jailbreak – Ramblings of DarkMirage
http://2pwn.tk/websites/www.darkmirage.com
Anime, Games, J-Pop and Whatever Else

PS3 Completely Cracked
http://2pwn.tk/websites/www.darkmirage.com/2011/01/06/ps3-completely-cracked/
Thu, 06 Jan 2011 05:12:36 +0000

Photo: PS3 cracked wide open

Lots of exciting things happened in the PS3 scene the past few days. The aftermath is that the entire PS3 encryption scheme has been irrevocably cracked and broken, with no possibility of a firmware fix, due to a rookie cryptography mistake made by Sony who is now crying in a corner.

Let’s take a look at the timeline of events.

The Story

First, a little background.

Sony excluded Other OS (Linux) support from its new PS3 Slim models for unknown reasons. This annoyed some people but did not cause too much of a stir, because hackers who wanted Linux still had their old PS3s.

In his attempt to restore Other OS functionality to the PS3 Slim, George Hotz, a famed iPhone hacker who has a slight ego issue, discovered an exploit in the PS3’s Other OS system that could enable piracy. Sony made some legal noise and took the drastic measure of removing Linux support from all PS3 consoles through the 3.21 firmware update. This is illegal in Europe and probably other countries with decent consumer protection laws, but no substantial legal challenges have succeeded thus far. This move also pissed off a lot of hackers who had previously ignored the PS3 because of its existing Linux support. George Hotz disappeared like a little girl without releasing his claimed exploit because he was afraid of lawsuits.

Months later, when the uproar had died down, the PS3 was suddenly cracked using a USB exploit by a (presumed-to-be) Chinese hacker group who released the hack commercially as the PSJailbreak. Out of the blue, PS3 homebrew and piracy communities sprang to life. The technique was refined and made open source by various individual and community efforts such as PSGroove and PSFreedom, and ported to numerous devices.

However, Sony released the 3.50 and 3.55 firmware to block the exploit. The community remained on 3.41 and no real breakthrough was made after that, with the small exception of a “downgrader” released by the same mysterious PSJailbreak team, which was subsequently cloned by other jailbreak manufacturers and open sourced. While the downgrader allows 3.50 and 3.55 firmwares to revert to 3.41 using USB protocols copied from Sony’s official maintenance tools, it does nothing to allow 3.41 firmwares to run new games such as Gran Turismo 5, which are signed with a new key present only in 3.50 and newer firmwares.

The Breakthrough

On 29th Dec 2010, a collaboration of hackers called fail0verflow unveiled a groundbreaking discovery at the 27th Chaos Communication Congress (27C3) hacking conference held in Berlin. By examining files and runtime behaviour on the PS3 through the access made possible by the PSJailbreak exploit, the team discovered that Sony had made numerous mistakes in the design of the PS3’s much-hyped security architecture. You can watch their presentation on YouTube and download their slides here.

Towards the end of their presentation, they revealed the most fatal flaw in the system: Sony had failed to correctly implement the cryptographic scheme they used to sign their ELF executables (the PS3’s equivalent of an EXE). The signature scheme requires a new random number to be generated each time a signature is created, but Sony’s implementation uses the same “random” number every time. This turned it into a constant instead of an unknown variable, reducing the number of unknowns from two (the private key and the random number) to one and making it mathematically possible to derive the private key via simple algebra, which is what fail0verflow did. They published their method but not the actual keys they obtained through it.

The Keys

Almost immediately after fail0verflow’s disclosure, George Hotz made a sudden grand entrance back into the scene and released the PS3’s metldr keys, which he obtained by using an undisclosed exploit to dump the “metldr” (something fail0verflow had not achieved) and then applying fail0verflow’s method to recover the private key. I am not completely clear on this part, but I gather that the metldr is some kind of bootloader the PS3 uses to call up the higher-level functions like the Game OS.

The metldr key is a very low-level key embedded in the PS3 hardware that can then be used to decrypt the higher-level keys found in the Game OS firmware, which are used to sign actual games. Immediately following this announcement, community members of the PS3 scene used the metldr key to decrypt and post every single key used in every PS3 firmware version.

The Aftermath

With these keys, it is now possible for anyone to sign any PS3 ELF executable as if he were Sony and there is no reason for any PS3, modded or otherwise, to reject the signed files.

The immediate effect is of course homebrew. Anyone can now create applications for the PS3 and run them without using PSJailbreak.

The next obvious outcome is of course piracy. Since all PS3 games can now be decrypted, it is trivial to decrypt new games such as Gran Turismo 5 using the 3.55 key and re-encrypt them with the 3.41 key so that they can be played on an exploited PS3 running older firmware. Indeed, a fixed EBOOT.BIN for the frequently-requested Gran Turismo 5 was one of the first scene releases following the breakthrough.

Going forward, it is likely that the current piracy methods will be greatly streamlined and such manual patching processes will no longer be necessary. This is because the keys allow hackers to decrypt all official Sony firmware updates and use them as the basis for creating custom firmwares similar to those prevalent in the PSP piracy scene. Since these custom updates will be signed with Sony’s official keys, even non-modded PS3s will accept them without complaints. The first custom firmware for the PS3 came out just days later and allows users to install homebrew without using the PSJailbreak exploit.

