PS3: LV0 man-in-the-middle attack write-up + tools, by MikeM64. Full CFW for all PS3s next?

PS3 developer MikeM64 has released a full description of his hardware MITM attack on the PS3, following photos of the attack that surfaced a few weeks ago. The goal of this exploit is to fully unlock LV0 (the boot loader) on newer PS3 models, in order to eventually be able to install Full Custom Firmware on the console.

PS3 exploits – current status

We’ve mentioned it before: hacking a PS3 is possible on all models and firmwares today, but depending on the PS3 hardware you may or may not be able to install a Full Custom Firmware. For most people, the difference between what they can already use (PS3HEN) and a Full Custom Firmware is anecdotal, but LV0 remains the holy grail of PS3 hacking. MikeM64 has a great summary:

PlayStation 3 has had a very long home-brewed history. At the first release of PS3, Linux support was baked in on day 1! People had the ability to install any PowerPC-based deployment with full core support for various system devices. This enabled all sorts of interesting uses such as superdata clusters and an inexpensive PowerPC development box. There were a few tweaks from Linux to the hypervisor, but no one bothered to dig too far before OtherOS support was removed from sleek consoles. Following the release of GeoHot’s HTAB Utilization, OtherOS was removed from all consoles in 3.21. This was the catalyst that opened the locks to complete the utilization of the console. I have summarized the current state of many utilities released for the PS3 console below:

| Exploit | Version | Activated in LV1 | Activated in LV2 | Notes |
|---|---|---|---|---|
| GeoHot HTAB glitching | Some? | R / W random HV memory | NOW | FPGAs are used to fail memory address lines |
| PSJailbreak dongle | 3.41 | NOW | Homebrew and GameOS piracy, support for OtherOS restored | Dongle utilized USB device description parsing to get code execution in LV2. |
| fail0verflow Sigfail | <= 3.55 | Specially signed LV1 | Specially signed LV2 | Works on all consoles with a minver of <= 3.55. |
| Post 3.55 / Sigfail Era | | | | |
| lv0ldr Syscon Packet TOCTOU – Linux Dumping | Some? | NOW | NOW | Dumped the lv0 root keys to allow decryption of all LV0 executables and login to <= 3.55 minver consoles. |
| HEN | <= 4.89 | NOW | Home brewing and piracy in GameOS | No OtherOS support |
| lv0ldr Syscon Packet TOCTOU – HW Remix | Some? | Custom code in LV1 | Custom code in LV2 | Should work on all consoles with HW. This is the topic of the day! |

Following the release of the sigfail exploit, Sony tried to secure the boot chain again by moving all loaders into lv0, since it had not yet been dumped or exploited. This was a good stop-gap solution until Juan Nadie and the three musketeers dumped lv0ldr and their exploits and keys were leaked. When the LV0 keys were available, it was now possible to change and sign all updatable code on older consoles. Consoles produced after the sigfail release were updated with new lv0 metadata (lv0.2) that are not vulnerable to sigfail exploitation.

For all consoles that were not vulnerable to sigfail, HEN was released that utilized both the built-in browser and the LV2 kernel to enable both home brewing and piracy in GameOS. This still does not allow OtherOS support or hypervisor modifications to this day.

In other words, to gain full control of every PS3 model, hijacking LV0 is crucial, and that is what MikeM64 has accomplished with a little hardware and a lot of trial and error.

Exploiting PS3 LV0 with hardware

The general idea was to reproduce, with hardware, the 3.55-era software vulnerability that led to the LV0 key dump (the “3 musketeers” leak). MikeM64 writes:

The lv0ldr exploit used to dump lv0ldr targets the processing of syscon packages between syscon and Cell. It was discovered in lv0 that the code that manages syscon packet reads had a TOCTOU error in it that reads the packet header again after validation.[…]

This problem alone will not normally be enough to exploit lv0ldr. You must be able to time and inject memory writes to the MMIO slot that contains the syscon packet buffer in order to pass the first checksum, and then type the new header to take advantage of the memcpy of any size. The time window for exploiting this is extremely, extremely small. Fortunately, we can arbitrarily extend this time window thanks to troubleshooting facilities that IBM left in the cell. For both regular and isolated GPFs, we can turn on interruptions for all MFC transfers in or out of the GPFG. This allows us to pause the running of lv0ldr on any memory access, enabling the utilization and dumping of lv0ldr.
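To make the bug class concrete, here is an added, constructed C model of the double-read pattern described above (a header validated once, then read again from the shared buffer when the copy size is chosen) beside the hardened shape that snapshots the packet and validates only the snapshot. This is illustration code, not MikeM64's tooling or any PS3 code; the packet layout, the checksum and the `window_hook` that stands in for a concurrent writer are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: a header (length, checksum) followed by a payload in a
 * buffer that a second party can write while the reader is working on it. */
#define PKT_MAX_PAYLOAD 32
static volatile uint8_t mmio_pkt[2 + 255];
uint8_t demo_out[PKT_MAX_PAYLOAD];

/* Invoked inside the race window; models a concurrent writer. NULL = none. */
typedef void (*window_hook)(void);

static uint8_t checksum8(const volatile uint8_t *p, size_t n)
{
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Vulnerable shape: header validated, then re-read from the shared buffer to
 * pick the copy length. Returns the length handed to the copy (or -1 if the
 * packet is rejected). The copy is clamped only to keep this model memory-safe;
 * the returned length is what the double read exposes. */
int read_packet_toctou(uint8_t *dst, size_t dst_len, window_hook hook)
{
    uint8_t len = mmio_pkt[0];
    if (len > PKT_MAX_PAYLOAD || checksum8(mmio_pkt + 2, len) != mmio_pkt[1])
        return -1;
    if (hook) hook();                  /* the race window */
    len = mmio_pkt[0];                 /* second read: no longer validated */
    memcpy(dst, (const void *)(mmio_pkt + 2), len <= dst_len ? len : dst_len);
    return len;
}

/* Hardened shape: latch the length once, copy the packet to private memory,
 * validate the private copy, and never consult the shared buffer again. */
int read_packet_safe(uint8_t *dst, size_t dst_len, window_hook hook)
{
    uint8_t local[2 + PKT_MAX_PAYLOAD];
    uint8_t len = mmio_pkt[0];         /* single read of the length */
    if (len > PKT_MAX_PAYLOAD || len > dst_len) return -1;
    if (hook) hook();                  /* writer acts, but len is already latched */
    for (size_t i = 0; i < 2 + (size_t)len; i++) local[i] = mmio_pkt[i];
    if (checksum8(local + 2, len) != local[1]) return -1;
    memcpy(dst, local + 2, len);
    return len;
}

/* Constructed sample: a valid 4-byte packet, and a writer that changes the
 * length field to 200 inside the window. */
void load_sample_packet(void)
{
    static const uint8_t payload[4] = {0xde, 0xad, 0xbe, 0xef};
    for (int i = 0; i < 4; i++) mmio_pkt[2 + i] = payload[i];
    mmio_pkt[0] = 4;
    mmio_pkt[1] = checksum8(mmio_pkt + 2, 4);
}
void racing_writer(void) { mmio_pkt[0] = 200; }
```

With no writer both readers return 4; with the writer active, the double-read version hands 200 to the copy while the snapshot version still returns 4 and the intact payload.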

MikeM64 provides comprehensive details on how to achieve the hardware hack, along with all the tools other hackers need to work on the next steps, including CFW support for all PS3 models. It is now probably just a matter of time before that happens.

The required hardware is “simple” (though the skills involved are not): a Teensy 4.0 and an Arty-S7 50 (MikeM64 says the design can be easily ported to any Arty A-series board), plus generic cables.

You can check out the entire recipe here.