Sony PlayStation 3 Hacked
Jan 31st
I previously heard that the Sony PS3 was hacked so I did a little research about it. If you understand how the geek stuff works, the below will be helpful to you; else, just read it for fun, haha.
George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.
The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.
Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.
The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).
George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.
His approach is clever and is known as a “glitching attack”. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.
George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to set up the RAM to give a higher likelihood of success than it would first appear.
His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.
The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.
The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.
At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.
The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.
It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.
Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.
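The stale-mapping failure in the teardown loop described above, and the read-back check proposed as a fix, as an added toy model in C. This is not the article's code nor anything from the PS3 hypervisor; the HTAB layout, the entry count and the fault model (the glitch drops exactly one write cycle, with caches ignored) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HTAB_ENTRIES 8
#define PTE_VALID    0x1u
#define FREED_BUF    0x1000u  /* constructed physical address of the released buffer */
/* Simulated RAM holding the HTAB; each entry is (valid bit | physical address). */
static uint32_t htab[HTAB_ENTRIES];
/* Fault model: the glitch suppresses exactly one write cycle, the one at index
 * glitch_at (-1 = none); the index stands for whichever write the imprecise pulse hits. */
static void ram_write(size_t idx, uint32_t val, int glitch_at) {
    if ((int)idx == glitch_at) return;  /* the write never reaches DRAM */
    htab[idx] = val;
}
/* The exploit's setup: many duplicate mappings to one kernel-owned buffer. */
static void setup_mappings(void) {
    for (size_t i = 0; i < HTAB_ENTRIES; i++) htab[i] = PTE_VALID | FREED_BUF;
}

/* Mappings still valid after release: any nonzero count is a stale R/W mapping. */
static int stale_mappings(void) {
    int n = 0;
    for (size_t i = 0; i < HTAB_ENTRIES; i++) if (htab[i] & PTE_VALID) n++;
    return n;
}

/* Naive teardown, as the article describes: write each entry and trust the write. */
static int release_naive(int glitch_at) {
    setup_mappings();
    for (size_t i = 0; i < HTAB_ENTRIES; i++) ram_write(i, 0, glitch_at);
    return stale_mappings();
}

/* The article's proposed fix: read each entry back; on a mismatch report the fault
 * (a real hypervisor would halt). Caches are ignored in this model. */
static bool release_verified(int glitch_at) {
    setup_mappings();
    for (size_t i = 0; i < HTAB_ENTRIES; i++) {
        ram_write(i, 0, glitch_at);
        if (htab[i] != 0) return true;  /* mapping survived: stop, do not return */
    }
    return false;
}

int main(void) {
    printf("naive, glitch on write 3: %d stale mapping(s)\n", release_naive(3));
    printf("verified, glitch on write 3: %s\n", release_verified(3) ? "fault detected, halt" : "clean");
    return 0;
}
```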
It will be interesting to see how Sony responds with future updates to prevent this kind of attack.
Source: Nate Lawson @ rdist.root.org
Singapore gets World Cup option?
Jan 29th
With SingTel and StarHub in a deadlock with Fifa over television rights to the 2010 World Cup, a new player has emerged with the ability to give Singaporeans full access to the biggest football extravaganza of the year.
British company Perform Group, a sports and entertainment specialist for digital media, has been closely monitoring the drama that has kept the telephone companies in an impasse with football’s world governing body over a reported $40 million fee.
No progress has been made yet despite the Football Association of Singapore’s approaches to Fifa.
Perform is now interested in making available all the World Cup matches from South Africa to Singapore viewers after Fifa’s sales representatives, Football Media Services, approached the company.
Mr Jason Swanson, Perform’s advertising and sponsorship sales manager in Singapore, told MediaCorp, they have the capability and technology in place, and can put it online – even at the eleventh hour.
The matches, he said, will be shown live on the Internet – which Fifa would not otherwise make available to a country that does not pay the rights for it.
Various packages, said Mr Swanson, would be made available to Singapore viewers.
“It could be a pay-per-view option or a package for all the games,” he said. “What we will do is to set up a site where people could go in and make their choices, whether they want to watch only the England games or all the matches. There are lots of ways we can do it.”
He added that Perform streams about 15,000 matches online every year and is currently delivering the Australian Open.
Last October, the company made history by broadcasting an England match for the first time exclusively on the Internet for £5 ($11) for those who booked early, and £12 for late subscribers.
The pre-World Cup qualifier with Ukraine was watched by 500,000 British viewers, which the company claimed was the largest audience for a pay-per-view sports event online.
Mr Swanson said the World Cup could be made cheaper for Singapore, relative to the England-Ukraine match, as Perform intends to rope in sponsors and advertisers.
He said the potential pool of 2 million viewers here can also expect high quality images of June’s World Cup that can be projected on television and big screens without Internet interruptions.
“When we delivered the England game, there were no issues and there should be none in Singapore because we have the servers and the broadband here is also very good,” he said.
Mr Swanson said providing the World Cup service is something Perform is keen to do.
“When I talk to people on the streets, they are pretty upset they may not get to see the World Cup. They want to watch here and not go across the Causeway,” he said.
“If none of the big players step up for the TV rights, we’ll see what Fifa wants because it would be worth doing it in Singapore.
“They know our capabilities and are familiar with how we deliver sports events online.”
Source: TODAY
Burberry Sales 2010
Jan 25th
British luxury goods brand Burberry will be holding its first-ever sale at Expo! Don’t miss the irresistible discounts on apparel, leather products and accessories for men, women and kids. I wonder if I can find a good wallet there?
Organizer: Burberry (Singapore) Pte Ltd
Date: 04 February 2010 – 07 February 2010
Time: 10.30am to 10pm
Venue: Conference Halls GHJ, Singapore EXPO
Admission: Free Admission
EDIT: I dropped an email to the person in charge to find out if there will be blue/black label available at the sales and the b/m would be her reply.
Dear Jason,
Thank you for your email. We do not have blue and black label as that is exclusive to Japan only. We do not have any other website promoting the sale. It is a sale for season spring/summer 09 and older. Discounts are from 40 percent for more special merchandise and up to 80 percent for older stocks. We accept cash and credit cards.
Key World Cup matches may be telecast on MediaCorp’s channels
Jan 22nd

Football fans in Singapore may get to watch the 2010 FIFA World Cup matches on television after all.
That is because national broadcaster MediaCorp confirmed on Wednesday that it has put in an offer to telecast key World Cup matches on its free-to-air channels.
Earlier reports claimed that should SingTel and StarHub fail in their joint bid to broadcast World Cup matches, Singaporeans could miss out completely on the football action.
But MediaCorp’s bid means football fans here can breathe easier now. The company is currently waiting for FIFA’s response.
MediaCorp said any matches telecast on its free-to-air channels are subject to the company’s successful bid.
The broadcaster understands that there is no specific FIFA ruling for any match to be provided free-of-charge to any broadcaster nor is there a mandate for any match to be aired on a free-to-air basis.
As Singapore’s national broadcaster, it needs to balance between catering to viewers’ needs and the returns from advertising revenues that will fund the telecast of the matches.
The latest development spelt good news for fans.
Said one man in the street: “Half a loaf is better than none, isn’t it?”
Another football fan said: “I think that will be good because if SingTel or StarHub get the bid, we need to pay.”
“Why should we suffer because of some corporate fight, that’s not fair, that’s not really fair, we should be able to watch everything,” said another man in the street.
In 2006, MediaCorp telecast four World Cup matches on its free-to-air channels: the opening, two semi-finals and the final game.
Source: CNA
S’pore Pools to hold 2 Toto draws to usher in 2010 Lunar New Year
Jan 21st

HUAT AH! Anyone going to buy for the below mentioned Toto draws?
Singapore Pools will hold two draws to usher in the 2010 Lunar New Year.
The Reunion Draw with a jackpot prize of S$5 million will be held on Monday, February 15. Ticket sales will close at 9pm that day.
Ticket sales for the Hongbao Draw with a jackpot prize of S$10 million will close on Friday, February 26 at 9pm.
There will be no Toto draw on Thursday, February 25.
Source: CNA
SNSD 1st Asia Concert Bromide Set
Jan 18th
City Harvest Church acquires land for S$310m in central-south Singapore
Jan 18th
OMG, I wonder where CHC gets all their funds from. They are probably the richest religious organisation in Singapore. But since I’m not one who ‘donated’, I don’t really care. Congrats to them in advance!

City Harvest Church has acquired a piece of land in central-south Singapore with the intention of building a 12,000-seater hall at S$310 million, said the church’s senior pastor, Kong Hee. He disclosed the news at a service at the Singapore Expo on Saturday. The exact location of the land will only be made known once the acquisition is complete. City Harvest Church has the largest Christian congregation in Singapore estimated at 27,000.
Source: TOC
Singapore to get Nexus One
Jan 15th

SINGAPORE is one of the first four places in the world where Google’s first ‘own-brand’ mobile phone will be available. Called the Nexus One, the phone was unveiled at a private press-only event at Google’s headquarters in the United States on Tuesday.
The phone is sold only through Google’s very first US web store at google.com/phone and is now available for purchase. Hong Kong and Great Britain are the other two locations where the phone will ship to currently.
This reporter viewed the event via a private live webcast and immediately ordered one for US$577.31 (S$806.65), which comprises US$529 for the device, US$19.99 for the power adapter and US$28.32 for shipping through DHL.
Payment is made by credit card, but users will need to have a Google account.
US users have the option to buy the phone at the regular rate or sign up with US telco T-Mobile for a two-year contract and enjoy a subsidised US$180 price tag. Users outside the US can only order the unsubsidised phone, which will not be SIM-locked, so customers of all three telcos here should be able to simply switch their existing SIM cards to the new phone.
The Nexus One is sold by Google but manufactured by its partner, Taiwan’s HTC. The Nexus One has been touted as the best phone running Android, Google’s mobile operating system, since the first Android phone, the G1, was launched 15 months ago.
Source: ST