27C3 presentation now available in PDF format.
