A very good friend of mine who is a propeller head for a living sent me how the PS3 was hacked. Now, I'm still unsure what he's talking about, and I also thought the PS3 was hacked last year by that George Hotz kid, so what's new?
As you can tell, he gets turned on by numbers.
His summary is still too complicated for me
PS3 pwned. This is how – but geek warning.
YouTube - PSGroove.com - Console Hacking 2010 Part 3 - Chaos Communication Congress
Or, to avoid the geek stuff, it is summarised by this flawed code, effectively doing this in the PS3:
FYI - PS3 security pwned. Not that this is particularly interesting if you don't have a PS3, but check out HOW it ultimately failed in the security chain of trust.
Although it was a concerted attack on a number of fronts (much like iOS is done), the key killer was this line of code (slide 127/12:
# bytes_to_long / long_to_bytes are the PyCrypto helpers; ec_N (curve order),
# ec_G (generator point) and bn_inv (modular inverse) are defined elsewhere
# in the slides' code and are assumed here.
from Crypto.Util.number import bytes_to_long, long_to_bytes

def generate_ecdsa(k, sha):
    # k: private key bytes, sha: hash of the message being signed
    k = bytes_to_long(k)
    e = bytes_to_long(sha)
    # m is the per-signature nonce; it must be fresh and unpredictable every time
    m = open("/dev/random", "rb").read(30)
    if len(m) != 30:
        raise Exception("Failed to get m")
    m = bytes_to_long(m) % ec_N
    r = (m * ec_G).x.tobignum() % ec_N
    kk = ((r * k) + e) % ec_N
    s = (bn_inv(m, ec_N) * kk) % ec_N
    r = long_to_bytes(r, 30)
    s = long_to_bytes(s, 30)
    return r, s
Using complex elliptic curve cryptography algorithms, some dork wrote a random number extractor that produced the same number every time!!!!
Once they had the same number generated, they could determine Sony's private keys from just two instances (like reusing a one time pad).
Some code bunny has just had his arse fried!