Documente Academic
Documente Profesional
Documente Cultură
We've been collaborating on various embedded and thought expansive projects, the most famous of which that
hit the press earlier this year was the full reconstruction of the $REDACTED allowing $REDACTED to be
completely broken, that was a fun couple of weeks.
2007
2008
2009
2010
2011
t
Mittwoch, 29. Dezember 2010
Wii Xbox 360 PS3
2006
Drivechips
2007
Twiizer Attack
2009 Bannerbomb
Indiana Pwns
Bannerbomb
for 4.2
2010
latest update
broken
2011
t
Mittwoch, 29. Dezember 2010
Wii Xbox 360 PS3
2006
Drive firmware
hacked
Drivechips King Kong Hack
2007
Twiizer Attack
2009 Bannerbomb
JTAG Hack
Indiana Pwns
Bannerbomb
for 4.2
2010
latest update
broken
2011
t
Mittwoch, 29. Dezember 2010
Wii Xbox 360 PS3
2006
Drive firmware
hacked
Drivechips King Kong Hack
2007
Twiizer Attack
OtherOS
RSX exploit
2008 Twilight Hack
Homebrew
Channel
2009 Bannerbomb
JTAG Hack
Indiana Pwns slim w/o Linux
Bannerbomb released
for 4.2 Geohot’s hack
2010 Linux removed
latest update Jailbreak
broken Downgrade
this talk :)
2011
t
Mittwoch, 29. Dezember 2010
Mittwoch, 29. Dezember 2010
device y security hacked for effect
PS2 1999 ? ? piracy -
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
encrypted/signed bootup,encrypted/signed
PS3 2006 executables, hypervisor, eFuses, isolated SPU
4 years
not yet - -
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
pay TV
dbox2 2000 signed kernel 3 months Linux
decoding
Linux
Xbox 2001 encrypted/signed bootup, signed executables 4 months
Homebrew
piracy
Front Row
AppleTV 2007 signed bootloader 2 weeks Linux
piracy
Homebrew,
iPhone 2007 signed/encrypted bootup/executables 11 days
SIM-Lock
piracy
Source: IBM
Source: IBM
lv0ldr
lv0ldr
lv0
lv0ldr
lv0
metldr /
lv1ldr
lv0ldr
lv0
metldr /
lv1ldr
lv1
lv0ldr
lv0
metldr /
lv1ldr
lv1
metldr /
lv2ldr
lv0ldr
lv0
metldr /
lv1ldr
lv1
metldr /
lv2ldr
lv2
✘
OtherOS
Kernel
Hypervisor
HTAB
Kernel
Hypervisor
HTAB
Kernel
Hypervisor
HTAB
Kernel
Hypervisor
HTAB
Kernel
Hypervisor
HTAB
Kernel
HTAB
Hypervisor
HTAB
Kernel
HTAB
Hypervisor
HTAB
HTAB
Hypervisor
HTAB
✘
✘✘OtherOS
Hub
PAYLOAD
CONFIGURATION #2
04 21 B4 2F
04 21 B4 2F
CONFIGURATION #2
TL = 0x2FB4
CONFIGURATION #2
{
ehdr + phdr (again...)
phdr #0 data
#0 data
phdr #1
ELF ...
phdr #N data
{
SELF key
ehdr + phdr (again...)
phdr #0 data
#0 data
phdr #1
ELF ...
phdr #N data
{
SELF key
ehdr + phdr (again...)
phdr #0 data
#0 data
phdr #1
ELF ...
phdr #N data
{
SELF key
AES + SHA-1
ehdr + phdr (again...)
phdr #0 data
#0 data
phdr #1
ELF ...
phdr #N data
{
SELF key
AES + SHA-1
ehdr + phdr (again...)
phdr #0 data
#0 data
phdr #1
ELF ...
phdr #N data
{
SELF key
AES + SHA-1
ehdr + phdr (again...)
phdr #0 data
#0 data
phdr #1
ELF ...
phdr #N data
Q = public key
e = hash of data
R, S = signature,
and these are private:
m = random
k = private key.
Mittwoch, 29. Dezember 2010
A signature is a pair of numbers R, S computed
by the signer as
R = (mG)x
e + kR
S= .
m
m = open(“/dev/random”,”rb”).read(30)
if len(m) != 30:
raise Exception(“Failed to get m”)
m = bytes_to_long(m) % ec_N
r = (m * ec_G).x.tobignum() % ec_N
kk = ((r * k) + e) % ec_N
s = (bn_inv(m, ec_N) * kk) % ec_N
r = long_to_bytes(r, 30)
s = long_to_bytes(s, 30)
return r,s
m = open(“/dev/random”,”rb”).read(30)
if len(m) != 30:
raise Exception(“Failed to get m”)
m = bytes_to_long(m) % ec_N
r = (m * ec_G).x.tobignum() % ec_N
kk = ((r * k) + e) % ec_N
s = (bn_inv(m, ec_N) * kk) % ec_N
r = long_to_bytes(r, 30)
s = long_to_bytes(s, 30)
return r,s
http://fail0verflow.com