Hacker claims new PS3 breakthrough
Geohot says he has GameOS access.
iPhone hacker George Hotz claims to have expanded the scope of his PS3 exploit, and reckons he now has complete access to the system's GameOS, the area of the console that runs the XMB and operates beneath game code.
"I believe that defeats the last technical argument against the PS3 being hacked," Hotz wrote on his blog.
Geohot's original PS3 hack concentrated on the attack and analysis of the Cell chip's so-called Hypervisor, the "guardian" code designed to oversee general system operation and prevent the types of assault that continue to compromise Sony's PSP.
However, despite the mass media coverage of Hotz's achievements, doubts remained over the usefulness of the exploit since the core encryption techniques used within the PS3 remained secure.
Typically the PlayStation 3 dedicates an entire SPU to decrypting code, and the actual decryption keys never enter main RAM, making it impossible to retrieve them with the usual hacking technique of dumping system memory. But in OtherOS, with Linux installed and his exploit active, Hotz has a much more vulnerable system at his disposal.
"In OtherOS, all 7 SPUs are idle," Hotz explained. "You can command an SPU (which I'll leave as an exercise to the reader) to load metldr, from that load the loader of your choice, and from that decrypt what you choose, everything from PKGs to SELFs. Including those from future versions."
SELFs are best described as the PS3 equivalents of PC .EXE files - they contain game code, while PKGs are the containers in which game installs, PSN games and DLC are delivered. Think of them as encrypted ZIP files. We can assume that "metldr" is the code the PS3 uses to set up the dedicated, security-focused SPU that decrypts them.
Although he has not publicly confirmed it, it is widely believed that Geohot has not only established his own Linux-based decrypter, but that he has also decrypted GameOS, raising the possibility that the PS3 firmware could be patched to run homebrew code straight from the XMB.
Hotz himself maintains that he will never write code to directly enable piracy, and while attempts have been made to improve the somewhat unreliable nature of the original hack, actually getting the exploit to activate remains something of a haphazard process.
In short, if anything ever comes of this, chances are that Sony will have made a good attempt at updating its firmware to circumvent the hack in the meantime.
Just how Sony will choose to respond to this remains unknown. In a topic posted on the YellowDog Linux community board, an employee of Fixstars - the firm responsible for the Cell-accelerated CodecSys H.264 encoder - reckons he has heard from a "reputable source" that OtherOS may be removed in the next PS3 system update.
However, this post has now been deleted, and the whole notion of OtherOS being removed sounds rather heavy-handed and extremely unfriendly to the consumer.
The chances are that Sony will move to close Geohot's loophole in a more elegant manner, leaving the potential pool of exploitable consoles to diminish as more and more people upgrade their firmware.