PS3: LV0 Man-in-the-middle attack writeup + tools, by MikeM64. Full CFW for all PS3s is next?

PS3 Developer MikeM64 has published a full description of his hardware MITM attack on the PS3, following pictures of the attack revealed a few weeks ago. The aim of this exploit is to fully unlock the LV0 (Boot Loader) on PS3 newer models, to ultimately be able to install Full Custom Firmwares on the console.

PS3 Exploits – The current status

We’ve mentioned it before, hacking a PS3 is pretty much doable on all models and firmwares nowadays, although depending on your PS3 hardware, you might, or might not be able to install a Full Custom firmware. For most people, the difference between what they can use (PS3HEN) and a full custom Firmware is anecdotal, but LV0 remains the holy grail of PS3 Hacking. MikeM64 has a great summary:

The PlayStation 3 has had very long homebrew story. At the initial release of the PS3, Linux support was baked in on day 1! People had the ability to install any PowerPC based distribution with full kernel support for the assorted system devices. This enabled all sorts of interesting uses like supercomputing clusters and a cheap PowerPC development box. There was some poking and prodding done from Linux to the hypervisor but nobody really bothered to dig too far until OtherOS support was removed from slim consoles. After the release of GeoHot’s HTAB exploit, OtherOS was removed from all consoles in 3.21. This was the catalyst which opened the floodgates to complete exploit of the console. I’ve summarized the current state of many exploits released for the PS3 console below:

Exploit Version Enabled in LV1 Enabled in LV2 Notes
GeoHot HTAB Glitching Any? R/W Arbitrary HV Memory N/A FPGA used to glitch memory address lines
PSJailbreak Dongle 3.41 N/A Homebrew and Piracy in GameOS, OtherOS support restored Dongles exploited USB device descriptor parsing to get code execution in LV2.
fail0verflow Sigfail <= 3.55 Custom-signed LV1 Custom-signed LV2 Works on all consoles with a minver of <= 3.55.
Post 3.55/Sigfail Era
lv0ldr Syscon Packet TOCTOU – Linux Dumping Any? N/A N/A Dumped the lv0 root keys to allow decrypting of all LV0 executables and signing on <= 3.55 minver consoles.
HEN <= 4.89 N/A Homebrew and Piracy in GameOS No OtherOS support
lv0ldr Syscon Packet TOCTOU – HW Remix Any? Custom code in LV1 Custom code in LV2 Should work on all consoles with HW. This is today’s topic!

After the release of the sigfail exploit, Sony attempted to re-secure the bootchain by moving all loaders into lv0 as that had yet to be dumped or exploited. This was a good stop-gap solution until Juan Nadie and the Three Musketeers dumped lv0ldr and their exploit and keys were leaked. Once the LV0 keys were available, it was now possible to modify and re-sign all updatable code on older consoles. Consoles manufactured after the sigfail release were updated with new lv0 metadata (lv0.2) which is not vulnerable to the sigfail exploit.

For all consoles which were not vulnerable to sigfail, HEN was released which exploited both the built-in web browser and LV2 kernel to enable both homebrew and piracy in GameOS. This still does not allow for OtherOS support or hypervisor modification to this day.

In other words, to fully gain control of all models of PS3s, hijacking LV0 is essential, and this is what MikeM64 has achieved with a bit of hardware and a lot of trial and error.

Exploiting PS3 LV0 with hardware

The general idea was to reproduce a software vulnerability from the 3.55 era which led to LV0 keys dump (the “3 musketeers” leak). MikeM64 writes:

The lv0ldr exploit used to dump lv0ldr targets the processing of syscon packets between syscon and Cell. It was disovered in lv0 that the code which manages syscon packet reads had a TOCTOU bug in it which re-reads the packet header after validation.[…]

This issue alone would not normally be enough to exploit lv0ldr. You’d have to be able to time and inject memory writes to the MMIO space containing the syscon packet buffer in order to pass the first checksum and then write the new header to exploit the memcpy of arbitrary size. The timing window to exploit this is extremely, extremely tiny. Luckily, we can arbitrarily expand this timing window thanks to debugging facilities that IBM left in the Cell. For both regular and isolated SPUs, we can turn on interrupts for any MFC transfers in or out of the SPU. This allows us to pause execution of lv0ldr on any memory access, enabling the exploit and dumping lv0ldr.

MikeM64 gives extensive details on how to achieve the hardware hack, providing all the necessary tools for other hackers to work on the next steps, including CFW support for all PS3 models. It is now probably just a matter of time before this happens.

The required hardware is “simple” (but the skills involved are not) , namely a Teensy 4.0 and an Arty-S7 50 (although MikeM64 states this could easily be ported to any Arty A series) and the accompanying generic cables.

You can check the whole writeup here.

Leave a Comment