GeoHot's Twitter, 3 minutes ago...
Yay, got R/O access to 32 bytes of RAM I wasn't supposed to. What uselessness.
Keep this thread on topic, guys... it's for posting geohot's Twitter etc. updates, not for comparing him or the devs here to others. Thanks!
From IRC today:
Wed Sep 9 16:48:26 :
geohot: hey, hows the ref tool working out for you?
cjpc: good - it's still working
OMG, I idled like 5 days in IRC hoping to see something, and today I'm away and geohot came on IRC. I think that CJPC is getting the hang of the tool; shame that geohot can't experiment with it in RL like CJPC. Would be nice. Those 32 bits are a great start, seeing he started hacking last month.
Nah, it wasn't in the public channel... that was just set up for people who whined about not having an IRC channel any more. As usual, nothing ever happens in it, so it may end up being closed again, as only a few people idle there.
On IRC geohot just messages CJPC by using /msg CJPC, but he doesn't stick around to have a detailed conversation most of the time.
This definitely looks promising... Although I personally think the way to go is HDD decryption and re-encryption.
That's Trusted Computing (check Wikipedia), and it seems that the PS3 is the first fully functional Trusted Computing device to be largely distributed to people in general, as it has all the requirements for this type of technology. It's very likely that the PS3 itself is a console developed in a way as to test the security of such new tech, since we all know any console would be under heavy attack by hackers for obvious reasons.
To me (and I'm no expert) it looks like the only two means by which this type of security would be broken are:
1) Find a way to obtain the private and public endorsement keys somehow via hardware manipulation, since the private key would never be obtained through a virtual environment, as it never leaves the chip. I have absolutely no idea if this is even possible at this moment, you know, to read hardware... but eventually, I think it could be done one day.
2) Breach the curtained memory so the encryption keys might be read. This wouldn't get the private endorsement key, but would get the means to communicate and authenticate to it and would open a hole in the chain of trust that could lead not only to the decryption of the HDD but also allow hackers to find ways to spoof remote attestation. This is, I think, the most likely way of doing it in the long run, since it's inevitable that one day programmers will understand how curtained memory works.
So, for now, I think we have to trust the devs work and wait for things to happen.
http://en.wikipedia.org/wiki/Public-key_cryptography) This mechanism ensures that private keys do not need to be present at all on the PS3! Only public keys are enough to decrypt/check stuff (it would be quite helpful to be able to decrypt binaries, for example to try to find some exploit). So no hardware manipulation will help you at all. And these are still protected by the chain of trust...
But then again, as quoted from xorloser's blog by PS3News in this very thread:
August 17, 2009 at 4:35 pm
Correct, lv1.self is the hypervisor. The keys to decrypt it are stored inside lv1ldr, which is a secure loader that runs on the SPU. So to get the lv1 decryption keys you first need the secure loader decryption keys and decrypt lv1ldr. This chain of trust goes back to the initial bootloader that is encrypted using a key stored in the Cell hardware itself. So you find a way around the chain of trust if you want to decrypt the hypervisor.
If you cannot obtain any encryption key in the middle of the way and you don't have access to memory, how else are you supposed to get the keys if not by trying to rip them off the hardware itself? And what do you mean by "no hardware manipulation will help you at all. And these are still protected by chain of trust"?
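A toy model of the stage-by-stage key chain xorloser describes (bootloader under a hardware key, lv1ldr under a key the bootloader carries, lv1 under a key lv1ldr carries), added here as an illustration only; it is not code from the PS3, from xorloser, or from anyone in this thread. The cipher is a constructed stand-in, and the stage names, the per-stage keys derived from them, and the root key value are all assumptions.

```python
import hashlib
import hmac

KEY_LEN = 16

# Toy cipher standing in for the real one: SHA-256 counter-mode keystream XORed
# with the data, plus an HMAC tag so a wrong key or a modified stage is detected.
# Constructed for illustration only; it is not how the PS3 loaders are encrypted.
def _keystream(key: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key, ct, "sha256").digest() + ct

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key or tampered stage")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def build_chain(root_key: bytes, names: list) -> list:
    """Each stage is encrypted under its predecessor's key and carries the key of
    the next stage in its first KEY_LEN bytes: only the root key (in hardware)
    unlocks stage 0, stage 0 unlocks stage 1, and so on. Per-stage keys are
    constructed here by hashing the stage name (assumption, for the demo)."""
    keys = [root_key] + [hashlib.sha256(n.encode()).digest()[:KEY_LEN]
                         for n in names[1:]] + [b"\0" * KEY_LEN]
    return [toy_encrypt(keys[i], keys[i + 1] + f"{n} image".encode())
            for i, n in enumerate(names)]

def boot(key: bytes, chain: list) -> list:
    """Walk the chain from a given key; returns the stage bodies recovered and
    stops at the first stage that fails to authenticate (wrong key or tampered)."""
    bodies = []
    for blob in chain:
        try:
            plain = toy_decrypt(key, blob)
        except ValueError:
            break
        key, body = plain[:KEY_LEN], plain[KEY_LEN:]
        bodies.append(body.decode())
    return bodies
```

Walking the chain with the root key recovers every stage; a wrong root key recovers nothing, and a modified lv1ldr blob stops the walk there even though the bootloader stage still authenticates.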