Hacking the Playstation Project

Hacking the Playstation Project

Hacking the PlayStation Francisco A. Fortes, L. Jacob Mariscal This project tries to be an approximation to different security tactics adopted by Sony in the history of his home videogames systems and the way this tactics has been violated by hackers/crackers of the underground scene . All this battle has been produced in terms of cryptology protections and decryption/inverse engineering. In competitive world of electronic entertainment, protect the own interests with complex and sophisticated systems is an obligation. With the perspective of a race, we’ll analyse the beginning of this protection systems from first PlayStation hardware and his easy region protection , the first modchips programmable and the next steal mochip who discover when the system tries to find illegal hardware installed. The next jump happen in PlayStation 2 with programmable modchips capable of many functions and two alternatives to crack the security: using exploits who filter data in mistakes of implementation and using a hard-disk to emulate the dvd-rom. Objectively our point of view will analyze how the cryptology must be not only reduced to theory applied to software, being present in design of hardware too. The ethical topics about the hacking won’t be considered, that not means it try to teach how to do illegal actions: It will be only a scientific study about reality, excluding from project the hardware with actual economic interests to Sony: PSP and PlayStation 3 . 1 Introduction Most of people have use an illegal copy of software in his life, and in the final process of piracy are no proofs of the technological battle from his beginning. The life of security in software (also in electronic systems) is short and similar in all cases: design with new cryptology systems by engineers of a company, release of the product and t-time of inviolability and finally crack the system. By now there is no system non-pirated in history of informatics, and videogames systems are not excluded of this curse. The first PlayStation, appeared in Japan in December of 1994, and was the first Sony video system and maybe the first focused to “adults”. His success was incredible, and his violation inevitable. The hacking in PlayStation coincided with the massive use of optical format Compact Disk and the reduction of prices in CD-RW recorders; with all this factors was inevitable the apparition of the underground scene of amateur users with knowledge of engineering and maths, who begins the biggest technological battle against the most rich electronic companies in the world, for all generation of PlayStation and others entertainment systems. The first bullet of this war, a simply chip, created in the cradle of piracy: Hong Kong, in 1996. In the beginning it was a commercial product for people who import games and had enough money to pay his elevated price. But sooner clone and cheapest versions of chip appear, and the hacker Scott Rider, aka Old Crow, published on internet the font code and functions of the chip, and instructions to rebuild it with a microcontroller PIC12C508 of MicroChip Technology. It was curious how Scott Rider’s altruist initiative make lost billions to electronic entertainment world. 1.1 The Regional Protection The most vulnerable point of a system is the boot, and there begins the hacking of PlayStation. The first action executed by this system is read the first sectors of the CD in the reader. The regional data block is a group of 4 bytes where is codified the nationality of the disk. Basically is the hexadecimal representation of SCEE (Sony Computer Entertainment Europe), SCEA (for America) and SCEI (for Asia). If the PlayStation is from one of this region, but this sector contains the code of another, the system doesn’t run and a message of error appear in the TV. At this low level is necessary to violate the system by hardware, leaving software for future restrictions. The first solution for this regional protection was a simply chip (called later multiregion-chip ) connected to the data channel of CD-ROM player. This chip send the 3 regional codes in a loop, one after another, in the start. The PlayStation compare all three codes with the system ROM and accept one, the only valid. This weakness was fixed soon adding new regional codes into the game, and the solution was again new chips more complex. The new chips try to block all this internal regional protections in the boot, because his signal can interfere with the 3 codes signal of the own chip and be identified by the system like trash (This block is not necessary in an original CD- ROM). The regional codes in CD go and disappear in earth spin of the chip, the 5th. Here is an example of all process of the regional codification. This is the information