0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1272 Thanks! 1 00:00:19,440 --> 00:00:21,659 Worldview owns an X 2 00:00:21,660 --> 00:00:24,179 box. Please raise your hands. 3 00:00:24,180 --> 00:00:25,229 X box. Yeah. 4 00:00:25,230 --> 00:00:27,439 One, two, three. 5 00:00:27,440 --> 00:00:28,469 Okay. 6 00:00:28,470 --> 00:00:29,470 Who are PlayStation? 7 00:00:32,049 --> 00:00:33,049 I call that even 8 00:00:35,380 --> 00:00:36,669 computers don't count. 9 00:00:36,670 --> 00:00:38,109 They run open source software. 10 00:00:38,110 --> 00:00:40,059 So forget about that. 11 00:00:40,060 --> 00:00:42,189 Our next speaker, Boehner's 12 00:00:42,190 --> 00:00:44,379 Loving will tell you a little 13 00:00:44,380 --> 00:00:46,959 bit more about hacking Sony PlayStation 14 00:00:46,960 --> 00:00:48,129 Blu ray drives. 15 00:00:48,130 --> 00:00:49,779 Please welcome with the very warm 16 00:00:49,780 --> 00:00:51,310 applause voice. 17 00:00:55,740 --> 00:00:56,740 Hello, everyone. 18 00:00:59,030 --> 00:01:00,079 So let's start. 19 00:01:01,280 --> 00:01:02,509 My name is Boris Laurean. 20 00:01:02,510 --> 00:01:04,699 I'm security shot at Kaspersky and 21 00:01:04,700 --> 00:01:06,679 at work I'm doing the hearing. 22 00:01:06,680 --> 00:01:08,659 Currently, my main focus is to find your 23 00:01:08,660 --> 00:01:10,819 days exported in about and 24 00:01:10,820 --> 00:01:13,219 I helped report a few of them. 25 00:01:13,220 --> 00:01:15,559 I was only used in attacks by a group of 26 00:01:15,560 --> 00:01:17,749 criminals and national state doctors. 27 00:01:17,750 --> 00:01:19,789 I'm also an original discoverer of a few 28 00:01:19,790 --> 00:01:21,379 large supply chain attacks. 
29 00:01:21,380 --> 00:01:22,749 Maybe you heard about our research 30 00:01:22,750 --> 00:01:24,199 operations and the Hammer. 31 00:01:24,200 --> 00:01:26,089 It was released earlier this year. 32 00:01:26,090 --> 00:01:27,609 What some people might also know me. 33 00:01:27,610 --> 00:01:29,909 I saw I was active in PlayStation 34 00:01:29,910 --> 00:01:31,999 3 Homebrew Development Community since 35 00:01:32,000 --> 00:01:34,279 2011, and back then 36 00:01:34,280 --> 00:01:36,159 I was mostly known for my work on screen 37 00:01:36,160 --> 00:01:37,979 there and protected PlayStation 3 custom 38 00:01:37,980 --> 00:01:39,679 to various developed in possession, 39 00:01:39,680 --> 00:01:41,259 treat, debugging tools and etc.. 40 00:01:42,380 --> 00:01:44,059 And today I'm going to talk about my two 41 00:01:44,060 --> 00:01:45,989 favorite subjects, which are Virginia 42 00:01:45,990 --> 00:01:47,929 consoles and hiking. 43 00:01:47,930 --> 00:01:49,579 So in this presentation, I'm going to 44 00:01:49,580 --> 00:01:51,829 talk about the examples of Sony 45 00:01:51,830 --> 00:01:54,199 PlayStation 3 and Sony PlayStation. 46 00:01:54,200 --> 00:01:56,359 So games, they're distributed to optical 47 00:01:56,360 --> 00:01:58,189 media. So that's why I drive. 48 00:01:58,190 --> 00:02:00,559 She contains the best security possible. 49 00:02:00,560 --> 00:02:02,149 But it also makes it a very interesting 50 00:02:02,150 --> 00:02:04,009 subject for security research. 51 00:02:04,010 --> 00:02:05,749 And in this orientation, I'm going to 52 00:02:05,750 --> 00:02:07,549 discuss a process of obtaining and 53 00:02:07,550 --> 00:02:09,379 reverse engineering is often where I will 54 00:02:09,380 --> 00:02:10,929 provide in-depth analysis. 55 00:02:10,930 --> 00:02:13,009 I knew this and the exploitation to 56 00:02:13,010 --> 00:02:14,629 achieve code execution on the multiple 57 00:02:14,630 --> 00:02:17,149 models of Sony PlayStation users. 
58 00:02:17,150 --> 00:02:19,189 And I will talk about scooch features to 59 00:02:19,190 --> 00:02:20,190 the presence of. 60 00:02:22,210 --> 00:02:24,349 But before continues my talk, I need to 61 00:02:24,350 --> 00:02:26,439 give the following disclaimer, first of 62 00:02:26,440 --> 00:02:28,359 all, this research doesn't have nothing 63 00:02:28,360 --> 00:02:30,669 to do with my employer, and this 64 00:02:30,670 --> 00:02:32,769 research is done purely of curiosity 65 00:02:32,770 --> 00:02:34,529 and presented for educational proposals. 66 00:02:35,800 --> 00:02:37,329 This is just done anyhow. 67 00:02:37,330 --> 00:02:39,439 Help, support, enable or endorse the 68 00:02:39,440 --> 00:02:41,019 biggest corporate law. 69 00:02:41,020 --> 00:02:43,029 I would talking about spiritual duties. 70 00:02:43,030 --> 00:02:45,129 But as far as I'm aware, they do 71 00:02:45,130 --> 00:02:46,939 not lead to full compromised security 72 00:02:46,940 --> 00:02:49,169 here and it's not possible to use them. 73 00:02:49,170 --> 00:02:51,269 This Canadian copy protection and there's 74 00:02:51,270 --> 00:02:52,720 a reason why I'm even talking about it. 75 00:02:54,730 --> 00:02:57,199 So probably all of you are quite familiar 76 00:02:57,200 --> 00:02:59,259 with that would be right. These kids 77 00:02:59,260 --> 00:03:00,999 are so uneasy. They did extremely well 78 00:03:01,000 --> 00:03:02,439 this PlayStation 2. 79 00:03:02,440 --> 00:03:04,479 It was a very first game console, too, 80 00:03:04,480 --> 00:03:06,399 that supported the DVDs. 81 00:03:06,400 --> 00:03:08,559 And people were buying it to watch 82 00:03:08,560 --> 00:03:10,149 movies and Sony. 83 00:03:10,150 --> 00:03:12,069 They wanted to repeat success is in the 84 00:03:12,070 --> 00:03:14,559 next game console, PlayStation 3. 
85 00:03:14,560 --> 00:03:16,419 And it's really easy to the sense that 86 00:03:16,420 --> 00:03:18,729 just by looking at timeline of events 87 00:03:18,730 --> 00:03:20,979 like specifications when finalized 88 00:03:20,980 --> 00:03:22,719 and the first commercial Blu ray drives, 89 00:03:22,720 --> 00:03:24,549 they were released just 10 months prior 90 00:03:24,550 --> 00:03:26,739 to release of PlayStation 3 and 91 00:03:26,740 --> 00:03:28,389 actually Sony succeeded. 92 00:03:28,390 --> 00:03:30,639 Now, even as most users of abilities 93 00:03:32,170 --> 00:03:34,449 and actually physical format abilities 94 00:03:34,450 --> 00:03:36,399 is very well documented in white papers 95 00:03:36,400 --> 00:03:38,629 and patents, those documents 96 00:03:38,630 --> 00:03:40,779 reveal what types of discs 97 00:03:40,780 --> 00:03:43,119 persist in the houses, 98 00:03:43,120 --> 00:03:45,159 what areas are present on disks and 99 00:03:45,160 --> 00:03:46,839 houses. Areas are different from each 100 00:03:46,840 --> 00:03:48,789 other and what structures are stored 101 00:03:48,790 --> 00:03:50,919 there. So if you're really interested 102 00:03:50,920 --> 00:03:52,929 in the subject, I recommend you to read 103 00:03:52,930 --> 00:03:53,930 these documents. 104 00:03:54,580 --> 00:03:56,709 But these documents, they do not reveal 105 00:03:56,710 --> 00:03:58,659 one simple thing how PlayStation 106 00:03:58,660 --> 00:04:00,159 Discovery fight. 107 00:04:00,160 --> 00:04:02,349 And it's kind of interesting question and 108 00:04:02,350 --> 00:04:04,539 I was always wondering about that. 109 00:04:04,540 --> 00:04:06,729 So my initial thought was that maybe 110 00:04:06,730 --> 00:04:08,409 driving away may reveal some details 111 00:04:08,410 --> 00:04:09,410 about that. 
112 00:04:10,760 --> 00:04:13,109 So let's talk about it is great, 113 00:04:13,110 --> 00:04:15,199 Blair drives PlayStation and there 114 00:04:15,200 --> 00:04:17,268 have been a lot of them, if you 115 00:04:17,269 --> 00:04:18,979 will, on back PlayStation streaming worry 116 00:04:18,980 --> 00:04:21,078 update. You will find the 117 00:04:21,079 --> 00:04:22,909 twelve different few various four 118 00:04:22,910 --> 00:04:25,129 different drive models, which is a really 119 00:04:25,130 --> 00:04:26,389 huge number. 120 00:04:26,390 --> 00:04:28,579 And you can see the first ever 121 00:04:28,580 --> 00:04:31,099 are Eusebio was the first ever 122 00:04:31,100 --> 00:04:33,379 Blu ray drive for PlayStation 3 123 00:04:33,380 --> 00:04:35,479 design. It is quite complicated, but the 124 00:04:35,480 --> 00:04:37,579 mine microcontroller microcontroller is 125 00:04:37,580 --> 00:04:38,580 produced by Sony 126 00:04:39,990 --> 00:04:41,059 and the well. 127 00:04:41,060 --> 00:04:43,549 After some time Sony decided to simplify 128 00:04:43,550 --> 00:04:45,899 design of CB and they switched to 129 00:04:45,900 --> 00:04:47,519 try and hold off on those accompanying 130 00:04:47,520 --> 00:04:48,649 green. 131 00:04:48,650 --> 00:04:51,049 And you can see CB of the first 132 00:04:51,050 --> 00:04:54,439 Blu ray drive Visa 3 SAS microcontroller. 133 00:04:54,440 --> 00:04:56,389 And after that, Sony decided to switch 134 00:04:56,390 --> 00:04:58,679 between Sony microcontroller and insert 135 00:04:58,680 --> 00:05:00,919 in SAS microcontroller for each new drive 136 00:05:00,920 --> 00:05:01,819 model. 137 00:05:01,820 --> 00:05:03,199 Well, I actually don't know what they 138 00:05:03,200 --> 00:05:05,689 were thinking, but maybe they wanted 139 00:05:05,690 --> 00:05:07,849 to diversify the platform to make 140 00:05:07,850 --> 00:05:08,850 cracking much more harder. 
141 00:05:10,310 --> 00:05:12,139 And the Sony wasn't was much more 142 00:05:12,140 --> 00:05:14,299 consistent. Big rate rise for possession 143 00:05:14,300 --> 00:05:16,639 for if you will, unpack PlayStation 144 00:05:16,640 --> 00:05:17,859 4. You write about it. 145 00:05:17,860 --> 00:05:19,999 You'll find few words for six different 146 00:05:20,000 --> 00:05:21,259 drug models. 147 00:05:21,260 --> 00:05:23,089 And all of them were based on 148 00:05:23,090 --> 00:05:25,189 reinforcement getting older and only 149 00:05:25,190 --> 00:05:27,499 recently. The ZO was also 150 00:05:27,500 --> 00:05:29,389 a new addition to this family. 151 00:05:29,390 --> 00:05:30,660 It was I mean that I can control that. 152 00:05:32,390 --> 00:05:34,459 So as you see, a renaissance is the most 153 00:05:34,460 --> 00:05:36,499 common cheap for Blu ray drives across 154 00:05:36,500 --> 00:05:38,269 PlayStation 3 and PlayStation 4. 155 00:05:38,270 --> 00:05:40,039 And that's why it's a mind subject of 156 00:05:40,040 --> 00:05:41,040 this talk. 157 00:05:41,840 --> 00:05:43,909 So first of all, how did they get if you 158 00:05:43,910 --> 00:05:45,859 were in the first place, actually. 159 00:05:45,860 --> 00:05:48,409 This technique came out from Xbox 360 160 00:05:48,410 --> 00:05:50,719 and you can see a very famous picture 161 00:05:50,720 --> 00:05:52,949 of concussive hack for its books, 162 00:05:52,950 --> 00:05:55,039 360 Drive that was developed by a 163 00:05:55,040 --> 00:05:57,439 quite talented researcher, Jeremy. 164 00:05:57,440 --> 00:05:59,359 And does this hack it abuse the fact that 165 00:05:59,360 --> 00:06:01,599 quite often, often very stored on 166 00:06:01,600 --> 00:06:03,699 a flagship that is a separate day inside 167 00:06:03,700 --> 00:06:05,059 a package. 168 00:06:05,060 --> 00:06:07,279 And this way, it's much more easier 169 00:06:07,280 --> 00:06:10,099 for manufacturer to produce such chips. 
