> news sites are overhyping the release/leak/whatever of the rom keyseeds, saying it could be used to fully unlock the ps5. i've already stated on twitter and i'll state it again. rom and seeds alone are NOT enough to pwn a ps5, you either need fuses and nandgroups to complement it
> ... or alternatively, you need to find bugs in the rom that you can use to exploit the ps5. neither of these are easy and require immense work. also, decapping a ps5 apu to retrieve the fuses optically will prove useless to the end user because those fuses are encrypted/xored/obfuscated
Nitpicking: the media isn’t completely wrong. It can be used it just needs sone extra conditions but if they are given the leaked keys definitely help.
> This isn’t the first time that Sony has had to deal with a security crisis with the popular PlayStation family. The PlayStation 3 was previously hit with a vulnerability when the company made a mistake with their cryptography on the console, allowing users to install homebrew software and allow piracy and cheating on popular titles.
Probably could have been avoided if Sony kept the Linux version of the Playstation still alive. Imagine what the (console) world would have looked like, if it was still alive. I never got the chance to even try it myself before it was gone, but I'm sure a lot of the homebrew community's energy could have been redirected towards it instead, hitting two flies with one swath.
If anyone is interested in the cryptography mistake that Sony made I recommend watching the Console Hacking talk at 27c3 by the fail0verflow team: https://youtu.be/DUGGJpn2_zY?t=2096
I had Yellowdog on mine from the day I bought it until the day Sony erased it. It was not useful. I don't regret doing it and I HATE that they took it away, and I'm a linux/bsd/various-unix daily driver home and work since forever, but this linux system on this hardware was just a curiosity to play with. Too slow and limited by the hardware to be useful.
> According to The Cybersec Guru, this is an unpatchable problem for Sony, because these keys cannot be changed and are burned directly in the APU.
I'm just speculating at this point, but what could prevent Sony from anticipating this exact situation and burning several keys in the APU? I mean, eFuse is not exactly a new technology. That way, once a key is leaked, Sony could push a firmware update switching the APU to a new key which hasn't been leaked yet.
I have seen some manufacturers enroll multiple manufacturer keys, probably with this notion, but this isn’t useful against almost any threat model.
If keys are recovered using some form of low level hardware attack, as was almost surely the case here, the attacker can usually recover the unused key sets too.
If the chip manufacturing provisioning supply chain is leaky the new keys will probably be disclosed anyway, and if the key custody chain is broken (ie, keys are shared with OEMs or third parties) they will definitely be disclosed anyway.
How did the keys get leaked and where are they sourcing this from? Did Sony get compromised, disgruntled employee, what?
If there was a breach, I'd expect keys for the PS4 to be leaked as well which would be quite handy. There are soft jailbreaks you can do currently on the PS4, but they're not full on CFW (custom firmware) and don't persist reboots.
Based on the other comments it looks like it's the decryption keys for the bootrom, which obviously have to be available somehow to every PS5 for it to be able to boot. That means they probably compromised the processor or something, but no need to invoke "Sony get compromised" or "disgruntled employee".
General question: (I don't know enough about cryptography)
Are these symmetric keys or asymmetric ones? Both allow you to decrypt, but only the former would allow you to make changes to it, whereas the latter would still require you to find an exploit in the next stage. I think?
I hope this doesn't lead to further cracks, and PS5 multiplayer games being overrun with cheaters.
Once PS3 was cracked enough to run game mods, every PS3 GTA freeroam session was overrun with obnoxious cheaters, ruining it for everyone else. (Sorta like the tech industry.)
In most computer tech things, I'm all Linux, OpenWrt, Coreboot, GrapheneOS, etc., but the game console is one thing that that I like being locked down.
I don't, your forced under the mercy of that they keep supporting. At any time they can render your console usless and force you to upgrade.
Consoles are e-waste in my eyes, perfectly good for other uses but liocked to what the vendor wants to give. Limited by the hardware that's given and then nagged to buy latest model.
Why am I not allowed to turn an old PS4 in to a Linux router? It has a beast of a CPU, USB ports and suports SSD's, what's the issue?
Oh the travesty! People now have the keys to unlock hardware they paid money to and legally 'own', and can inspect their legally owned hardware as they choose!
given that there is no dev mode or ssh server running on a console, how do they even read low level binary code such as boot loader? Do they transplant memory chips?
In this case, by using fault injection to induce a glitch into a test mode which bypasses secure boot and loads code from SPI, combined with a SPI emulator (and I2C to send the boot vectors).
Chip-off is a common way to retrieve the ROM of embedded devices. It often requires multiple chip-off reads and a reconstruction of the striped data across the chips.
This is the same hardware as a PC, but TPM and UEFI “Secure Boot” happen way, way later in the boot process and aren’t present here; this is the hardware root of trust, in this case the AMD PSP boot firmware, which runs on an ARM system alongside the x86 cores. Intel’s version is called Boot Guard and runs on a combination of x86 sub-cores (TXE) and ME.
> Now that the ROM keys have been leaked (and assuming they are valid), a hacker could then decrypt and study the official bootloader and potentially use that as a starting point to understand how the PS5’s boot system works.
