PS3 DPA On Lv0ldr.2

zecoxao

Developer
So, since I'm finally losing my patience on the matter of this crappy console being unhackable on specific models, I've decided to ask wildcard to do DPA (Differential Power Analysis) on lv0ldr.2 on an eMMC model for the super slim board PQX-001.

We already have a dump of the system, and now wild is moving on to the hardware side of it. He has a sufficiently good oscilloscope; the big issue here is whether Sony does the same as IBM, which is masking the boot sequence across SPEs. If they do, it'll be really shitty for us to get access to the decrypted lv0ldr.2 with the proper keys.

The good part is that, if we do get access to it, we get a decrypted lv0ldr.2 as a gift and can finally find out whether the TOCTOU was patched without resorting to lv0 (and also time the glitch precisely to get access to every other component of the system), and of course we get the lv0.2 keys, but those are useless.

For the record, the speed at which the sequence runs is 400 MHz, not 3.2 GHz, because it runs on a single SPE. wild's scope (which does 1 GHz) should be able to handle this, since only two channels are required, and they'd be 500 MHz each.
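As an added illustration of the attack class the post is talking about (not code from zecoxao, wildcard or any PS3 project), the following is a minimal correlation power analysis (CPA, the correlation-based form of DPA) against simulated AES first-round traces. Everything is constructed here: the key byte, the position of the leaking sample, and the leakage model (Hamming weight of the S-box output plus Gaussian noise) are assumptions chosen for the demo, and nothing touches lv0ldr or real hardware. It shows the two things a trace attack delivers at once: the key byte and the exact sample offset where the secret-dependent operation happens, which is the same timing information a glitch needs.

```python
"""Correlation power analysis (CPA) against simulated AES-128 first-round traces.

Added illustration only, not code from the thread or from any PS3 tool.
The traces are constructed below: one sample per trace leaks
HW(SBOX[plaintext ^ key_byte]) plus noise, every other sample is noise
around a baseline. Key byte, leak index and leakage model are assumptions.
Pure Python (no numpy) so it runs anywhere.
"""
import random

# Standard AES forward S-box as a 256-byte table.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)
assert len(SBOX) == 256

# Hamming weight of every byte value: the assumed leakage model.
HW = [bin(v).count("1") for v in range(256)]


def simulate_traces(key_byte, n_traces=300, n_samples=16, leak_index=9,
                    noise_sd=1.0, seed=7):
    """Constructed demo data: returns (plaintext_bytes, traces).

    Each trace is a list of n_samples floats. Only sample `leak_index`
    depends on the secret: HW(SBOX[p ^ key_byte]) + noise. The other
    samples are noise around a fixed baseline, standing in for unrelated
    activity on the power rail.
    """
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for p in plaintexts:
        trace = [4.0 + rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        trace[leak_index] = HW[SBOX[p ^ key_byte]] + rng.gauss(0.0, noise_sd)
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences (0.0 if one is constant)."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def cpa_recover_byte(plaintexts, traces):
    """CPA over one key byte.

    For each of the 256 guesses, predict HW(SBOX[p ^ guess]) per trace,
    correlate that prediction against every sample column, and keep the
    (guess, sample index) pair with the largest |correlation|.
    Returns (best_guess, best_sample_index, best_abs_corr).
    """
    n_samples = len(traces[0])
    columns = [[t[i] for t in traces] for i in range(n_samples)]
    best = (None, None, -1.0)
    for guess in range(256):
        hyp = [HW[SBOX[p ^ guess]] for p in plaintexts]
        for i, col in enumerate(columns):
            c = abs(pearson(hyp, col))
            if c > best[2]:
                best = (guess, i, c)
    return best


def demo(key_byte=0x2B, leak_index=9):
    """Simulate traces for an assumed key byte and recover it with CPA."""
    pts, trs = simulate_traces(key_byte, leak_index=leak_index)
    return cpa_recover_byte(pts, trs)


if __name__ == "__main__":
    guess, idx, corr = demo()
    print(f"recovered key byte 0x{guess:02x} at sample {idx} (|r| = {corr:.2f})")
```

The whole key is recovered by repeating `cpa_recover_byte` per byte position with the matching plaintext byte; that is the general algorithm, of which the block shows one byte. If the implementation is masked, as the post worries Sony might do across SPEs, the single secret-dependent sample assumed here does not exist, and a first-order attack like this one shows no clear peak; that is exactly why the masking question decides whether the approach works.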
 
Cool, would he be able to share at least a power trace, or maybe even the traces when decrypting lv0ldr? I have always been curious about the booting/decryption phase for lv0ldr.

You know lv0ldr is per-console encrypted, so getting the keys will only work for that particular model you are attacking.
I wonder if, having older consoles with ("eid") root keys dumped, doing DPA there would lead to the actual keys used to decrypt lv0ldr/metldr, so we can also decrypt for other consoles and maybe even re-encrypt?


Other than that, it might be interesting to know whether Sony SELFs are vulnerable to related-nonce attacks, especially after the 3.56 fix when they started using "really" random nonces: https://eprint.iacr.org/2023/305.pdf

We're still at the "emulating eMMC" stage. If you, Joonie or bguerville want to join, you can ask me via DM, so we'll all be there and do some brainstorming.

Can we do anything about it as users?
Well... maybe as users with hardware flashers?

Hopefully that day comes when PS3HEN and CFW merge together into just CFW. Although that still doesn't make PS3HEN useless if we preserve it.

Don't forget to wish wildcard happy birthday too.