Digital Foundry vs. PSJailbreak
How PlayStation 3's security has been compromised and what it means.
It's real. Almost four years after its launch, the PlayStation 3's much vaunted security has finally been completely and unequivocally compromised. Within weeks, if not days, PS3 users willing to pay an exorbitant premium will be able to copy every game they own - and any they don't - onto hard disk, and nothing will stop those copies from spreading across the internet. The question is, how can Sony fight back? Can new firmware updates keep the platform holder one step ahead of the hackers?
As sample "PSJailbreak" hardware circulates around shops and modchip suppliers around the world, further details are emerging, giving us some idea of how the system works. From that we can extrapolate the scale of the task facing Sony as it embarks on what must surely be the biggest damage limitation exercise in its recent history.
This attack on PlayStation security consists of both software and hardware. A USB dongle is attached to the PS3, and pressing the eject button on the console while it cold-boots causes the code on the stick to override the console's normal launch procedure. Based on the views of the XMB seen in the now numerous YouTube videos, the dongle appears to inject elements of the debug PS3 firmware into the retail unit. The option to install PKG files, normally available only on development and test units, now works on the retail machine. From there, the main tool for "backing up" software is added to the console.
While you may not have heard of a PKG file before, the chances are that you've installed plenty of them on your PS3. Just about every program you download from PSN ships in the PKG container; once downloaded, the PS3 unpacks the container and installs its contents. On development and test/reviewer units, so-called "unsigned code" is routinely distributed on disc, via download or on USB flash drives in PKG format. The difference from a regular PSN download is that the code is neither encrypted nor signed, allowing for easier distribution of unfinished or review copy games. Only Sony's mastering labs hold the keys needed to encrypt and sign code, and the two are distinct operations: encryption hides the contents, while the signature is what tells a console that the package genuinely came from Sony, which is why unsigned PKGs are accepted only on debug hardware.
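To make the distinction between an unsigned debug package and a signed retail one concrete, here is a toy model written for this edit; it is not Sony's PKG format, code or keys. The TPKG magic, the container layout, the fixed Mersenne primes standing in for a generated RSA key pair, and the "retail"/"debug" firmware profiles are all assumptions for illustration only. It shows that a unit holding just the public key can verify a signature but never produce one, so an unsigned or altered package is rejected by the "retail" profile and accepted by the "debug" profile, which is the behaviour an Install PKG option on a retail unit would imply.

```python
"""Toy model of signed versus unsigned package installation.

Constructed example: the container layout, key material and firmware
profile names are illustrative and are NOT Sony's real PKG format or keys.
Textbook RSA over fixed primes with no padding: never reuse in real code.
"""
import hashlib
import struct

MAGIC = b"TPKG"  # constructed magic for this toy container

# Fixed Mersenne primes stand in for a generated key pair (toy only).
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
MODULUS = _P * _Q          # public half, "burned into firmware"
PUBLIC_EXP = 65537         # public half, "burned into firmware"
# Private exponent: held only by the "mastering lab", never by a console.
_PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))
_SIG_LEN = (MODULUS.bit_length() + 7) // 8


def mastering_lab_sign(payload: bytes) -> bytes:
    """Sign a payload. Needs _PRIVATE_EXP, so only the lab can do this."""
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(digest, _PRIVATE_EXP, MODULUS).to_bytes(_SIG_LEN, "big")


def verify_signature(payload: bytes, sig: bytes) -> bool:
    """Check a signature using only the public key, as retail firmware would."""
    if len(sig) != _SIG_LEN:
        return False
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(int.from_bytes(sig, "big"), PUBLIC_EXP, MODULUS) == digest


def build_package(payload: bytes, signed: bool) -> bytes:
    """Wrap a payload as MAGIC | u16 signature length | signature | payload.

    signed=False models a debug PKG that never went through the lab.
    """
    sig = mastering_lab_sign(payload) if signed else b""
    return MAGIC + struct.pack(">H", len(sig)) + sig + payload


def parse_package(pkg: bytes):
    """Split a container back into (signature, payload)."""
    if len(pkg) < 6 or pkg[:4] != MAGIC:
        raise ValueError("not a TPKG container")
    (sig_len,) = struct.unpack(">H", pkg[4:6])
    return pkg[6:6 + sig_len], pkg[6 + sig_len:]


def install(pkg: bytes, firmware: str) -> str:
    """Retail firmware enforces the signature; debug firmware skips the check."""
    if firmware not in ("retail", "debug"):
        raise ValueError("unknown firmware profile")
    sig, payload = parse_package(pkg)
    if firmware == "retail" and not verify_signature(payload, sig):
        return "rejected: unsigned or tampered package"
    return "installed %d-byte payload" % len(payload)


if __name__ == "__main__":
    game = b"constructed game payload"
    signed_pkg = build_package(game, signed=True)
    debug_pkg = build_package(game, signed=False)
    # Flip one bit of the payload after signing: the signature no longer matches.
    tampered = signed_pkg[:-1] + bytes([signed_pkg[-1] ^ 0x01])
    for name, pkg in (("signed", signed_pkg), ("unsigned", debug_pkg), ("tampered", tampered)):
        for fw in ("retail", "debug"):
            print(f"{name:9s} on {fw:6s}: {install(pkg, fw)}")
```

Note that the verifier needs nothing but MODULUS and PUBLIC_EXP, which is why shipping the public key in every console gives away nothing; the asymmetry only holds while the private exponent stays inside the lab, and a firmware patch that skips the check (the "debug" profile here) removes the protection without touching any key.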
The fact that the Install PKG option now appears on a retail unit gives us a strong indication as to how the new "Jailbreak" works, as that option is almost certainly absent from regular retail firmware. It suggests that elements of the bespoke system updates used on the debug PS3s are being injected into the memory of the retail unit. But how?
There are two potential explanations here. First, whoever is behind this is extremely clever and has found an exploit that allows code to be injected over the USB port. More likely, the USB-based tools Sony uses to test and recover PS3s with corrupt firmware have been leaked and reverse-engineered for more nefarious ends. PlayStation 3s locked into "factory service mode" have been popping up every now and again for years, and the PC-side software that drives the service USB dongle was leaked a while ago.
Now it would appear that the hardware has also been "liberated" from Sony's repair and test labs. This may sound somewhat implausible, but in a world where PS3 Slim photos circulate months before the launch and final units appear in a Philippines marketplace, anything is possible. Besides, the exact same thing happened with the tools used to service the PSP just prior to the PSP-2000 launch in September 2007.
In terms of the make-up of the dongle itself, pictures of its internals posted online show a basic USB device - what looks like an innocuous 48-pin microcontroller on a tiny PCB and not much else. It's quite astonishing that the makers are asking a colossal $130+ for such a tiny piece of tech, and it's almost certain to be reverse-engineered, ripped off and duplicated by the Chinese mass-suppliers within days of hitting the market.
The software side of PSJailbreak is publicly available to download, installs onto a debug PS3 and throws up few surprises. It's an extremely basic tool that copies every single file on a game disc onto the internal HDD or else onto a USB flash drive or hard disk. It does appear that some of the encryption Sony uses on the files is stripped away (the hashes of the copied files differ drastically from those of the originals on disc, which proves the files have been altered, though not on its own what was changed), but the executable still won't run without the USB dongle in place. When a game is selected to run, the machine drops back to the XMB. From here on out we can only speculate, but it's reasonable to assume that the chip then redirects the console's disc access to the storage device holding the ripped game.