Features that the PS3 advanced from previous generations are the included extra security features. The main ones are listed below.
- Blu-ray Disc encryption
- Harddrive encryption
- Generic data encryption
- Hypervisor
To help with the security, the following hardware are also included inside the Cell:
- Hardware root key
- Hardware decryption routine
- Hardware random number generator
Game data from the Blu-ray disc can have a disc-based encryption on it. The encryption key (128 bit) is hidden inside the disc as a BD-ROM Mark, and requires special Blu-ray reader technology to read it. The disc layered encryption is usually used to encrypt EBOOT.BIN from Blu-ray game discs. After decrypting this disc layer, the result is a file named *.SELF. These *.SELF files are packed NPDRM encrypted data and includes SHA1 hashes. When this layer of encryption is removed, the result is an *.ELF file ready for execution on the PS3. The harddrive is also per PS3 encrypted, so it is not possible to swap drives into another PS3.
Hypervisor
There is a security layer called the Hypervisor running on the PS3 (running at the lowest level: Level 1 or lv1). The Hypervisor (code contained in lvl1.self stored on the encrypted NAND flash chip in early PS3) runs on the PPE and the one reserved SPE with the highest priviledge. The Hypervisor utilizes dedicated hardware on the PPE running in priviledge mode, allowing only itself, for example, to change the read-only status of code memory. There are 256 Hypervisor related System Calls. The GameOS and OtherOS (like linux) runs on Level 2 or higher on top of the hypervisor.
Encrypted code can be secured by having it run on the one reserved SPE (like the secure loader: lv1ldr which decrypts lvl1.self hypervisor code). lv1ldr itself is decrypted following a chain trust to the initial bootloader decrypted using hardware root key and hardware decryption routine built inside the Cell. Practically all the passed data for decryption happens inside Cell registers. The PPE would take the encrypted code (can be analogous to an application file from the decrypted Blu-ray disc, or something from the flash memory) and setup a SPE to go into secured (isolation) mode. In this mode, the hardware decryption routine takes over, grabs the encrypted code, decrypts it using a hardware root key, and puts the decrypted code inside the SPE's local store. Note that an SPE in isolation mode cannot have its whole code and data read or written externally (not even by the PPE that started it up), with the exception of a small area of the local store for communication purposes. The only thing the PPE can do is kill the SPE process (along with the SPE local code and data). The hardware random number generator in the Cell is there so that you can timestamp sessions keyed to a random number to prevent replay attacks.
Almost all of the keys inside the PS3 are public RSA keys for decryption only. With the exception of creating Save Games and general encryption of the harddrive, encryption keys for encrypting games and Blu-ray discs are held in secret by Sony.
Harddrive Layout
The PS3 harddrive (dev_hdd0) layout looks as follows:
○bootflag.dat
○ GameFolderName1
- USRDIR
- EBOOT.BIN
- ICON0.PNG
- PARAM.SFO
- PIC1.PNG
- PS3LOGO.DAT
○ GameFolderName2...
Installed games would have its own folder under the game folder, and EBOOT.BIN from each game's USRDIR would be run to boot the game. Games downloaded from the PlayStation Store are actually one large packaged .pkg file. When you install the .pkg file, it is expanded and the PARAM.SFO file from inside provides information about the game or program. It also provides other information like the name of the directory that is created inside the /game directory of the harddrive for the rest of the .pkg files to be dumped into. The contents hierarchy of the .pkg file would look like the above (residing in its own /game folder of course). There is a limit of 4GB per file on the harddrive (same as on the Blu-ray disc). Game demos (because they are packaged in a .pkg file) cannot exceed 4GB in size. The /data/bootflag.dat most likely tells the PS3 to boot into XMB or the OtherOS (Linux).
Also, there was a contest held by a company a while back, where the company was running the PS3 with Linux on it for two months straight, to see if it could be used as a viable secure server, and the first person to hack into it would win a PS3, no-one managed to do it. (www.pcworld.idg.com.au/article/177124/ps3_withstands_hack_challenge) (2)
But that is a bit weird, a hacking contest held by a company :P
Log in to comment