170 00:06:10,100 --> 00:06:11,869 But at the same time, it also makes it 171 00:06:11,870 --> 00:06:13,939 somehow easier to refresh contents with 172 00:06:13,940 --> 00:06:14,979 external tools. 173 00:06:14,980 --> 00:06:16,519 If you are able to, you could say package 174 00:06:17,810 --> 00:06:20,029 and he can see the latest package 175 00:06:20,030 --> 00:06:21,469 of reassessment controller for 176 00:06:21,470 --> 00:06:22,969 PlayStation 3 Drive. 177 00:06:22,970 --> 00:06:25,119 You can see that flash ship is also 178 00:06:25,120 --> 00:06:27,469 zipper die and it's located on the top 179 00:06:27,470 --> 00:06:28,940 of my chip. 180 00:06:29,960 --> 00:06:32,389 So how are you able to 181 00:06:32,390 --> 00:06:33,620 dump you? Very using it. 182 00:06:34,940 --> 00:06:36,679 So first you need to calculate your 183 00:06:36,680 --> 00:06:39,529 package that can be done with acid. 184 00:06:39,530 --> 00:06:41,209 Then you got band virus, for example, 185 00:06:41,210 --> 00:06:43,439 with laser and then you need to rebound 186 00:06:43,440 --> 00:06:45,619 this virus to custom. 187 00:06:45,620 --> 00:06:47,939 PCV, for example, is special 188 00:06:47,940 --> 00:06:50,059 or our binding machine or is 189 00:06:50,060 --> 00:06:52,129 she paint and then you are able 190 00:06:52,130 --> 00:06:53,209 to read flash contents 191 00:06:54,260 --> 00:06:56,239 and actually all the steps. 192 00:06:56,240 --> 00:06:57,829 They were done by me. 193 00:06:57,830 --> 00:06:59,689 They were done by more experienced 194 00:06:59,690 --> 00:07:01,399 researcher who had much more experience 195 00:07:01,400 --> 00:07:02,389 with this kind of stuff. 196 00:07:02,390 --> 00:07:04,489 And he also did a quite similar 197 00:07:04,490 --> 00:07:06,829 things with the most 360 drive. 
198 00:07:06,830 --> 00:07:08,779 But it was a quite fun, friendly 199 00:07:08,780 --> 00:07:10,819 researcher because he shared his dump 200 00:07:10,820 --> 00:07:12,299 with me and the visa. 201 00:07:12,300 --> 00:07:14,159 Few other researchers from our community 202 00:07:14,160 --> 00:07:15,799 you just for your charge. 203 00:07:15,800 --> 00:07:17,479 And the only thing that was needed to 204 00:07:17,480 --> 00:07:19,399 start the Russian engineering was to find 205 00:07:19,400 --> 00:07:22,039 out what architecture it's composed for. 206 00:07:22,040 --> 00:07:23,809 And I checked website offerings. 207 00:07:23,810 --> 00:07:26,059 US C got a really huge list 208 00:07:26,060 --> 00:07:28,129 of different fingerprint holders 209 00:07:28,130 --> 00:07:30,349 and luckily there was also 210 00:07:30,350 --> 00:07:32,779 some documents on this website 211 00:07:32,780 --> 00:07:35,859 that revealed that microcontrollers 212 00:07:35,860 --> 00:07:38,319 for Blu ray drives and digital drives 213 00:07:38,320 --> 00:07:40,459 produce bearings. US are actually based 214 00:07:40,460 --> 00:07:42,889 on H it s architecture 215 00:07:42,890 --> 00:07:44,749 and quite luckily this architecture is 216 00:07:44,750 --> 00:07:46,309 supported by the broad. 217 00:07:46,310 --> 00:07:48,559 So it was really easy to start 218 00:07:48,560 --> 00:07:49,899 engineering. 219 00:07:49,900 --> 00:07:51,829 And here is a few more words about risk 220 00:07:51,830 --> 00:07:52,849 detection. 221 00:07:52,850 --> 00:07:55,099 It's a nice risk like mutation, but 222 00:07:55,100 --> 00:07:57,469 it reminds me 686 a little. 223 00:07:57,470 --> 00:07:59,149 It's really easy to quiz. 224 00:08:00,720 --> 00:08:02,399 You can get three different compilers 225 00:08:02,400 --> 00:08:04,639 food and 226 00:08:04,640 --> 00:08:06,829 one it's fun. 
Thing is that each of them 227 00:08:06,830 --> 00:08:08,929 uses different condition and there 228 00:08:08,930 --> 00:08:10,759 is even differences in kind condition 229 00:08:10,760 --> 00:08:13,009 between different versions of Q, 230 00:08:13,010 --> 00:08:14,809 which is official compiler for this 231 00:08:14,810 --> 00:08:16,910 architecture. It sold Barings House 232 00:08:18,590 --> 00:08:20,509 and sold the to Ross Engineering. 233 00:08:20,510 --> 00:08:22,459 And I knew to mention that it was a quite 234 00:08:22,460 --> 00:08:24,889 challenging task because FUBAR eats 235 00:08:24,890 --> 00:08:27,169 a really large in size almost 236 00:08:27,170 --> 00:08:29,509 two gigabytes and there are only 40 237 00:08:29,510 --> 00:08:31,699 strings for the whole 238 00:08:31,700 --> 00:08:32,700 amount of data. 239 00:08:33,590 --> 00:08:35,509 And in case you are wondering how the 240 00:08:35,510 --> 00:08:37,609 developers were able to debug as 241 00:08:37,610 --> 00:08:39,079 if you were in this case. 242 00:08:39,080 --> 00:08:41,449 Well, lotteries crunch that exists, 243 00:08:41,450 --> 00:08:43,899 but it only takes an idea 244 00:08:43,900 --> 00:08:45,139 as an argument. 245 00:08:45,140 --> 00:08:47,929 And then these ideas are converted 246 00:08:47,930 --> 00:08:49,219 to strings inside. 247 00:08:49,220 --> 00:08:51,349 Special software developer has 248 00:08:51,350 --> 00:08:53,299 most likely it was done to sway due to 249 00:08:53,300 --> 00:08:54,589 size constraints. 250 00:08:54,590 --> 00:08:56,899 So basically not its extra 251 00:08:56,900 --> 00:08:59,389 space and flash to stores with strings. 252 00:08:59,390 --> 00:09:00,949 But maybe they were thinking about 253 00:09:00,950 --> 00:09:03,169 security, but it 254 00:09:03,170 --> 00:09:04,429 complicates U.S. engineering 255 00:09:05,630 --> 00:09:07,879 and the first things that will want 256 00:09:07,880 --> 00:09:10,539 to do in such cases when you start to. 
257 00:09:10,540 --> 00:09:12,649 Engineer And some you think there is 258 00:09:12,650 --> 00:09:14,569 that you want to download as much stuff 259 00:09:14,570 --> 00:09:16,339 as you can. From outside the hardline 260 00:09:16,340 --> 00:09:18,199 manufacturer, you want to get source 261 00:09:18,200 --> 00:09:20,259 quotes, you want to get libraries, 262 00:09:20,260 --> 00:09:22,369 you want to get compilers and you 263 00:09:22,370 --> 00:09:24,199 need all of that to make the process of 264 00:09:24,200 --> 00:09:26,059 reverse engineering much, much easier. 265 00:09:26,060 --> 00:09:28,459 Like you might want to get generate 266 00:09:28,460 --> 00:09:30,529 15 inches for the pro and you 267 00:09:30,530 --> 00:09:32,749 also need definitions, 268 00:09:32,750 --> 00:09:34,909 structures or different hardware 269 00:09:34,910 --> 00:09:35,910 registers 270 00:09:36,980 --> 00:09:39,109 and rings us is they provide a really 271 00:09:39,110 --> 00:09:41,309 huge stuff, really huge 272 00:09:41,310 --> 00:09:42,889 list of stuff and a load. 273 00:09:42,890 --> 00:09:45,289 But essentially any DVD Blu 274 00:09:45,290 --> 00:09:46,729 ray related stuff is not available 275 00:09:46,730 --> 00:09:48,799 publicly and it's really complicated 276 00:09:48,800 --> 00:09:49,999 the whole project. 277 00:09:50,000 --> 00:09:52,129 I had to reverse engineer all of it 278 00:09:52,130 --> 00:09:54,469 and research also provides 279 00:09:54,470 --> 00:09:56,149 dozens of different yields in person 280 00:09:56,150 --> 00:09:57,079 system. 281 00:09:57,080 --> 00:09:59,119 So some are available to no load. 282 00:09:59,120 --> 00:10:00,409 You can get them. 283 00:10:00,410 --> 00:10:02,299 And also official compilers are available 284 00:10:02,300 --> 00:10:04,779 for download so you can get a compilers 285 00:10:04,780 --> 00:10:07,269 that was likely used to compile. 286 00:10:07,270 --> 00:10:08,270 We are going to analyze. 
287 00:10:10,000 --> 00:10:11,919 And when I was looking through the files 288 00:10:11,920 --> 00:10:13,989 of CU compiler, I was not able to 289 00:10:13,990 --> 00:10:16,359 find new sources of libraries 290 00:10:16,360 --> 00:10:18,279 because it appeared that all of them are 291 00:10:18,280 --> 00:10:20,559 stored inside special packages 292 00:10:20,560 --> 00:10:22,719 and only necessary files unpacked 293 00:10:22,720 --> 00:10:23,720 during compilation. 294 00:10:25,160 --> 00:10:27,159 But what I did was just I found out where 295 00:10:27,160 --> 00:10:28,749 this algorithms like like it. 296 00:10:28,750 --> 00:10:30,909 And I wrote my own intuit to unpack all 297 00:10:30,910 --> 00:10:31,910 these files. 298 00:10:32,950 --> 00:10:35,199 And I was not able to find any useful 299 00:10:35,200 --> 00:10:36,789 information about hardware there. 300 00:10:36,790 --> 00:10:39,419 But it was possible to generate 301 00:10:39,420 --> 00:10:41,529 a profit extinguishers and 302 00:10:41,530 --> 00:10:43,829 the manual just functions that we used by 303 00:10:43,830 --> 00:10:45,969 VAR offset that I got and it 304 00:10:45,970 --> 00:10:47,200 was a really useful finding. 305 00:10:48,880 --> 00:10:50,529 And the next step that I would usually do 306 00:10:50,530 --> 00:10:52,959 when analyzing and using where is that? 307 00:10:52,960 --> 00:10:55,199 I try and find out functions of real time 308 00:10:55,200 --> 00:10:56,409 purchases. 309 00:10:56,410 --> 00:10:57,639 It's a really important thing to do 310 00:10:57,640 --> 00:10:59,949 because control flow and that 311 00:10:59,950 --> 00:11:01,809 it might be passed between different 312 00:11:01,810 --> 00:11:04,209 tasks that are running at the same time. 313 00:11:04,210 --> 00:11:05,849 And you really need to follow that doing 314 00:11:05,850 --> 00:11:07,149 serious engineering. 
315 00:11:07,150 --> 00:11:09,579 So I got many real time machine systems 316 00:11:09,580 --> 00:11:11,799 from which site offering insights and all 317 00:11:11,800 --> 00:11:13,689 of them were kinda similar but still had 318 00:11:13,690 --> 00:11:14,889 some differences. 319 00:11:14,890 --> 00:11:16,959 And in most of the cases they 320 00:11:16,960 --> 00:11:18,579 were written in assembly for different 321 00:11:18,580 --> 00:11:19,839 architectures. 322 00:11:19,840 --> 00:11:22,269 So in the end, nothing 323 00:11:22,270 --> 00:11:24,489 really closely matched our real 324 00:11:24,490 --> 00:11:26,439 time purchase systems that was used in 325 00:11:26,440 --> 00:11:27,849 PlayStation 3. 326 00:11:27,850 --> 00:11:30,159 So in the end it was not useful. 327 00:11:30,160 --> 00:11:31,689 But the best thing about reverse 328 00:11:31,690 --> 00:11:33,759 engineering was developed by 329 00:11:33,760 --> 00:11:35,799 a Japanese company is that it most likely 330 00:11:35,800 --> 00:11:37,779 will fall Meeker Industrial Trans Pacific 331 00:11:37,780 --> 00:11:39,909 Ocean. And does this specification needs 332 00:11:39,910 --> 00:11:42,279 a real lifesaver because it defines 333 00:11:42,280 --> 00:11:43,479 the name of the functions of their 334 00:11:43,480 --> 00:11:44,979 arguments and etc. 335 00:11:44,980 --> 00:11:47,139 There are more than 300 pages 336 00:11:47,140 --> 00:11:49,389 and it simplifies serious engineering 337 00:11:49,390 --> 00:11:51,519 a lot and 338 00:11:51,520 --> 00:11:53,709 the next subs will usually do that. 339 00:11:53,710 --> 00:11:55,719 I try to understand how I can communicate 340 00:11:55,720 --> 00:11:57,799 is my target and what logic I 341 00:11:57,800 --> 00:11:59,949 am able to interact with and 342 00:11:59,950 --> 00:12:01,179 blu ray disk drive. 
