PS3: LV0 Man-in-the-Middle Attack Description + Tools, by MikeM64. Full CFW for all PS3s next?

PS3 developer MikeM64 has released a full description of his hardware MITM attack on the PS3, after images of the attack surfaced a few weeks ago. The aim of this exploit is to fully compromise LV0 (the boot loader) on newer PS3 models, ultimately allowing full custom firmware to be installed on the console.

PS3 Exploits – The Current Status

As we mentioned earlier, hacking a PS3 is doable on almost all models and firmware versions these days, although depending on your PS3 hardware you may or may not be able to install a full custom firmware. For most people, the difference between what they can use (PS3HEN) and a full custom firmware is academic, but LV0 remains the holy grail of PS3 hacking. MikeM64 has a great summary:

The PlayStation 3 has a very long homebrew history. When the PS3 was first released, Linux support was built in on day one! People had the option to install any PowerPC based distribution with full kernel support for the various system devices. This enabled all sorts of interesting applications like supercomputing clusters and a cheap PowerPC development box. There was some poking and prodding from Linux at the hypervisor, but no one really bothered to dig too far until OtherOS support was removed from Slim consoles. Following the release of GeoHot’s HTAB exploit, OtherOS was removed from all consoles in 3.21. This was the catalyst that opened the floodgates for full use of the console. I’ve summarized the current status of many exploits released for the PS3 console below:

Exploit                                     | Executes on | Activated in LV1        | Activated in LV2                                        | Remarks
GeoHot HTAB glitch                          | Any?        | R/W arbitrary HV memory | N/A                                                     | FPGA used to disrupt memory address lines.
PSJailbreak dongle                          | 3.41        | N/A                     | Homebrew and piracy in GameOS, OtherOS support restored | Dongles exploit parsing of USB device descriptors to get code execution in LV2.
fail0verflow sigfail                        | <= 3.55     | Custom signed LV1       | Custom signed LV2                                       | Works on all consoles with a minver of <= 3.55.
Post 3.55/sigfail era:
lv0ldr syscon packet TOCTOU – Linux dumping | Any?        | N/A                     | N/A                                                     | The lv0 root keys were released, allowing decryption of all LV0 executables and signing on <= 3.55 minver consoles.
HEN                                         | <= 4.89     | N/A                     | Homebrew and piracy in GameOS                           | No OtherOS support.
lv0ldr syscon packet TOCTOU – HW remix      | Any?        | Custom code in LV1      | Custom code in LV2                                      | Should work on all consoles with HW. That’s today’s topic!

After the release of the sigfail exploit, Sony attempted to re-secure the boot chain by moving all of the loaders into lv0, so that they would have to be dumped or exploited all over again. This was a good stopgap until Juan Nadie and the Three Musketeers dumped lv0ldr, and their exploit and keys were subsequently leaked. Once the LV0 keys were available, it became possible to modify and re-sign all updatable code on older consoles. Consoles manufactured after the sigfail release shipped with new lv0 metadata (lv0.2) that is not vulnerable to the sigfail exploit.

For consoles not vulnerable to sigfail, HEN was released; it chains an exploit in the built-in web browser with an LV2 kernel exploit to enable both homebrew and piracy in GameOS. To date, this does not allow OtherOS or hypervisor modifications.

In other words, to gain complete control over all PS3 models, LV0 hijacking is essential and MikeM64 has achieved that with a bit of hardware and a lot of trial and error.

Exploiting the PS3 LV0 with hardware

The general idea is to reproduce, with hardware, the software vulnerability from the 3.55 era that led to the LV0 key dump (the “3 Musketeers” leak). MikeM64 writes:

The exploit used to dump lv0ldr targets the processing of syscon packets between syscon and the Cell. It was discovered that the code in lv0 managing the reading of syscon packets contained a TOCTOU bug that re-reads the packet header after validation. […]

This problem alone would not normally be enough to exploit lv0ldr. You would need to be able to time memory writes into the MMIO area containing the syscon packet buffer so as to pass the first checksum, and then write a new header to exploit the memcpy of any size. The window of opportunity to exploit this is extremely, extremely small. Fortunately, thanks to the debugging facilities IBM left in the Cell, we can extend this window of time at will. For both normal and isolated SPUs, we can turn on interrupts for all MFC transfers into or out of the SPU. This allows us to halt the execution of lv0ldr on each memory access, trigger the exploit and dump lv0ldr.
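To make the race concrete, here is a constructed C model of the pattern MikeM64 describes. It is an added illustration, not code from MikeM64’s write-up or from the PS3 firmware: the packet layout (magic, length, XOR checksum), the buffer sizes and the access-hook mechanism are hypothetical simplifications. The hook stands in for the MFC-transfer interrupt: the SPU is “halted” on every access to the packet buffer and the MITM gets to rewrite it, so swapping the header between validation and the second read needs no timing luck. The hardened handler beside it transfers the whole packet into local storage once and validates and consumes only that copy.

```c
/* Constructed model of the syscon-packet TOCTOU; layout, checksum and sizes are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN    3                 /* magic, len, csum */
#define MMIO_LEN   (HDR_LEN + 64)
#define PKT_MAGIC  0xA5
#define DST_LEN    16                /* size the handler believes its output buffer has */
#define ADJ_LEN    16                /* bytes that follow the output buffer in memory */
#define BENIGN_LEN 8                 /* payload length of the legitimate packet */
#define RE_READ_ACCESS (HDR_LEN + BENIGN_LEN)  /* access index of the vulnerable re-read of len */

static volatile uint8_t mmio[MMIO_LEN];  /* syscon writes, SPU reads; volatile models MMIO */
static int g_attack_at = -1;             /* access number at which the MITM rewrites mmio */
static int g_access_no;

/* Every SPU read models the MFC-transfer interrupt: execution halts on each access,
 * and on the chosen one the MITM bumps len past dst and fills the packet with 0x41. */
static uint8_t mmio_read(size_t off)
{
    if (g_access_no++ == g_attack_at) {
        mmio[1] = DST_LEN + ADJ_LEN;
        for (size_t i = 0; i < DST_LEN + ADJ_LEN; i++)
            mmio[HDR_LEN + i] = 0x41;
    }
    return mmio[off];
}

/* XOR checksum over magic, len and payload (hypothetical scheme). */
static uint8_t csum_of(const volatile uint8_t *p, uint8_t len)
{
    uint8_t x = p[0] ^ p[1];
    for (size_t i = 0; i < len; i++)
        x ^= p[HDR_LEN + i];
    return x;
}

/* Vulnerable handler: validates the header, then re-reads len for the copy. */
static int handle_vuln(uint8_t *dst, size_t dst_len, size_t *out_len)
{
    uint8_t magic = mmio_read(0);
    uint8_t len   = mmio_read(1);
    uint8_t csum  = mmio_read(2);
    if (magic != PKT_MAGIC || len > dst_len)
        return -1;
    uint8_t x = magic ^ len;
    for (size_t i = 0; i < len; i++)
        x ^= mmio_read(HDR_LEN + i);
    if (x != csum)
        return -1;
    size_t copy_len = mmio_read(1);         /* TOCTOU: unchecked second read of len */
    for (size_t i = 0; i < copy_len; i++)   /* the "memcpy of any size" */
        dst[i] = mmio_read(HDR_LEN + i);
    *out_len = copy_len;
    return 0;
}

/* Hardened handler: one transfer into local store; checks and copy use that snapshot only. */
static int handle_fixed(uint8_t *dst, size_t dst_len, size_t *out_len)
{
    uint8_t local[MMIO_LEN];
    for (size_t i = 0; i < MMIO_LEN; i++)
        local[i] = mmio_read(i);
    uint8_t len = local[1];
    if (local[0] != PKT_MAGIC || len > dst_len || csum_of(local, len) != local[2])
        return -1;
    memcpy(dst, local + HDR_LEN, len);
    *out_len = len;
    return 0;
}

struct result { int rc; size_t out_len; int overflowed; };
/* Load a legitimate 8-byte packet (constructed sample), run one handler with the MITM
 * firing at access attack_at (-1 = none), and report any spill past the DST_LEN buffer. */
static struct result run_scenario(int (*handler)(uint8_t *, size_t, size_t *), int attack_at)
{
    uint8_t mem[DST_LEN + ADJ_LEN] = {0};
    struct result r = {0, 0, 0};
    for (size_t i = 0; i < MMIO_LEN; i++)
        mmio[i] = 0;
    mmio[0] = PKT_MAGIC;
    mmio[1] = BENIGN_LEN;
    for (size_t i = 0; i < BENIGN_LEN; i++)
        mmio[HDR_LEN + i] = (uint8_t)(0x10 + i);
    mmio[2] = csum_of(mmio, BENIGN_LEN);
    g_attack_at = attack_at;
    g_access_no = 0;
    r.rc = handler(mem, DST_LEN, &r.out_len);
    for (size_t i = DST_LEN; i < sizeof mem; i++)
        if (mem[i] != 0)
            r.overflowed = 1;
    return r;
}

int main(void)
{
    struct result v = run_scenario(handle_vuln,  RE_READ_ACCESS);
    struct result f = run_scenario(handle_fixed, RE_READ_ACCESS);
    printf("vulnerable: rc=%d copied=%zu overflowed=%d\n", v.rc, v.out_len, v.overflowed);
    printf("hardened:   rc=%d copied=%zu overflowed=%d\n", f.rc, f.out_len, f.overflowed);
    return 0;
}
```

With the MITM firing on the re-read (access 11 for the 8-byte packet), the vulnerable handler passes the checksum on the honest header and then copies 32 bytes on the forged one, spilling past its 16-byte buffer; the hardened handler sees the mutation only in bytes it never trusts, copies the validated 8 bytes, and rejects a header forged before validation on its length check.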

MikeM64 gives in-depth details on how to perform the hardware hack and provides all the necessary tools for fellow hackers to work on the next steps, including CFW support for all PS3 models. It is now probably only a matter of time before that happens.

The hardware required is “simple” (the skills involved are not): a Teensy 4.0 and an Arty-S7 50 (although MikeM64 states that this could easily be ported to any Arty A-series board), plus the associated generic cables.

You can check the entire description here.