generated by chip in loop: LINE 1: DB 09h A9h 3Dh 2Bh A5h F4h - PSone Asia (NTSC) LINE 2: DB 09h A9h 3Dh 2Bh A5h 74h - PSone Europe (PAL) LINE 3: DB 09h A9h 3Dh 2Bh A5h B4h - PSone America (NTSC) Our European PlayStation needs to run the data: 0x9 0xA9 0x3D 0x2B 0xA5 0x74 This same info in binary system: 1001 10101001 00111101 00101011 10100101 01110100 Expanding the bits in groups and using the first like init and the two last for stopping the sequence: 1 00110101 00 1 00111101 00 1 01011101 00 1 01011101 00 Without init and stop bits, and regroup: 00110101 00111101 01011101 01011101 Computing the inverse of all groups: 10101100 10111100 10111010 10111010 And the NOT operation in individual bits: 01010011 01000011 01000101 01000101 We convert to hexadecimal again: 0x53 0x43 0x45 0x45 The ASCII representation is: S C E E : our needed "Sony Computer Entertainment Europe" 1.2 Anticopy and Steals Chips Because modification of hardware, the first generation of chips were called modchips. But this generation was not useful since 1998, when Sony designed a new protection in his system. This new protection was compatible with first PlayStation models (the SCPH-1000 of 1994) to the actual in ’98, the SCPH-7502. The new protection was the detection, by software, of an independent and active component sending data to the original hardware. The first games with this protection were Final Fantasy VII and Chocobo Racing, created and published by Square Soft in 1999. 1. Normal Modchip diagram Only a few weeks later, three solutions appear to resolve the new anticopy protection. One of them was add a patch in the game before recorded it, erasing all additional protection. Other was include a programmable component in the modchip , which will be explained later, and the third was create a stealth-modchip, who try to be invisible to the software detection, knowing when have to be in silence and when have to work. For example, in the regional protection case, it’s only necessary when the system boot, so after the start the three codes loop must finish to not be detected. Others signal to break protection must work and disappear in different phases of the system, for example, start or finish when the reset button is pressed, when the CD- ROM player is opened, when the system read the memory card, etc. All this things do the stealth-modchip very hard to install, with many soldiering and the necessity of electronic instruments to control different values like voltage. In the firsts stealth- modchips around 4 wires was connected inside the PlayStation. With more complex protection in software was necessary to add 7 and mores wires, which can broke other hardware components. 2. Stealth-Modchip Diagram This soldiering were an inconvenient also because in the next years was implemented a software protection anti-stealth-modchip , first in Namco’s Dino Crisis game. Is important to say that this last protection in first PlayStation was very used in Japan, but not in Europe because the high number of PlayStation modified. There is examples like Silent Hill game from Konami, which appeared with anti-stealth- modchip in his country and without it in occident, because an original copy can’t be executed in modified hardware. And against the anti-stealth-modchip the only solution was programmed the chip for future encryptions. The microcontroller of chips (usually from PIC, FPGA or SX family) began to include an EEPROM memory in the circuit. It happened in the middle of two generations, from PlayStation to PlayStation 2 , but including in the Microsoft Xbox too. From this point, the diversity and complexity of chips grow to new levels. 2. Programable Chips With PlayStation 2, appeared in middle of 1999 in Japan, the war between underground scene and Sony continues with new protections and weapons, again with the hacker Scott Rider in the background. Rider was the first in adapt the old stealth- modchips to the new system programming the code for the EEPROM of first versions. To programme a chip is necessary to extract the information from it, use an oscillator RC and being calibrate many times. The diversity of chips was opened in different families, depending how attack the BIOS (modbios) of system and how were programmed. Usually, the codes into chip attack when PlayStation is vulnerable, for example, when DVD-ROM is reading from disk (this attack is called swapping ). There is a subdivision of the way they broke the security using the BIOS, changing all content in this Basic Input Output System directly and adding also new functions like play DivX video. The information can be replaced by a copy without copyright into the chip’s memory, or patching the BIOS in execution time only with the values the game need to run free of protections.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us