343 00:12:01,180 --> 00:12:03,549 It communicates through a protocol 344 00:12:03,550 --> 00:12:05,649 and here provide the key right here of BD 345 00:12:05,650 --> 00:12:06,819 protocols. 346 00:12:06,820 --> 00:12:08,419 So it's a button. We have PS control 347 00:12:08,420 --> 00:12:09,399 phases. 348 00:12:09,400 --> 00:12:10,539 We have better. 349 00:12:10,540 --> 00:12:12,569 That was previously known as just at 350 00:12:12,570 --> 00:12:13,709 totally e.g. 351 00:12:13,710 --> 00:12:16,329 it's a obsolete version of this protocol. 352 00:12:16,330 --> 00:12:18,699 And then we also have a setup. 353 00:12:18,700 --> 00:12:20,969 And on top of that we have two distinct 354 00:12:20,970 --> 00:12:22,029 mindsets. 355 00:12:22,030 --> 00:12:23,919 We have 88 common set. 356 00:12:23,920 --> 00:12:26,439 It's used for hard disk drives 357 00:12:26,440 --> 00:12:28,629 and we have attacked a common set. 358 00:12:28,630 --> 00:12:29,799 It's used in. 359 00:12:29,800 --> 00:12:31,209 In our cases. 360 00:12:31,210 --> 00:12:33,029 And basically it's just a transport for a 361 00:12:33,030 --> 00:12:34,030 CSA comments. 362 00:12:35,170 --> 00:12:37,279 And you are different devices. 363 00:12:37,280 --> 00:12:39,639 They may have different income assets 364 00:12:39,640 --> 00:12:41,739 because we have a primary common set, 365 00:12:41,740 --> 00:12:43,809 which is common for devices. 366 00:12:43,810 --> 00:12:45,319 And then we have device specific common 367 00:12:45,320 --> 00:12:46,539 sets. 368 00:12:46,540 --> 00:12:48,669 And for optical these drives, we even 369 00:12:48,670 --> 00:12:50,859 have two competing specifications. 
370 00:12:50,860 --> 00:12:52,929 And you need to be aware that when 371 00:12:52,930 --> 00:12:54,720 you reverse engineering such maneuvers 372 00:12:56,440 --> 00:12:58,359 so primary command set, it implements 373 00:12:58,360 --> 00:13:00,519 query command and we provide some basic 374 00:13:00,520 --> 00:13:02,949 information about about hardware 375 00:13:02,950 --> 00:13:05,259 like name of the vendor name 376 00:13:05,260 --> 00:13:07,119 name of the product. 377 00:13:07,120 --> 00:13:08,319 It's basically what you're going to see 378 00:13:08,320 --> 00:13:10,689 if you connect such device to a computer. 379 00:13:10,690 --> 00:13:12,549 So what you do, you just look for such 380 00:13:12,550 --> 00:13:14,679 string things inside freeware 381 00:13:14,680 --> 00:13:16,419 and you will find a handler or CSA 382 00:13:16,420 --> 00:13:18,519 comments and then you're good to go from 383 00:13:18,520 --> 00:13:18,969 there. 384 00:13:18,970 --> 00:13:21,149 You just get specification and address 385 00:13:21,150 --> 00:13:22,749 and hear some commands. 386 00:13:22,750 --> 00:13:23,830 That looks interesting for you. 387 00:13:25,030 --> 00:13:26,829 So basically this is a roadmap that I'm 388 00:13:26,830 --> 00:13:28,989 usually try to follow when reverse 389 00:13:28,990 --> 00:13:31,089 engineering some using where and it 390 00:13:31,090 --> 00:13:32,299 will be also awesome. 391 00:13:32,300 --> 00:13:34,089 If we had a wait template of where 392 00:13:34,090 --> 00:13:37,299 because this way we can analyze 393 00:13:37,300 --> 00:13:39,339 it much more better and also getting good 394 00:13:39,340 --> 00:13:41,649 discussion will be nice because we can 395 00:13:41,650 --> 00:13:44,169 actually do some experiments and 396 00:13:44,170 --> 00:13:47,049 it also helps to analyze hardware 397 00:13:47,050 --> 00:13:49,299 and software and 398 00:13:49,300 --> 00:13:50,349 GDP. 
399 00:13:50,350 --> 00:13:52,809 It actually provides and simulator 400 00:13:52,810 --> 00:13:55,179 for this lecture so you can compile 401 00:13:55,180 --> 00:13:57,729 it converting where to the error file 402 00:13:57,730 --> 00:13:58,839 and then you're good to go. 403 00:13:58,840 --> 00:14:01,089 You can debug some snippets of code, 404 00:14:01,090 --> 00:14:03,309 but I actually like using either raw 405 00:14:03,310 --> 00:14:05,379 as debugging UI, but it has some flaws 406 00:14:05,380 --> 00:14:06,380 of course. 407 00:14:07,090 --> 00:14:09,489 So first of all, GDP debug a plugin 408 00:14:09,490 --> 00:14:11,589 that comes with either its 409 00:14:11,590 --> 00:14:13,729 closed source and recently 410 00:14:13,730 --> 00:14:15,759 fixed rates improved it a lot, but back 411 00:14:15,760 --> 00:14:17,139 then it was quite buggy. 412 00:14:17,140 --> 00:14:18,129 And the support it. 413 00:14:18,130 --> 00:14:19,299 Only a few targets. 414 00:14:19,300 --> 00:14:21,519 And of course this texture was not 415 00:14:21,520 --> 00:14:22,719 in the least. 416 00:14:22,720 --> 00:14:24,849 So at some point I decided to write my 417 00:14:24,850 --> 00:14:26,979 own GDP debug plugin to 418 00:14:26,980 --> 00:14:28,179 work reside abroad. 419 00:14:28,180 --> 00:14:30,759 And actually it was a quite good decision 420 00:14:30,760 --> 00:14:32,379 because it didn't take too much time to 421 00:14:32,380 --> 00:14:34,599 make, but it saved a lot of time 422 00:14:34,600 --> 00:14:36,369 while debugging these freeware and some 423 00:14:36,370 --> 00:14:37,569 other just works. 424 00:14:37,570 --> 00:14:39,819 For example, GDP support for X 425 00:14:39,820 --> 00:14:41,979 6 of what I get was added on the in 426 00:14:41,980 --> 00:14:44,319 either pro six point nine and it was not 427 00:14:44,320 --> 00:14:45,320 that long ago. 
428 00:14:45,970 --> 00:14:47,589 And here's just a screenshot controlled 429 00:14:47,590 --> 00:14:49,809 from how it looks like I leave it just 430 00:14:49,810 --> 00:14:50,810 for the reference. 431 00:14:52,010 --> 00:14:54,259 So actually, while I was a revision 432 00:14:54,260 --> 00:14:56,209 reverse engineering way of PlayStation, I 433 00:14:56,210 --> 00:14:58,729 was reverse engineering multiple ways 434 00:14:58,730 --> 00:15:01,339 because it appeared that there exist 435 00:15:01,340 --> 00:15:04,099 some redress for C 436 00:15:04,100 --> 00:15:06,439 that had the incorrect encoder produced 437 00:15:06,440 --> 00:15:08,539 by Renaissance and they were 438 00:15:08,540 --> 00:15:11,329 produced by Hitachi LG Data Storage 439 00:15:11,330 --> 00:15:12,729 and you can get not encrypted. 440 00:15:12,730 --> 00:15:15,409 You vary from very updated feature 441 00:15:15,410 --> 00:15:18,229 and I compare this to various. 442 00:15:18,230 --> 00:15:20,399 It's clear that the receiving variant 443 00:15:20,400 --> 00:15:22,939 station few hours are very different, 444 00:15:22,940 --> 00:15:25,669 but the beauty using the same is the key. 445 00:15:25,670 --> 00:15:27,769 I can tell that because many blu 446 00:15:27,770 --> 00:15:29,389 ray hardware related functions as the 447 00:15:29,390 --> 00:15:31,549 same are all peripheral 448 00:15:31,550 --> 00:15:34,699 devices are likely to the same addresses 449 00:15:34,700 --> 00:15:36,829 and assessed exactly the 450 00:15:36,830 --> 00:15:38,959 same and very uses 451 00:15:38,960 --> 00:15:41,039 the same pretty graphic processor 452 00:15:41,040 --> 00:15:43,249 NPC for variables continually to 453 00:15:43,250 --> 00:15:44,269 more debug strings. 454 00:15:44,270 --> 00:15:47,179 It kinda reveals the name of 455 00:15:47,180 --> 00:15:49,339 this green SAS platform for blue 456 00:15:49,340 --> 00:15:50,419 registers. 457 00:15:50,420 --> 00:15:52,129 It's called Indigo 3 internally. 
458 00:15:55,110 --> 00:15:56,769 So at previous slide, I mentioned the 459 00:15:56,770 --> 00:15:58,239 cryptographic processor. 460 00:15:58,240 --> 00:16:00,329 So when I began to reverse engineer in 461 00:16:00,330 --> 00:16:02,369 favor of PlayStation, I found out that a 462 00:16:02,370 --> 00:16:04,589 really huge part of it is occupied bucket 463 00:16:04,590 --> 00:16:06,729 related functions and that this 464 00:16:06,730 --> 00:16:08,819 script related functions, they are used 465 00:16:08,820 --> 00:16:11,129 for communication with dedicated 466 00:16:11,130 --> 00:16:12,989 cryptographic processor and it's 467 00:16:12,990 --> 00:16:14,789 effectively protects all the secrets. 468 00:16:14,790 --> 00:16:16,849 So you can but you are not able 469 00:16:16,850 --> 00:16:18,939 to just dump in the regressions. 470 00:16:18,940 --> 00:16:19,940 Knew all of it. 471 00:16:21,350 --> 00:16:22,950 You are correct. Process protects it 472 00:16:24,060 --> 00:16:26,009 and the communication process is really 473 00:16:26,010 --> 00:16:27,899 complicated and obscure here. 474 00:16:27,900 --> 00:16:29,759 Provide some graphs of such crypto 475 00:16:29,760 --> 00:16:31,349 related functions. 476 00:16:31,350 --> 00:16:33,509 And actually for me it's much 477 00:16:33,510 --> 00:16:35,329 more easier to reverse. 478 00:16:35,330 --> 00:16:37,709 A lot of them obfuscated binary Chema 479 00:16:37,710 --> 00:16:39,299 understand logic of such functions 480 00:16:41,070 --> 00:16:43,319 and here provide a small snippet of one 481 00:16:43,320 --> 00:16:45,629 of such functions and 482 00:16:45,630 --> 00:16:47,489 it's clear that cryptographic processor 483 00:16:47,490 --> 00:16:49,709 ran some kind of you where and you are 484 00:16:49,710 --> 00:16:51,419 able to add additional models and 485 00:16:51,420 --> 00:16:52,420 additional keys. 
486 00:16:53,620 --> 00:16:56,249 And what I wanted to do, I just wanted
487 00:16:56,250 --> 00:16:57,959 to play with this little processor.
488 00:16:57,960 --> 00:16:59,939 I just wanted to try to change some of
489 00:16:59,940 --> 00:17:02,009 these values to see what happens.
490 00:17:02,010 --> 00:17:04,259 But you need code execution for that.
491 00:17:04,260 --> 00:17:06,358 And now it comes time to talk about
492 00:17:06,359 --> 00:17:09,149 code execution and how it was achieved.
493 00:17:09,150 --> 00:17:10,139 So early this year
494 00:17:10,140 --> 00:17:12,209 I gave a presentation at CanSecWest
495 00:17:12,210 --> 00:17:14,419 titled "Can the Control the Virus to
496 00:17:14,420 --> 00:17:16,368 his Be?" You can find more details by the
497 00:17:16,369 --> 00:17:17,679 following.
498 00:17:17,680 --> 00:17:20,009 But in that research I examined how
499 00:17:20,010 --> 00:17:21,959 awesome is the SCSI protocol for
500 00:17:21,960 --> 00:17:23,199 exploitation.
501 00:17:23,200 --> 00:17:24,889 And I believe that is a separate code.
502 00:17:24,890 --> 00:17:26,909 Maybe even more so, but it's less common
503 00:17:26,910 --> 00:17:27,910 for sure.
504 00:17:28,260 --> 00:17:30,059 So how does it work?
505 00:17:30,060 --> 00:17:31,739 A client sends a command descriptor
506 00:17:31,740 --> 00:17:33,899 block to the device. I
507 00:17:33,900 --> 00:17:36,269 will call it just "the command", and
508 00:17:36,270 --> 00:17:38,459 such commands, usually a device supports
509 00:17:38,460 --> 00:17:40,649 a lot of them, and they can
510 00:17:40,650 --> 00:17:42,909 be used to transfer data from and into the
511 00:17:42,910 --> 00:17:44,219 device.
512 00:17:44,220 --> 00:17:46,469 And the device
513 00:17:46,470 --> 00:17:49,439 also provides the status of the command
514 00:17:49,440 --> 00:17:50,869 and also provides a record.
