Hacking the PlayStation

Francisco A. Fortes, L. Jacob Mariscal

This project is an overview of the different security tactics Sony has adopted over the history of its home video game systems, and of the ways those tactics have been defeated by the hackers and crackers of the underground scene. The whole contest has been fought in terms of cryptographic protections on one side and decryption and reverse engineering on the other. In the competitive world of electronic entertainment, protecting one's own interests with complex and sophisticated systems is an obligation. Viewing it as a race, we will analyse the beginning of these protection systems in the first PlayStation hardware and its easily defeated region protection, the first programmable modchips, and the stealth modchips that followed once the system began checking for illegal hardware installed inside it. The next jump happened with the PlayStation 2, with programmable modchips capable of many functions and two alternatives for cracking the security: exploits that leak data through implementation mistakes, and a hard disk used to emulate the DVD-ROM. Our point of view is that cryptology must not be reduced to theory applied to software; it must be present in the design of the hardware too. The ethical aspects of hacking will not be considered, which does not mean that the project tries to teach how to carry out illegal actions: it is only a scientific study of the reality, and it excludes the hardware in which Sony currently has an economic interest, the PSP and the PlayStation 3.

1 Introduction

Most people have used an illegal copy of software at some point in their lives, and at the final step of piracy there is no trace of the technological battle that preceded it. The life of a security system in software (and in electronic systems too) is short and follows the same pattern in every case: design of new cryptographic systems by a company's engineers, release of the product, a period of inviolability, and finally the cracking of the system.
To date no system in the history of computing has gone unpirated, and video game systems are no exception to this curse. The first PlayStation appeared in Japan in December of 1994; it was Sony's first video game system and perhaps the first aimed at "adults". Its success was incredible, and its violation inevitable. The hacking of the PlayStation coincided with the massive adoption of the Compact Disc optical format and the drop in price of CD-RW recorders. With all these factors, the appearance of an underground scene of amateur users with knowledge of engineering and mathematics was inevitable, and it began the biggest technological battle against the richest electronics companies in the world, across every generation of PlayStation and other entertainment systems. The first bullet of this war was a simple chip, created in 1996 in the cradle of piracy: Hong Kong. In the beginning it was a commercial product for people who imported games and had enough money to pay its high price. But soon cloned and cheaper versions of the chip appeared, and the hacker Scott Rider, aka Old Crow, published on the Internet the source code and functions of the chip, with instructions to rebuild it on a PIC12C508 microcontroller from Microchip Technology. It is curious how Scott Rider's altruistic initiative caused billions in losses to the electronic entertainment industry.

1.1 The Regional Protection

The most vulnerable point of a system is its boot, and that is where the hacking of the PlayStation begins. The first action the system executes is to read the first sectors of the CD in the drive. The regional data block is a group of 4 bytes in which the nationality of the disc is encoded; basically it is the hexadecimal representation of SCEE (Sony Computer Entertainment Europe), SCEA (for America) or SCEI (for Asia). If the PlayStation belongs to one of these regions but the sector contains the code of another, the system does not run and an error message appears on the TV.
At this low level it is necessary to defeat the system in hardware, leaving software for later restrictions. The first solution to this regional protection was a simple chip (later called a multi-region chip) connected to the data channel of the CD-ROM drive. At start-up this chip sends the 3 regional codes in a loop, one after another. The PlayStation compares all three codes with its system ROM and accepts one, the only valid one. This weakness was soon fixed by adding new regional codes inside the game, and the answer was again new and more complex chips. The new chips try to block all these internal regional checks during the boot, because their signal can interfere with the chip's own three-code signal and be identified by the system as garbage (this blocking is not needed with an original CD-ROM). The regional codes on the CD come and go during the fifth spin, at which the chip acts. Here is an example of the whole regional encoding process. This is the information generated by the chip in its loop:

LINE 1: DB 09h A9h 3Dh 2Bh A5h F4h - PSone Asia (NTSC)
LINE 2: DB 09h A9h 3Dh 2Bh A5h 74h - PSone Europe (PAL)
LINE 3: DB 09h A9h 3Dh 2Bh A5h B4h - PSone America (NTSC)

Our European PlayStation needs to receive the data:

0x9 0xA9 0x3D 0x2B 0xA5 0x74

The same information in binary:

1001 10101001 00111101 00101011 10100101 01110100

Splitting the bits into groups, using the first bit of each group as a start bit and the last two as stop bits:

1 00110101 00
1 00111101 00
1 01011101 00
1 01011101 00

Without the start and stop bits, regrouped:

00110101 00111101 01011101 01011101

Reversing the bit order of each group:

10101100 10111100 10111010 10111010

And applying the NOT operation to the individual bits:

01010011 01000011 01000101 01000101

Converting back to hexadecimal:

0x53 0x43 0x45 0x45

The ASCII representation is S C E E: the "Sony Computer Entertainment Europe" code we needed.

1.2 Anticopy and Stealth Chips

Because they modify the hardware, the first generation of chips were called modchips.
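The regional-code transform walked through above, as an added example that is not part of the original paper: it decodes the chip's serial bit stream (start bit, 8 data bits, 2 stop bits, bit order reversed and then inverted) into the ASCII region code, and re-encodes a region string into the bytes the chip must send, so the steps can be checked on all three listed lines. The frame layout is taken from the walk-through; the LINES dictionary holds the three byte sequences from the listing.

```python
# Added example: codec for the PSone region-code serial stream, not code from the paper.
FRAME_BITS = 11  # 1 start bit + 8 data bits + 2 stop bits, as in the walk-through

# The three loop lines from the listing above, as raw bytes (09h is the 4-bit nibble 1001)
LINES = {
    "line1_F4h": bytes.fromhex("09A93D2BA5F4"),
    "line2_74h": bytes.fromhex("09A93D2BA574"),
    "line3_B4h": bytes.fromhex("09A93D2BA5B4"),
}


def to_bitstream(payload: bytes) -> str:
    """Hex bytes -> 44-bit string; the leading zeros of 09h are padding, not data."""
    return "".join(f"{b:08b}" for b in payload).lstrip("0")


def decode_frame(frame: str) -> int:
    """One 11-bit frame -> one ASCII byte, following the paper's steps."""
    if len(frame) != FRAME_BITS or frame[0] != "1" or frame[-2:] != "00":
        raise ValueError(f"bad framing in {frame!r}")
    data = frame[1:9]                      # strip the start and stop bits
    reversed_bits = data[::-1]             # "reversing the bit order of each group"
    return int(reversed_bits, 2) ^ 0xFF    # NOT on every individual bit


def decode_region(payload: bytes) -> str:
    """Whole byte sequence -> 4-character region code such as 'SCEE'."""
    stream = to_bitstream(payload)
    if len(stream) % FRAME_BITS:
        raise ValueError("stream is not a whole number of frames")
    frames = (stream[i:i + FRAME_BITS] for i in range(0, len(stream), FRAME_BITS))
    return bytes(decode_frame(f) for f in frames).decode("ascii")


def encode_region(code: str) -> bytes:
    """Inverse transform: region string -> the byte sequence the chip must send."""
    stream = ""
    for ch in code:
        data = f"{(~ord(ch)) & 0xFF:08b}"[::-1]   # NOT, then reverse for wire order
        stream += "1" + data + "00"               # add start and stop bits
    padded = stream.rjust((len(stream) + 7) // 8 * 8, "0")  # left-pad to whole bytes
    return int(padded, 2).to_bytes(len(padded) // 8, "big")


if __name__ == "__main__":
    for name, payload in LINES.items():
        print(name, decode_region(payload))
    print(encode_region("SCEE").hex())
```

Applied to the other two lines, the same steps yield SCEA for the F4h sequence and SCEI for the B4h sequence, so the region labels on lines 1 and 3 of the listing do not match what those bytes decode to.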
But this generation ceased to be useful in 1998, when Sony designed a new protection for its system. This new protection was compatible with models from the first PlayStation (the SCPH-1000 of 1994) to the current one in '98, the SCPH-7502. The new protection was the detection, by software, of an independent active component sending data to the original hardware. The first games with this protection were Final Fantasy VII and Chocobo Racing, created and published by Square Soft in 1999.

1. Normal Modchip diagram

Only a few weeks later, three solutions appeared for the new anticopy protection. One was to patch the game before burning it, removing all the additional protection. Another was to include a programmable component in the modchip, which will be explained later. The third was to create a stealth modchip, which tries to be invisible to the software detection by knowing when it must stay silent and when it must work. For example, the regional protection is only needed while the system boots, so after start-up the three-code loop must stop in order not to be detected. Other signals that break protections must start and stop in different phases of the system's operation: for example, start or stop when the reset button is pressed, when the CD-ROM lid is opened, when the system reads the memory card, and so on. All of this makes the stealth modchip very hard to install, with a lot of soldering and the need for electronic instruments to check values such as voltage. In the first stealth modchips around 4 wires were connected inside the PlayStation. With more complex protections in software it became necessary to add 7 or more wires, which can break other hardware components.

2. Stealth-Modchip Diagram

This soldering was also a drawback because in the following years an anti-stealth-modchip software protection was implemented, first in Namco's Dino Crisis game.
It is important to note that this last protection on the first PlayStation was used heavily in Japan, but not in Europe, because of the high number of modified PlayStations there. There are examples such as Konami's Silent Hill, which appeared with the anti-stealth-modchip protection in its home country and without it in the West, because an original copy cannot be executed on modified hardware. And against the anti-stealth-modchip protection the only solution was to make the chip programmable for future encryptions. The microcontroller in the chips (usually from the PIC, FPGA or SX families) began to include an EEPROM memory in the circuit. This happened between two generations, from the PlayStation to the PlayStation 2, and it also included the Microsoft Xbox. From this point on, the diversity and complexity of the chips grew to new levels.

2 Programmable Chips

With the PlayStation 2, which appeared in the middle of 1999 in Japan, the war between the underground scene and Sony continued with new protections and new weapons, again with the hacker Scott Rider in the background. Rider was the first to adapt the old stealth modchips to the new system, writing the code for the EEPROM of the first versions. To program a chip it is necessary to extract the information from it using an RC oscillator, which has to be calibrated many times. The chips diverged into different families, depending on how they attack the system BIOS (modbios) and how they are programmed. Usually the code in the chip attacks when the PlayStation is vulnerable, for example while the DVD-ROM is reading from the disc (this attack is called swapping). Among the chips that break the security through the BIOS there is a further subdivision: those that replace the entire content of the Basic Input Output System directly, also adding new functions such as DivX video playback, and those that patch the BIOS at execution time with only the values the game needs in order to run free of protections. In the first case the information is replaced by a copy without copyright held in the chip's memory. These chips had many names, such as Aladdin, Executer, Enigma and Spider.
The way the information in the chip is updated, i.e. how the EEPROM is programmed, opens further subdivisions, including hybrids within the BIOS-replacement family. The update can be stored in a flash memory on the chip by connecting it to a PC or with other instruments. Legally, all programmable chips are sold blank, and it is the user's responsibility to load a hack code. This hack code is usually created by a group from the underground scene, which supports and improves it for approximately two years. Another type of chip does not need to be updated or programmed; it only requires a modification of the firmware in the DVD-ROM drive, which tampers with all the content sent to the system. Its installation is the easiest, but it is sometimes dangerous to the integrity of the optical drive. The opposite of this dangerous option is the external chip, which sits inside the PlayStation 2 but uses an external connection to the USB port to receive new codes, and needs only one soldered joint (these are called USBMod). There are two more types of chip, the solderless and the LPC, but they were more common on the Microsoft Xbox.

2.1 Exploits and Executables

The use of modchips has been very popular, but it is not the only method of breaking the security of a video game system, nor the most effective. The alternative is to use errors in the hardware and software design to dodge the protection, which is called an exploit or softmod. There are many types of exploit that attack a system's vulnerabilities in diverse ways, using networks, bugs and more. Sometimes an exploit is discovered and its creator keeps silent about it until it is useful, because the companies' weapon is to patch the bugs in new versions. Exploits waiting to be used in this way are called zero-days. Here is a list of types of exploit:

• Code injection: alter operations to keep the bug open for new code.
• Cross-site request forgery: the exploit is hidden in code.
• Cross-site scripting: similar to request forgery; common in web pages.
• SQL injection: typical of database systems.
• Buffer overflow: produce instability by feeding memory with garbage.
• Heap overflow: the same, but only in the program's data area.
• Stack buffer overflow: the exploit writes to the stack without limit, as in this unbounded mutual recursion:

    void g(void);            /* forward declaration so that f can call g */
    void f(void) { g(); }    /* f calls g ... */
    void g(void) { f(); }    /* ... and g calls f: the recursion never ends and the stack overflows */

• Integer overflow: create a numeric value too big for its type.
• Return-to-libc attack: the program's stack is replaced with the address of another instruction.
• Race condition: create a critical dependency on timing and other events.
• Format string attack: C functions (such as printf) are used to insert malicious code through the %x and %s tokens.

3. Stack Overflow Diagrams: a) before data is copied, b) "hello" is the first command line argument and c) garbage in the first command line argument.

Usually, the way to load code for exploits is to use the PlayStation 2 memory card. The code on the memory card has to be related to an original game used to boot the system (doing a swap), so they share a SLES or SLUS file, which are the PlayStation 2 system files (like *.cnf or *.sys on a PC). The PlayStation 2 also has executables, the ELF files, which run at system start and use the files on the memory card and the real data on the original DVD to break the security. These ELF files, or PlayStation 2 executables, allow, for example, the system to be connected to a hard disk, as we will see. The file system on the memory card contains:

• Cdvd.irx = driver or exploit to access the DVD.
• Dummy = folder containing dummy.dat, a big file used to fill the volume.
• Expinst.elf = executable that installs the exploit.
• System.cnf = needed by the executable.
• Title.db = signatures of the game(s) used to start the process.
• Files = folder where the files are.
The Files folder contains all of these:

boot.elf, hdadvanc.elf, ipconfig.dat, mcloader.elf, ps2link.elf, ps2media.elf, cdloader.elf, kl.dat, ps2dev9.irx, ps2link.irx, ps2smap.irx, csl.elf, iomanx.irx, mcformat.elf, ps2ip.irx, ps2load.elf, unrar.irx

Here ipconfig.dat is the network configuration and kl.dat is part of the keylauncher, a crucial component of the executable. The keylauncher holds the information about which buttons the gamer has to press to load games from the hard disk, use a movie player, and so on. This is a typical keylauncher content:

[]=mc0:/BEDATA-SYSTEM/PS2MEDIA.ELF;PS2 MediaPlayer 1.50
/\=mc0:/BEDATA-SYSTEM/MCLOADER.ELF;MCLoader
O=mc0:/BEDATA-SYSTEM/HDLOADER.ELF;HDD Loder Free
X=mc0:/BEDATA-SYSTEM/HDADVANC.ELF;HDAdvance
R1=mc0:/BEDATA-SYSTEM/CSL.ELF;CogSwapLoader by Hermes
R2=mc0:/BEDATA-SYSTEM/PS2LINK.ELF;PS2Link 1.23
R3=
L1=mc0:/BEDATA-SYSTEM/PS2LOAD.ELF;CDLoader v7 5.2
L2=mc0:/BEDATA-SYSTEM/MCFORMAT.ELF;MCFormat

Here [] is the square button, O the circle, and so on, on the PlayStation 2 controller. The prefix mc0:/BEDATA-SYSTEM means the information is on the first memory card (number zero). BEDATA is the folder for European memory cards; the American and Japanese ones are called BADATA and BIDATA respectively. This executable on the memory card is really the key to a new storage for PlayStation 2 games: the possibility of installing a hard disk.

2.2 HDLoader and HDDumb

With the PlayStation 2, Sony for the first time had in mind connecting its system to the Internet, with the possibility of downloading content and playing online. For this, the company created a network adapter that plugs into the back of the PlayStation 2, with an IDE port for a hard disk. The hard disk, formatted in a special PS2 format, was used by games such as Final Fantasy XI to store the user's data. But what happens if someone copies game ISOs onto this PS2 format and changes the file system to boot from it, disconnecting the input data of the DVD-ROM and connecting it to the hard disk?
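As an added example (not from the paper or from any homebrew loader), a parser for the keylauncher binding lines above: it maps each button to its ELF path and label, reads the memory card slot from the mcN: prefix, resolves the region from the BxDATA-SYSTEM folder name the text describes, and skips unassigned buttons such as R3. The line layout is taken from the listing; the field names and the validation rules are assumptions.

```python
# Added example: parser for keylauncher binding lines ("BUTTON=mcN:/BxDATA-SYSTEM/FILE.ELF;label");
# not code from the paper or from the keylauncher itself.
from typing import Dict, NamedTuple, Optional

REGION_FOLDERS = {"BEDATA-SYSTEM": "Europe", "BADATA-SYSTEM": "America", "BIDATA-SYSTEM": "Japan"}
BUTTONS = {"[]", "/\\", "O", "X", "R1", "R2", "R3", "L1", "L2"}   # names used in the listing

class Binding(NamedTuple):
    button: str
    path: str    # e.g. mc0:/BEDATA-SYSTEM/CSL.ELF
    label: str
    card: int    # memory card slot from the mcN: device prefix
    region: str  # decoded from the BxDATA-SYSTEM folder name

def parse_line(line: str) -> Optional[Binding]:
    """One binding line -> Binding; None for blank lines and empty bindings."""
    line = line.strip()
    if not line:
        return None
    button, sep, rest = line.partition("=")
    if not sep or button not in BUTTONS:
        raise ValueError(f"unknown button binding: {line!r}")
    if not rest:
        return None                      # e.g. "R3=" has nothing assigned
    path, _, label = rest.partition(";")
    device, _, location = path.partition(":/")
    if not (device.startswith("mc") and device[2:].isdigit()):
        raise ValueError(f"unsupported device in {path!r}")
    folder = location.split("/", 1)[0]
    if folder not in REGION_FOLDERS:
        raise ValueError(f"unknown region folder {folder!r}")
    return Binding(button, path, label, int(device[2:]), REGION_FOLDERS[folder])

def parse_keylauncher(text: str) -> Dict[str, Binding]:
    """Whole kl.dat text -> {button: Binding}, skipping unassigned buttons."""
    bindings = {}
    for line in text.splitlines():
        b = parse_line(line)
        if b is not None:
            bindings[b.button] = b
    return bindings

# Constructed sample: the listing from the paper, including the unassigned R3 line
SAMPLE = """\
[]=mc0:/BEDATA-SYSTEM/PS2MEDIA.ELF;PS2 MediaPlayer 1.50
/\\=mc0:/BEDATA-SYSTEM/MCLOADER.ELF;MCLoader
O=mc0:/BEDATA-SYSTEM/HDLOADER.ELF;HDD Loder Free
X=mc0:/BEDATA-SYSTEM/HDADVANC.ELF;HDAdvance
R1=mc0:/BEDATA-SYSTEM/CSL.ELF;CogSwapLoader by Hermes
R2=mc0:/BEDATA-SYSTEM/PS2LINK.ELF;PS2Link 1.23
R3=
L1=mc0:/BEDATA-SYSTEM/PS2LOAD.ELF;CDLoader v7 5.2
L2=mc0:/BEDATA-SYSTEM/MCFORMAT.ELF;MCFormat
"""
```

Calling parse_keylauncher(SAMPLE) returns eight bindings, with R3 absent because nothing is assigned to it.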
The answer is the massive storage of illegal items in an easy and cheap way, which produced an incredible increase in sales of the PlayStation 2 and a worrying decrease in games sold. Sony created a special, small hard disk (only 10-20 GB) for its PlayStation 2, but the underground scene created applications to adapt any PC hard disk to the PS2 format, with the only requirement of a 4 MB internal buffer. Soon two programs appeared, ironically on original DVDs: HDLoader and HDDumb. Both have an easy interface to manage the different game ISOs installed on the disk (it is possible to connect the disk to a PC for transfer, or to copy them from DVD-ROMs), and they can format, rename and administer the games. From this point, the battle between piracy and Sony moved to whether games were compatible or not with these two hard disk management programs. It is logical to think that all games released before the appearance of HDLoader and HDDumb are totally compatible with the new piracy method, but soon (we have to talk in the past tense because the PS2 is an obsolete product) the companies tried different methods: detecting the hard disk at boot, detecting access to an ISO during execution, and detecting a transfer faster than the DVD-ROM bandwidth. Because of that, HDLoader and HDDumb had three different internal modes to block these protections. Nevertheless, there are a few games whose security systems cannot be solved within these programs and needed a very complex modification by reverse engineering, applied as a patch to the ISO, such as Gran Turismo 4 or Shadow of the Colossus, by Sony.

3 Short View of the Present and Future

Sony's next system was the PlayStation Portable (PSP), based on a special disc that cannot be pirated, the UMD (Universal Media Disc), but Sony made the mistake of basing the corrections to its system on firmware updates. Now, piracy on the PSP is based on downgrading the firmware from secure versions to vulnerable old versions that can read ISOs from memory sticks.
Later came the third PlayStation generation, the PlayStation 3, internally based on Linux, with a new and exclusive format (Blu-ray) and complex encryption of all its data. But Blu-ray will be a mass-market format in one or two years, and Linux permits modifications easily, so who knows: the electronic war continues. Maybe in 5 years some students will start their project at the exact point where we must stop.

4 Summary and Conclusions

We have seen how important it is to dedicate great effort to adapting cryptographic techniques to the security of an electronic system, not only in software but also in hardware, because the vulnerability of one is always the door into the other. As we have read, cryptology was not present in the first implementations and was used only to repair mistakes and vulnerable points, but cryptology must be used to build the system from the first steps of its design. That has happened only with the PlayStation 3, and it is still too soon to know whether piracy will win the battle again. For now the PS3 is out of danger, since its release at the end of 2006.

Resources:

The topic of this document is an activity (piracy) that is not officially documented, so academic books and theses about it do not exist. The only source of information is the Internet, with many FAQs and forums whose authors do not use real names. For further information, see the following websites:

http://wikipedia.org/
http://www.darlok.com/hdloader/ (English)
http://www.cdrinfo.com/ (English)
http://www.ps3news.com/ (English)
http://www.elotrolado.net (Spanish)
http://www.modchip.it (Italian)
http://www.divineo.fr (French)