I've been firmly convinced for a while now that Sony purposely doesn't discourage jailbreakers too strongly. They quietly win loyalty by being just a little friendlier than Nintendo.
[+] [-] Retr0id|2 months ago|reply
> news sites are overhyping the release/leak/whatever of the rom keyseeds, saying it could be used to fully unlock the ps5. i've already stated on twitter and i'll state it again. rom and seeds alone are NOT enough to pwn a ps5, you either need fuses and nandgroups to complement it
> ... or alternatively, you need to find bugs in the rom that you can use to exploit the ps5. neither of these are easy and require immense work. also, decapping a ps5 apu to retrieve the fuses optically will prove useless to the end user because those fuses are encrypted/xored/obfuscated
[+] [-] tonyhart7|2 months ago|reply
I always fascinated by works of people that try to reverse engineer this secure system
[+] [-] croes|2 months ago|reply
[+] [-] embedding-shape|2 months ago|reply
Probably could have been avoided if Sony kept the Linux version of the Playstation still alive. Imagine what the (console) world would have looked like, if it was still alive. I never got the chance to even try it myself before it was gone, but I'm sure a lot of the homebrew community's energy could have been redirected towards it instead, hitting two flies with one swath.
[+] [-] Sesse__|2 months ago|reply
The causality here is backwards; Sony removed Other OS support precisely because the first jailbreak (a glitching attack) relied on it.
[+] [-] xav_authentique|2 months ago|reply
[+] [-] Brian_K_White|2 months ago|reply
But it was fun.
[+] [-] mrheosuper|2 months ago|reply
[+] [-] naoru|2 months ago|reply
> According to The Cybersec Guru, this is an unpatchable problem for Sony, because these keys cannot be changed and are burned directly in the APU.
I'm just speculating at this point, but what could prevent Sony from anticipating this exact situation and burning several keys in the APU? I mean, eFuse is not exactly a new technology. That way, once a key is leaked, Sony could push a firmware update switching the APU to a new key which hasn't been leaked yet.
[+] [-] bri3d|2 months ago|reply
If keys are recovered using some form of low level hardware attack, as was almost surely the case here, the attacker can usually recover the unused key sets too.
If the chip manufacturing provisioning supply chain is leaky the new keys will probably be disclosed anyway, and if the key custody chain is broken (ie, keys are shared with OEMs or third parties) they will definitely be disclosed anyway.
[+] [-] EPWN3D|2 months ago|reply
[+] [-] ghshephard|2 months ago|reply
[+] [-] j45|2 months ago|reply
[+] [-] hypeatei|2 months ago|reply
If there was a breach, I'd expect keys for the PS4 to be leaked as well which would be quite handy. There are soft jailbreaks you can do currently on the PS4, but they're not full on CFW (custom firmware) and don't persist reboots.
[+] [-] gruez|2 months ago|reply
[+] [-] sagacity|2 months ago|reply
This also goes into a bit more detail regarding how these keys are used.
[+] [-] OptionOfT|2 months ago|reply
Nasty filler to add that to the page.
General question: (I don't know enough about cryptography)
Are these symmetric keys or asymmetric ones? Both allow you to decrypt, but only the former would allow you to make changes to it, whereas the latter would still require you to find an exploit in the next stage. I think?
[+] [-] neilv|2 months ago|reply
Once PS3 was cracked enough to run game mods, every PS3 GTA freeroam session was overrun with obnoxious cheaters, ruining it for everyone else. (Sorta like the tech industry.)
In most computer tech things, I'm all Linux, OpenWrt, Coreboot, GrapheneOS, etc., but the game console is one thing that that I like being locked down.
[+] [-] doublerabbit|2 months ago|reply
Consoles are e-waste in my eyes, perfectly good for other uses but liocked to what the vendor wants to give. Limited by the hardware that's given and then nagged to buy latest model.
Why am I not allowed to turn an old PS4 in to a Linux router? It has a beast of a CPU, USB ports and suports SSD's, what's the issue?
[+] [-] mystraline|2 months ago|reply
/sarcasm
[+] [-] m00dy|2 months ago|reply
[+] [-] shipscode|2 months ago|reply
[+] [-] lpcvoid|2 months ago|reply
[+] [-] nopurpose|2 months ago|reply
[+] [-] bri3d|2 months ago|reply
https://m.youtube.com/watch?v=cVJZYT8kYsI
[+] [-] MSFT_Edging|2 months ago|reply
[+] [-] Thaxll|2 months ago|reply
[+] [-] bri3d|2 months ago|reply
[+] [-] unknown|2 months ago|reply
[deleted]
[+] [-] MuffinFlavored|2 months ago|reply
edit:
> You still won't get a jailbroken PlayStation 5 with this leak, but it will make it easier for hackers to compromise the console's bootloader.
nope?
[+] [-] peddling-brink|2 months ago|reply
This would just allow further study.
[+] [-] TheRealPomax|2 months ago|reply
[+] [-] t-3|2 months ago|reply
[+] [-] downrightmike|2 months ago|reply
Ref: https://www.pcmag.com/news/japans-cyber-security-minister-do...
[+] [-] monocasa|2 months ago|reply