515 00:17:51,900 --> 00:17:53,039 And quite often
516 00:17:54,420 --> 00:17:56,399 such commands, they have such parameters
517 00:17:56,400 --> 00:17:59,009 as sizes of data and some
518 00:17:59,010 --> 00:18:00,929 logical block addresses.
519 00:18:00,930 --> 00:18:03,359 So all this makes this protocol a perfect
520 00:18:03,360 --> 00:18:04,360 target for fuzzing,
521 00:18:05,430 --> 00:18:06,430 I believe.
522 00:18:07,260 --> 00:18:09,449 But I actually found my vulnerabilities
523 00:18:09,450 --> 00:18:10,450 through static analysis,
524 00:18:11,910 --> 00:18:14,309 so it seems that the firmware itself was developed
525 00:18:14,310 --> 00:18:15,750 by some third party company,
526 00:18:16,860 --> 00:18:18,989 and then when it was ready it was handed
527 00:18:18,990 --> 00:18:20,939 to Sony to add console specific stuff.
528 00:18:22,050 --> 00:18:24,309 And I can tell that because all general-
529 00:18:24,310 --> 00:18:26,039 purpose SCSI commands, they are looking
530 00:18:26,040 --> 00:18:28,149 quite fine, but the commands
531 00:18:28,150 --> 00:18:29,639 implemented by Sony,
532 00:18:29,640 --> 00:18:31,589 they don't seem to have boundary checks,
533 00:18:34,230 --> 00:18:36,249 like one of those examples. A vulnerable
534 00:18:36,250 --> 00:18:39,169 command has operation code E1,
535 00:18:39,170 --> 00:18:40,619 and this is the command that is used
536 00:18:40,620 --> 00:18:42,359 for authentication of Blu-ray drive and video
537 00:18:42,360 --> 00:18:43,319 game console.
538 00:18:43,320 --> 00:18:45,539 So the main target of it is to implement
539 00:18:45,540 --> 00:18:47,839 security, but it has
540 00:18:47,840 --> 00:18:49,979 an out-of-bounds write, because transfer
541 00:18:49,980 --> 00:18:50,980 length is not checked.
542 00:18:52,350 --> 00:18:54,409 So we are able to write past this
543 00:18:54,410 --> 00:18:57,149 buffer that is located somewhere
544 00:18:57,150 --> 00:18:58,739 over here. But to what memory does it
545 00:18:58,740 --> 00:18:59,740 belong?
546 00:19:00,180 --> 00:19:02,309 So to find out this answer,
547 00:19:02,310 --> 00:19:04,079 let's take a look at the memory map that I
548 00:19:04,080 --> 00:19:06,269 was able to come up with while reverse
549 00:19:06,270 --> 00:19:07,359 engineering the
550 00:19:07,360 --> 00:19:09,089 firmware of PlayStation.
551 00:19:09,090 --> 00:19:11,339 So at first we have ROM memory.
552 00:19:11,340 --> 00:19:13,159 We have the ROM bootloader.
553 00:19:13,160 --> 00:19:15,779 We have flash with the main firmware,
554 00:19:15,780 --> 00:19:17,159 then we have RAM memory.
555 00:19:17,160 --> 00:19:19,349 We have SRAM and DRAM, and
556 00:19:19,350 --> 00:19:21,389 it's clear that the data that we are able
557 00:19:21,390 --> 00:19:23,489 to write, it belongs to DRAM.
558 00:19:23,490 --> 00:19:25,979 And we also have registers of peripheral
559 00:19:25,980 --> 00:19:26,980 devices.
560 00:19:28,350 --> 00:19:29,949 So let's start with SRAM.
561 00:19:29,950 --> 00:19:31,999 It's a static random access memory.
562 00:19:32,000 --> 00:19:34,079 It's small in size, it's executable,
563 00:19:34,080 --> 00:19:36,589 but it's configurable, and it contains the
564 00:19:36,590 --> 00:19:37,709 interrupt vector table.
565 00:19:37,710 --> 00:19:40,079 It contains code of a real time operating
566 00:19:40,080 --> 00:19:42,089 system. It contains some important
567 00:17:42,090 --> 00:19:44,219 variables, pointers, structures, and
568 00:19:44,220 --> 00:19:46,680 it also contains stacks of tasks.
569 00:19:48,240 --> 00:19:50,269 And we also have the DRAM, which is dynamic
570 00:19:50,270 --> 00:19:51,539 random access memory.
571 00:19:51,540 --> 00:19:52,649 It's large in size.
572 00:19:52,650 --> 00:19:55,049 Eight megabytes to be precise,
573 00:19:55,050 --> 00:19:57,209 and initially the exact memory location was
574 00:19:57,210 --> 00:19:59,339 unknown, because most of the time it's
575 00:19:59,340 --> 00:20:01,799 accessed through DMA registers,
576 00:20:01,800 --> 00:20:03,689 and it contains data from disc.
577 00:20:03,690 --> 00:20:06,359 It contains data from the SCSI client,
578 00:20:06,360 --> 00:20:08,349 and it also contains data that does not
579 00:20:08,350 --> 00:20:10,569 fit to SRAM, because SRAM is
580 00:20:10,570 --> 00:20:13,169 really small and firmware is really huge.
581 00:20:13,170 --> 00:20:15,059 It needs a lot of space to store its
582 00:20:15,060 --> 00:20:17,249 variables, so why not store them
583 00:20:17,250 --> 00:20:18,250 in DRAM?
584 00:20:18,990 --> 00:20:21,389 And actually one of such
585 00:20:21,390 --> 00:20:23,579 regions is used only for that, to
586 00:20:23,580 --> 00:20:25,589 store variables that do not fit to
587 00:20:25,590 --> 00:20:26,669 SRAM.
588 00:20:26,670 --> 00:20:28,859 And I also found out about the existence of
589 00:20:28,860 --> 00:20:29,759 this region.
590 00:20:29,760 --> 00:20:31,619 It's actually unused in PlayStation firmware,
591 00:20:31,620 --> 00:20:33,999 but I found out that it exists from the
592 00:20:34,000 --> 00:20:36,509 firmware of the Hitachi-LG Data Storage
593 00:20:36,510 --> 00:20:37,510 drive.
594 00:20:38,370 --> 00:20:40,709 So we are able to write some
595 00:20:40,710 --> 00:20:43,359 data that is located inside this buffer,
596 00:20:43,360 --> 00:20:44,360 how to exploit it?
597 00:20:45,780 --> 00:20:47,609 And well, exploitation turned out to be
598 00:20:47,610 --> 00:20:50,279 very difficult, because all variables,
599 00:20:50,280 --> 00:20:52,439 they are located at static addresses,
600 00:20:52,440 --> 00:20:54,279 and the heap exploitation techniques,
601 00:20:54,280 --> 00:20:55,899 they're not working there.
602 00:20:55,900 --> 00:20:57,429 And at first you need to find a very
603 00:20:57,430 --> 00:20:59,169 good exploitation primitive, and you
604 00:20:59,170 --> 00:21:01,569 might need to write a lot of
605 00:21:01,570 --> 00:21:03,669 different data
606 00:21:03,670 --> 00:21:05,679 before reaching this primitive, and you need
607 00:21:05,680 --> 00:21:07,839 to do that without crashing the drive.
608 00:21:07,840 --> 00:21:09,339 And I need to mention that debugging is
609 00:21:09,340 --> 00:21:11,289 complicated. We are not able to debug it
610 00:21:11,290 --> 00:21:12,789 on real hardware.
611 00:21:12,790 --> 00:21:14,859 So we need to understand
612 00:21:14,860 --> 00:21:16,290 really large portions of firmware.
613 00:21:17,380 --> 00:21:19,359 So in the end, I ended up reverse
614 00:21:19,360 --> 00:21:21,879 engineering all functions that touch
615 00:21:21,880 --> 00:21:24,089 data in this region, and
616 00:21:24,090 --> 00:21:25,929 there are no function pointers.
617 00:21:25,930 --> 00:21:27,969 So there are no good candidates for the
618 00:21:27,970 --> 00:21:30,219 write. Zero buffers,
619 00:21:30,220 --> 00:21:32,709 structures, variables, pointers
620 00:21:32,710 --> 00:21:34,509 exist, but there are not too many of
621 00:21:34,510 --> 00:21:36,739 them. But eventually I was able to find
622 00:21:36,740 --> 00:21:38,889 a good exploitation primitive
623 00:21:38,890 --> 00:21:40,339 and I started to write the exploit.
624 00:21:41,350 --> 00:21:43,779 But actually I was never...
625 00:21:43,780 --> 00:21:46,149 I never finished this exploit, because
626 00:21:46,150 --> 00:21:48,219 while writing it, I was able to find a
627 00:21:48,220 --> 00:21:49,599 new source of vulnerabilities.
628 00:21:51,860 --> 00:21:55,309 So peripheral registers are very interesting.
629 00:21:55,310 --> 00:21:57,139 They're responsible for most of the
630 00:21:57,140 --> 00:21:59,239 drive related functionality, like
631 00:21:59,240 --> 00:22:01,479 ATAPI interface, laser servo,
632 00:22:01,480 --> 00:22:03,319 data demodulation,
633 00:22:03,320 --> 00:22:05,509 DSP firmware loading and etc.
634 00:22:05,510 --> 00:22:07,309 It would be so nice if we had access to
635 00:22:07,310 --> 00:22:08,310 it.
636 00:22:08,840 --> 00:22:11,479 And actually we do. Like, the whole area
637 00:22:11,480 --> 00:22:13,699 of the peripheral region is available
638 00:22:13,700 --> 00:22:15,889 for reading and writing through special SCSI
639 00:22:15,890 --> 00:22:16,819 commands.
640 00:22:16,820 --> 00:22:18,979 And SCSI commands exist for doing
641 00:22:18,980 --> 00:22:21,139 just that, and which
642 00:22:21,140 --> 00:22:23,709 are they? It's actually
643 00:22:23,710 --> 00:22:25,699 READ BUFFER and WRITE BUFFER commands
644 00:22:25,700 --> 00:22:27,019 with special parameters.
645 00:22:28,670 --> 00:22:30,829 And it seems that these functions
646 00:22:30,830 --> 00:22:32,509 are part of some diagnostic functionality
647 00:22:32,510 --> 00:22:34,639 there, because exactly the same functions are
648 00:22:34,640 --> 00:22:36,879 also available in the
649 00:22:36,880 --> 00:22:38,329 Hitachi-LG Data Storage firmware.
650 00:22:40,600 --> 00:22:43,149 So do you remember when I said that DRAM
651 00:22:43,150 --> 00:22:45,729 is accessed mostly through DMA?
652 00:22:45,730 --> 00:22:48,039 Several registers available in this
653 00:22:48,040 --> 00:22:51,039 area are responsible for
654 00:22:51,040 --> 00:22:53,109 copying data from and into
655 00:22:53,110 --> 00:22:55,269 DRAM, and mapping DRAM offsets to
656 00:22:55,270 --> 00:22:56,500 some memory addresses.
657 00:22:58,570 --> 00:23:01,269 So it appeared that these regions
658 00:23:01,270 --> 00:23:03,729 that are used to store
659 00:23:03,730 --> 00:23:06,189 firmware data, they are actually mapped
660 00:23:06,190 --> 00:23:08,689 using these registers available
661 00:23:08,690 --> 00:23:09,690 in this region.
662 00:23:10,480 --> 00:23:12,269 And we have access to some of these
663 00:23:12,270 --> 00:23:13,270 segments.
664 00:23:14,380 --> 00:23:16,839 So here I explain how does it work.
665 00:23:16,840 --> 00:23:18,939 We have four groups of memory
666 00:23:18,940 --> 00:23:21,129 mapping registers, and the two
667 00:23:21,130 --> 00:23:23,289 groups are set like shown on
668 00:23:23,290 --> 00:23:25,809 this picture on the slide, and
669 00:23:25,810 --> 00:23:27,359 do not interest us as much, because they're
670 00:23:27,360 --> 00:23:29,629 set frequently by different functions,
671 00:23:29,630 --> 00:23:31,519 set by different functions
672 00:23:31,520 --> 00:23:33,249 with different values.
673 00:23:33,250 --> 00:23:36,459 But these two are initialized
674 00:23:36,460 --> 00:23:38,579 earlier during start up, and they're
675 00:23:38,580 --> 00:23:40,839 set to these specific values and not
676 00:23:40,840 --> 00:23:41,840 touched after that.
677 00:23:42,640 --> 00:23:45,159 And each group of these registers,
678 00:23:45,160 --> 00:23:47,259 they map a specific amount of
679 00:23:47,260 --> 00:23:49,299 data from the DRAM offset to some
680 00:23:49,300 --> 00:23:50,340 predefined memory address.
681 00:23:51,370 --> 00:23:54,069 And you also can see to which
682 00:23:54,070 --> 00:23:56,140 memory addresses which offsets are mapped.