In the next few months, there will likely be non-stop releases and refinements of PS3 custom firmwares, amazing homebrews (an XBMC port maybe?) and streamlined piracy tools.

An amusing side effect of all this is that the PSP’s private keys are also completely exposed, and they have been used to implement the HEN exploit on the newest 3000-series and PSP Go hardware running 6.31/6.35 firmware. The keys were presumably being used by the PS3 to play PSP Minis games. Apparently, Sony was very confident of the PS3’s protection scheme.

The Conclusion

For Sony, there is no way to put the genie back into the bottle. The metldr key cannot be revoked through a firmware update, and changing it will require new hardware. But a new hardware revision is utterly meaningless, since current PS3 consoles (with their metldr key exposed) must presumably be able to run all future PS3 games and firmwares. As a result, future game- and OS-level keys will forever remain vulnerable to reverse engineering, unless Sony takes the extremely drastic action of breaking game compatibility with current PS3s.

The conventional wisdom has always been that console hacking is motivated mainly by piracy. This idea is being challenged by the case study of the PS3, a console which remained secure for years despite what we now know is an utterly broken security architecture. The piracy motivation has always been there, but the pirates apparently did not possess the technical expertise needed to make the breakthrough.

The explanation proposed by fail0verflow, which they say applies to themselves, is that highly motivated and technically competent hackers were initially not interested in cracking the PS3 protection scheme because it ran Linux out of the box. Efforts to crack it by capable individuals only began after Sony excluded Other OS from the PS3 Slim and subsequently removed it from all existing PS3s through a firmware update.

Looking at the flurry of activity in recent months, less than a year after Other OS was removed, there appears to be some truth in that explanation.

Sony has completely lost the battle. The war will continue with the PS4.


The State of PS3 Jailbreak
http://2pwn.tk/websites/www.darkmirage.com/2010/09/26/the-state-of-ps3-jailbreak/
Sun, 26 Sep 2010 07:54:25 +0000

It’s been just over a month since the sudden debut of the world’s first PS3 mod device. The original release was purely commercial and overpriced (around 150 USD for what is essentially a simple USB development board in a casing), and as a result it was quickly made obsolete by cheaper (and free) alternatives. Still, its spirit lives on in the countless clones that have since flooded the market, and we owe the original creators for the breakthrough. If only they weren’t such greedy bastards.

Since the breakthrough, a PS3 homebrew community has blossomed overnight and, though it still has a long way to go, significant progress has been made. It’s really like the early days of PSP’s 1.5 firmware. Here’s a quick summary of the current state of PS3 homebrew.

Jailbreak Method

The method of jailbreaking itself has not fundamentally changed since the original PS Jailbreak was unveiled a month ago. The essential steps are:

  1. Have a PS3 (slim or original) with firmware 3.41.
  2. Switch off and on the PS3’s main power.
  3. Plug in the jailbreak USB device (this comes in many possible forms).
  4. Press the PS3’s power button followed immediately by the eject button.
  5. Jailbreak device does its magic.
  6. PS3 starts up in debug mode, allowing you to install and run all unsigned code.

The general idea is that Sony uses a proprietary dongle to repair and reflash bricked PS3s at their service centres, much like the Pandora battery for PSPs. The PS3 looks for such a dongle when the eject button is pressed immediately after powering on. The role of the jailbreak device is to emulate a USB hub with a USB device plugged into it that shares the same device ID as Sony’s service dongle. It doesn’t actually work as a service dongle, but it uses this access to execute some exploits that put the PS3 into debug mode. The exact payload used is described here for those who can understand it.

The jailbreak device itself has grown to include a whole variety of reprogrammable USB devices thanks to the PSGroove and PSFreedom projects. The list of compatible devices includes:

This is of course not an exhaustive list. In addition to homemade solutions, there are various dedicated jailbreak devices, some of which are reprogrammable with a PC, such as PS3 Key and X3 Jailbreak.

Running the Jailbreak (TI-84 Plus)

I am using a TI-84 Plus because it’s the only compatible device I have on hand. I’ll probably be getting a dedicated dongle (PS3 Key in my case) soon because it’s somewhat troublesome to run the corresponding programme on the calculator each time I start up my PS3, plus the calculator requires four AAA batteries… Here’s what the process looks like:

Photo: Run the installed programme on the TI-84+

Photo: Ready to switch on the PS3

Photo: Eject button pressed

Photo: Debug mode enabled, allowing you to install arbitrary .pkg files

Photo: An FTP server for managing files on the PS3’s internal HDD, an example of a homebrew currently available

Backup Manager

Let’s face it: most people who jailbreak their PS3 are going to play pirated (“backup”) games. The Backup Manager is the tool that lets you do that. Indeed, it was the very first homebrew released for the PS3 and it was made by the original creators of the PS Jailbreak.