683 00:23:57,240 --> 00:24:00,219 In terms of offsets, calculated as:
684 00:24:00,220 --> 00:24:02,619 value of a region
685 00:24:02,620 --> 00:24:04,839 register, it's multiplied by four
686 00:24:04,840 --> 00:24:06,759 thousand in hex.
687 00:24:06,760 --> 00:24:09,459 And then this value is added to either the
688 00:24:09,460 --> 00:24:11,569 first half or second half of
689 00:24:11,570 --> 00:24:13,689 DRAM, depending on the bit
690 00:24:13,690 --> 00:24:14,690 that is set.
691 00:24:16,050 --> 00:24:17,009 But that's not all.
692 00:24:17,010 --> 00:24:19,439 We have special dedicated registers
693 00:24:19,440 --> 00:24:21,989 that allow us to read and write a
694 00:24:21,990 --> 00:24:25,099 double word to any offset of DRAM,
695 00:24:25,100 --> 00:24:27,329 and here I provide pseudocode for doing
696 00:24:27,330 --> 00:24:28,330 just that.
697 00:24:30,900 --> 00:24:33,059 So we have access to DMA registers
698 00:24:33,060 --> 00:24:35,069 with SCSI commands.
699 00:24:35,070 --> 00:24:36,749 Are we able to manipulate contents of the
700 00:24:36,750 --> 00:24:38,609 DRAM? There are multiple ways of
701 00:24:38,610 --> 00:24:39,959 achieving this.
702 00:24:39,960 --> 00:24:41,680 For example, we are able to remap
703 00:24:43,220 --> 00:24:45,079 this special region to some other
704 00:24:45,080 --> 00:24:47,529 DRAM offset, and we can
705 00:24:47,530 --> 00:24:49,709 write. We can use
706 00:24:49,710 --> 00:24:52,169 our exploit to write some data that
707 00:24:52,170 --> 00:24:54,389 will be not reachable otherwise, but
708 00:24:54,390 --> 00:24:56,489 it may lead to different behavior.
709 00:24:56,490 --> 00:24:58,439 And I need to mention again that
710 00:24:58,440 --> 00:25:00,929 debugging is really complicated,
711 00:25:00,930 --> 00:25:02,549 and we are also able to use the DMA
712 00:25:02,550 --> 00:25:05,369 registers to write our data directly.
713 00:25:05,370 --> 00:25:07,919 But actually it's not true, because
714 00:25:07,920 --> 00:25:09,789 these registers, they are in use by
715 00:25:09,790 --> 00:25:10,949 firmware.
716 00:25:10,950 --> 00:25:13,139 And if we try to do something,
717 00:25:13,140 --> 00:25:15,299 it will lead to different behavior as
718 00:25:15,300 --> 00:25:16,300 well.
719 00:25:16,590 --> 00:25:18,449 But still, I was believing that I may
720 00:25:18,450 --> 00:25:20,639 exploit that, and I only needed
721 00:25:20,640 --> 00:25:22,770 a way to test my ideas on the hardware.
722 00:25:23,970 --> 00:25:26,009 And there are two ways of doing that.
723 00:25:27,060 --> 00:25:29,129 First of all, you are able to jailbreak
724 00:25:29,130 --> 00:25:30,239 your console.
725 00:25:30,240 --> 00:25:31,949 You can install Linux on it,
726 00:25:31,950 --> 00:25:34,169 thanks to fail0verflow, and you can
727 00:25:34,170 --> 00:25:35,119 communicate with the Blu-ray
728 00:25:35,120 --> 00:25:36,069 drive.
729 00:25:36,070 --> 00:25:37,379 Another option: you can disconnect
730 00:25:37,380 --> 00:25:38,729 your Blu-ray drive from the console and
731 00:25:38,730 --> 00:25:39,989 connect it to a PC.
732 00:25:39,990 --> 00:25:41,789 And I decided to go with the second route,
733 00:25:41,790 --> 00:25:43,889 because it's much more convenient, and
734 00:25:43,890 --> 00:25:45,959 luckily it was possible to buy a
735 00:25:45,960 --> 00:25:47,279 ready solution for
736 00:25:47,280 --> 00:25:48,280 doing just that.
737 00:25:49,770 --> 00:25:51,739 I actually wanted to test my ideas on
738 00:25:51,740 --> 00:25:53,819 the PlayStation 4 drive, because the PlayStation
739 00:25:53,820 --> 00:25:55,739 3 drive and PlayStation 4 drive, their
740 00:25:55,740 --> 00:25:57,689 firmwares are the same, they are just using
741 00:25:57,690 --> 00:25:59,539 different FFC connectors.
742 00:26:00,870 --> 00:26:02,969 But the difference is not
743 00:26:02,970 --> 00:26:05,129 that big,
744 00:26:05,130 --> 00:26:07,499 because I was able to modify the FFC
745 00:26:07,500 --> 00:26:10,349 cable of PlayStation 4 with scissors
746 00:26:10,350 --> 00:26:12,959 and it worked with the public solution for
747 00:26:12,960 --> 00:26:14,309 the PS3 drive.
748 00:26:14,310 --> 00:26:16,859 So this is basically how my supposed
749 00:26:16,860 --> 00:26:18,509 hacking setup looks like.
750 00:26:18,510 --> 00:26:19,819 And it's the drive of
751 00:26:19,820 --> 00:26:20,820 PlayStation 4 firmware.
752 00:26:22,290 --> 00:26:24,389 So the first thing that I did was to dump
753 00:26:24,390 --> 00:26:26,459 the whole peripheral region, and
754 00:26:26,460 --> 00:26:27,679 it was quite a surprise,
755 00:26:27,680 --> 00:26:28,680 but
756 00:26:29,970 --> 00:26:32,039 the address of my region and the value of the
757 00:26:32,040 --> 00:26:34,649 DMA registers I was interested in were zeros.
758 00:26:34,650 --> 00:26:36,509 And it could indicate only one of two
759 00:26:36,510 --> 00:26:38,709 things. It's either that in
760 00:26:38,710 --> 00:26:40,809 my model,
761 00:26:40,810 --> 00:26:42,539 hardware revision that I've got,
762 00:26:42,540 --> 00:26:44,669 DMA registers are not present at
763 00:26:44,670 --> 00:26:47,459 all, or they are just unused.
764 00:26:47,460 --> 00:26:49,379 And so they were just unused.
765 00:26:49,380 --> 00:26:51,939 So in newer models, Sony
766 00:26:51,940 --> 00:26:54,019 simply stopped to use
767 00:26:54,020 --> 00:26:56,369 the DMA to access DRAM.
768 00:26:56,370 --> 00:26:58,709 They started to use absolute
769 00:26:58,710 --> 00:27:00,779 memory addresses, and it grants
770 00:27:00,780 --> 00:27:02,889 us a full
771 00:27:02,890 --> 00:27:05,859 read and write access to the whole DRAM.
772 00:27:05,860 --> 00:27:06,860 Yeah.
773 00:27:07,140 --> 00:27:09,509 So, doing cool stuff with full access
774 00:27:09,510 --> 00:27:11,609 to DRAM. Usually DRAM
775 00:27:11,610 --> 00:27:13,469 is full of disc data.
776 00:27:13,470 --> 00:27:15,599 But when a disc is not inserted,
777 00:27:15,600 --> 00:27:17,699 there is a lot of free space, and
778 00:27:17,700 --> 00:27:19,929 this space is used to store firm-
779 00:27:19,930 --> 00:27:21,989 ware during the system update, and the
780 00:27:21,990 --> 00:27:24,479 procedure of Blu-ray drive firmware update
781 00:27:24,480 --> 00:27:26,399 for PS3 is well documented.
782 00:27:26,400 --> 00:27:27,479 You can find it on
783 00:27:27,480 --> 00:27:29,719 Wikia, and this procedure is
784 00:27:29,720 --> 00:27:31,619 exactly the same between PlayStation 3
785 00:27:31,620 --> 00:27:32,620 and PlayStation 4.
786 00:27:33,750 --> 00:27:36,569 But here I try to explain how it,
787 00:27:36,570 --> 00:27:38,639 how it looks like from the side of the Blu-
788 00:27:38,640 --> 00:27:39,759 ray drive.
789 00:27:39,760 --> 00:27:41,789 So at first, blocks of firmware are
790 00:27:41,790 --> 00:27:44,909 received with the WRITE BUFFER command.
791 00:27:44,910 --> 00:27:47,429 And the firmware checks
792 00:27:47,430 --> 00:27:48,989 if it's the first block.
793 00:27:48,990 --> 00:27:51,119 If it's the case, then it
794 00:27:51,120 --> 00:27:53,579 will initialize a special structure,
795 00:27:53,580 --> 00:27:56,669 and it will store this block to DRAM,
796 00:27:56,670 --> 00:27:57,809 and then it checks
797 00:27:57,810 --> 00:27:59,400 if all the blocks are received.
798 00:28:00,570 --> 00:28:02,639 If all blocks are received, then
799 00:28:02,640 --> 00:28:04,949 it will try to validate its hash.
800 00:28:04,950 --> 00:28:07,259 And if the hash is correct, it will start
801 00:28:07,260 --> 00:28:08,849 to decrypt the firmware.
802 00:28:08,850 --> 00:28:10,919 But this process of decrypting the
803 00:28:10,920 --> 00:28:13,499 firmware, it might take some time,
804 00:28:13,500 --> 00:28:15,779 and how this logic was intended
805 00:28:15,780 --> 00:28:18,119 to work is: the video game console
806 00:28:18,120 --> 00:28:20,879 should send this special READ BUFFER command
807 00:28:20,880 --> 00:28:22,679 to check if the firmware is already
808 00:28:22,680 --> 00:28:24,839 decrypted, and there is a special
809 00:28:24,840 --> 00:28:26,219 logic inside that checks.
810 00:28:26,220 --> 00:28:28,349 If it was decrypted, then it will
811 00:28:28,350 --> 00:28:30,449 copy the firmware update code
812 00:28:30,450 --> 00:28:33,149 to SRAM and execute it.
813 00:28:33,150 --> 00:28:34,439 So do you see a problem here?
814 00:28:38,500 --> 00:28:40,329 Well, basically, it's a time of check,
815 00:28:40,330 --> 00:28:42,700 time of use vulnerability, because
816 00:28:44,860 --> 00:28:47,139 when it starts to decrypt the firmware,
817 00:28:47,140 --> 00:28:48,639 what are we able to do?
818 00:28:48,640 --> 00:28:50,489 We are able just to send firmware to the
819 00:28:50,490 --> 00:28:51,519 Blu-ray drive,
820 00:28:51,520 --> 00:28:53,769 wait until it's decrypted.
821 00:28:53,770 --> 00:28:55,749 And when it's decrypted, we are able
822 00:28:55,750 --> 00:28:57,849 to use our DMA trick
823 00:28:57,850 --> 00:28:59,559 to just dump the whole DRAM.
824 00:29:00,670 --> 00:29:02,809 And we also are able to modify the firmware
825 00:29:02,810 --> 00:29:05,319 image after validation.
826 00:29:05,320 --> 00:29:07,989 And we are also able to change
827 00:29:07,990 --> 00:29:09,490 some structures that are stored there.
828 00:29:10,750 --> 00:29:13,349 So at first I had only the
829 00:29:13,350 --> 00:29:15,909 firmware for this particular drive,
830 00:29:15,910 --> 00:29:16,910 had 12 revision.
831 00:29:18,070 --> 00:29:20,169 But I've got this one, and
832 00:29:20,170 --> 00:29:22,569 then I've got this one and this one,
833 00:29:22,570 --> 00:29:24,819 and it's PlayStation 4 firmware.
834 00:29:24,820 --> 00:29:25,990 And I've got even more.
835 00:29:28,440 --> 00:29:30,489 So on this stage, manipulation of the
836 00:29:30,490 --> 00:29:32,549 firmware image to get code execution
837 00:29:32,550 --> 00:29:34,659 is trivial, and all update
838 00:29:34,660 --> 00:29:37,079 structures are stored in DRAM.
839 00:29:37,080 --> 00:29:39,299 It's basically a hint for those who want
840 00:29:39,300 --> 00:29:41,309 to repeat my steps at home.
841 00:29:41,310 --> 00:29:43,379 And when you exploit such devices,
842 00:29:43,380 --> 00:29:45,659 you usually need to be extremely careful,
843 00:29:45,660 --> 00:29:48,099 because this device,
844 00:29:48,100 --> 00:29:49,649 it has internal memory.
845 00:29:49,650 --> 00:29:51,509 If you corrupt something there, you will
846 00:29:51,510 --> 00:29:53,249 turn your device into a brick.
847 00:29:53,250 --> 00:29:55,529 So you will have to spend a lot of money
848 00:29:55,530 --> 00:29:57,659 to buy just a new device and do your
849 00:29:57,660 --> 00:29:59,939 experiments all over again.
850 00:29:59,940 --> 00:30:01,899 But actually in this case, as I
851 00:30:01,900 --> 00:30:04,319 mentioned, a special mode of firmware
852 00:30:04,320 --> 00:30:06,899 exists. It's called emergency boot,
853 00:30:06,900 --> 00:30:08,969 and well, during
854 00:30:08,970 --> 00:30:10,509 boot, the bootloader checks
855 00:30:10,510 --> 00:30:12,639 if the main firm-
856 00:30:12,640 --> 00:30:14,699 ware has a valid hash, and
857 00:30:14,700 --> 00:30:16,479 if it's not, then this special
858 00:30:16,480 --> 00:30:18,329 thing will be executed.
859 00:30:18,330 --> 00:30:20,429 So you will still be able to unbrick
860 00:30:20,430 --> 00:30:21,430 it.
861 00:30:22,140 --> 00:30:23,969 So why did it happen?
862 00:30:23,970 --> 00:30:25,410 The most likely scenario
863 00:30:26,670 --> 00:30:28,819 is that when the firmware was handed to Sony
864 00:30:28,820 --> 00:30:31,019 to add console specific stuff, engineers
865 00:30:31,020 --> 00:30:32,799 didn't really understand what kind of
866 00:30:32,800 --> 00:30:34,449 data is available through these peripheral
867 00:30:34,450 --> 00:30:35,729 registers.
868 00:30:35,730 --> 00:30:37,709 And these SCSI commands to read and
869 00:30:37,710 --> 00:30:39,989 write the peripheral registers, they
870 00:30:39,990 --> 00:30:41,499 were left for diagnostic purposes for
871 00:30:41,500 --> 00:30:42,419 sure.
872 00:30:42,420 --> 00:30:44,649 But security risks
873 00:30:44,650 --> 00:30:46,139 represented by free use of these
874 00:30:46,140 --> 00:30:47,129 registers,
875 00:30:47,130 --> 00:30:48,630 they were not really considered.
876 00:30:50,970 --> 00:30:53,519 So we've got code execution.
877 00:30:53,520 --> 00:30:55,819 I was able to do some experiments,
878 00:30:55,820 --> 00:30:58,139 like, the community always wondered what
879 00:30:58,140 --> 00:31:00,349 is this mysterious block of data
880 00:31:00,350 --> 00:31:02,489 that Sony puts to the drive when
881 00:31:02,490 --> 00:31:05,009 it's produced at the factory, because the
882 00:31:05,010 --> 00:31:06,809 algorithm to decrypt it was nowhere to be
883 00:31:06,810 --> 00:31:07,799 found.
884 00:31:07,800 --> 00:31:10,189 And I was able to decrypt it, and actually
885 00:31:10,190 --> 00:31:12,009 it's not an interesting sight.
886 00:31:12,010 --> 00:31:15,119 Now you can see an offset of 15,
887 00:31:15,120 --> 00:31:18,059 four plus four, and the first are just
888 00:31:18,060 --> 00:31:20,219 16 random bytes which are
889 00:31:20,220 --> 00:31:22,499 then not used anyhow.
890 00:31:22,500 --> 00:31:25,259 And then just a few flags to set
891 00:31:25,260 --> 00:31:26,569 some drive initialization stage.
892 00:31:28,140 --> 00:31:30,269 And for me, it also was interesting
893 00:31:30,270 --> 00:31:32,639 to see the disc keys,
894 00:31:32,640 --> 00:31:35,099 I think, because this
895 00:31:35,100 --> 00:31:36,869 information should be somehow related to
896 00:31:36,870 --> 00:31:39,369 the way how discs are verified,
897 00:31:39,370 --> 00:31:41,579 and there are two of these keys.
898 00:31:41,580 --> 00:31:44,159 One is used for decryption of disc data
899 00:31:44,160 --> 00:31:46,379 and another one is used for encryption
900 00:31:46,380 --> 00:31:47,759 of CS data.
901 00:31:47,760 --> 00:31:49,509 And all this is about the same for PS
902 00:31:49,510 --> 00:31:50,729 4.
903 00:31:50,730 --> 00:31:52,859 And I found out that these keys
904 00:31:52,860 --> 00:31:54,239 are returned from the
905 00:31:54,240 --> 00:31:56,459 cryptographic processor, but it happens
906 00:31:56,460 --> 00:31:58,159 only in case of their ID.
907 00:31:59,190 --> 00:32:01,409 So initially I was thinking that
908 00:32:01,410 --> 00:32:03,719 this logic to read these disc keys,
909 00:32:03,720 --> 00:32:05,489 it should be located inside the
910 00:32:05,490 --> 00:32:06,490 cryptographic processor.
911 00:32:07,470 --> 00:32:09,679 So here are a few more words about drive
912 00:32:09,680 --> 00:32:11,159 authentication.
913 00:32:11,160 --> 00:32:13,349 So drive authentication and the
914 00:32:13,350 --> 00:32:15,059 cryptographic processor,
915 00:32:15,060 --> 00:32:17,189 it's the main things behind the optical
916 00:32:17,190 --> 00:32:19,320 DRM security of Sony PlayStation,
917 00:32:20,580 --> 00:32:22,449 and drive authentication is secure and
918 00:32:22,450 --> 00:32:23,849 performed with specific console keys.
919 00:32:23,850 --> 00:32:26,009 And I know only two ways to obtain
920 00:32:26,010 --> 00:32:27,119 those keys.
921 00:32:27,120 --> 00:32:28,799 You either need to crack the cryptographic
922 00:32:28,800 --> 00:32:30,509 processor of the video game console,
923 00:32:30,510 --> 00:32:32,669 it's called SPU for PS3, or some-
924 00:32:32,670 --> 00:32:34,839 thing else for PS4, or you need to crack the
925 00:32:34,840 --> 00:32:35,799 cryptographic processor
926 00:32:35,800 --> 00:32:37,859 of the Blu-ray drive.
927 00:32:37,860 --> 00:32:39,389 And it's very hard to achieve such
928 00:32:39,390 --> 00:32:41,549 cracks. So the security model is
929 00:32:41,550 --> 00:32:43,319 very effective against widespread piracy.
930 00:32:44,580 --> 00:32:46,199 Much more simple ways to pirate games
931 00:32:46,200 --> 00:32:47,519 always exist.
932 00:32:47,520 --> 00:32:49,889 For example, if you have the main firmware of
933 00:32:49,890 --> 00:32:52,169 PlayStation, you can pirate games,
934 00:32:52,170 --> 00:32:53,789 but if you have the firmware of the PlayStation
935 00:32:53,790 --> 00:32:56,309 Blu-ray drive, you can't pirate games.
936 00:32:56,310 --> 00:32:58,679 And I was thinking how to better illustrate
937 00:32:58,680 --> 00:33:01,209 the security model, and
938 00:33:01,210 --> 00:33:03,049 this is the best that I was able to come
939 00:33:03,050 --> 00:33:04,259 up with.
940 00:33:04,260 --> 00:33:06,989 So imagine we have two floating islands,
941 00:33:06,990 --> 00:33:08,339 and it's actually firmwares,
942 00:33:09,650 --> 00:33:10,829 and inside firmwares
943 00:33:10,830 --> 00:33:13,229 there are white castles,
944 00:33:13,230 --> 00:33:14,999 and these white castles are cryptographic
945 00:33:15,000 --> 00:33:17,069 processors, and you
946 00:33:17,070 --> 00:33:19,469 can notice that there are no entrances
947 00:33:19,470 --> 00:33:21,479 to those castles. So you are not allowed
948 00:33:21,480 --> 00:33:23,280 to get in from firmware.
949 00:33:24,960 --> 00:33:27,149 But there is also communication happening
950 00:33:27,150 --> 00:33:28,150 between these castles.
951 00:33:29,460 --> 00:33:31,049 Well, it was the best that I was able to
952 00:33:31,050 --> 00:33:32,050 come up with,
953 00:33:34,230 --> 00:33:36,329 and like,
954 00:33:36,330 --> 00:33:38,129 if you have the firmware of the video game
955 00:33:38,130 --> 00:33:40,249 console, you are able to bypass
956 00:33:40,250 --> 00:33:41,639 this secure communication.
957 00:33:41,640 --> 00:33:43,799 You just take this data as it comes out
958 00:33:43,800 --> 00:33:46,289 of it and you just run it on
959 00:33:46,290 --> 00:33:49,199 your console, and so you pirate games.
960 00:33:49,200 --> 00:33:51,659 But if you have the firmware of the Blu-ray drive,
961 00:33:51,660 --> 00:33:53,819 you are not able to put your data in this
962 00:33:53,820 --> 00:33:56,699 communication, you are not able to send
963 00:33:56,700 --> 00:33:57,839 this key.
964 00:33:57,840 --> 00:33:59,999 So you are not able to
965 00:34:00,000 --> 00:34:01,000 pirate.
966 00:34:03,420 --> 00:34:05,759 And I also was able to play with this cryptographic
967 00:34:05,760 --> 00:34:06,869 processor.
968 00:34:06,870 --> 00:34:07,799 It was,
969 00:34:07,800 --> 00:34:08,819 it was initially,
970 00:34:08,820 --> 00:34:10,718 it was the reason why I needed code
971 00:34:10,719 --> 00:34:12,238 execution.
972 00:34:12,239 --> 00:34:14,428 And I did some experiments.
973 00:34:14,429 --> 00:34:16,529 I was able to load encrypted firm-
974 00:34:16,530 --> 00:34:18,329 ware of the PlayStation 3 drive to the PlayStation
975 00:34:18,330 --> 00:34:20,789 4 drive, and the PlayStation
976 00:34:20,790 --> 00:34:21,689 4 drive,
977 00:34:21,690 --> 00:34:23,218 the cryptographic processor started to
978 00:34:23,219 --> 00:34:25,408 behave exactly like it should on
979 00:34:25,409 --> 00:34:27,149 PlayStation 3.
980 00:34:27,150 --> 00:34:29,249 Even some offsets of some cryptographic
981 00:34:29,250 --> 00:34:31,468 processor registers, they have changed.
982 00:34:31,469 --> 00:34:33,539 So it proves my ideas
983 00:34:33,540 --> 00:34:36,359 that it runs some kind of firmware,
984 00:34:36,360 --> 00:34:37,919 and, like,
985 00:34:37,920 --> 00:34:39,509 as I mentioned, the
986 00:34:39,510 --> 00:34:40,769 communication process is quite
987 00:34:40,770 --> 00:34:42,899 complicated, and I wanted to try
988 00:34:42,900 --> 00:34:44,399 to change some values.
989 00:34:44,400 --> 00:34:46,619 So I wrote a special fuzzer
990 00:34:46,620 --> 00:34:48,869 to flip some bits
991 00:34:48,870 --> 00:34:50,579 of these values that are set to
992 00:34:50,580 --> 00:34:51,580 registers.
993 00:34:52,139 --> 00:34:54,359 And it was completely useless,
994 00:34:54,360 --> 00:34:56,488 because if you change any such
995 00:34:56,489 --> 00:34:58,619 values, the cryptographic processor returns
996 00:34:58,620 --> 00:35:00,719 an error, and after a few errors
997 00:35:00,720 --> 00:35:02,879 the processor just hangs and you need to
998 00:35:02,880 --> 00:35:03,880 reset the device.
999 00:35:04,950 --> 00:35:06,509 So allegedly,
1000 00:35:06,510 --> 00:35:09,029 I think that the logic of such cryptographic
1001 00:35:09,030 --> 00:35:10,949 functions, it works like this.
1002 00:35:10,950 --> 00:35:12,719 At first you provide some seed for the
1003 00:35:12,720 --> 00:35:15,449 hash, then you provide commands,
1004 00:35:15,450 --> 00:35:17,379 then you provide data, then keys.
1005 00:35:17,380 --> 00:35:20,459 You provide a hash that verifies the commands.
1006 00:35:20,460 --> 00:35:22,679 And in the end, these commands, they are
1007 00:35:22,680 --> 00:35:23,970 verified and executed.
1008 00:35:25,770 --> 00:35:27,869 And I played a little with the crypto
1009 00:35:27,870 --> 00:35:30,029 processor, but eventually I lost
1010 00:35:30,030 --> 00:35:32,309 interest, because breaking copy
1011 00:35:32,310 --> 00:35:33,929 protection was never my goal.