Photo: Backup Manager, used to rip and load games off internal or external HDDs

That said, there are some very compelling legitimate reasons to use the Backup Manager over Blu-ray. Loading games off the HDD is many times faster than loading games off Blu-ray. The reduced load-time is especially noticeable in games like Bayonetta which suffer from extremely long loading screens. Loading a stage in Bayonetta from the internal HDD takes less than 10 seconds. Using the Backup Manager also reduces wear and tear of the Blu-ray drive. Given that DVD drive failure was the number one cause of PS2 mortality, this is an attractive advantage.

The Manager works by copying the entire folder structure of the game Blu-ray disc wholesale onto either the internal HDD or an external USB HDD. This means that it does not produce an ISO image, but rather a folder of files and subfolders. There is currently no way to run a game off a Blu-ray ISO image, which is encrypted.

Photo: Backup Manager menu. Note the lack of Unicode support, resulting in Tales of Vesperia having a blank title (it still works otherwise)

Photo: Upon loading a game, the Manager exits to the main menu. The current game disc is replaced by the loaded backup, much like in very early UMD loaders for the PSP

The PS3 does not support NTFS for external media and only accepts FAT. Since FAT only supports files up to 4GB in size, this may be problematic. However, since the Manager rips games into folders instead of a single ISO image, this is only a problem if the size of a single file in a game exceeds 4GB (usually a movie file) and it is not as common as you may imagine.

The PS3’s proprietary internal file system supports files of any size (at least for current-day purposes) and therefore has better compatibility with games. This serves as an incentive to upgrade your internal 2.5″ HDD. Furthermore, loading games off the internal HDD is significantly faster than loading games through the USB interface. The internal HDD also has better game compatibility, no doubt as a result of the difference in load time. A comprehensive list of compatible games can be found on Google Docs.

The first release of the Backup Manager requires any legitimate Blu-ray disc to be in the drive in order for backups to work, much like the first-generation PSP UMD loaders. A new release removes this requirement but appears to have poorer game compatibility.

Homebrew

Currently, the PS3 homebrew scene is still in its infancy. There are no comprehensive development environments or programming guides available and development is largely carried out by dedicated long-time veterans in the console homebrew community. The use of Sony’s official development kit to compile homebrew programmes also brings legality into question.

But still, impressive progress has been made in the span of one month. There are various proofs of concept such as Pong, a port of the SNES9X SNES emulator, a port of the NullDC Dreamcast emulator, a port of the Yabause Saturn emulator, a file manager, an FTP server, and various tools for PS3 development such as a registry editor.

The FTP server in particular is a godsend because it allows direct access to the PS3’s internal HDD.

Photo: blackb0x’s FTP Server running

Photo: The PS3’s root folder accessed using FileZilla

Photo: Folders containing ripped games

I suspect the next homebrew breakthrough will be a full Linux distro. Sony previously removed the PS3’s OtherOS Linux support in firmware 3.21 due to concerns over Linux being used as a potential vector for exploiting the PS3’s anti-piracy protection. This pissed off a lot of people who actually used the OtherOS for things like distributed computing. I am sure a successful Linux port would be too delicious an “up yours” for the dedicated hackers out there to ignore.

The Future of PS3 Jailbreak

Current jailbreak solutions offer no fundamental improvement over the original PS Jailbreak. The exploit used only works in PS3 firmware version 3.41 and older and no new exploit has yet been uncovered for firmwares 3.42 (which was released with the sole purpose of blocking the exploit) and 3.50 (which went one step further by blocking all unauthorized USB devices, including unlicensed third-party controllers).

Much like the early PSP homebrew scene’s reliance on PSP firmware 1.5, current PS3 homebrew development appears to be confined to 3.41. This problem was solved for the PSP with the discovery of new buffer overflow exploits in later firmware revisions and eventually by the Pandora battery hardware solution and the development of custom firmwares capable of spoofing official firmware versions. There is no guarantee that the same will happen with the PS3 due to the complexity of its hardware, but there is no indication that it is impossible either. We can only wait and see.

Photo: PS3 Key, one of the more reputable jailbreak solutions currently available

For now, using the Backup Manager and homebrew solutions requires that you do not update your firmware beyond 3.41. This means that you will not be able to log on to PSN, but your PS3 can remain connected to the Internet as long as you disable auto-updating. Games released after September will also start to require firmware 3.42 or newer, which will pose a problem if no solution is found in the long run.

The Xbox 360 and Wii were successfully modded a long time ago and both have now developed more sophisticated jailbreak solutions than the initial exploits. If the same applies for the PS3, future developments will likely see the release of firmware loaders that allow the user to switch between different firmware revisions or custom firmwares that are capable of fooling the PSN and version-checkers that come with games.

However, there is no guarantee for this due to the PS3’s notoriously complex Cell architecture and the fact that it took three years to even produce one viable exploit. On the bright side, should such a solution come to be, most current jailbreak devices are easily re-programmable using a PC and you won’t have to pay for new mods.

Conclusion

I’ve been following the development of the PS3 jailbreak since the first batch of working samples was quietly mailed out to modchip vendors by the secretive people behind PS Jailbreak and subsequently reverse engineered by the community. This article serves as a summary of all the important milestones that have transpired so far.

If you are looking for a more instructional article, please look through PS3 Hacks or PSFreedom.