1012 00:35:33,930 --> 00:35:36,089 And moreover, reviewing it 1013 00:35:36,090 --> 00:35:38,099 revealed that most likely the crypto 1014 00:35:38,100 --> 00:35:40,409 processor exists only for doing 1015 00:35:40,410 --> 00:35:42,599 crypto stuff, and there does exist 1016 00:35:42,600 --> 00:35:44,909 a specially dedicated component that 1017 00:35:44,910 --> 00:35:47,369 verifies discs, but most likely 1018 00:35:47,370 --> 00:35:49,019 it is performed purely in hardware. 1019 00:35:50,520 --> 00:35:52,259 I was able to find out about that when I 1020 00:35:52,260 --> 00:35:54,329 got the first ever PlayStation 3 1021 00:35:54,330 --> 00:35:55,859 retail drive. 1022 00:35:55,860 --> 00:35:58,259 So it has a few components, 1023 00:35:58,260 --> 00:36:00,539 but the main components 1024 00:36:00,540 --> 00:36:02,039 are these two. 1025 00:36:02,040 --> 00:36:03,809 It's a main controller produced by 1026 00:36:03,810 --> 00:36:06,839 Sony. It has two cores. 1027 00:36:06,840 --> 00:36:08,929 And we also have one megabyte 1028 00:36:08,930 --> 00:36:11,349 NOR flash with firmware 1029 00:36:11,350 --> 00:36:12,449 by Spansion. 1030 00:36:12,450 --> 00:36:14,969 So one megabyte NOR flash, 1031 00:36:14,970 --> 00:36:15,970 firmware is in there. 1032 00:36:16,920 --> 00:36:17,920 So. 1033 00:36:19,040 --> 00:36:20,799 Actually, firmware is executed from 1034 00:36:20,800 --> 00:36:23,059 external flash, and that is what you can 1035 00:36:23,060 --> 00:36:24,319 dump. 1036 00:36:24,320 --> 00:36:26,359 And of course, firmware encryption is 1037 00:36:26,360 --> 00:36:27,360 based on XOR. 1038 00:36:28,850 --> 00:36:30,499 So we have 1039 00:36:31,790 --> 00:36:33,979 some key of a specific size, 1040 00:36:33,980 --> 00:36:36,199 but firmware is much, much larger. 1041 00:36:36,200 --> 00:36:38,269 And what we do, we do what we always 1042 00:36:38,270 --> 00:36:39,379 do in such cases.
1043 00:36:39,380 --> 00:36:41,449 We just look for 1044 00:36:41,450 --> 00:36:44,129 some space filled with zeros 1045 00:36:44,130 --> 00:36:45,379 and we are able to partially 1046 00:36:45,380 --> 00:36:47,599 recover the XOR key, and 1047 00:36:47,600 --> 00:36:49,759 now it can be used to encrypt or decrypt 1048 00:36:49,760 --> 00:36:50,689 some pieces of firmware. 1049 00:36:50,690 --> 00:36:52,939 Not all of it, 1050 00:36:52,940 --> 00:36:53,940 but some pieces. 1051 00:36:56,180 --> 00:36:58,009 So I mentioned that code is executed from 1052 00:36:58,010 --> 00:37:00,559 external flash, but the integrity 1053 00:37:00,560 --> 00:37:01,719 of it is verified very strictly. 1054 00:37:02,800 --> 00:37:05,149 So it seems like we 1055 00:37:05,150 --> 00:37:06,379 are not able to do something, is that 1056 00:37:06,380 --> 00:37:07,380 right? Right. 1057 00:37:08,720 --> 00:37:10,969 Well, actually, no, because 1058 00:37:10,970 --> 00:37:12,709 we are able to observe all memory 1059 00:37:12,710 --> 00:37:14,809 accesses and reads from 1060 00:37:14,810 --> 00:37:16,549 external flash with a logic 1061 00:37:16,550 --> 00:37:17,869 analyzer. 1062 00:37:17,870 --> 00:37:19,999 We are able to modify those accesses 1063 00:37:20,000 --> 00:37:22,069 with an FPGA, and we 1064 00:37:22,070 --> 00:37:24,759 can write our payload, 1065 00:37:24,760 --> 00:37:26,759 we can encrypt it with the recovered 1066 00:37:26,760 --> 00:37:29,389 XOR key stream, and 1067 00:37:29,390 --> 00:37:31,669 we can modify some memory accesses 1068 00:37:31,670 --> 00:37:33,739 from flash after the 1069 00:37:33,740 --> 00:37:35,859 firmware is verified to execute this 1070 00:37:35,860 --> 00:37:37,419 payload. 1071 00:37:37,420 --> 00:37:39,169 So with our payload 1072 00:37:39,170 --> 00:37:40,960 we can read plaintext and leak it, 1073 00:37:42,320 --> 00:37:44,569 so we get code execution on the firmware.
1074 00:37:46,850 --> 00:37:49,249 And this firmware was quite interesting 1075 00:37:49,250 --> 00:37:51,289 because, unlike the previous firmware, it 1076 00:37:51,290 --> 00:37:53,539 contains a lot of debug strings. 1077 00:37:53,540 --> 00:37:55,699 It even has a special serial 1078 00:37:55,700 --> 00:37:57,620 monitor with a huge list of commands, 1079 00:37:58,670 --> 00:38:00,679 and some of these commands are looking 1080 00:38:00,680 --> 00:38:02,579 interesting. You see: dump, 1081 00:38:02,580 --> 00:38:04,489 boot and much more. 1082 00:38:06,150 --> 00:38:08,299 But you need some special 1083 00:38:08,300 --> 00:38:10,359 password. Also, I need to mention 1084 00:38:10,360 --> 00:38:12,539 that a 1085 00:38:12,540 --> 00:38:13,789 cryptographic processor 1086 00:38:14,820 --> 00:38:16,429 also exists in these drives. 1087 00:38:16,430 --> 00:38:18,649 But it's very simple, very different from 1088 00:38:18,650 --> 00:38:20,719 the ones that were used in the previous drives. 1089 00:38:20,720 --> 00:38:22,699 It's also much more simple. 1090 00:38:22,700 --> 00:38:24,979 You just set the 1091 00:38:24,980 --> 00:38:27,349 size of data, put some specific 1092 00:38:27,350 --> 00:38:29,869 offsets, encrypt your region, 1093 00:38:29,870 --> 00:38:31,680 and then you initiate the operation. 1094 00:38:33,570 --> 00:38:34,730 And, like, 1095 00:38:36,140 --> 00:38:37,639 if you try to read the encrypted region 1096 00:38:37,640 --> 00:38:39,859 from the flash, you will not be able 1097 00:38:39,860 --> 00:38:41,959 to do that; you will 1098 00:38:41,960 --> 00:38:44,480 get only garbage in the registers.
1099 00:38:45,570 --> 00:38:47,449 So it was intended to work like you need 1100 00:38:47,450 --> 00:38:49,579 to use special functions that are present 1101 00:38:49,580 --> 00:38:51,739 in the bootloader to access these 1102 00:38:51,740 --> 00:38:53,989 specific offsets inside 1103 00:38:53,990 --> 00:38:55,820 this cryptographic descriptor region. 1104 00:38:57,200 --> 00:38:59,259 But of course, you can bypass it; 1105 00:38:59,260 --> 00:39:01,459 it is implemented in software, 1106 00:39:01,460 --> 00:39:03,389 and also all these functions, they have 1107 00:39:03,390 --> 00:39:04,969 integer overflows. 1108 00:39:04,970 --> 00:39:07,099 So this check, I think it's 1109 00:39:07,100 --> 00:39:08,809 useless. You are able to read the whole 1110 00:39:08,810 --> 00:39:10,819 crypto region anyway, and if you do 1111 00:39:10,820 --> 00:39:12,629 that, there will be one interesting 1112 00:39:12,630 --> 00:39:14,689 string at the start 1113 00:39:14,690 --> 00:39:16,609 address of this crypto region, and it 1114 00:39:16,610 --> 00:39:17,809 should not be possible to read it 1115 00:39:17,810 --> 00:39:18,810 otherwise. 1116 00:39:20,930 --> 00:39:23,309 And Sony made PS3 and 1117 00:39:23,310 --> 00:39:24,619 PS4, and although they are 1118 00:39:24,620 --> 00:39:26,719 completely different systems, and it 1119 00:39:26,720 --> 00:39:29,119 means that all peripheral 1120 00:39:29,120 --> 00:39:31,519 devices should be different 1121 00:39:31,520 --> 00:39:33,979 and they should be accessed differently, 1122 00:39:33,980 --> 00:39:36,409 I found out one special device 1123 00:39:36,410 --> 00:39:38,629 that is accessed exactly the same.
1124 00:39:38,630 --> 00:39:40,769 So it means that one particular 1125 00:39:40,770 --> 00:39:42,569 peripheral device is exactly the same in 1126 00:39:42,570 --> 00:39:43,570 both, 1127 00:39:44,810 --> 00:39:47,299 in different consoles of Sony 1128 00:39:47,300 --> 00:39:50,169 and in subsequent products, only 1129 00:39:50,170 --> 00:39:52,529 at different addresses. 1130 00:39:52,530 --> 00:39:54,499 In PS3 the control registers 1131 00:39:54,500 --> 00:39:56,899 are located inside a special region, and 1132 00:39:56,900 --> 00:39:58,759 in PS4 they are accessed 1133 00:39:58,760 --> 00:40:00,440 through indirect registers. 1134 00:40:01,730 --> 00:40:04,129 So I believe this special 1135 00:40:04,130 --> 00:40:07,159 device is actually a security component 1136 00:40:07,160 --> 00:40:09,439 and it performs some interesting things. 1137 00:40:09,440 --> 00:40:11,609 Like, it 1138 00:40:11,610 --> 00:40:14,569 very quickly calculates a CRC of the title 1139 00:40:14,570 --> 00:40:16,939 salted with the string "enoki" 1140 00:40:16,940 --> 00:40:18,769 and puts it into registers of this 1141 00:40:18,770 --> 00:40:19,909 device. 1142 00:40:19,910 --> 00:40:21,829 And if you modify it, then the cryptographic 1143 00:40:21,830 --> 00:40:23,779 processor will not be able to return this 1144 00:40:23,780 --> 00:40:24,859 key. 1145 00:40:24,860 --> 00:40:26,149 So. 1146 00:40:26,150 --> 00:40:28,219 Right. So I know one part 1147 00:40:28,220 --> 00:40:30,349 of this verification process, but 1148 00:40:30,350 --> 00:40:32,529 finding out the rest will be a 1149 00:40:32,530 --> 00:40:33,889 really challenging task 1150 00:40:33,890 --> 00:40:36,079 if it's implemented purely in hardware. 1151 00:40:37,100 --> 00:40:38,639 And one more fun fact. 1152 00:40:38,640 --> 00:40:40,849 Enoki is short for enokitake, which is a very 1153 00:40:40,850 --> 00:40:42,869 tasty mushroom in Japanese cuisine. 1154 00:40:44,540 --> 00:40:46,119 So let's make a conclusion.
1155 00:40:47,150 --> 00:40:49,399 I think that Sony and partners, they did 1156 00:40:49,400 --> 00:40:50,529 exceptional work. 1157 00:40:50,530 --> 00:40:52,549 The security model is really good and has 1158 00:40:52,550 --> 00:40:53,809 proven itself. 1159 00:40:53,810 --> 00:40:55,699 I mean, PlayStation 3 drives, 1160 00:40:55,700 --> 00:40:58,369 they have existed since 2006, 1161 00:40:58,370 --> 00:41:00,270 but no public hacks since then. 1162 00:41:01,560 --> 00:41:03,219 But when you have the console keys. 1163 00:41:04,560 --> 00:41:06,919 So here is the one lesson that we also 1164 00:41:06,920 --> 00:41:09,149 can learn from this example. 1165 00:41:09,150 --> 00:41:11,089 Firmware can be hacked, so put all your 1166 00:41:11,090 --> 00:41:13,579 security in hardware, as in this case. 1167 00:41:13,580 --> 00:41:15,019 Guys like me, they will have some 1168 00:41:15,020 --> 00:41:17,149 problems reverse engineering it, 1169 00:41:17,150 --> 00:41:19,599 and also I believe this cryptographic 1170 00:41:19,600 --> 00:41:21,769 processor might be an interesting 1171 00:41:21,770 --> 00:41:23,869 real-world target if you're into glitching 1172 00:41:23,870 --> 00:41:25,759 and such hardware analysis. 1173 00:41:25,760 --> 00:41:27,500 But it will be a tough one, I believe. 1174 00:41:28,610 --> 00:41:30,289 And I want to give my respects to 1175 00:41:30,290 --> 00:41:32,479 everyone who also ever worked on 1176 00:41:32,480 --> 00:41:34,479 this subject of hacking PlayStation 1177 00:41:34,480 --> 00:41:35,480 drives. 1178 00:41:36,140 --> 00:41:38,299 And I want to say thank 1179 00:41:38,300 --> 00:41:39,949 you, enoki. This research would not be 1180 00:41:39,950 --> 00:41:40,950 possible without you. 1181 00:41:42,360 --> 00:41:44,749 And here are a few more words about 1182 00:41:44,750 --> 00:41:45,750 responsible disclosure.
1183 00:41:47,090 --> 00:41:49,249 So in November 2019, 1184 00:41:49,250 --> 00:41:51,319 a security team at Sony 1185 00:41:51,320 --> 00:41:53,299 Interactive Entertainment reached out to 1186 00:41:53,300 --> 00:41:55,909 me and said, we saw your presentation. 1187 00:41:55,910 --> 00:41:57,820 You want to talk about it at CCC? 1188 00:41:59,180 --> 00:42:00,739 Can you give us some information about 1189 00:42:00,740 --> 00:42:01,740 that? 1190 00:42:02,420 --> 00:42:03,739 Well, yeah, sure. 1191 00:42:05,540 --> 00:42:07,389 I provided information about my 1192 00:42:07,390 --> 00:42:08,390 vulnerabilities, 1193 00:42:09,680 --> 00:42:12,349 and it was quite a surprise 1194 00:42:12,350 --> 00:42:13,350 what happened next. 1195 00:42:14,190 --> 00:42:16,789 Like, it was totally not expected, 1196 00:42:16,790 --> 00:42:18,889 but Sony's team invited me 1197 00:42:18,890 --> 00:42:20,939 to join their recently launched 1198 00:42:20,940 --> 00:42:21,940 bug bounty. 1199 00:42:23,090 --> 00:42:25,189 And they triaged all my 1200 00:42:25,190 --> 00:42:26,459 vulnerabilities. 1201 00:42:26,460 --> 00:42:28,639 They told me that these are high and 1202 00:42:28,640 --> 00:42:29,640 medium severity bugs. 1203 00:42:31,480 --> 00:42:34,189 They told me that it's not critical 1204 00:42:34,190 --> 00:42:35,190 anyway, 1205 00:42:36,770 --> 00:42:38,899 and the overall vulnerabilities were fixed in the 1206 00:42:38,900 --> 00:42:40,969 latest system software versions 1207 00:42:40,970 --> 00:42:42,050 that came out just 1208 00:42:43,360 --> 00:42:45,199 ten, nine days ago. 1209 00:42:46,590 --> 00:42:48,539 So it seems that I have become the first 1210 00:42:48,540 --> 00:42:50,759 researcher who 1211 00:42:50,760 --> 00:42:52,140 won PlayStation bounty money. 1212 00:43:01,470 --> 00:43:03,839 So please stay tuned. 1213 00:43:03,840 --> 00:43:05,459 Sony is about to announce something 1214 00:43:05,460 --> 00:43:06,569 really awesome.
1215 00:43:06,570 --> 00:43:08,129 I'm sure that all of you are going to 1216 00:43:08,130 --> 00:43:09,389 like that. 1217 00:43:09,390 --> 00:43:11,989 And actually 1218 00:43:11,990 --> 00:43:13,469 I had a very pleasant experience 1219 00:43:13,470 --> 00:43:16,169 working with them. And I can recommend 1220 00:43:16,170 --> 00:43:18,719 you to do that in future. 1221 00:43:18,720 --> 00:43:20,729 So all my slides, they will be uploaded 1222 00:43:20,730 --> 00:43:22,289 to the Fahrplan. 1223 00:43:22,290 --> 00:43:23,510 And I want to say thank you. 1224 00:43:32,770 --> 00:43:34,809 Thank you very much, Boris Larin. 1225 00:43:35,860 --> 00:43:38,079 If you have questions, you know how 1226 00:43:38,080 --> 00:43:40,209 it works. The internet has questions 1227 00:43:40,210 --> 00:43:41,349 already. 1228 00:43:41,350 --> 00:43:42,489 There are microphones, 1229 00:43:43,540 --> 00:43:45,849 microphones one, two, 1230 00:43:45,850 --> 00:43:48,009 seven and eight. 1231 00:43:48,010 --> 00:43:50,229 Please line up there and 1232 00:43:50,230 --> 00:43:52,779 we will go through the queue. So, the internet first. 1233 00:43:52,780 --> 00:43:55,299 First question: the interwebs 1234 00:43:55,300 --> 00:43:57,709 are asking, did you 1235 00:43:57,710 --> 00:43:59,949 use a USB to SATA adapter, 1236 00:43:59,950 --> 00:44:02,319 or is it just a common chipset with an 1237 00:44:02,320 --> 00:44:03,969 FFC connector? 1238 00:44:05,290 --> 00:44:07,729 Yep, that's the case. 1239 00:44:07,730 --> 00:44:09,699 So just some common parts that you are 1240 00:44:09,700 --> 00:44:11,829 able to get there, and you can solder it 1241 00:44:11,830 --> 00:44:14,019 yourself. But for me it was convenient 1242 00:44:14,020 --> 00:44:16,029 to just buy one because it was freely 1243 00:44:16,030 --> 00:44:17,030 available. 1244 00:44:20,340 --> 00:44:21,340 Short answer. 1245 00:44:22,140 --> 00:44:23,429 Microphone number one, please.
1246 00:44:24,570 --> 00:44:26,789 So I think there are some third-party, 1247 00:44:26,790 --> 00:44:29,309 like, drive emulation hardware 1248 00:44:29,310 --> 00:44:31,199 available in the market. 1249 00:44:31,200 --> 00:44:32,919 Do you know something about it? 1250 00:44:32,920 --> 00:44:34,519 Have they hacked something? 1251 00:44:34,520 --> 00:44:36,659 Or is it, like, not secured in 1252 00:44:36,660 --> 00:44:38,609 a way that you can replace the 1253 00:44:38,610 --> 00:44:40,979 hardware with your own, basically, 1254 00:44:40,980 --> 00:44:42,030 emulation device? 1255 00:44:43,470 --> 00:44:46,019 So, like, like I mentioned, 1256 00:44:46,020 --> 00:44:48,060 for doing that, you need 1257 00:44:49,110 --> 00:44:51,449 a way to bypass the secure 1258 00:44:51,450 --> 00:44:53,009 communication. Right? 1259 00:44:53,010 --> 00:44:55,139 And for doing it, like, this secure 1260 00:44:55,140 --> 00:44:56,669 communication is secure. 1261 00:44:56,670 --> 00:44:58,769 You need to get their console 1262 00:44:58,770 --> 00:45:01,140 keys, and to get those keys, 1263 00:45:02,280 --> 00:45:03,729 it's a really challenging task. 1264 00:45:03,730 --> 00:45:05,809 Like, maybe you remember the presentation 1265 00:45:05,810 --> 00:45:08,399 of fail0verflow, like, when 1266 00:45:08,400 --> 00:45:10,199 many years ago they were able to 1267 00:45:10,200 --> 00:45:11,129 break the PS3. 1268 00:45:11,130 --> 00:45:12,130 Right. 1269 00:45:12,480 --> 00:45:14,549 We have not seen something like that for 1270 00:45:14,550 --> 00:45:16,869 PS4, which is the critical part 1271 00:45:16,870 --> 00:45:19,379 for PS4, but 1272 00:45:19,380 --> 00:45:21,599 still, like, even for PS3, 1273 00:45:21,600 --> 00:45:24,269 Sony, they were able to fix those bugs 1274 00:45:24,270 --> 00:45:27,179 and, like, in new models, 1275 00:45:27,180 --> 00:45:28,739 hardware revisions, 1276 00:45:28,740 --> 00:45:30,479 there were no such bugs.
1277 00:45:30,480 --> 00:45:32,729 And that's why 1278 00:45:32,730 --> 00:45:35,219 it's a challenging task to make some 1279 00:45:35,220 --> 00:45:36,570 hardware emulation devices. 1280 00:45:38,040 --> 00:45:39,040 That's all because 1281 00:45:40,240 --> 00:45:41,929 the console keys are used. 1282 00:45:44,600 --> 00:45:45,739 Thank you very much. 1283 00:45:45,740 --> 00:45:48,289 And microphone number seven, I think. 1284 00:45:49,490 --> 00:45:51,619 Is the Sony MCU some 1285 00:45:51,620 --> 00:45:54,499 sort of a derivative of the Toshiba 1286 00:45:54,500 --> 00:45:56,749 MCUs, the Toshiba ARM 1287 00:45:56,750 --> 00:45:58,819 MCUs used, like, in the PS Vita, 1288 00:45:58,820 --> 00:46:00,090 or is it something else? 1289 00:46:01,450 --> 00:46:02,369 Oh, excellent. 1290 00:46:02,370 --> 00:46:03,370 I don't know. 1291 00:46:04,700 --> 00:46:07,299 I have spent most of this, 1292 00:46:07,300 --> 00:46:09,829 most of the time of my research 1293 00:46:09,830 --> 00:46:11,810 on looking at really such stuff. 1294 00:46:13,280 --> 00:46:15,349 And I actually never had a chance to 1295 00:46:15,350 --> 00:46:17,569 take a look at the Toshiba 1296 00:46:17,570 --> 00:46:19,339 PSP stuff. 1297 00:46:19,340 --> 00:46:21,409 So I actually am not able to tell 1298 00:46:21,410 --> 00:46:22,789 you for sure. 1299 00:46:22,790 --> 00:46:23,790 OK. Thanks. 1300 00:46:25,010 --> 00:46:27,019 Microphone number two, please. 1301 00:46:27,020 --> 00:46:29,329 Have you looked at how the drive 1302 00:46:29,330 --> 00:46:31,429 verifies whether a disc is 1303 00:46:31,430 --> 00:46:34,039 a real, genuine pressed disc from 1304 00:46:34,040 --> 00:46:35,059 the manufacturer? 1305 00:46:35,060 --> 00:46:37,189 Or is it just a home-burned 1306 00:46:37,190 --> 00:46:38,229 disc? No. 1307 00:46:38,230 --> 00:46:40,349 So, yeah, it actually 1308 00:46:40,350 --> 00:46:42,079 was present in my presentation.
1309 00:46:42,080 --> 00:46:44,239 So I believe that a specially 1310 00:46:44,240 --> 00:46:46,399 dedicated component exists, 1311 00:46:46,400 --> 00:46:49,399 and discs, they are verified 1312 00:46:49,400 --> 00:46:51,619 by this component, and this logic is 1313 00:46:51,620 --> 00:46:53,659 implemented in hardware. 1314 00:46:53,660 --> 00:46:55,879 And I know that some 1315 00:46:55,880 --> 00:46:58,289 parts exist, like, to 1316 00:46:58,290 --> 00:47:00,529 set some data from software, like 1317 00:47:00,530 --> 00:47:02,989 this one where it calculates a CRC 1318 00:47:02,990 --> 00:47:05,089 of this title and salts 1319 00:47:05,090 --> 00:47:06,739 it with some data. 1320 00:47:06,740 --> 00:47:08,929 I'm sure that this is part of the disc verification 1321 00:47:08,930 --> 00:47:11,519 process, but the rest of the magic 1322 00:47:11,520 --> 00:47:13,699 is unknown because it's 1323 00:47:13,700 --> 00:47:15,829 hardware; you need to reverse engineer 1324 00:47:15,830 --> 00:47:17,209 this. 1325 00:47:17,210 --> 00:47:18,979 Yeah. And this kind is hard. 1326 00:47:18,980 --> 00:47:19,980 OK, thanks. 1327 00:47:21,760 --> 00:47:22,979 The internet. 1328 00:47:24,260 --> 00:47:26,689 The internet has a more complex question 1329 00:47:26,690 --> 00:47:29,149 for you. Why is there more interest 1330 00:47:29,150 --> 00:47:30,889 in hacking PS 1331 00:47:30,890 --> 00:47:33,149 3 or 4 than Xbox? Maybe 1332 00:47:33,150 --> 00:47:35,479 because there's no need to pirate, 1333 00:47:35,480 --> 00:47:37,669 because every Xbox game is a Windows 1334 00:47:37,670 --> 00:47:38,670 game. 1335 00:47:39,330 --> 00:47:41,269 No. Well, you know, like, 1336 00:47:42,590 --> 00:47:45,229 people love, people like PlayStation 1337 00:47:45,230 --> 00:47:47,239 because they got exclusives. 1338 00:47:47,240 --> 00:47:48,369 Right. 1339 00:47:48,370 --> 00:47:50,549 And well. 1340 00:47:50,550 --> 00:47:51,649 Well.
1341 00:47:51,650 --> 00:47:54,009 Well, Xbox security is kinda 1342 00:47:54,010 --> 00:47:56,119 very good. I mean, I actually 1343 00:47:56,120 --> 00:47:57,689 believe it's better than the PlayStation, 1344 00:47:57,690 --> 00:47:58,690 to be honest. 1345 00:47:59,840 --> 00:48:01,699 Some of my friends had experience with it 1346 00:48:01,700 --> 00:48:03,579 and it's really painful to work with. 1347 00:48:03,580 --> 00:48:05,959 That's because, while Microsoft, 1348 00:48:05,960 --> 00:48:07,730 they protect your computers, 1349 00:48:09,180 --> 00:48:11,339 they, so, they protect the computers 1350 00:48:11,340 --> 00:48:13,519 and they have technologies that they can 1351 00:48:13,520 --> 00:48:15,649 use to protect their 1352 00:48:15,650 --> 00:48:17,359 intellectual property. 1353 00:48:17,360 --> 00:48:19,339 And they also add some special stuff, 1354 00:48:19,340 --> 00:48:21,409 like some new techniques, some 1355 00:48:21,410 --> 00:48:22,759 novel ideas. 1356 00:48:22,760 --> 00:48:24,829 And, you know, they use all that 1357 00:48:24,830 --> 00:48:27,009 to make hacking even much harder 1358 00:48:27,010 --> 00:48:28,550 than to hack a computer. 1359 00:48:32,130 --> 00:48:33,269 Thank you for that. 1360 00:48:33,270 --> 00:48:35,489 And as far as I can see, no one 1361 00:48:35,490 --> 00:48:37,589 is shaking and waving hands, so we 1362 00:48:37,590 --> 00:48:39,030 have no more questions left. 1363 00:48:40,110 --> 00:48:42,409 Please, with a very warm applause, Boris 1364 00:48:42,410 --> 00:48:43,410 Larin. Thank you.